Network Admission Control - Best Practices

While NAC may EVENTUALLY be one of the most POWERFUL security solutions you ever deploy, prudence should govern every decision every step of the way.

  1. Aim High Strategically, But Proceed Cautiously. Yes, it is important to have a big vision for NAC in your organization. Possibility-thinking is essential to wringing out the most long-term benefits. But be careful NOT to "set the bar" too high with complex policies, large-scale implementations or aggressive rollout schedules. Start small. Keep it simple. Plan well. Define modest stages. Monitor results. Learn. Adapt. Keep learning.
  2. Security Policies. One of the hardest parts of implementing a NAC solution is defining a manageable yet effective set of compliance-checking, enforcement and remediation policies. What types of checks will be performed? When and how often? And if a device is deemed non-compliant how will user access privileges change? Will immediate remediation be required? What types of warnings will be displayed to users? How will policies vary by user? Device? Location? Will role-based AND resource-based access control be employed?

  3. "Walk before you run". Your implementation strategy should emphasize monitoring first, then warnings, then "appropriately" tight controls. Identify a small number of user communities and implement the most basic security policies first. These might be remote users, guests and contractors, and anyone who uses a local wireless LAN.

  4. Continual Education. Emphasize everyone's education and your learning about what is really going on in your network. Educating users rather than changing their privileges is critical especially during transition periods.
  5. Disruptive Technology. NAC is a naturally disruptive technology, so migrating to a NAC solution requires a great deal of planning and education of IT and security personnel and end users. Users previously granted broad network privileges will be "unsettled" by messages that they have either been denied access or have had privileges restricted. Situation-based policies will create even more confusion: "How come I could access X yesterday from our sales office but not from my home computer?" Expect user support calls to rise sharply even with the best communications program.
  6. User Transparency I. The "end-to-end" design of remediation services is critical to how secure your end devices are and to how well NAC will be received by the user and IT community. User transparency and automation are the best routes to minimizing costs and resistance to NAC. Implement automation early with small-scale NAC deployments and proactively learn what works best in your organization.

  7. User Transparency II. Some NAC solutions will automatically perform device scans when the user is NOT online and then remediate many compliance problems without any user involvement whatsoever. That can make users very happy and reduce the number of support calls.
  8. Testbeds. Before you roll out any new phase of a NAC solution, thoroughly test it on a subset of users in order to fully understand how it impacts your organization. We guarantee you will be surprised by the many valuable lessons you will learn. Make adjustments and test again BEFORE rolling out ANY changes in NAC operation to a wider community.
  9. Heterogeneous Device Types. Many NAC solutions work most effectively with Windows devices. That is, the most in-depth inspections are performed by solutions that require NAC clients on end devices and most vendors only offer these clients for Windows. If you want in-depth inspections in a heterogeneous device environment there are few choices today.
  10. Compliance Checking. Not all NAC solutions perform the same set of inspections. While most can be customized somewhat, you will likely prefer out-of-the-box solutions that fit your specific environment.
  11. Rogue Devices. Detecting and reporting the presence of unauthorized devices on production networks is one of the most significant potential benefits of NAC. We recommend that you seriously consider a solution that authenticates both MAC addresses and IP addresses and safeguards against circumvention using static IP addresses.
  12. For additional perspectives on NAC Best Practices we recommend you read the following analysis:

    Network Admission Control: Balancing Security and the User Experience
    Two strategies and a dozen tips help you improve your NAC implementations

  13. Frameworks vs. Products. Major security vendors (e.g., Cisco, Microsoft, Check Point and Nortel) have all announced NAC strategies and some products. Be aware that their offerings remain immature and they have many "holes" to fill in their product lines. You can learn more about these vendors' products by viewing our NAC vendor directory and following links to their web sites.
  14. Embedded 802.1X port-level control. Authentication via 802.1X, RADIUS servers and compatible network access points and end devices is considered the most secure way to quarantine devices prior to authenticating users. Unfortunately, these upgrades can be costly to install and maintain. Someday this functionality will be built in to all network equipment and simply turned on when licensed by the enterprise.
  15. In-line Intrusion Protection. Vendors of in-line NAC enforcers often include malicious activity/code protection by scanning traffic for attack signatures or behavioral, protocol and traffic anomalies. Make sure you fully understand what these security capabilities really can do and how these features impact performance.
  16. In-line versus out-of-band NAC enforcement. In-line NAC enforcers are installed upstream of (some) LAN switches; out-of-band systems work through (some) network equipment. Both work equally well in heterogeneous network environments. While vendors typically portray the important tradeoffs as being performance and reliability, in reality the actual differences depend more on how different systems are designed and configured. Most in-line appliances use high performance ASICs and system performance is driven largely by the amount of processing associated with intrusion protection.
  17. NAC Failure. No implementation plan is complete until you have figured out how to smoothly handle any problems with the NAC system itself. How will users be affected if any NAC component fails or is misconfigured? Who is responsible for ensuring contingency plans will actually work as expected? How do you know that sound recovery processes are in place?
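The staged rollout in items 2, 3 and 17 (monitor, then warn, then enforce, with a pre-decided answer for when the NAC component itself cannot report) can be modelled as a small policy evaluator. This is an added example, not code from the article or any NAC vendor; the role names, location names, check names and device records are assumptions constructed for illustration.

```python
# Added example (not from the article): a NAC posture-policy evaluator that
# applies the same checks at three rollout stages (monitor -> warn -> enforce)
# and has an explicit fail-open/fail-closed decision for agent failures.
# Role names, locations, check names and device data are constructed.
from dataclasses import dataclass

# Required posture checks per user role (assumed role names).
ROLE_CHECKS = {
    "employee":   {"av_running", "av_signatures_fresh", "os_patched"},
    "contractor": {"av_running", "av_signatures_fresh", "os_patched", "firewall_on"},
    "guest":      {"av_running"},
}
# Locations that tighten policy regardless of role (assumed location names).
HIGH_RISK_LOCATIONS = {"wireless", "vpn"}

@dataclass
class Device:
    mac: str
    role: str
    location: str
    posture: dict | None   # check name -> bool; None if the agent could not report

def evaluate(dev: Device, stage: str, fail_mode: str = "open") -> tuple[str, list[str]]:
    """Return (action, failed_checks). action is 'allow', 'warn' or 'quarantine';
    stage is 'monitor', 'warn' or 'enforce'."""
    if dev.posture is None:
        # Item 17: decide in advance what happens when the NAC component fails.
        # 'open' keeps users working (log and investigate); 'closed' quarantines.
        action = "allow" if fail_mode == "open" else "quarantine"
        return action, ["posture_unavailable"]
    required = set(ROLE_CHECKS.get(dev.role, ROLE_CHECKS["guest"]))
    if dev.location in HIGH_RISK_LOCATIONS:
        required.add("firewall_on")          # item 2: policy varies by location
    failed = sorted(c for c in required if not dev.posture.get(c, False))
    if not failed:
        return "allow", []
    # Item 3: same findings, escalating consequence as the rollout matures.
    if stage == "monitor":
        return "allow", failed               # log only, no user impact
    if stage == "warn":
        return "warn", failed                # user notified, access unchanged
    return "quarantine", failed              # enforce: restrict to remediation network
```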
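Item 11 asks for a solution that ties MAC and IP addresses together and resists static-IP circumvention. The following added example (not from the article or any vendor) shows the correlation such a check performs: an authorized inventory is compared against an observed ARP table and the DHCP lease table, flagging unknown MACs, in-range addresses with no lease (the static-IP bypass case) and MAC/IP mismatches. All inventory, ARP and lease records are constructed sample data.

```python
# Added example (not from the article): correlating an authorized device
# inventory with observed ARP entries and DHCP leases to flag the rogue-device
# cases named in item 11. All records below are constructed sample data.
import ipaddress

# Authorized inventory: MAC -> asset label (constructed).
INVENTORY = {
    "00:11:22:33:44:01": "workstation-finance-07",
    "00:11:22:33:44:02": "printer-floor2",
}
# Observed ARP table on the segment as (mac, ip) pairs (constructed).
ARP_TABLE = [
    ("00:11:22:33:44:01", "10.20.0.15"),
    ("00:11:22:33:44:02", "10.20.0.40"),
    ("de:ad:be:ef:00:99", "10.20.0.250"),   # MAC not in inventory
    ("00:11:22:33:44:01", "10.20.0.16"),    # known MAC on an address with no lease
]
# Active DHCP leases: ip -> mac (constructed).
DHCP_LEASES = {
    "10.20.0.15": "00:11:22:33:44:01",
    "10.20.0.40": "00:11:22:33:44:02",
}
DHCP_POOL = ipaddress.ip_network("10.20.0.0/24")

def find_rogues(inventory, arp, leases, pool):
    """Return a sorted list of (mac, ip, reason) findings for review."""
    findings = []
    for mac, ip in arp:
        mac = mac.lower()
        if mac not in inventory:
            findings.append((mac, ip, "unknown_mac"))
        lease_mac = leases.get(ip)
        if lease_mac is None and ipaddress.ip_address(ip) in pool:
            # Address is inside the managed range but DHCP never issued it:
            # a statically configured host sidestepping DHCP-based admission.
            findings.append((mac, ip, "static_ip_no_lease"))
        elif lease_mac is not None and lease_mac.lower() != mac:
            # Lease belongs to a different MAC: address reuse or spoofing.
            findings.append((mac, ip, "ip_mac_mismatch"))
    return sorted(findings)
```

A real deployment would feed this from switch ARP/MAC tables and the DHCP server's lease database rather than static dictionaries, and would raise each finding into the same monitor/warn/enforce workflow as posture failures.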
