NAC: A User's Guide

Are you confused by NAC? If so, you’re not alone. Even NAC (Network Access Control) vendors can’t agree on what exactly the concept means. They argue over whether to control access and identity at the network or application layer. They argue about pushing WLAN access protocols to the wired LAN. They argue about what to emphasize – their products emphasize everything from identity-based network admissions to endpoint enforcement to policy control.

“NAC has become a catchall for various security technologies in search of a home,” said Robert Whiteley, senior analyst for Forrester Research. “Cisco’s original definition of network admission control was explicit. It was, obviously, about admissions, but NAC has since evolved beyond that.”

Well beyond that. The various NAC vendors have two things in common: identity-based network admissions and a shift from external to internal security. Beyond that, each vendor emphasizes different features and security postures.

In terms of identity, the NAC idea is that the more you know about a user, what devices that users logs on with, and what resources he or she should access once inside, the more secure your network is.

When it comes to internal security, NAC vendors argue that perimeter security, while important, is not even close to enough protection for sensitive assets. On one hand, network perimeters are disappearing. VPNs, poorly secured WLANs, ever-evolving communication applications like instant messaging and Skype, and even new peripherals like iPods or Bluetooth-enabled cell phones all find their way onto the network without being vetted by IT.

Related Articles

he Many Myths of Endpoint Security Boeing Grappling With Data Theft Restoring Online Privacy Security Flaw Could Ground Wi-Fi Users FREE IT Management Newsletters bITa Planet CIO Update Intranet Journal Update Datamation IT Management Careers Datamation Newsletter Grid Computing Planet HTML E-Security Planet Newsletter E-Security Planet HTML DRM Watch HTML

Every Domain is Now “Untrusted”

At the same time, networks are increasingly opening up to remote workers, corporate guests, contractors, and partners. “There used to be a big difference between trusted and untrusted domains,” said Michelle McLean, senior director of product marketing for NAC vendor ConSentry Networks. “Now, the untrusted domain is everywhere. The perimeter is gone.”

From a productivity standpoint, these trends are mostly beneficial. From a security standpoint, they are a nightmare. The Achilles heal is authentication and identity – which really boils down to the weakness of user names and passwords.

How do partners, guests and customers access network resources or collaborative applications? In many cases, a user name and password will still get you in.

A final consideration is that even the most vetted user, a valid in-office employee, may be up to no good. If you must pass stringent multi-factor authentication to get into the network, what happens afterwards? Often sensitive applications are protected by user names and passwords alone.

The U.S. Commerce Department estimates that intellectual property theft costs U.S. business about $250 billion each year, while also resulting in the loss of nearly 750,000 domestic jobs – and those numbers are considered conservative, due to underreporting.

According to McLean, it’s important to remember that not all insider threats are intentional. Employees who fall victim to phishing attacks or who unintentionally bring a worm into the network on a USB device pose nearly as much of a threat as someone with malicious intent.

Checking for Clean Machines

Current NAC offerings secure the internal network through two key processes: pre-admission identity controls and post-admission enforcement features. A pre-admission check ensures that the user has valid credentials and is using a proper device.

“Early solutions focused on who you were and whether or not a machine was clean,” McLean said. A clean machine was one without a worm. “That was about it, a binary choice about admissions.” You’re in or you’re out.

The subsequent generation of pre-admission checks then started to demand a little bit more from devices entering the network, such as making sure anti-virus software was installed.

Now, more sophisticated checks are in the works. “There is so much more information a NAC solution can ask,” said Brendan O’Connell, product manager for Cisco NAC solutions. “What type of operating system is the machine running? What applications are installed? Are your patches up to date?” If you want to get to a sensitive part of network, your organization’s NAC may require you to have a certain operating system along with the absence of applications like instant messaging or Skype.

Next in the evolution of NAC came the post-admission piece of the puzzle, and this is where the most heated vendor debates are taking place. “NAC has evolved into something truer to solving insider threats by looking not only at who you are, but also what role you have. What are you allowed to do?” McLean said. For instance, once an engineer is in the network, should that person be accessing payroll information? If the user isn’t in the finance department, the answer is no. Access will be disallowed and the attempt to access that application will be logged.

Next page: When Printers Act Like Mail Servers