A knack for network security

The emerging technique of network access control offers a way to secure networks with precision<@VM>Sidebar | Get the right NAC, and then get NAC right

USER FRIENDLY: Idaho's Glenn Haar said ease of managment was important. 'I'm not getting any more human resources.'

WPN photo by Glenn Oakley

When Glenn Haar, an information technology resource manager at the Idaho Tax Commission, started in the computer business, the job was all about the mainframes ' a fairly easy job compared with today's duties. 'You used to have one person who took care of this system which hardly ever changed,' he said from his office in Boise.

These days, however, the same job requires looking after more than 60 servers, 'which are constantly [failing] and needing maintenance,' he said. 'That turned everybody into mechanics ' and turned them away from being oriented towards service for the user.'

'We realized we had to move people out of constantly having to fix things,' he added.

Any new approach that would help him better manage all those resources would be of value. So for the task of securing the network, Haar and his team looked into an emerging technique called network access control.

'We'd dabbled in intrusion protection before,' Haar said, 'but everything we were doing, we were adding on. You reach a point where you realize you need to look at the big picture.'

NAC can help IT shops address security from such an elevated stance.

NAC defined

In the broadest sense, NAC is simply a way of controlling access to the network based on security policies. When a new device tries to log on to a network, it is, in effect, interrogated. The machine must have the latest patches installed, and its antivirus software must be up-to-date. Network administrators can also add their own conditions for entering the network. Only those machines that meet all the qualifications are allowed on the network.

Such control can be administered from several different places. For instance, agent software on the network's endpoint devices can perform a self-check connecting to a network. NAC can also be administered from the network equipment itself ' by a server or even the network's routers and switches.

'It's an interesting time for it because there are so many approaches and a lot of big vendors are putting out some interesting approaches,' said Phil Hochmuth, a senior research analyst at the Yankee Group. NAC products seem to come from one of three types of vendors ' those offering operating systems, those that offer network hardware and those that offer security products.

Which one will dominate? 'I think it's up in the air,' Hochmuth said. NAC is still an emerging field, and with so many competing choices, network administrators will define NAC based on their individual needs ' and on which vendor they talk to first.

For Microsoft shops, the first stop may be the Redmond giant itself. When Microsoft finally ships Windows Server 2008, it will include the company's Network Access Protocol (NAP) for checking and enforcing access policies for devices connecting to the network. Microsoft describes NAP as a lightweight version of NAC, though one that could meet the basic requirements of many environments.

Gaining momentum

Unfortunately, Microsoft isn't expected to ship until February 2008 ' and the shipping delays are slowing down NAC adoption, said Lawrence Orans, a research analyst at Gartner. But there's good news, too. In a surprising move in May, Microsoft pledged that its NAP would become interoperable with the architecture of the Trusted Computing Group, an industry standards group whose members include Intel, IBM and Sun Microsystems. Microsoft's NAP will use a new protocol that should make it interoperable with other vendors' offerings in this space.
Microsoft technologists are pretty quick to admit that IT shops that need more robust NAC capabilities should look elsewhere. One obvious company to look to is Cisco, one of the largest vendors of network equipment.

'Cisco's going to go after solving the NAC problem based on the network,' said David Graziano, Cisco's manager of federal security. 'That's our biggest strength.'
Cisco offers its own network appliance for NAC. 'When you connect with your [virtual private network], it links to the NAC appliance, which will actually scan your device,' Graziano said. It performs a posture check on the endpoint device, using Cisco's agent software installed on the laptop.

One of Cisco's biggest strengths is the way it handles guest computers, Graziano said. The appliance can check whether the user is working on the government-furnished equipment provided for the job and, if not, route guests and other unmanaged users' onto a guest virtual local-area network. There, the device is checked against the Windows Service Update Service. If it isn't fully patched, 'we'll put a splash screen up that said you're out of policy, and we need you to do these things,' Graziano said.

The screen provides remediation instructions ' the latest release number for their antivirus software or patches that are missing ' with pointers for download locations. 'You don't have to call a help desk,' Graziano said. The instructions can even offer a choice of how to perform the remediation, for those who prefer using McAfee's Hercules software over the Windows Update server.
Cisco's appliance also offers role control ' limiting users to the parts of the network appropriate for their position ' and it has the ability to check for a smart card when authenticating.

The company also is working on a plug-in that can verify whether users have taken compliance testing or indicated their agreement to specific policies. And this feature may come in handy for one hurdle all government agencies must cross ' passing the yearly Federal Information Security Management Act audit. 'I've heard a FISMA auditor will walk into a conference room and plug in a laptop. If they can access your network, you'll get a lower score,' Graziano said. A fully deployed NAC implementation with compliance checks built in would go a long way toward passing that audit.

'Cisco has almost 80 percent of the LAN switch market,' Hochmuth said. 'If you're looking to take an infrastructure approach to NAC, it would be tough to not look at that.'

Field agents

Although controlling NAC from network devices makes sense, placing agents that can allow or deny access on the machines logging in can be powerful, too, Hochmuth said.

To this end, Symantec will introduce its NAC agent in the September release of its antivirus software, to be called Symantec Endpoint Protection.

Rich Langston, a Symantec NAC product manager, said 'a very large number of people in the world who run Symantec antivirus software can get started with that easy-to-deploy solution without deploying any additional hardware.'

The agent approach keeps NAC simple. 'You don't have to upgrade your network to get a lot of new features,' Langston said. 'Benefits can be obtained just with this software on the guy's computer. Rather than worry about having the network quarantine the user, the endpoint can quarantine using the agent itself. All you have to do is turn on this feature and make the rules.'

Bundling the agent is just a sign of the times, Hochmuth said. 'There's a movement to make NAC more of a standard checkbox item.'That's what Symantec's doing.' Langston hopes the company's move will encourage a wider adoption of network access controls. 'Because of the fact that it's built in, it'll be easier for people to decide to deploy it. I really expect this to provide the tipping point for NAC.'

Before connecting to the network, Symantec's NAC agent checks the device for up-to-date patches and antivirus software, and it can also be easily customized to carry out additional tasks.

'One of the things that's unique to our offering is the ability for the end-user administrator to make up any kind of rule he wants,' Langston said. 'Let's say you have an application that runs on all your desktops, and there's a known security vulnerability. You can make sure everybody upgrades to the next version.'

Noncompliance activates a firewall built into the agent, allowing the user to perform remediation while blocking communication with others on the network. The agent can even be used for device verification. 'Sometimes users will put watermarks on the computer that they can then look at and deduce that the system was installed by the IT department,' he said.

But what if a connecting device doesn't have the agent deployed? Like the other solutions, Symantec's NAC agent can handle unmanaged users. 'We'd rather use an agent,' Langston said. 'For your guests and anything else that can accept an on-demand agent, it comes down from a Web page. It's Java-based ' you say 'run', and we do an assessment. Or we can scan the device from the outside and determine if it's a fax machine and let it on.'

The agent is just one of Symantec's NAC solutions, which also include a gateway and different mechanisms on the LAN. Symantec can use an 802.11x protocol to create an authentication infrastructure on your Ethernet switch or wireless access point. 'When you plug into that Ethernet jack, that switch will ask your PC questions and will verify your answers with an authorization server,' Langston said.

The gateway solution allows network administrators to examine files and registry settings to check a device's compliance. 'We have a GUI that you use to create these rules,' Langston said. 'It's sort of like writing a script. You set up a rule that said IF ' and you say what ' and then THEN [take this action]. Some customers run a Visual Basic script that scans configuration files and performs any needed remediation. It's just as common for users to use these tools to check for the presence of software that's not supposed to be running.'

Out-of-band

Mirage Networks illustrates yet another approach to NAC ' the out-of-band deployment. 'We plug into a port on the switch, and we watch,' said Greg Stock, the company's president and chief executive officer. Because it's out-of-network, it's also switch agnostic, said Chief Technology Officer Grant Hartline.

This approach has an additional benefit. Such a software solution doesn't just scan for previously identified threats; it also monitors the network for suspicious behavior. 'We think it's the only way to stop a threat,' Hartline said. Malware can be quickly identified just by watching for tell-tale activities such as rapid propagation, bad packets and spoofing. 'We catch 99 percent of the rapidly propagating threats before they ever infect a device,' Stock said, 'because they tried to infect an unused IP address. We don't just monitor the used devices, we monitor every IP address.'

Addressing malicious software is important, Orans said. 'A lot of the NAC solutions and projects we hear about are people simply checking the configuration of the PC ' does it have the latest patches and antivirus signatures? Organizations will spend a lot of money on NAC and if they're not looking for malware on the PC, you can still have some kind of zero-day attack and have problems on your network.'

Gartner has been advising network administrators to check connecting devices for a recent scan by antivirus software or Microsoft's Malicious Software Removal tool. They should also look at the programs installed in the registry and the running processes and be sure to monitor network traffic.

AT&T is selling a managed service to many government customers using Mirage Networks technology, Hartline said, and their solution can also integrate its alerts into the console of IBM's ISS Proventia Management SiteProtector.

In short, there are a lot of vendors selling a lot of different kinds of network access control, Orans said, so it requires a clear set of requirements. 'Don't approach NAC first by googling 'NAC' and picking a list of vendors. You want to decide what you need first.'

Hochmuth agreed that the choices can be bewildering. 'The biggest issue IT people are having with NAC is just defining what it is ' what you can get out of it and what can it do for you. There's no real standard way to do it.'

Common sense in Boise

When it came time to find a NAC solution that would cover five branch offices, Haar faced down the NAC choices with some experience. He looked for ease of management as one of the chief requirements.

'I don't know about other places, but I'm not getting more human resources,' he said. 'I knew there was going to be administrative overhead, but I wanted it to be as small as possible so we could focus on protecting the customer's data.'
This requirement helped eliminate at least one vendor, one that ultimately proposed a dual solution that involved one setup for the agency's main office and one for its five branches.

'We'd have to maintain two solutions,' Haar said, 'and develop the technical understanding of how to maintain two solutions. I'm sitting there going, 'Good luck with that.' That just increases our care-and-feeding requirement ' and doubles our knowledge requirement.'

The IT department spread out the selection process over three months to get a proper overview of the choices. Eventually, the agency settled on McAfee's Network Access Control software, due in no small part to the management console.

'It's extremely critical that you're not going to spend the rest of your life trying to manage this thing,' Haar said. The McAfee console offered links for more information about new vulnerabilities and patches, including information from the Common Vulnerabilities and Exposures Web site.

'It gives you the connective tissue,' he said. 'It gave you the workbook you needed to actually solve the problem. If you've done this long enough, you realize you have to understand what's going on underneath.'

To test the software, Haar created a small-scale pilot program involving the 30 people in the IT group, 'the people we knew we could bother,' he said. They found the early glitches. 'My system would get a message saying I was a rogue system,' Haar said. After some corrective configuration, though, the software looked to be up to the job, and after the 2007 tax season had passed, the agency deployed it to production use.

As Idaho has learned, NAC can be installed relatively painlessly ' with careful planning. The trick is to define a reasonable scope, Graziano said. 'I've seen rollouts where the scope is so large that they never even get [the system] implemented. They're trying to solve too many problems at the same time.'
So with NAC, it's best to take on a little bit of the network at a time. But when you're done, you can have your entire network locked down. Not a bad deal.
Network access control has more than its fair share of vendors, from network appliance manufacturers such as Cisco Systems to security software providers such as Symantec. How do you choose the right product?

The field may be broadly defined, but when shopping for a NAC vendor, there are some obvious things to consider, said Phil Hochmuth, a senior research analyst at the Yankee Group.

'The first step is probably to assess what you have on the network that could actually be an element of a larger NAC framework,' he said. 'If you're a Cisco shop, that means taking a look at Cisco's architecture for NAC'and their Clean Access appliance.'

On the other hand, if your biggest problems are with malware, a more client-centric approach such as Symantec's might do, Hochmuth said. Or 'if you're a large open-type network with lots of machines getting on and causing issues, the appliance approach' could work better, he added.

Remember what you're after, agreed Glenn Haar, an information technology resource manager for the Idaho Tax Commission. 'Don't listen to the vendors until you've figured out what your goals are,' he said. 'I've seen this happen a lot [where IT shops would] invest resources trying to figure out the company's product and then to figure out if it meets [their] service requirements. Let's figure out our service requirements and then make the vendor invest their time in whether or not they can address it.'

Also, keep in mind that purchasing the product is only the beginning of the commitment.

'Any NAC solution you're going to put in place is going to require testing, deployment and support,' Hochmuth said. 'You're not just going to throw the switch and have NAC.' His recommendation? 'Start small and get the kinks out.'

Training also will be something to consider.

'Your NAC is only going to be as good as the people installing it,' Hochmuth said. 'Right now, there are certifications for different types of network security technologies ' but for NAC, there's nothing like that now. People are still trying to define what NAC is. That's something the industry is going to have to think about down the line.'

Because NAC is important, it's also important to allocate enough resources to get it properly installed and keep it running. 'These things can be done. [The question is] just to what extent do you have the resources to do it,' Hochmuth said.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above