Why NAC Alone Is Not Enough

While a NAC solution blocks infected endpoints from entering the network, what happens when a connected PC becomes non-compliant?

by Ari Tammam

The development of Network Admission Control (NAC) products, which check that hosts connecting to a network meet the requirements needed to join that network, has blurred the boundaries of endpoint security. Whether it is the original iteration from Cisco, Microsoft’s NAP, or the Trusted Computing Group’s TNC, NAC is becoming an increasingly popular solution to stop infected machines from entering a secure network.

The technology is effective in stopping worms and viruses from gaining access to networks through authorized external users. However, depending on how many users you have and how far you need to go in your NAC deployment, NAC may not be the most cost-effective solution. While all NAC products ensure that a host is “clean,” some go far beyond verifying the presence of an up-to-date anti-virus and personal firewall client on the endpoint and ensuring the OS is properly updated (or patched) and that no malware exists on the machine. Some NAC solutions can be customized to include user-defined requirements for gaining network access.

Ultimately, a NAC solution will do what its name says—control network admission. What happens if an endpoint becomes noncompliant while it’s connected to the network? That’s where clientless endpoint security management (CESM) comes into play. CESM looks at the endpoint and its activity the entire time a user is connected to the network, making NAC and CESM complementary technologies.

CESM provides comprehensive command and control of all activity that occurs on the endpoints, including servers. Rather than focusing on a single endpoint problem (such as portable storage devices), CESM solutions look at all aspects of endpoint activity, from applications to processes to registry values. Because CESM is independent of other security solutions active in the network, it has a much broader view of the endpoint, including the existing security solutions that reside on that endpoint.

There are tradeoffs, however, between NAC and CESM. While a NAC product may resolve some issues that network endpoints suffer from, more often than not such products involve deploying a client on each endpoint to address those specific problems. CESM is a more cost-effective approach: because there is no client deployment, no time is wasted installing a client on every endpoint. A CESM solution can identify unauthorized applications, processes, start-up commands, devices, toolbars, and services that may be running on an endpoint; it can also identify and repair legitimate services that are misconfigured or are being used in an environment where they shouldn’t be—for example, a wireless connection being used inside a LAN. Finally, CESM is able to manage those third-party security clients (including the NAC client) that are so often disabled for one reason or another, leaving the network open to a potential attack.

CESM offers pre-NAC functionality by first cleaning corporate endpoints before deploying a NAC solution and providing the NAC product with requirements for checking endpoints. The CESM solution can provide reports and statistics identifying the main issues associated with the endpoint’s security posture; these issues can be added to the existing set of requirements the NAC solution checks before allowing a client to enter the network.

A typical NAC solution will quarantine an endpoint if it does not comply with certain prerequisites. If there are no built-in remediation capabilities, the chosen NAC solution will dramatically increase the overhead for network administrators and help desk staff, because they will spend most of their time fixing noncompliant endpoints. To be cost-effective, the chosen NAC solution has to be efficient and offer automatic remediation that minimizes the need for physical intervention and not a link or explanation to the user about how to remediate their own machine.

Costs and ROI

The cost of a NAC solution depends on the number of users or workstations connected to the network and the level of NAC functionality needed. A full-blown Cisco NAC deployment might require new switches and networking gear unless you already have the latest and greatest from Cisco installed. On the other hand, given that the cost of an internal breach can be prohibitively expensive, deploying NAC could be a very good investment, even with the added cost of new hardware.

Unfortunately, as with many preventative measures, determining the return on investment (ROI) on your NAC solution is not easy and is always based on the probability of a security event occurring. For most security solutions, ROI can be calculated as part of the Annual Loss Expectancy (ALE):

         Incident cost x Probability of incident occurring = ALE

This formula estimates how much a company would have to spend to either recover from or repair a security breach. The ROI of any technology purchased to prevent such a breach is based on the cost of the technology and the ALE related to that category of security breach.

Calculating the ROI for CESM solutions is much easier than for NAC solutions, because in addition to being a preventive measure like NAC, CESM increases productivity and automates management of endpoint security and remediation. The clientless technology allows administrators to do almost all of the remediation of problematic endpoints from their own workstation.

A CESM solution can also verify that third-party security agents are installed and available on all endpoints; if these agents are disabled, the CESM solution automatically re-enables them. Because remediation occurs in the background, there is no PC downtime and users can continue working while the administrator fixes problems remotely. These benefits, coupled with the relatively low cost of a CESM solution, make the ROI attractive.


NAC blocks infected endpoints from entering the network; CESM maintains security while the endpoint is connected and prevents unauthorized activity that could adversely affect the network. A complete solution includes both CESM and NAC functionality; however, given budget limitations, you may have to choose just one of those technologies.

If you have a limited number of roaming users and most work is done within the confines of the corporate network, a CESM solution will serve you well. If most of your employees roam or access the corporate network externally, or you have external partners (contractors, suppliers, etc.), accessing your network, then NAC makes sense.


Ari Tammam is vice president for channels at Promisec and can be reached at atammam@promisec.com

comments powered by Disqus