In the scanning method the NAC scans the end machine and, based on the scan result, the posture is determined for the next step of identity and access to network resources. This approach may or may not test the endpoint’s patch levels, Anti-virus definition files status, or file/registry value. Another issue is that of the time required to scan an endpoint, which may be exacerbated at peak endpoint activity due to simultaneous endpoint scans. With the ActiveX or browser plug-in technology, the plug-in is downloaded on the end point for posture determination and to report the compliance status of the end point. The advantages of this are comparatively less memory and CPU overhead.
Enforcement is the pivotal element of the whole NAC architecture, as all the access decisions are implemented here. NAC offerings from vendors tend to favour their own product lines: for example some traditional network companies implement access control on their layer2/3 switch (which may be a difficulty for users who have different brand switches). Here are the possible enforcement options currently available in the market:
- Inline: includes firewalls, layer 2/3 switches and purpose built appliances.
- 802.1X: IEEE standard for port based access control.
- DHCP: IP assignment restrictions.
Considerations for inline devices are:
- Bandwidth requirements: must support the traffic and provide future scalability, or else the inline device will become the choke point.
- High availability: redundancy is expected, in case the primary inline device fails (and the time associated with fail over).
- The degree of separation provided between the endpoints and the business critical systems inside the network.
- Reporting from the enforcement device: for both compliant and non complaint endpoints.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.