Despite some shortcomings, software-based network access control technology that enforces policies on network endpoints is often the first choice of customers who adopt the technology.
NAC endpoint client, minimizing the training and investment required, they say.
For example, Hidalgo County, Texas, looked into a Cisco NAC appliance deployment to solve its endpoint-compliance problems, says Renan Ramirez, the county's CIO. "The Cisco solution was going to cost six figures," he says, but the county chose a Sophos NAC, which cost about US$50,000.
The county was already about to buy Sophos antivirus software and the incremental cost of NAC made it worthwhile, he says. "Cost overrules everything," Ramirez says.
Ramirez and other potential customers have three basic options when picking NAC products, and endpoint-based NAC is one of them. The other two are infrastructure-based that uses switches to enforce policies, and appliance-based using a dedicated appliance to enforce policies (perhaps in conjunction with other network elements).
Each has its shortcomings. For example, NAC products that enforce policies via Dynamic Host Configuration Protocol (DHCP) proxy servers do nothing to stop machines that obtain static IP addresses and don't use DHCP to make their network connections. That makes significant portions of corporate networks invisible to the NAC access control products, says Ofir Arkin, CTO of NAC vendor Insightix. He is the author of a paper outlining NAC flaws.
Every customer must decide which architecture is best for them, says Rob Whiteley, an analyst with Forrester Research. "There is no one-size-fits-all," he says.
The upside of NAC that uses endpoint software to enforce policies is that it can provide comprehensive data about the endpoint as well as a remediation mechanism when the NAC agent is part of an endpoint security suite. It also gathers a wealth of data that can be used to prove to regulators that industry or governmental policies have been upheld.
The major downside to endpoint-enforced NAC is largely theoretical so far and one that customers seem willing to overlook. The problem is that rootkits can take over machines to make them lie about their health. This underlying endpoint problem can be mitigated by software that monitors behavior of machines to determine if they are acting badly. And lying endpoints haven't actually proven a problem for many customers.