impossible for ideas to compete in the marketplace if no forum for
Understanding Network Access Control
Contributed by: Mirage Networks, Inc.
Todayâ€™s technology environment is defined by mobility. Itâ€™s a productivity enhancement few organizations can be without - but the gain in productivity is causing an explosion of network security concerns. Consider the dramatic increase in the number and capabilities of mobile devices: according to Gartner, the dominant trend in computer buying has shifted to notebooks, which now make up 29% of computers sold in the US and 31% of those sold worldwide. And not only are laptops becoming the computer of choice for many corporate employees, more and more IP-enabled devices are coming into the mix - PDAs, mobile phones, and gaming systems, to name a few, each bringing new security vulnerabilities onto the network. Further enhancing productivity - and jeopardizing network security - is the ubiquity of access. Whether at home, in a hotel, at a Starbucks, or even on a park bench, users require and expect access to corporate networks at a data rate that enables full productivity. The widespread adoption of broadband and wireless networking has made mobile computing the standard, not the exception.
This has created great challenges for IT and security professionals. Controlling the devices accessing the network has become increasingly problematic as these devices move in and out of protected corporate networks, and as the line between office and personal computer blurs or even disappears. And now, itâ€™s easier than ever for unmanaged IP devices to make their way into corporate networks.
This technology shift has IT security professionals asking two questions:
How do I control the access to my corporate networking resources?
- and -
How do I ensure that the resources that are allowed on my network arenâ€™t creating a security risk?
Before we can answer these questions, we must understand the roots of IT security.
The correlation between productivity-enhancing technology and security technology is not new. As new technologies are adopted, criminal elements find ways to misuse them. Letâ€™s examine the origins of three prevalent security technologies: antivirus software, firewalls, and Virtual Private Networks (VPNs), the development of each driven by key advancements in non-security technologies.
These advances made the network perimeter stronger, acting as a moat between data and threats. But as perimeter security evolved, so did the methods designed to get at that data.
The Need for Something New
Todayâ€™s threats are not entering corporate networks through the perimeter, protected as it is by the technologies reviewed above, and others, like intrusion detection systems. Rather, they are taking aim at the networkâ€™s soft underbelly, through authorized endpoints, which, as known devices, completely bypass perimeter defenses.
An Example: The Zotob Worm
A recent example of this occurred in August 2005, during which the Zotob worm took advantage of a Microsoft Windows Plug and Play vulnerability. The worm infected PCs and propagated across networks by looking across random Class B addresses and sending a SYN packet (connection request) to port 445 on remote systems it found active. Upon finding a vulnerable machine, the worm exploited the vulnerability by downloading a copy of itself, infecting the PC and looking for other targets. Networks were flooded with traffic and crashed, costing organizations untold amounts in productivity.
Incredibly, this worm should never have been able to spread. Its propagation methodology required access to a TCP port through which other worms, most notably Sasser and Nimda, already had spread threats. Thanks to the notoriety of these other worms, almost every organization with an Internet connection blocked traffic to port 445, and assumed that they did not need to be concerned about Zotob. Despite this, Zotob quickly spread around the world, becoming one of the fastest spreading worms in history.
Beyond simply proving the cliché that assumptions are dangerous, this incident highlighted a crucial flaw in traditional network security: the ability, or rather, the lack thereof, to manage every device that plugs into the network. In the case of Zotob, for example, the worm entered organizations when known, infected mobile PCs entered the network, either directly or through VPN connections.
Which brings us full circle to the question of controlling endpoints to minimize security risks without impeding business.
VOILÁ: Network Access Control
Network Access Control (NAC) aims to do exactly what the name implies: control access to the network. It is still an emerging technology space, and many vendors are taking advantage of this lack of definition to jump on the NAC bandwagon. But if we boil down NAC to its essence, we are referring to the ability to:
Early on, Cisco and Microsoft created their own proprietary standards that led to the creation of key NAC concepts, prompting standards bodies to influence the direction of further development.
The first standards developed were those of vendors, recognizing the need to test devices that enter a network to see if they meet a baseline security policy.
Cisco Network Access Control
Cisco initiated its Network Admission Control (NAC) program in 2004 in an effort to provide a mechanism to check endpoints as they enter the network. As defined by their initial program, there are three key elements of Ciscoâ€™s NAC.
1. The first element is the reliance on endpoint software
to provide both security functionality to the endpoint and an integration
point to the NAC infrastructure. This requires two endpoint agents: the
Cisco Trust Agent (CTA) and Cisco Security Agent (CSA). The CTA communicates
with Cisco NAC-enabled security agents to gather key security information
and pass it on to the Cisco infrastructure. The CSA is Ciscoâ€™s recommend
security software, although antivirus software and/or personal firewalls can
2. The second element of Ciscoâ€™s NAC strategy is contained in the software of their Network Access Device (NAD), i.e., a router or a switch. After upgrading, the Cisco networking operating system is able to recognize endpoints on entry to the network and check them for the presence of the CTA. Upon finding that agent, it gathers security information relevant to the state of the device entering the network. The NAD can then forward this information to the third element of their NAC strategy, the policy servers.
3. The third element, the Cisco policy server, consists of their Access Control Server (ACS) (which is a RADIUS Authentication, Authorization, and Accounting (AAA) server) that can grant access to the network based upon the results of the host agent results. In Ciscoâ€™s homogeneous solution with CSA, the information passed to the ACS server is relevant to the Operating System version and patch level. Through integrations with antivirus vendors and other endpoint security solutions, it can also check such things as AV signature level, if security agents had recently found or mitigated threats, and other security policy information. Once a system has passed these checks, it is allowed on the network with an appropriate level of access. Different access levels are usually enforced by assignment to various VLANs.
Cisco rolled out its NAC solution initially on Layer 3 devices (routers) for protection and checking of remote access devices. It has since launched a solution that supports Layer 2 capabilities (switches). As with all Cisco initiatives, for Cisco NAC to function optimally, it must be in a homogenous Cisco network, with new, NAC-ready infrastructure elements.
Microsoft Network Access Protection
Microsoft was the second major vendor to deliver its own NAC standard. Called Network Access Protection (NAP), it was designed to check the security policy compliance of Windows devices entering the network. There are three distinct aspects of NAP: health policy validation, health policy compliance and network isolation.
1. For health policy validation, an endpoint must have Microsoftâ€™s or a supporting vendorâ€™s System Health Agent (SHA), which checks the current security state of the device, such as the status of OS patches and antivirus updates. The SHA reports to a System Health Validator (SHV) that determines whether or not the endpoint is adhering to corporate security policy.
2. After policy validation, health policy compliance features may be used to fix any identified shortcomings of the device. In this case, after the system is identified to be non-compliant, it can be fixed automatically using services such as Microsoftâ€™s Systems Management Server (SMS).
3. Finally, network isolation can be implemented through one of several enforcement options. Currently these options include DHCP quarantine through the use of a DHCP Quarantine Enforcement Server (QES), VPN quarantine using a VPN QES, 802.1x quarantine where the network access device can limit the access of the endpoint to specific protocols or VLANs, and finally IPsec quarantine using an IPsec QES. Each of these isolation options have certain capabilities and limitations that can be explored further on Microsoftâ€™s website.
Microsoft NAP is expected to be delivered and available in conjunction with the release of Microsoft Vista in late 2006. As with all Microsoft initiatives, NAP will work optimally only for networks and devices running on a Microsoft OS.
In response to Ciscoâ€™s and Microsoftâ€™s approaches, the Trusted Computing Group (TCG), through its Trusted Network Connect (TNC) subgroup, kicked off an industry initiative to influence the development of vendor-neutral NAC solutions.
Trusted Computer Group - Trusted Network Connect
The goal of the TNC was to establish a standard for ensuring host integrity of devices connecting to the network, where integrity indicates that the device is both free from malicious code and that the device is up to date in its own protections against threats, with current patches and the like. The TNC architecture can be broken into three major components; the Access Requestor (AR), which is the device entering the network; the Policy Decision Point (PDP), which compares the ARâ€™s credentials against an established security policy; and the Policy Enforcement Point (PEP), which can grant, deny, or limit access for the AR.
The configuration of the AR includes a TNC Client (TNCC) that runs on the AR and interfaces with another software application, the Integrity Measurement Collector (IMC) one or more of which runs on the AR. The IMC checks for antivirus signature level, operating system patches and other host based security measurements. The TNCC aggregates inputs from the IMC(s) and communicates this information to the PDP. The PDP uses this information to analyze the hostâ€™s security measurements determine their compliance to established security policies. Once the ARâ€™s adherence to or variance from policies is determined, the PDP decides what level of network access the AR should have. The PEP is used to enforce these decisions. A PEP almost always resides in the network and is part of the entry process in some way: PEP enforcement mechanisms can include integrations with the Authenticator in 802.1x, with AAA servers during the authentication process, and with secure DHCP servers for the assignment of IPs and VLANs. They can also be implemented in the network infrastructure itself, either through a network security appliance or through integration with the network access device and the use of Access Control Lists (ACLs).
Independent Vendor Solutions
As standards-based approaches to NAC become accepted, many vendors who play in adjacent markets are taking the opportunity to claim their spot, integrating into the above frameworks and performing part of the NAC process. Most of these solutions take the role of either or both a PDP and/or a PEP as described by the TCG TNC architecture.
Many of these solutions have gone beyond the initial concept proposed by Cisco to provide a more complete approach to NAC throughout a given endpointâ€™s access lifecycle, an approach that analysts like Gartner, advocate.
Mobile technology is rapidly rendering the network perimeter moot; protecting the “soft, chewy center” is critical. Designed for exactly this environment, the NAC approach is a promising one. There are myriad NAC solutions on the market. Deciding which one works for a given organization can be challenging. Key elements to look for include pre-admission NAC, post-admission NAC, and quarantine and remediation capabilities.
In Part 2 we shall examine pre-admission NAC in detail; and in Part 3, we shall focus on post-admission NAC and quarantine and remediation; and in Part 4 we shall discuss the key considerations you should keep in mind when deciding on what NAC strategy will work for your organization.
Visit the Authors Web Site
Search Our Site
Search the ENTIRE Business
Forum site. Search includes the Business