The decision to deploy a Network Access Control (NAC) or Network Management system may seem simple at first, but many questions remain beyond realizing that initial need. There are a number of factors you should consider when determining what type of NAC is right for you and how it might be deployed, as some tradeoffs exist that will affect your business model depending on what you are trying to accomplish. The following tips, although technical in nature, break down the trade-offs with easy-to-understand explanations.
1) Identifying your users as fixed or mobile – With fixed users, apartment buildings and offices can usually rely on what is called a MAC address to identify which users have access to the network. The MAC address is the unique address that comes with every networking card and wireless card on a computer. Because a MAC address can be changed in software, treat it as an identifier for a device rather than as proof of who is using it.
However, the downside of using MAC address authentication is that many users like to be able to change computers or allow guests to log in from their own machines. The only practical way for an ISP to deploy a MAC authentication system is when the ISP is able to install customer premises equipment such as a cable modem. The modem and its MAC address act as a gateway to the apartment or office and can be authenticated or shut off if a customer does not pay their bill.
Another issue to consider is that many installations need to be more dynamic, since people like to take their laptops out of their office or apartment and into a common area. The same is true for hotels and similar environments. Although every user on your network has an IP address, it is not unique to that user and can easily be spoofed. So, this essentially leaves you with only one option: login-based authentication.
2) Login-based authentication – Login-based authentication lasts for the duration of the session while a user is logged in. It is controlled by username and password, and the user is given a temporary IP address for their session, making it unlikely, but not impossible, that a hacker can steal the session.
Yet there are some things that must be considered with a login-based user session. Here are a few key considerations when using login-based authentication:
3) Automatic log out? – You can’t expect users to always log out or tell you when they are finished accessing the network, so you must log them out after a period of inactivity. This is especially true when users are paying for a limited amount of access time, or when a user may be utilizing multiple computers. The easiest way to do this is to program the NAC to log users out after a set period of inactivity.
4) How to bill – You must decide if a user account gets billed by the calendar regardless of whether they use it, or simply by login time. If you’re likely to have a steady stream of multiple users who will want to log on for short amounts of time – like in an airport or coffee shop – it may make more sense to charge by the hour rather than by the month.
5) Do you want to offer different levels of service? – Many providers offer users a few different options with varying speeds. So, for example, you may want to tier your service with bronze, gold, and platinum levels, with users paying more in order to get faster speeds. This allows users who may just want to check their e-mail to do so at a lower cost than the users who are looking to stream videos or update their podcasts.
6) Can an account have more than one simultaneous login? – For example, you could sell access under a single account to a group of people for a sales meeting or convention, which would allow multiple users to access the Internet at the same time from their individual computers. Supply and demand really come into play here, so you need to make sure to allocate enough bandwidth for the multiple users, but also not run the risk of impacting others on your network.
7) Making the most of your space – You may also want to sell marketing space on your login page, which you are able to customize. Say, if you’re a hotel, I’m sure the local pizza place would love to place an ad – especially if they take orders online. This gives you the option of supplementing your existing income from network subscribers with a steady stream of advertising revenue.
8) How much support do you provide? – Do you have a support center available to give refunds for people who miss a charge or can’t get service after purchasing? The ease with which this can be done often depends on the setup that you’re running. For example, in a hotel, support can simply be provided at the front desk. This is a decision that will obviously also be based on your past experience with your network access controller. If problems don’t usually come up, then having around-the-clock support most likely won’t be necessary.
9) Easy instant billing? – Again, this will likely depend on your individual setup and what your customers will want. If you wish to use credit card processing on the fly for a login, you’ll need a merchant account with a bank that supports online authentication. The vendor from whom you purchase your system will also need to know how to work with this account. But if you’re just providing access to groups that have planned access with you ahead of time, instant online billing probably isn’t needed.
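The session rules from tips 2, 3, 4 and 6 (login-based sessions, inactivity logout, billing by login time, a cap on simultaneous logins) can be expressed as one small session table. This is an added example, not code from any NAC product; the tier limits, the 15-minute timeout, the account name and the addresses are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy values (assumptions, not taken from the article).
IDLE_TIMEOUT_S = 15 * 60
MAX_LOGINS = {"bronze": 1, "gold": 2, "platinum": 5}

@dataclass
class Session:
    account: str
    started: float
    last_seen: float

class SessionTable:
    def __init__(self, idle_timeout=IDLE_TIMEOUT_S):
        self.idle_timeout = idle_timeout
        self.active = {}   # (mac, ip) -> Session
        self.billed = {}   # account -> billed seconds of login time

    def login(self, account, tier, mac, ip, now):
        """Called after the password check; enforces the simultaneous-login cap."""
        self.expire_idle(now)
        if (mac, ip) in self.active:          # re-login: close the old session first
            self.logout((mac, ip), now)
        count = sum(1 for s in self.active.values() if s.account == account)
        if count >= MAX_LOGINS[tier]:
            return False
        self.active[(mac, ip)] = Session(account, now, now)
        return True

    def touch(self, mac, ip, now):
        """Record traffic. False means no valid session: send to the login page."""
        self.expire_idle(now)
        s = self.active.get((mac, ip))
        if s is None:      # unknown MAC/IP pair, e.g. a reused IP from another device
            return False
        s.last_seen = now
        return True

    def logout(self, key, end):
        s = self.active.pop(key)
        self.billed[s.account] = self.billed.get(s.account, 0) + (end - s.started)

    def expire_idle(self, now):
        for key, s in list(self.active.items()):
            if now - s.last_seen >= self.idle_timeout:
                # Bill up to the last activity, not up to the expiry sweep.
                self.logout(key, s.last_seen)
```

Keying the table on the MAC and IP pair together means traffic that reuses a session's IP address from a different device is treated as unauthenticated.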
While you’re likely to come across additional questions once you’ve got your network access controller in place, these considerations simply illustrate a sampling of what issues you may want to take into account. As mentioned throughout, in most cases, a final decision will ultimately depend on how and why your NAC is being used. Of course, for many, this may change on a regular basis. Therefore, you don’t necessarily need to have exact plans set in stone before implementing your NAC, but rather simply choose an option that will allow some flexibility. What’s important is that you remain in control.
December 9, 2009 at 3:41 AM
This has certainly given me some ideas. Thank you.