Network Access Control Is Achievable
By Ofir Arkin
Network Access Control (NAC) promises to allow only authorized and compliant devices to access and operate on a network. If implemented properly, NAC can improve the security profile of a network and lower the overall security risks faced by an enterprise.
The various approaches to NAC have created a significant and even highly contested debate across the IT security industry. The benefits of NAC are clear, although have yet to be realized on a widespread basis.
Many NAC offerings today are still expensive propositions that require network re-architecture and are based on a complex set of bypassable technologies. At the same time, many vendors failed to deliver on their claims by offering NAC solutions that do not offer full network coverage and leave an enterprise exposed to security vulnerabilities.
Any agent-based NAC solution requires a network discovery project prior to deployment to obtain the inventory of all the devices attached to the network. However, the standard discovery process is lengthy, requires significant manual input and cannot identify all devices, especially those that are firewalled or unmanaged. Likewise, appliance-based NAC solutions are not practical from a budgetary or deployment perspective in large, geographical distributed IT environments.
The result is a confused and increasingly skeptical marketplace.
Despite this, NAC is achievable. You can implement complete and real-time NAC with your existing network setup. Your NAC deployment can be accomplished within your budgetary and implementation expectations. You can ensure that all the devices connected to your network are and remain authorized and compliant throughout their lifecycle on your network.
Visibility - The Starting Point for NAC Deployments
Visibility and real-time device detection are the first building blocks of the NAC process and, if achieved, remove significant attack vectors and enable NAC coverage to be applied to the entire network infrastructure. If a NAC solution cannot identify all devices connecting to the network in real-time, IT managers will likely find that their network access controls will only cover known devices and will regularly miss unmanaged and rouge devices, which are the source of most security vulnerabilities.
Audit and Compliance - Understanding the Network before Activating NAC
Device profiling provides contextual information about each device on the network, including its user information, function and running software and hardware. Based on this vast audit information, an IT manager can determine the devices that are authorized to access the network according to the organization's policy regarding device and software configuration. In parallel, this audit information can enable an IT manager to identify non-compliant, unmanaged and rogue devices that should not be operating on the network even before activating the NAC processes.
NAC - Ensuring Full Network Coverage
A NAC solution must operate in real-time. Every device must be detected and included in the NAC process as it is being attached to the network. Without real-time detection, a device and/or its user is given a window of opportunity to maliciously act the network.
The quarantine mechanism used should not depend on the underlying IT infrastructure in any capacity. Internal political issues among the different departments in a large enterprise will prevent a NAC solution that relies on the IT infrastructure from scaling across the entire network. In addition, any configuration changes to the network of a bank or financial services company will never be authorized in the first place.
The user experience for managed and compliant devices should be as transparent as possible. A user of managed and compliant devices should pass through the NAC process without even knowing that the device was assessed by the NAC solution.
A NAC solution must scale across the entire IT infrastructure. The deployment must include all sites and not just a certain portion of the network. A NAC solution that is dependent on an appliance and/or the switching fabric is not a practical option in segmented networks. In addition, allowing guest users access only is the equivalent of putting your head in the sand. Any user can just connect a device to an uncovered network segment and gain access to any network resource.
NAC should be treated as a security methodology. Any worthwhile NAC solution must first allow provide intimate knowledge the network by profiling all devices connected to the network and identifying the non-compliant, rogue and unmanaged devices, even before the NAC processes are activated. This enables an IT manager to assess the impact of turning on the NAC solution. Finally, a NAC solution must be highly scalable with a relatively easy deployment across the entire IT infrastructure in order to deliver a fast time-to-value at a reasonable cost.
About the Author:
Ofir Arkin is the cofounder and CTO of Insightix, the provider stateful IT visibility and network access control solutions. Ofir is a renowned security researcher and author of numerous influential papers on the subjects of network access control, VoIP security and remote OS fingerprinting. Before cofounding Insightix, Ofir consulted to numerous multinational companies in the financial, telecommunications and pharmaceutical markets, leading various security projects.
NetworkNewzis an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
archives | advertising info | news headlines | newsletters | comments/feedback | submit article