05.14.08

Network Access Control Is Achievable

By Ofir Arkin

Network Access Control (NAC) promises to allow only authorized and compliant devices to access and operate on a network. If implemented properly, NAC can improve the security profile of a network and lower the overall security risks faced by an enterprise.

The various approaches to NAC have created a significant and even highly contested debate across the IT security industry. The benefits of NAC are clear, although they have yet to be realized on a widespread basis.

Many NAC offerings today are still expensive propositions that require network re-architecture and are based on a complex set of bypassable technologies. At the same time, many vendors failed to deliver on their claims by offering NAC solutions that do not offer full network coverage and leave an enterprise exposed to security vulnerabilities.

Any agent-based NAC solution requires a network discovery project prior to deployment to obtain an inventory of all the devices attached to the network. However, the standard discovery process is lengthy, requires significant manual input and cannot identify all devices, especially those that are firewalled or unmanaged. Likewise, appliance-based NAC solutions are not practical from a budgetary or deployment perspective in large, geographically distributed IT environments.

The result is a confused and increasingly skeptical marketplace.

Despite this, NAC is achievable. You can implement complete and real-time NAC with your existing network setup. Your NAC deployment can be accomplished within your budgetary and implementation expectations. You can ensure that all the devices connected to your network are and remain authorized and compliant throughout their lifecycle on your network.

Visibility - The Starting Point for NAC Deployments

Visibility and real-time device detection are the first building blocks of the NAC process and, if achieved, remove significant attack vectors and enable NAC coverage to be applied to the entire network infrastructure. If a NAC solution cannot identify all devices connecting to the network in real time, IT managers will likely find that their network access controls only cover known devices and regularly miss unmanaged and rogue devices, which are the source of most security vulnerabilities.


Audit and Compliance - Understanding the Network before Activating NAC

Device profiling provides contextual information about each device on the network, including its user information, function and running software and hardware. Based on this vast audit information, an IT manager can determine the devices that are authorized to access the network according to the organization's policy regarding device and software configuration. In parallel, this audit information can enable an IT manager to identify non-compliant, unmanaged and rogue devices that should not be operating on the network even before activating the NAC processes.
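The visibility and audit steps described above, as an added example that is not part of the original article or of any vendor's product: constructed ARP/DHCP observations are merged into a device inventory in arrival order, then each device is classified against an assumed managed-device list and policy (all MACs, hostnames, owners and version numbers are invented) so that unmanaged and non-compliant devices are identified before any enforcement is switched on.

```python
"""Added example: passive visibility and pre-enforcement audit for NAC.
Observations, inventory and policy below are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed passive observations: (source, timestamp, mac, ip, extra).
# A real deployment would feed these from ARP tables, DHCP leases, span ports, etc.
OBSERVATIONS = [
    ("dhcp", "2008-05-14T09:00:01", "00:1a:2b:3c:4d:01", "10.0.1.10", "hostname=LAPTOP-FIN01"),
    ("arp",  "2008-05-14T09:00:05", "00:1a:2b:3c:4d:02", "10.0.1.11", ""),
    ("dhcp", "2008-05-14T09:01:30", "00:1a:2b:3c:4d:03", "10.0.1.12", "hostname=printer-3f"),
    ("arp",  "2008-05-14T09:02:00", "de:ad:be:ef:00:01", "10.0.1.99", ""),  # never inventoried
    ("arp",  "2008-05-14T09:02:10", "00:1a:2b:3c:4d:01", "10.0.1.10", ""),  # laptop seen again
]

# Assumed managed-device inventory with compliance attributes (hypothetical).
INVENTORY = {
    "00:1a:2b:3c:4d:01": {"owner": "finance", "agent": True, "av_version": "8.2"},
    "00:1a:2b:3c:4d:02": {"owner": "hr", "agent": True, "av_version": "7.9"},
    "00:1a:2b:3c:4d:03": {"owner": "ops", "agent": False, "av_version": None, "class": "printer"},
}
POLICY = {"min_av_version": "8.0", "agentless_classes": {"printer"}}

@dataclass
class Device:
    mac: str
    first_seen: str
    last_seen: str = ""
    hostname: str = ""
    ips: set = field(default_factory=set)

def build_inventory(observations):
    """Merge observations as they arrive; every sighting updates the device record."""
    devices = {}
    for _source, ts, mac, ip, extra in observations:
        d = devices.setdefault(mac, Device(mac=mac, first_seen=ts))
        d.ips.add(ip)
        d.last_seen = ts
        if extra.startswith("hostname="):
            d.hostname = extra.split("=", 1)[1]
    return devices

def version_ok(have, minimum):
    """Compare dotted version strings numerically; a missing version never passes."""
    return have is not None and tuple(map(int, have.split("."))) >= tuple(map(int, minimum.split(".")))

def classify(device, inventory=INVENTORY, policy=POLICY):
    """Label a device unmanaged (not in inventory), compliant, or non-compliant."""
    rec = inventory.get(device.mac)
    if rec is None:
        return "unmanaged"          # unknown MAC: investigate before enforcement goes live
    if rec.get("class") in policy["agentless_classes"]:
        return "compliant"          # device class that policy allows without an agent
    if rec["agent"] and version_ok(rec["av_version"], policy["min_av_version"]):
        return "compliant"
    return "non-compliant"

def audit(observations=OBSERVATIONS):
    """Return {mac: classification} for every device seen on the wire."""
    return {mac: classify(d) for mac, d in build_inventory(observations).items()}
```

Running `audit()` on the constructed data yields one unmanaged device, one non-compliant managed laptop (old AV version) and two compliant devices, which is the picture an IT manager needs before turning enforcement on.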

NAC - Ensuring Full Network Coverage

A NAC solution must operate in real time. Every device must be detected and included in the NAC process as it is being attached to the network. Without real-time detection, a device and/or its user is given a window of opportunity to act maliciously on the network.

The quarantine mechanism used should not depend on the underlying IT infrastructure in any capacity. Internal political issues among the different departments in a large enterprise will prevent a NAC solution that relies on the IT infrastructure from scaling across the entire network. In addition, any configuration changes to the network of a bank or financial services company will never be authorized in the first place.

The user experience for managed and compliant devices should be as transparent as possible. A user of managed and compliant devices should pass through the NAC process without even knowing that the device was assessed by the NAC solution.

A NAC solution must scale across the entire IT infrastructure. The deployment must include all sites and not just a certain portion of the network. A NAC solution that is dependent on an appliance and/or the switching fabric is not a practical option in segmented networks. In addition, allowing guest users access only is the equivalent of putting your head in the sand. Any user can just connect a device to an uncovered network segment and gain access to any network resource.

Final Thoughts

NAC should be treated as a security methodology. Any worthwhile NAC solution must first provide intimate knowledge of the network by profiling all devices connected to it and identifying the non-compliant, rogue and unmanaged devices, even before the NAC processes are activated. This enables an IT manager to assess the impact of turning on the NAC solution. Finally, a NAC solution must be highly scalable, with a relatively easy deployment across the entire IT infrastructure, in order to deliver a fast time-to-value at a reasonable cost.


About the Author:
Ofir Arkin is the cofounder and CTO of Insightix, a provider of stateful IT visibility and network access control solutions. Ofir is a renowned security researcher and author of numerous influential papers on the subjects of network access control, VoIP security and remote OS fingerprinting. Before cofounding Insightix, Ofir consulted for numerous multinational companies in the financial, telecommunications and pharmaceutical markets, leading various security projects.
About NetworkNewz
NetworkNewz editors, writers and contributors focus on both the big picture and the details of networking. At NetworkNewz our goal is to deliver to you The Key To Network Management.