“NAC has become a catchall for various security technologies in search of a home,” said Robert Whiteley, senior analyst for Forrester Research. “Cisco’s original definition of network admission control was explicit. It was, obviously, about admissions, but NAC has since evolved beyond that.”
Well beyond that. The various NAC vendors have two things in common: identity-based network admissions and a shift from external to internal security. Beyond that, each vendor emphasizes different features and security postures.
In terms of identity, the NAC idea is that the more you know about a user, what devices that users logs on with, and what resources he or she should access once inside, the more secure your network is.
When it comes to internal security, NAC vendors argue that perimeter security, while important, is not even close to enough protection for sensitive assets. On one hand, network perimeters are disappearing. VPNs, poorly secured WLANs, ever-evolving communication applications like instant messaging and Skype, and even new peripherals like iPods or Bluetooth-enabled cell phones all find their way onto the network without being vetted by IT.
Every Domain is Now “Untrusted”
At the same time, networks are increasingly opening up to remote workers, corporate guests, contractors, and partners. “There used to be a big difference between trusted and untrusted domains,” said Michelle McLean, senior director of product marketing for NAC vendor ConSentry Networks. “Now, the untrusted domain is everywhere. The perimeter is gone.”
From a productivity standpoint, these trends are mostly beneficial. From a security standpoint, they are a nightmare. The Achilles heal is authentication and identity – which really boils down to the weakness of user names and passwords.
How do partners, guests and customers access network resources or collaborative applications? In many cases, a user name and password will still get you in.
A final consideration is that even the most vetted user, a valid in-office employee, may be up to no good. If you must pass stringent multi-factor authentication to get into the network, what happens afterwards? Often sensitive applications are protected by user names and passwords alone.
The U.S. Commerce Department estimates that intellectual property theft costs U.S. business about $250 billion each year, while also resulting in the loss of nearly 750,000 domestic jobs – and those numbers are considered conservative, due to underreporting.
According to McLean, it’s important to remember that not all insider threats are intentional. Employees who fall victim to phishing attacks or who unintentionally bring a worm into the network on a USB device pose nearly as much of a threat as someone with malicious intent.
Checking for Clean Machines
Current NAC offerings secure the internal network through two key processes: pre-admission identity controls and post-admission enforcement features. A pre-admission check ensures that the user has valid credentials and is using a proper device.
“Early solutions focused on who you were and whether or not a machine was clean,” McLean said. A clean machine was one without a worm. “That was about it, a binary choice about admissions.” You’re in or you’re out.
The subsequent generation of pre-admission checks then started to demand a little bit more from devices entering the network, such as making sure anti-virus software was installed.
Now, more sophisticated checks are in the works. “There is so much more information a NAC solution can ask,” said Brendan O’Connell, product manager for Cisco NAC solutions. “What type of operating system is the machine running? What applications are installed? Are your patches up to date?” If you want to get to a sensitive part of network, your organization’s NAC may require you to have a certain operating system along with the absence of applications like instant messaging or Skype.
Next in the evolution of NAC came the post-admission piece of the puzzle, and this is where the most heated vendor debates are taking place. “NAC has evolved into something truer to solving insider threats by looking not only at who you are, but also what role you have. What are you allowed to do?” McLean said.
For instance, once an engineer is in the network, should that person be accessing payroll information? If the user isn’t in the finance department, the answer is no. Access will be disallowed and the attempt to access that application will be logged.
Next page: When Printers Act Like Mail Servers
“What are you doing that would constitute a violation?” Whiteley asked. Some solutions take shortcuts, say, requiring IT to whitelist certain devices that can’t be scanned, such as faxes and printers. The premise is that those devices pose little risk to the network.
“This approach is not sufficient,” Whiteley argued. “The whitelists usually rely on IP and MAC addresses, which can be spoofed.” Better is a policy-based system that restricts a machine’s behavior as stringently as a user’s. “A behavior-based policy says that since a device is a printer, it shouldn’t be making a thousand connections per second. A printer wouldn’t do that.”
The post-admission piece of the puzzle was pioneered in the WLAN space, with vendors like Newbury Networks and Bluesocket attempting to overcome the geographical spill of wireless signals (which penetrate through walls and out of the office, after all) by focusing on identity and role. The trouble with the wireless approach is repeating it on the wired LAN.
Where, then, should organizations turn for useful NAC solutions? Unfortunately, the answer isn’t all that helpful: it depends.
If you are a strictly Cisco shop, it makes sense to use their solutions, especially since they’ve been working with Microsoft on interoperability. If endpoint enforcement is your primary concern, Symantec and Elemental fit the bill.
If you’re looking to segment the access process from network traffic, then the out-of-band solutions from ForeScout, Lockdown, and Juniper will work. Do you want a software only solution? If so, go with Endforce, StillSecure, or ExaProtect. If you’d prefer to focus on inline access control and policy enforcement, investigate the offerings from ConSentry, Vernier, or Nevis.
Further down the road, the promise of NAC is that it will give IT more fine-grained control of networking. “NAC will eventually deliver a more intelligent usage of network resources,” O’Connell said.
Eventually, the more sophisticated solutions will evolve from protecting against data leakage by, for instance, not letting developers access software code when in a public conference room to, perhaps, enabling differentiated quality of service based on identity and role.
Next page: What to look for in a NAC solution
1. Stop and identify the business drivers first.
“When you peel back the layers, the first driver is usually about unmanaged or guest users, such as consultants, contractors, partners, and even customers,” said Forrester’s Whiteley. “If this is your only concern, you can get away with a turnkey box that provides a ‘hotel experience.’ However, if you try to send every single wired user through that box, it will be costly. You’d be better off with something that integrates with your existing networking architecture.”
2. Make sure the solution identifies both users and devices.
“It’s critical to know who and what you’re talking to. I’m not going to give a guest the same access as an employee, and I’m going to run more checks on a laptop that has left the office than a stationary PC,” said Cisco’s O’Connell.
3. Does the solution enable comprehensive health checks?
“NAC promises to deliver an enterprise-wide architecture for compliance, saying that, perhaps, you need a Windows patch or an anti-spyware program running. It’s an ongoing access control system that checks a user’s compliance with policy,” Whiteley said.
4. Are there posture assessment and enforcement mechanisms?
“I know who I’m talking to. Now what do I give them? Based on policy, a human resources person shouldn’t have access to an engineering domain,” said O’Connell.
5. Decide what your organization will do about quarantine and remediation.
“This is where the real value is, but it’s the hardest part to do. Once you violate a policy, can I fix you so you are compliant, or are you on your own?” Whiteley asked.
6. Determine the appropriate architecture, be it software, hardware, or one based on current vendor relationships.
“Architecture affects function. What the best one? It depends on your goal. If you want to monitor users, it implies that you can see traffic, meaning the device must be inline. You may have agents on endpoints, but you need something centralized in the network,” said McLean of ConSentry.
7. Look ahead to centralized policy management.
“The problem is that there is no central policy standard. The vendors aren’t playing well together, so there are many separate islands of policy, ranging from Cisco to Microsoft to those of patch or anti-virus vendors,” Whiteley said.