This column is available in a weekly newsletter called IT Best Practices.
A few years ago, industry pundits were declaring NAC dead—done in by complexity and rigidity. Today, however, BYOD and mobile computing in general are breathing new life into NAC. With a range of people and devices coming and going on the average enterprise network, NAC is (still) the best way to control who and what is on your network.
According to the 2014 Cyberthreat Defense Report for North America and Europe, 77% of survey respondents intend to use NAC as part of their mobile security strategy. Along with Next Generation Firewalls, NAC solutions are perceived as having the greatest potential to defend against today's cyberthreats. Survey respondents say they most commonly use NAC to identify vulnerabilities and security misconfigurations on endpoint devices in between full-network vulnerability scans.
In his 2010 article NAC: What Went Wrong? Joel Snyder wrote, "Network access control, which we're defining as a combination of authentication, end-point security checking and access control, emerged in response to the problem of mobile end users plugging infected laptops back into the enterprise network. NAC was intended to solve real problems and answer real questions: who is connecting to my network? Are they healthy? Can I control where they go? Can I shut them off if they misbehave?"
Those same questions are just as important today, if not more important, than they were in 2010. Since then, BYOD has exploded, and various government and industry regulations have tightened the penalties for not being able to answer the question "who is on the network?" But there are a few questions Snyder didn't ask four years ago that are critical today: What about the cloud? How can we control who accesses our cloud-based data and applications?
In short, companies need control over who and what is accessing their complete computing environment, no matter where the computing resources reside. That control is hard to come by, but the security company Portnox is out to change that.
With a NAC product generally available since 2008, Portnox is well entrenched in its home country of Israel (the company claims to have an 80% market share in Israel). Portnox is relatively new to the U.S. market but it does have more than 450 customers worldwide. What's more, the company says that more than 70% of its customers deploy the Portnox NAC solution across all of their sites, meaning all the way out to each and every branch location. Portnox says 80% of its customers have reached the "fully enforced" model of deployment, where the organizations have strong policy that is also automated and offers remediation, and they do this across all of the network layers (i.e., wired, wireless, virtual, VPN and cloud).
Portnox claims to be different from other NAC solutions because it requires no appliances, no agents on devices, and no infrastructure changes. The company says its solution will work with all existing network infrastructure and equipment, regardless of how old or heterogeneous it is. In addition to working with wired and wireless networks, Portnox says it treats virtual networks, VPNs and cloud as first-class citizens of your network as well, since they are within the IT department's scope of responsibility. The lightweight solution is said to scale to reach all corners of your computing environment.
Portnox is a software solution that sits on a physical or virtual Windows server. The hardware footprint needed to run the Portnox solution is significantly less than what other NAC solutions typically require. A single server is capable of handling up to 10,000 connected devices or monitoring 20,000 ports.
Portnox gains insight into the network by communicating natively with the switches, wireless controllers, firewalls, routers and VPN concentrators to get an inventory of what is on the network. There are no IP scans, no port mirroring or SPAN ports delivering copies of traffic, and no packet capture. Portnox uses straightforward SNMP reads plus traps sent from the Ethernet switches, the wireless devices and the routers back to the Portnox system. For devices that cannot be reached that way, Portnox uses telnet, SSH and other technologies to bring them into the fold (telnet sends credentials in the clear, so SSH should be preferred wherever the device supports it). The result is a live read of every device currently connected with an active link somewhere on the network.
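To make the SNMP-driven inventory described above concrete, here is an added example (my own code, not Portnox's) that correlates three BRIDGE-MIB/IF-MIB walks from an access switch with the upstream router's IP-MIB ARP table to produce a MAC → switch port → IP table, which is the raw material for the MAC-then-IP resolution discussed next. The walk text is constructed to resemble net-snmp `snmpwalk` output; every MAC, IP address and interface name in it is made up.

```powershell
# Added example: build a MAC -> port -> IP inventory from SNMP table walks.
# All walk text below is CONSTRUCTED to look like net-snmp output; it was not captured from a real device.

# BRIDGE-MIB forwarding table: index is the MAC as six decimal octets, value is the bridge port number
$FdbWalk = @'
BRIDGE-MIB::dot1dTpFdbPort.0.28.66.1.2.3 = INTEGER: 12
BRIDGE-MIB::dot1dTpFdbPort.0.80.86.170.187.204 = INTEGER: 7
BRIDGE-MIB::dot1dTpFdbPort.172.222.72.0.17.34 = INTEGER: 24
'@

# Bridge port -> ifIndex, and ifIndex -> human-readable interface name
$BasePortWalk = @'
BRIDGE-MIB::dot1dBasePortIfIndex.7 = INTEGER: 10007
BRIDGE-MIB::dot1dBasePortIfIndex.12 = INTEGER: 10012
BRIDGE-MIB::dot1dBasePortIfIndex.24 = INTEGER: 10024
'@

$IfNameWalk = @'
IF-MIB::ifName.10007 = STRING: Gi1/0/7
IF-MIB::ifName.10012 = STRING: Gi1/0/12
IF-MIB::ifName.10024 = STRING: Gi1/0/24
'@

# ARP table from the upstream router: index is <ifIndex>.<ip>; net-snmp prints the MAC without zero padding
$ArpWalk = @'
IP-MIB::ipNetToMediaPhysAddress.3.10.1.2.33 = STRING: 0:1c:42:1:2:3
IP-MIB::ipNetToMediaPhysAddress.3.10.1.2.80 = STRING: 0:50:56:aa:bb:cc
'@

function ConvertFrom-OidMac {
    # Six dotted decimal octets (BRIDGE-MIB index form) -> canonical "aa:bb:cc:dd:ee:ff"
    param([string]$DottedOctets)
    $octets = $DottedOctets.Split('.') | ForEach-Object { [int]$_ }
    if ($octets.Count -ne 6) { throw "Expected 6 octets, got: $DottedOctets" }
    return ($octets | ForEach-Object { $_.ToString('x2') }) -join ':'
}

function ConvertTo-CanonicalMac {
    # "0:1c:42:1:2:3" (unpadded hex, as net-snmp prints PhysAddress) -> "00:1c:42:01:02:03"
    param([string]$Mac)
    $parts = $Mac.Trim().Split(':')
    if ($parts.Count -ne 6) { throw "Unexpected MAC format: $Mac" }
    return ($parts | ForEach-Object { [Convert]::ToInt32($_, 16).ToString('x2') }) -join ':'
}

function Get-SwitchInventory {
    param([string]$FdbWalk, [string]$BasePortWalk, [string]$IfNameWalk, [string]$ArpWalk)

    $basePortToIfIndex = @{}
    foreach ($line in $BasePortWalk -split "`n") {
        if ($line -match 'dot1dBasePortIfIndex\.(\d+) = INTEGER: (\d+)') {
            $basePortToIfIndex[[int]$Matches[1]] = [int]$Matches[2]
        }
    }
    $ifIndexToName = @{}
    foreach ($line in $IfNameWalk -split "`n") {
        if ($line -match 'ifName\.(\d+) = STRING: (\S+)') {
            $ifIndexToName[[int]$Matches[1]] = $Matches[2]
        }
    }
    $macToIp = @{}
    foreach ($line in $ArpWalk -split "`n") {
        if ($line -match 'ipNetToMediaPhysAddress\.\d+\.(\d+\.\d+\.\d+\.\d+) = STRING: (\S+)') {
            $macToIp[(ConvertTo-CanonicalMac $Matches[2])] = $Matches[1]
        }
    }

    # Join: each FDB entry becomes one inventory row; a MAC with no ARP entry has not (yet) been seen at layer 3
    $inventory = @()
    foreach ($line in $FdbWalk -split "`n") {
        if ($line -match 'dot1dTpFdbPort\.((?:\d+\.){5}\d+) = INTEGER: (\d+)') {
            $mac      = ConvertFrom-OidMac $Matches[1]
            $basePort = [int]$Matches[2]
            $ifIndex  = $basePortToIfIndex[$basePort]
            $portName = if ($ifIndex -and $ifIndexToName.ContainsKey($ifIndex)) { $ifIndexToName[$ifIndex] } else { "basePort $basePort" }
            $ip       = if ($macToIp.ContainsKey($mac)) { $macToIp[$mac] } else { $null }
            $inventory += [pscustomobject]@{ Mac = $mac; Port = $portName; IP = $ip }
        }
    }
    return $inventory
}

Get-SwitchInventory -FdbWalk $FdbWalk -BasePortWalk $BasePortWalk -IfNameWalk $IfNameWalk -ArpWalk $ArpWalk | Format-Table -AutoSize
```

Run against the constructed data this yields three rows: two MACs with both a port name and an IP, and `ac:de:48:00:11:22` on Gi1/0/24 with no IP. That third case is the one a NAC policy has to handle deliberately: a link-up device that has not yet sent ARP traffic still counts as "on the network" and should be held in a restricted VLAN until it is identified, rather than being ignored because no IP has been learned.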
By communicating with the networking infrastructure, Portnox resolves the connected device's MAC address and then its IP address. It then uses various methods to verify identity and check device health. It can probe any number of characteristics to match your company's policies. For example, Portnox can ask questions such as: Is the device a member of the domain? Is it in good health? Does the user have local admin rights on the device? Are there any databases or massive storage devices installed on the machine? You can use Windows Management Instrumentation (WMI) to query for virtually anything and factor the answer into your NAC decision.
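The questions listed above map directly onto WMI classes. The following is an added example of an agentless posture check (my code, not Portnox's policy engine) that asks them over CIM/WMI, either locally or, with `-ComputerName`, remotely from an account that holds WMI rights on the endpoint. The domain name `corp.example.com`, the 2 TB "massive storage" threshold, and the allow/quarantine decision logic are illustrative assumptions.

```powershell
# Added example: agentless endpoint posture check over WMI/CIM for a NAC decision.
# Assumptions (not from the article): the required domain, the disk size threshold, and the decision rule.

function Get-EndpointPosture {
    param(
        [string]$ComputerName   = $env:COMPUTERNAME,
        [string]$RequiredDomain = 'corp.example.com',  # assumption: your AD domain
        [int]$LargeDiskGB       = 2000                 # assumption: disks above this count as "massive storage"
    )
    $cimArgs = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem @cimArgs

    # 1. Domain membership: joined, and joined to *our* domain rather than some other one
    $inDomain = $cs.PartOfDomain -and ($cs.Domain -ieq $RequiredDomain)

    # 2. Local admin rights for the interactive user.
    #    The local Administrators group has the well-known SID S-1-5-32-544; Win32_GroupUser lists its members.
    $adminGroup = Get-CimInstance -ClassName Win32_Group -Filter "LocalAccount=TRUE AND SID='S-1-5-32-544'" @cimArgs
    $members = Get-CimInstance -ClassName Win32_GroupUser @cimArgs |
        Where-Object { $_.GroupComponent.Name -eq $adminGroup.Name -and $_.GroupComponent.Domain -eq $adminGroup.Domain } |
        ForEach-Object { "$($_.PartComponent.Domain)\$($_.PartComponent.Name)" }
    $userIsLocalAdmin = ($null -ne $cs.UserName) -and ($members -contains $cs.UserName)

    # 3. Database engines, detected by service name prefixes of common products
    $dbServices = Get-CimInstance -ClassName Win32_Service @cimArgs |
        Where-Object { $_.Name -match '^(MSSQL|SQLAgent|MySQL|MariaDB|postgresql|OracleService|MongoDB)' } |
        Select-Object -ExpandProperty Name

    # 4. Massive or removable storage
    $disks      = Get-CimInstance -ClassName Win32_DiskDrive @cimArgs
    $largeDisks = $disks | Where-Object { $_.Size -gt ($LargeDiskGB * 1GB) } | Select-Object -ExpandProperty Model
    $usbDisks   = $disks | Where-Object { $_.InterfaceType -eq 'USB' }       | Select-Object -ExpandProperty Model

    # 5. "Good health": an antivirus product reporting real-time protection via Security Center
    #    (root\SecurityCenter2 exists on workstation SKUs only, hence SilentlyContinue).
    $avProducts = @(Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct `
                    -ComputerName $ComputerName -ErrorAction SilentlyContinue)
    # Assumption: bit 0x1000 of productState means "enabled" (the widely used, undocumented decoding).
    $avEnabled = @($avProducts | Where-Object { ($_.productState -band 0x1000) -ne 0 }).Count -gt 0

    $findings = @()
    if (-not $inDomain)    { $findings += "not joined to $RequiredDomain" }
    if ($userIsLocalAdmin) { $findings += "user $($cs.UserName) is a local administrator" }
    if ($dbServices)       { $findings += "database services: $($dbServices -join ', ')" }
    if ($largeDisks)       { $findings += "disks over ${LargeDiskGB}GB: $($largeDisks -join ', ')" }
    if ($usbDisks)         { $findings += "USB disks attached: $($usbDisks -join ', ')" }
    if (-not $avEnabled)   { $findings += 'no antivirus reporting real-time protection' }

    # Assumption: any finding sends the device to quarantine; a real policy would weight them.
    $decision = if ($findings.Count -eq 0) { 'allow' } else { 'quarantine' }

    [pscustomobject]@{
        ComputerName = $ComputerName
        User         = $cs.UserName
        Decision     = $decision
        Findings     = $findings
    }
}

Get-EndpointPosture | Format-List
```

Two practical caveats follow from running this agentlessly. Remote CIM/WMI needs DCOM or WinRM reachable through the host firewall and an account with administrative rights on the endpoint, so the NAC server's credentials become a high-value target and should be a dedicated, tightly scoped account. And everything here is self-reported by the operating system; a compromised endpoint can lie about its posture, which is why the WMI answers are an input to the decision and not a substitute for enforcement at the switch port.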
In the BYOD realm, Portnox can work with an existing Mobile Device Management (MDM) solution to check device characteristics and decide whether the device should be granted network access. In the absence of true MDM, Portnox provides light MDM functionality to challenge the device.
As for remote locations, Portnox provides a piece of software called Knoxer that is designed to load in a remote network, phone home to the Portnox server that issued it, and become a remote point of presence and proxy into the Portnox server. Knoxer can communicate with the switches in the branch, determine what is connected to those switches, and interrogate the devices connected to those switches.
Knoxer can quarantine a device and carry the quarantine traffic across its own VPN back to the Portnox server, so that when you are doing remediation all the way down to the branch, you don't need to set up separate infrastructure for it. Knoxer creates its own VLAN for quarantine purposes, which gives you not just visibility into what is happening in the branch but control over it.
Portnox doesn't charge for Knoxer licenses. Instead, the vendor looks at the totality of the infrastructure you want to protect, whether it is all in one place or segmented to hundreds of branches. This makes it cost effective to run the Portnox solution.
I mentioned that Portnox considers the cloud an extension of your enterprise computing environment. This is true for SaaS applications as well as for IaaS/PaaS virtual segments in the cloud. For SaaS applications, Portnox uses federated authentication to identify users and their devices and to ensure they meet corporate policies. For IaaS/PaaS, you can put an instance of Knoxer in the cloud to gain visibility into the virtual environment as you would with a local switch.
In the near term, Portnox plans to offer NAC as a cloud-delivered service, removing the need to have a Portnox server on premises. The company expects this will lower the barrier to entry for NAC. Some of the first applications for this cloud-based service will be guest networking and BYOD.