

NAC internal network security

Dear Experts,

I am planning to implement internal network security like NAC. Please suggest the best NAC solution to me.
Please also compare the features of Cisco NAC and others, and explain how to implement it.

1 Solution
A side note: Microsoft dropped their NAC from the 2012 lineup....
What are you hoping to achieve? Standard 802.1x is a good baseline technology that is basically free to implement if your switches support it. 802.1x is not NAC, and does not do endpoint health checking and remediation.
Rich Rumble, Security Samurai, Commented:
ForeScout is the best NAC there is right now, but NAC isn't all it's cracked up to be...
btan, Exec Consultant, Commented:
If we were to reference the Dec 14 Gartner Magic Quadrant (MQ) for NAC, ForeScout, Cisco and Aruba Networks are the Leaders. Some points of comparison:

Aruba ClearPass - Strong in BYOD (and supports EMM solutions), has its own CA, supports several OS systems and is very much into the education vertical. It also has a guest network with granular policies to manage Apple and Chrome on guest log on via its NAC enforcement (drilling into time/location etc). However, single sign-on may not be its strong point for auto login, and it seems more prevalent for wireless rather than wired networks.

ForeScout CounterACT - Strong contender with wide API fabric integration with various SIEMs, advanced threat devices and security solutions. Likewise, BYOD is another of its strengths, with several EMMs supported (in fact it carries one EMM offering, ForeScout Mobile, or an EMM-Lite version). Quite established and widely deployed due to its versatility and granular policy controls and enforcement options. But this appliance will need to be at the remote site for post-admission threat protection, hence it can be costly for an Enterprise running many such sites. Another minor point is the more common use of a SPAN port for deployment, so you need to ensure your network devices support that w/o affecting performance and availability.

Cisco Identity Service Engine (ISE) - Big also in BYOD and runs its own CA too, which is good for those Enterprises w/o their own internal CA or that do not want the hassle of another 3rd party CA. It uses endpoint profiling collected from the Cisco switches and controllers, such that it eliminates the need for an additional "sensor" to gather the profiling info required for NAC and assessment. Recently, they went into something called pxGrid, which is to share info among the network and security solutions; partners include Splunk, NetIQ, Tenable etc, and of course Cisco's own Sourcefire supports that. Also has strong Guest enforcement. The caveat is ISE can be duplicative for the Cisco wireless aspect, since Cisco has their own NAC per se, called Meraki. ISE provides basic auth compared to the Meraki coverage (and we know why ISE goes that "plain" basic, so as not to outshine ...). Cisco has TrustSec role identity policies, but I am not so savvy about how widely this is used and supported per se. Its ASA should have supported that just last mid year, and this kind of early adoption has not really matured... it is new and forefront, but we are probably looking at a strong, resilient and established deployment...

Looks like ForeScout -> Cisco -> Aruba may be my suggestion if cost is not a factor (which I am also not savvy about). As a whole, a basic NAC should be performing the below...
>Authentication :- the user has to log in or authenticate before network access is granted;
>Host posture assessment :- up-to-date operating system security patches, anti-virus software, anti-spyware software;
>Quarantine and Remediation :- the amount of network access is typically determined based on the user's identity and the security posture of their host;
>Authorization :- enforce only the resources given based on the rights and privileges of the login identity;
>Automated hotfix/version updating - auto updating checks is to remove the huge burden of manually having to track down

... There is more expected of NAC, like central mgmt, HA, Adaptive Auth, etc, but the list is long ... good to get the technical sales from each candidate to run through the comparison, as they will have the latest developments ...
