Solved

NAC (Network Access Control) - ET

Posted on 2014-01-09
2
744 Views
Last Modified: 2014-01-10
We're doing a proposal for a customer who is requesting NAC services on their LAN switches. They would like to control which computers are able to access the network (by mac address). Other NAC services would also be helpful such as:
 - Check computer for AV software prior to connecting to network.
 - Connect guest computers (non authorized PCs) to separate LAN

I dont know much about NAC. So far i found two; HP Identity Driven Management Software and Bradford Networks. Does anyone have experience with these or others?

Typically we use HP switches so would prefer to stick with those however are open to others.
0
Comment
Question by:tabush
2 Comments
 
LVL 26

Expert Comment

by:Soulja
ID: 39769137
I have experience with Cisco ISE, but don't know how well it would work with HP switches.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 39770214
I've tested them all, I swear it. Far and away the "best" is ForeScout, but that isn't saying too much. PacketFence is a free open source solution that was better than most commercial offerings you'll find on Gartner's MQ.

Scanning for patches and AV is going to make the admins happy on one hand, sad on the other. The happy part, you get a great inventory, esp with forescout, but the sad part is you cannot do anything to the users machines directly using the NAC products. Especially guests, or non-company hosts. Would you let another Admin from a separate and probably unrelated business patch and "secure" you user's computers? Do not go down the "remediation" path, all NAC systems fail. The only thing you can do with nac is a glorified inventory.
I'll bring in my computer, your NAC scan's it, sees I have AV patched updated, the OS is updated too. I use a "free" AV I got from a russian site, has all the same settings and registry entries, does no real scanning. Nac is only a CYA technology, and it doesn't cover you *** that well. a user can turn off their AV, or a virus can, or a user can be infected while updated and fully patched. NAC does nothing other than inventory in the end.
I tell my customers, you've gone this long without it, keep it that way. Ban BYOD, it's your network, you do not have to let everyone else dictate what you allow on your network... Setup a internet only guest wifi, and give them that. People can then check their email over webmail/gmail etc... There is no reason to let people on your FULL internal network. NAC can automate some tasks for guests, and lock them down, but what for, all they need is internet, so cut out the middle man.
http://www.experts-exchange.com/Security/Misc/A_12736-Bring-Your-Own-Device-Security-NAC-MDM.html
-rich
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the biggest threats in the cyber realm pertains to advanced persistent threats (APTs). This paper is a compare and contrast of Russian and Chinese APT's.
If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question