If you’re planning to implement a network access control system to ensure that only authorized users with fully patched and virus-protected hardware can access corporate resources, then you’re in good company. About a third of large US companies are intending to start adopting it this year, according to research carried out by Cambridge, MA- based analyst Forrester.
The key drivers for these companies are compliance considerations – having the ability to carry out network access control, and being able to prove that ability. There is also a financial driver in that manual access control is all about updating clients, and this can be very time consuming and resource intensive. Automating policy enforcement can free up a lot of people and cut calls to help desks dramatically.
A network access control implementation is likely to take about eighteen months and cost anything from $100,000 to ten times that figure, and the key to a successful implementation, as always, is a thorough planning stage, according to Rob Whiteley, Forrester’s senior analyst.
Implementing Cisco’s network Admission Control and Microsoft’s Network Access Protection will affect security policies, network infrastructure like switches, and of course desktop and portable devices and the software running on them. In other words, access control is as much a framework as a series of technologies. What this means is that for a successful implementation you need to ensure the whole IT department, including desktop support staff, network administrators and security people, is involved from the start.
Then it’s necessary to make some architectural decisions, and, specifically, you need to examine three choices. Are you going to implement access control though routing and switching hardware, by buying appliances or exclusively as a software solution? Each has it own benefits and drawbacks, but the three options can, to an extent, be mixed and matched.
Using network hardware gives the most granular control, tying policies to access control dynamically. Instead of telling a switch to admit or deny a device based on some fixed attribute such as its MAC address, it can make decisions based on policies which can vary, and on compliance with those policies, which can also vary. The benefits of this approach are that it offers the highest performance and it is the most scalable solution. The obvious downside is the cost of upgrading large parts of the network infrastructure. However, given that the refresh cycle of network hardware is typically five to seven years, the chances are that at least some of your switching gear is due for replacement anyway.
An alternative which avoids replacing relatively new switches is to adopt access control appliances to do the work “in a box”. This completely avoids touching the network infrastructure &–; access control is effectively implemented as a hardware overlay – and is likely to be considerably cheaper. The disadvantage of this approach is that it is less granular, less scalable, and performance is likely to be lower.
The remaining possibility is to do the whole thing in software, and there are plenty of vendors like McAfee, Check Point and Endforce who supply products to achieve this. Typically this software would be run close to the DHCP and Active Directory servers, and can be implemented quickly and cheaply. The downside is that whereas a network appliance has lockdown capabilities and can shut off access to a user at the network layer 2 or 3 level (effectively carrying out a function which has been offloaded from the switch) in software you don’t have this network control. The most likely scenario is that the software is used to prevent hosts being assigned an IP address, or only an address from a particular, restricted, range. In fact the software could be used to issue commands to a piece of network hardware, but very few network professionals would be happy with this soft of hack.