Can you really afford to wait 45 seconds? A 15-second answer.

The dilemma between Pre Connect/Post Connect methodologies is one of the hottest issues being discussed in the world of Network Access Control (NAC) today. It addresses the perpetual challenge to balance the prime objectives in network access security; enabling   the right users to access corporate network resources securely, whilst maintaining the flow of business continuity and productivity in the organization at the same time.

Lately, a major NAC provider published an article relating to the pre/post connect dilemma.  The article was based on research carried out by network professionals that included an experiment performed for investigating different  implications in (NAC) practices.

The author of the article wanted to see how long it would take another vendor’s NAC software to identify a device on the network. Using his mobile phone, he logged on to the corporate network and noted the seconds passing. He found that it took 45 seconds for that vendor’s solution to identify his device on the network.

His simple experiment highlighted a fundamental flaw with the vendor’s software; it could only identify the device 45 seconds after it had connected to the network. Those 45 seconds left an “unmonitored window of time” during which the network was exposed to potential threats (malware, viruses, hacking into corporate data, etc.),  before a theoretical rogue device would eventually have been detected and booted off. Whatever security measures that could have been taken at that point were therefore close to futile, because the damage would already have been done.

Admittedly, the Pre-Connect Visibility and Control phase is a crucial phase, but how can it be integrated into an optimal solution? Well we don’t think it can.

Pre-connect holds substantial drawbacks when it comes to productivity. To achieve the ideal state of NAC where only fully authenticated and compliant devices are connected, organizations need to rethink the traditional pre/post approaches and consider a more flexible approach that combines modular post/pre/partial modes to achieve the optimal balance.

To strike the appropriate balance between security and productivity, Portnox™ includes a Partial Pre-Connect mode that combines both pre and post connection validation methodologies. This mode allows specific network connections access to the network based on a minimum bar of authentication, whilst at the same time still affording the ability to continue device interrogation and potential access denial once interrogation is complete. This approach is critical in high-assurance environments but also highly recommended in high-risk environments such as conference rooms, lobbies, guest offices, where the chance of a potentially infected or malicious device connecting is even higher.

This hybrid mode has proven to be the most effective policy and is utilized with the majority of Portnox customers.