Saturday, 21 June 2008

What is this NAC thing anyway?

A survey by Sophos reported that 39% of corporate computers scanned by thier NAC (compliance) modeules failed a basic security test.

Network world has a buyers guide for these products.

So what actually does a NAC device do?

NAC stands for "Network Access Control". NAC is a policy and compliance enforcement engine that helps both small and lerge organisation keep their networks and systems secure.

The main functions of a NAC include:

  • Vulnerability management,
  • Policy compliance, and
  • Standards and regulatory compliance (with respect to IT systems).

There are a variety of configuration options with NAC that range from policy separation, patch management and change control, security enforcement (anti-virus/malware defense, firewalls, monitoring and reporting, VPN control and system security and configuration management) and compliance management.

Want to learn more?

Qualys has provided a free download of "NAC for Dummies" on their site. Sophos has a good link on this topic as well. Cisco have mountains of NAC information.

I am not even being paid to plug these vendors.

Most systems are NOT secure. Most organisations I see are far from compliant or secure. NAC is a simple method of the 80-20 rule. If you automatically stop 80% of the issues, you will be likely to survive an attack against your organisations network.

This is not all that needs doing, but it does pose a begining.

No comments: