To understand how access control is done in NAC products, you have to look along three dimensions: where access controls are enforced, how access control is communicated, and the granularity of access control. But first you need to decide if you want to enforce access control at all. There are two reasons why you might not want to.

One, actual enforcement may not be a goal. For example, if you just want to know your level of compliance with end-point security policies, NAC can help you detect and report on that, even if you don't want to kick someone off the network for being out of compliance.

You may think you have compliance already covered because, in theory, the endpoint security products running on your desktops and laptops already do this when hooked back to the central management console. But because NAC actually checks the compliance of everyone who wants to connect to the network, the reality is that, using NAC, you can find systems that the enterprise consoles don't know about.

The second reason not to enforce NAC is if your plans call for an initial "report-only" phase, prior to moving to enforcement. All the products we tested will let you operate in "report-only" mode.

In the products we tested, enforcement is not a big red switch that you flip. Instead, there's usually the option to not send enforcement instructions into the network, which may take a little digging to find.

Of course, depending on the type of NAC deployment you have, even "non-enforcing" NAC may be intrusive to network operations. For example, if you are planning on using 802.1X for authentication and enforcement, you have to get the basics of 802.1X right, or people won't necessarily be able to get on the network.

If you are very concerned about interfering with network traffic, you may want to look at Bradford Network Sentry, ForeScout CounterACT, and Trustwave NAC, all of which have an exceedingly light touch on the network when used in "observe only" mode.

Enforcement scenarios

Let's say you do decide to enforce access controls. There are four ways to do so: edge enforcement, deep in-line enforcement, protocol-based enforcement and hybrid enforcement.

Edge enforcement, which is a type of in-line enforcement, uses a device at the edge of the network. In the case of switched access, the edge is the switch port. Edge enforcement can also be used in wireless controllers and VPN concentrators, enforcing access at the point of connection to the network. Many NAC vendors call this "out of band" enforcement because their hardware is not enforcing access controls — your edge hardware is. But it's still very much an "in-band" enforcement.

Most products we tested support edge enforcement as an option, with the exceptions being Trustwave and McAfee.

If you move enforcement deeper into the network, that's "deep in-line" enforcement. Sometimes it's done at Layer 2 (the Ethernet layer) by a device that looks like a transparent bridge; other times at Layer 3 (the IP layer) by a device that looks more like a router or a firewall.

Alcatel-Lucent, Avenda, Cisco, Enterasys, Juniper, McAfee, and Symantec offer in-line devices that sit between the user and some part of the network to enforce access controls. For each of these products, deep in-line enforcement is an option, not a requirement.

Hybrid enforcement combines edge-based and deep in-line enforcement. The general idea is that the NAC device starts in-line with user traffic, and then at some point gets "out of the way" by reconfiguring the network to use edge enforcement. The best example of this is in McAfee's N-450 NAC Appliance.

Because hybrid enforcement is, well, a hybrid, not every NAC product works the same way as the McAfee N-450 NAC Appliance when in hybrid mode. Some NAC products reserve hybrid mode for users who are authenticating via Web browsers, a more intrusive way of controlling access, but a common model for guest users.

Many products offer multiple types of hybrid operation as well, depending on whether they are sitting as a Layer 2 or Layer 3 device. If you do choose hybrid or deep in-line operation, make sure you're buying enough boxes. Some products, such as Cisco NAC Appliance and Symantec NAC Enforcer 6100, can operate in one mode or the other, but not both, so if you want to use both in your NAC deployment, you may need to buy additional hardware.

Protocol-based enforcement is an option in Alcatel-Lucent SafeNAC, ForeScout CounterACT, Microsoft NAP and Trustwave NAC. In this model, the actual enforcement depends on devices playing by the rules of the protocol, because there is no real enforcement actually happening.

A good example is DHCP-based enforcement, which is an option with Alcatel-Lucent SafeNAC and Microsoft NAP. With DHCP-based enforcement, end devices are given an IP address that somehow restricts where they can go, such as by manipulating the subnet mask or the default gateway.

As long as the device plays by the rules and listens to what it is told via DHCP, the NAC will "enforce" access controls. If the device starts to cheat, perhaps by not DHCPing in the first place, then the NAC isn't able to enforce access controls.
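Because DHCP-based enforcement cannot stop a device that ignores DHCP, the practical compensating control is detection: compare the DHCP server's lease table with the MAC/IP bindings actually seen on the network. The following is an added example, not code from any of the products reviewed; the subnets, MAC addresses and record layout are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data; subnets, MACs and record layout are assumptions.
QUARANTINE_NET = ip_network("10.99.0.0/24")  # restricted scope for non-compliant hosts

# DHCP server lease table: MAC -> (leased IP, lease expiry in epoch seconds)
LEASES = {
    "00:11:22:33:44:01": ("10.10.0.21", 2000),  # compliant host, production scope
    "00:11:22:33:44:02": ("10.99.0.15", 2000),  # non-compliant host, quarantine scope
    "00:11:22:33:44:03": ("10.10.0.40", 1200),  # lease lapses at t=1200
}

# (epoch seconds, MAC, IP) bindings seen on the wire, e.g. from switch ARP tables
OBSERVED = [
    (1000, "00:11:22:33:44:01", "10.10.0.21"),
    (1010, "00:11:22:33:44:02", "10.10.0.77"),
    (1020, "00:11:22:33:44:09", "10.10.0.90"),
    (1500, "00:11:22:33:44:03", "10.10.0.40"),
    (1030, "00:11:22:33:44:02", "10.99.0.15"),
]

def classify(ts, mac, ip, leases=LEASES):
    """Return None if the binding matches a live lease, else a reason string."""
    lease = leases.get(mac.lower())
    if lease is None:
        return "no_lease"               # device never asked DHCP for an address
    leased_ip, expiry = lease
    if ip_address(ip) != ip_address(leased_ip):
        # Host was handed a restricted address but is using a different one.
        if ip_address(leased_ip) in QUARANTINE_NET:
            return "quarantine_escape"
        return "ip_mismatch"
    if ts > expiry:
        return "lease_expired"          # still using an address it no longer holds
    return None

def find_dhcp_bypass(observed=OBSERVED, leases=LEASES):
    """List (ts, mac, ip, reason) for every binding DHCP did not sanction."""
    findings = []
    for ts, mac, ip in sorted(observed):
        reason = classify(ts, mac, ip, leases)
        if reason:
            findings.append((ts, mac, ip, reason))
    return findings

if __name__ == "__main__":
    for finding in find_dhcp_bypass():
        print(*finding)
```
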

Protocol-based enforcement is most appropriate in environments where you aren't trying to keep off malicious users. For example, if you have good physical security in your building, your main NAC goal may be end-point security compliance, not authentication.

ForeScout and Trustwave strongly encourage you to use protocol-based enforcement for part of your deployment. Both use more sophisticated mechanisms than simply playing with DHCP. For example, Trustwave NAC poisons ARP caches to redirect traffic to the Trustwave NAC appliance, which then sits in-line during initial authentication and end-point security checks.

Several NAC products also support something we call Host-based Access Control. We didn't test this because it seems to be a different product category, but it is an option in products including Alcatel-Lucent SafeNAC, Juniper UAC, Microsoft NAP and McAfee ePolicy Orchestrator NAC. In host-based access controls, the enforcement is pushed to the end devices.

If you're looking for products with the most flexibility, Alcatel-Lucent SafeNAC, Avenda NAC, Cisco NAC Appliance, Enterasys NAC, Juniper NAC and Symantec NAC are at the top of our list because they let you choose what you want: in-line or edge.

When you're only looking at users on switches, that flexibility may not seem all that important, but our experience with real networks and their myriad installations of hidden switches (like that one on your desk that isn't managed or even official), wireless networks, and VPNs to branch offices and remote users has taught us that flexibility counts for a lot.