Burning NAC questions - Part 1

Answers to hot issues facing customers interested in NAC

NAC still has a way to go before it becomes a standard component of network security in most companies, but signs of growth are there, with vendors predicted to sell $629 million in NAC enforcement appliances by 2010, according to Infonetics. In the meantime, for those who are undecided whether to jump into the NAC frenzy here are the answers to some important NAC issues.

Part 1 of 2.

See part two: Shouldn’t I just wait for Cisco? Should I deploy NAC in-band or out-of-band? What is the best method of enforcing NAC policies?


Who needs NAC anyway?

Will NAC help meet regulatory compliance?

Shouldn’t I just wait for Microsoft?


Who needs NAC anyway?

The short answer is anybody who wants to check whether a machine meets a configuration health check before it is allowed on the network and anybody who wants the ability to restrict access rights if the machine violates policies after it is admitted.

Passing the health test doesn’t mean the machine is free of infections that can cause harm to the network, but it helps reduce the chances that the machine will cause trouble.

So far colleges and health facilities have embraced this aspect of NAC more so than other businesses because they both have large populations of users with mobile devices that attach, disconnect and reattach to networks. NAC helps give some assurance that these devices have maintained a sound security posture while disconnected.

The primary thing NAC does is decide which hosts are allowed to attach to networks and stay there. The criteria for making these decisions can vary widely, from having a media access control (MAC) address that is on a white list to passing a health check that looks at a range of parameters. These can include such factors as up-to-date antivirus software, a patched operating system, required registry settings and a properly configured personal firewall, to name a few.

The criteria can also include whether a device remains in a healthy state and whether it behaves properly once it is admitted to the network.

The hope is this admission control will prevent machines that might have been compromised from contaminating networks with malware and from pilfering data. Mobile devices and devices brought onto networks by visitors and consultants are examples of potentially threatening machines.

NAC can also rerun the health checks periodically while devices remain attached to networks to make sure they don’t fall out of compliance. Some NAC gear checks whether hosts on the network misbehave by trying to access resources for which they are unauthorized. Devices found to be in violation can be restricted.

Organizations that find any of these capabilities useful may not strictly need NAC, but they can benefit from it. Colleges say NAC reduces the time it takes to get student machines into initial compliance at the start of semesters, and helps keep them compliant as they jump on and off the network.

For instance, cleaning up student PCs was literally the only work the IT staff at Northwest Mississippi Community College could get done for the first two weeks of every school year -- until this past fall when the college installed NAC gear that automates the process. Now, with that time freed up for six full-time IT staffers plus student staff, Mirage Networks NAC equipment has just about paid for itself in one semester, says Chuck Adams, the network administrator at the school’s Senatobia, Miss., main campus.

“We wanted to get out of the touching-student-PCs business,” Adams says. “We're not 100% there, but we're almost there now.”

Before jumping into NAC, potential customers need to define clearly what restrictions are desirable and what constitutes a healthy host, says Mark Rein, director of IT at Mercy Medical Center in Baltimore. “You have to identify what you’re trying to protect, identify different [network] segments you might need to set up,” Rein says. That translates into policies set up for the NAC gear to enforce. “The policy gets to what you need to know and what you don’t need to see,” he says.

Who needs NAC?

Network access control gets knocked for not being more than it is, but it's useful in its current form.

Businesses with visitors and consultants who need network access.

With no control over where users' roaming devices have been, businesses need to check their protections so they can shield their networks if necessary.

Organizations that need to restrict access to critical data.

NAC can grant access to specific resources in a variety of ways, effectively blocking unauthorized users from nosing around company information they shouldn't.

Networks at risk of being overwhelmed by unauthorized applications.

Some NAC products monitor and block traffic that networks may ban, such as peer-to-peer file sharing or instant messaging.

Customers who need to keep corporate machines in a healthy posture.

Many NAC products have or can integrate with other products that remedy the configuration shortcomings they discover.

In practice, businesses are not yet very aggressive deploying NAC, says Andreas Antonopoulos, senior vice president of Nemertes Research and a Network World columnist.

Being able to connect to a VPN is the only role for NAC with most remote hosts, he says, and virtually no businesses use access control on LAN ports, according to his poll of IT executives earlier this year. He says only about 14% of respondents apply endpoint checks for application and operating system patches; the presence of firewalls, antivirus or antispyware; USB-attached devices; and password strength.

But, he says, nearly 60% wish they could at the very least check for firewalls, antivirus and antispyware tools. About 40% would also like password and operating system checks. Less than a third want to check whether applications are updated, he says.

Will NAC help meet regulatory compliance?

It can, but don’t be confused: NAC alone won’t help you meet governmental or business regulations.

However, NAC can be a component of a broader plan to meet regulations by chipping in knowledge about who uses what network resources when, something regulators want to know if they’re tracking whether a business properly protected data. “Auditing capabilities in your NAC solution may allow you to find out what files users accessed, so if need be you can demonstrate someone was looking at information not pertinent to his or her job,” says Zeus Kerravala, an analyst with the Yankee Group.

He notes, though, that being able to say who accessed data doesn’t mean the data was protected from unauthorized eyes. Other technologies have to handle that, he says. But NAC can reduce the number of people who can reach critical resources. “NAC can restrict who can access sensitive financial or customer records,” he says, but NAC won't prevent that kind of data from leaving the organization’s network.

NAC also serves a useful function in the regulatory landscape by linking a user to a machine and an access method for purposes of authentication. That combination of information can help fine-tune individuals’ access to data. For example, a user authenticating from a LAN-linked, company-managed machine might get a broad set of access rights. That same user authenticating from a company-issued laptop over a VPN connection might get a more restricted set of rights. And if the user accesses the network via an unmanaged computer over the Internet, access might be ratcheted down even further.
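The admission criteria described earlier (an allowlisted MAC address, current antivirus, a patched OS, required registry settings, a personal firewall, periodic re-checks and misbehaviour after admission) and the tiering of access by user, machine and access method described in this paragraph, worked through as a small Python policy engine. This is an added example, not code from the article or from any NAC vendor; the thresholds, registry key, tier names and MAC values are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample data: MACs of company-managed machines (placeholders).
MANAGED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
REQUIRED_REGISTRY = {"AutoUpdate": "1"}   # hypothetical required setting
MAX_SIG_AGE_DAYS = 7                      # hypothetical freshness threshold

@dataclass
class Endpoint:
    mac: str
    access: str               # "lan", "vpn" or "internet"
    av_sig_age_days: int      # age of the installed antivirus signatures
    os_patched: bool
    firewall_on: bool
    registry: Dict[str, str] = field(default_factory=dict)
    violations: int = 0       # unauthorized-resource attempts since admission

def health_failures(ep: Endpoint) -> List[str]:
    """Return every failed health check; an empty list means healthy."""
    failures = []
    if ep.av_sig_age_days > MAX_SIG_AGE_DAYS:
        failures.append("antivirus signatures stale")
    if not ep.os_patched:
        failures.append("operating system unpatched")
    if not ep.firewall_on:
        failures.append("personal firewall disabled")
    for key, want in REQUIRED_REGISTRY.items():
        if ep.registry.get(key) != want:
            failures.append(f"registry {key} != {want}")
    return failures

def decide(ep: Endpoint) -> Tuple[str, List[str]]:
    """Map an endpoint to an access tier plus the reasons for that tier.
    Unhealthy or misbehaving hosts are restricted first; healthy hosts are
    tiered by whether the machine is managed and how it reaches the network.
    Anything else fails closed."""
    failures = health_failures(ep)
    if failures:
        return "remediation", failures
    if ep.violations > 0:
        return "restricted", [f"{ep.violations} unauthorized access attempt(s)"]
    managed = ep.mac.lower() in MANAGED_MACS
    if managed and ep.access == "lan":
        return "full", ["managed machine on LAN"]
    if managed and ep.access == "vpn":
        return "restricted", ["managed machine over VPN"]
    if ep.access in ("lan", "vpn", "internet"):
        return "minimal", ["unmanaged machine or Internet access"]
    return "deny", [f"unknown access method {ep.access!r}"]
```

Re-running decide() on an already admitted endpoint models the periodic re-check: a host admitted at "full" drops to "remediation" as soon as its signatures age past the threshold, and to "restricted" once it starts probing resources it is not authorized for.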

Chris Labatt-Simon, of D&D Consulting near Albany, N.Y., says NAC was useful in dealing with regulations for one of his clients, an energy company he could not name for confidentiality reasons. The downside was that NAC was brought in after the company had already been whacked by a bad case of Zotob worm in 2005 that knocked down the network for two days. The cause: an infected machine connected to the network by a consultant. The outage resulted in more than $1 million in regulatory fines and time off for staff who couldn’t get any work done without the network, he says.

Deciding to use NAC to protect the network from mobile devices that come and go on the network was simple, he says. It was much harder to then go back and decide how to round out the NAC deployment so it offers a layer of protection that doesn’t necessarily correlate to compliance with a regulation. It would have been better to map out the strategy before deploying, he says. “The biggest hurdle we had was a very limited period of time to decide. As a result, one year later, we’re still figuring out how to complete” the NAC project, Labatt-Simon said earlier this year.

Shouldn’t I just wait for Microsoft?

Probably not.

Businesses that have well-defined needs for NAC today are still looking at months of waiting before Microsoft will be ready. Microsoft’s Network Access Protection (NAP) policy server will be delivered on Windows Server 2008, scheduled to be released sometime next year.

Even then, customers will have to figure out how to integrate the NAP endpoint-checking component of Microsoft’s desktop clients and Windows Server 2008 with an enforcement infrastructure. Microsoft’s NAP scheme allows for enforcement via VPN gateways, 802.1X-enabled switches and DHCP assignment, each of which will require its own configuration.

Given the expected time it takes for any new release of software to stabilize, it makes sense for potential customers to spend significant time thoroughly testing NAP in their environments before deploying it.

Microsoft has been making efforts to keep its NAC initiative relevant by cooperating with Cisco in its CNAC architecture and with Trusted Computing Group (TCG) in its push to create open standards that any NAC vendor can follow. Earlier this year Microsoft published the protocol its NAP agent uses to transmit data about the status of endpoints from the endpoints to the NAC policy server that makes decisions about whether and how much access devices get.

Releasing the protocol means that other NAC vendors can use Microsoft’s system health agent -- a standard part of Microsoft Vista clients -- in conjunction with their own policy servers, as long as they comply with the protocol.

Juniper publicly demonstrated this compatibility at Interop earlier this year, but did not make that compatibility part of the most recent software release for gear in its NAC architecture, which it calls Unified Access Control (UAC). So even close Microsoft NAP allies are not rushing to get onboard.

“NAP in my mind is so far down the pike that I don’t think of it every day,” says Andrew Braunberg, an analyst for Current Analysis. He conducts a survey every year about demand for NAC, and this year’s results show that most customers don’t think about NAP every day either. “People aren’t interested in waiting for NAP,” he says.

His finding is that NAP is being hurt by Microsoft’s delays releasing the components necessary to deploy it. The percentage of respondents willing to wait for Microsoft to ship NAP has dropped since last year’s NAC Enterprise Demand Survey, and few respondents plan to deploy it when it is released early next year, Braunberg says.
