Cisco Broadens its NAC -- But is it a Good Idea?


Cisco has made an interesting addition to its Network Access Control (NAC) Guest Server. The company's new Secure Guest Access takes the load off the IT department by enabling authorized employees to create guest accounts. The story maps out how the process works and details what records are kept in association with each pass that is granted.


NACs are a pretty hot topic. These useful platforms control what devices get access to a network and where within that network devices connect. They ensure that security on the devices is up to date and, if not, take corrective action.


eWeek's description of the Cisco addition raises concerns. We certainly can be persuaded -- it's not fair to judge the concept behind a vendor's product before speaking with the company directly -- but the descriptions make this seem like it is more about making life easier for IT than improving security.


In general, IT departments are in charge of enforcing policies and granting access to vendors, partners, temporary workers and other people who tend to come and go -- both physically and in a conceptual sense -- more often than permanent employees. Our concern is that broadening the ways in which outsiders gain access doesn't seem to be a good idea in an era in which the insider threat is perceived as growing precipitously. A lot of these non-IT folks are likely to not be particularly careful about security.


Guest access is an interesting security sector. This Dark Reading story looks at a survey conducted by Applied Research that throws around a lot of numbers about NAC. The key number from the guest access perspective is that only 27 percent of respondents use NAC as a way to control guests on their networks. The writer points out that this type of access was one of the original arguments for NAC.


NAC vendors aren't the only companies dealing with the thorny issues of guest access. In early September, Trapeze Networks took a crack at the challenge of guest access on Wi-Fi. Noting that most guest access is facilitated over wireless connections, the company introduced SmartPass, a system that it says provides control over who is connecting to the network. The release says that most wireless guest access approaches are so cumbersome that companies tend to default to the simplest level. SmartPass, according to the company, simplifies operations and offers tight controls over who gets access and when.


At least one blogger -- at Knowledge of Wireless -- offers some advice on how to position guest access services within the bigger sphere of wireless security. If a company allows guest access, the post says, it is important to separate it from the corporate network. This should be done by placing it either completely outside the corporate network or within the DMZ. In any case, the blogger says, there should be a firewall between the guest and corporate networks. A log and audit trail for every guest user should be maintained.