|
If you're planning to implement a
network access control system to ensure that only
authorized users with fully
patched and
virus-protected hardware can access corporate resources, then you're
in good company. About a third of large U.S. companies are intending
to start adopting it this year, according to research conducted by
Cambridge, Mass- based analyst Forrester.
The key drivers for these companies are compliance considerations —
having the capability to carry out network access control, and being
able to prove that capability. There is also a financial driver in that
manual access control is all about updating clients, and this can be
very time-consuming and resource-intensive. Automating policy
enforcement can free up a lot of people and cut calls to help desks
dramatically.
A network access control implementation is likely to take about
18 months and cost anywhere from $100,000 to ten times that
figure, and the key to a successful implementation, as always, is a
thorough planning stage, according to Rob Whiteley, Forrester's
senior analyst. Implementing
Cisco's
Network Admission Control and Microsoft's
Network Access
Protection will affect
security policies, network infrastructure
like switches, and, of course, desktop and portable devices and the
software running on them. In other words, access control is as much
a framework as a series of technologies. What this means is that for
a successful implementation you need to ensure the whole IT
department, including desktop support staff, network administrators
and security people, is involved from the start.
Then it's necessary to make some
architectural decisions, and, specifically, you need to examine three
choices. Are you going to implement access control though routing and
switching hardware, by buying appliances or exclusively as a software
solution? Each has it own benefits and drawbacks, but the three options can,
to an extent, be mixed and matched. |
Key Terms To
Understanding Network Access Controls:
security policy
A security policy is a document that outlines the rules, laws and
practices for computer network access.
network management
Refers to the broad subject of managing computer networks. There
exists a wide variety of software and hardware products that help
network system administrators manage a network.
Network Admission Control
Abbreviated as NAC, Cisco's Network Admission Control is a set of
technologies and solutions that use the network infrastructure to
enforce security policy compliance on all devices seeking to access
network computing resources.
Network Access Protection
Abbreviated as NAP, Microsoft's Network Access Protection is a
policy-enforcement platform built into the Microsoft Windows Vista
and Windows Server Code Name "Longhorn" operating systems. |
Using network hardware gives the most granular control, tying policies to
access control dynamically. Instead of telling a switch to admit or deny a
device based on some fixed attribute such as its
MAC address, it can make
decisions based on policies that can vary, and on compliance with those
policies, which can also vary. The benefits of this approach are that it
offers the highest performance and it is the most scalable solution. The
obvious downside is the cost of
upgrading large parts of the network
infrastructure. However, given that the refresh cycle of network hardware is
typically five to seven years, the chances are that at least some of your
switching gear is due for replacement anyway.
An alternative that avoids replacing relatively new switches is to adopt
access control appliances to do the work "in a box". This completely avoids
touching the network infrastructure — access control is effectively
implemented as a hardware overlay — and is likely to be considerably
cheaper. The disadvantage of this approach is that it is less granular, less
scalable and performance is likely to be lower.
The remaining possibility is to do the whole thing in software, and there
are plenty of vendors such as McAfee, Check Point and Endforce that supply
products to achieve this. Typically this software would be run close to the
DHCP and
Active Directory servers, and can be implemented quickly and
cheaply. The downside is that whereas a
network appliance has lockdown
capabilities and can shut off access to a user at the network layer 2 or 3
level (effectively carrying out a function which has been offloaded from the
switch) in software you don't have this network control. The most likely
scenario is that the software is used to prevent hosts being assigned an IP
address, or only an address from a particular, restricted, range. In fact,
the software could be used to issue commands to a piece of network hardware> However,
few network professionals would be happy with this soft of hack.
It's important to reiterate that these three
architectures can be mixed and matched — it's perfectly feasible to install
new switches at the corporate HQ, an appliance at one branch office and
software solutions elsewhere in the organization. Or you could install appliances
as an interim measure, and to replace them with new network hardware as it
becomes time to replace it.
"The most important thing is to pick a vendor that is standards-based,"
says Whiteley. "It's no good putting in an appliance that has to be thrown
out in two years — you need to make sure that whatever you get is (Cisco)
NAC or (Microsoft) NAP compatible."
The obvious final question then is whether NAC or NAP will "win" in the long
term. Both have their strengths. Cisco is good at enforcement and Microsoft
is good at policy.
The answer to the question was revealed last month when Cisco and Microsoft formally announced interoperability
between the Cisco
Network Admission Control (NAC) and Microsoft
Network Access
Protection (NAP) solutions.
Interoperability will be supported with the release
of NAP in the future version of Windows Server which is
scheduled to be available in the second half of 2007. The interoperability
architecture allows customers to deploy both NAC and NAP incrementally or
concurrently.
If your company is involved in financial services, health care or government
work, regulatory requirements make network access control something you
should be looking to implement right away. But whatever industry your company
works in, security considerations mean that network access control is
something you are going to want to implement sooner or later. Given the
length of time it takes to implement, now is the time to start making plans.
|
Did You Know...
Deploying both the Cisco Secure Access Control Server (ACS) and
the Microsoft Network Policy Server (NPS) will be required for
the initial interoperability release. However, Cisco and
Microsoft have cross-licensed the NAC and NAP protocols, which
provides the opportunity for both companies to respond to future
market and customer requirements for a combined policy product.
[Source] |
By Paul Rubens
Adapted from
EnterpriseNetworkingPlanet.com.
Last updated: November 10, 2006
Open Networks Today
Networking news moves at a fast pace, and Open Networks Today lets you keep up with it. Open Networks Today offers its readers the ability to control how news is presented through customizing content filters, discussions, and news feed links.
EnterpriseNetworkingPlanet: NAC & NAP: Two Horses of the Same Color?
What's the largest risk in an enterprise network? It's the transient computers,
not the ones you control and patch on a daily basis. It's the CEO's laptop that
caught a virus at Starbucks, or a student's laptop that introduces a new worm
behind your perimeter.
EnterpriseNetworkingPlanet: NAC: Buzzword Compliance Can Mean Blind Alleys
From a security perspective there are many things wrong with this concept.
The primary concern is that of trusting an endpoint to report its own health.
But the reasons that so-called network admission control (NAC) has not caught-on
is it requires a massive investment in infrastructure to counter a problem that
has already been addressed by patch and configuration management.
Introduction to Network Access Protection
Network Access Protection (NAP) is a new platform to perform computer health
policy validation, ensure ongoing compliance with health policies, and
optionally restrict the access of computers that do not comply with system
health requirements. Network Access Protection provides an infrastructure and an
API set for extending Network Access Protection functionality.
Immunize
Networks with Policy Enforcement
NAC Appliance technology, based on the Cisco Clean Access product line, provides
rapid deployment with self-contained endpoint assessment, policy management, and
remediation services.
Cisco
Network Admission Control Program
The Cisco Network Admission Control Program integrates an intelligent network
infrastructure with solutions from more than 75 manufacturers of leading
antivirus and other security and management software solutions.
EnterpriseNetworkingPlanet
EnterpriseNetworkingPlanet provides practical advice and news for running and
managing an enterprise network. In-depth articles and news cover topics such as
network management, network monitoring, servers, communications, Internet
telephony, operating systems, and much more. |
