Having a NAC for network security

Building a great network access-control scheme means first narrowing your requirements, then picking the right gear – all while ignoring the confusing buzz.

Network access control stands out as one of the most promising security technologies, but it also is one of the most misunderstood.

Defining NAC

The first step in cutting through the hype is to define NAC. According to Forrester Research, "NAC is a mix of hardware and software technology that dynamically controls client system access to networks based on their compliance with policy."

Available products that fall into this category include those that make up Cisco's Network Admission Control architecture and Juniper's unified access-control environment. Single devices fitting the bill include products from ConSentry Networks, StillSecure and Vernier Networks. Other NAC vendors, such as Lockdown Networks and Mirage Networks, work in conjunction with partners.

Buzz Box

NAC and you

Before you decide whether network-access control products are right for your enterprise…

- How much risk is posed to my network by endpoints that can become infected prior to connecting to the network?
- Which of the three major NAC schemes (Cisco, TNC or NAP) would most easily integrate into my existing security environment, and can I afford to wait for standards and interoperability testing for my chosen scheme?
- How important is NAC compared with other security initiatives I am working on?
- How much network disruption can I afford when implementing NAC?

- Where does your product fit into the broad NAC architecture? Does it authenticate, scan endpoints, check policy compliance, enforce policy, create policies or manage policies as the status of individual machines changes?
- What is your road map for how your NAC products will evolve over time?
- How much network infrastructure would need to be upgraded or replaced to support your NAC equipment?
- Do you support mobile access?
- Can you demonstrate an ROI for your products?

The Trusted Computing Group (TCG), an industry group writing NAC standards to promote multivendor interoperability, also has a NAC scheme. The Trusted Network Connect (TNC) specifies product interfaces that vendors can use to fit their gear into the TNC architecture. The TCG defines NAC as "an open, nonproprietary specification that enables the application and enforcement of security requirements for endpoints connecting to the corporate network."

So, a vendor might build its products to TNC's NAC standards but rely on other products to flesh out an operable NAC deployment.

That's the high level. In practice, NAC is a process for scanning computers and other devices before they get on the network to determine whether they possess a security posture in line with corporate policy. Is their virus-scanning software up-to-date? Is their operating system patched? Do they have a personal firewall in use?

That process requires an engine capable of matching scan results to policies to see whether the device is qualified to gain access. And it entails devices that can enforce the policy engine's decision: to block access, to restrict access to certain resources or to allow access only to an isolated network segment where security functions can be brought up-to-date.
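To make the scan-to-decision step concrete, here is a small policy engine added for this article (it is not any vendor's product) that takes the posture attributes the article lists, matches them against a policy, and returns one of the enforcement decisions described above. The field names, thresholds and decision labels are constructed for the example.

```python
"""Toy NAC policy engine: match an endpoint's posture scan against a policy
and hand the enforcement point a decision. Constructed illustration; the
posture fields, thresholds and decision labels are not from any product."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# The decisions the enforcement point can carry out.
BLOCK = "block"            # no access at all
RESTRICT = "restrict"      # access to certain resources only
QUARANTINE = "quarantine"  # isolated segment where the endpoint can remediate
ALLOW = "allow"            # full access

@dataclass
class Posture:
    """What the scan or endpoint agent reports about one device (constructed)."""
    av_signature_date: Optional[date]   # None when no antivirus is present
    os_patch_level: int                 # site-defined patch baseline number
    firewall_enabled: bool

@dataclass
class Policy:
    max_signature_age_days: int
    min_os_patch_level: int
    require_firewall: bool

def evaluate(posture: Optional[Posture], policy: Policy,
             today: date) -> Tuple[str, List[str]]:
    """Return (decision, failed checks). A device that could not be scanned
    is blocked: the engine cannot vouch for a posture it never saw."""
    if posture is None:
        return BLOCK, ["no posture data"]
    failures: List[str] = []
    if posture.av_signature_date is None:
        failures.append("no antivirus")
    elif (today - posture.av_signature_date).days > policy.max_signature_age_days:
        failures.append("antivirus signatures stale")
    if posture.os_patch_level < policy.min_os_patch_level:
        failures.append("operating system unpatched")
    if policy.require_firewall and not posture.firewall_enabled:
        failures.append("personal firewall off")
    if not failures:
        return ALLOW, failures
    # Missing antivirus or missing OS patches means the device may already be
    # infected: isolate it so it can update. Lesser lapses keep limited access.
    if "no antivirus" in failures or "operating system unpatched" in failures:
        return QUARANTINE, failures
    return RESTRICT, failures

if __name__ == "__main__":
    policy = Policy(max_signature_age_days=7, min_os_patch_level=10, require_firewall=True)
    today = date(2006, 6, 1)
    laptop = Posture(today - timedelta(days=30), os_patch_level=12, firewall_enabled=True)
    print(evaluate(laptop, policy, today))  # ('restrict', ['antivirus signatures stale'])
```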

Understanding the NAC universe

That is the core of NAC. Some companies call themselves NAC vendors, but what they really mean is that their products fit into a broader NAC environment.

For example, CA says it has joined Cisco's NAC plan, which it has, by virtue of its eTrust antivirus and antispyware software being able to deliver status information to Cisco's Trust Agent. The agent gathers data from the CA software and other software on desktops and laptops to develop a profile of the computers trying to access the network.

Similarly, IBM's Tivoli Security Compliance Manager is compatible with Cisco's NAC because it scans machines coming onto the network. By itself it can't enforce whether the device gains access. It still needs infrastructure from Cisco or some other vendor to enforce policy.

eTrust and Security Compliance Manager software fit into NAC architectures but can't create NAC environments on their own. Cisco, Microsoft and TCG list scores of partners whose gear fits in their NAC schemes and can claim to be NAC vendors. Customers must find out what a vendor means by "NAC support."

Another major complicating factor is that Microsoft has its own NAC architecture called Network Access Protection (NAP). Because it involves Microsoft and its pervasive server and desktop software, NAP is a major factor in the NAC universe. The problem is that key components aren't available, making interoperability impossible to test beyond limited beta versions of Microsoft's NAP platforms.

On the upside, 75 vendors have pledged to make their gear interoperable with Microsoft NAP components when they become available. This includes Cisco, with which Microsoft is developing NAP and Cisco NAC interoperability. Cisco, which is pushing the IETF for NAC standards but does not participate in TCG, has about 30 partners shipping Cisco NAC-compatible gear and another 27 developing such products.

Figuring out NAC requirements

Regardless of vendor choices, enterprises must know what network challenges they are trying to solve before they embrace NAC, says Joel Snyder, senior partner at Opus One and a member of the Network World Lab Alliance. Surprisingly, many businesses are leaping into NAC without first defining the business need that will warrant the investment, he says.

Jon Schroth, Colorado State

One early NAC adopter with specific goals is Colorado State University College of Business in Fort Collins. It wanted to control visitor and student access to network resources but keep the infrastructure as open as possible, says Jon Schroth, director of technology at the school. He also didn't want to rip out hardware or be responsible for installing software on user devices, he says.

Schroth chose Vernier's EdgeWall appliance, which authenticates users, scans their machines and imposes policies based on data drawn from the school's Active Directory servers. "We are a Microsoft shop, and we like to be able to leverage that when we can," he says.

Because EdgeWall sits between access and core switches to enforce policies, it works with the school's mix of HP ProCurve and 3Com switches without altering network topology.

Other NAC schemes, such as Cisco's and TNC, use 802.1X port authentication on switches to enforce policies, and Schroth says he eventually may adopt one of those architectures. For now EdgeWall works and probably will be sufficient until the school's next switch upgrade in two years. "Maybe then we'll look at [a broader NAC architecture] if it's integrated in the switch," he says.

Another early NAC adopter says it was critical to protect a recent $250,000 investment in new Extreme Networks switches when he added NAC. "I can't afford to rip out a quarter of a million in switches just to meet the needs of one project," says Robert Lemm, IT supervisor for KAMO Power, a power company serving Kansas, Arkansas, Missouri and Oklahoma and based in Vinita, Okla.

When looking for NAC gear to protect KAMO Power's network better from harmful traffic coming from energy co-op affiliates, Lemm says he considered but rejected Cisco NAC gear because it required Cisco switches. Even if he already had them, it would have cost extra to implement NAC on them, he says. "If we had had Cisco switches out there, we would have had to buy a license for each switch," he says.

Short of that, Cisco could have put CiscoSecure Access Control Server (ACS) NAC devices inline with KAMO Power's Extreme switches to enforce access policies, but that would have made each ACS device a single point of failure. "That's not very smart from a network reliability point of view," he says.

Lemm also ruled out Extreme's access-control system based on its Sentriant devices. At the time he looked at it last year, it screened at Layer 3 but not all the way to Layer 7, which is what he was looking for, he says.

He chose Juniper's Infranet Controller policy engine in conjunction with Microsoft Internet Authentication Service authentication server to determine what kind of access end devices should get. Extreme switches and Juniper Integrated Security Gateway devices combining firewall, VPN and intrusion detection serve as enforcement points.

The deployment prevented a lot of switch replacement, but it's not ideal, he says. Juniper needs an enterprisewide management system for all the pieces of its NAC system to save administrative time. Now he uses Web interfaces to directly manage individual machines or the NetScreen Security Manager to manage the Infranet Controller.

Early users

Some early users, such as Great Canadian Casinos, have bought into a single vendor's scheme. The Richmond, British Columbia, company chose Nortel with its Secure Network Access Switch, says Gary Ward, IT director for Great Canadian.

The company wanted to lock down access in public spaces, such as lobbies and conference rooms, where guests might log on, Ward says. The Nortel gear scans the devices trying to log on and enforces access policy via Nortel switches in the network. The endpoint check calls for the device to boot up its browser, which is a drawback, Ward says, but Nortel says it is working on a browserless version.

Important to Ward is that the Nortel architecture support other vendors' enforcement points, not just certain Nortel switches. Because Great Canadian is growing through acquisition, it is likely to buy a business entity whose network is built with another vendor's switches, Ward says, explaining that he would not want that diversity to stall universal NAC deployment. In its favor, Nortel has interoperability with other vendors' gear in compliance with TCG specifications, the company says.

Getting to NAC's bottom line

The bottom line on NAC is that while it may be a young and not yet fully defined technology, it can deliver value in the right circumstances. The key is to apply NAC only to address specific needs, says Rob Whiteley, an analyst with Forrester Research.

Look at NAC with an eye to how it is evolving, Whiteley says, so future security and network acquisitions fit into the still-developing, broader NAC architectures. "You want to make sure you don't deploy islands of security," he says.


Copyright © 2006 IDG Communications, Inc.
