Over the past five years, IT departments have seen a steady increase in the use of mobile devices in the form of seemingly ubiquitous wireless access and smaller, more powerful laptops—together with a general business acceptance of these technologies. Businesses want and need to exchange data with outsiders in ways besides sending email or visiting Web sites. Consultants and contractors shift between jobs and may request to connect their laptops to your network. Vendors visiting your company may request to connect to your network and presentation projector. Employees may even bring in their own home equipment and physically connect to the company network. As portable technology becomes more prevalent and remote access proliferates, networks have become more vulnerable, and many companies have discovered that they need to regularly readjust their security policies and the technical controls guarding their networks. An emerging approach to security, Network Access Control (NAC), hopes to tame these steadily increasing requests. NAC offers significant security benefits but can be pricey and complicated. Some vendors in this emerging market are already offering options to help you protect your data in an increasingly mobile world.
NAC goes by different names with different vendors. Cisco calls its solution Network Admission Control, and Microsoft's offering is called Network Access Protection. But all of these names represent technologies that evaluate the security posture of a computer before allowing it to connect to a sensitive network. When you use NAC, all computers that connect to your network physically, wirelessly, or remotely must pass a series of checks before they can communicate with other computers on your network. The checks vary by vendor but usually include requirements such as updated application and OS security patches, current antivirus signatures, operational antivirus software, and functional host-based firewall software. Computers that satisfy the check are permitted access to the corporate network. Those that fail are either sequestered in a quarantine network or completely denied access.
But I Already Have a Three-Letter Defense System
NAC is a fairly recent addition to a field that offers other seemingly similar technologies, such as intrusion detection systems (IDSs) and intrusion prevention systems (IPSs). IDSs alert you when suspicious behavior has occurred. IPSs block suspicious behavior, typically at network choke points or on hosts, as the behavior occurs. NAC attempts to validate a computer's security health before it's even permitted onto the corporate network.
Depending on your network's security requirements, these three technologies can complement each other. For example, you might deploy IDS sensors at perimeters and choke points to look for attacks from external or compromised computers. Then, you might consider using IPS to moderate traffic in front of your sensitive servers. Finally, you might use NAC to ensure that users don't accidentally infect your network by introducing an unmanaged or unsecured computer on your network. Using these three technologies together creates a robust defense.
NAC Can Get Complicated Quickly
NAC solutions' abilities to scan a device vary by vendor, and many solutions require cooperation of network gear, back-end servers, and host computers. This is NAC's greatest challenge: overcoming the complexity of its deployment. Figure 1 shows an example enterprise NAC solution like the one that Cisco offers. As you can see, NAC can affect nearly every piece of technology between your host and server, which means deploying NAC isn't for the faint of heart.
Some vendors recognize these challenges and have already begun to offer NAC solutions that don't require overhauling existing network equipment. Juniper Networks introduced Unified Access Control, which combines installations of real-time agents, a policy server, and Juniper firewalls to provide NAC without 802.1x-compliant switches. Also, both LANDesk Software and CheckPoint Software Technologies offer NAC solutions that can leverage 802.1x but don't require it. So you still have options, even if you don't have the advanced security of 802.1x-based NAC. (For a short description of the 802.1x security protocol, see the sidebar"802.1x Security Limits Data Access.") You might sacrifice some level of security, but deploying a limited NAC solution might be better than no NAC at all.
Network-Based NAC with 802.1x Support
802.1x-based NAC is the leading, most secure NAC technology to date. However, most network switches older than a few years don't include 802.1x support, which increases the expense of deploying an 802.1x-dependent NAC solution. If you want the latest, most secure NAC technologies, you might be forced to upgrade your network infrastructure. Let's walk through Figure 1 from left to right and identify the 802.1x-based pieces to look for in an NAC solution.
In Figure 1, the wireless laptop connects to an 802.1x-enabled wireless access point, and the desktop computer connects to the LAN through an 802.1x-enabled switch. A firewall or ACL-enabled router, which sits between the clients and the network, permits or denies traffic from authenticated clients to internal parts of the network.
When a client requests access to the 802.1x switch, the switch forwards the request to the access server sitting behind the firewall. The access server determines whether the client has a trust agent, host-based software that scans every client for its health and security posture. The posture validation server then sends instructions to the client defining what the client needs before it can access the secure network. If the client doesn't have a trust agent installed, the access server denies the client access to the internal network and instructs the 802.1x switch or Wireless Application Protocol (WAP) to put the client in a quarantine Virtual LAN (VLAN). At this point, the client would have an IP address in the quarantine subnet and could access nonsecure parts of the network based on the firewall ACLs. For example, usually a quarantined client could access an installation point for the trust agent and access the remediation server to install needed security software or updates.
If a trust agent is installed on the requesting-client, the access server contacts the posture-validation server and compares the client's health to the corporate policy. If the client is deemed healthy, the posture-validation server tells the access server to permit the client access to the corporate network. If the client isn't healthy, it's relegated to the quarantine subnet, and the access server notifies the user of the problems. Then, the user can access a remediation server to install the necessary patches.
The main benefit of an 802.1x solution is that access is enabled at the switch-port level, which makes the solution difficult to circumvent. Every time you unplug and plug in a new device to any switch port, this security check occurs.
Alternatives to 802.1x-Based NAC
As Figure 1 shows, deploying 802.1x NAC requires security-enabled network equipment that many companies don't have and that might be cost-prohibitive to deploy. Vendors recognize this problem and have come up with alternative NAC solutions that offer varying levels of security.
For example, LANDesk supports both the Cisco 802.1x NAC solution and its own proprietary access solution, which doesn't require an 802.1x infrastructure. The LANDesk proprietary NAC solution works with any network switch. In the LANDesk approach, the vendor adds its own DHCP server in front of your corporate DHCP server. When new clients request an IP address, the LANDesk DHCP server determines whether the LanDESK trust agent is installed and whether the client is healthy based on your corporate policy. If no trust agent is installed or the client is deemed unhealthy, the LANDesk DHCP server returns an IP address in the quarantine subnet. If the client is healthy, the LANDesk DHCP server forwards the request to the corporate DHCP server, which returns to the client an IP address for the corporate network.
Unlike the 802.1x NAC security solution, which limits access at the network port level, the DHCP approach is IP-based and can be circumvented. If your primary goal is simply to ensure that your own managed computers are healthy, this approach might be satisfactory. However, if you want to limit any new computer accessing your network, the 802.1x solution provides this additional security.
A third approach, Juniper Networks' combination of Secure Sockets Layer (SSL) VPN, firewall, real-time agents, and policy server, creates secure, authorized communications between endpoints and servers. Solutions from Mirage Networks and Info-Express offer NAC solutions that use still different architectures and technologies. For example, Mirage Networks detects communication to unused IP addresses and unusual protocol usage (e.g., SMTP mail originating from a unofficial mail server), then uses techniques including ARP management to try to contain the anomalous network traffic.
Whereas the 802.1x NAC solution requires a network infrastructure that many companies don't have, the DHCP solution doesn't require footing the bill for additional network hardware—but it's less secure than 802.1xbased NAC. Both solutions usually require that a trust agent be installed on the host. This means that if client computers are running unsupported OSs—or if vendors choose not to install your trust agent on their computers—the clients will have access only to your quarantine network.
Beyond Connections: The Policy
The NAC policy is just as important as the network architecture supporting your NAC implementation. NAC solutions include some sort of a security policy server in which you create rules that define what constitutes a healthy computer in your environment. For example, you might require that clients have all Microsoft Windows security patches and current antivirus signatures from your antivirus software vendor. Typically, you'd define the policy on the posture-validation server; the policy consists of the different checks that the clients must pass to access the network. The posture validation server compares the state of the client against the published policy to deem whether a client is healthy. The complexity of the policy varies by vendor. For example, LANDesk supports checking antivirus definitions, driver updates, LANDesk client software versions, security threats, software updates, detected spyware, and vulnerable software such as the OS application patches. For example, if a peer-to-peer application was installed on your client, you could configure your NAC solution to quarantine the computer until the program was removed.
One NAC struggle that you must deal with is how to address hosts that might need access to your network but can't install the NAC client—for example, vendor laptops, computers running an OS that your NAC vendor doesn't support, printers, mobile devices running Windows mobile, or other WiFi enabled devices. If you don't make exceptions for these devices, they will remain on your quarantine subnet and won't be able to access your network. But when you make exceptions, you could open holes in your otherwise secure network. Sometimes leaving devices in quarantine is OK—you might get by with creating ACLs on your quarantine networks to permit some access. For example, you can give the quarantine network access to the Internet and a terminal server or other computer inside the sensitive network, but prohibit full access.
New Technologies on the Horizon
NAC offers new solutions to the changing security problems you face, and NAC architectures vary. Because of the expense and complexity of 802.1x solutions and the potential subversion of DHCP solutions, some vendors are seeking innovative approaches to NAC. At the time I wrote this article, nearly all of the major NAC vendors were gearing up for significant new releases. Keep your eyes peeled for new technologies.