NAC Extends 802.1X to Achieve Network-wide Security, Control and Visibility
The decision of whether to implement 802.1X or NAC, or a combination of the two, comes down to the specific needs of an organization as well as consideration of the challenges and benefits of deploying each within a given network environment. In practice, most organizations will find that 802.1X alone is not enough, and instead a combination of 802.1X and NAC is most beneficial to provide the level of security, control, and visibility needed in today’s networks.
NAC can augment 802.1X to provide additional capabilities, or in many cases (depending on the NAC architecture) it can be a viable substitute for 802.1X altogether. In wireless networks, NAC is commonly used to augment 802.1X in order to provide endpoint compliance validation or for more advanced management of guest access than 802.1X alone allows. In wired networks, NAC is more commonly used as a substitute for 802.1X due to the number of deployment challenges for 802.1X in these environments.
Like many technologies, NAC has evolved over a number of years, and some NAC solutions now provide advanced capabilities and added value. As noted previously, these advanced NAC solutions can greatly enhance network visibility and also offer dynamic profiling of endpoint devices, comprehensive guest management, and detailed logging, reporting, and audit trails that are extremely valuable for regulatory compliance.
Case In Point – Regional Hospital Deploys NAC & 802.1X
Sarasota Memorial Health Care System (SMH) is an 806-bed regional medical center in Sarasota, Florida, with a network of outpatient centers as well as long-term care and rehabilitation facilities. The network at SMH consists of over 4,000 wired LAN ports and more than 350 wireless access points.
When SMH set out to solve a number of network security challenges, it first tried to do so using an 802.1X-based NAC solution offered by its IPS vendor. However, IT staff quickly found that while the solution worked adequately for its wireless network, it was insufficient for its wired LAN due to a number of deployment challenges.
“802.1X worked fine for our wireless network,” said John Bozer, Director of Information Systems, “but there were too many difficulties trying to implement it over the wired network, especially in the case of PCs connected to the network through VoIP phones.” He also needed a solution that would allow various medical devices incapable of supporting 802.1X to be identified on the network and to have network access provisioned appropriately for those devices.
SMH replaced its 802.1X-based NAC solution with Network Sentry from Bradford Networks to manage access control on its wired and wireless networks. “Network Sentry gives us a much greater level of security, with endpoint compliance, complete network visibility, and control over the users and devices on our network,” Bozer said. “On our wired network, it provides 802.1X-like functionality to recognize users and devices so we can assign role-based access and block unauthorized users. We can easily identify devices that are out of compliance and ensure remediation. Because we can keep the production and guest networks separate, there is no impact to SMH-owned systems, including medical devices that directly impact patient care.”
© 1999-2013 Bradford Networks. All rights reserved.