Before implementing Cisco Network Admission Control (NAC) on your network, you'll first need to need to have some idea of what you're getting into; many times, NAC can be a large and complex project, no matter whose product you're implementing. I'll break down the project into five steps, and discuss the pitfalls that you need to look out for.
1. Define your objectives before implementation
Everyone may be talking about NAC, but don't jump the gun. First, ask yourself a few questions so that you can better define your objective before investing time and money:
- What is it that needs to be secured?
- Where are we currently lacking in security, and how can Cisco NAC help us resolve these issues?
- What would be the overall impact of implementing a Cisco NAC solution? Besides securing PCs (or whatever your goal was), what would the effect be on the help-desk staff, on the end users, on the traveling salespeople, and on the remote-access users?
- Are the benefits worth the impact that would be caused by a Cisco NAC implementation?
Should you even be looking at NAC at this point in time? The "NAC now or NAC later" question is difficult for any expert to answer. Certainly, NAC currently provides some great features and it will certainly make your network more secure. However, the technological capabilities and features of NAC are still in its early stages.
Examine what is driving you to NAC. Don't be one of the companies only going to NAC because it's trendy; ensure that the technology meets the needs of your company and will truly solve your security issues without being too much of a burden on your users or administrators.
Also, keep in mind that you may not have enough information to know the impact caused by implementing such a large solution. For example, perhaps you didn't know that traveling salespeople regularly connect to your network in the vice president's office. What if you implemented Cisco NAC and the vice president became mad that since this new piece of security was implemented, his favorite salesperson couldn't access the Internet? Those unknowns should be brainstormed so you can try to prevent these problems before they happen.
2. Define the scope of the NAC project
Before committing any funds to a Cisco NAC project, your Cisco reseller should be able to provide you with a scope of work, which should tell you, step by step, what the Cisco NAC project will encompass.
Take the scope of work and compare it to the benefits, needs, and pain points that you came up with in Step One. Does the scope fulfill your needs? Will what is being done really solve the issues?
3. How will your NAC system be designed?
Once you're satisfied that you aren't just buying into the latest trend, ask yourself how the NAC implementation will be designed. Since Cisco NAC can be implemented at different points in the network, it's important that firms know in advance where their enforcement points will be. NAC is typically deployed at one of three points: inline, out-of-band, or a software agent.
Actually, the question of enforcement points is one of the significant design questions that will come up in a NAC implementation. For example, if a company designed NAC their NAC system as "inline" and the NAC device failed, all the computers behind that device may not be able to access the network anymore. The IT administrators would have to be prepared with documentation and training to know what steps they have to take should this happen.
Finally, consider what type of NAC design will fulfill your security needs and still be as unintrusive to the end user as possible. For example, you could get an inline solution offered by Cisco, Nevis, or Vernier, or an out-of-band solution like ForeScout. On the other hand, you could also deploy NAC using software agents from Cisco, InfoExpress, or Elemental. It is my opinion that inline designs of Cisco NAC are more popular right now simply because they are less complex to deploy and administer.
4. Analyze and test your NAC options
Unless you have implemented NAC in the past, visualizing the design and analyzing the whitepapers may not be a lot of help compared to just trying it out for yourself. For that reason, you should never buy a NAC solution until you have tested it on your own network. Your Cisco reseller should be able to help out in this area.
Once you have a test NAC solution, you need to make sure it will do all that you need it to do. For example, NAC solutions should be able to run a pre-admission check, a post-admission check, and host posture check. In addition, a NAC should also be able to identify your network resources using the existing infrastructure. For example, a NAC should be able to use Windows Active Directory to identify users and computers.
Ask yourself what it will really cost to implement a NAC solution. Any sort of company-wide implementation of a product that touches every device can be very expensive. The cost of that implementation will depend on the design choices you make, so be sure you weigh your design choices with your implementation method. For example, rolling out software agents may be less costly than hardware-based methods.
On the other hand, inserting a single NAC appliance in the network may not take much time but the configuration could be costly, as could the need to have a backup unit in case the primary unit fails.
Examples of small tests might be:
- Setup a NAC solution for guest networking: Salesmen who come in only get access to a network that is secured with Cisco NAC. This way, their computers are checked for up-to-date antivirus definitions, operating system patches, and more.
- Setup a NAC solution for a small group of peers: This way, you all can see how intrusive NAC is before implementing it across the entire system.
- Setup NAC for wireless users only: If you don't have a lot of wireless users, test NAC with that small subset of users.
5. Implement NAC on your network
After all the proper planning, you decide to go forward with implementing NAC on your network, there are still more things to consider.
- Who will do the implementation? Does anyone in your organization have NAC experience, or will you depend on an outside company to do it?
- How does NAC fit into your network security policy? The implementation of NAC must go hand-in-hand with the changes to your network security policy to enforce it; you don't want people just finding a way to bypass NAC and the security you are putting in place.
- Will you do a phased or an "all or nothing" approach? In other words, how will you roll it out?
- What is the overall impact to users of this implementation?
- Finally, what does the implementation plan look like? Does the implementation plan meet your original needs? Who has reviewed the plan to ensure that it is as fool-proof as possible? Is it based on the live tests that were performed?
Implementing NAC on any production network is no small task; ensure that your implementation plan is tested and will go as planned.
Steps to success
Really, these steps don't have to apply just to Cisco NAC; they could apply to almost any NAC solution out there. While NAC is a hot topic today, make sure you don't fall into the trap of buying something just because it's hyped. You need to ensure that you have real security issues and that NAC can really relieve those issues. Take the questions asked in this article and use them to ensure that your NAC implementation is a success.