5 Questions to Ask a NAC Vendor (submitted by ForeScout Technologies)
Today's enterprises face the daunting challenge of securing their globally dispersed networks without disrupting productivity or business continuity. With the proliferation of devices and connection methods, the increasing mobility of employees, the ongoing virtualization of business, and the need to grant controlled access to partners, contractors, and customers, the network perimeter is quickly becoming a thing of the past. In this dynamic environment, network access control is the only means to ensure security without compromising end-user productivity.
What is Network Access Control?
Network access control is designed to answer some of the most critical network security questions:
- Who and what is on my network?
- Are they compliant with my security policies?
- Are they a threat to my network?
But when it comes to selecting and implementing a NAC solution, it often seems like there are more questions than answers. Common questions include:
- Will every device be detected and inspected?
- How can I manage guest/contractor devices?
- Do I have to install and manage agents?
- Will enforcement disrupt my business?
- Do I have to add another inline device?
- Do I have to upgrade my infrastructure?
How Does NAC Work?
A comprehensive NAC solution consists of four fundamental functions: detect, inspect, enforce, and monitor.
- DETECT every device connecting to the network.
- INSPECT each device to ensure it is in compliance with corporate security policies.
- ENFORCE to grant, restrict or deny access, and remediate detected non-compliances and vulnerabilities.
- MONITOR devices throughout the connection session.
Customize NAC Enforcement
Flexible enforcement is a must-have feature of any NAC system that is to provide appropriate security without disrupting business operations. Each industry has vastly different security needs based on the nature of its business, its type of network environment and operations, and its regulatory compliance requirements. Different policies, and the violations that follow from them, require that each response action be tailored to the severity of the policy violation and to the security objectives of the organization.
For example, organizations in the financial sector implement stringent rules with restrictive and blocking actions against potential vulnerabilities, to ensure the safety of sensitive and confidential company and customer data. Hospitals, on the other hand, detect and remediate all non-compliant devices and vulnerabilities on their networks but generally cannot impose severe enforcement actions, because doing so would risk disrupting access to critical patient data.
Non-Disruptive Deployment
A gradual deployment is a key element of a successful NAC implementation. As policies are created, network administrators identify the non-compliance trends and develop effective enforcement and remediation options. Concurrently, the end users can be informed about the nature of their violations and provided with remediation options to avoid any potential network service disruptions. By the time enforcement is activated, only a small segment of the user base is affected, significantly reducing disruption of productivity.
Benefits of a NAC Solution
Any NAC system you consider must offer the following fundamental benefits:
Regain End-Point Control
Network access control gives IT and security managers unprecedented control of all network devices, and identifies common trends in security and compliance issues. Every endpoint is subject to compliance checks, regardless of whether the device belongs to an employee, guest, or VPN user, or is a non-OS-based device such as a printer or VoIP phone. The result is quick identification and remediation of problems without network disruptions or loss of user productivity.
Shape End-User Behavior
Unified policy management shapes end-user behavior by informing and educating violators. The policy enforcement engine not only grants, limits or restricts access, but also notifies users of how they fall short and assists them in remediating the problem. The result is increased compliance with corporate network security standards, improved productivity, and reduced involvement on the part of IT staff.
Automate IT Processes
A properly deployed NAC system must seamlessly integrate with other network services to achieve its full potential. By interacting with systems such as identity management, helpdesk, and remediation, NAC further expands the power of IT automation to keep the network secure without disruption of service to end users. The result is greater control of network security, automation of a significant portion of response procedures, and a greatly reduced load on security and IT teams.
Deploy Without Disruptions
By seamlessly integrating with real-world heterogeneous networks without requiring infrastructure overhauls or additional inline devices, NAC can be implemented without costly equipment upgrades or lengthy downtimes. NAC policies and enforcement actions can be deployed gradually across network segments, while flexible enforcement options provide a controlled approach to addressing policy violations. The result is improved network security and availability, increased user productivity, and a faster return on investment in a NAC system.
5 Key Questions to Ask a NAC Vendor
- Does it detect every device without requiring prior knowledge of the endpoint?
- Does it interrogate every device without requiring software clients/agents?
- Does it detect threats and vulnerabilities in real time before and during connection?
- Does it provide a range of flexible enforcement options for varying policy violations?
- Does it deploy and enforce without causing network disruptions?
ForeScout’s NAC Solution: CounterACT
ForeScout’s CounterACT is the only non-disruptive, clientless NAC solution to deliver granular endpoint inspection and access control while eliminating the usual mandatory “quarantine upon connection” phase and moving users immediately into productivity. CounterACT detects and identifies all connecting and connected devices without a client, and all security checks include deep interrogation for bullet-proof security, but are immediate and completely transparent to the user. CounterACT delivers a wide range of policy enforcement options to custom-fit response actions to policy violations to ensure there are no disruptions to the network or normal business operations. CounterACT is deployed completely out-of-band, and requires no equipment upgrades or costly infrastructure changes.
The ForeScout Difference
ForeScout’s clientless NAC is the only solution in the industry that delivers these essential features:
Detects every device connecting to the network without requiring a client
Upon connection to the network, CounterACT immediately determines whether the device is company-owned or belongs to a guest or contractor. If the device is part of the domain, CounterACT launches a device scan to check its policy compliance status. If the device is not part of the domain, CounterACT offers multiple enforcement mechanisms to automatically ensure the guest or contractor has enough access to remain productive without compromising the security of the enterprise network. The in-depth scan of managed and unmanaged devices requires no client or agent to reside on the device.
Interrogates all devices for security compliance and malicious code
CounterACT monitors all devices at the point of connection and throughout the duration of the connection for any form of self-propagating malicious threat. If an infected system attempts to gain access to the network, CounterACT’s integrated IPS provides real-time detection and protection against the spread of known or zero-day threats. This is accomplished without a quarantine-by-default requirement, so compliant users do not experience any change in login behavior. Once CounterACT has established the remote login, a deep inspection of the system is conducted, allowing policies to be created and enforced based on any combination of system variables (e.g., antivirus status, OS patch levels, allowed/disallowed applications, active processes).
Enforcement tailored to violation
CounterACT provides a full spectrum of enforcement actions to provide a high level of flexibility in addressing minor and moderate policy violations. CounterACT enables configuration of granular policies in which the level of restriction corresponds to the severity of a policy violation. This functionality ensures that interruption of user productivity is limited only to critical network security violations.
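The detect/inspect/enforce/monitor cycle, the domain-versus-guest branch, the posture variables listed above (antivirus, patch level, processes) and the severity-graduated enforcement profiles of the financial and hospital examples, pulled together in one small policy engine. This is an added illustration, not ForeScout or CounterACT code; the posture dictionary keys, rule set, sector profiles and the `p2pclient.exe` process name are all constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable

class Action(IntEnum):
    """Enforcement actions ordered from least to most disruptive."""
    ALLOW = 0
    NOTIFY = 1    # grant access, tell the user how to fix the violation
    RESTRICT = 2  # limited (remediation or guest) network access
    BLOCK = 3

@dataclass
class Rule:
    name: str
    compliant: Callable[[dict], bool]  # posture dict -> True if compliant
    severity: str                      # "minor" | "moderate" | "critical"
    remedy: str                        # text sent to the user

# Constructed sector profiles: severity -> action (the hospital avoids blocking).
PROFILES = {
    "financial": {"minor": Action.NOTIFY, "moderate": Action.RESTRICT, "critical": Action.BLOCK},
    "hospital": {"minor": Action.NOTIFY, "moderate": Action.NOTIFY, "critical": Action.RESTRICT},
}
FORBIDDEN_PROCESSES = {"p2pclient.exe"}  # constructed "not allowed application"
RULES = [
    Rule("antivirus running", lambda p: p.get("av_running", False), "moderate", "start the antivirus service"),
    Rule("OS patches current", lambda p: p.get("missing_critical_patches", 0) == 0, "moderate", "install pending patches"),
    Rule("no forbidden apps", lambda p: not set(p.get("processes", [])) & FORBIDDEN_PROCESSES, "minor", "close unapproved applications"),
    Rule("no malware", lambda p: not p.get("malware_detected", False), "critical", "contact the helpdesk for cleanup"),
]

def evaluate(posture: dict, sector: str):
    """INSPECT one endpoint's posture and ENFORCE: returns (action, findings)."""
    if not posture.get("domain_member", False):
        # Guest/contractor device: no deep scan; limited access keeps it productive.
        return Action.RESTRICT, ["guest device: limited access network"]
    profile = PROFILES[sector]
    action, findings = Action.ALLOW, []
    for rule in RULES:
        if not rule.compliant(posture):
            action = max(action, profile[rule.severity])  # the worst violation decides
            findings.append(f"{rule.name} ({rule.severity}): {rule.remedy}")
    return action, findings

def monitor(snapshots: list, sector: str) -> Action:
    """MONITOR: re-evaluate posture snapshots taken during the session and return
    the most restrictive action reached, so a device that was compliant at login
    is not trusted unconditionally for the rest of the session."""
    return max((evaluate(s, sector)[0] for s in snapshots), default=Action.ALLOW)
```

The same non-compliant laptop lands in a restricted network under the financial profile but only receives a notification under the hospital profile, which is the graduated behaviour the text describes.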

Deploy and enforce without disruptions: Out-of-Band Deployment
CounterACT is typically deployed from a distribution switch. The out-of-band deployment ensures there is no disruption to the network, IT staff, or compliant users. With integrations into most switching infrastructure, CounterACT can, when a policy violation is detected, leverage remediation systems to automatically guide non-compliant users into compliance.

CounterACT Product Profile
The CounterACT product profile from our NAC Product Selection Guide, the industry's most comprehensive and current analysis of NAC products, is now viewable online.