Before the 4th, I posted on the access-control side of NAC. I compared it with web access control and examined some similarities. This week, I want to look at the other side of NAC: admission control.
NAC as Network Admission Control
Treating NAC as admission control is more of a network/threat-centric approach. There are some basic characteristics of NAC as admission control:
• Health and configuration validation and remediation
• Machine authentication to the network infrastructure
• Assignment of IP address
Health checking is a common NAC function. This is just good housekeeping and it is something that every organization, big or small, needs to do. There are a variety of ways to check the health state of a connecting endpoint and most are fairly simple to do. The challenge is managing the remediation of a sick endpoint. This is where the real skill of NAC vendors (and, a lot of the time, their partners) comes into play. How do you quarantine? What configuration management and software distribution tools are used to remediate the problems? How do you orchestrate all of these pieces working together? This is non-trivial work and there are a lot of vendors out there doing really great stuff.
The next two items are not truly mandatory functions for admission control, but they are important nonetheless. Some form of machine authentication is lumped in here: RADIUS, 802.1X, EAP. This is one approach to ensure that only organization-owned laptops are on the network. What concerns me is the conflation of me with my laptop. In order to truly understand what is going on inside the network, user and machine identity have to be treated separately. I am not my laptop and my laptop is not I.
Last, getting an IP address is the final step of admission. Some NAC vendors integrate with DHCP services to orchestrate all the necessary steps for admission, including address assignment. I’m not saying that DHCP services need to be embedded into the same product that does health analysis, but it is the last step to network admission and should be treated with importance.
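To make the three admission characteristics concrete, here is an added example (my own toy code, not anything from the original post or from a NAC vendor) that runs an endpoint through machine authentication, health validation with a remediation list, quarantine placement, and address assignment, and then writes an audit record that keeps machine identity and user identity as separate fields. The posture thresholds, VLAN names, address pools, and sample endpoints are all constructed assumptions.

```python
"""Toy NAC admission pipeline: machine auth -> health check -> quarantine/remediate -> address.

Constructed example; thresholds, VLAN names, address pools and endpoint identities are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumed posture policy (not from the post).
MAX_SIGNATURE_AGE_DAYS = 7
REQUIRED_PATCH_LEVEL = 3

# Assumed per-VLAN address pools; quarantine gets its own segment so a sick
# endpoint can only reach remediation services.
POOLS = {
    "vlan-prod": ipaddress.ip_network("10.10.0.0/24"),
    "vlan-quarantine": ipaddress.ip_network("10.99.0.0/24"),
}
_next_host = {name: 10 for name in POOLS}  # next host offset handed out per pool


@dataclass
class Endpoint:
    machine_id: str              # device identity, e.g. from 802.1X machine authentication
    user_id: str                 # person logged on; tracked separately from the device
    machine_authenticated: bool  # did the device prove its identity to the infrastructure?
    av_signature_age_days: int
    patch_level: int
    host_firewall_on: bool


@dataclass
class Decision:
    verdict: str                 # "deny", "quarantine" or "admit"
    vlan: str                    # segment the port is placed in ("none" when denied)
    address: str                 # address handed out, or "" when denied
    remediation: list = field(default_factory=list)


def health_findings(ep: Endpoint) -> list:
    """Return the remediation actions a sick endpoint needs; empty means healthy."""
    findings = []
    if ep.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        findings.append("update-av-signatures")
    if ep.patch_level < REQUIRED_PATCH_LEVEL:
        findings.append("install-patches")
    if not ep.host_firewall_on:
        findings.append("enable-host-firewall")
    return findings


def assign_address(vlan: str) -> str:
    """Hand out the next address from the VLAN's pool (stand-in for DHCP integration)."""
    net = POOLS[vlan]
    offset = _next_host[vlan]
    _next_host[vlan] += 1
    return str(net.network_address + offset)


def admit(ep: Endpoint) -> Decision:
    # Step 1: machine authentication. An unknown device never reaches the health check.
    if not ep.machine_authenticated:
        return Decision("deny", "none", "")
    # Step 2: health validation. A sick endpoint is quarantined together with the
    # exact list of fixes, so configuration-management tooling knows what to do.
    findings = health_findings(ep)
    if findings:
        return Decision("quarantine", "vlan-quarantine",
                        assign_address("vlan-quarantine"), findings)
    # Step 3: address assignment on the production segment completes admission.
    return Decision("admit", "vlan-prod", assign_address("vlan-prod"))


def audit_record(ep: Endpoint, d: Decision) -> dict:
    """Log machine and user identity as separate fields: the user is not the laptop."""
    return {"machine": ep.machine_id, "user": ep.user_id,
            "verdict": d.verdict, "vlan": d.vlan, "address": d.address,
            "remediation": list(d.remediation)}


if __name__ == "__main__":
    # Constructed sample endpoints.
    healthy = Endpoint("LAPTOP-0042", "alice", True, 2, 3, True)
    stale = Endpoint("LAPTOP-0077", "bob", True, 30, 1, True)
    unknown = Endpoint("unregistered-device", "", False, 0, 0, False)
    for ep in (healthy, stale, unknown):
        print(audit_record(ep, admit(ep)))
```

The ordering is the point: identity of the device is established before any posture data is trusted, the quarantine decision carries the remediation list rather than a bare "fail", and the address is only handed out once the segment is known. The audit record is where the "I am not my laptop" argument shows up in practice: correlating later network activity requires both fields.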
Will the real NAC please stand up?
In conversations, blog entries, and analyst papers, which NAC is being discussed? I feel that both are necessary to have a complete story, but each side has a different heritage and mindset. Using NAC as an abbreviation blurs the distinction between what is required for admission versus access control. We can do better. Anyone up for renaming this market Network Admission and Access Control – NAAC?