Cisco today released a new network access control (NAC) product that the vendor claims will help users control...
guest access while also acting as a building block for a potentially broader Network Admission Control deployment.
The Network Admission Control Guest Server adds guest services to other Cisco NAC services. According to Cisco product manager Niall El-Assaad, the server can simplify the guest access process by shifting the burden from IT to other staff authorised under corporate security policies, such as receptionists and workers at the front desk.
Essentially, El-Assaad said, the NAC Guest Server, which can operate with the Cisco NAC Appliance or Cisco Wireless LAN Controller, allows authorised employees to provision guest accounts and grant access. Employees enter a Web portal and submit the guest's details and the start and end times for the access. From there, a username and password is generated and given to the guest either through a printout, an email or an SMS text message.
Along with allowing employees to grant access, the server can record the entire process, offering a detailed history of guests who have accessed the network. The server stores the information and can deliver reports for ongoing management or for auditing.
According to Cisco NAC marketing manager Irene Sandler, guest access is one of four core network access control services, the others being authentication, posture and profiling. Many companies, she said, will begin their NAC deployments at the guest access level and then work out from there.
"A key driver for NAC is a guest network," she said. "You want guests to have access to the Internet."
In a June 2007 report, Gartner analysts Lawrence Orans and John Pescatore highlighted the importance of guest access as a building block to a broader NAC rollout. In the report, the pair wrote: "Building a guest network is often the first step in implementing a broader network access control project. Organisations can reduce NAC costs by architecting guest networks with technology that can also be applied to protecting their internal networks from managed PCs."
El-Assaad said the server covers the four key components of a guest user's lifecycle: Provisioning, notification, management and reporting.
"You want to know what [guests] did and where they went," he said.
Simplifying the guest access process using a captive portal ensures that guests access only those parts of the network that are allowed, El-Assaad said, eliminating the worry associated with loose guest access practices.
"If it's hard to provision guest access, people will look for an easier way around the requirement," he said.
Andrew Stephenson -- IT architect for London-based Numis Securities, which offers financial management services globally and accommodates numerous customers and clients daily -- said that before the financial firm moved to its prestigious new office in the London Stock Exchange, it used a "homebrewed" wireless network. But that created management headaches, especially when it came to guest access.
"It was difficult and time intensive to administer and give guests access," Stephenson said, adding that guests and clients would be using different wireless devices, and ensuring the ability to allow access to all types was troublesome.
Having moved to the London Stock Exchange, it was time to re-evaluate the wireless network and ease the way guests accessed it, he said. The firm provisioned a new LAN and now runs two separate wireless networks, one specifically for guest access.
"We want to protect all of our assets," Stephenson said. "We don't want guests coming in and snooping around our network. That's a must."
But at the same time, Numis wants its guests to have access and receive it in a professional and seamless way.
Stephenson also said that because Numis has more receptionists than IT staff, it just makes sense to allow them to set up guest access without having to call or page IT personnel every time someone new enters the building.
"Because there are so many guests," he said, "we don't want to be overwhelmed and don't want to be burdened with setting up guest access."