The iLabs Full Spectrum Security Initiative investigated two basic questions: How do you allow users to legitimately gain access to the network? And how do you make sure they continue to practice safe networking once they get there?
Access to network resources has become an easy problem to solve. Using LAN connections, wireless access points, remote VPNs and Internet-enabled coffee shops, users can pretty much access a network from almost anywhere. Unfortunately, the bad guys can do the same thing.
Simply stated, policy-based network access is implemented by enhancing the protocol stacks in the clients and in the network infrastructure to control when and where users are allowed to send packets.
Products such as the wireless access points from Extreme Networks and Trapeze Networks, and the switches from HP, Extreme and Foundry Networks, use the 802.1X protocols to regulate wireless and LAN access, and 802.1Q VLAN tagging to control which portions of the network a user can reach.
Another group of products - from Microsoft, Cisco and the Trusted Computing Group, among others - generally consists of a policy enforcement point (PEP) that uses either an in-line appliance controlling network access or a combination of 802.1X, RADIUS and policy-enforcement client software to validate a system before it is allowed on the network.
In the iLabs testing, we saw that systems from Check Point and Sygate can check a system for policy compliance before it can access the network. Policy checks can be as simple as authentication, or can inspect a user's system to make sure it hasn't been infected or compromised by malicious software it has accessed. These products also can be used to set up fine-grained network control, allowing only legitimate users access to specific portions of a network.
Once you can (appropriately) block access, you can start to defend the network from viruses, unpatched systems and policy violations. If a machine is found to have a problem or is noncompliant with the defined policy, use the network access technology to take action to remediate the problem. If a machine simply requires an update, the PEP can use 802.1Q virtual LANs (VLANs) to reconnect the machine to an isolated section of the network where it can be patched. Worm outbreaks and unauthorized peer-to-peer traffic can be controlled through policy enforcement when it's tied to a switch's management capabilities.
802.1X is used to control access at the link layer, using encryption, RADIUS authentication and VLAN switching. New supplicant and authenticator software in the clients, the wireless access points and the Ethernet switches supports this, along with supporting infrastructure components within the network.
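To make the mechanism concrete, here is an added example (not code from the iLabs tests or from any of the vendors named above) of the decision a policy enforcement point makes once 802.1X and RADIUS have authenticated a client: the posture report is reduced to a RADIUS reply that either rejects the client or accepts it and tells the switch or access point which VLAN to put the port in. The VLAN-assignment attributes are the standard ones from RFC 3580; the posture fields, VLAN numbers and patch threshold are constructed for illustration.

```python
"""
Toy policy decision for an 802.1X/RADIUS policy enforcement point.
Added example; the Posture fields, VLAN plan and thresholds are constructed.
"""
from dataclasses import dataclass

# RFC 3580 values used to assign a VLAN in a RADIUS Access-Accept:
# Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6

# Constructed VLAN plan: production segment and an isolated remediation
# segment that reaches only the patch/update servers.
PRODUCTION_VLAN = "100"
QUARANTINE_VLAN = "999"

# Constructed policy threshold: the patch bundle every client must carry.
REQUIRED_PATCH_LEVEL = 7


@dataclass
class Posture:
    """What the policy-enforcement client reports about the endpoint."""
    user: str
    authenticated: bool            # EAP/RADIUS credential check succeeded
    av_running: bool               # anti-virus agent active and current
    patch_level: int               # highest patch bundle installed
    known_infected: bool = False   # agent found active malware


def vlan_attrs(vlan_id: str) -> dict:
    """RADIUS attributes that move the authenticated port onto vlan_id."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
        "Tunnel-Private-Group-ID": vlan_id,
    }


def decide(p: Posture) -> dict:
    """Map a posture report to a RADIUS-style reply: code, attributes, reason."""
    if not p.authenticated:
        # Unknown user: no link-layer access at all.
        return {"code": "Access-Reject", "attrs": {}, "reason": "authentication failed"}
    if p.known_infected:
        # Compromised host: keep it off every VLAN until it is cleaned.
        return {"code": "Access-Reject", "attrs": {}, "reason": "infected host"}
    if not p.av_running or p.patch_level < REQUIRED_PATCH_LEVEL:
        # Noncompliant but not hostile: park it where it can only be patched.
        return {"code": "Access-Accept", "attrs": vlan_attrs(QUARANTINE_VLAN),
                "reason": "needs remediation"}
    # Authenticated and compliant: normal production access.
    return {"code": "Access-Accept", "attrs": vlan_attrs(PRODUCTION_VLAN),
            "reason": "compliant"}


if __name__ == "__main__":
    samples = [
        Posture("alice", authenticated=True, av_running=True, patch_level=7),
        Posture("bob", authenticated=True, av_running=True, patch_level=5),
        Posture("carol", authenticated=True, av_running=False, patch_level=7),
        Posture("dave", authenticated=True, av_running=True, patch_level=7, known_infected=True),
        Posture("eve", authenticated=False, av_running=True, patch_level=7),
    ]
    for s in samples:
        r = decide(s)
        print(f"{s.user:6} -> {r['code']:13} {r['attrs'].get('Tunnel-Private-Group-ID', '-'):>4}  ({r['reason']})")
```

The ordering of the checks is the point: a failed credential or a known-infected host never gets a VLAN, while a merely unpatched machine is accepted onto the quarantine VLAN so the remediation described above can happen without the user touching a cable.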
Making a shopping list
Policy-based access control products are certainly the new toys in the security playpen. Here are a few things - culled from this iLabs testing - to consider if you're looking to buy them:
Make sure the protocol implementations are working. We still see problems with 802.1X implementations failing. We also see glitches in vendor interoperability when they start doing sophisticated things such as switching client machines among VLANs.
Don't get caught buying a steel door for a grass hut. Great network access software running on an appliance that you manage with cleartext telnet using unauthenticated certificates isn't secure.
Make sure the products fit into your network management infrastructure. Does the product generate an event log you can feed into your central log management system? Make sure it scales so that you can manage multiple PEPs from a single location.
Be wary of ties to vendor access control initiatives (Cisco Network Admission Control, TCG's Trusted Network Connect, Microsoft Network Access Protection, Juniper Endpoint Defense Initiative). These alliances are evolving, and the notion of just what "compliance" is hasn't stabilized.
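Two of the tips above (verifying that the 802.1X implementations actually work, and feeding the PEP's event log into central log management) come together in one small detection routine. This is an added example, not code from the iLabs tests or any product: the log lines are constructed in a made-up key=value format, since every switch and RADIUS server has its own syntax, so the regular expression and field names are assumptions to adapt to your own logs.

```python
"""
Summarise 802.1X authentication events from an authenticator's log.
Added example; the log format, ports, MACs, users and VLAN numbers are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log: one authentication outcome per line.
SAMPLE_LOG = """\
2005-03-14T09:01:02 dot1x port=Gi1/7 mac=00:11:22:33:44:55 user=alice result=ACCEPT vlan=100
2005-03-14T09:01:09 dot1x port=Gi1/8 mac=00:11:22:33:44:66 user=bob result=ACCEPT vlan=999
2005-03-14T09:01:15 dot1x port=Gi1/9 mac=00:11:22:33:44:77 user=carol result=REJECT reason=bad-credential
2005-03-14T09:01:21 dot1x port=Gi1/9 mac=00:11:22:33:44:77 user=carol result=REJECT reason=bad-credential
2005-03-14T09:01:27 dot1x port=Gi1/9 mac=00:11:22:33:44:77 user=carol result=REJECT reason=bad-credential
2005-03-14T09:02:00 dot1x port=Gi1/8 mac=00:11:22:33:44:66 user=bob result=ACCEPT vlan=100
2005-03-14T09:02:30 dot1x port=Gi1/10 mac=00:11:22:33:44:88 user=dave result=TIMEOUT
"""

# Assumed layout: ISO timestamp, the literal tag "dot1x", then key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+) dot1x (?P<kv>.*)$")


def parse_line(line: str):
    """Turn one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def analyze(text: str, reject_threshold: int = 3) -> dict:
    """Report repeated failures per port, VLAN moves per MAC, and EAP timeouts.

    - alerts: ports with reject_threshold or more REJECTs (credential guessing
      or a misconfigured supplicant, either way worth a look)
    - vlan_moves: MACs accepted onto more than one VLAN, i.e. the audit trail of
      a quarantine-then-production reassignment (or of a VLAN-switching glitch)
    - timeouts: ports where the 802.1X exchange never completed
    """
    rejects_per_port = Counter()
    vlan_history = defaultdict(list)
    timeouts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        result = rec.get("result")
        if result == "REJECT":
            rejects_per_port[rec["port"]] += 1
        elif result == "ACCEPT":
            vlan_history[rec["mac"]].append(rec["vlan"])
        elif result == "TIMEOUT":
            timeouts.append(rec["port"])
    alerts = [f"{port}: {n} authentication failures"
              for port, n in sorted(rejects_per_port.items()) if n >= reject_threshold]
    vlan_moves = {mac: vlans for mac, vlans in vlan_history.items() if len(set(vlans)) > 1}
    return {"alerts": alerts, "vlan_moves": vlan_moves, "timeouts": timeouts}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for line in report["alerts"]:
        print("ALERT", line)
    for mac, vlans in report["vlan_moves"].items():
        print("VLAN move", mac, " -> ".join(vlans))
    for port in report["timeouts"]:
        print("TIMEOUT", port)
```

On the constructed input this flags port Gi1/9 for three failures, records bob's machine moving from VLAN 999 to VLAN 100 (the remediation path working as intended), and lists Gi1/10 as a port where the exchange timed out, which is exactly the kind of implementation failure the first tip warns about. A product whose log cannot be parsed this way is one you will struggle to manage centrally.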
Thayer is principal investigator with Canola & Jones, a security research firm in Mountain View, Calif. He can be reached at rodney@canola-jones.com.