Here is what happens.

Every pc that comes into our shop has its HW specs, user and mac pounded into a database.

When a PC powers up, it requests a DHCP lease- using CNR, we authenticate that request against the DB. If it is legit we allow the request to proceed. If its not legit, it sends an email and calls another custom script to kill the port via SNMP.

We prevent static IP’s by using DHCP snooping combined with DAI on the switches.

This gets us what NAC does without requiring software agents all over the place.

Obviously, it’s much more complicated under the hood than what I’ve laid out in half a paragraph, but it gets you the general idea that folks are doing “rouge” device detection and mitigation, without buying into the NAC hype.

Mike

Everyone in a company should be able to find ways to improve business performance and outcomes. If the only way to do that is to ‘hide’, then that is what happens.

The money spent on NAC should be spent on more servers, more skills, more people so that business units or projects do not feel that they have to these kind of things to get the job done.

Again, is NAC is the answer, what was the question ?

NAC does not improve everything, but it will give the IT-department better knowledge of what machine they have connected to the network. This way they can start adding unknown machine to the security and IT policy used in the company.

It is mumbojumbo to assert that NAC improves everything. It makes hosts and networks more complex thus delivering negative outcomes for business.

It stops users from adapting and adopting new ways of working, and thus causes companies to stagnate and ultimately fail. It is the ugliest face of security consulting gone too far.

If NAC is a viable technology that has real meaning then it must be introduced as part of the OS, and not as some sort crufty add on.

If you cannot see your network, hosts and servers with the tools we have today, then you are not using other technologies correctly.

NAC is not the answer, its a failure to ask the right question.

As I have done both Ciscoís NAC framework and Clean Access installations in real networks, the effect is the same. As soon as we reach the point where we add a ‘block-filter’, the number of server and client machine not known are more then expected. The security in NAC, as I see it, are that the host people suddenly will see *all* machines on the network and they can start incorporate them in IT-policies. Network people already know itís more then the official numbers, by counting the great number of switch-port in use. But host people normally only ‘know’ the number by the SMS, AD-accounts, AV-tools . . which of course only show ‘known’ machines.

NAC gives the possibility to ‘see’ everything connected on the network, which have never been easy before. Every customer I visit tells me that they have ‘good’ knowledge of their connected machines, but all my NAC installation proves thatís not true.

I agree that the agent part is a pain, but that goes for all SW installed in any computer when the underlying OS is changed. But if the people working with the computers, not the network, handle NAC, I think it has a feature. Network people have to be involved, especially when NAC is deployed, but they should not be ëin chargeí of NAC.

The problem I see is how to handle machines which should not be handle by NAC, like copy machines, IP managed air conditions, IP based keyboard/mouse/screen adapters . . . name it, you will have more then you ever believe and the number will grow. I have tried to combine NAC/802.1x/VLAN/MPLS to keep ‘strange’ machines out of NAC; it seems to work pretty well. But everything starts with deep knowledge in networking, system and applications. Knowledge is the key whatever technology used.

Best Regards
- Per HÂkansson
SpeedApp AB
CCIE 2446

PS: Defense & military seems to be the people who have best control already, I think there are many other companies who needs NAC even more.