

NAC internal network security

Posted on 2015-02-08
Medium Priority
Last Modified: 2015-04-19
Dear Experts,

I am planning to implement internal network security like NAC. Please suggest the best NAC solution:
Cisco NAC or others, with a comparison of features and how to implement it.

Question by:nainasipra
LVL 62

Expert Comment

ID: 40599215
A side note: Microsoft dropped their NAC from the 2012 lineup....
LVL 42

Expert Comment

ID: 40599285
What are you hoping to achieve? Standard 802.1x is a good baseline technology that is basically free to implement if your switches support it. 802.1x is not NAC, and does not do endpoint health checking and remediation.
LVL 38

Expert Comment

by:Rich Rumble
ID: 40599732
ForeScout is the best NAC there is right now, but NAC isn't all it's cracked up to be...
LVL 64

Accepted Solution

btan earned 2000 total points
ID: 40600004
If we reference the Dec 14 Gartner Magic Quadrant (MQ) for NAC, ForeScout, Cisco and Aruba Networks are the Leaders. Some points of comparison:

Aruba ClearPass - Strong in BYOD (and supports EMM solutions), has its own CA, supports several OS systems and is very much into the education vertical. Also it has a guest network with granular policies to manage Apple and Chrome on guest log on via its NAC enforcement (drilling into time/location etc.). However, single sign-on may not be its strong point for auto login, and it seems more prevalent for wireless rather than wired networks.

ForeScout CounterACT - Strong contender with wide API fabric integration with various SIEMs, advanced threat devices and security solutions. Likewise BYOD is another of its strengths, with several EMMs supported (in fact it carries one EMM offering, ForeScout Mobile, or an EMM-Lite version). Quite established and widely deployed due to its versatility and granular policy controls and enforcement options. But this appliance will need to be at the remote site for post-admission threat protection, hence it can be costly for an Enterprise running many such sites. Another minor point is the more common use of a SPAN port for deployment, which you need to ensure your network devices support without affecting performance and availability.

Cisco Identity Services Engine (ISE) - Big also in BYOD and runs its own CA too, good for those Enterprises w/o their own internal CA or who do not want the hassle of another 3rd party CA. It uses endpoint profiling collected from the Cisco switches and controllers, such that it eliminates the need for an additional "sensor" to gather the profiling info required for NAC and assessment. Recently, they went into something called pxGrid, which is to share info among the network and security solutions; partners include Splunk, NetIQ, Tenable etc., and of course Cisco-owned Sourcefire supports that. Also has strong Guest enforcement. The caveat is that ISE can be duplicative for the Cisco wireless aspect, since Cisco has their own NAC per se called Meraki. ISE provides basic auth compared to the Meraki coverage (and we know why ISE goes that "plain" basic, so as not to outshine ...). Cisco has TrustSec role identity policies, but I am not so savvy on how widely this is used and supported per se. Its ASA should have supported that just last mid year, and that kind of early adoption is not really new and forefront, but we are probably looking at a strong and resilient cum established deployment...

Looks like ForeScout -> Cisco -> Aruba may be my suggestion if cost is not a factor (which I am also not savvy into). As a whole, basic NAC should be performing the below...
>Authentication :- the user has to log in or authenticate before network access is granted;
>Host posture assessment :- up-to-date operating system security patches, anti-virus software, anti-spyware software;
>Quarantine and Remediation :- the amount of network access is typically determined based on the user's identity and the security posture of their host;
>Authorization :- enforce only the resources granted based on the rights and privileges of the login identity;
>Automated hotfix/version updating :- auto-update checks are to remove the huge burden of manually having to track down

.. There are more expected for NAC like central mgmt, HA, Adaptive Auth, etc., but the list is long ... good to get the technical sales from the candidates to run through the comparison, as they will have the latest developments ...
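The basic NAC flow listed in the accepted answer (authenticate, assess host posture, quarantine non-compliant hosts, authorize by identity), worked through as an added Python example. This is illustration code, not from any product named in the thread; the user store, posture thresholds, VLAN numbers and sample hosts are all constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional
# Constructed thresholds and identity store (not from any vendor product).
MAX_PATCH_AGE_DAYS = 30
MAX_AV_SIG_AGE_DAYS = 7
USERS = {"alice": ("correct horse", "staff"), "bob": ("hunter2", "contractor")}
ROLE_VLAN = {"staff": 10, "contractor": 20}   # authorization: VLAN per role
QUARANTINE_VLAN = 999                         # remediation-only network

@dataclass
class Host:
    last_patch: date        # newest OS security patch installed
    av_sig_date: date       # anti-virus signature date
    antispyware_on: bool    # anti-spyware agent running

@dataclass
class Decision:
    vlan: Optional[int]     # None = access denied outright
    reasons: List[str] = field(default_factory=list)

def authenticate(user: str, password: str) -> Optional[str]:
    """Step 1: return the user's role, or None if the login fails."""
    entry = USERS.get(user)
    return entry[1] if entry and entry[0] == password else None

def assess_posture(host: Host, today: date) -> List[str]:
    """Step 2: list every posture check the host fails (empty = compliant)."""
    failures = []
    if (today - host.last_patch).days > MAX_PATCH_AGE_DAYS:
        failures.append("os-patches-stale")
    if (today - host.av_sig_date).days > MAX_AV_SIG_AGE_DAYS:
        failures.append("av-signatures-stale")
    if not host.antispyware_on:
        failures.append("antispyware-off")
    return failures

def admit(user: str, password: str, host: Host, today: date) -> Decision:
    """Steps 3-4: quarantine a non-compliant host, else authorize by role."""
    role = authenticate(user, password)
    if role is None:
        return Decision(None, ["auth-failed"])
    failures = assess_posture(host, today)
    if failures:
        return Decision(QUARANTINE_VLAN, failures)   # remediation VLAN only
    return Decision(ROLE_VLAN[role], ["compliant"])
# Constructed sample input; "today" matches the thread's date.
TODAY = date(2015, 2, 8)
COMPLIANT = Host(date(2015, 2, 1), date(2015, 2, 7), True)
STALE = Host(date(2014, 12, 1), date(2015, 2, 7), False)
```

The failure reasons returned with the quarantine decision are what a real remediation portal would act on (the "automated hotfix/version updating" step in the list above).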
