Subscribe
About

Developing a knack for NAC

Increasingly elastic corporate boundaries necessitate the need for tight network access control.
Mike Hamilton
By Mike Hamilton
Johannesburg, 30 Jun 2008

The automation of business processes has increased corporate dependence on network-based information. At the same time, the user community has become more diverse and corporate boundaries have become more elastic.

Outsourcing and the growing use of contractors mean companies must provide network and application access to a dynamic workforce with differing needs and operating from numerous locations.

Corporate "outsiders", such as customers and guests, have even come to expect Internet access at the very least from waiting areas and conference rooms.

In addition, the adoption of new technologies has led to a proliferation of devices on the network, such as IP phones, security cameras, bar code readers and industrial robots.

Amid this new era of openness, enterprises are under pressure to put stringent access controls in place to protect critical, sensitive data - ranging from finance and credit card information to patient health records.

Companies are faced with a growing number of security vulnerabilities that are compounded by an explosive growth in malware and breaches.

Crucial component

Against this background, the network access control (NAC) approach to security has become essential for today's networks. NAC applies to methods of secure access for remote users.

Network operators can use NAC solutions to define policies, including the types of computers or roles of users permitted to access defined areas of the network, and enforce them in switches, routers and network middleware.

These policies must address the full range of access control challenges and operate from the LAN edge to the data centre. They must ensure that only authenticated users and devices that comply with network and security policies gain access to the network and authorised resources.

NAC solutions should be able to unify network endpoint security technologies - such as anti-virus, host intrusion prevention and vulnerability assessment techniques - and enforce dynamic, continuous pre- and post-admission network access controls to ensure users operate within corporate policies.

It is important that all users be addressed, whether they are on the local LAN or remote, via a tightly integrated set of solutions from the edge to the centre.

The edge may be client-based, clientless (via Web browser), or unmanageable device (via MAC address).

What's more, NAC solutions should work across any vendor's 802.1X based access point or switch (generally at layer 2) and any vendor's firewall/IPSec/IDP appliances.

'Unified' NAC solutions should be able to be integrated into an existing LAN infrastructure without the need for a 'rip and replace' exercise.

They should provide coordinated, end-to-end access control that's applicable to all classes of users and devices, and include the network's switches servers, applications, stored data and the like.

Scalable and easy to use, they should let enterprises monitor and control network and application access based on a variety of parameters, including user and/or device identity, location, and compliance with network and security policies.

Ample choice

Note that there are basic differences among various NAC systems on the market. Some simply use scanning and network inventory techniques to determine access criteria, shunning agent software. Others are more comprehensive.

Increasingly, it is the opinion of industry watchers that a NAC should consist of three key components:

* An NAC software agent
* A policy management server
* Identified enforcement points

It is important that all users be addressed, whether they are on the local LAN or remote, via a tightly integrated set of solutions from the edge to the centre.

Mike Hamilton is CEO of Channel Data.

The NAC software agent, effectively a downloadable software client, is central to the solution because it serves as an 802.1X supplicant and includes the ability to gather host posture information. This means it has the ability to collect user credentials and assesses the network's endpoints security state via 'host checker' functionality that should be integrated into the agent.

An agent-less mode should be available to address circumstances where software downloads aren't practical - such as guest access.

The policy management server is at the heart of the solution and is the engine for NAC policy enforcement as well as the interface to existing enterprise infrastructures.

It should have the ability to push the agent software to endpoint devices (or collect information in agent-less mode), gathering user authentication data and determining endpoint security state and location.

In an ideal application, it will combine this collected information with corporate-defined compliance rules, implement the appropriate access policy for each user/session, and propagate that policy to enforcement points throughout the network.

Enforcement points are other key elements of an optimal NAC solution. They should control access to the network and its resources based on policies created on, and provisioned by, the policy management server. At the network edge, for example, Ethernet switches could be configurable to act as enforcement points.

Within the network core and data centre, all firewalls and intrusion, detection and prevention appliances could act as enforcement points and permit or deny access to a server or WAN router.

One of the hurdles facing many companies is that not all network switches support the range of enforcement actions that NAC makes possible.

The ability to support a rich set of enforcement actions across its switch platforms should be a design goal of the NAC vendor, with all switch ports acting as enforcement points, controlling traffic based on the dynamic policies created and propagated by NAC.

* Mike Hamilton is CEO of Channel Data.

Share