The Business Forum

"It is impossible for ideas to compete in the marketplace if no forum for
  their presentation is provided or available."         Thomas Mann, 1896

Understanding Network Access Control

Contributed by: Mirage Networks, Inc.




Today’s technology environment is defined by mobility. It’s a productivity enhancement few organizations can be without - but the gain in productivity is causing an explosion of network security concerns. Consider the dramatic increase in the number and capabilities of mobile devices: according to Gartner, the dominant trend in computer buying has shifted to notebooks, which now make up 29% of computers sold in the US and 31% of those sold worldwide. And not only are laptops becoming the computer of choice for many corporate employees, more and more IP-enabled devices are coming into the mix - PDAs, mobile phones, and gaming systems, to name a few, each bringing new security vulnerabilities onto the network. Further enhancing productivity - and jeopardizing network security - is the ubiquity of access. Whether at home, in a hotel, at a Starbucks, or even on a park bench, users require and expect access to corporate networks at a data rate that enables full productivity. The widespread adoption of broadband and wireless networking has made mobile computing the standard, not the exception.

This has created great challenges for IT and security professionals. Controlling the devices accessing the network has become increasingly problematic as these devices move in and out of protected corporate networks, and as the line between office and personal computer blurs or even disappears. And now, it’s easier than ever for unmanaged IP devices to make their way into corporate networks.

This technology shift has IT security professionals asking two questions:

How do I control the access to my corporate networking resources?

- and -

How do I ensure that the resources that are allowed on my network aren’t creating a security risk?

Before we can answer these questions, we must understand the roots of IT security.

The correlation between productivity-enhancing technology and security technology is not new. As new technologies are adopted, criminal elements find ways to misuse them. Let’s examine the origins of three prevalent security technologies: antivirus software, firewalls, and Virtual Private Networks (VPNs), the development of each driven by key advancements in non-security technologies.

  • Antivirus - In the early to mid 1980s, antivirus technology development was driven by the success of MS-DOS, and its impact on businesses and home PCs. A key new capability provided by personal computing was the ability to easily share and transfer files via floppy disks. As file sharing became standard behavior, the first viruses evolved to exploit it. This malware attached itself either to individual files or to the boot sectors of PCs to infect all floppy disks subsequently used on that PC. Antivirus technology arose and was widely adopted to preserve the value of data transfer through external media.

  • Firewalls - Firewalls are often associated with the advent of the Internet, but they actually came about as a result of networking and routing technology. As businesses began to connect their small departmental networks to larger shared networks, concerns arose about the ability of  individuals to access computing resources and data on networks that didn’t belong to them; the development of the firewall was the result. The firewall inserts itself as a barrier between a local trusted network and one or more external networks, regulating traffic between networks to prevent access to network and system resources from unknown or unauthorized sources. Connection to the Internet and its millions of worldwide users has made firewalls mandatory, and a standard part of virtually all networked environments.

  • Virtual Private Networks - VPNs, while not quite as prevalent as antivirus and firewall technologies, are found in almost all medium to large organizations. The need for VPNs was driven by two factors. First, corporations were looking for alternatives to expensive private networks connecting remote sites. Second, companies needed to enable their employees to connect to their corporate networks remotely. And of course, confidentiality of the data in transmission was critical: because this connection was going over open networks, it was susceptible to eavesdropping for both passwords and data. VPNs provided a mechanism to protect the confidentiality of the data and assure that the connection being made was legitimate.

These advances made the network perimeter stronger, acting as a moat between data and threats. But as perimeter security evolved, so did the methods designed to get at that data.

The Need for Something New

Today’s threats are not entering corporate networks through the perimeter, protected as it is by the technologies reviewed above, and others, like intrusion detection systems. Rather, they are taking aim at the network’s soft underbelly, through authorized endpoints, which, as known devices, completely bypass perimeter defenses.

An Example:  The Zotob Worm

A recent example of this occurred in August 2005, during which the Zotob worm took advantage of a Microsoft Windows Plug and Play vulnerability. The worm infected PCs and propagated across networks by looking across random Class B addresses and sending a SYN packet (connection request) to port 445 on remote systems it found active. Upon finding a vulnerable machine, the worm exploited the vulnerability by downloading a copy of itself, infecting the PC and looking for other targets. Networks were flooded with traffic and crashed, costing organizations untold amounts in productivity.

Incredibly, this worm should never have been able to spread. Its propagation methodology required access to a TCP port through which other worms, most notably Sasser and Nimda, already had spread threats. Thanks to the notoriety of these other worms, almost every organization with an Internet connection blocked traffic to port 445, and assumed that they did not need to be concerned about Zotob. Despite this, Zotob quickly spread around the world, becoming one of the fastest spreading worms in history.

Beyond simply proving the clich that assumptions are dangerous, this incident highlighted a crucial flaw in traditional network security: the ability, or rather, the lack thereof, to manage every device that plugs into the network. In the case of Zotob, for example, the worm entered organizations when known, infected mobile PCs entered the network, either directly or through VPN connections.

Which brings us full circle to the question of controlling endpoints to minimize security risks without impeding business.

VOIL: Network Access Control

Network Access Control (NAC) aims to do exactly what the name implies: control access to the network. It is still an emerging technology space, and many vendors are taking advantage of this lack of definition to jump on the NAC bandwagon. But if we boil down NAC to its essence, we are referring to the ability to:

  • Enforce security policy and restrict prohibited traffic types

  • Identify and contain users that break rules or are noncompliant with policy

  • Stop and mitigate day zero and other threats In the beginning…

Early on, Cisco and Microsoft created their own proprietary standards that led to the creation of key NAC concepts, prompting standards bodies to influence the direction of further development.

Proprietary Standards

The first standards developed were those of vendors, recognizing the need to test devices that enter a network to see if they meet a baseline security policy.

Cisco Network Access Control

Cisco initiated its Network Admission Control (NAC) program in 2004 in an effort to provide a mechanism to check endpoints as they enter the network. As defined by their initial program, there are three key elements of Cisco’s NAC.

1. The first element is the reliance on endpoint software to provide both security functionality to the endpoint and an integration point to the NAC infrastructure. This requires two endpoint agents: the Cisco Trust Agent (CTA) and Cisco Security Agent (CSA). The CTA communicates with Cisco NAC-enabled security agents to gather key security information and pass it on to the Cisco infrastructure. The CSA is Cisco’s recommend security software, although antivirus software and/or personal firewalls can be substituted.

2. The second element of Cisco’s NAC strategy is contained in the software of their Network Access Device (NAD), i.e., a router or a switch. After upgrading, the Cisco networking operating system is able to recognize endpoints on entry to the network and check them for the presence of the CTA. Upon finding that agent, it gathers security information relevant to the state of the device entering the network. The NAD can then forward this information to the third element of their NAC strategy, the policy servers.

3. The third element, the Cisco policy server, consists of their Access Control Server (ACS) (which is a RADIUS Authentication, Authorization, and Accounting (AAA) server) that can grant access to the network based upon the results of the host agent results. In Cisco’s homogeneous solution with CSA, the information passed to the ACS server is relevant to the Operating System version and patch level. Through integrations with antivirus vendors and other endpoint security solutions, it can also check such things as AV signature level, if security agents had recently found or mitigated threats, and other security policy information. Once a system has passed these checks, it is allowed on the network with an appropriate level of access. Different access levels are usually enforced by assignment to various VLANs.

Cisco rolled out its NAC solution initially on Layer 3 devices (routers) for protection and checking of remote access devices. It has since launched a solution that supports Layer 2 capabilities (switches). As with all Cisco initiatives, for Cisco NAC to function optimally, it must be in a homogenous Cisco network, with new, NAC-ready infrastructure elements.

Microsoft Network Access Protection

Microsoft was the second major vendor to deliver its own NAC standard. Called Network Access Protection (NAP), it was designed to check the security policy compliance of Windows devices entering the network. There are three distinct aspects of NAP: health policy validation, health policy compliance and network isolation.

1. For health policy validation, an endpoint must have Microsoft’s or a supporting vendor’s System Health Agent (SHA), which checks the current security state of the device, such as the status of OS patches and antivirus updates. The SHA reports to a System Health Validator (SHV) that determines whether or not the endpoint is adhering to corporate security policy.

2. After policy validation, health policy compliance features may be used to fix any identified shortcomings of the device. In this case, after the system is identified to be non-compliant, it can be fixed automatically using services such as Microsoft’s Systems Management Server (SMS).

3. Finally, network isolation can be implemented through one of several enforcement options. Currently these options include DHCP quarantine through the use of a DHCP Quarantine Enforcement Server (QES), VPN quarantine using a VPN QES, 802.1x quarantine where the network access device can limit the access of the endpoint to specific protocols or VLANs, and finally IPsec quarantine using an IPsec QES. Each of these isolation options have certain capabilities and limitations that can be explored further on Microsoft’s website.

Microsoft NAP is expected to be delivered and available in conjunction with the release of Microsoft Vista in late 2006. As with all Microsoft initiatives, NAP will work optimally only for networks and devices running on a Microsoft OS.

Open Standards

In response to Cisco’s and Microsoft’s approaches, the Trusted Computing Group (TCG), through its Trusted Network Connect (TNC) subgroup, kicked off an industry initiative to influence the development of vendor-neutral NAC solutions.

Trusted Computer Group - Trusted Network Connect

The goal of the TNC was to establish a standard for ensuring host integrity of devices connecting to the network, where integrity indicates that the device is both free from malicious code and that the device is up to date in its own protections against threats, with current patches and the like. The TNC architecture can be broken into three major components; the Access Requestor (AR), which is the device entering the network; the Policy Decision Point (PDP), which compares the AR’s credentials against an established security policy; and the Policy Enforcement Point (PEP), which can grant, deny, or limit access for the AR.

The configuration of the AR includes a TNC Client (TNCC) that runs on the AR and interfaces with another software application, the Integrity Measurement Collector (IMC) one or more of which runs on the AR. The IMC checks for antivirus signature level, operating system patches and other host based security measurements. The TNCC aggregates inputs from the IMC(s) and communicates this information to the PDP. The PDP uses this information to analyze the host’s security measurements determine their compliance to established security policies. Once the AR’s adherence to or variance from policies is determined, the PDP decides what level of network access the AR should have. The PEP is used to enforce these decisions. A PEP almost always resides in the network and is part of the entry process in some way: PEP enforcement mechanisms can include integrations with the Authenticator in 802.1x, with AAA servers during the authentication process, and with secure DHCP servers for the assignment of IPs and VLANs. They can also be implemented in the network infrastructure itself, either through a network security appliance or through integration with the network access device and the use of Access Control Lists (ACLs).

Independent Vendor Solutions

As standards-based approaches to NAC become accepted, many vendors who play in adjacent markets are taking the opportunity to claim their spot, integrating into the above frameworks and performing part of the NAC process. Most of these solutions take the role of either or both a PDP and/or a PEP as described by the TCG TNC architecture.

Many of these solutions have gone beyond the initial concept proposed by Cisco to provide a more complete approach to NAC throughout a given endpoint’s access lifecycle, an approach that analysts like Gartner, advocate.


Mobile technology is rapidly rendering the network perimeter moot; protecting the “soft, chewy center” is critical. Designed for exactly this environment, the NAC approach is a promising one. There are myriad NAC solutions on the market. Deciding which one works for a given organization can be challenging. Key elements to look for include pre-admission NAC, post-admission NAC, and quarantine and remediation capabilities.

In Part 2 we shall examine pre-admission NAC in detail; and in Part 3, we shall focus on post-admission NAC and quarantine and remediation; and in Part 4 we shall discuss the key considerations you should keep in mind when deciding on what NAC strategy will work for your organization.

Visit the Authors Web Site

Website URL:

Your Name:
Company Name:

Inquiry Only - No Cost Or Obligation

 3D Animation : red star  Click Here for The Business Forum Library of White Papers   3D Animation : red star

Search Our Site

Search the ENTIRE Business Forum site. Search includes the Business
Forum Library, The Business Forum Journal and the Calendar Pages.


The Business Forum, its Officers, partners, and all other
parties with which it deals, or is associated with, accept
absolutely no responsibility whatsoever, nor any liability,
for what is published on this web site.    Please refer to:

legal description

Home    Calendar    The Business Forum Journal     Features    Concept    History
Library     Formats    Guest Testimonials    Client Testimonials    Experts    Search
News Wire
     Join     Why Sponsor    Tell-A-Friend     Contact The Business Forum


The Business Forum

Beverly Hills, California United States of America

Email:  [email protected]

Graphics by DawsonDesign


Copyright The Business Forum Institute 1982 - 2009  All rights reserved.