Access Control Concepts

Network Access Control Technologies

However, there are some drawbacks to using software-based agents:

Deployment—Installing the agent on each endpoint consumes time and IT resources. Even if the user downloads the agent manually, that installation requires one-time user interaction.

Memory consumed on endpoints—The agent remains on the endpoint permanently, which does take memory. However, most agents are relatively small files.

Transient Agents. Manually installing the agent permanently on every endpoint is not always feasible, particularly for companies that must accommodate guests who bring their own devices.

Some solutions offer a modified agent-based solution that relies on a transient agent. This agent is installed on endpoints only for the duration of the compliance scan, which usually occurs when the endpoint first connects. The endpoint downloads the transient agent, an executable program often delivered through ActiveX. The agent then begins working with the network access controller to complete the compliance scan. When the scan is finished and the endpoint is declared compliant or non-compliant, the agent is erased from the endpoint. For this reason, transient agents are sometimes called “disposable” agents.

Transient agent-based solutions have several benefits:

Ease of deployment—Time and resources are saved because the solution itself manages the installation of the transient agent.

Control—Like a permanent agent, a transient agent is designed to work with your network compliance solution, so it may be able to help the endpoint fix problems as specified by that solution.

But transient agent-based solutions are not without drawbacks:

Time to connect—Installing permanent agents on every endpoint may be time-consuming, but it is a one-time process for each individual endpoint. With transient agents, users must always wait for the agent to download before they can connect to the network. If your network enforces post-connect testing, the transient agent must download again every time the NAC tests the endpoint.

Imperfect deployment—Some endpoints still might fail to receive the agent either because the user refuses the download or because the endpoint’s security policies prohibit downloading executable files.
