What are some of the challenges in deploying NAC? What are the alternatives for LAN security?

You're not alone in asking these questions - we see customers all the time who know they need to control guests and contractors on their LAN but don't know where to start. Most find they can keep the initial NAC roll-out simple, deliver on their primary goals, and then follow a simple plan for expanding the scope of their deployment's functionality. Mercy Medical Center, for example, is following exactly this course - starting with providing guests Internet-only access and letting employees go anywhere on the LAN.

In your NAC deployment, you're likely to encounter three main challenges - the impact it has on your network, the difficulty of establishing policies, and the scope of your initial deployment. The good news is you can do a lot to reduce these challenges and gain a lot from your NAC deployment.

To understand NAC's impact on your network, you need to look at the degree to which it mandates changes, if any, to your endpoints, switches, VLANs or ACLs, and identity stores. The more you can reduce this impact, while still gaining significant control over what users can do on the LAN, the greater the return on investment from a "time to deploy" perspective.

For example, some NAC devices require cooperation from switches to enforce policy, so typically the switches need at least a software update. These solutions often provide only rudimentary post-admission control, relying on dropping users into a VLAN to limit their reach on the LAN. So you'll need to change your VLANs to support role-based segmentation and update your ACLs to enforce the appropriate blocking between user groups.

The second major challenge concerns establishing the appropriate policies, which is not ultimately IT's responsibility. Instead, IT needs to work with the lines of business to translate their desired policies, such as IBM contractors should get access only to IBM blade servers, into constructs that the NAC equipment can use and enforce.

To ease this challenge, IT should look for NAC architectures that make it easy to deploy and test the policies, by putting devices in "monitor only" mode, for example, and watching how many policy violations occur. If the number of violations is really large, it's more likely that the policy is wrong than that lots of people are behaving wrongly.