Tuesday, August 07, 2007

6 tips for selecting the right all-in-one NAC product

Network World

Product Test and Buyer's Guide




Product Test and Buyer's Guide, 08/07/07


By Joel Snyder

The market is swimming in NAC all-in-one appliances. Here is some advice about how to narrow the field to offerings that suit your network’s needs.


1. Prioritize your requirements for authentication, endpoint security, access control and overall management before you start shopping.

NAC products vary in how they mix these four components. We found that all-in-one NAC products tend to emphasize endpoint security over authentication, access control and management, because this is the biggest pain point for network managers looking for an immediate NAC solution. This doesn’t mean you can’t find an all-in-one product that has strong authentication or enforcement features, but you will need to look a little deeper at how each product works in those areas to be sure it will meet your requirements.

2. Don’t be frightened by the scalability bogeyman.

Most all-in-one NAC products have some inband component(s) — even if it’s inline only at some point during the user-connection process. Any time a device is in the critical path between users and their data, there is the potential for a performance bottleneck. All-in-one NAC products that are completely inline between users and the rest of the network are going to require careful performance engineering. Many all-in-one NAC vendors try to avoid the perception of a performance problem by taking a hybrid approach: Their products sit inline only during authentication, endpoint-security checking and/or enforcement procedures; then they get out of the way by reconfiguring your switching infrastructure on the fly.

Some of these same vendors are responsible for spreading FUD about competing NAC implementation approaches. Avoid the FUD factor by realizing that all approaches have trade-offs, and there is no silver bullet that makes all performance problems disappear in all environments. Instead, make sure you know what your true performance requirements are — or will be — and communicate those to potential vendors clearly, whether their products sit inline or operate in some hybrid fashion. Put these same specifications in any purchasing documents so you have written backup in case there are performance problems.

3. Clarify your reasons for implementing endpoint-security posture assessment.

Needing NAC to carry out compliance-checking is very different from wanting a NAC box to detect malicious behavior. This sharp distinction nicely differentiates the all-in-one NAC products from one another.

Some enterprises look to NAC endpoint-security measures to determine whether a user’s desktop or laptop complies with corporate security policy. While no virus-checker or personal firewall can guarantee that a system is not compromised, a well-designed policy dramatically reduces the risk of problems. Other enterprises are not as concerned with security-policy compliance as they are with detecting and isolating misbehaving systems and users.

Decide which camp you’re in and use your position to narrow the field of all-in-one products. We found that no single NAC product does both very well, so even if you are looking for both features, decide which is the more important and emphasize it in your own testing. Because you probably can’t test every possible endpoint-assessment combination, decide upfront what's most important to you and look at vendors that focus on the same area as you for their primary endpoint-security strategy.

For the rest of Joel's tips, please click here.



Contact the author:
Snyder is a senior partner at Opus One in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.


Copyright Network World, Inc., 2007
