How does NAC work in practice?

NAC products scan computers and other devices before they get on the network to determine whether they possess a security posture in line with corporate policy. Is virus-scanning software up-to-date? Is the operating system patched? Is a personal firewall in use? That process requires an engine capable of matching scan results to policies to see if the device is qualified to gain access. And it entails devices that can enforce the policy engine's decision: to block access, to restrict access to certain resources or to allow access only to an isolated network segment where security functions can be brought up-to-date.

Can other types of security products play a role in a NAC environment?

Yes. For example, CA's eTrust antivirus and antispyware software play in Cisco's NAC environment by delivering status information to Cisco's Trust Agent. The agent gathers data from the CA software and other software on desktops and laptops to develop a profile of the computers trying to access the network. Similarly, IBM's Tivoli Security Compliance Manager is Cisco NAC-compatible because it scans machines coming onto the network. By itself it can't enforce whether the device gains access; it needs infrastructure from Cisco or some other vendor to enforce policy.

What key questions should network executives ask themselves regarding an investment in NAC?

- Do company decision-makers agree that the business needs different levels of access control?

- Does the infrastructure have a specific need that NAC can address, or does network security in general need beefing up?

- Does my road map adequately address a potential move from current products to the eventual industry-standard products if an enterprisewide NAC deployment becomes appropriate?

- Does the NAC product need to fit into my existing infrastructure or will NAC be part of a wide-ranging overhaul?

- Are tracking, monitoring and logging events controlled by NAC important for this organization?