When it comes to NAC and LAN security, I hear people talk about pre- and post-admission. What are the benefits of each?
The functions associated with pre- vs. post-admission NAC are quite different, and as a result, the benefits of each differ as well. Sometimes called pre- and post-connect, the terms refer to the features associated with admitting someone onto the LAN - the pre-admission steps - versus the functions involved in controlling users after they're on the LAN - the post-admission features.
Pre-admission NAC includes authenticating a user's login credentials and checking whether the user's computer meets your security standards. These authentication and posture check steps are a critical first step to securing your LAN and provide several key benefits. First, you can use authentication to quickly separate corporate users from guests. You can further delineate between employees and contractors with authentication, provided you've included contractors in your authentication database and have designated them as such. This fundamental feature enables you to block access to anyone who doesn't belong on your LAN in the first place.
The posture-check step is key to preventing the spread of malware - primarily known malware. Posture-check or endpoint-validation technologies range in capabilities, but in general, they provide the benefit of detecting the presence of malware or other signs of a compromised system. Some of the more fully featured systems allow you to customise what the posture-check software should look for on a system, including changes to the Registry file, the presence of adware or spyware, or company-specific files or other markers that should be on company-owned assets.
To truly gain the malware-avoidance benefits of posture-check software, you'll need to look for solutions that can span both managed and unmanaged systems. If you're only ever checking the corporate-owned computers, for instance, you'll leave yourself open to infection by guest machines. Support for unmanaged machines will require downloadable or dissolvable posture-check software, since you won't be able to pre-load software on guest machines.
To sum up the benefits of pre-admission checks, you'll ensure that only the right people and "clean" machines are able to get onto your LAN.
Turning to post-admission features, the benefits shift a little. Keep in mind that any system that offers post-admission control can nearly certainly offer pre-admission features - the same can't be said in reverse. But post-admission control features really run the gamut, from limited capabilities such as VLAN steering, where the system drops authenticated users into specific VLANs based on role or group, to full-functioned control over what servers and applications a user can run based on role, location, time of day, and other metrics.
The benefit of these post-admission capabilities is that you gain far greater control over what users can do after they're already on your LAN. This level of control, in turn, should lead to better protection of your sensitive corporate assets.
For example, if a LAN security system can let you set policies that say only users in the engineering role can access blueprint files, then you've added significant protection against an onsite contractor being able to access those documents and forward them to a competitor.
This level of control, provided it comes with extensive user tracking, offers the additional benefit of helping with auditing and compliance. Being able to readily demonstrate that such restrictions are in place, and logging all user activity and all access into specific resources, provides the kind of reporting that simplifies meeting an auditor's demands.
For most companies, the benefits of both pre- and post-admission control functions are essential to truly protecting the business. Solving only part of the problem, with pre-admission only features, rarely provides the security needed.
Jeff Prince is chairman and CTO of ConSentry Networks.