June 21, 2010, 1:51 PM — To understand how access control is done in NAC products, you have to look along three dimensions: where access controls are enforced, how access control is communicated, and the granularity of access control.
But first you need to decide if you want to enforce access control at all. There are two reasons why you might not want to.
First, enforcement itself may not be your goal. For example, if you just want to know your level of compliance with end-point security policies, NAC can detect and report on that, even if you never want to kick anyone off the network for being out of compliance.
You may think you have compliance already covered because, in theory, the end-point security products running on your desktops and laptops already do this when hooked back to the central management console.
But because NAC checks the compliance of every system that tries to connect to the network, in practice it will turn up systems that the enterprise management consoles don't know about.
The second reason not to enforce is that your rollout plan may call for an initial "report-only" phase before moving to enforcement. All the products we tested will let you operate in "report-only" mode.
In the products we tested, enforcement is not a big red switch that you flip. Instead, there's usually the option to not send enforcement instructions into the network, which may take a little digging to find.
Of course, depending on the type of NAC deployment you have, even "non-enforcing" NAC may be intrusive to network operations. For example, if you plan to use 802.1X for authentication and enforcement, you have to get the basics of 802.1X right first, or users may not be able to get onto the network at all.
If you are very concerned about interfering with network traffic, you may want to look at Bradford Network Sentry, ForeScout CounterACT, and Trustwave NAC, all of which have an exceedingly light touch on the network when used in "observe only" mode.
Let's say you do decide to enforce access controls. There are four ways to do so: edge enforcement, deep in-line enforcement, protocol-based enforcement and hybrid enforcement.