Go Premium for a chance to win a PS4. Enter to Win


NAC internal network security

Posted on 2015-02-08
Medium Priority
Last Modified: 2015-04-19
Dear Experts,

I am planning to implement internal network security like NAC. please suggest me any best NAC solution.
Cisco NAC or others comparison features and how to implement it.

Question by:nainasipra
LVL 62

Expert Comment

ID: 40599215
A side note that microsoft dropped their NAC from 2012 lineup....
LVL 42

Expert Comment

ID: 40599285
What are you hoping to achieve? Standard 802.1x is a good baseline technology that is basically free to implement if your switches support it. 802.1x is not NAC, and does not do endpoint health checking and remediation.
LVL 38

Expert Comment

by:Rich Rumble
ID: 40599732
ForeScout is the best NAC there is right now, but NAC isn't all it's cracked up to be...
LVL 65

Accepted Solution

btan earned 2000 total points
ID: 40600004
if we will to reference Dec 14 Gartner Magic Quadrant (MQ) for NAC, Forescout, Cisco and Aruba Networks are the Leaders, some point of comparison

Aruba ClearPass - Strong in BYOD And support EMM solution), has its own CA support several OS systems and very much into the education vertical. Also it has a guest network with granular policies to manage Apple and Chrome on guest log on to via its NAC enforcement (drilling into time/location etc).However, Sing sign on may not be its strong point for auto login. and it seems more prevalent for wireless rather than wired network.

ForeScout CounterACT - Strong contender with wide API fabric integration with various SIEMS, Adv threat device and security solution. Likewise BYOD is another of its strength with several EMM support  (in fact it carries one EMM offering, ForScout Mobile or with a EMM-Lite version). Quite established and widely deployed due to its versatility and granular polices controls and enforcement options. But this appliance will need to be at remote site for post admission threat protection hence can be costly with Enterprise running many such sites. Another minor point is the more common use of SPAN port for deployment which you need to ensure your network devices support that w/o affecting the performance and availability

Cisco Identity Service Engine (ISE) - Big also in BYODand run its own CA tpp and good for those Enterprise w/o own internal CA or need to hassle with another 3rd party CA. It uses endpoint profiling collected from the Csico switches, controllers such that it eliminate need for additional "sensor" to gather the profiling info required for NAC and assessment. Recently, they go into something called pxGrid which is to share info among the network and security  solution, partners include Splunk, NetIQ, Tenable etc, and of course Cisco's owned Sourcefire support that. Also has strong Guest enforcement. The caveat is ISE can be duplicative for the Cisco wireless aspect since Cisco has their own NAC per se called Meraki). ISE provide basic auth compared to the Meraki coverage (and we know why ISE go that "plain" basic as not to outshine ...) . Cisco has TrustSec role identity policies but I am not so savvy how this is widely used and supported per se. Its ASA should have supported that just last mid year and kinda of early adoption has not really matured...it is new and forefront but we probably looking at strong and resilience cum established deployment...

Looks like ForeScout - > Cisco -> Aruba may be my suggestion if cost is not factor (which I am also not savvy into that). As a whole, basic NAC should be performing below...
>Authentication :- the user to login or authenticate before network access is granted;
>Host posture assessment :- up-to-date operating system security patches, anti-virus software, anti-Spyware software;
>Quarantine and Remediation :- amount of network access is typically determined based on the user’s identity and the security posture of their host;
>Authorization :- enforce only resource given based on right and privileged of the login identity;
>Automated hotfix/version updating - auto updating checks is to remove the huge burden of manually having to track down

.. There are more expected for NAC like central mgmt, HA, Adaptive Auth, and etc but list is long ... good to get the technical sales from candidate to run through the comparison as they will have latest development ...

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
David Varnum recently wrote up his impressions of PRTG, based on a presentation by my colleague Christian at Tech Field Day at VMworld in Barcelona. Thanks David, for your detailed and honest evaluation!
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

963 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question