As it sets up a network access control (NAC) infrastructure to rein in the wide range of transient workers who have legitimate needs to access its network, Mercy Medical Center in Baltimore has run into business challenges that are proving more difficult than the technical ones.

Those who need to gain network access include residents, interns, rotating medical staff, nurses and doctors from other hospitals with credentials to practice at Mercy, says Mark Rein, director of IT.

They use devices ranging from notebooks to PDAs and mobile phones. "At any given time I have people on my network and I have no idea who they are and who is maintaining their equipment," he says.

Soon after he started working at the hospital nine months ago, he set about looking for NAC gear that could check whether machines signing onto the network meet security standards and would authorise them to access only those resources they need to reach.

"We had one person dedicated for three months just testing NAC products," he says, declining to say which ones. "We've been under non-disclosure with several companies the last nine months."

He finally settled on ConSentry's LANShield to scan machines for compliance, then restrict them to the resources they are cleared to reach. The device can also divert machines that fail the scan to remediation sites where they can fetch the updates needed to pass it.

But before he could get the device to work, he had to determine which workers had legitimate needs to access which resources. Some workers need the hospital information system, which holds broad patient information including insurance details; others may need only medical records, he says.

"First you need to understand your user base, where they need to go, where they don't need to go, and segregate their traffic appropriately," Rein says.

"You have to identify what you're trying to protect, identify different segments you might need to set up," Rein says. That translates into policies set up for the ConSentry gear to enforce. "The policy gets to what you need to know and what you don't need to see," he says.

Rein says he was attracted to ConSentry because it requires no installation of clients on all the legitimate machines that need to be scanned and no creation of extensive virtual LANs (VLANs) to segregate users from resources, as other schemes require. "It decomplicates a lot of what Cisco and everybody else tried to complicate by creating thousands of different VLANs or hundreds of VLANs to segregate your traffic," he says.

Instead, the ConSentry gear ties into policies set in Active Directory and segregates traffic directly, he says. Even so, writing rules that restrict access to more than 220 servers and about 800 applications is a long process.
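The model Rein describes, a posture check first and then a per-role restriction derived from Active Directory group membership, with a remediation path for machines that fail, is simple to express as policy logic. The Python below is an added example written for this page; it is not ConSentry's policy language, nor Mercy's rule set, and every user, group, resource name, posture attribute and log entry in it is constructed. It also goes one step beyond the text: the `policy_gaps` check compares a drafted rule set against observed access, which is the "understand where they go" work Rein says consumed most of the project.

```python
"""
Toy model of identity-based NAC policy: agentless posture check, then
default-deny resource access as the union of Active Directory group grants,
with a remediation path for non-compliant or unknown devices.
All users, groups, resources and posture attributes are constructed for the
example; this is not ConSentry's policy format or any real hospital's rules.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set, Tuple

# Constructed directory snapshot: user -> AD groups (hypothetical names).
DIRECTORY: Dict[str, FrozenSet[str]] = {
    "dr_lee": frozenset({"Physicians", "Cardiology"}),
    "resident_01": frozenset({"Residents"}),
    "billing_ann": frozenset({"Billing"}),
    "visiting_md": frozenset({"VisitingPhysicians"}),
}

# Constructed policy: AD group -> resources that group may reach. A user gets
# the union over all of their groups; anything not listed is denied.
GROUP_POLICY: Dict[str, FrozenSet[str]] = {
    "Physicians": frozenset({"emr", "pacs", "lab"}),
    "Residents": frozenset({"emr", "lab"}),
    "Cardiology": frozenset({"cardio-echo"}),
    "Billing": frozenset({"his-billing"}),
    "VisitingPhysicians": frozenset({"emr"}),
}

# Hosts every machine may reach so a failed device can fetch what it needs to pass.
REMEDIATION: FrozenSet[str] = frozenset({"patch-server", "av-update"})


@dataclass(frozen=True)
class Posture:
    """Constructed attributes an agentless scan might report about a device."""
    av_signature_age_days: int
    os_patched: bool
    firewall_enabled: bool


def posture_failures(p: Posture, max_sig_age_days: int = 3) -> Tuple[str, ...]:
    """Return the failed checks; an empty tuple means the device is compliant."""
    failures = []
    if p.av_signature_age_days > max_sig_age_days:
        failures.append(f"av signatures {p.av_signature_age_days}d old")
    if not p.os_patched:
        failures.append("os patches missing")
    if not p.firewall_enabled:
        failures.append("host firewall disabled")
    return tuple(failures)


@dataclass(frozen=True)
class Decision:
    allowed: FrozenSet[str]   # resources this session may reach
    quarantined: bool         # True when limited to remediation hosts only
    reasons: Tuple[str, ...]  # failed checks, or granting groups, for the audit log


def authorize(user: str, posture: Posture) -> Decision:
    """Posture first, then identity: default deny, union of group grants."""
    groups = DIRECTORY.get(user)
    if groups is None:
        # Unknown principal: no grants, but leave remediation reachable so the
        # device can be fixed and enrolled instead of silently black-holed.
        return Decision(REMEDIATION, True, ("unknown user",))
    failures = posture_failures(posture)
    if failures:
        return Decision(REMEDIATION, True, failures)
    allowed: Set[str] = set(REMEDIATION)
    for g in groups:
        allowed |= GROUP_POLICY.get(g, frozenset())
    return Decision(frozenset(allowed), False, tuple(sorted(groups)))


def permitted(user: str, posture: Posture, resource: str) -> bool:
    return resource in authorize(user, posture).allowed


# Constructed log of accesses seen while running in monitor-only mode.
OBSERVED: Tuple[Tuple[str, str], ...] = (
    ("dr_lee", "emr"), ("dr_lee", "cardio-echo"), ("dr_lee", "pacs"),
    ("resident_01", "emr"), ("resident_01", "pharmacy"),
    ("billing_ann", "his-billing"), ("visiting_md", "emr"),
)


def policy_gaps(observed: Iterable[Tuple[str, str]]) -> Tuple[Set[str], Set[str]]:
    """Return (needed_but_denied, granted_but_unused) as 'user:resource' pairs.

    The first set would break real workflows if the draft were enforced; the
    second is over-provisioning to question. Posture is taken as compliant
    because this check is about the identity rule set, not device health.
    """
    ok = Posture(0, True, True)
    seen = set(observed)
    needed_but_denied = {f"{u}:{r}" for u, r in seen if not permitted(u, ok, r)}
    granted_but_unused: Set[str] = set()
    for u in DIRECTORY:
        for r in authorize(u, ok).allowed - REMEDIATION:
            if (u, r) not in seen:
                granted_but_unused.add(f"{u}:{r}")
    return needed_but_denied, granted_but_unused


if __name__ == "__main__":
    print(authorize("dr_lee", Posture(10, True, True)))  # quarantined, stale AV
    print(authorize("dr_lee", Posture(0, True, True)))   # union of both groups
    print(policy_gaps(OBSERVED))
```

Run in monitor-only mode first and iterate on `GROUP_POLICY` until `policy_gaps` returns an empty "needed but denied" set; only then switch to enforcement. Unknown users and failed postures land in the same remediation-only state deliberately: a device that can reach the patch server but nothing else is far easier to support than one that simply disappears from the network.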

"We're now seven months into the process," he says. "It's taken us quite a long time to develop the rule set because we had to go out and spend a lot of time with our end-user community to understand where they go. The most complicated part of the process is understanding the business needs of your end users. We're still working on it. We're probably at 20 percent potential of the product."

Rein says that the most important thing for businesses considering NAC is to test the gear thoroughly before committing to it. "There are a lot of promises out there these days from vendors that will cure and fix all your woes. Test them before you buy them because the promises are out there but the delivery is minimal," he says. "NAC is a really great idea in concept, but it's a lot of analysis up-front."