NAC Forum
Mobile Comm
Global e-Business
News & Insights
Contact Us


Security breach at Target part 2
FIDO Alliance Seminar
Security Breach at Target
Myth on Web Service Security
End-to-End Security for Cloud Computing
Optimize Security Services in the Cloud
Data at Rest, Data at Risk
Data Security Best Practices
DOD Common Criteria
Need for Information Security Professionals
Protect Social Security Info
Virtual VPN Gateway
Don't Hack the Ox!
6 eSecurity Pitalls
Data Security at Risk
CCNA Certification
NAC Forum
eSecurity Market
eSecurity Philosophy
PC Security
eSecurity Facts
Encryption Tool
Checking Security
Identity Theft
Home PC Security
eSecurity Training
Security Software
eSecurity & You
Web Security
Browser Security
Spyware & Viruses
448 Bit Encryption
Vital PC Security
Spyware Security
What's PC Security
Optimize eSecurity
Delete Cookies
Basic SB Security
eSecurity 101
Email Security

NAC Forum

By Steve Tsai, Managing Editor, Internet Journal

Network Computing held a forum on Network Access Control at Fairmont Hotel in San Jose on January 25, 2007. John Siefert, the publisher of Network Computing (, was very gracious to invite me to the forum. The forum participants included both the NAC vendors as well as the NAC users, mostly the IT directors and the CISOs. NAC vendors present were Symantec, HP, Microsoft, Nortel, Foundry, Lockdown, Bradford, Vernier, ConSentry, and Camas.

 This report highlights some of the issues discussed in the forum. In next week's RSA conference there is dedicated sessions and demo for the NAC vendors interoperating with Microsoft NAP in Vista and Longhorn environment.

NAC (Network Access Control) is a part of the overall security framework. It deals with security policies, authentication and compliance check, policy enforcement (admission, or quarantine and remediation), access control, and on-going monitoring. From a user viewpoint, standards in NAC is clearly needed to improve the interoperability among these solutions. The debate about whether the in-band or out-of-band solution is better is missing the bigger picture, since the checking and monitoring is only a part of the overall NAC requirements. Conceptually, the policy setting and policy enforcement should be separated. From the user standpoint, the more practical considerations are:

  • Close match with the stated (business) objectives and requirements
  • Ease of implementation
  • Minimal impact on existing infrastructure
  • Granularity of the access control
  • Flexibility for future expansion
  • Ease of isolation, quarantine, and the transparency in remediation
  • Ease of on-going security administration, monitoring, and mitigation

The IT Perspective

It is always interesting to hear the users' perspective on the problems they face in the real world. This panel discussion has the following participants:

  • Steve Campbell, director of network services, Beckman Coulter, a biotech company and a user of Lockdown Networks' solution.
  • Mazen Abu-Hijley, director, networking, Cedars-Sinai Medical Center and a user of Vernier Networks' solution.
  • George Owoc, director, business admin, EADS Astrium North America, a defense and aerospace company
  • Brian Nichols, chief IT security & policy officer, Louisiana State Univ. a user of Microsoft NAP.
  • Steve Berg, director of IT, Omneon, a digital media storage company and a user of ConSentry Networks' solution.

Here are some highlights of the key issues that these IT security people are facing and how they approach them>

The environment:

At Cedars-Sinai, there are patient access, guest access, and contractor access, in addition to the internal staff access. Using Vernier's solution, patients and guests have access to the Internet only; contractors can access some resources in a restricted area.

At Omneon, a hi-tech company, Internet access is expected, you can't refuse to let CEO's guests access the Internet for information they need. Employees may bring in infected laptops, these must be quarantined right away and the users should be identified, not the IP addresses, for quick trackdown. ConSentry does that well.

What are the requirements?

In hospitals, the focus is to save lives. IT is to provide services both to the hospital personnel as well as the patients and visitors. It has to be transparent to them.

Interoperability is important. The solution must work with the existing environment without forklift or massive change to the infrastructure.

What is the ROI?

For hospitals, if there is a computer virus outbreak in the hospital, everything go back to paper process, this is unacceptable. Therefore, having the policy and the granularity to enforce it is critical.

In-band or out-of-band NAC?

Users may use the in-band NAC solutions like Vernier, ConSentry, or Caymas, but they will try them in the lab initially as an out-of-band monitoring tool. Once they gain the confidence that they function properly, they will turn on the in-band monitoring, still in the test environment. Once it is proven working, they will then roll it out, still initially as an out-of-band monitoring tool and gather information first.

Words of wisdom

Define the problem you try to solve first (usually a business problem) and then find solutions and work with the vendors.

Keep cost in mind. Universities don't have a lot of money to spend.

KISS, keep it simple, the real cost is labor and downtime to the company, not the cost of the product.


NAC deals with access control for those users (for authentication) and machines (for compliance) that can physically connect to the corporate network. The users and machines can attach to the corporate network via a number of ways, wired LAN, wireless LAN, IPSEC VPN, and SSL VPN. Therefore, the access control must encompass all of these access points. In terms of users, they can be visitors and contractors on the corporate premises, remote branch offices, at home employees, or mobile employees. Since some of these users are inside the premises of a corporation, therefore, they have already gone beyond the perimeter.

NAC consists of policy setting, verification of credential and compliance, control the access either admission or quarantine, if admitted, continued monitoring for compliance and abnormal behaviors and enact containment if security breach occurs. If the inspection fails, block the access or quarantine the machine and perform remediation.

For IT decision makers, the following guidelines are helpful in selecting the NAC solutions:

  • Define the business and regulatory requirements first
  • Have an overall picture of the current and future IT infrastructure regarding network topology, user types, access methods, and security layers.
  • Keep the cost of implementation and on-going operations and the cost of security breaches (real or false alarm) in mind in addition to the cost of the solution when evaluating a NAC solution.
  • Keep it simple, use centralized policy console for ease control and management, minimize the number of appliances or end point agents required to implement the NAC.
  • Choose flexible access control policy setting to allow for role based, location based, connection type based, and time based access permission for a granular access control.
  • Communicate with the user communities to educate and prepare them for the NAC deployment.

About The Author
Steve Tsai is the Managing Editor of the
Internet Journal Internet Journal provides the insights and analysis on Internet marketing, eCommerce, mobile communications, eSecurity, and global e-Business. If you have any comments about Internet Journal, please send email to


[Home] [eMarketing] [eSecurity] [Mobile Comm] [Global e-Business] [News & Insights] [Contact Us]