NAC - Network Admission Control

NAC (network admission control) technology has been around for a couple of years now, but has only recently started to appear in the IT environments of Safecoms’ client base.  We reckon this is a security technology that will get onto the agendas of a lot of organisations over the next 12 months, so here’s an introductory overview of what it’s about and what the issues are.

What’s The Problem?
When looking at any security technology, Safecoms’ start point is always to try to find out what problem it’s addressing (and if the answer is not immediately obvious, the technology in question may well be destined for the “clever but useless / solution looking for a problem” bucket).

So, why did anybody feel the need to invent NAC?  The short answer is that effective enforcement of network security policies is hard.  It is complex, time-consuming and labour-intensive, and even if significant resources are thrown at it, individual policy breaches (which have the potential to trigger security breaches) can easily be missed.  So, if a smart way could be found to automate these processes and make them as close to 100% effective as possible, that would be a significant advance in the state of security.

That is what NAC technology sets out to do.

Overview
NAC technology utilises the network infrastructure to enforce network security policies out to all devices needing access to the corporate systems resources.  (By network security policies we mean anti-virus and patch management, access to services on the network and enterprise authentication).

Importantly, the NAC enforces policies to all devices accessing corporate systems resources, irrespective of whether the device in question is part of the corporate asset register or is owned by a third party (e.g. a laptop belonging to a visiting consultant).  Equally, the NAC solution does not differentiate between authentication via the internal network, VPN, or wireless.  In all instances the network is protected from unknown or rogue devices.

Evaluation and Verification of Devices
When a device connects to the network switch, the device is evaluated for patch and antivirus levels.  This evaluation is matched against the compliance list extracted from the security policy.  If the device complies, then connectivity is granted.  If the device does not comply, then the device is quarantined and allowed to update its patching and antivirus software.  The device then goes through another evaluation process to verify that the patching and antivirus levels are up to date.  Once this is achieved the device is connected to the network and the security access policy is applied.

This is a significant step forward, particularly in organisations that have large numbers of visitors (e.g. contractors) who need to gain some level of network connectivity whilst on site.  Traditionally, someone from the IT Department would have had to take time out to run a manual check on the antivirus and patch levels of every visitor’s laptop – a tedious and time-consuming activity – and therefore one that was often “overlooked”.

Policy Compliance
Of course, it has previously been possible to apply some security policies through the group policy editor in Active Directory.  However, this has a number of limitations: it occurs at the application level and (by definition) only applies within the Windows environment.  By contrast, NAC enables the implementation and enforcement of granular policies by validating the user’s identity against the particular device that is being authenticated, checking that it is running an approved operating system, that the required patch levels for that system are in place, and that current anti-virus is installed.
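To make the admission sequence concrete, here is a small decision model that is an added illustration for this article, not Safecoms’ or any NAC vendor’s code.  It covers both the evaluate / quarantine / re-evaluate cycle from the section above and the identity-to-device, operating-system, patch-level and anti-virus checks just described.  Everything in it is assumed: the Policy and Posture structures, the ADMIT / QUARANTINE / DENY outcomes, the idea that identity and OS failures are denied outright while patch and anti-virus shortfalls are remediable, and the “*” wildcard meaning a user (such as a visitor) may authenticate from any device.  Patch levels are abstract integers and all sample policy values and devices are constructed.

```python
# Toy model of a NAC admission decision (added illustration for this article;
# not Safecoms' code and not any vendor's product logic). All names and
# sample values below are assumptions constructed for the example.
from dataclasses import dataclass, replace
from datetime import date, timedelta


@dataclass(frozen=True)
class Policy:
    """Compliance list extracted from the security policy (constructed format)."""
    approved_os: dict      # OS name -> minimum patch level required (abstract integer)
    max_av_age_days: int   # how old anti-virus signatures may be before non-compliance
    user_devices: dict     # user -> set of asset tags the user may authenticate from ("*" = any)


@dataclass(frozen=True)
class Posture:
    """What the switch learns about a connecting device (constructed format)."""
    user: str
    asset_tag: str
    os_name: str
    patch_level: int
    av_signature_date: date
    access_path: str       # "lan", "vpn" or "wireless"; the policy applies to all three alike


def evaluate(posture: Posture, policy: Policy, today: date) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is ADMIT, QUARANTINE or DENY."""
    reasons = []
    # Identity/device binding and OS approval cannot be fixed by an update, so they deny outright.
    allowed = policy.user_devices.get(posture.user, set())
    if "*" not in allowed and posture.asset_tag not in allowed:
        reasons.append(f"user {posture.user} may not authenticate from device {posture.asset_tag}")
    if posture.os_name not in policy.approved_os:
        reasons.append(f"operating system {posture.os_name} is not approved")
    if reasons:
        return "DENY", reasons
    # Patch and anti-virus shortfalls are remediable, so they lead to quarantine.
    required = policy.approved_os[posture.os_name]
    if posture.patch_level < required:
        reasons.append(f"patch level {posture.patch_level} is below required level {required}")
    av_age = (today - posture.av_signature_date).days
    if av_age > policy.max_av_age_days:
        reasons.append(f"anti-virus signatures are {av_age} days old (limit {policy.max_av_age_days})")
    return ("QUARANTINE", reasons) if reasons else ("ADMIT", reasons)


def remediate(posture: Posture, policy: Policy, today: date) -> Posture:
    """Simulate the quarantine network's update service bringing the device current."""
    return replace(
        posture,
        patch_level=max(posture.patch_level, policy.approved_os[posture.os_name]),
        av_signature_date=today,
    )


def admission_flow(posture: Posture, policy: Policy, today: date) -> list[str]:
    """Evaluate; if quarantined, remediate once and re-evaluate. Returns the decision history."""
    decision, _ = evaluate(posture, policy, today)
    history = [decision]
    if decision == "QUARANTINE":
        decision, _ = evaluate(remediate(posture, policy, today), policy, today)
        history.append(decision)
    return history


# Constructed sample policy and devices.
POLICY = Policy(
    approved_os={"WindowsXP": 2, "WindowsServer2003": 1},
    max_av_age_days=7,
    user_devices={"alice": {"CORP-0042"}, "guest": {"*"}},
)
TODAY = date(2007, 6, 1)

STALE_VISITOR_LAPTOP = Posture("guest", "VISITOR-LAPTOP", "WindowsXP", 1,
                               TODAY - timedelta(days=30), "wireless")
COMPLIANT_STAFF_PC = Posture("alice", "CORP-0042", "WindowsXP", 2,
                             TODAY - timedelta(days=1), "lan")
UNAPPROVED_OS = Posture("alice", "CORP-0042", "HomebrewLinux", 99, TODAY, "vpn")
WRONG_DEVICE = Posture("alice", "CORP-0099", "WindowsXP", 2, TODAY, "lan")

if __name__ == "__main__":
    for p in (STALE_VISITOR_LAPTOP, COMPLIANT_STAFF_PC, UNAPPROVED_OS, WRONG_DEVICE):
        print(p.asset_tag, admission_flow(p, POLICY, TODAY), evaluate(p, POLICY, TODAY)[1])
```

The visitor’s laptop is quarantined on first contact, updated, and admitted on the second evaluation, which is the cycle the article describes; the compliant staff PC is admitted straight away; the unapproved operating system and the user on a device they are not bound to are denied, since no amount of patching in quarantine changes those facts.  The access_path field is deliberately not consulted, mirroring the point that the policy is applied the same way over LAN, VPN and wireless.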

Issues
As with any new technology there will be bugs and other issues arising.  For example, there is a known bug in the Cisco 3750 Switch, which will not allow the NAC to run on multiple switches within the 3750 Stack.  All NAC appliances need to be connected to the master switch.  This means the NAC becomes unavailable should the master switch in the stack fail.  Safecoms understands that Cisco is currently working on a patch for the IOS software on the switch to allow the connectivity to span many switches in the stack.

NAC is currently a relatively expensive solution and, in Safecoms’ opinion, really comes into its own (from an ROI perspective) with larger networks, where the cost of attempting to enforce manually the kinds of security policies that NAC addresses is very significant.

Conclusion
In overall terms, Safecoms believes that NAC technology has the potential to make a significant improvement to the state of security in medium to large organisations.  It addresses a number of important issues that are currently highly problematic to deal with, and automates procedures that are both complex and time-consuming.  We will watch with interest to see how keenly NAC technology is taken up over the next 12 months.