Writing an RFP for a Network Access Control Solution

By | February 12, 2007

When considering network security solutions, many organizations choose network access control (NAC) technology as an integral part of their security fabric. Many industry experts believe that NAC is vital to complete network security. NAC helps to ensure that devices entering the network will not introduce viruses or other potentially debilitating malware. Once devices have been risk-assessed and admitted to the network, NAC continuously monitors their activity the entire time they are on the network.

While the general concept of NAC may seem fairly straightforward, recent reports in network security trade publications underscore what we in the NAC world already knew: the NAC space is crowded and vendors’ messaging is often confusing – even to experts. So imagine the challenge of the IT decision-maker of any given enterprise that decides to undertake the daunting task of determining the NAC solution that will best suit their particular network. Some organizations simply do not know where to begin.

As with many industries, a good first step in the search for solutions is to issue a request for proposals (RFP). Developing a strong RFP that clearly articulates an organization’s needs can be laborious, often involving long debates and multiple revisions. The reward for such efforts comes in the proposal review process: The uniform format of the competing vendors’ proposals and the specific replies to each well-considered question makes the job of poring through many proposals a more manageable process.


The requirements for a Network Access Control Solution: Investigate and determine the security posture of devices connecting to the network, including O/S security patch and anti-virus compliance; Provide capabilities to place non-compliant devices and their associated network traffic into a quarantined environment.

Provide mitigation and remediation capabilities to permit security compliance adherence. Identify known and unknown users and allow unknown limited or no network access. Offer continuous monitoring and mitigation for ongoing policy and threat violations.

Network Requirements

Network/Switch Independent – The solution must be able to operate in a heterogeneous switching environment, and detect all device entry events, including devices connecting via unmanaged switches. Switch or firewall integration must not be required.

Network Medium Independent – The solution must be medium-agnostic and work over a wired, optical or wireless network.

Full Clientless Support – The solution must not require the installation of any type of end-user agent for proper device identification.

Please explain how the following devices are supported and protected: Laptops, Desktops, Servers, Printers, Point of Sale Devices, Network Attached Copiers, IP Telephony Devices.

Operating System Support – The solution must support all networked endpoints regardless of the operating system of the endpoint. The solution must be able to perform any applicable pre-/post-admission checks, and quarantine an endpoint regardless of the endpoint’s operating system.

Please discuss how the following Operating Systems are supported: Windows – All, Apple Mac, Linux Solaris.

NAC Response Safe Lists – The solution must allow for designated mission-critical and other special systems to be excluded from NAC functions.

VoIP and other Network Components – The solution should be compatible with voice over internet protocol (VOIP) and/or other non- OS/Headless devices among authenticated network nodes using the data network components and protocols.

Single Point of Failure – The solution must fail open to avoid creating a single point-of-failure in the infrastructure.

Out-of-Band Management Interface – Devices accepting both end-user and management connections must provide a separate, dedicated interface for management purposes, administrative access, Syslog and SNMP traffic, network device communications, etc.

Pre-Admission Network Access Control

Endpoint Status – Devices entering the network must be identified: IP Address, Authentication Status, MAC Address, Allowed or Visitor, Operating System Wired or wireless.

Network Access – Devices attempting to enter the network must be checked for the following compliance: Anti-virus status, Anti-virus definition, Firewall status, Service pack and patch level and Anti-Spyware Status.

Authentication – NAC solution must integrate with internal authentication system – Radius, Active Directory.

Failed Compliance – Devices that fail to meet the minimum standards are to be sent to be updated / patched.

Visitor Devices – Visitor PCs are to be granted limited network access.

Please explain how unknown devices / visitors are handled including granting access to Internet Only Services.

Post-Admission Network Access Control

Post-Admission Component – The post-admission component will be an integral part of any NAC solution deployed. This component will ensure that endpoints, which fall out of compliance after admission, are appropriately contained.

Policy Monitoring – Continuous monitoring and mitigation for policy violations such as IM, FTP, Mail Related and site/departmental rules.

On-going Threat Monitoring – Continuous monitoring and mitigation for threats such as port scanning, device scanning, mass mailer activity, and other “zero day” threat propagation.

Signatureless Technology – Solution must not require agents or signatures to be updated to catch new threats.

Quarantine / Remediation

Automatic Quarantine – Devices that fail Access, Policy or Threat status must be automatically quarantined.

Please explain how device quarantine is accomplished without: 802.1x integration, Switch ACL Management.

Configurable Quarantine – Quarantine function must direct devices to specific services for patch management, AV update services, Malware removal tools, Internet only access to name a few.

Please explain Quarantine functionality for:

Infected device scanning via a third party scanner – Nessus, Anti-virus update services, Operating System Patch Management.

Manual Quarantine. The system must provide the ability to manually add and remove endpoints from network quarantine via an administrative console.

Cross-Contamination. The quarantine mechanism and design must limit cross-contamination between endpoints in quarantine

Quarantine Communications. The quarantine function must provide appropriate communications and notifications of all quarantine events.

Forensic Data Gathering. For the purposes of forensics, the solution should provide the ability to collect flow-level data emitted from endpoints in threat-based quarantine.

End-User Notifications. The quarantine function should provide the user of a quarantined endpoint notification of quarantine state.

Management / Reporting

Centralized Management. The solution must be centrally managed, providing a unified interface for endpoint status rollup, threat posture, device software upgrades and maintenance, etc.

Role-Based Management Access. The management interface must provide for multiple administrative roles with configurable access and functional permissions for administrative controls, policy maintenance, and reporting. Preferably, access controls will be able to restrict the actions of administrators to a group.

Hierarchical Role Delegation –The solution must provide the ability to delegate administrative roles for a given set of network segments.

Syslog –The solution must be able to send syslog-formatted data in compliance with RFC 3164, BSD Syslog Protocol, to one or more external syslog servers.

SNMP –The solution should be SNMP-manageable with support for all applicable objects, addresses, strings, and other values specified in RFC 1213, Management Information Base v.2 (MIB-II) Standard, for network management protocols in TCP/IP-based internets.

Reporting – The solution must provide detailed reports with data storage for a minimum of 30 days.


This outline attempts to simplify the RFP process for organizations seeking the NAC vendor that will best meet their needs. It is intended as a guideline only – requirements will vary according to organizations’ network infrastructure, user profile and security needs. It is hoped that the guideline will help organizations to undertake the NAC vendor assessment process with a better sense of what they should realistically expect from, and know about, prospective service providers.

Leave a Reply