1. Decide Which Part of NAC You Want
Perhaps you're trying to balance a more mobile workforce with a need to compartmentalize and segregate pieces of the network, restricting user access to the part of the network they need to do their jobs. In that case, the granular access control part of NAC might be your reason for investigation. Or your organization might be fighting viruses, Trojan horses and bots, making validation of end-point security posture a primary reason to add NAC.
Sharpen your focus to what matters most to you and what will help you the most before looking at a single product.
2. Recognize That NAC Isn't a Product
NAC is not something you buy. Rather, it's a combination of technologies you mix together to increase your level of control.
NAC is like dynamic network routing with Router Information Protocol, Open Shortest Path First or Border Gateway Protocol: You didn't buy "dynamic routing." You bought routers, firewalls and virtual private network equipment. NAC is the same concept: different products working together to build an interoperable NAC solution.
Approach NAC as a technology rather than a purchase order. You'll be able to re-use infrastructure you've already deployed, saving dollars and time. When you talk to vendors about deploying NAC, focus on integration and interoperability with what you already own.
3. Consider the Clients
Whether you use an installed client such as Cisco Systems' or Juniper's, a built-in supplicant such as the Microsoft Network Access Protection supplicant in Vista or a so-called dissolving client such as the option Trend Micro offers, you'll find that building security policy and enforcing posture assessment are straightforward for Windows clients. The challenge lies in working with non-Windows users, guests and embedded devices.
Users may bring their own notebooks using different versions of Windows, Macintosh or Linux operating systems. And what about that snazzy Nokia E61i smartphone your boss just got? Palm devices, Windows Mobile, Symbian -- all are being deployed for an increasingly mobile workforce that needs to access the network.
Guests represent another edge case to consider carefully in your NAC deployment, especially if you have deployed a wireless local area network. With personal firewalls and a variety of browsers, you will find checking end-point security offers little, if any, useful information. Yet guest users might have a real need to get on the network: Think contractors, auditors or participants in a multiagency meeting.
Finally, make sure you handle embedded devices, such as printers. You can't leave their ports unprotected, yet printers are not going to run a NAC client to report end-point status.
NAC affects all of the devices on your network, not just the ones you think the most about.
4. Link IDS/IPS to NAC
NAC can check to see if an end-point complies with security policy, but it can't ensure that an infected system is blocked from your network. Tools such as intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) can help verify that trusted systems and users are behaving in a trusted way.
Consider IDS/IPS as part of your NAC solution, by using the IDS/IPS to identify misbehaving users and machines and NAC to map problems back to individual users. Keep the pressure on your NAC vendor to ensure that an automated link between IDS/IPS and your NAC solution is available as quickly as possible.
5. Overcome Organizational Hurdles
NAC crosses boundaries of security teams, network infrastructure teams and desktop/operating system support teams. Each must bring something to the table in defining NAC policies, applying access controls and implementing NAC throughout the network. The greatest chance of success occurs when all of the major stakeholders come together early on and work out issues and obstacles.
Many government agencies use a combination of staff, contractors and outsourcing, which can make agreement and cooperation difficult, especially for a new technology. If your organizational and political challenges seem insoluble, then focus on NAC-like solutions that reside entirely on the end-point, such as those available from Microsoft, Senforce and Symantec, because they don't require such broad agreement within the organization.
6. Keep Remote Access in Mind
In the world of NAC, most vendors are focused on the enterprise LAN, but your security concerns might extend equally to remote-access environments.
Searching for a single NAC product that can work equally well in both environments will lead you to compromises in one direction or the other. You'll find that some vendors, including Check Point, Cisco Systems, Juniper and Symantec, are closer to having a single unified solution, but no one has the perfect answer.
7. Educate Up and Down
When NAC is in place, the network becomes a monitored, controlled and gated facility that a user can't just plug into. In agencies focused on education or research, or those with broad service mandates, this might be an abrupt change and require some rethinking and re-educating.
Some early education up and down your staff hierarchy on benefits and costs in terms of convenience will go a long way toward reducing surprises and increasing acceptance.
NAC is user-focused, network-based access control.
Being user focused differentiates NAC from other access control schemes, such as firewalls, where Internet Protocol addresses are usually used to differentiate among users. With NAC, we're authenticating a real person and defining access controls based on who that user is. User focus can include not just identity but also information such as where the user is on the network, the kind of system the user has, and the state of end-point security. Being network based means that NAC occurs in the network itself. This isn't software that runs on a PC and which might play nice or not.
Finally, access control in the simplest case is go or no go: A user either gets on the network or doesn't. More commonly, IT managers may choose to use VLAN-based access control: A user is put on a particular VLAN (such as production, remediation or guest) based on authentication and end-point security posture assessment results.
Use What You Have
Ready to investigate NAC? You might already have some NAC components that you don't need to buy. For example, Cisco Systems, Enterasys, Extreme Networks or Hewlett-Packard switches purchased in the last three to five years probably already have the features you need for a NAC deployment.
Did you invest in Juniper NetScreen firewalls or a Juniper (Funk) Radius server? Juniper has been a big supporter of standards-based NAC, and those pieces can be part of your solution.
Are you planning on Microsoft Windows Server 2008 (Longhorn)? Microsoft is including many NAC components in Longhorn and Vista -- and you've already budgeted for them.