Enterasys NAC sales triple

Q & A session with Enterasys security expert Dennis Boas on why the Enterasys NAC solution has been so successful lately.

Last month, Network World reported that Cisco lost market share across the board. Meanwhile, earlier this week, network security vendor Enterasys issued a press release revealing that its NAC sales revenue grew 317% in 2009 compared with the same quarter in 2008. This growth rate contradicts many security industry analysts and pundits, who say that NAC will never get off the ground with enterprise users because it’s complicated, expensive and requires too much up-front investment. Naturally, I felt it was an opportune time to get a "feel" for why the Enterasys NAC solution is doing so well. Interestingly, Enterasys security expert Dennis Boas believes that end users can and do invest in NAC – if the product is the right fit. So in the Q & A session below, Boas shares his insight on the most prevalent threats to the enterprise network, customer-proven best practices of network access control (NAC), enterprise concerns about the financial and management aspects of NAC, and why the Enterasys NAC solution is in such high demand. Boas also led an educational session at the Gartner Security Summit this week.

1. As alarmingly described in the video below, a Black Hat attack on Cisco's network admission control (NAC) compromised the Cisco agent installed on the end system. So Dennis, what do you have to say about this video and the Cisco NAC design flaws that the folks at Black Hat so alarmingly described?

Dennis Boas: Security mechanisms are used to validate the integrity and authenticity of the Enterasys agent for all server/agent communications. Additionally, with Enterasys NAC, the end system agent can be downloaded dynamically from the assessment server – and only after the end system is successfully authenticated. Another option with Enterasys NAC is agent-less assessment based on a network scan, which eliminates agent compromise-type attacks. Also note that Enterasys uses multiple criteria beyond end system health assessment to assign and limit access granted to an end system, including device type, authentication method, authenticated role, location of the end system (switch, port, SSID), and time of day. Customers who have concerns about these types of attacks have strong, secure, and flexible options with Enterasys NAC.

2. Well, with all the security solutions from anti-virus to next-generation firewalls available – why in the bejesus would an enterprise need a NAC solution in the first place? Pardon my skepticism, but I love to hold vendors' feet to the fire.

Dennis Boas: Firewalls and AV are nice and they are part of the solution, but they aren’t a complete solution. Firewalls and DMZs only protect you from external threats. Your AV and your firewalls don’t give you the visibility you need to control your network and be secure. AV and firewalls won’t tell you what and who is connecting to your network, where they are connecting from, and whether their status meets your security policy requirements. NAC fills in these gaps.

3. Why should I worry about people connecting to the network from inside my firewall?

Dennis Boas: The real battle today is at the network access layer. The threat here is from systems connected behind your firewall. Keep in mind that threats from network users don’t always have to be malicious. Users often introduce threats unintentionally, such as an infected jump drive, media card or laptop. Current statistics back this up. Ponemon Institute reported that more than 88% of all cases in their data breach research this year involved insider negligence. Just think about the number and kinds of non-employees – guests, contractors – that connect to an enterprise network every day. Enterprises must address the dual challenge of enabling their guests and contractors to be productive with the network access they need to do their jobs, and at the same time protect the network from threats users can unintentionally introduce.

The diagram below represents the Enterasys Secure Networks capabilities and their relationship to the Enterasys NAC solution.

4. What can enterprises do with all this overwhelming information about who is connecting inside the firewall?

Dennis Boas: You need this information to grant an appropriate level of network access. You want to grant a level of network access based on the type of system connecting. For example, access for an IP phone is different from an employee desktop. You also have to consider the health of that user’s system, each employee’s role in the organization -- what resources he needs access to; the employee’s location – where he’s connecting from (secure, unsecure, wireless), the time – working hours or is it at midnight? For example, even if a person authenticates as the CEO, but is trying to access the network from a wireless connection from the parking lot, do we really want to give him access to the card holder data environment?

According to Enterasys, assessments, or health checks, can be separated into two methods:

Agent-less:
Network Based - a network scanner scans the end system remotely (over the network).
Applet Based - a Java applet is used to launch assessment functions on the end system (web browser based).

Agent-based:
Thin Agent - a temporary agent (can be loaded and unloaded on the end system using various vendor-specific techniques).
Fat Agent - a persistent suite of assessment software with firewall and host intrusion detection established on the end system.

During an assessment, end systems are checked for compliance and/or vulnerabilities. This also includes testing the end system's embedded firewall and other applications for vulnerabilities.

5. I've read about enterprises damaging their corporate image with bad press that discloses they've lost customer information. So given the existence of such bad press, how does NAC work as a security tool -- for example, how does it prevent a user, authenticated as the CEO, from accessing over wireless from the parking lot?

Dennis Boas: A major retailer recently had a well publicized data breach caused by a hacker accessing the network over wireless from the parking lot. A properly deployed NAC would have prevented this by executing the access policy that says users coming in over wireless from the parking lot do not get access to sensitive data. By the way, the PCI standard says users coming in over wireless should not be allowed to access the card holder data environment.

According to Enterasys, policy-based networking and NAC enable a dynamic firewall capability right at the switch port in the network. Policies define what is allowed and not allowed on the network, what priority a device, user, or application can have on the network, and how much bandwidth each is allowed to use. With policies you have the capability of distinguishing between different systems and services, and there is no need for separation with VLANs. In addition to authorization, traffic can be classified by many characteristics and treated individually. Typical policy examples:

DHCP at the user port is not allowed.
Applications like Skype or P2P can be limited.
SIP traffic is labeled with the correct quality of service information.
Single flows can be pushed to other VLANs without the client noticing.
Legacy protocols like IPX or unusual traffic are detected directly at the switch port.
HTTP access to a quarantine/remediation server is always allowed, and any further access only after successful assessment.
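The decision logic sketched above and in the earlier answers (device type, authentication method, authenticated role, location, time of day, health, and then per-flow rules at the port) can be written down as a small policy engine. The code below is an added example, not Enterasys product code; the role names, VLAN IDs, the card holder data environment (CDE) prefix, the remediation server address, the business hours and the sample end systems are all assumptions made for the example. It covers the interview's own scenario, a user authenticated as the CEO connecting over wireless from the parking lot, and the quarantine rule that only HTTP to the remediation server is allowed until assessment succeeds.

```python
# Added example, not Enterasys code: a pre-connect role decision plus a
# post-connect per-flow classifier. Role names, VLAN IDs, CDE_NET,
# REMEDIATION_SERVER, WORK_HOURS and the sample end system are assumptions.
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

CDE_NET = ip_network("10.50.0.0/16")           # assumed card holder data environment
REMEDIATION_SERVER = ip_address("10.1.1.10")   # assumed quarantine/remediation server
WORK_HOURS = (time(7, 0), time(19, 0))         # assumed business hours
P2P_APPS = {"skype", "bittorrent", "edonkey"}  # labels an application classifier would emit


@dataclass
class EndSystem:
    user: str
    role: str              # authenticated role: "ceo", "employee", "guest", "device"
    auth_method: str       # "802.1x", "mac", "web"
    device_type: str       # "workstation", "ip-phone", "printer", "unknown"
    location: str          # "switch:a1/port:3" or "ssid:corp-wifi"
    health: Optional[str]  # None = not yet assessed, "compliant", "non-compliant"
    now: time


@dataclass
class Decision:
    access_role: str
    vlan: int
    cde_allowed: bool
    reasons: List[str] = field(default_factory=list)


def decide_role(es: EndSystem) -> Decision:
    """Pre-connect decision: the role (and VLAN) the end system is placed in."""
    # Devices are placed by type before any user-level rule is considered.
    if es.device_type == "ip-phone":
        return Decision("voice", 200, False, ["device type ip-phone"])
    if es.device_type == "printer" and es.auth_method == "mac":
        return Decision("printer", 210, False, ["MAC-authenticated printer"])
    # Health gate: nothing beyond remediation until a successful assessment.
    if es.health is None:
        return Decision("assessment", 900, False, ["not yet assessed"])
    if es.health != "compliant":
        return Decision("quarantine", 901, False, ["failed assessment"])
    if es.role == "guest":
        return Decision("guest", 300, False, ["guest role: Internet only"])
    reasons, cde = [], es.role in ("ceo", "employee")
    if es.location.startswith("ssid:"):   # wireless never reaches the CDE,
        cde = False                        # whoever the user authenticated as
        reasons.append("wireless: no CDE access regardless of user")
    if not WORK_HOURS[0] <= es.now <= WORK_HOURS[1]:
        cde = False
        reasons.append("outside business hours: no CDE access")
    if es.auth_method != "802.1x":
        cde = False
        reasons.append("not 802.1X-authenticated: no CDE access")
    if cde:
        return Decision("employee-cde", 100, True, reasons)
    return Decision("employee", 110, False, reasons)


@dataclass
class Flow:
    proto: str      # "tcp", "udp", or something unusual such as "ipx"
    src_port: int
    dst_port: int
    dst_ip: str
    app: str = ""   # application label, e.g. "skype", "sip"


def classify_flow(d: Decision, f: Flow) -> Tuple[str, str]:
    """Post-connect, per-flow decision at the switch port: (action, reason)."""
    if f.proto not in ("tcp", "udp"):
        return "deny", f"legacy/unusual protocol {f.proto} detected at port"
    if f.proto == "udp" and f.src_port == 67:   # a DHCP *server* answering from a user port
        return "deny", "DHCP server traffic sourced from a user port"
    dst = ip_address(f.dst_ip)
    if d.access_role in ("assessment", "quarantine"):
        if f.proto == "tcp" and dst == REMEDIATION_SERVER and f.dst_port in (80, 443):
            return "permit", "HTTP to remediation server is always allowed"
        return "deny", f"{d.access_role}: further access only after successful assessment"
    if dst in CDE_NET and not d.cde_allowed:
        return "deny", "card holder data environment not permitted for this role"
    if f.app in P2P_APPS:
        return "rate-limit", "Skype/P2P limited"
    if f.app == "sip":
        return "permit-qos", "SIP marked with voice QoS"
    return "permit", "allowed by role"


if __name__ == "__main__":
    # The interview's scenario: authenticated as the CEO, compliant, but on
    # wireless from the parking lot during business hours (constructed input).
    ceo_wireless = EndSystem("ceo", "ceo", "802.1x", "workstation",
                             "ssid:corp-wifi", "compliant", time(10, 0))
    d = decide_role(ceo_wireless)
    print(d.access_role, d.reasons)
    print(classify_flow(d, Flow("tcp", 50000, 443, "10.50.3.4")))  # CDE host: deny
```

Two design points are worth noting. The health gate sits before every user-level rule, so a compliant CEO and a non-compliant CEO land in different roles no matter what else is true; and the location test removes CDE access even though the wireless user authenticated with 802.1X and holds the strongest role, which is exactly the PCI point made in the next answer. Phones and printers are placed by device type ahead of the health gate because they cannot run an agent, which is also why agent-less assessment exists.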

6. What are the best practices for protecting a network against insider threats?

Dennis Boas: A secure network means that only the right users have access to the right information, from the right place at the right time. Best practices include several critical components: authentication and authorization; endpoint security assessment, or baselining; enforcement; continuous monitoring and management. First, you must detect connecting end systems. It’s important to keep in mind that this may be a user on a laptop or mobile device or any other connected device such as an IP phone or printer. Then, for each connecting device there is a continuous process: the user and device are authenticated, the health of the device is assessed, the user/end-system is granted access, denied access or quarantined based on the system’s health and the enterprise’s policies, and the user/end-system is monitored for continuing compliance with the security policy. The policy enforcement mechanism is embedded in the network or in an in-line appliance.

According to Enterasys, its NAC includes a combination of in-band and out-of-band NAC technology integrated into a single cohesive solution. This flexible solution allows NAC traffic enforcement to take place directly at the access edge for intelligent infrastructure devices, and near the access edge at the distribution/aggregation layer for areas of the network with less capable or unmanaged switches.

7. O.K. the process sounds kind of logical, but the average enterprise network comes with a lot of moving parts, usually from different vendors, and you've got to admit most administrators aren't about to take on any additional risk with their network's availability. So given this stark reality, how in the heck is an enterprise going to overcome the barriers to a purchase and implementation of a NAC?

Dennis Boas: With NAC, or any other deployment, there are a number of critical network infrastructure components that must seamlessly integrate and work together. Enterprises with successful NAC deployments deal with the challenges in two ways: first, select a complete NAC solution that is open and based on networking standards such as 802.1X, RFC 3580 and RFC 3576; second, deploy in phases. An open NAC solution that is based on widely used networking standards will work in any network regardless of the technology or vendor. The best NAC product offers a complete solution but with functionality that can be efficiently deployed in phases to mitigate risk.
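The two RFCs named in that answer are what let a NAC gateway control third-party switches: RFC 3580 defines how a RADIUS Access-Accept tells an 802.1X-capable switch which VLAN to put the authenticated port in (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID), and RFC 3576 defines Disconnect-Request and CoA-Request messages that let the gateway tear down or change a session when an end system's status changes, forcing re-authentication. The following is an added example, not Enterasys code, that builds both messages and performs the check a switch must make on a Disconnect-Request before acting on it. The shared secret, packet identifiers, MAC address, user name and VLAN number are assumptions; the Message-Authenticator attribute is omitted.

```python
# Added example, not Enterasys code: RFC 3580 VLAN assignment attributes on an
# Access-Accept, and an RFC 3576 Disconnect-Request with the authenticator
# check a NAS performs. Secret, identifiers, MAC, user and VLAN are assumptions.
import hashlib
import hmac
import struct
from typing import List, Tuple

ACCESS_ACCEPT, DISCONNECT_REQUEST = 2, 40
USER_NAME, CALLING_STATION_ID = 1, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator


def attr(t: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([t, len(value) + 2]) + value


def tagged_int(t: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: a 1-byte tag followed by a 3-byte value."""
    return attr(t, bytes([tag]) + value.to_bytes(3, "big"))


def vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """The attribute set RFC 3580 uses for VLAN assignment on Access-Accept."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE802)
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def _packet(code: int, ident: int, authenticator: bytes, attributes: bytes) -> bytes:
    return HEADER.pack(code, ident, HEADER.size + len(attributes), authenticator) + attributes


def access_accept(ident: int, request_auth: bytes, attributes: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, HEADER.size + len(attributes))
    resp_auth = hashlib.md5(head + request_auth + attributes + secret).digest()
    return _packet(ACCESS_ACCEPT, ident, resp_auth, attributes)


def disconnect_request(ident: int, attributes: bytes, secret: bytes) -> bytes:
    """RFC 3576 Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    head = struct.pack("!BBH", DISCONNECT_REQUEST, ident, HEADER.size + len(attributes))
    req_auth = hashlib.md5(head + bytes(16) + attributes + secret).digest()
    return _packet(DISCONNECT_REQUEST, ident, req_auth, attributes)


def verify_disconnect_request(packet: bytes, secret: bytes) -> bool:
    """What a switch must do before dropping a session: recompute the Request
    Authenticator under the shared secret. This is the only thing stopping any
    host that can reach the switch's UDP port from disconnecting other users."""
    if len(packet) < HEADER.size:
        return False
    code, _ident, length, auth = HEADER.unpack_from(packet)
    if code != DISCONNECT_REQUEST or not HEADER.size <= length <= len(packet):
        return False
    packet = packet[:length]  # octets beyond Length are padding and are ignored
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER.size:] + secret).digest()
    return hmac.compare_digest(expected, auth)


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list after the header, rejecting lengths that run past the packet."""
    out, body, i = [], packet[HEADER.size:], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        out.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return out


if __name__ == "__main__":
    secret = b"assumed-shared-secret"  # constructed; never reuse one secret across NASes
    accept = access_accept(3, bytes(range(16)), vlan_attributes(100), secret)
    print("Access-Accept placing the port in VLAN 100:", accept.hex())
    dm = disconnect_request(7, attr(USER_NAME, b"ceo")
                            + attr(CALLING_STATION_ID, b"00-11-22-33-44-55"), secret)
    print("Disconnect-Request accepted by NAS:", verify_disconnect_request(dm, secret))
    print("Same request under a wrong secret:", verify_disconnect_request(dm, b"wrong"))
```

Two caveats for anyone wiring this up. The authenticator is an MD5 of a shared secret, so the secret's strength and restricting which source addresses the switch accepts Disconnect/CoA traffic from are what keep the mechanism from becoming a denial-of-service lever; RFC 5176, which replaced RFC 3576, additionally provides for an HMAC-MD5 Message-Authenticator attribute, which this example leaves out. And the tag byte on the three tunnel attributes must agree across all three, or a switch may ignore the VLAN assignment.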

The following figure illustrates how the Enterasys NAC Gateway and the other Enterasys NAC components provide network access control for a network with third-party switches that support RFC 3580.

8. What kinds of phased approaches to NAC installations have you seen enterprises successfully use?

Dennis Boas: We’ve seen enterprises identify phases of their NAC deployments to address specific business problems. These enterprises successfully gain the increased protection of NAC as well as recognize immediate business value. For example, we see some customers start with simple detection and location and then later add other functionality, such as assessment and automated remediation. We’ll see an initial NAC deployment for detecting when end systems connect and tracking end systems across the network. This level of deployment addresses many auditing and compliance requirements. Other customers want to focus initially on guest access.

According to Enterasys, a well-architected solution should integrate a highly advanced, policy-enabled network infrastructure with advanced security applications and centralized management to deliver all of the required functions for pre- and post-connect secure network access:

Detect - Detection and identification of new devices connecting to the network.
Authenticate - Authentication of users and/or devices.
Assess - Assessment of end systems regarding their compliance and/or vulnerabilities.
Authorize - Authorization to use the network based on the results of the authentication and the assessment.
Monitor - Monitoring users and devices once they are connected to the network.
Contain - Quarantine problem end systems and/or users to prevent them from negatively impacting the overall network environment.
Remediate - Remediation of problems with the end system and/or user.

9. I hear a lot today about guest access control. How does it work? And what about enterprises that have 50 or more guests per day? For example, I’m thinking specifically about training institutions that have hundreds of students per day for class. How labor intensive is it to enroll and manage guest users?
