Network executives planning to deploy network access control should start with very specific goals, not intricate schemes to quarantine and remediate insecure devices, shut down badly behaving machines and record every connection each device attempts to make on the network.

That's because comprehensive NAC roll-outs are costly and complex, and the technology is young enough that even if the goals are simple, the implementation may not be.

For instance, Erickson Retirement Communities in Maryland, wanted NAC to block intentionally malicious users from gaining access to the network. "If you can't authenticate successfully, you're going to end up in some dirty VLAN that gives you Internet access, and that's it," says Scott Erickson, the company's CTO, who oversees the firm's 14 campuses.

"I want contractors to be able to get traffic in and out, and if auditors are here, for them to use their VPN s. That's really what I was after with NAC."

But even that focused agenda is difficult for Erickson to achieve, for two reasons. One, he has been trying to implement the technology while keeping an eye on his budget. And two, all the elements he needs are not ready, although vendors he works with talk about them as if they are.

This dilemma stems from the many definitions of NAC being bandied about. Initially, NAC as defined by Cisco was a response to the Blaster worm that ravaged networks in 2003. The goal was to check that endpoints had proper patches and updated security in operation before they gained network access.

Since then, useful additions such as internal intrusion-detection/prevention gear have been tacked on to the definition. Notoriety of the technology has soared, and based on the expanded definition, NAC has been split into two parts: pre-admission and post-admission.

Erickson was interested in pre-admission controls that tie users and machines to policies. He wanted machines to identify themselves as issued by the company or not, then have users identify themselves and use a combination of the two identity checks to determine what, if any, access they get. "Now, if it's a combination of the two, I'll put you into a fully accessible VLAN," he says.

Erickson figured he had all the elements he needed. His Cisco switches are software upgraded to handle 802.1x port-level policy enforcement, and his Cisco Access Control Server (ACS) RADIUS server is interoperable with Active Directory.

Lots of catch-22s

But it wasn't as simple as he thought. For Cisco switches to enforce the policies using 802.1x port authentication, each machine being screened needs 802.1x supplicant client software, and Cisco didn't have any ready late last year when Erickson was ready to go.

He hoped Microsoft would come up with a supplicant for Windows XP that would work with Cisco switches, but it didn't. So his first thought was to pilot Cisco NAC using Microsoft Vista and its 802.1x supplicant. "I have three sites with about 100 PCs each that I just opened, and I'm going to flip all three of them. Those will be my pilot sites," Erickson says. At least that was the original plan.

Now, he's considering a more costly alternative -- installing Cisco NAC appliances at each site. He has so many sites that the cost is high, he says. But he may be forced into eating the extra cost in the interest of avoiding a long wait while bugs are worked out of Vista.

As Erickson's experience points out, NAC can have pitfalls. "There's lots of pieces and parts to NAC, and the number of vendors makes it hard," says Zeus Kerravala, an analyst with the Yankee Group.

But Kerravala points out that Erickson has done many things right in his deployment, such as examining whether existing policy-storage directories can fit into the NAC scheme a customer is considering. He says that if a company has Active Directory in use, they should be able to leverage it in a Cisco NAC implementation, rather than buying Cisco's Clean Access Server.

In addition, businesses should first deploy NAC to a small group of technically savvy users at different sites, just as Erickson plans to do. "Learn your lessons with them and build off that, then roll it out more broadly," Kerravala says.

And Kerravala recommends starting with an appliance even if the goal is to embed NAC in the network infrastructure. "A network upgrade is expensive, and an appliance lets you test the technology before you commit to one," he says.

The no-client, appliance approach

Brett Childress, the director of IT Infrastructure for instrumentation vendor National Instruments, says he wanted a NAC appliance from the outset. Two years ago when he started looking, his network vendor, Cisco, had no workable NAC equipment, and he wanted to avoid any NAC scheme that required client software.

He also was interested in post-admission NAC to guard against malware that gets past virus screening. He selected Mirage Networks gear from among limited choices, primarily because it required no client software. "We just didn't want another piece of software spread around on machines that we would have to keep updated and would make us worry about multi-platform support," Childress says. National Instruments desktops run multiple flavours of Windows, Linux and Macintosh.

The company doesn't use a formal pre-adrmission NAC product, instead relying on frequent operating-system patches and anti-virus signature updates to protect the network from infected machines, Childress says. "With a layered defence of central-managed anti-virus, patch management via SMS and with Mirage on top of that, we feel fairly comfortable," he says.

But that could change if the company broadens its remote-access program to include machines owned by employees that are not maintained by National Instruments. Childress says he would have to examine the cost of pre-admission NAC compared with its benefits, because it tells the status of the connecting machines' defences, not whether they have actually been infected.

"I'm checking they have anti-virus installed and turned on, a DAT file that's not more than a week out of date, that they have the most recent critical update from Microsoft," Childress says. "The reality is you're not checking for all these other potentially unknown pieces of malware that could be installed on that machine."

The philosophy of the company is to allow employees unrestricted access to resources and the Internet as long as that behaviour doesn't endanger the network. "We tend to shy away from super-strict, up-front secure policies," he says, and use Mirage to defend against attacks that freedom might enable. "We want to provide an adequate safety net to protect the productivity of the company. We would never want one user's actions to take down the department for a day."

The price of pre-admission

Advertising and marketing firm Omnicom Group, based in New York, has adopted ForeScout's Counteract appliance that performs pre-admission NAC. The firm needed this capability because it has so many travelling employees who use their laptops off network for weeks on end, then return with the laptops behind in updates and patches and possibly infected, says CIO Kenneth Corriveau.

Since installing Counteract about a year ago, the company makes sure that systems coming on the network are patched and have current virus definitions. Based on their status they are denied access or assigned to specific VLANs, Corriveau says. The pre-admission NAC also checks whether users have filed time sheets and denies access until they are done.

In general, it is important to err on the side of caution, Kerravala says, to avoid unintended disruptions. The classic example: forcing the CEO's laptop to update virus definitions before it can connect to the network. Is the annoyance worth the marginal protection the network gains by the update? "Be careful what you deploy," he says. "What you put in must not prohibit workflow."

That is why it is key to get support for NAC from the top. In particular, managers for lines of business should be part of setting policies that will establish to everyone that the cost and possible delays caused by NAC are deemed worthwhile, Kerravala says.

Corriveau says he enlisted business groups to suggest what post-admission policies were appropriate to their units, but recommended any policies put in place be tested first for unforeseen effects. For instance, his initial policies with the ForeScout gear picked up administrative access to SQL databases as malicious traffic, which it then blocked. Tweaking the policy corrected the problem, he says.

Despite some shortcomings in the real world, NAC has drawn so much attention that it has solidly worked its way into long-term corporate network planning. According to Harte-Hanks Aberdeen Group, 44 percent of IT decision makers polled recently plan to implement some form of NAC this year.

A separate survey by TheInfoPro last autumn put the proportion likely to implement or develop a NAC plan at 37 percent, down from 54 percent earlier last year, but still a significant number. The decline was perhaps influenced by the late release of Microsoft's Vista client that is essential to many NAC deployments.

These results suggest that limited, controlled NAC deployments are the way to go.