NAC secures U.N. agency

The United Nations Population Fund (UNFPA) is using network access control at 11 regional offices around the world to keep potentially dangerous non-compliant machines from compromising the agency's core network in New York City.

"I had a few incidents, not many but a few, where people would come in from the field with machines that came back on the network that were heavily infected with viruses," says Douglas Concepcion, network infrastructure security specialist at the agency. "I needed a way to lock down each machine."

That was when the agency had one office in New York and staffers flew around the globe on business. Now with regional offices opening around the world and a mandate to give employees access to Web applications as if they are on the New York LAN, he needs a way to reduce the risk of infection coming in via remote access.

He also wants to identify visitor laptops on the headquarters' network and restrict what they can access, but his major concern is that machines making VPN connections to the agency server farm in New York might harbor viruses, Trojans and other malware that could propagate.

"I needed to do something that would apply policies from the user level down to the machine level and lock out [non-compliant] machines," he says.

That led him to consider NAC from four vendors that he chose based on their reputation, financial stability and, in one case, because it was also the agency's switch vendor. The vendors were Bradford Networks, Enterasys, ForeScout and Mirage Networks.

Enterasys is the agency's switch vendor, but deploying its NAC gear required three different pieces of equipment, and that created a concern about eating up too much space and power in his data center. So he never tested the equipment. (That was in 2006. Now Enterasys has a single-box NAC product.)

He eliminated Bradford because he could not get it to work with the switches over a four-month period. Mirage gear worked well, he says - too well. "The problem was it was too powerful, it needed too much administration overhead. You constantly had to be sitting on it," Concepcion says.

He chose ForeScout for its versatility. "I liked that it worked in line and out-of-band," he says. "The out-of-band I really liked because I didn't have to touch anything else in the infrastructure. You can shoot basically a firewall policy down to every user."

With a ForeScout device in each regional office, the NAC system will screen endpoints as they log in to make sure they have their Symantec antivirus software updated and that they have critical Microsoft Windows XP patches. NAC doesn't eliminate infections, Concepcion says, but it reduces the chances that the machines are compromised.

"It doesn't mean you are always 100%," he says. "Just the ability to function means you're already opening up holes to your network, but at least you're extending the same security model that you use at headquarters to the regional offices, so you are much more secure."

Layered on top of firewalls and intrusion-detection/prevention system gear from Stonesoft, he thinks NAC will adequately protect the network.