Network World


In search of safe network access

By Rodney Thayer , Network World , 05/02/2005

Access to network resources has become an easy problem to solve. Using LAN connections, wireless access points, remote VPNs and Internet-enabled coffee shops, users can pretty much access a network from almost anywhere. Unfortunately, the bad guys can do the same thing.

The iLabs Full Spectrum Security Initiative investigated two basic questions that apply here: How do you allow users to legitimately gain access to the network? And how do you make sure they continue to practice safe networking once they get there?

Simply stated, policy-based network access is implemented by enhancing the protocol stacks in the clients and in the network infrastructure to control when and where users are allowed to send packets.

Products such as the wireless access points from Extreme Networks and Trapeze Networks, and the switches from HP, Extreme and Foundry Networks, use the 802.1X protocol to regulate wireless and LAN access, and 802.1Q VLAN tagging to control which portions of the network a user can reach.

Another group of products, from Microsoft, Cisco and the Trusted Computing Group, among others, generally consists of a policy enforcement point (PEP) that validates a system before it is allowed on the network. The PEP is either an in-line appliance that controls network access directly, or a combination of 802.1X, RADIUS and policy enforcement client software on the endpoint.

In the iLabs testing, we saw that systems from Check Point and Sygate can check a system for policy compliance before it is granted access to the network. A policy check can be as simple as authenticating the user, or it can inspect the user's system to make sure it hasn't been infected or compromised by malicious software. These products also can be used to set up fine-grained network control, allowing legitimate users access only to specific portions of a network.

Once you can (appropriately) block access, you can start to defend the network from viruses, unpatched systems and policy violations. If a machine is found to have a problem or is noncompliant with the defined policy, the network access technology can be used to remediate it. If a machine simply requires an update, the PEP can use 802.1Q virtual LANs (VLANs) to reconnect the machine to an isolated section of the network where it can be patched. Worm outbreaks and unauthorized peer-to-peer traffic can be controlled through policy enforcement when it's tied to a switch's management capabilities.
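The flow described above, as an added example that is not part of the original article or of any product mentioned in it: a policy enforcement point takes the 802.1X authentication result and a posture report from the endpoint, decides between allow, remediate and deny, and expresses the VLAN assignment as the RADIUS tunnel attributes defined in RFC 3580. The posture report format, the VLAN numbers, the signature-age and patch thresholds, and the list of unauthorized peer-to-peer clients are assumptions constructed for this example.

```python
"""Policy-enforcement-point (PEP) decision logic for 802.1X/RADIUS network
access control. The posture report format and the policy thresholds are
assumptions for this example, not a real product's or standard's format.
The RADIUS attributes used to assign a VLAN are those defined in RFC 3580
(Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID).
"""
from dataclasses import dataclass, field

# VLAN ids are constructed values for this example.
PRODUCTION_VLAN = "100"
REMEDIATION_VLAN = "999"

# Policy thresholds (assumed for the example).
MAX_AV_SIGNATURE_AGE_DAYS = 7
FORBIDDEN_PROCESSES = {"bittorrent", "kazaa", "limewire"}  # unauthorized P2P clients


@dataclass
class Posture:
    """Posture report a policy enforcement client would send (assumed format)."""
    authenticated: bool
    av_running: bool
    av_signature_age_days: int
    missing_critical_patches: int
    running_processes: list = field(default_factory=list)


@dataclass
class Decision:
    action: str            # "allow", "remediate" or "deny"
    reasons: list          # why the endpoint was not simply allowed
    radius_attributes: dict


def vlan_attributes(vlan_id: str) -> dict:
    """Build the RFC 3580 attributes that tell an 802.1X switch or access
    point which VLAN to place the port in once the EAP exchange succeeds."""
    return {
        "Tunnel-Type": 13,             # VLAN
        "Tunnel-Medium-Type": 6,       # IEEE-802
        "Tunnel-Private-Group-ID": vlan_id,
    }


def evaluate(posture: Posture) -> Decision:
    """Return the PEP decision for one endpoint.

    A failed authentication is a hard deny (RADIUS Access-Reject, no VLAN).
    Posture failures that an update can fix send the machine to the
    remediation VLAN; an active policy violation (an unauthorized
    peer-to-peer client) is quarantined the same way so its traffic never
    reaches the production network.
    """
    if not posture.authenticated:
        return Decision("deny", ["authentication failed"], {})

    reasons = []
    if not posture.av_running:
        reasons.append("antivirus not running")
    elif posture.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        reasons.append(f"antivirus signatures {posture.av_signature_age_days} days old")
    if posture.missing_critical_patches > 0:
        reasons.append(f"{posture.missing_critical_patches} critical patch(es) missing")
    p2p = sorted(FORBIDDEN_PROCESSES & {p.lower() for p in posture.running_processes})
    if p2p:
        reasons.append("unauthorized peer-to-peer client(s): " + ", ".join(p2p))

    if reasons:
        return Decision("remediate", reasons, vlan_attributes(REMEDIATION_VLAN))
    return Decision("allow", [], vlan_attributes(PRODUCTION_VLAN))


if __name__ == "__main__":
    # Constructed sample endpoints.
    samples = {
        "compliant laptop": Posture(True, True, 1, 0, ["outlook.exe"]),
        "unpatched laptop": Posture(True, True, 2, 3, ["outlook.exe"]),
        "p2p user": Posture(True, True, 1, 0, ["Kazaa"]),
        "bad credentials": Posture(False, True, 1, 0, []),
    }
    for name, p in samples.items():
        d = evaluate(p)
        vlan = d.radius_attributes.get("Tunnel-Private-Group-ID", "-")
        print(f"{name:18s} -> {d.action:9s} VLAN {vlan:4s} {d.reasons}")
```

The point of separating `evaluate` from `vlan_attributes` is that the policy decision and the enforcement mechanism are different layers: the same decision could be enforced by an in-line appliance with an access list instead of by a VLAN assignment returned in a RADIUS Access-Accept.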
