Warp speed Network Access Control
By James D. Brown, CTO, StillSecure
Network Access Control products have to do a lot of work compared to other security products. They monitor the network for endpoints joining and leaving, match endpoints to a particular security policy based on a variety of factors, check endpoints for compliance, potentially fix problems on endpoints, and then give them the right level of access to the network, and that’s just for starters. NACs also help manage mobile devices and brought-from-home computing devices, provide guest access functionality, and provide an enterprise-wide snapshot across a variety of security tools, settings, and patch levels. I can’t think of another security tool that takes on so much in one solution.
Network Access Control (NAC) products spend a lot of their time (80-90%) checking endpoints for compliance before making a decision as to what level of access they should receive on the network. This time determines how long it takes users to gain access to your network, and it determines how expensive it is to scale a solution to meet the needs of a large enterprise. The faster a NAC can check compliance, the more quickly it can move on to other endpoints, and the fewer enforcement points you need for a given network.
Interestingly, NACs perform a lot of the same functions as vulnerability scanners, but under vastly different time constraints: a NAC has to test fast enough that end users can become productive quickly. This means seconds: we humans are an impatient lot. Vulnerability scanners, on the other hand, only have to be fast enough to test a network over the course of days or weeks. That means multiple minutes are often no problem. It should come as no surprise, then, that NACs that leverage vulnerability scan engines for compliance checking get left in the dust by purpose-built compliance engines in the market today.
Since a NAC spends so much time scanning endpoints, it’s no wonder that many vendors limit the number of checks significantly to make up some time, or that their appliances can scale only to a few thousand endpoints. Limiting the number of checks greatly limits capabilities, and deploying large numbers of enforcement points is painful, costly to manage, and difficult to justify. Throw in the fact that most NACs are hardware appliance-based and can’t be virtualized, and you’re really in trouble.
StillSecure’s Safe Access was purpose-built for compliance scanning back in 2004. It can test an endpoint for its entire test set of 1600 checks in 2 seconds or less, and uses only about 650 KB of data transfer to do it. That’s real speed, and it allows Safe Access to manage an order of magnitude more endpoints than its nearest competitor on comparable hardware. That testing speed means you can deploy fewer policy enforcement points in your network, and get users productive more quickly and at lower cost. And, if you don’t like the idea of buying more hardware, you can run Safe Access in a virtual machine and save a bundle.
This is why Safe Access has been deployed successfully for years in some of the largest intranets in the world.