Enterprises struggle to find a sweet spot -- in cost, complexity and capability -- for user-centric access control.
Smart enterprise IT executives know that who you are and what you're doing mean a whole lot more than which device or network port you're using.
Craig Richard, IT director for NaviMedix, a Cambridge, Mass., company that manages electronic communications among health insurers and physicians, gets it. "You may have a port with access to parts of the network that should be protected. But someone could easily plug a device into that port and have that same level of access, even if they weren't authorized to have it. Access needs to tie directly to the user," he says.
Mobility has forced the issue. In the past, ports and IP addresses were reasonable proxies for identities, says Andreas Antonopoulos, a partner at Nemertes Research and Network World "Security Risk and Reward" columnist. "I [once] had a Solaris workstation that weighed 300 pounds and was connected to the network by an Ethernet coaxial cable as thick as my thumb. My mobility was rather limited, and my IP address literally did not change once in three years. So, there was a very direct association between IP address and user," he says.
That has all changed because the types of devices people use and the ways they connect to the network are so varied. "The IP address of my BlackBerry changes every few hours, and the IP address on my laptop changes depending on if I'm using Wi-Fi, 3G, a LAN, a VPN or whatever," Antonopoulos says. "The IP address has become very transient. You might have a dozen users using the same IP address during the period of one day."
That transience is a nightmare for network security teams, especially when they investigate incidents or demonstrate compliance. In either case, being able to link an IP address in a log to a specific user is highly desirable if not outright necessary.
"If you're lucky, you have a DHCP server that keeps good logs of who got which IP address when," Antonopoulos says. "And if you're really lucky, that DHCP server is properly time-synchronized to an atomic clock or [network time protocol] source so those logs can be correlated. And if you're even luckier, all of your other logs sync to the same source. Then you can say that this IP address accessing this application at this second was issued to this user, on this media access control-addressed machine. It's not easy," he says. (See "SIEM: Finding the proverbial needle,")
Fortunately, security tools are evolving beyond the simple IP address and IP port focus, and increasingly are becoming more user-centric, working their way slowly up the Open Systems Interconnection stack. Network-access control (NAC) is the primary transportation for this move. Depending on the vendor, NAC handles everything from Layer 2 endpoint security to access control, ID management and behavior-based monitoring at Layer 7 - which all rely on a user's identity and role in the organization. Most of the marketing thunder surrounds such big-name tools as Microsoft's Network Access Protection and Cisco's Network Admission Control; many other NAC flavors offer their own slants on solving the problem. (Compare NAC products.)
Enterprise interest is plentiful. In a recent Network World survey, 63% of 483 reader respondents said they consider NAC either an important or extremely important piece of their enterprise security plans. Forty-eight percent of respondents have deployed NAC products, while another 11% expect to do so within the next 12 months. NaviMedix is in the former category.
For user-centric security, it uses Bradford Networks' NAC Director, a policy-based appliance. NAC Director works with a company's LAN switches to manage individuals' identities by associating them not only with IP and media access control addresses, but also the individuals' roles in the company and the applications they are authorized to use.
Because NAC Director focuses on identity, it eliminates the problem of insecure ports. "When everything is tied to a user account and identity, it's far easier to secure," NaviMedix's Richards says. "No valid user account, no access. And that means zero possibility for unauthorized users to get to the protected parts of the network."
In addition, NAC Director integrates with Microsoft's Active Directory service, which NaviMedix uses. This integration lets the firm base application access on Active Directory group membership using virtual LANs. "With the VLANs, only certain individuals and departments can get to certain parts of the network," Richards says. "Together, NAC and Active Directory grant authorized individuals access to their data wherever they are in the company. Their VLANs follow them, so they get what they're supposed to get based on who they are. And they get proper access, no matter where they login or what device they use."
The forklift route
NaviMedix chose Bradford's NAC appliance because it didn't require network changes. Richards could make the out-of-band appliance work with the company's existing Cisco switches, none of which were the latest and greatest.
While clearly not necessary, network overhauls do provide a simpler entry into user-centric security. Such was the case at Ferrum College in Virginia, which recently implemented Juniper Networks' new EX 4200 and EX 3200 LAN switches together with its Unified Access Control flavor of NAC. Ferrum primarily needed the new network for better stability and support for an online-learning management system and upcoming move to VoIP, but user-focused security was a consideration, too. (Compare access switch products.)
"Rather than basing security on machines, we wanted to base it on people," says Christine Stinson, CIO at the college, which has 1,400 students and 300 faculty and staff. "We wanted groups to access certain resources, while locking out others, and we wanted to be able to track all that," she says.
Ferrum uses VLANs to segment the network, keeping guests and students separate from such business functions as admissions and the registrar's office. Managing users and their access levels is relatively easy, Stinson says. "Once you have one VLAN set up, you can copy the settings, modify what you need to modify and basically create a new VLAN," she says. "And it's easy to move users from VLAN to VLAN. Once the groups are defined, we simply say this user is in this group, or this user is in these two groups. That's not a problem at all," she adds.
The NAC implementation ensures that the school balances the needs for open Internet access and strict data security.
"Academic freedom is a very strong part of our history and tradition here," Stinson says. "But we also have pressure from federal and state laws regarding privacy and security. We need to provide students and faculty with access but we have to be very concerned with the safety and protection of student, faculty and employee data. NAC helps us strike that balance."
The downside of NAC
Of course, Ferrum's greenfield, Layer 2-7 deployment - of a single vendor's LAN switches, NAC appliance, policy server and firewalls - is atypical. For most enterprises, such a forklift upgrade is neither financially nor logistically feasible - and that makes full user-centric security hard to do.
"NAC works as advertised only if you have a single-vendor network or applications suite," Nemertes' Antonopoulos says. "Or even better, a single vendor that covers both. The problem is that everybody has Cisco and Microsoft, and until those two figure out how to work together seamlessly from Layer 1 to 7 - plus include other products, like HP and 3Com switches, Nortel VoIP systems, Oracle and SAP applications, and IBM WebSphere - [their NAC approaches] won't be useful, especially for large companies," he says.
Standardization could help, but Cisco and Microsoft are trying to advance standards to their own ends - Microsoft from the application side via the Trusted Computing Group (TCG) it champions, and Cisco from the network side via the IETF's Network Endpoint Assessment group it spearheads. "Enterprises are stuck in the middle, waiting to see what happens," Antonopoulos says.
Companies' directory infrastructure often is a stumbling block, too. Rather than simply tying the NAC implementation to a single Active Directory, as NaviMedix was able to do, many large enterprises are stuck trying to integrate several directories.
"Every single organization above a certain size runs into this problem," Antonopoulos says. "They may have a legacy directory for Unix and one for Windows environments, but then they acquire Bank of Podunk, which uses a different one, so they'll try and integrate that. But before they're done, they've acquired yet another company," he says.
Managing user-centric policies and access-control lists is no picnic, either. "There is an operational complexity that can get in the way," says Joel Snyder, senior partner at Opus One and a Network World security product tester. "Once you say you want to decide what access everyone has, based on who they are, you're committing to management of a security policy across all users, so every single user needs to be pigeonholed. For some companies, that's just too difficult," he says.
Enterprise IT executives also are forewarned not to get caught up in the vendor focus on endpoint security, with its patch- and antivirus-checking. A true user-centric approach means being able to monitor user behavior after network and application access are granted and authorized.
"A guest contractor plugs into the conference room, and the NAC solution says, 'OK, you're using the IDs I gave you and you have the latest software updates. Go ahead and be on my network.' That contractor can then sit back and launch a zero-day attack," says Richard Stiennon, security expert and Network World security blogger. "You need post-admission controls in place - a way to identify when someone is spreading a worm and block that person's access - or you don't have true user-focused security," he says.
For now, post-admission control is a feature of smaller, single-vendor networks. This should change, however, as NAC companies begin adopting and integrating the Interface to Metadata Access Point (IF-MAP) post admission-control standard issued by the TCG in May.
Process, not technology, is key
Even with these roadblocks, large companies can move closer to user focused security by concentrating on processes, especially those having to do with identity life-cycle management, analysts say. They also can look to well-worn strategies, such as integrating disparate directories and implementing stronger user-authentication tools.
"Having strategic initiatives around identity management and directories, then working to integrate directories rapidly as your company changes can be much more effective approaches to identity-centric security than things like NAC," Nemertes' Antonopoulos says.
Security expert Stiennon agrees. "I would argue there isn't such a thing as full-blown NAC, and you probably shouldn't even attempt it," he says. "If you have dollars to spend on full-blown NAC, you should spend them instead on some good physical-token-based access-control system. It will get you to the same place, but cost a lot less."
Cummings, a freelance writer in North Andover, Mass., can be reached at firstname.lastname@example.org.