802.1x experience for Network Access Control
Since the introduction of NAC about a decade ago, 802.1x has been put forth as a technology that could make the implementation of NAC easy, standards-based, and inexpensive. Then came stories in Network World and other publications about the real world: stories about large enterprises whose 802.1x deployments took months or years and cost much, much more than expected. Last year, Spire Security wrote up their thoughts on the current suitability of 802.1x for network access control.
As manager of ForeScout Professional Services, I live in the trenches. In the real world, IT security managers try to avoid career-limiting moves, such as blocking massive numbers of people from doing their jobs. Unfortunately, 802.1x and the products that utilize 802.1x risk doing just that.
The universal problem I see when organizations bring my team in to help them get things sorted out is that NAC products that utilize 802.1x do not provide enough information about the endpoint before deciding to block it, and they don't provide enough remediation options. In the real world, about 10% of corporate-owned devices are not properly manageable or have some sort of problem with their security posture. I'm talking about problems with domain login, antivirus agents being turned off, patch management not installed, etc. So in the real world, a simplistic 802.1x system would make the black-or-white decision that these devices have some sort of problem and therefore should be blocked from the network. The concept of identifying problems and remediating them first, so that the 10% of non-compliant systems becomes more like 0.5%, tends to be missing from most NAC products, especially those that rely on 802.1x. And that's why my team keeps busy.
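To make the difference between the two approaches concrete, here is an added example (not ForeScout's code or any product's policy language) that evaluates a constructed fleet of 200 endpoints against the posture checks named above: a binary 802.1x-style policy that blocks on any failure, beside a graded policy that sends remediable faults (AV off, patch agent missing) to a remediation step and quarantines only hosts with no corporate identity. The `Posture` fields and the fleet composition are assumptions made for the illustration.

```python
from dataclasses import dataclass, replace
from collections import Counter


@dataclass(frozen=True)
class Posture:
    """Constructed posture record; field names are hypothetical."""
    host: str
    domain_joined: bool   # device can log in to the domain
    av_running: bool      # antivirus agent is active
    patch_agent: bool     # patch management agent is installed


def is_compliant(p: Posture) -> bool:
    return p.domain_joined and p.av_running and p.patch_agent


def binary_decision(p: Posture) -> str:
    """Simplistic 802.1x-style policy: any posture failure blocks the port."""
    return "allow" if is_compliant(p) else "block"


def graded_decision(p: Posture) -> str:
    """Tiered policy: clean hosts pass; a domain-joined host whose only faults
    are agent problems goes to remediation; a host with no corporate identity
    is quarantined for manual follow-up instead of being silently blocked."""
    if is_compliant(p):
        return "allow"
    if p.domain_joined:
        return "remediate"
    return "quarantine"


def remediate(p: Posture) -> Posture:
    """Apply the automatic fixes a remediation tier would perform
    (restart the AV agent, install the patch agent) to remediable hosts."""
    if graded_decision(p) != "remediate":
        return p
    return replace(p, av_running=True, patch_agent=True)


def decisions(fleet, policy) -> Counter:
    """Count how many hosts land in each outcome under a given policy."""
    return Counter(policy(p) for p in fleet)


# Constructed sample fleet: 200 hosts, about 10% with a posture problem.
FLEET = [Posture(f"ws-{i:03d}", True, True, True) for i in range(180)]
FLEET += [Posture(f"ws-{180 + i:03d}", True, False, True) for i in range(12)]  # AV turned off
FLEET += [Posture(f"ws-{192 + i:03d}", True, True, False) for i in range(7)]   # no patch agent
FLEET += [Posture("ws-199", False, False, False)]                               # not domain-joined

if __name__ == "__main__":
    print("binary policy        :", decisions(FLEET, binary_decision))
    print("graded, before fixes :", decisions(FLEET, graded_decision))
    print("graded, after fixes  :", decisions([remediate(p) for p in FLEET], graded_decision))
```

Under the binary policy 20 of 200 hosts (10%) are blocked outright; after the remediation step the graded policy leaves a single host (0.5%) in quarantine and the rest on the network.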
Maybe there are organizations that successfully deploy NAC based on 802.1x and find it a breeze to manage on an ongoing basis (whitelist maintenance for printers, etc.). I just never hear about it.
Are you one of these customers? Let me know if your experience with 802.1x has been highly positive.