By: shanna November 13, 2007 5:16 pm
Location: Sunnyvale, CA


One good way to classify NAC products is to ask the question “Where is the evaluation step done?” This simple question divides NAC systems into three groups:

  • In-Band - Most NAC appliances do evaluation and enforcement in one box. Nice and simple! The downsides are cost and scalability. If you want to do enforcement at the edge of your network (which is better from a security standpoint), you must buy a lot of NAC appliances (often one to replace each edge switch). Still, in-band NAC is popular with customers who have a small network or only need NAC in one part of their network.
  • Out-Of-Band - Larger NAC vendors often use an out-of-band NAC architecture. Evaluation is done by central NAC servers and enforcement is done by separate network devices, such as switches or firewalls. If your existing network equipment can be used for enforcement, this approach can be much more economical than an in-band approach. Another advantage of out-of-band NAC is that one central NAC server can integrate with multiple enforcement points and other security devices for greater security and efficiency: evaluate once, enforce many times. As for concerns with out-of-band NAC, the NAC server must be rock solid and scalable. Otherwise, network access will grind to a halt.
  • Endpoint-based - Doing evaluation on the endpoint is attractive because it’s so cheap. No network equipment needs to be changed. Unfortunately, it’s not very secure. Really, it’s just an honor system. You must trust the endpoint to evaluate its own identity and health and decide what level of access it should get. This doesn’t pass the sniff test.

I hope this simple analysis provides some insight into the pros and cons of different approaches. Which approach looks like it will work best for you? Write me a comment and let me know.



By: shanna November 7, 2007 7:06 am
Location: Sunnyvale, CA


Assessment is a key part of any NAC system: gathering data about the endpoint and the user before an access control decision is made. There are so many different ways to do assessment. Let’s take a look at them.

  • Agent - Placing permanent software (an “agent”) on the endpoint allows security checks to remain in force even when the endpoint is not connected to the network. However, many companies and most guests are reluctant to install a permanent agent.
  • Web-based - A lightweight solution for guests and others is to download a bit of software (ActiveX or Java) through the user’s web browser and do a quick scan of the system. However, there are many limits to what this scan can check.
  • None - How can you scan an endpoint without any software on it? There are several options. You can probe it from the network (port scan or RPC) or monitor its communications (passive assessment). For some devices like printers, this is the only option. The security provided is less than can be obtained with other methods. Still, probing and monitoring are valuable techniques that should not be underestimated.

As you can see, each of these options has its pros and cons. Many NAC systems these days offer all three choices, allowing administrators to use different client software for different users and devices.
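To make the "None" option above concrete, here is an added example (not code from the original post or any NAC product) of agentless assessment: the NAC server builds a record for each endpoint purely from what it observes on the wire plus a light probe, and records what it could not learn. The sensor line format, the DHCP option 55 signature table, and the MAC addresses are constructed for illustration; a real deployment would rely on a maintained fingerprint database rather than these sample values.

```python
"""Agentless ("none") assessment: classify endpoints from what they reveal on
the network, with no software installed on them.

Added example, not the post's own code.  Observation lines, signature table
and device classes are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed signatures: DHCP option 55 (parameter request list) sequences
# that, in this sample, stand for a device class.  Hypothetical values, not
# real vendor fingerprints.
DHCP_SIGNATURES = {
    "1,3,6,15,119,252": "workstation",
    "1,3,6,12,15,42": "printer",
    "1,3,6,15,26,28,51,58,59": "voip-phone",
}

# Services a network printer typically exposes (JetDirect 9100, LPD 515, IPP 631).
PRINTER_PORTS = {9100, 515, 631}


@dataclass
class Assessment:
    mac: str
    method: str                      # "agent", "web", or "agentless"
    device_class: str = "unknown"
    evidence: List[str] = field(default_factory=list)
    # Agentless assessment cannot see patch level or AV state.  Record that
    # honestly so the evaluation step treats health as unknown, not as good.
    health_known: bool = False


# Constructed sensor format: "<timestamp> <mac> <key>=<value>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<mac>[0-9a-f:]{17}) (?P<key>\w+)=(?P<val>\S+)$")


def parse_observations(lines) -> Dict[str, Dict[str, str]]:
    """Group sensor lines by MAC: {mac: {key: value}}; skip malformed lines."""
    obs: Dict[str, Dict[str, str]] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        obs.setdefault(m["mac"], {})[m["key"]] = m["val"]
    return obs


def classify(mac: str, fields: Dict[str, str]) -> Assessment:
    a = Assessment(mac=mac, method="agentless")
    sig = fields.get("dhcp_params")
    if sig in DHCP_SIGNATURES:
        a.device_class = DHCP_SIGNATURES[sig]
        a.evidence.append(f"dhcp option55={sig}")
    # The probe result corroborates (or contradicts) the passive DHCP guess.
    open_ports = {int(p) for p in fields.get("tcp_open", "").split(",") if p}
    hits = open_ports & PRINTER_PORTS
    if hits:
        a.evidence.append(f"printer ports open={sorted(hits)}")
        if a.device_class == "unknown":
            a.device_class = "printer"
        elif a.device_class != "printer":
            # Conflicting evidence: do not silently pick one; flag for review.
            a.device_class = "conflict"
    return a


def assess_agentless(lines) -> Dict[str, Assessment]:
    return {mac: classify(mac, f) for mac, f in parse_observations(lines).items()}


# Constructed sample sensor output.
SAMPLE_LINES = [
    "2007-11-07T07:00:01 00:11:22:33:44:55 dhcp_params=1,3,6,12,15,42",
    "2007-11-07T07:00:02 00:11:22:33:44:55 tcp_open=9100,515",
    "2007-11-07T07:00:03 66:77:88:99:aa:bb dhcp_params=1,3,6,15,119,252",
    "2007-11-07T07:00:04 66:77:88:99:aa:bb tcp_open=135,445",
    "2007-11-07T07:00:05 cc:dd:ee:ff:00:11 dhcp_params=1,3,6,15,119,252",
    "2007-11-07T07:00:06 cc:dd:ee:ff:00:11 tcp_open=9100",
    "garbage line the parser must skip",
]

if __name__ == "__main__":
    for mac, a in assess_agentless(SAMPLE_LINES).items():
        print(mac, a.device_class, "health_known=%s" % a.health_known, a.evidence)
```

The point of the `health_known` flag and the `conflict` class is the security caveat from the post: agentless assessment tells you less, so its output should say so explicitly, and the evaluation step should grant such devices a narrower access level rather than assuming they are healthy.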



By: shanna November 1, 2007 12:14 pm
Location: Sunnyvale, CA


Now that we have a simple definition of NAC, let’s take a closer look at how it works. The NAC process generally has three steps:

  1. Assessment - identifying systems to check and gathering data about them
  2. Evaluation - deciding what network access should be granted
  3. Enforcement - enforcing decisions made during the Evaluation step

NAC may include other steps like remediation (fixing problems with the endpoint) and ongoing monitoring (of endpoint behavior and health) but the three steps listed above are the primary ones. Let’s look at each of those steps in more detail.

Assessment is all about gathering the data needed to make a NAC decision. This can include information about endpoint health, user identity, endpoint identity, and even other things like endpoint behavior and geographical or network location. There are many ways to do assessment: installing software on the endpoint, running a remote scan, etc.

Evaluation varies from one NAC system to another but it generally involves comparing the information gathered during the assessment step against a NAC policy to decide what network access should be granted. These policies can be complex with different policies for different groups. For example, “engineers have no endpoint requirements but can only access engineering equipment and company-wide services”.

Enforcement ensures that the appropriate level of network access is granted, based on the results of the Evaluation step. There are many ways to do enforcement: with switches, wireless access points, firewalls, etc. Each approach has its own pros and cons.
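The three steps above, as an added example that is not the post's own code or any vendor's product: an assessment record goes through a group-based policy (including the "engineers have no endpoint requirements but can only access engineering equipment and company-wide services" rule from the Evaluation paragraph) and the resulting decision is then rendered for two separate enforcement points, a switch and a firewall. That last part also illustrates the out-of-band "evaluate once, enforce many" idea from the first post on this page. Group names, VLAN numbers, network names and the switch and firewall command syntax are all assumptions made for illustration.

```python
"""The NAC process: Assessment -> Evaluation -> Enforcement.

Added example, not the post's own code.  Groups, policy rules, VLAN ids,
network names and the enforcement command syntax are assumed values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Assessment:
    """Step 1 output: what was learned about the user and the endpoint."""
    user: str
    group: str                      # from the identity store (assumed groups)
    av_running: Optional[bool]      # None = not assessed (e.g. no agent)
    patched: Optional[bool]
    location: str = "wired"         # network location is also a NAC input


@dataclass
class Decision:
    """Step 2 output: the access level the policy grants, and why."""
    access: str                     # full | engineering | guest | remediation | deny
    reason: str


# Step 2 policy: different rules for different groups.  "engineers" encodes
# the post's example: no endpoint requirements, but limited reach.
POLICY = {
    "engineers": {"require_health": False, "access": "engineering"},
    "staff":     {"require_health": True,  "access": "full"},
    "guests":    {"require_health": False, "access": "guest"},
}


def evaluate(a: Assessment) -> Decision:
    rule = POLICY.get(a.group)
    if rule is None:
        return Decision("deny", f"no policy for group {a.group!r}")
    if rule["require_health"]:
        # Unknown health (None) fails the check, never passes it: missing
        # data must not grant more access than bad data would.
        if not (a.av_running and a.patched):
            return Decision("remediation", "health check failed or not assessed")
    return Decision(rule["access"], f"group {a.group} policy")


# Step 3: enforcement.  The same Decision is rendered for two enforcement
# points (evaluate once, enforce many).  All values below are assumed.
ACCESS_TO_VLAN = {"full": 10, "engineering": 20, "guest": 30, "remediation": 99}
ACCESS_TO_NETS: Dict[str, List[str]] = {
    "full":        ["corp-any"],
    "engineering": ["eng-lab", "company-wide-services"],
    "guest":       ["internet-only"],
    "remediation": ["patch-server"],
}


def enforce_on_switch(d: Decision, port: str) -> str:
    """Render the decision as a switch port VLAN assignment (assumed syntax)."""
    if d.access == "deny":
        return f"interface {port} shutdown"
    return f"interface {port} switchport access vlan {ACCESS_TO_VLAN[d.access]}"


def enforce_on_firewall(d: Decision, ip: str) -> List[str]:
    """Render the same decision as firewall rules (assumed syntax)."""
    rules = [f"permit {ip} -> {net}" for net in ACCESS_TO_NETS.get(d.access, [])]
    rules.append(f"deny {ip} -> any")   # default deny closes every rule list
    return rules


def nac_pipeline(a: Assessment, port: str, ip: str) -> dict:
    d = evaluate(a)
    return {
        "decision": d,
        "switch": enforce_on_switch(d, port),
        "firewall": enforce_on_firewall(d, ip),
    }


if __name__ == "__main__":
    samples = [
        Assessment("alice", "engineers", av_running=None, patched=None),
        Assessment("bob", "staff", av_running=True, patched=False),
        Assessment("carol", "staff", av_running=True, patched=True),
        Assessment("guest1", "guests", av_running=None, patched=None),
        Assessment("dan", "contractors", av_running=True, patched=True),
    ]
    for s in samples:
        r = nac_pipeline(s, "Gi1/0/7", "10.0.0.5")
        print(s.user, r["decision"].access, "|", r["switch"], "|", r["firewall"])
```

Two design choices carry the security weight: an endpoint whose health was never assessed lands in remediation rather than being waved through, and a user in a group with no policy is denied outright instead of falling into some default access level.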

In order to really understand NAC, we need to dive deeper. I’m going to write a separate article on each of these steps, looking at the various technologies people use (802.1X, firewalls, NAC appliances, etc.) and the pros and cons of each.

