July 2006

Market Watch: Network Quarantine

Vendors offer simpler, cheaper alternatives in the emerging Network Access Control market

Over the past five years, IT departments have seen a steady increase in the use of mobile devices in the form of seemingly ubiquitous wireless access and smaller, more powerful laptops—together with a general business acceptance of these technologies. Businesses want and need to exchange data with outsiders in ways besides sending email or visiting Web sites. Consultants and contractors shift between jobs and may request to connect their laptops to your network. Vendors visiting your company may request to connect to your network and presentation projector. Employees may even bring in their own home equipment and physically connect to the company network. As portable technology becomes more prevalent and remote access proliferates, networks have become more vulnerable, and many companies have discovered that they need to regularly readjust their security policies and the technical controls guarding their networks. An emerging approach to security, Network Access Control (NAC), hopes to tame these steadily increasing requests. NAC offers significant security benefits but can be pricey and complicated. Some vendors in this emerging market are already offering options to help you protect your data in an increasingly mobile world.

NAC goes by different names with different vendors. Cisco calls its solution Network Admission Control, and Microsoft's offering is called Network Access Protection. But all of these names represent technologies that evaluate the security posture of a computer before allowing it to connect to a sensitive network. When you use NAC, all computers that connect to your network physically, wirelessly, or remotely must pass a series of checks before they can communicate with other computers on your network. The checks vary by vendor but usually include requirements such as updated application and OS security patches, current antivirus signatures, operational antivirus software, and functional host-based firewall software. Computers that satisfy the check are permitted access to the corporate network. Those that fail are either sequestered in a quarantine network or completely denied access.

But I Already Have a Three-Letter Defense System
NAC is a fairly recent addition to a field that offers other seemingly similar technologies, such as intrusion detection systems (IDSs) and intrusion prevention systems (IPSs). IDSs alert you when suspicious behavior has occurred. IPSs block suspicious behavior, typically at network choke points or on hosts, as the behavior occurs. NAC attempts to validate a computer's security health before it's even permitted onto the corporate network.

Depending on your network's security requirements, these three technologies can complement each other. For example, you might deploy IDS sensors at perimeters and choke points to look for attacks from external or compromised computers. Then, you might consider using IPS to moderate traffic in front of your sensitive servers. Finally, you might use NAC to ensure that users don't accidentally infect your network by introducing an unmanaged or unsecured computer on your network. Using these three technologies together creates a robust defense.

NAC Can Get Complicated Quickly
NAC solutions' abilities to scan a device vary by vendor, and many solutions require cooperation of network gear, back-end servers, and host computers. This is NAC's greatest challenge: overcoming the complexity of its deployment. Figure 1 shows an example enterprise NAC solution like the one that Cisco offers. As you can see, NAC can affect nearly every piece of technology between your host and server, which means deploying NAC isn't for the faint of heart.

Some vendors recognize these challenges and have already begun to offer NAC solutions that don't require overhauling existing network equipment. Juniper Networks introduced Unified Access Control, which combines installations of real-time agents, a policy server, and Juniper firewalls to provide NAC without 802.1x-compliant switches. Also, both LANDesk Software and Check Point Software Technologies offer NAC solutions that can leverage 802.1x but don't require it. So you still have options, even if you don't have the advanced security of 802.1x-based NAC. (For a short description of the 802.1x security protocol, see the sidebar "802.1x Security Limits Data Access.") You might sacrifice some level of security, but deploying a limited NAC solution might be better than no NAC at all.

Network-Based NAC with 802.1x Support
802.1x-based NAC is the leading, most secure NAC technology to date. However, most network switches older than a few years don't include 802.1x support, which increases the expense of deploying an 802.1x-dependent NAC solution. If you want the latest, most secure NAC technologies, you might be forced to upgrade your network infrastructure. Let's walk through Figure 1 from left to right and identify the 802.1x-based pieces to look for in a NAC solution.

In Figure 1, the wireless laptop connects to an 802.1x-enabled wireless access point, and the desktop computer connects to the LAN through an 802.1x-enabled switch. A firewall or ACL-enabled router, which sits between the clients and the network, permits or denies traffic from authenticated clients to internal parts of the network.

When a client requests access to the 802.1x switch, the switch forwards the request to the access server sitting behind the firewall. The access server determines whether the client has a trust agent, host-based software that scans every client for its health and security posture. The posture-validation server then sends instructions to the client defining what the client needs before it can access the secure network. If the client doesn't have a trust agent installed, the access server denies the client access to the internal network and instructs the 802.1x switch or wireless access point (WAP) to put the client in a quarantine Virtual LAN (VLAN). At this point, the client would have an IP address in the quarantine subnet and could access nonsecure parts of the network based on the firewall ACLs. For example, usually a quarantined client could access an installation point for the trust agent and access the remediation server to install needed security software or updates.

If a trust agent is installed on the requesting client, the access server contacts the posture-validation server and compares the client's health to the corporate policy. If the client is deemed healthy, the posture-validation server tells the access server to permit the client access to the corporate network. If the client isn't healthy, it's relegated to the quarantine subnet, and the access server notifies the user of the problems. Then, the user can access a remediation server to install the necessary patches.
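The admission flow in the two paragraphs above (no agent, agent but unhealthy, agent and healthy) reduces to a policy decision that hands a VLAN and a remediation list back to the switch or access point. The following Python model is an added example written for this article, not code from Cisco, Microsoft, or any NAC vendor; the policy thresholds, VLAN numbers, host names, and sample clients are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# VLAN numbers are constructed for this example.
CORPORATE_VLAN = 10
QUARANTINE_VLAN = 99

# Hosts a quarantined client may still reach (constructed names): the trust-agent
# installation point and the remediation server the article describes.
QUARANTINE_REACHABLE = {"agent-install.example.internal", "remediation.example.internal"}


@dataclass
class Policy:
    """Corporate health policy held by the posture-validation server."""
    min_patch_level: int
    max_signature_age_days: int
    require_av_running: bool = True
    require_firewall: bool = True


@dataclass
class Posture:
    """What the trust agent reports about the client (or that no agent is installed)."""
    has_trust_agent: bool
    patch_level: int = 0
    signature_date: Optional[date] = None
    av_running: bool = False
    firewall_enabled: bool = False


@dataclass
class Decision:
    verdict: str                  # "permit", "quarantine" or "deny"
    vlan: int                     # VLAN the switch or access point is told to assign
    remediation: List[str] = field(default_factory=list)


def validate_posture(posture: Posture, policy: Policy, today: date) -> Decision:
    """Posture-validation step: compare the client's reported health to policy.

    No trust agent    -> deny, park on the quarantine VLAN so the installer is reachable.
    Agent, checks fail -> quarantine, and tell the user what must be fixed.
    All checks pass    -> permit on the corporate VLAN.
    """
    if not posture.has_trust_agent:
        return Decision("deny", QUARANTINE_VLAN, ["install the trust agent"])

    failures = []
    if posture.patch_level < policy.min_patch_level:
        failures.append("apply security patches up to level %d" % policy.min_patch_level)
    if (posture.signature_date is None
            or (today - posture.signature_date).days > policy.max_signature_age_days):
        failures.append("update antivirus signatures")
    if policy.require_av_running and not posture.av_running:
        failures.append("start the antivirus service")
    if policy.require_firewall and not posture.firewall_enabled:
        failures.append("enable the host-based firewall")

    if failures:
        return Decision("quarantine", QUARANTINE_VLAN, failures)
    return Decision("permit", CORPORATE_VLAN)


def firewall_permits(decision: Decision, destination: str) -> bool:
    """Firewall/ACL between the VLANs: quarantined clients reach only remediation hosts."""
    if decision.vlan == CORPORATE_VLAN:
        return True
    return destination in QUARANTINE_REACHABLE


# Constructed sample clients, evaluated as of a fixed date.
TODAY = date(2006, 7, 1)
POLICY = Policy(min_patch_level=5, max_signature_age_days=7)

HEALTHY = Posture(True, patch_level=5, signature_date=TODAY - timedelta(days=1),
                  av_running=True, firewall_enabled=True)
STALE_AV = Posture(True, patch_level=5, signature_date=TODAY - timedelta(days=10),
                   av_running=True, firewall_enabled=True)
NO_AGENT = Posture(False)


def admit(posture: Posture) -> Decision:
    """Access-server entry point: evaluate one client against the corporate policy."""
    return validate_posture(posture, POLICY, TODAY)


if __name__ == "__main__":
    for name, client in (("healthy", HEALTHY), ("stale-av", STALE_AV), ("no-agent", NO_AGENT)):
        d = admit(client)
        print(name, d.verdict, "VLAN", d.vlan, d.remediation)
```

The point to notice is that every outcome except "permit" lands on the same quarantine VLAN; what differs is the remediation list the user sees and the fact that the firewall ACL, not the VLAN assignment, is what limits a quarantined client to the installer and remediation hosts.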

The main benefit of an 802.1x solution is that access is enabled at the switch-port level, which makes the solution difficult to circumvent. Every time you unplug and plug in a new device to any switch port, this security check occurs.

Reader Comments
Really useful and inspiring to get to know more about NAC/NAP.

steina, August 10, 2006
Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.