Skip Links

Access control: The evolving tool set

Enterprises struggle to find the sweet spot -- in cost, complexity and capability -- as they adopt user-centric security

By Joanne Cummings, Network World
October 09, 2008 12:00 AM ET

Network World - Smart enterprise IT executives know that who you are and what you're doing mean a whole lot more than which device or network port you're using.


This story is part of a special Security Trend Watch issue, in PDF format. Download now.
User-centric security begs for process overhaul. Read more.


Craig Richard, IT director for NaviMedix, a Cambridge, Mass., company that manages electronic communications among health insurers and physicians, gets it. "You may have a port with access to parts of the network that should be protected. But someone could easily plug a device into that port and have that same level of access, even if they weren't authorized to have it. Access needs to tie directly to the user," he says.

Mobility has forced the issue. In the past, ports and IP addresses were reasonable proxies for identities, says Andreas Antonopoulos, a partner at Nemertes Research and Network World "Security Risk and Reward" columnist. "I [once] had a Solaris workstation that weighed 300 pounds and was connected to the network by an Ethernet coaxial cable as thick as my thumb. My mobility was rather limited, and my IP address literally did not change once in three years. So, there was a very direct association between IP address and user," he says.

That has all changed because the types of devices people use and the ways they connect to the network are so varied. "The IP address of my BlackBerry changes every few hours, and the IP address on my laptop changes depending on if I'm using Wi-Fi, 3G, a LAN, a VPN or whatever," Antonopoulos says. "The IP address has become very transient. You might have a dozen users using the same IP address during the period of one day."

That transience is a nightmare for network security teams, especially when they investigate incidents or demonstrate compliance. In either case, being able to link an IP address in a log to a specific user is highly desirable if not outright necessary.

"If you're lucky, you have a DHCP server that keeps good logs of who got which IP address when," Antonopoulos says. "And if you're really lucky, that DHCP server is properly time-synchronized to an atomic clock or [network time protocol] source so those logs can be correlated. And if you're even luckier, all of your other logs sync to the same source. Then you can say that this IP address accessing this application at this second was issued to this user, on this media access control-addressed machine. It's not easy," he says. (See "SIEM: Finding the proverbial needle,")

Getting there

Fortunately, security tools are evolving beyond the simple IP address and IP port focus, and increasingly are becoming more user-centric, working their way slowly up the Open Systems Interconnection stack. Network-access control (NAC) is the primary transportation for this move. Depending on the vendor, NAC handles everything from Layer 2 endpoint security to access control, ID management and behavior-based monitoring at Layer 7 - which all rely on a user's identity and role in the organization. Most of the marketing thunder surrounds such big-name tools as Microsoft's Network Access Protection and Cisco's Network Admission Control; many other NAC flavors offer their own slants on solving the problem. (Compare NAC products.

Enterprise interest is plentiful. In a recent Network World survey, 63% of 483 reader respondents said they consider NAC either an important or extremely important piece of their enterprise security plans. Forty-eight percent of respondents have deployed NAC products, while another 11% expect to do so within the next 12 months. NaviMedix is in the former category.

For user-centric security, it uses Bradford Networks' NAC Director, a policy-based appliance. NAC Director works with a company's LAN switches to manage individuals' identities by associating them not only with IP and media access control addresses, but also the individuals' roles in the company and the applications they are authorized to use.

Because NAC Director focuses on identity, it eliminates the problem of insecure ports. "When everything is tied to a user account and identity, it's far easier to secure," NaviMedix's Richards says. "No valid user account, no access. And that means zero possibility for unauthorized users to get to the protected parts of the network."

In addition, NAC Director integrates with Microsoft's Active Directory service, which NaviMedix uses. This integration lets the firm base application access on Active Directory group membership using virtual LANs. "With the VLANs, only certain individuals and departments can get to certain parts of the network," Richards says. "Together, NAC and Active Directory grant authorized individuals access to their data wherever they are in the company. Their VLANs follow them, so they get what they're supposed to get based on who they are. And they get proper access, no matter where they login or what device they use."

The forklift route

NaviMedix chose Bradford's NAC appliance because it didn't require network changes. Richards could make the out-of-band appliance work with the company's existing Cisco switches, none of which were the latest and greatest.

While clearly not necessary, network overhauls do provide a simpler entry into user-centric security. Such was the case at Ferrum College in Virginia, which recently implemented Juniper Networks' new EX 4200 and EX 3200 LAN switches together with its Unified Access Control flavor of NAC. Ferrum primarily needed the new network for better stability and support for an online-learning management system and upcoming move to VoIP, but user-focused security was a consideration, too. (Compare access switch products.)

"Rather than basing security on machines, we wanted to base it on people," says Christine Stinson, CIO at the college, which has 1,400 students and 300 faculty and staff. "We wanted groups to access certain resources, while locking out others, and we wanted to be able to track all that," she says.

Ferrum uses VLANs to segment the network, keeping guests and students separate from such business functions as admissions and the registrar's office. Managing users and their access levels is relatively easy, Stinson says. "Once you have one VLAN set up, you can copy the settings, modify what you need to modify and basically create a new VLAN," she says. "And it's easy to move users from VLAN to VLAN. Once the groups are defined, we simply say this user is in this group, or this user is in these two groups. That's not a problem at all," she adds.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News