The Secret Origin of NAC

By Rich
Once upon a time, an evil virus struck the land. But the people were prepared, and they stopped the virus before too many became sick… or so they thought. The virus really learned to hide, finding a home among wayward travelers outside the gates of the city. Weeks later these travelers returned home and unknowingly infected the cities. And weeks after that the next wave of travelers came to the cities, and more were infected. And then some scientists said, “Enough! No more will we let our cities become infected by these travelers. Now is the time to protect ourselves from the threats within!” The scientists created a new defense, called NAC, which would check the health of anyone before entering the city, and all was good. But NAC was new, and the first versions didn’t work as well as everyone would have liked. Then, two famous alchemists decided that they should control NAC. Rather than providing it to the people to use, they decided to tell everyone they would provide it. Eventually. And maybe it wouldn’t work quite as expected, but it would be good because it would be big. And then other alchemists decided that the people wanted NAC, but didn’t know what NAC was, so they removed the old labels from their elixirs and put on new NAC labels. And the people were confused. And they waited.

(Apologies for starting so many sentences with ‘and’, but you’ll get over it.)

I was listening to Alan and Mitchell’s StillSecure podcast the other day and, as usual, the subject of NAC came up. For those of you who don’t know, NAC stands for Network Admission Control or Network Access Control, depending on who you talk with. The technology was originally developed to provide pre-connect health checks when guests or mobile employees plugged into the office network. Alan was ranting on the dilution of the term, and as much as it pains me I have to agree with him.

When the SQL Slammer virus hit, most companies were well defended by blocking the port on their firewalls. Those companies then found themselves infected over the following weeks in waves, as mobile employees and contractors started coming back and plugging into the wall, behind the firewall. The concept of NAC was to prevent internal infections from systems physically connecting behind perimeter defenses. A computer would plug in and would then be scanned, or checked using an agent, before it was given an IP address or other network access. If the system wasn’t up to snuff, it could be quarantined off on a network segment outside the firewall (perhaps to download the missing security software), or simply denied access.

It’s a great idea, but like all great ideas a combination of big fish and bottom feeders wanted in. “NAC” kept getting expanded and integrated with everything from 802.1x for port-based authentication (only letting a computer get a usable IP address after a user is approved- a pretty good idea) to all sorts of real-time monitoring, quarantining, VLAN weirdness, and kitchen sinks. It’s a market that Cisco and Microsoft decided they want to control, and early on they started making waves without providing much in terms of functional product. It was a way for Cisco to get their endpoint agents onto desktops and to push clients to upgrade their networking hardware, since parts of their NAC don’t work if they aren’t built into the switch.

I like NAC, and if I had more than 6 computers on my network it’s the kind of thing I’d look at more closely. But I’d keep myself focused on the basics- protecting my network from malicious guest and mobile systems. I’d want a mix of agent and agentless (for managed and unmanged systems) and keep focused on pre- and post- connection health checks. I wouldn’t wait for the big vendors, knowing that in the long term they’ll own it all anyway, even if they have to buy it. Yes, Cisco has stuff now, but I hear it’s pretty complex to deploy.

NAC, like much of network security, will eventually be built into the network fabric. At best, we’ll have a separate security control plane for separation of duties. This is a hell of a long way out and not something that should affect your buying decisions today.

I’ll be the first to admit I have a lot more depth in data and application security than netsec, but I’ve watched for years as a great idea (NAC) has been pummeled by the market. I even did an interview on it over at SearchSecurity. It reminds me a lot of Data Loss Prevention/Content Monitoring and Protection (DLP/CMP). A good technology that provides immediate value, which quickly becomes far more confusing than needed as all sorts of people want in on the action.

If you want to protect yourself from potentially malicious systems plugging into your network (including remote access) take a look at NAC. If you want all the other bells and whistles you see running around out there you can look at them too, just don’t call them NAC.


p style=”text-align:right;font-size:10px;”>Technorati Tags: ,

No Related Posts

@windexh8er (BTW, where does that handle come from?):

I’‘ve thought about it at home, but haven’‘t found the need other than a science project. No kids yet, and a really locked down 802.1x. Good gateway firewall, although I do just use PPTP (with max encryption) for my VPN (long passphrase though).

I think next up for me is a virtual honeypot. It’s a more interesting project and more useful for my home network.

That, and I’‘m trying to get a Palo Alto box :)

By rmogull

Good run through…

Two comments:
1) Cisco NAC isn’‘t all that hard to deploy.  Does it work?  Kinda-sorta.  I, personally, feel it is kind of a half-baked product (typical these days), but it could be good—once Cisco does some more R&D into NAC appliances that actually work.

2) I’‘m surprised the Mogull doesn’‘t use even 802.1x port security at home.  Pretty simple to roll out, especially if you have something like PFSense or IPCop sitting there as your gateway—all you need is RADIUS.

By windexh8er

Rich - tried to track back but not sure it worked.  I am glad my ranting at least made you think. I actually agree with most of what you wrote. Of course I have my own take it on <a href="" rel="nofollow">here</a>

By alan shimel

Thanks for spelling that all out, Rich. When people can’‘t even agree on what the acronym stands for, you know the exact definition of the technology doesn’‘t stand a chance.

By Colin Steele

If you like to leave comments, and aren’t a spammer, register for the site and email us at and we’ll turn off moderation for your account.