Wedded bliss: NAC and identity management

Network access control is one of those technology categories that has a lot of promise but not a lot of users, despite the fact that solutions have been available for years. There are many challenges to deploying a NAC solution, including cost, getting the security policy right and fitting into an existing, heterogeneous infrastructure. A couple of veteran Cisco engineers set out to address those challenges and came up with a standards-based solution that combines NAC with identity management.

Network access control is one of those technology categories that has a lot of promise but not a lot of users, despite the fact that solutions have been available for years. Deploying an enterprise NAC solution comes with significant challenges. For example, creating policies that provide just the right level of security without being overly aggressive isn't easy. It is also difficult to find a solution that fits into a multi-vendor infrastructure, on both the network and the client side.

In 2006, a couple of veteran engineers from Cisco started a company to address those very issues that seemed to be holding customers back from deploying NAC. This was the birth of Avenda Systems and its multifunction platform for network access security. A design goal from the outset was to make sure Avenda's solution would work in any environment, regardless of network infrastructure, endpoint devices and identity stores.

Avenda's eTIPS appliance sits at the crossroads of traditional NAC and the identity management space. Traditional NAC typically focuses on remediating endpoint health problems before allowing a device to connect to the network. Identity management instead uses identity-based policies (who the user is and which group or role they belong to) to determine access permissions. Avenda marries the identity information with the physical device information to provide a very granular set of access conditions.

Differentiated access based on role can be granted to employees, partners, contract or temporary workers, and guests to limit and control where on the network each group has access. Employees can be granted full network access privileges based on their job or group, while guests may only be granted access to the Internet. Access privileges can also be granted based on the type and health of the endpoint, location, time of day and more. For example, an employee at a desktop may have access to more sensitive data than when connected to the network via a smartphone over VPN from a public network. Or in a hospital, a medical cart that gets plugged into the network can be given access only when it's on a specific floor or wing. To limit virus and malware exposure, endpoint integrity (health) checks can be required to verify that the mandated antivirus, antispyware and firewall applications are installed and running.

You can use a full (persistent) agent or a dissolvable agent on the endpoint devices to check the health of each device. The agent reports back to the policy engine, which determines whether the access requirements have been met. Once the check is complete, the dissolvable agent simply removes itself from the device. Because the agent runs on the endpoint being checked, its report is only as trustworthy as that endpoint; the health check is a hygiene control, not proof that the device is uncompromised.

Avenda uses the concept of policy building blocks to speed up policy creation. The elements of a policy are defined individually; for example, authentication methods, authentication sources, internal posture, external posture and so on. Once you build a policy building block and populate it with the information you need for a particular service (such as your wired network), you can reuse the building block when you add additional services (such as a wireless network or VPN access). Preconfigured templates give you a starting point for your policies.

Once you create your policy, you can test it to be sure it's correct before deployment, which helps prevent over-aggressive policies. Avenda has a policy simulation engine that lets you test how the policy will perform. Once things seem to be working, you can put the appliance on the network in monitor mode: it evaluates the actual policies but stops short of enforcement, while producing detailed reports that show the effects the policies would have had, so you can make changes as necessary. Once everything is "clean," you switch the appliance into enforcement mode and put it to work.
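The following Python model is added here to make those mechanics concrete; it is not Avenda's code or its policy syntax, and the roles, block names, services and VLAN labels in it are assumptions for the example. It composes the role, device, health, location and time-of-day conditions from the paragraphs above into reusable building blocks, attaches one rule set to both a wired and a wireless service, and runs the engine either in monitor mode (decisions recorded in an audit log but not applied) or in enforce mode (the decision becomes the grant handed to the enforcement point).

```python
# Toy NAC policy engine: an added illustration, not Avenda's eTIPS code or
# its policy language. It models the ideas described above: access
# conditions built from role, endpoint type, endpoint health, location and
# time of day; reusable policy building blocks shared by several services;
# and a monitor mode that evaluates policy but stops short of enforcement.
# Every name, role and VLAN label below is an assumption made for the example.
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Endpoint:
    user: str
    role: str             # "employee", "contractor", "guest", ...
    device: str           # "desktop", "smartphone", "medical_cart", ...
    location: str         # tag of the switch port or AP the device is on
    hour: int             # local hour of day, 0-23
    antivirus: bool = False
    firewall: bool = False


# Building blocks: named predicates defined once and reused by any service.
Block = Callable[[Endpoint], bool]


def role(*roles: str) -> Block:
    return lambda e: e.role in roles


def device(*kinds: str) -> Block:
    return lambda e: e.device in kinds


def healthy(e: Endpoint) -> bool:
    """Full posture check: required antivirus and host firewall both present."""
    return e.antivirus and e.firewall


def prescreen(e: Endpoint) -> bool:
    """Limited pre-posture check for guests: only a host firewall is required."""
    return e.firewall


def business_hours(e: Endpoint) -> bool:
    return 8 <= e.hour < 18


def on_clinical_floor(e: Endpoint) -> bool:
    return e.location.startswith("ward-")


@dataclass
class Rule:
    name: str
    conditions: list      # blocks that must all hold
    grant: str            # access level handed to the enforcement point


@dataclass
class Service:
    name: str             # "wired", "wireless", "vpn", ...
    rules: list           # evaluated top to bottom, first match wins
    default: str = "deny"


def decide(service: Service, e: Endpoint) -> tuple:
    """Return (rule name, grant) for the first rule whose conditions all hold."""
    for r in service.rules:
        if all(cond(e) for cond in r.conditions):
            return r.name, r.grant
    return "default", service.default


class PolicyEngine:
    """mode="monitor" records what policy would do but leaves the endpoint's
    current access untouched; mode="enforce" returns the policy decision."""

    def __init__(self, services: dict, mode: str = "monitor"):
        self.services, self.mode, self.audit = services, mode, []

    def authorize(self, service: str, e: Endpoint, current: str = "legacy") -> str:
        rule, grant = decide(self.services[service], e)
        self.audit.append((service, e.user, rule, grant))   # report for review
        return grant if self.mode == "enforce" else current


# One rule set composed from the shared blocks, attached to two services.
# Order matters: the more specific rules sit above the catch-alls.
CORE_RULES = [
    Rule("guest-internet", [role("guest"), prescreen], "vlan-guest"),
    Rule("cart-on-ward", [device("medical_cart"), on_clinical_floor], "vlan-clinical"),
    Rule("cart-off-ward", [device("medical_cart")], "deny"),
    Rule("staff-mobile", [role("employee"), device("smartphone"), healthy], "vlan-restricted"),
    Rule("staff-full", [role("employee"), healthy, business_hours], "vlan-corp"),
    Rule("staff-after-hours", [role("employee"), healthy], "vlan-restricted"),
    Rule("staff-remediate", [role("employee")], "vlan-remediation"),
]
SERVICES = {
    "wired": Service("wired", CORE_RULES),
    "wireless": Service("wireless", CORE_RULES + [
        Rule("partner-wifi", [role("contractor"), healthy], "vlan-partner")]),
}

if __name__ == "__main__":
    # Constructed sample endpoints, run through the wireless service in monitor mode.
    engine = PolicyEngine(SERVICES, mode="monitor")
    for ep in (Endpoint("visitor", "guest", "laptop", "lobby", 10, firewall=True),
               Endpoint("cart-7", "device", "medical_cart", "ward-3", 2),
               Endpoint("alice", "employee", "smartphone", "hq", 10, True, True)):
        engine.authorize("wireless", ep)
    for entry in engine.audit:
        print(entry)
```

Run as a script, the block prints the audit log that monitor mode produces (service, user, matched rule, would-be grant) while every endpoint keeps its existing "legacy" access; switching `mode` to `"enforce"` makes the same decisions authoritative. The first-match ordering is what makes the rule set safe to reuse across services: the catch-all employee rule at the bottom only fires when no more specific condition (mobile device, after hours) applied.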

One of the main selling points of the Avenda solution is that it works with virtually any type of endpoint device (e.g., Windows, Mac, Linux, smartphone), a wide variety of network devices, and multiple authentication protocols and identity stores. It is this openness that convinced the East Grand Rapids Public School district to deploy an Avenda access control solution.

Jeff Crawford is the manager of networking and security for the school district. His district has about 1,100 computers on its network, along with upwards of 200 guest machines at any time -- and that number is growing every year. The endpoint devices are a mix of Windows, Linux and Macintosh computers.

Before deploying the Avenda access control solution, the school district required guest users to fill out a form to request network access. An IT technician would then evaluate the machine and decide whether it should be allowed onto the network. This manual process was time-consuming and inconvenient. However, Crawford felt it was important to allow guests to connect to the school district's network.

"I'm a big believer that every school district should have a network access control system in place," Crawford says. "It's unsustainable for a district to try to provide a machine for every student. Therefore, you need to allow students, parents, speakers and other community members to bring in their own equipment and utilize some of the network services. At the same time, taxpayers pay for this network, so we must be able to secure a user when they come to a school."

Crawford wanted a policy-based identity solution that would let the district deploy a standards-based 802.1X NAC solution. Many of the products he looked at would have created a de facto vendor lock-in situation. "We looked at several solutions on the market. If we deployed 'Solution A' from a particular vendor, we'd have to go with all 'Solution A' components because they didn't rely on known standards," Crawford says. "Avenda Systems lets us keep whatever we already have in place. They work with anybody and everybody and aren't locking me into a certain switch or a certain wireless controller. This allows me to buy whatever makes sense for our school district."

Crawford says the solution allows guests to plug into the network quickly. The policy engine enforces a limited pre-posture check before admitting guests to a segmented area of the network that gives them access to Web-based services but not to the school district's production network.

"Before we deployed the 802.1X technology, we had weak security," Crawford says. "Now we have better security as well as higher participation in the use of our network." Crawford also likes the direction Avenda is taking with its wizard-based user interface, on which he provided input. "This UI will make NAC available for the masses," he predicts.

Learn more about this topic

Why is NAC so confusing?

NAC software eases access rights management

Cisco, Avenda enable multivendor network access policy management

Copyright © 2009 IDG Communications, Inc.