Solved

NAC (Network Access Control) - ET

Posted on 2014-01-09
2
754 Views
Last Modified: 2014-01-10
We're doing a proposal for a customer who is requesting NAC services on their LAN switches. They would like to control which computers are able to access the network (by mac address). Other NAC services would also be helpful such as:
 - Check computer for AV software prior to connecting to network.
 - Connect guest computers (non authorized PCs) to separate LAN

I dont know much about NAC. So far i found two; HP Identity Driven Management Software and Bradford Networks. Does anyone have experience with these or others?

Typically we use HP switches so would prefer to stick with those however are open to others.
0
Comment
Question by:tabush
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 26

Expert Comment

by:Soulja
ID: 39769137
I have experience with Cisco ISE, but don't know how well it would work with HP switches.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 39770214
I've tested them all, I swear it. Far and away the "best" is ForeScout, but that isn't saying too much. PacketFence is a free open source solution that was better than most commercial offerings you'll find on Gartner's MQ.

Scanning for patches and AV is going to make the admins happy on one hand, sad on the other. The happy part, you get a great inventory, esp with forescout, but the sad part is you cannot do anything to the users machines directly using the NAC products. Especially guests, or non-company hosts. Would you let another Admin from a separate and probably unrelated business patch and "secure" you user's computers? Do not go down the "remediation" path, all NAC systems fail. The only thing you can do with nac is a glorified inventory.
I'll bring in my computer, your NAC scan's it, sees I have AV patched updated, the OS is updated too. I use a "free" AV I got from a russian site, has all the same settings and registry entries, does no real scanning. Nac is only a CYA technology, and it doesn't cover you *** that well. a user can turn off their AV, or a virus can, or a user can be infected while updated and fully patched. NAC does nothing other than inventory in the end.
I tell my customers, you've gone this long without it, keep it that way. Ban BYOD, it's your network, you do not have to let everyone else dictate what you allow on your network... Setup a internet only guest wifi, and give them that. People can then check their email over webmail/gmail etc... There is no reason to let people on your FULL internal network. NAC can automate some tasks for guests, and lock them down, but what for, all they need is internet, so cut out the middle man.
http://www.experts-exchange.com/Security/Misc/A_12736-Bring-Your-Own-Device-Security-NAC-MDM.html
-rich
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ransomware backup 8 139
Developers / Staff Setup 10 48
Cisco ACS second root certificate 3 13
Mesh Router system for 10,000 Sq ft office? 18 22
Most MSPs worth their salt are already offering cybersecurity to their customers. But cybersecurity as a service is wide encompassing and can mean many things.  So where are MSPs falling in this spectrum?
Arrow Electronics was searching for a KVM  (Keyboard/Video/Mouse) switch that could display on one single monitor the current status of all units being tested on the rack.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question