NAC: Controlling access to your network

Have you heard the one about the printer repair technician and the malware outbreak?... A seemingly harmless printer repair technician arrived at the premises of Company X.

Needing to download the fix from the internet, the technician unplugged the printer from the network and plugged in his own laptop. The technician wasn't trying to spy on the company or steal confidential corporate information, just download a legitimate program.

Was the printer fixed? Probably, but Company X was hit by a bigger problem - a major worm outbreak, resulting in significant business and financial loss. And where did the threat come from? The technician's infected laptop.

As technology and business requirements continue to evolve, IT administrators are having to revisit their security set-up more often. Gone are the days when a company would have a network of machines, located in a building under lock and key, guarded by perimeter-based security.

Today, companies are opening up their network to remote workers, guest users, partners and offering wireless connectivity. As organisations’ networks are becoming more exposed they must look to secure these new gaps in the boundaries.

Securing networks through control

IT administrators need to implement a solution that will allow flexible working practices, without compromising the organisation's network. Only trusted machines, with up-to-date protection should have access to the network. Welcome to the world of Network Access Control (NAC).

NAC is not a new concept, however in the past it has been difficult to pin down, as the term has been used by different companies to mean a variety of things from intrusion detection, endpoint security and patch management, to name but a few.

In essence, its definition will depend on the main problems an individual firm is looking to solve. For example, is there a need to protect corporate data on desktop PCs? Is the organisation struggling to prevent users accessing restricted areas of the network? Is security being compromised by the use of peer-to-peer file-sharing applications?

Whatever the definition, NAC is an essential element in securing and controlling the endpoints within an organisation. NAC is a solution that works with an organisation’s current network infrastructure to control access of all users.

It is based on who the users are, where they are accessing the network and the security state of their computer as dictated by the organisation’s policies. NAC quickly enables you to control who and what is allowed onto your network; blocking rogue users, controlling guest access, and ensuring compliance with your company's security policy for legitimate users.

By controlling what users can access on the network, and helping maintain a policy regarding the "health" of PCs attaching to the business network, system administrators should find that a quality NAC solution can help significantly in securing their infrastructure.

It’s important to prioritise whose access needs to be controlled first, before segmenting all users into groups based on their profile.

This profiling should not just cover visitors connecting to the network, but also the level of access granted to employees on different levels and on the move.

Following this, a company can determine what information needs to be gathered from users before access is granted. This can be anything from authenticating that they are a member of the corporate directory, to ensuring they are not running blacklisted software such as Kazaa or Skype.

It could also mean checking to see if they’re running the required software, system patches and up-to-date security applications. A huge number of malware infections are caused not by computers being left unprotected, but due to problems rolling out updates, leaving individual workstations with out-of-date anti-virus software and therefore potentially exposed to emerging threats.

In addition, when a ‘foreign’ laptop accesses the network, the organisation must be able to effectively determine the action required to safeguard the network. For example, does the user require access to the whole network or can they be quarantined to internet-only access, or even blocked from accessing any resources until they’ve passed a health check?

In this last instance, the organisation must identify when the compliance check will take place – before or after the machine in question connects to the network.

Finally, there is a need to continually manage security policies for different user types and across different access methods. An employee working on their office desktop PC may be granted full access to all network resources, however it might be deemed more appropriate to limit this access if they’re working at home on their personal laptop.

Sophos and Network Access Control

Sophos NAC has four integral policy setting functions:

1. Definition and management of endpoint security policies
Setting up and managing a policy on who a user is and what needs to be running/not running on their machines to deem them safe and permit them access to the enterprise network.

2. Assessment of endpoint security policies
Providing a mechanism to assess the state of adherence to the endpoint security policies.

3. Enforcement of endpoint security policies
Providing/using a mechanism to automatically enforce endpoint security policies.

4. Reporting, alerting, and auditing
Providing a means to monitor the endpoints and the solution.

NAC: one size fits all?

So, you’ve revisited your network security and made the decision to deploy NAC – but which do you choose, software or hardware? Resources are stretched so can you buy it off-the-shelf?

There is no such thing as one-size-fits-all when it comes to access control; instead a NAC product must be able to meet all of a company’s security objectives, and crucially, it must also be able to integrate with any existing security solutions on the network, as well as with other vendors’ solutions.

NAC should be flexible enough to do what the customer needs. Administrators do not want to rip out their network hardware infrastructure to implement NAC, and nor do they wish their NAC solution to dictate which anti-virus solution they choose.

External guests on the network won't all be using the same products to secure their own devices - while it is possible to block network access to anyone that doesn't use software from a specific vendor, this is not generally the most practical solution.

Equally, if businesses choose to let employees access the network remotely from their personal laptops, they may be using a different security solution than the one deployed on company desktops.

Sophos NAC adopts a vendor neutral approach to all of the leading security products and network hardwares to make the integration of NAC as speedy and painless as possible.

Benefits of Sophos NAC include:

  • client and client-less assessment options for managed and unmanaged endpoints.
  • the ability to define endpoint security policies centrally.
  • the functionality to assess endpoint compliance proactively prior to network access and periodically during the network session.
  • easy identification and isolation of rogue endpoints.
  • flexible deployment for phased enforcement (Report Only; Remediate; Enforce).
  • Reporting of the state of endpoint compliance over time.
  • rapid response to new, unforeseen threats using custom application creation and enforcement.
  • systematic enforcement of endpoint security compliance policies.
  • enhanced ROI of existing security applications and network infrastructure.
  • unlimited 24-hour telephone, email, and online support, 365 days a year.

Remember that NAC is not as black and white as anti-malware protection, where any file recognised as containing malicious code is prevented from executing. The majority of the time, network guests will have perfectly legitimate reasons for accessing the network, and it’s a question of adherence to corporate policy and to outside regulation that is likely to determine the level of access they can be given.

This again is likely to differ from one person to another. At all times however, the need to safeguard the network against the threat of outside infection must take priority, and the companies that succeed at NAC will be the ones that ensure this is the case, while minimising the impact on all users.

Let’s return to Company X, the repair technician, but now add Sophos NAC into the security mix. The ‘foreign’ laptop would fail the health check in order to gain access to the internet. Having detected the infection, Sophos NAC would quarantine the machine for remediation. The network would not be compromised and Company X would save time, money and its reputation.

Real world business solution: US energy company

With more than 15,000 employees and hundreds of contractors, consultants and advisors serving millions of customers, this highly regulated company takes network security very seriously. If the enterprise network or any of the computers that connect to it were compromised, the possible loss of service, downtime, and outages would be unacceptable.

The potential exposure was highlighted by non-compliant user behaviour, such as disabling security applications, and the introduction of viruses, worms and other malware to the network by contractors and consultants.

The problem was compounded by the sheer size of the network, the need to integrate a security enforcement strategy with the existing DHCP infrastructure, and a planned upgrade to 802.1X-enabled switches.

A solution was required that would assess and enforce security on the company’s own varied desktop platforms, which employed a range of different security applications, and quarantine unauthorized computers prior to network access.

The IT department installed Sophos NAC Advanced with DHCP-based compliance and enforcement capabilities. The solution assesses the security status of computers when they connect to the network and at predefined intervals thereafter. Non-compliant users are notified and quarantined, protecting the network and providing a complete record of actions taken, enabling the firm to comply with local, regional and governmental regulations.

If you would like to know more about Sophos' range of products, please visit their website at Sophos