Demand is high for a super system that can promise protection from external threats while organizations’ networks, data and software applications become increasingly interconnected.
Since Cisco Systems coined the term and released its first “network access control” system in 2003, interest in NACs has expanded to the point where it’s difficult to tell just what a true NAC is and what it should do.
This two-part series will take a look at the growing use of NACs, what they are and what they should do, as well as get some insights from key players.
The Buzz Surrounding NAC
There’s been a lot of activity, as well as hype, in the NAC market lately as vendors seek to capitalize on the hottest security technology — and for good reason. NACs are well-suited to establishing and enforcing security policies throughout the enterprise network, from in-house LAN (local area network) and WAN (wide area network) desktops, databases and servers to remote and wireless networks, nodes and end user devices.
“As the need for controlling devices with more granularity and visibility grows, so does the NAC market, and we have seen a drastic uptake in the amount of devices we are selling due to this increasing need for better protection,” Jeffrey Reed, cofounder and president of Classic Networking, a network and security systems developer and value-added reseller, told TechNewsWorld.
The market is becoming more complex as business needs evolve, he added.
“Legislated compliancy also helps that progression move a little faster. The more we rely on the network, the more controls we need to put into place,” Reed said.
Defining NACs
As its name implies, this technology aims to control access to a network through various means. Cisco views NAC as requiring four key components: authentication/authorization; endpoint posture or health assessment; quarantine; and remediation.
“A solution without all four is inadequate at best, and counterproductive at worst,” Irene Sandler, marketing manager for Cisco NAC, told TechNewsWorld.
“For example, a solution that only has posture assessment and remediation can’t help find the owners of unhealthy machines,” she explained. “Nor can those machines be fixed. Very few solutions in the market today are able to claim useful functionality in all four areas. Cisco can.”
NACs are designed to enhance the effectiveness of other security products, such as host-based intrusion prevention systems, by making sure they’re not disabled, bypassed or out-of-date, Sandler noted.
The security technology can be present at every entry point into the network, whether it’s a wireless access point, a virtual private network (VPN), a port in a conference room, or a branch office, she added.
NACs and VPNs
Associated network security technologies — such as Secure Sockets Layer (SSL) and Internet protocol security VPNs — have some NAC features, but are limited by nature and do not cover them all, Sandler pointed out.
“The NAC products that have arisen from the SSL VPN market space are unable to apply consistent policies to the other methods of accessing the network,” she commented. “So, while they do address one pain point — that of protecting against inadvertently compromised remote access users — they are essentially point products that cannot replicate across the rest of the organization.”
SSL VPNs are an extension of the network and, like a firewall, one can open that network extension to various internal resources, added Classic Networking’s Reed.
NAC’s Evolution
Many NAC solutions borrow heavily from technology developed within the SSL VPN market, observed Lisa Phifer, vice president at Core Competence, a consulting firm specializing in internetworking, switched internetworking, and network management.
Concepts used include authenticating individual users, not devices; authorizing access to individual services/applications/objects, not entire subnets; and evaluating the integrity of the endpoint before granting access, she said.
“SSL VPNs focus largely on endpoints that are remotely connected over the Internet or another WAN,” explained Phifer, “while NAC solutions focus largely on endpoints that are locally connected via Ethernet or wireless LAN.”
Vendors that play in both markets — e.g., Juniper and Cisco — tend to view SSL VPN gateways as one of several NAC policy enforcement points, and have applied some of the technology they originally developed for SSL VPN to their broader NAC solutions, she noted.
“From a policy perspective, it makes good sense to merge these remote and local solutions, because many organizations will want to apply the same authentication and authorization decisions to users, no matter how they connect to the corporate network,” reasoned Phifer.
Differing Approaches
There are three primary NAC approaches, in Phifer’s view:
- NAC appliances, which are purpose-built devices that are designed to drop into an existing network and overlay NAC services without requiring any change to network infrastructure or endpoint devices;
- Infrastructure NAC architectures like Cisco NAC and Trusted Computing Group’s Trusted Network Connect that embed NAC enforcement into existing network elements — routers, switches, authentication, authorization and accounting servers; and
- Endpoint NAC, which are software solutions that enforce NAC decisions on each endpoint, by using services embedded into the client operating system — Microsoft NAC or an agent that runs on the endpoint.
“These solutions differ in the place where NAC decisions are enforced, their impact on the network itself, and their transparency to the endpoint device/user,” Phifer pointed out.
Knocks Against NACs
As computing and network system architectures become more complex, protecting them also becomes more challenging. Given their overarching and pervasive nature, the difficulties associated with implementing and maintaining NACs, as well as their cost, have been confounding both providers and the growing number of organizations either using or looking to implement them.
However, Classic Networking subsidiary All Secure’s NetMD NAC solution is relatively simple to set up, company cofounder Reed said.
“The development of the security policy is probably a tougher thing to accomplish from a political standpoint within an organization than actually deploying NetMD,” he said. “Because we have fewer features, our solution is naturally easier to install and maintain as compared to Cisco and Juniper,” he added.
Cisco’s solution is based on an inline control server and requires a redesign of the network to get the server inline, Reed explained.
“The Cisco Clean Access Agent only communicates with the server when the PC is not inline, so to check compliancy, the server needs to be moved to a protected area where it can check in. This is pretty disruptive to computing,” he added.
Cisco has been working on consolidating its various agents to get them into the NAC architecture, and that should take a while longer, Reed noted.
“Typical of Cisco — to have a complete solution, you need to have a complete Cisco network,” he added.
Juniper has a solid solution since it purchased the Steel-Belted Radius solution, which gave it a mature Radius server and the old Odyssey desktop agent, Reed said.
Juniper is also proactive regarding 802.1x and it is a driving force behind the TNC Group, having demonstrated interoperability between other solutions within the TNC, he added.
Cisco’s Rebuttal
Cisco’s Sandler has a different perspective on her company’s product, arguing that NAC is straightforward from a deployment and network management perspective.
The “complexity” stems from two organizational issues, she said. Deploying NAC touches on three management areas — desktop, security and network operations — as it focuses on the interaction between the endpoint and network. Also, NAC can be applied to any number of problems, so the issue is “prioritization,” Sandler added.
“What policies need to be enforced first? How are they enforced? If a device fails a check, what happens to it? Does that depend on whether an employee or a contractor or a guest is using the device? Organizations that want to deploy NAC must first assemble the right personnel, then build consensus among them before even starting on the nuts and bolts of deployment,” she said.
After the organizational issues are resolved, many of Cisco’s customers have deployed Cisco’s NAC in under a week, according to Sandler.
“NAC is very much a front-loaded effort, but the benefit is that ongoing maintenance is relatively light, in large part because common rule-sets are preconfigured and downloaded from Cisco on an hourly basis. This means that if a particular rule changes — a definition file for antivirus is updated, for instance — a customer who is using that rule will automatically have that updated within an hour,” she said.