
Has your organisation deployed Network Access Control (NAC) security? About 25% of European IT organisations have already done so, and that number is expected to grow to 45% by 2012.
What is causing this increase? Is NAC appropriate for your organisation?
This article will provide an overview of today’s advanced NAC technologies to help you decide whether NAC might be useful for your organisation.
Why more IT security?
In the not-so-distant past, securing your network was quite simple: install a firewall; install anti-virus; and stop employees from taking their desktop computers out of the office. Of course, this fortress paradigm is now obsolete.
Two major changes are driving organisations to re-think IT security:
1) In today’s business environment, connectivity is essential to keep pace with a global marketplace. Greater connectivity means we have more guests, more contractors and more business partners trying to access our networks. This increases the challenge of securing a corporate network. Traditional network security solutions, such as firewalls and intrusion prevention systems, provide no protection from insider attack.
2) More data is being lost, both from malicious attack and from employee carelessness. The desire to protect sensitive data has caused many CIOs to invest in new forms of security such as data encryption and data loss prevention. But these security technologies are based on software, which is hard (almost impossible) to completely deploy and maintain. In some organisations, fewer than 50% of the computers are fully compliant with the organisation’s security policy, despite best efforts by the IT organisation.
Network Access Control addresses both challenges
Modern Network Access Control technologies are uniquely capable of dealing with the chaos of the modern IT infrastructure. Today’s leading-edge NAC products can:
• Give you 100% visibility of everything and every person on your network. NAC can automatically distinguish visitors from employees, authorised from rogue devices. Once identified, NAC can make automatic decisions about which devices and which users should be granted network access.
• Control which portions of the network each user can access. NAC can integrate with your existing network directory and provide role-based access control for both employees and contractors.
• Ensure that 100% of your endpoint security software – such as anti-virus, patch management, encryption, and data loss prevention (DLP) agents – is deployed and working properly. NAC can set and enforce security policies on endpoint computers, ensuring that you obtain full value from your existing investment in software security products.
Next-generation NAC is easy to install
NAC was invented in 2003, but the first two generations of products were complex and hard to install: You had to install new switching technologies, fit endpoint computers with new agents, and deploy servers that were dedicated to storing and managing access control policies. As a result, early NAC products did not enjoy widespread adoption.
Fast-forward to 2010. ForeScout Technologies has developed a third-generation NAC product that is radically easier to install than previous NAC technologies. ForeScout’s product is an appliance that typically installs within one day. It works with your existing network infrastructure – all brands, all devices. There is no software to install, no hardware upgrades.
Is NAC right for you?
If you meet two or more of these criteria, you are a good candidate for NAC technologies:
• You are concerned about security, particularly about data security.
• You regularly have guests and contractors visiting your office, bringing their laptop computers with them.
• Your network is connected to other organisations’ networks – either partners or firms that you have acquired.
• You already have three or more security agents running on your desktop computers—anti-virus, anti-spyware, firewall, patch management, encryption, data loss prevention, etc.
• You have 500 or more devices on your network.
Here are a few examples of how ForeScout has helped customers protect their networks:
• SITA UK employs 6000 people across 230 locations in the UK. SITA evaluated several different NAC solutions, including the NAC solution provided by their existing network infrastructure vendor. SITA chose ForeScout NAC because it was so easy to deploy – no hardware upgrades, no software installation. ForeScout NAC allows SITA to ensure that only authorized users are on their network, and to enforce endpoint security policies. For more information, see www.forescout.com/success_stories/sita.html.
• London South Bank University has around 23,000 students and 2,500 staff. They deployed ForeScout NAC to protect their internal network from malware carried in from student computers and iPhones. Not only has ForeScout’s NAC appliance improved their security, it has also saved them money through automation. Now, when a staff computer’s anti-virus is out of date, the University no longer needs to send an engineer to fix the problem; they utilise ForeScout NAC to automatically remediate the security deficiency. For more information, see www.forescout.com/success_stories/london_university.html.
• Culpeper County Government, in the United States, deployed ForeScout NAC for three reasons: 1) To protect classified data. 2) To block malware such as Conficker. 3) To comply with government regulations. For more information, see www.forescout.com/success_stories/culpeper_county.html.
About the author
Gord Boyce is CEO of ForeScout Technologies, Inc. Gord oversees all of ForeScout's operations and advanced development decisions. Prior to ForeScout, Gord held several senior management positions within the Nokia Internet Communications group and with VoIP pioneer, Vienna Systems. Gord holds a Bachelor of Engineering and Management in Electrical Engineering from McMaster University in Ontario, Canada.