
Features

Network Access Control: Securing the Perimeter


Rolling out a corporate NAC requires questioning the rights of all trusted users.

By Chip Brookshaw on March 17th, 2007

Until now, IT’s main security-related job has been authenticating and granting access to trusted users, while keeping the bad guys out of the network. Yet, as several high-profile incidents have shown, the systems of trusted users can wreak system-wide havoc by inadvertently introducing malware, viruses and other threats into the network.

Mobile technologies and dispersed workforces have blurred the edges of the corporate network. Remote access means flexibility and freedom for employees, but it also introduces a slew of vulnerabilities. Add the need for a company’s partners, customers, contractors and other guests to connect to the corporate network, and you have the makings of a security meltdown.

IT now needs to ensure that trusted users and devices don’t create security risks. That’s the problem that Network Access Control (NAC) seeks to solve.

Building Blocks of a NAC Solution

The reality of NAC implementation is, of course, far from straightforward. However, there are basic building blocks to a NAC solution:

  • Developing security policies
  • Monitoring postures
  • Comparing postures to policies
  • Taking action

Before implementing a NAC solution, it’s vital to develop a complete set of security policies that define access requirements. This involves analyzing business requirements and building consensus between different groups in the organization. It’s nitty-gritty work, yet it’s critical to getting value from a NAC deployment.

First, policies must address basic security issues. Which workers/contractors/customers get access to which network resources? From where? Using what types of devices?

With NAC solutions, though, there’s a deeper layer that also needs to be addressed. What is the required security posture for each user/device that uses the network? Are anti-virus, anti-spam and firewall tools up-to-date? What about operating system patches? Are users running any prohibited programs?

IT also must determine the steps to be taken if a user/device falls short of policy thresholds -- either on initial access (pre-admission) or while connected (post-admission). Is the user routed to a quarantined network space, or denied access entirely? NAC solutions can also manage remediation, applying the latest anti-virus definitions or OS patches, for instance.
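The compare-and-act step described above, sketched as an added example (not from the original article or from any NAC product). The policy fields, thresholds, finding names and action names are all assumptions chosen for illustration, as is the choice to deny on prohibited software and quarantine on anything that can be remediated.

```python
from dataclasses import dataclass, field
from datetime import date

# All field names, thresholds and action names are assumptions for illustration.
@dataclass(frozen=True)
class Policy:
    max_av_age_days: int = 7            # anti-virus definitions older than this fail
    min_patch_level: int = 12           # hypothetical, monotonically increasing OS patch number
    require_firewall: bool = True
    prohibited: frozenset = frozenset({"p2p-client", "remote-admin-tool"})

@dataclass
class Posture:                           # what an agent or scanner reports for one device
    av_updated: date
    patch_level: int
    firewall_on: bool
    programs: set = field(default_factory=set)

def evaluate(policy, posture, today):
    """Compare a posture to policy; return (action, findings, remediation steps)."""
    if posture is None:                  # no report at all: fail closed, not open
        return "quarantine", ["no_posture_report"], ["install_or_run_agent"]
    checks = [  # (finding, failed?, remediation)
        ("av_definitions_stale",
         (today - posture.av_updated).days > policy.max_av_age_days,
         "update_av_definitions"),
        ("os_patches_missing", posture.patch_level < policy.min_patch_level,
         "apply_os_patches"),
        ("firewall_disabled", policy.require_firewall and not posture.firewall_on,
         "enable_firewall"),
    ]
    findings = [name for name, failed, _ in checks if failed]
    fixes = [fix for _, failed, fix in checks if failed]
    banned = sorted(posture.programs & policy.prohibited)
    if banned:                           # assumed here to need manual review, so deny
        return "deny", findings + ["prohibited:" + p for p in banned], fixes
    return ("quarantine" if findings else "allow"), findings, fixes

if __name__ == "__main__":
    policy, today = Policy(), date(2007, 3, 17)          # constructed sample data
    laptop = Posture(date(2007, 3, 15), 12, True, {"browser"})
    print("pre-admission: ", evaluate(policy, laptop, today))
    laptop.firewall_on = False                           # posture changes while connected
    print("post-admission:", evaluate(policy, laptop, today))
```

The same function serves both the pre-admission and post-admission checks: the second call shows a device that was admitted cleanly being moved to quarantine once its posture drifts.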

Types of NAC Approaches

NAC solutions take three main technical approaches, although many products integrate more than one of these methods:

  • Standalone appliances
  • Software agents (persistent and/or dissolvable)
  • Switches with NAC functionality

Inline solutions, such as appliances or switches, examine all incoming traffic and manage access as needed. This approach offers a range of mitigation options, but it can also degrade network performance and add a single point of failure to a network.

Out-of-band solutions monitor access points and typically require software agents on trusted systems. This approach doesn’t add a single point of failure, but it relies on existing network infrastructure to deal with policy violations.

State of the Market

Dozens of vendors vie for a slice of the NAC market. Several large infrastructure players now include NAC functionality in their products, while numerous pure-play vendors jockey for position and market share. Although there has been some work on standards setting, progress in this area has been slow.

Cisco Systems was an early leader in the NAC market with its Network Admission Control technology, which is embedded in the company’s hardware. Microsoft’s contribution to the market is the Network Access Protection platform, which the company is integrating into its operating systems. The two companies are also collaborating to build interoperability between their respective technologies.

Meanwhile, the Trusted Computing Group is leading the Trusted Network Connect initiative, an attempt to develop standards for the NAC market in the hopes of advancing interoperability.

 

Down the Road

It’s not yet clear how NAC solutions will evolve to deal with other aspects of network security, such as intrusion detection and client management. Perhaps NAC functionality will be integrated into other types of security products. Security vendors such as Symantec and Trend Micro already offer solutions that combine NAC with client-side security.

Regardless of how the market evolves, though, it’s a good bet that companies will want to approach security more holistically to create efficiencies and improve their overall security posture.

 


Comments

After being taken to task by malware, I went out and invested in a NAC solution. I have NOT been disappointed. Run, do not walk!

Posted by: Pete, 22:10:04 on 2007-03-21

