The iLabs Full Spectrum Security Initiative investigated two basic questions: How do you allow users to legitimately gain access to the network? And how do you make sure they continue to practice safe networking once they get there?

Access to network resources has become an easy problem to solve. Using LAN connections, wireless access points, remote VPNs and Internet-enabled coffee shops, users can pretty much access a network from almost anywhere. Unfortunately, the bad guys can do the same thing.

Simply stated, policy-based network access is implemented by enhancing the protocol stacks in the clients and in the network infrastructure to control when and where users are allowed to send packets. Products – such as the wireless access points from Extreme Networks and Trapeze Networks, and switches from HP, Extreme and Foundry Networks – use the 802.1X protocols to regulate wireless and LAN access, and 802.1Q VLAN tagging to control which portions of the network a user can reach.

Another group of products – from Microsoft, Cisco and the Trusted Computing Group, among others – generally consists of a policy enforcement point (PEP) that uses either an in-line appliance that controls network access, or a combination of 802.1X, RADIUS and policy-enforcement client software, to validate a system before it is allowed on the network. In the iLabs testing, we saw that systems from Check Point and Sygate can check a system for policy compliance before it can access the network. Policy checks can consist of simple authentication, or can inspect a user’s system to make sure it hasn’t been infected or compromised by accessing malicious software.
These products also can be used to set up fine-grained network control, allowing only legitimate users access to specific portions of a network.

Once you can (appropriately) block access, you can start to defend the network from viruses, unpatched systems and policy violations. If a machine is found to have a problem or is noncompliant with the defined policy, use the network access technology to take action to remediate the problem. If a machine simply requires an update, the PEP can use 802.1Q virtual LANs (VLANs) to reconnect the machine to an isolated section of the network where it can be patched. Worm outbreaks and unauthorized peer-to-peer traffic can be controlled through the use of policy enforcement when it’s tied to a switch’s management capabilities.

802.1X is used to control access at the link layer, using encryption, RADIUS authentication and VLAN switching. There’s new supplicant and authenticator software in the clients, the wireless access points and the Ethernet switches to support this, along with supporting infrastructure components within the network.

Making a shopping list

Policy-based access control products are certainly the new toys in the security playpen. Here are a few things – culled from this iLabs testing – to consider if you’re looking to buy them:

Make sure the protocol implementations are working. We still see problems with 802.1X implementations failing. We also see glitches in vendor interoperability when they start doing sophisticated things such as switching client machines among VLANs.

Don’t get caught buying a steel door for a grass hut. Great network access software running on an appliance that you manage with cleartext telnet using unauthenticated certificates isn’t secure.

Make sure the products fit into your network management infrastructure. Does the product generate an event log you can feed into your central log management system?
Make sure the product scales so that you can manage multiple PEPs from a single location.

Be wary of ties to vendor access control initiatives (Cisco Network Admission Control, TCG’s Trusted Network Connect, Microsoft Network Access Protection, Juniper Endpoint Defense Initiative). These alliances are evolving, and the notion of just what “compliance” is hasn’t stabilized.

Thayer is principal investigator with Canola & Jones, a security research firm in Mountain View, Calif. He can be reached at rodney@canola-jones.com.
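As an added example (not code from the article or from any vendor named in it), here is a toy policy enforcement point that ties together the pieces the article describes: the 802.1X/RADIUS credential result, a posture check, a remediation VLAN assigned through the standard RADIUS tunnel attributes of RFC 3580, and the event-log line the shopping list asks for. The VLAN ids, the required patch level and the posture fields are constructed assumptions; a real PEP would get them from its policy and its client agent.

```python
"""Toy PEP decision: authentication result plus a posture check choose between
Access-Reject, the production VLAN and an isolated remediation VLAN."""
from dataclasses import dataclass

# RADIUS attribute values used for dynamic VLAN assignment (RFC 3580)
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6

# Constructed example policy values; a real deployment sets its own
PRODUCTION_VLAN = "100"
REMEDIATION_VLAN = "666"
REQUIRED_PATCH_LEVEL = 7


@dataclass
class Posture:
    """What the client-side enforcement agent reports about the endpoint (constructed fields)."""
    user: str
    credentials_ok: bool        # outcome of the 802.1X/RADIUS authentication
    patch_level: int
    av_signatures_current: bool
    malware_found: bool


def decide(p: Posture) -> dict:
    """Build the RADIUS reply the PEP sends to the authenticator (switch or access point)."""
    if not p.credentials_ok:
        return {"code": "Access-Reject", "reason": "authentication failed"}
    if p.malware_found:
        # A compromised host is refused outright rather than parked next to other hosts
        return {"code": "Access-Reject", "reason": "malware detected"}
    if p.patch_level < REQUIRED_PATCH_LEVEL or not p.av_signatures_current:
        vlan, reason = REMEDIATION_VLAN, "noncompliant, sent to remediation VLAN"
    else:
        vlan, reason = PRODUCTION_VLAN, "compliant"
    # Access-Accept carrying the VLAN the switch should place the port in
    return {"code": "Access-Accept", "reason": reason,
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE_802,
            "Tunnel-Private-Group-ID": vlan}


def event_log_line(p: Posture, reply: dict) -> str:
    """Key=value line suitable for a central log management system."""
    vlan = reply.get("Tunnel-Private-Group-ID", "-")
    return (f"pep user={p.user} result={reply['code']} vlan={vlan} "
            f"reason=\"{reply['reason']}\"")
```

Run `decide` on a `Posture` and feed the result to `event_log_line` to see the three outcomes (reject, remediation VLAN, production VLAN) as a switch and a log collector would see them.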