By Joel Snyder
Network World, April 3, 2006
Original Article on Network World Web Site
Generic network access control at its core is a simple concept: Who you are should govern what you're allowed to do on the network.
When all of the parts are in place, NAC will be a way to apply a policy for network access across LAN, wireless and VPN infrastructures. The access-control policy in NAC could range from simple, such as a go/no-go decision on network access or a choice of virtual LANs, or it could be as complex as a set of per-user firewall rules defining which parts of the network are accessible.
Within a NAC deployment, the IT manager uses three main elements to pick an access-control policy: authentication, endpoint-security assessment and network environmental information.
Authentication is the straightforward "Who are you?" transaction that users are accustomed to with other applications. As a concept, NAC doesn't have special requirements for authentication.
A good NAC deployment would use the same authentication system as other applications. For example, if you're applying NAC to a remote access IPSec VPN tunnel, you should use the same authentication to bring up the IPSec tunnel as you do to authenticate a user.
Endpoint security assessment is the most complex part of selecting a policy in NAC, but it's also the driving factor for deploying NAC in the first place.
The underlying idea is that the security posture of the connecting laptop, desktop or server should be a part of access control policies. For example, if a connecting system doesn't have the standard corporate anti-virus package, the user should get a different access control policy than if everything is installed and all the signatures are up-to-date.
Network environmental information is a small but important part of selecting access policies in a NAC scheme. Environmental information might be circumstantial data about whether you're connecting via a wireless network or through a VPN, or whether you're in the building or in another country.
These circumstances play into the decision of what access control policy is assigned to the connecting system.
For example, if you're coming in on a VPN, you might not be able to get to as many parts of the network as if you were in the building.
NAC is a hot buzzword; therefore, this component-level definition of what NAC is won't map directly to all NAC products and architectures.
But most products being offered as part of an overall NAC strategy include at least some component, if not all, of this definition.