Network World

Jamey Heary

Internal security weakness: the case for NAC

By jheary on Wed, 08/01/07 - 1:23am.
Today’s blog will set the stage for my future NAC discussions. It attempts to answer (albeit at a high level) the question “Why is deploying NAC vital to protecting your organization?”
With today's security challenges and threats growing more sophisticated, perimeter defense alone is no longer sufficient. Organizations need to have internal security systems that are more comprehensive, pervasive, and tightly integrated than in the past.

Information security is commonly characterized as a weakest link problem: the information you are trying to protect is only as secure as the weakest entry point to that information. Today’s networks provide multiple access points to users in the form of VPN, wireless, dial-in, B2B connections, web portals, and traditional onsite access, to name but a few. Few organizations today are closed entities with well-defined security perimeters. This leads to the concepts of ubiquitous access and perimeter-less networks. Gone are the days when we had a nicely defined network security perimeter made up of a firewall that guarded against unauthorized access from the Internet. The rapid spread and adoption of e-commerce, B2B commerce, outsourcing, wireless, and VPN remote access have all helped to bring about the transformation of how we look at defending our networks and the information they contain. The demand to make network resources and information easily accessible results in exposure to higher security risks. Security architecture is changing from a point-defense perimeter approach to a defense-in-depth integrated network design. Although this architecture change is happening, most networks are currently in the transition or adoption stage.

Today, networks are most secure at their traditional network perimeter, namely the Internet-facing access points. However, the security of the internal networks behind those impressive perimeter fortress walls is sorely lacking. By and large, once users gain access to the internal networks they are given free and unrestricted network access. In addition, a robust trust model usually exists between internal resources like servers, applications, and databases. This is typically done to make it easier to share information between systems and users. The problem is that the trust model does not take into account who or what actually needs to be trusted; it just defaults to trusting everything. Yes, these resources are located internally, but this is the same internal network that has very limited security in place, has seen a dramatic increase in the number of entry points into it, and gives everyone that connects free and unrestricted access. A cause for concern? You bet.

How much more secure would your internal networks be if every single PC on them had the latest operating system security patches, was running an up-to-date anti-virus and anti-spyware client, and was scanned for the top 20 known worms and viruses every time it reconnected? The answer is obvious of course; it would be a lot more secure. If everything is up to date, then the risks you have left are largely from mis-configured hosts, malicious users, and day zero attacks. Day zero attacks are those that are released into the wild before a patch or signature is available to catch them. The time between the public disclosure of a software vulnerability and the release of the exploit that takes advantage of the vulnerability is shrinking rapidly. This is driving the need for organizations to make sure that only up-to-date systems are allowed full internal network access.

Internal network security is the weakest link in most organizations' network security architecture. The reasons given for this are varied, but typically include:

  • It is seemingly too expensive, lacks scalability, and is overly complex.
  • The perceived threat risk to the internal network is lower.
  • Too much internal security could impede business continuity requirements.
  • There is a lack of security expertise on staff.

However, what organizations are starting to discover is that the risk associated with having little or no security controls on their internal networks is becoming unacceptable. The previous reasons given to justify the lack of internal security are not holding up anymore.

Given that security is a weakest link problem, it comes as no surprise that organizations are increasingly finding that most of their security problems originate from internal or remote access sources. Due to the proliferation of mobile, contract, and guest users needing access to the internal networks of organizations, it is increasingly common for a worm/virus outbreak to have been spread by a non-employee, a mobile employee, or a non-corporate PC.

It is startling that you can walk into almost any organization, sit down in an empty cube or office, plug into their Ethernet jack with your PC, and gain complete unrestricted access to their network. (This is especially startling when that organization is a health care institution and people’s lives are at stake.) In too many cases this is true for wireless access as well, either because of a lack of awareness or because some employee set up a rogue AP themselves.

All clients trying to gain access, by whatever means, to the internal network resources must first be authenticated, posture assessed, and authorized as described above. Hardening your internal network in this way will give you ultimate control over who, how, when, where, and what connects to your internal resources.

The problems outlined above are the reasons that Network Admission Control technology exists and is such a hot market right now. Most companies understand that the security issues NAC addresses are real and need to be solved. NAC solutions, like Cisco’s NAC Appliance and others, provide a powerful host security policy inspection, remediation, and enforcement mechanism that is designed to solve these critical security issues. NAC allows organizations to enforce their host security policies on all hosts (managed and unmanaged) as they enter the interior of the network, regardless of their access methods, ownership, device types, application configurations, and remediation models. NAC provides proactive protection at the network access layer. It allows for pervasive and in-depth security defenses throughout an organization's internal infrastructure with multiple points of protection.
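To make the authenticate / posture assess / authorize sequence concrete, here is a small policy engine written for this post as an added example. It is not Cisco NAC Appliance code or any vendor's logic; the host attributes, the policy thresholds, the four access outcomes (full, guest, quarantine, deny) and the sample hosts are all constructed for illustration. It applies the checks from the paragraph above (patch level, anti-virus currency, anti-spyware, and a clean worm scan on reconnect) to every connecting host, managed or not, and maps the result to the network segment the host should be placed in.

```python
"""Toy NAC posture-assessment engine (added example, not vendor code).

Every connecting host goes through the three steps the post describes:
authenticate -> posture assess -> authorize. All host data is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Decision(Enum):
    FULL = "full-access"        # compliant managed host: production VLAN
    GUEST = "guest-access"      # compliant but unmanaged host: Internet-only VLAN (assumption)
    QUARANTINE = "quarantine"   # non-compliant: remediation VLAN, patch/AV servers only
    DENY = "deny"               # failed authentication or failed worm scan


@dataclass(frozen=True)
class HostPosture:
    hostname: str
    authenticated: bool         # outcome of the login step (hypothetical 802.1X or web login)
    managed: bool               # corporate-owned and centrally managed?
    os_patch_level: int         # constructed monotonically increasing patch baseline id
    av_installed: bool
    av_signature_date: date
    antispyware_installed: bool
    worm_scan_clean: bool       # result of the known-worm scan run on reconnect


@dataclass(frozen=True)
class Policy:
    min_patch_level: int
    max_signature_age: timedelta
    require_clean_scan: bool = True


def assess(host: HostPosture, policy: Policy, today: date):
    """Return (Decision, list of failed checks) for one connecting host."""
    # Step 1: authenticate. An unauthenticated host gets no posture check at all.
    if not host.authenticated:
        return Decision.DENY, ["authentication failed"]

    # Step 2: posture assess. Collect every failure so remediation can show all of them.
    failures = []
    if host.os_patch_level < policy.min_patch_level:
        failures.append(f"patch level {host.os_patch_level} < required {policy.min_patch_level}")
    if not host.av_installed:
        failures.append("anti-virus not installed")
    elif today - host.av_signature_date > policy.max_signature_age:
        failures.append(f"anti-virus signatures stale ({(today - host.av_signature_date).days} days)")
    if not host.antispyware_installed:
        failures.append("anti-spyware not installed")
    infected = policy.require_clean_scan and not host.worm_scan_clean
    if infected:
        failures.append("worm/virus scan found an infection")

    # Step 3: authorize. An infected host is isolated outright; other failures go to
    # remediation; a clean host gets full or guest access depending on ownership.
    if infected:
        return Decision.DENY, failures
    if failures:
        return Decision.QUARANTINE, failures
    return (Decision.FULL if host.managed else Decision.GUEST), []


# Constructed policy and inventory; the patch baseline id and dates are illustrative.
POLICY = Policy(min_patch_level=42, max_signature_age=timedelta(days=7))
TODAY = date(2007, 8, 1)
SAMPLE_HOSTS = [
    HostPosture("corp-laptop-01", True, True, 42, True, date(2007, 7, 30), True, True),
    HostPosture("corp-laptop-02", True, True, 38, True, date(2007, 7, 10), False, True),
    HostPosture("contractor-pc", True, False, 42, True, date(2007, 7, 31), True, True),
    HostPosture("infected-box", True, True, 42, True, date(2007, 8, 1), True, False),
    HostPosture("unknown-device", False, False, 0, False, date(2000, 1, 1), False, False),
]


def evaluate_all(hosts=SAMPLE_HOSTS, policy=POLICY, today=TODAY):
    """Run every sample host through the engine; returns {hostname: (Decision, failures)}."""
    return {h.hostname: assess(h, policy, today) for h in hosts}


if __name__ == "__main__":
    for name, (decision, why) in evaluate_all().items():
        print(f"{name:16} -> {decision.value:12} {'; '.join(why)}")
```

The design point worth noticing is that the engine never returns a bare pass/fail: a non-compliant host lands in a remediation segment with the full list of what it failed, which is what makes self-service remediation possible, while an unmanaged but healthy host is still kept off the production VLAN. A real deployment would feed `HostPosture` from an agent or scan and map `Decision` to a VLAN or ACL on the access switch.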

NAC solutions go a long way towards beefing up a corporation’s internal network security. I’ll be delving into the details of NAC’s capabilities and features in future blogs; stay tuned. So, with the most universal weakest link (internal security) strengthened, what becomes the new weakest link in network security?

Good Article. Nicely written

About Cisco Security Expert

Jamey Heary, CCIE No. 7680, is the author of the Cisco NAC Appliance: Enforcing Host Security with Clean Access book by Cisco Press. Jamey is a seasoned security technologist with over 15 years in the IT field with 10 years focused on IT security. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey is currently a Security Consulting Systems Engineer with Cisco, though the opinions expressed here are his own. Jamey is a member of Network World's Cisco Subnet blog community.