NETWORK SECURITY
December 2006
Communications News
Why you don’t need an agent
Achieve complete access control without adding management overhead.
by Ray Wizbowski
Network access control (NAC) has emerged as one approach to the challenge of
controlling who and what gains access to the corporate network, and of
ensuring that connected devices meet a baseline security policy. Even with
the promise of what NAC can do, several questions still need to be
considered in order to choose a technology that addresses all of an
organization's access-control issues. Appropriate evaluation criteria should
include:
1. Does the NAC system require additional software to be installed on
connecting endpoints?
Agent-based technologies can check the device continually, even when it is
not connected to the network. Upon connection, the agent reports the health
of the system and the NAC product determines whether that report meets the
security criteria of the network. The challenge with this type of deployment
is the management effort involved in ensuring that every endpoint has the
agent installed and running.
Users introduce an additional level of complexity to this type of
deployment: they have the ability to disable the agent, or to behave in ways
that inhibit the agent's effectiveness. Additionally, agents are specific to
the operating system of the endpoint, which limits the range of devices that
can be covered.
The alternative to an agent-based system is to go clientless. Clientless NAC
solutions detect and interrogate every connecting device to ensure that it
meets network security policies, without the complexity and management of an
installed agent. (The trade-off is that a clientless system can examine only
what the device exposes to the network, so the depth of its checks depends
on what remote interrogation can reach.)
With this type of system, the same compliance policies can be enforced on
endpoints regardless of the type of device that is connecting. This broadens
the scope of NAC protection to cover non-user devices, such as printers and
VoIP phones, as well as industry-specific equipment connected to the local
area network (e.g., imaging devices in a hospital).
This capability becomes important when dealing with non-managed devices,
such as those belonging to guests, contractors or auditors. These
individuals need specific access to segments of the network, but they should
not be given a free pass to the entire IT infrastructure. A clientless
system should be able to identify the device as a network guest and provide
the appropriate level of access.
Some solutions include the ability to logically segment the network,
providing granular access privileges specific to a device and/or user, so
that access is granted only to the IP resources the user's job function
requires. Other, broader policies can also be put into place that leverage
the existing IT infrastructure to provide a guest/contractor network.
For example, upon detecting a guest/contractor device, the NAC solution
should be able to move the device from the production virtual LAN (VLAN) it
connected on to a quarantined guest VLAN. This would give the device
Internet connectivity, but no access to corporate resources.
2. Will policy enforcement disrupt productivity of corporate users?
This is one of the most significant questions to address when evaluating a
NAC product. If the NAC product offers only a binary allow/deny response,
then every policy violation is going to keep employees from being
productive. An example of this binary response is a corporate security
policy stating that all connecting laptops must have antivirus software
installed and updated at least once per week, or be denied access. If the
connecting device is out of compliance by one day, that is not a critical
security breach that requires denying the user access to the network.
In order to address this type of minimal-risk security violation, the NAC
system should provide a full spectrum of enforcement options, ranging from
alerting the appropriate IT staff, to engaging the user and providing
remediation options, to being able to modify the user’s access privilege,
and ultimately being able to block a user’s connection if the security
violation merits such harsh action.
3. Will the NAC solution address self-propagating malware?
Even though the number of widespread network worms has decreased over the
last couple of years, the threat of a mobile device becoming infected while
outside the corporate network and introducing that infection upon its return
continues. The problem is compounded by the number of remote workers
connecting to the corporate network via VPN, at times from non-managed
devices. From a security standpoint this is a nightmare scenario, but it is
one that security operations professionals deal with every day.
In this complex security environment, the NAC solution should be able to
defend the network from the self-propagating threats. Ideally, this would be
integrated into the underlying platform and could be leveraged to conduct
instant checks of connecting devices to ensure this type of threat does not
take down the network.
If this type of check is in place, then connecting devices are allowed to
gain access to the network while deep interrogation of the device is
completed for all other security policies. This allows a user onto the
network quickly without creating a security risk.
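The three evaluation points above (guest and non-user devices segmented into their own VLAN, graded enforcement instead of a binary allow/deny for a slightly stale antivirus, and a fast self-propagation check ahead of deeper interrogation) can be expressed as one policy function. The block below is an added example written for this page; it is not code from the article or from ForeScout. The device classes, VLAN names, directory roles, the fixed clock, the "scanning observed" input and the overdue thresholds are all assumptions chosen for illustration; the only policy taken from the article is the weekly antivirus-update requirement.

```python
"""Graded, clientless NAC policy evaluation: illustrative example, not vendor code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, Optional


class Action(Enum):
    ALLOW = "allow"          # full access for the device's role
    ALERT = "alert"          # allow, but notify IT staff
    REMEDIATE = "remediate"  # allow, and engage the user with remediation steps
    RESTRICT = "restrict"    # reduced access (guest or remediation VLAN)
    BLOCK = "block"          # no access at all


@dataclass
class Endpoint:
    """What a clientless appliance can learn about a device from the network.
    Field names and device classes are assumptions made for this example."""
    mac: str
    device_class: str                 # "workstation", "printer", "voip", "medical"
    managed: bool                     # corporate-owned and in inventory
    role: Optional[str] = None        # directory role: "employee", "contractor", "guest"
    av_installed: Optional[bool] = None
    av_last_update: Optional[datetime] = None
    scanning_observed: bool = False   # appliance saw worm-like scanning right after connect


@dataclass
class Decision:
    action: Action
    vlan: str
    reason: str


NOW = datetime(2006, 12, 1)          # fixed clock so the sample run is reproducible
AV_MAX_AGE = timedelta(days=7)       # policy from the article: AV updated at least weekly
# Assumed graded thresholds: how far past the weekly deadline triggers each step.
ALERT_AFTER = timedelta(days=0)
REMEDIATE_AFTER = timedelta(days=3)
RESTRICT_AFTER = timedelta(days=14)
BLOCK_AFTER = timedelta(days=30)
# Assumed VLAN names for non-user devices that cannot run an agent.
DEVICE_VLANS = {"printer": "vlan-printers", "voip": "vlan-voice", "medical": "vlan-imaging"}


def evaluate(ep: Endpoint, now: datetime = NOW) -> Decision:
    # 1. Fast check first: a device that is already spreading malware is cut
    #    off before the slower, deeper interrogation of its other posture.
    if ep.scanning_observed:
        return Decision(Action.BLOCK, "vlan-quarantine", "self-propagating behaviour observed")
    # 2. Non-user devices are placed in the VLAN for their class.
    if ep.device_class in DEVICE_VLANS:
        return Decision(Action.ALLOW, DEVICE_VLANS[ep.device_class], f"{ep.device_class} device")
    # 3. Unmanaged, guest or contractor devices get Internet only.
    if not ep.managed or ep.role in ("guest", "contractor"):
        return Decision(Action.RESTRICT, "vlan-guest", "non-managed or guest device")
    # 4. Managed corporate workstation: antivirus posture with graded enforcement.
    if not ep.av_installed or ep.av_last_update is None:
        return Decision(Action.RESTRICT, "vlan-remediation", "antivirus missing")
    overdue = (now - ep.av_last_update) - AV_MAX_AGE
    if overdue <= ALERT_AFTER:
        return Decision(Action.ALLOW, "vlan-corp", "antivirus current")
    if overdue <= REMEDIATE_AFTER:
        return Decision(Action.ALERT, "vlan-corp", f"antivirus {overdue.days}d overdue; IT alerted")
    if overdue <= RESTRICT_AFTER:
        return Decision(Action.REMEDIATE, "vlan-corp", f"antivirus {overdue.days}d overdue; user prompted")
    if overdue <= BLOCK_AFTER:
        return Decision(Action.RESTRICT, "vlan-remediation", f"antivirus {overdue.days}d overdue")
    return Decision(Action.BLOCK, "vlan-quarantine", f"antivirus {overdue.days}d overdue")


def days_ago(n: int, now: datetime = NOW) -> datetime:
    return now - timedelta(days=n)


# Constructed sample inventory; the MAC addresses are made up.
SAMPLE_ENDPOINTS = [
    Endpoint("00:11:22:33:44:01", "workstation", True, "employee", True, days_ago(2)),
    Endpoint("00:11:22:33:44:02", "workstation", True, "employee", True, days_ago(8)),   # one day late
    Endpoint("00:11:22:33:44:03", "workstation", True, "employee", True, days_ago(20)),
    Endpoint("00:11:22:33:44:04", "workstation", True, "employee", True, days_ago(45)),
    Endpoint("00:11:22:33:44:05", "workstation", False, "contractor"),
    Endpoint("00:11:22:33:44:06", "voip", False),
    Endpoint("00:11:22:33:44:07", "workstation", True, "employee", True, days_ago(1), scanning_observed=True),
]


def sample_decisions() -> Dict[str, Decision]:
    return {ep.mac: evaluate(ep) for ep in SAMPLE_ENDPOINTS}


if __name__ == "__main__":
    for mac, d in sample_decisions().items():
        print(f"{mac}  {d.action.value:<9} {d.vlan:<16} {d.reason}")
```

The ordering of the checks is the point: the cheap worm-behaviour test runs before anything else, device class and managed/guest status decide the VLAN without needing any software on the endpoint, and only a managed workstation reaches the antivirus posture test, where one day past the weekly deadline produces an alert on the production VLAN rather than a lockout. In a real deployment the `Endpoint` record would be filled from the appliance's own fingerprinting and the directory lookup, and the `vlan` field would drive the switch-port change.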
4. Will the NAC solution be difficult or disruptive to deploy?
One of the challenges NAC has faced is that it is viewed as potentially
disruptive to network operations. This perception came from infrastructure
vendors pushing inline solutions, which require an infrastructure overhaul
or replacement in order to work fully. There are other alternatives,
however, that allow companies to achieve the same level of protection
without the challenge or complexity introduced by an inline product.
Out-of-band appliances, for example, allow for the deployment of a
NAC solution without the requirement of taking the network offline for
installation. This approach provides the ability to leverage the existing
infrastructure to achieve access control.
In evaluating a NAC product, it is important to understand how well the
product interacts with existing heterogeneous systems. Some of the areas
that should be considered are: Which switches are supported? Does the
product integrate with directory or identity-management products (e.g.,
Active Directory), leveraging that information to provide role-based
access? Does the NAC product integrate with trouble-ticketing or remediation
services? Does the NAC solution provide a high-availability option?
These are just a few of the integration points in which the appropriate NAC
solution can leverage existing infrastructure in order to provide a greater
level of IT automation without significantly disrupting the network or the
end-user. At the end of the day, the most appropriate solution is one that
provides the required level of security, while allowing business to carry on
with minimal or no disruptions.
Ray Wizbowski is vice president of marketing for ForeScout Technologies,
Cupertino, Calif.
For more information: www.rsleads.com/612cn-261