Bolting the Back Door with NAC
Part 1: Introduction
Firewalls may guard the front door, but many networks
remain vulnerable to threats originating inside the perimeter. Network
Access Control (NAC) can batten down those hatches by keeping malware-infested
laptops off the LAN and restricting what connected endpoints may reach.
The buzz surrounding Network Access Control (NAC) has reached a fever
pitch. According to Infonetics Research, NAC appliance sales reached $83
million during 2006 and will double again this year. Last month at Interop,
over a dozen vendors participated in a standards-based
NAC interoperability demo, including heavyweights Microsoft, Juniper,
Nortel, HP, Extreme, Enterasys, Aruba, and Trapeze. To date, Cisco has
certified nearly 40 vendor products that fit within its proprietary NAC
framework, with scores more under development.
Why this flurry of NAC activity? What the heck is NAC anyway? And why
should you care? In this four part series, we examine the business needs
driving NAC, compare today's major flavors of NAC, and show NAC in action
by taking one popular implementation for a test drive: Juniper Networks'
Unified Access Control.
Turning network security inside out
Over the years, perimeter defenses have gradually improved. Today, almost
everyone understands that private business networks must be protected
from perils posed by the public internet. However, many network owners
still turn a blind eye to threats emanating from internal systems connected
to their own wired and wireless LANs.
Historically, all systems inside the network perimeter have been viewed
as trustworthy, and their users have enjoyed a great deal of freedom to
reach private servers and data. Compared to measures commonly applied
at the internet edge, internal LAN access controls are frequently weak
or absent.
Many organizations still rely on physical security measures like entrance
badge checks and wall port disablement to deter unauthorized LAN access.
Every system that manages to connect to a physical or virtual LAN becomes
a trusted endpoint that can send packets to every other network endpoint,
without regard to system integrity or user identity. While logins are
often required to actually use sensitive services or fileshares, those
measures do nothing to insulate the network itself from attack or misuse.
In truth, the assumption that LAN endpoints are trustworthy was always
shaky. Insider attacks by disgruntled employees have long been a significant
but under-appreciated risk. For example, the 2006 CSI/FBI Computer Crime
and Security Survey (a 1.5 MB PDF) found that 2 in 5 companies attributed
over 20 percent of their cybercrime losses to insider attacks. But over the
past few years,
evolving business conditions and network technologies have rewritten the
ground rules and imposed costly penalties.
Workforces have become increasingly mobile, carrying corporate laptops
(and more!) from work to home to hotspot. When those endpoints connect
to external LANs, they are directly exposed to a myriad of network-borne
threats. Laptop anti-virus and personal firewalls help, but easily become
outdated or disabled. When a compromised endpoint returns to work and
connects to the internal LAN, it becomes a source of infection or intrusion.
Trojan downloaders, keyloggers, and other spyware have become especially
troublesome, resisting removal while causing identity theft or financial
loss.
Most offices are now visited daily by guests, contractors, auditors,
and other users who require some degree of public or private network
access. If accommodations are not made, visiting endpoints are likely
to find their way onto your LAN anyway, for example by borrowing
a cubicle Ethernet jack or an employee's WLAN access password. When
connected in this fashion, visitors become like any other trusted endpoint,
gaining access to confidential documents, financial records, personnel
files, management systems, and other sensitive resources.
Malware recovery is costly, but pales in comparison to the cost of failing
to comply with government and industry regulations. For example, companies
that process credit/debit card transactions must comply with the Payment
Card Industry (PCI) data security standard by protecting and controlling
access to cardholder data. Public US companies must now comply with
the Sarbanes-Oxley Act (SOX), a law created to deter accounting errors
and fraud. Hundreds of regulations exist worldwide that require organizations
to not only secure affected networks, systems, and/or data, but to prove
they have done so through logs and audits. Breach or audit failure due
to non-compliance can result in direct costs, legal fees, hefty fines,
even imprisonment.
The role of network access control
These changes have caused many organizations to reconsider internal network
security policies, implementations, and practices, in many cases
following C-level mandates to reduce associated business risk. While no
silver bullet, NAC can help to address these concerns by overhauling the
way we control access to internal network resources.
NAC is an evolving strategy with many possible implementations. At an
abstract level, NAC stops granting unfettered LAN access to every endpoint
simply because it managed to connect. Instead, NAC bases each access decision
on individual user identity, the security state of that user's endpoint, and
policies which define who should be allowed to use which resources, under
what pre-conditions.
Identity-based controls let us differentiate between employees, contractors,
and guests and treat them accordingly. Assessing each endpoint's health
and policy compliance lets us spot compromised laptops before they can
communicate with the rest of the network. Mapping those endpoints onto
defined authorizations lets us dynamically permit or deny access on a
"need to know" basis. For example, we could give guests internet-only
access while admitting only healthy accounting department users to the
finance LAN.
Furthermore, instead of the static pass/fail approach associated with
conventional ACLs, NAC can reshape permissions on the fly. An infected
endpoint might be re-directed to a remediation server for cleansing, while
an endpoint missing critical patches or programs might be sent to a download
server. Remedied endpoints could then be automatically re-authenticated
and receive trusted resource access, while healthy endpoints that fail
periodic re-assessments could be sent right back to "quarantine."
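To make the two preceding ideas concrete (access decided from identity plus endpoint health, and permissions reshaped on re-assessment rather than fixed pass/fail), here is a toy NAC policy decision point. It is an added example written for this article, not code from the article or from Juniper UAC or any other product. The role names, the posture checks (signature age, missing patches, firewall state, malware flag), the seven-day signature limit and the zone names are all assumptions chosen for illustration; a real deployment would take posture from an agent or scan and enforce the zone through a switch, access point or gateway.

```python
"""Toy NAC policy decision point (added example, not the article's or any vendor's code).

Roles, posture checks, thresholds and zone names are assumed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class Zone(str, Enum):
    """Where an endpoint's traffic is allowed to go after the decision."""
    FINANCE = "finance-lan"          # finance servers, accounting staff only
    CORP = "corp-lan"                # general employee/contractor resources
    INTERNET_ONLY = "guest-internet" # guests: out to the internet, nothing internal
    REMEDIATION = "remediation"      # quarantine: only the AV cleansing server
    DOWNLOAD = "patch-download"      # quarantine: only the patch/program server
    DENY = "deny"


@dataclass
class Endpoint:
    av_signature_date: date          # last anti-virus signature update (assumed agent report)
    missing_critical_patches: int
    firewall_enabled: bool
    malware_detected: bool = False


@dataclass
class Session:
    user: str
    role: str                        # assumed roles: "employee", "contractor", "guest"
    department: Optional[str]
    endpoint: Endpoint
    zone: Zone = Zone.DENY


MAX_SIGNATURE_AGE = timedelta(days=7)   # assumed policy threshold


def assess_posture(ep: Endpoint, today: date) -> Tuple[bool, Optional[Zone]]:
    """Health check. Returns (healthy, quarantine zone to use if not healthy)."""
    if ep.malware_detected:
        return False, Zone.REMEDIATION             # infected: cleanse before anything else
    stale = today - ep.av_signature_date > MAX_SIGNATURE_AGE
    if stale or ep.missing_critical_patches > 0 or not ep.firewall_enabled:
        return False, Zone.DOWNLOAD                # out of date: send to the download server
    return True, None


def decide(session: Session, today: date) -> Zone:
    """Map (identity, posture) onto an authorization, need-to-know style."""
    if session.role == "guest":
        # Unmanaged endpoint: no agent to assess, so never more than internet-only.
        return Zone.INTERNET_ONLY
    healthy, quarantine = assess_posture(session.endpoint, today)
    if not healthy:
        return quarantine
    if session.role == "employee" and session.department == "accounting":
        return Zone.FINANCE
    if session.role in ("employee", "contractor"):
        return Zone.CORP
    return Zone.DENY


def reassess(session: Session, today: date) -> Zone:
    """Periodic re-assessment: a remedied endpoint regains access, a healthy one
    that later fails a check is moved straight back to quarantine."""
    session.zone = decide(session, today)
    return session.zone


def walkthrough() -> List[str]:
    """Constructed scenario: an accounting laptop across several re-assessment cycles,
    then a guest. Returns the sequence of zones assigned."""
    day0 = date(2007, 6, 1)
    laptop = Endpoint(av_signature_date=day0, missing_critical_patches=0, firewall_enabled=True)
    alice = Session(user="alice", role="employee", department="accounting", endpoint=laptop)
    history = [reassess(alice, day0).value]                           # healthy -> finance-lan
    laptop.malware_detected = True                                     # back from a hotspot, infected
    history.append(reassess(alice, day0 + timedelta(days=1)).value)   # -> remediation
    laptop.malware_detected = False                                    # cleansed, re-authenticated
    history.append(reassess(alice, day0 + timedelta(days=2)).value)   # -> finance-lan again
    history.append(reassess(alice, day0 + timedelta(days=10)).value)  # signatures 10 days old -> patch-download
    guest = Session(user="visitor", role="guest", department=None,
                    endpoint=Endpoint(date(2000, 1, 1), 99, False))
    history.append(reassess(guest, day0).value)                        # guest-internet, posture not consulted
    return history


if __name__ == "__main__":
    for zone in walkthrough():
        print(zone)
```

The point to notice is in `reassess`: the zone is recomputed from current identity and posture every time, so the same laptop moves from the finance LAN to remediation and back without anyone editing an ACL. In a real deployment the posture inputs come from an agent or scanner and the zone is pushed to the enforcement point; the decision logic itself is the part this example shows.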
This utopian vision of NAC involves a large number of moving parts,
all working together seamlessly to enforce and audit defined security
policies. In reality, today's early-adopter NAC deployments are far less
ambitious. Juniper estimates that 57 percent of companies want to deploy
NAC incrementally, starting with a pilot that addresses a specific near-term
need in a confined network segment. For example, many companies pursue
NAC to enforce policy compliance for selected managed (employee) endpoints.
Others deploy NAC to facilitate unmanaged (guest, contractor, phone) access.
In fact, the first step towards NAC deployment is deciding what you hope
to accomplish.