2007-12-06 19:02:04. Posted by: Lawrence Orans, Research Director in IT Leaders - Security and Risk Management
Lately, I have been speaking with a lot of clients about guest networking. In nearly every discussion, a client will tell a "war story" about a visitor who plugged his or her laptop into the wall jack and brought down the network (either via a worm or via a misconfigured device). A guest network would prevent most of these problems by providing guests with Internet access only (or, for a contractor, tightly limited internal access).
A lot of people confuse guest networking and network access control (NAC). A guest network is really a subset of NAC: It authenticates a user or device before it gains access to the trusted network. NAC takes things a step further: It says "let's make sure that this device is not dangerous to our network before we grant it access." In other words, we baseline the PC to make sure that it is free of malware or that it is at least compliant with our device policies. The guest networking/NAC distinction is an important one. Not all guest networking projects can easily and cost-effectively evolve to a full-blown NAC implementation. But, any true NAC solution can first be used to perform basic endpoint authentication for guest networking and then evolve to a complete NAC implementation.
There are multiple approaches to building guest networks, and some vendors have started to offer dedicated guest networking products. Last month, Cisco announced its Network Admission Control Guest Server, an appliance for building guest networks. It includes a management application that makes it simple enough for any employee to sponsor a guest. Startup vendor Identity Engines sells a guest networking solution with similar features. Cisco's solution works best in Cisco environments (it needs to integrate with Cisco's NAC appliance or Cisco's wireless LAN controllers). By contrast, Identity Engines' solution works best in an 802.1X environment (although it does have an offering for non-802.1X LANs). Some network managers whom I have spoken with have implemented a homegrown guest network based on MAC address authentication (although this approach is not a good stepping-stone to NAC, since it provides no mechanism for baselining endpoint health).
Gartner advises clients not to think of guest networking as a stand-alone point solution, but to think of it as the first step toward a strategic NAC implementation. When you design a guest network, you should do so with the end goal of NAC in mind; that's the most cost-effective approach. You can read more in "Findings from the 'Security' Research Meeting: Go Beyond Guest Networks to Achieve NAC Benefits."