NAC in the spotlight

Figures just in from Information Week, the US publication, reveal that 85 per cent of US corporates either have NAC technology already installed on their networked IT resource or are planning to install a system in the next 12 months.

This contrasts with a figure of just 54 per cent a year ago, suggesting that NAC has at last evolved from being an interesting concept to a valid and valued component of enterprise technology.

Although there are no equivalent figures for companies in the UK and Europe, there is every indication that IT managers are adopting a similarly pro-active stance on this side of the Atlantic for this type of network security.

One of the key drivers behind companies adopting NAC as a standard IT security technology is the need for regulatory compliance.

In the US, the Sarbanes-Oxley Act effectively mandates the use of multi-faceted IT security systems. Here in the UK, the Companies Act of 2006 – the provisions of which will become law by November, 2008 - are less dracononian, but are sure to make IT security top of the management agenda as the Act's implementation date draws near.

So what's the big deal about NAC technology? Is it the universal panacea that some IT security vendors are claiming?

Our observations here at the ITProPortal.com suggest that, whilst it can never be a complete access control network in its own right, NAC is nonetheless a highly effective method of controlling access to a networked IT resource and one that neatly complements a network’s existing access control system.

This is an important point to grasp as, whilst a good NAC can block any unusual or inappropriate network behaviour, once an application has been given access to the network, the NAC may not be able to prevent any malicious user behaviour, such as SQL injection attacks into a Web application.

It also cannot stop data being saved out to removable media devices such as MP3 players or USB sticks. For this, companies must turn to full behavioural analysis software, which tends to be a more expensive option altogether.

Despite these modest limitations, within a given set of parameters, a good NAC system can perform its task well, as well as complementing other IT security technologies such as the aforementioned behavioural analysis software and/or more conventional anti-virus and anti-malware systems software.

So what is NAC technology and how does it function?

In use, a good NAC system will monitor network endpoints, enforcing enterprise security policies and block the spread of malware.

At its most basic, a good NAC system can determine whether interactive devices such as notebook PCs, PDAs and smartphones connecting to a network comply with a given set of security standards.

The depth to which an NAC system monitors the IT resource includes determining whether the interactive devices adhere to an enterprise's policy, including checking for up-to-date security patches and anti-virus software.

In essence then, a good NAC system seeks to do exactly what the name implies, namely control access to a network using a series of security policies - including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on the company network and, of course, what they are allowed to do on the network.

If this explanation sounds complex, this is because of the nebulous nature of what is still a relatively young IT security technology.

Some early vendors have sought to exploit the inevitable confusion about NAC in the marketplace by making wide-ranging claims for their products and services that mirror those of the earliest days of anti-virus software in the 1980s.

Let’s put it another way – if the security claims of a vendor appear to be too good to be true, then there is a strong chance they really are.

The good news about NAC, however, is that the technology has matured to the point where the vast majority of vendors now take a pragmatic view when it comes to talking about what their products are capable of.

This is a positive development when one considers the new generations of security threats that can pose a risk to the integrity of a network-based IT resource.

These threats include the so-called insider threat where an employee or contractor, often due to a misunderstanding or misapplication of the security rules, connects a device to the network they should not have connected.

This can include a USB stick or similar portable storage device, which can store all manner of malware, but which does not normally fall under the monitoring eye of NAC security technology.

To help prevent a disaster that could result from the innocuous plugging of a portable storage device, companies should be encouraged to install conventional IT security technology to run alongside the NAC system or, at the very least, implement a security policy that ensures that devices logging onto the network meet a basic set of security policies.

On top of this, IT managers should exercise extreme caution when allowing wireless devices to `hook up’ to the network and ensure that meet all the relevant security policies of the company concerned. They should also very closely monitor these wireless devices for any unusual activity

The plethora of wireless and directly connected mobile devices in the educational sector is one of the key reasons why the take-up of NAC technology has been so popular on educational campuses and in schools and universities generally.

This trend has been good news for the corporate sector as educational sites have often acted a beta test proving ground for NAC technology and its associated systems, allowing vendors to only release their commercial NAC products to major companies once most of the early problems have been ironed out.

Agent-based vs agentless NAC technology

One of the most interesting developments in recent times has been the evolution of agentless NAC technology. This is where the network scans the device without downloading a client application to that device.

Agentless NAC technology can be useful for scanning devices which use an operating system not supported by the parent NAC environment or where the device is portable but relatively passive in terms of network interaction (e.g. a USB stick or similar).

Several vendors are busy promoting agentless NAC technology as a key development in the IT security arena, but it should always be remembered that, if a client application (i.e. agent-based) is downloaded to the device in question, a number of additional functions are available.

These include the ability to scan a device whilst offline and report the findings of the agent when the device goes online. This can save time by reporting the scan results immediately on connection to the policy checker.

An agent-based system can also transparently run post-connection checks in the background to ensure that device protection remains in-place, without affecting the information flow to or from the device in question.

And as if this wasn’t enough, an agent-based NAC system can support additional types of device-based threat management such as a host-based Intrusion Protection System (IPS) and malicious code protection.

Agent-based NAC technology tends to suffer from the limitation, however, of being primarily a Windows-based function, meaning that the richest functions only tend to be available where the host system and its devices support Windows.

This means that cross-platform and non-standard operating system devices can often be more efficiently scanned using agentless NAC technology. This makes it important that a good NAC system supports both agent-based and agentless technology for maximum flexibility.This leads us nicely into the area of whether to install the NAC system in-line or out-of-band.

If the NAC controller is installed inline it can monitor, analyse and control traffic without any need to communicate with the main LAN switches or routers, but it is important that the system has the necessary processing power to carry out its tasks without impeding the overall data traffic flow.

If the NAC controller is installed at the network edge, the required performance and traffic volumes involved are a lot lower, although it should be noted that, if installed at the perimeter of the network – e.g. to support security checks on remote access – the traffic levels involved can be much higher and require the installation of redundant NAC controllers, which all adds to the expense.

TippingPoint’s NAC approach explained

TippingPoint’s NAC technology seeks to offer a flexible solution to most network topologies and environment, by enforcing device and user policies to ensure endpoint compliance and granular levels of network compliance, even after the application or client has entered the network.

This is achieved on an inline basis using an NAC Enforcer and on an out-of-band basis using DHCP (Dynamic Host Configuration Protocol) and/or 802.1X based technology.

The integration of device user and IPS-based traffic classification and enforcement is billed as offering much greater control over network access and usage, as well as reducing network vulnerabilities and enhancing policy plus regulatory compliance.

Providing network administrators with the ability to select, mix, and match these options for enforcement, identification, and posture assessment allows the appropriate technology to be used to set and enforce access policies throughout the enterprise.

The Policy Server creates a centralized policy management environment that can be viewed and/or controlled using a Web-based console that supports up to 5,000 users with drill-down access to more detailed reporting such as details of minutes used and bandwidth consumer based on a number of parameters such as device, user and access point.

The optional Policy Enforcer, meanwhile, is an in-line appliance that provides high levels of access control enforcement based on user and device criteria.

The central Policy Server allows network administrators to implement access rules base on user identity and device types across all enforcement methods that may be in use.

This approach is a more flexible one and, says TippingPoint, ideal for controlling mobile devices such as laptops, PDAs and smartphones that increasingly need transient connections to the network.

By working in tandem with the Policy Server, the Policy Enforcer can receive up-to-date policies for any new connection on the network, as well as adapting to any changes in a user’s authentication state in real time. In addition, radius responses and DHCP leases can be dynamically altered on the fly to provide out of band NAC enforcement.

This fully functional approach means that a reliable NAC system can be installed on a network without the requirement for an IPS to be present, although, in an ideal world, an IPS is a valuable addition to any IT security arsenal.

Conclusions and recommendations

From the above, it can be seen that the sheer diversity of devices attaching to a corporate network on a permanent, semi-permanent, transient and even guest basis, is a potential headache for any IT manager to control.

If an NAC system is to do its job well, it has to present the information to the manager in the best way possible.

There will almost always be a key issue driving the initial requirement for an NAC system, but the choice that an IT manager selects should be made with one eye on future requirements as well.

The days of when a single IT security application or suite could protect the corporate resource from harm are now, sadly, long gone, so the hard-pressed IT manager will usually have to make their choices of which security technologies to employ based on several constraints, one of which is almost certain to be budgetary.

A good NAC system will be both cost-effective and able to integrate closely with third-party IT security technologies. Perhaps more importantly, however, that same NAC system should be flexible and able to scale up (as well as down) to the users’ changing requirements.

IT managers must therefore go beyond the traditional processing power and price tag specifiers that normally influence their choice of IT security solutions.

To do this, they should employ the services of a known and trusted IT system reseller/systems integrator or, failing that, ask around their peers for recommendations.

Nothing is better than asking one’s peers for advice as to the best solution to a given product or service requirement. As well as supplying you with valuable information for use on an immediate basis, it can also forge new business relationships. But that, as they say, is another story entirely…