Solved

NAC internal network security

Posted on 2015-02-08
308 Views
Last Modified: 2015-04-19
Dear Experts,

I am planning to implement internal network security like NAC. Please suggest the best NAC solution,
Cisco NAC or others, with a comparison of features and how to implement it.

thanks
Question by: nainasipra
Expert Comment by gheist (LVL 61), ID: 40599215
A side note: Microsoft dropped their NAC from the 2012 lineup...

Expert Comment by kevinhsieh (LVL 42), ID: 40599285
What are you hoping to achieve? Standard 802.1x is a good baseline technology that is basically free to implement if your switches support it. 802.1x is not NAC, and does not do endpoint health checking and remediation.

Expert Comment by Rich Rumble (LVL 38), ID: 40599732
http://www.experts-exchange.com/Security/Misc/A_12736-Bring-Your-Own-Device-Security-NAC-MDM.html
ForeScout is the best NAC there is right now, but NAC isn't all it's cracked up to be...
-rich

Accepted Solution by btan (LVL 61), earned 500 total points, ID: 40600004
If we reference the Dec 14 Gartner Magic Quadrant (MQ) for NAC, ForeScout, Cisco and Aruba Networks are the Leaders; some points of comparison:

Aruba ClearPass - Strong in BYOD and supports EMM solutions, has its own CA, supports several OS systems and is very much into the education vertical. Also it has a guest network with granular policies to manage Apple and Chrome devices on guest log-on via its NAC enforcement (drilling into time/location etc.). However, single sign-on may not be its strong point for auto login, and it seems more prevalent for wireless rather than wired networks.

ForeScout CounterACT - Strong contender with wide API fabric integration with various SIEMs, advanced threat devices and security solutions. Likewise BYOD is another of its strengths, with several EMMs supported (in fact it carries one EMM offering, ForeScout Mobile, or an EMM-Lite version). Quite established and widely deployed due to its versatility and granular policy controls and enforcement options. But this appliance will need to be at the remote site for post-admission threat protection, hence it can be costly for an Enterprise running many such sites. Another minor point is the more common use of a SPAN port for deployment, which you need to ensure your network devices support w/o affecting performance and availability.

Cisco Identity Services Engine (ISE) - Big also in BYOD and runs its own CA too, good for those Enterprises w/o their own internal CA or who don't want the hassle of another 3rd-party CA. It uses endpoint profiling collected from the Cisco switches and controllers, such that it eliminates the need for an additional "sensor" to gather the profiling info required for NAC and assessment. Recently, they went into something called pxGrid, which is to share info among the network and security solutions; partners include Splunk, NetIQ, Tenable etc., and of course Cisco-owned Sourcefire supports that. Also has strong guest enforcement. The caveat is ISE can be duplicative for the Cisco wireless aspect, since Cisco has their own NAC per se called Meraki. ISE provides basic auth compared to the Meraki coverage (and we know why ISE goes that "plain" basic, so as not to outshine ...). Cisco has TrustSec role identity policies, but I am not so savvy on how widely this is used and supported per se. Its ASA should have supported that just last mid-year, and that kind of early adoption has not really matured... it is new and at the forefront, but we are probably looking at strong and resilient cum established deployment...

Looks like ForeScout -> Cisco -> Aruba may be my suggestion if cost is not a factor (which I am also not savvy on). As a whole, basic NAC should be performing the below...
- Authentication: the user has to log in or authenticate before network access is granted;
- Host posture assessment: up-to-date operating system security patches, anti-virus software, anti-spyware software;
- Quarantine and remediation: the amount of network access is typically determined based on the user's identity and the security posture of their host;
- Authorization: enforce only the resources given based on the rights and privileges of the login identity;
- Automated hotfix/version updating: auto updating checks remove the huge burden of manually having to track these down.

There are more expected for NAC like central mgmt, HA, adaptive auth, etc., but the list is long... good to get the technical sales from the candidates to run through the comparison, as they will have the latest developments...
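As an added illustration of the basic NAC stages listed in the accepted answer (authentication, host posture assessment, quarantine/remediation, authorization), here is a minimal admission-policy engine in Python. It is not code from this thread or from any of the products named above; the thresholds, VLAN names, role mapping and sample endpoints are all assumed.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy thresholds; a real NAC lets the admin tune these per role.
MAX_PATCH_AGE_DAYS = 30
MAX_AV_SIGNATURE_AGE_DAYS = 7
ROLE_VLANS = {"staff": "vlan-corp", "contractor": "vlan-restricted", "guest": "vlan-guest"}
QUARANTINE_VLAN = "vlan-quarantine"

@dataclass
class Endpoint:
    user: str
    authenticated: bool        # outcome of the 802.1X or captive-portal login
    role: str                  # role from the identity store (e.g. an AD group)
    last_patch: date           # date of the newest OS security patch installed
    av_installed: bool
    av_signature_date: date
    antispyware_installed: bool

def posture_failures(ep: Endpoint, today: date) -> list:
    """Host posture assessment: list every check the endpoint fails."""
    failures = []
    if (today - ep.last_patch).days > MAX_PATCH_AGE_DAYS:
        failures.append("os-patches-out-of-date")
    if not ep.av_installed:
        failures.append("no-antivirus")
    elif (today - ep.av_signature_date).days > MAX_AV_SIGNATURE_AGE_DAYS:
        failures.append("av-signatures-stale")
    if not ep.antispyware_installed:
        failures.append("no-antispyware")
    return failures

def admit(ep: Endpoint, today: date) -> tuple:
    """NAC pipeline: authenticate, assess posture, then quarantine or authorize.
    Returns (vlan, reasons); vlan is 'deny' when authentication fails."""
    if not ep.authenticated:
        return "deny", ["authentication-failed"]
    failures = posture_failures(ep, today)
    if failures:
        # Quarantine VLAN reaches only patch/AV update servers until the checks pass.
        return QUARANTINE_VLAN, failures
    # Authorization: scope access to the identity's role; unknown roles get guest.
    return ROLE_VLANS.get(ep.role, ROLE_VLANS["guest"]), ["posture-ok"]

TODAY = date(2015, 2, 8)  # constructed sample endpoints, evaluated as of this date
SAMPLES = {
    "alice": Endpoint("alice", True, "staff", date(2015, 2, 1), True, date(2015, 2, 7), True),
    "bob": Endpoint("bob", True, "staff", date(2014, 12, 1), True, date(2015, 2, 7), True),
    "eve": Endpoint("eve", False, "guest", date(2015, 2, 1), True, date(2015, 2, 7), True),
}
```

Running `admit` over the samples puts alice on the corporate VLAN, sends bob (patches over 30 days old) to quarantine with the failing check named, and denies eve before posture is even assessed.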