Network mapping for NAC implementation
A comprehensive network inventory is necessary for NAC implementation, and can be full of surprises.
By Tim Greene, Network World | Network World US | Published: 00:00, 06 April 2007
One of the first things that needs to be done in NAC implementation is working out exactly which devices are authorised to be on the network and how each should be authenticated.
Getting a comprehensive network inventory is always full of surprises. Network executives report they find devices like hubs that they’d long ago forgotten about, but are still in use. Many offices have small, unauthorised switches attached to Ethernet drops. And many employees use the extra port in their cubicle for an unauthorised wireless access point.
Performing such an inventory by hand is daunting. It takes a team of at least two - one in the wiring closet, one in the office space - tracking down which device is plugged into which port.
This inventory is important because not all devices can be authenticated in the same way.
For instance, a network could demand 802.1x authentication from a properly equipped PC. That would not be possible with a printer or a VoIP phone that lacks 802.1x support, but they both have just as much right to be on the network as the PC.
There are tools that can help with this network mapping. One such tool is Great Bay Software’s Beacon Endpoint Profiler, which also has other benefits. These appliances map networks and categorise each machine that is attached, and they can assign 802.1x policies to non-802.1x devices. For example, if all the printers on a network are to be assigned a policy that allows access only via certain TCP ports, the Beacon device can distribute that policy so 802.1x switches apply it to every printer on the network.
Check with your NAC vendor to find out whether it has its own or a partner’s technology that can meet this need.
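As an added illustration (not from the article, and not how Beacon Endpoint Profiler works internally), the Python example below turns a port-by-port inventory into the decisions described above: which devices authenticate with 802.1x, which get a category policy instead, and which ports need a visit because they carry an unknown device or more than one device. All MAC addresses, switch and port names, category labels and TCP ports are constructed sample values.

```python
from collections import defaultdict
# Constructed sample data (not from the article): authorised devices by MAC.
AUTHORISED = {
    "00:11:22:aa:00:01": {"category": "pc", "dot1x": True},
    "00:11:22:aa:00:02": {"category": "printer", "dot1x": False},
    "00:11:22:aa:00:03": {"category": "voip-phone", "dot1x": False},
    "00:11:22:aa:00:04": {"category": "pc", "dot1x": True},
}
# Constructed policies for categories that cannot do 802.1x (ports are assumptions).
PROFILE_POLICY = {"printer": {"allowed_tcp_ports": [515, 631, 9100]}}
# Constructed (switch, port, MAC) observations, as read from switch MAC tables.
OBSERVED = [
    ("sw1", "Gi0/1", "00:11:22:AA:00:01"),
    ("sw1", "Gi0/2", "00:11:22:aa:00:02"),
    ("sw1", "Gi0/3", "00:11:22:aa:00:03"),
    ("sw1", "Gi0/4", "00:11:22:aa:00:04"),
    ("sw1", "Gi0/4", "02:00:00:00:00:09"),
    ("sw1", "Gi0/5", "02:00:00:00:00:10"),
]

def build_inventory(observed, authorised, policies):
    """Group observed MACs by switch port and decide how each device authenticates."""
    by_port = defaultdict(list)
    for switch, port, mac in observed:
        by_port[(switch, port)].append(mac.lower())
    report = {}
    for key in sorted(by_port):
        macs, devices, findings = by_port[key], [], []
        if len(macs) > 1:  # one drop, several devices: hub, small switch or AP
            findings.append("multiple devices on one port")
        for mac in macs:
            known = authorised.get(mac)
            if known is None:
                findings.append(f"unknown device {mac}")
                devices.append({"mac": mac, "auth": "none"})
            elif known["dot1x"]:
                devices.append({"mac": mac, "auth": "802.1x"})
            elif known["category"] in policies:
                devices.append({"mac": mac, "auth": "profile",
                                "policy": policies[known["category"]]})
            else:  # authorised but no policy written yet for its category
                findings.append(f"no policy for category {known['category']}")
                devices.append({"mac": mac, "auth": "none"})
        report[key] = {"devices": devices, "findings": findings}
    return report

if __name__ == "__main__":
    for (switch, port), entry in build_inventory(OBSERVED, AUTHORISED, PROFILE_POLICY).items():
        print(switch, port, entry["devices"], entry["findings"])
```

In the sample data the VoIP phone is authorised but has no policy yet, so it is reported as a gap rather than silently allowed or blocked.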