Dynamic NAC FAQ

Q. What is DNAC?

A. DNAC (Dynamic Network Access Control) is software that turns ordinary PCs into enforcers that control other endpoints' access to the network. DNAC differs from host-based solutions because the enforcers control other PCs' access to the local subnet and to other networks, not just traffic to themselves.

DNAC lets administrators authorize, evaluate, and remediate wired, wireless, and LAN users and their machines prior to allowing users onto the network. DNAC identifies whether networked devices such as laptops, IP phones, personal digital assistants, or printers are compliant with an organization's security policies, and helps repair vulnerabilities before permitting access to the network.

Q. What role does DNAC play within the NAC market?

A. General NAC solutions provide network identity, keep rogue endpoints off the network, ensure consistent configurations for PCs, and let administrators know what's on the network. Despite these benefits, the cost and effort to deploy NAC has slowed its deployment in many organizations.

InfoExpress is making NAC easily deployable with a software-based option that requires much less time and effort to deploy, and does not need updates, upgrades, or changes to the network equipment or configuration.

Q. How is DNAC installed and how long does it take?

A. DNAC comes as a software installer that provides a complete NAC solution for the LAN. The software installs on a Windows 2008 or 2003 server. The time to install a DNAC evaluation on a single network is typically a few hours and does not require changing infrastructure devices.

Q. Why would an organization need DNAC?

A. The greatest inadvertent threat to network security is the end user. Because each endpoint is a potential conduit into the network, it is increasingly important for users to bring their machines into compliance with their organizations' security policies. The DNAC software uses the incentive of network access to ensure compliance, and uses the capabilities of compliant endpoints to bring noncompliant machines up to requirements.

Q. Why deploy DNAC now instead of waiting?

A. The growing numbers of partners, customers, and remote employees create a need to secure endpoints from threats arising from increased mobility and the presence of unmanaged devices. Furthermore, failing to provide accurate reports and audits may result in costly penalties. With DNAC, organizations can benefit from NAC without costly infrastructure upgrades or difficult configuration.

Q. What is the relationship between the DNAC software, the CyberGatekeeper Server, and the CyberGatekeeper Remote appliance?

A. The DNAC software and CyberGatekeeper Server provide a complete NAC solution. When using the VMware or Hyper-V versions of the policy server, everything can be run on a single Windows 2008 or Windows 2003 server. The CyberGatekeeper virtual servers support multiple enforcement methods, including 802.1x, DNAC, and CGSI/HIC, used for Alcatel-Lucent switches and DHCP servers.

The CyberGatekeeper Server is also available as a standalone appliance. The CyberGatekeeper Server appliance supports all enforcement methods in the virtual policy server, and adds in-line traffic enforcement.

The CyberGatekeeper Remote appliance is similar to the CyberGatekeeper appliance, but only supports the in-line access control method. The CyberGatekeeper Remote appliance is primarily designed to provide an in-line solution for WLAN controllers and remote access VPNs.

Client software includes desktop agents for Windows 7, Windows Vista, Windows XP, MacOS X, and Linux. Dissolvable web agents are available for the Windows platforms.

Q. What is the difference between products from networking infrastructure vendors like Cisco and DNAC?

A. Infrastructure equipment approaches to NAC typically use port-based access control through (i) 802.1x RADIUS EAP on a switch with agents and a RADIUS server, or (ii) SNMP to manage VLANs for certain ports.

DNAC enforces on individual hosts, whether real or virtual, by turning ordinary PCs into enforcers that police the network. This approach does not require new subnets or other network changes to control access. As DNAC software proliferates, the networks containing the endpoints become capable of performing NAC. Feedback from customers who have installed DNAC indicates that installation effort is several times lower than with competing NAC solutions.

Q. What are the key differences between NAC products that use IPS or port monitoring, compared to DNAC?

A. Using IPS or port monitoring requires selecting choke points on the network. This is typically an appliance at critical locations on the LAN for IPS, or attaching the monitoring appliance to a monitoring port on the switch. The choke points filter rogues with access control rules or by sending DOS attacks against the rogues.

These approaches provide granularity only when the monitoring/choke point is moved close to the endpoint. However, this incurs a significant cost when multiple locations are present and can lead to load issues on choke points with heavy traffic. For IPS solutions, the choke points also become potential points of failure.

Q. What features does DNAC offer compared to other NAC solutions?

A. DNAC provides the authentication, quarantining, remediation, and posture assessment that infrastructure NAC solutions provide, with even greater quarantine granularity. With DNAC, endpoints can be quarantined by individual machine, even if connected to the same switch port or even when multiple endpoints are running on the same physical machine (e.g. virtual machines). For example, PCs, laptops, virtual machines, VoIP phones, printers, and network access devices are independently quarantined, even if connected to the same port on the switch. Because it uses the CyberGatekeeper NAC software for policy assessment, DNAC provides granular policy constructs, direct and integrated remediation options, and excellent end-user communication.

Q. What is the difference between DNAC and host-based firewall or DHCP NAC?

A. Desktop software approaches assume the user is running the vendor's security software. If this assumption is invalid, such as on an intruder's PC, the NAC solution offers no protection at all. The DHCP NAC approach places a DHCP proxy between the DHCP server and the switches.

DHCP-based enforcement is easily overridden by assigning a static IP to the endpoint. Furthermore, the DHCP approach requires extra subnets to be configured for each switch under management. introduced solutions that enforce policies on individual endpoints.
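The static-IP weakness described above is a visibility gap: an enforcement point that only sees DHCP traffic never learns about a host that configured its own address. The following is an added example (not InfoExpress code) of the reconciliation check a defender can run to close that gap, comparing the DHCP server's active leases against the ARP/neighbor table observed on the same subnet. The lease and neighbor tables are constructed sample data, and the simple "ip mac" line layout is an assumption rather than the export format of any particular DHCP server or switch.

```python
"""Flag endpoints that are active on the wire without a matching DHCP lease.

A DHCP-only NAC scheme cannot see a host that assigned itself a static
address, so the lease table has to be reconciled against what the subnet
actually carries.  DHCP_LEASES and NEIGHBOR_TABLE below are constructed
sample data in an assumed 'ip mac' layout.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: active DHCP leases as "ip mac" lines.
DHCP_LEASES = """\
10.20.0.11 aa:bb:cc:00:00:11
10.20.0.12 aa:bb:cc:00:00:12
10.20.0.13 aa:bb:cc:00:00:13
"""

# Constructed sample: ARP/neighbor table gathered on the same subnet.
NEIGHBOR_TABLE = """\
10.20.0.1  aa:bb:cc:00:00:01
10.20.0.11 aa:bb:cc:00:00:11
10.20.0.12 aa:bb:cc:00:00:12
10.20.0.13 aa:bb:cc:00:00:99
10.20.0.77 de:ad:be:ef:00:77
"""

# Hosts that legitimately never lease (gateway, servers with reserved addresses).
STATIC_ALLOWLIST = {"10.20.0.1"}


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    reason: str


def parse_table(text):
    """Parse 'ip mac' lines into {ip: mac}; MACs are normalised to lower case."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, mac = parts[0], parts[1].lower()
        ip_address(ip)  # raises ValueError on a malformed address
        table[ip] = mac
    return table


def find_unleased_hosts(leases_text, neighbors_text, subnet, allowlist=frozenset()):
    """Return findings for addresses active on `subnet` that DHCP does not account for.

    Two cases are reported:
      - no lease at all for the IP (the static-IP bypass), and
      - a lease exists but the MAC on the wire differs from the leased MAC
        (a leased address reused from a different interface).
    """
    net = ip_network(subnet)
    leases = parse_table(leases_text)
    neighbors = parse_table(neighbors_text)
    findings = []
    for ip, mac in sorted(neighbors.items(), key=lambda kv: ip_address(kv[0])):
        if ip_address(ip) not in net or ip in allowlist:
            continue
        leased_mac = leases.get(ip)
        if leased_mac is None:
            findings.append(Finding(ip, mac, "no DHCP lease for active address"))
        elif leased_mac != mac:
            findings.append(Finding(ip, mac, f"leased to {leased_mac}, seen from {mac}"))
    return findings


if __name__ == "__main__":
    for f in find_unleased_hosts(DHCP_LEASES, NEIGHBOR_TABLE, "10.20.0.0/24", STATIC_ALLOWLIST):
        print(f"{f.ip:<12} {f.mac}  {f.reason}")
```

On the sample data the check reports 10.20.0.13 (leased to one MAC, answering from another) and 10.20.0.77 (no lease at all); the gateway is skipped via the allowlist. In practice the neighbor table would be pulled from the switch or a host on each subnet, which is exactly the per-subnet coverage that a DHCP-proxy design lacks.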

DNAC-enabled endpoints are different, because enforcers control access for other endpoints on the network besides themselves. This means that each endpoint on the network is independently validated by a third party before it gains access to the network. As a result, DNAC solutions are more effective, and integrate into the network with greater ease than either host-based or infrastructure-based approaches.

Q. Is DNAC specific to LAN users? Do I need a separate product to enforce policies on my remote-access users?

A. The DNAC software applies a set of policies to all devices attaching to the network through the LAN or WLAN. These policies also apply to devices attaching through a remote access VPN, through the CyberGatekeeper Remote or CyberGatekeeper appliances.