Corporate networks are increasingly vulnerable, and network access control (NAC) solutions have become a very important part of the security strategy surrounding the protection of these key business assets. The evolution and proliferation of NAC solutions are, however, raising considerable debate regarding the merits of proprietary versus generic NAC solutions and the advantages of acquiring an all-in-one NAC solution rather than a range of diverse point solutions.
Martin Tassev, MD of Loophold Security Distribution, explains: "The corporate network lies at the heart of a business, providing access to mission critical applications and organisational information, enabling vital business processes and providing a platform for electronic and voice communications. If the network is compromised, it not only negatively impacts productivity but can bring business to a screeching halt.
"Advances in technology and changes in business practices are, however, making the corporate network increasingly vulnerable. Remote and mobile staff, contractors, suppliers and clients now all access the corporate network from virtually anywhere using wired and wireless technologies and a broad range of unmanaged client devices such as cell phones, PDAs, PCs and laptops.
"Knowing who is on the network, why and what resources they are accessing is only one part of the equation. To mitigate potential risks (introduction of viruses and malware, unauthorised exploitation of data, malfunctioning equipment etc.) organisations need to apply authentication and authorisation policies based on the security profile of the device and the identity of the user, as well as monitor the activity of the device while it is on the network. NAC has evolved to provide some of the answers but with so many of these solutions now available, selecting one that does not result in a complex, time consuming and expensive overhaul of the entire network is a challenge."
Tassev adds: "Selecting a NAC solution from a prominent vendor is not going to guarantee success. Cisco essentially created the NAC market with its Network Admission Control (C-NAC) technology. Microsoft was also quick to introduce its Network Access Protection (M-NAP) initiative. The reality is that technologies such as C-NAC and M-NAP are very complex and not all IT shops have the expertise, IT infrastructure, time or resources to deploy a full-blown NAC framework.
"In response to Cisco's and Microsoft's approaches, the Trusted Computing Group (TCG), through its Trusted Network Connect (TNC) sub-group, launched an industry initiative to influence the development of vendor-neutral NAC solutions. As the standards-based approach to NAC became accepted, many vendors who play in adjacent markets are taking the opportunity to claim their spot, fulfilling some part of the NAC equation."
The challenge? Despite the proliferation of NAC solutions from top vendors, a lack of standards can make implementation and use of these products a nightmare.
Says Tassev: "If companies want to make a long term investment in a NAC solution that can continue to serve the business as it diversifies and its needs change or grow, they need to ask some key questions and look for some key elements within the NAC solution before purchasing."
NAC solutions essentially allow organisations to apply a device- and user-focused policy for network access across LAN, wireless and VPN infrastructures. Some products focus on endpoint security while others home in on authentication and policy.
However, standalone solutions that provided only one or another of these elements have given way in popularity to full-blown all-in-one solutions that provide authentication and authorisation, endpoint-security assessment, NAC policy enforcement and overall management.
Tassev says: "While different organisations will prize one element over another, finding a comprehensive solution for our clients that delivers the necessary functionality quickly, simply and inexpensively was high on Loophold Security Distribution's list of priorities. We did a thorough investigation of the market and selected Mirage Networks' NAC solution, Mirage Endpoint Control, for its ability to meet the key criteria we deem essential in a solution of this nature – regardless of the enterprises' focus."
According to him, the seven key elements to be looked for are:
* Agentless solution – You don't need to load yet another piece of software on desktops, laptops or PDAs.
* Supports all networks, all devices, all OSs – You can protect your network from any device, including printers, cameras, IP phones, etc.
* Infrastructure independent – You can install on any network, and you don't need managed switches or equipment that supports 802.1x / SNMP.
* Out of band deployment – No latency, no single point of failure.
* Full cycle: pre- and post-admission policy enforcement – Systems are monitored continuously, not just on-entry scans.
* Zero Day protection without signatures – No signatures. Faster protection.
* Effective quarantine and transparent remediation capabilities – Quarantine non-compliant devices without affecting other systems and make remediation simple and clear to the user.
"The ideal NAC solution is hardware, software and operating system agnostic. It should also be able to accommodate all networked devices, even those that don't use an off-the-shelf operating system (e.g., printers, IP phones etc.)," says Tassev.
He notes that the chosen solution must work over a wired, optical, or wireless network, and should not require the installation of any end-user agent for proper device identification. It must also be able to perform any pre- and post-admission checks and quarantine any networked endpoints regardless of the operating system of the endpoint.
"Quarantines should not affect other systems that are uninfected or compliant, and non-compliant devices should then be funnelled to a remediation service appropriate to the quarantine, allowing the end user to quickly return to the network," he says.
The post-admission component of NAC is crucial. It focuses on policy and threat monitoring, ensuring that endpoints that fall out of compliance after admission are appropriately contained. "To be cost-efficient, the solution must not require agents or signatures to catch new threats. Policies should be programmed into the security fabric and should provide on-going monitoring and mitigation for zero day threats," he notes.
Finally, he adds, the NAC solution must be centrally managed, providing a unified interface for endpoint administration, threat auditing, device software upgrades and maintenance.
Concludes Tassev: "Installing a NAC solution is a big decision, but one that few organisations can omit in the long term if they aim to fully protect their network assets. This solution, like any other, is in the throes of maturation, however, and organisations would do well to ensure they are aware of new developments that will assist them to extend the life of their investment as their organisation grows, technologies advance and threats continue to multiply."