All About Network Access Controls

You are in the: Small Business Computing Channel

ť ECommerce-Guide | Small Business Computing | Webopedia | WinPlanet

Enter a word for a definition...	...or choose a computer category.

   Home
   Term of the Day
   New Terms
   Pronunciation
   New Links
   Quick Reference
   Did You Know?
   Categories
   Tech Support
   Technology Jobs
   About Us
   Link to Us
   Advertising

Become a Marketplace Partner

   Submit a URL
   Suggest a Term
   Report an Error

IT
Developer
Internet News
Small Business
Personal Technology

Search internet.com
Advertise
Corporate Info
Newsletters
Tech Jobs
E-mail Offers

Be a Commerce Partner

All About Network Access Controls

If you're planning to implement a network access control system to ensure that only authorized users with fully patched and virus-protected hardware can access corporate resources, then you're in good company. About a third of large U.S. companies are intending to start adopting it this year, according to research conducted by Cambridge, Mass- based analyst Forrester.

The key drivers for these companies are compliance considerations — having the capability to carry out network access control, and being able to prove that capability. There is also a financial driver in that manual access control is all about updating clients, and this can be very time-consuming and resource-intensive. Automating policy enforcement can free up a lot of people and cut calls to help desks dramatically.

A network access control implementation is likely to take about 18 months and cost anywhere from $100,000 to ten times that figure, and the key to a successful implementation, as always, is a thorough planning stage, according to Rob Whiteley, Forrester's senior analyst.
Implementing Cisco's Network Admission Control and Microsoft's Network Access Protection will affect security policies, network infrastructure like switches, and, of course, desktop and portable devices and the software running on them. In other words, access control is as much a framework as a series of technologies. What this means is that for a successful implementation you need to ensure the whole IT department, including desktop support staff, network administrators and security people, is involved from the start.
Then it's necessary to make some architectural decisions, and, specifically, you need to examine three choices. Are you going to implement access control though routing and switching hardware, by buying appliances or exclusively as a software solution? Each has it own benefits and drawbacks, but the three options can, to an extent, be mixed and matched.
Key Terms To Understanding Network Access Controls:
security policy
A security policy is a document that outlines the rules, laws and practices for computer network access.

network management
Refers to the broad subject of managing computer networks. There exists a wide variety of software and hardware products that help network system administrators manage a network.

Network Admission Control
Abbreviated as NAC, Cisco's Network Admission Control is a set of technologies and solutions that use the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources.

Network Access Protection
Abbreviated as NAP, Microsoft's Network Access Protection is a policy-enforcement platform built into the Microsoft Windows Vista and Windows Server Code Name "Longhorn" operating systems.

Using network hardware gives the most granular control, tying policies to access control dynamically. Instead of telling a switch to admit or deny a device based on some fixed attribute such as its MAC address, it can make decisions based on policies that can vary, and on compliance with those policies, which can also vary. The benefits of this approach are that it offers the highest performance and it is the most scalable solution. The obvious downside is the cost of upgrading large parts of the network infrastructure. However, given that the refresh cycle of network hardware is typically five to seven years, the chances are that at least some of your switching gear is due for replacement anyway.

An alternative that avoids replacing relatively new switches is to adopt access control appliances to do the work "in a box". This completely avoids touching the network infrastructure — access control is effectively implemented as a hardware overlay — and is likely to be considerably cheaper. The disadvantage of this approach is that it is less granular, less scalable and performance is likely to be lower.

The remaining possibility is to do the whole thing in software, and there are plenty of vendors such as McAfee, Check Point and Endforce that supply products to achieve this. Typically this software would be run close to the DHCP and Active Directory servers, and can be implemented quickly and cheaply. The downside is that whereas a network appliance has lockdown capabilities and can shut off access to a user at the network layer 2 or 3 level (effectively carrying out a function which has been offloaded from the switch) in software you don't have this network control. The most likely scenario is that the software is used to prevent hosts being assigned an IP address, or only an address from a particular, restricted, range. In fact, the software could be used to issue commands to a piece of network hardware> However, few network professionals would be happy with this soft of hack.

It's important to reiterate that these three architectures can be mixed and matched — it's perfectly feasible to install new switches at the corporate HQ, an appliance at one branch office and software solutions elsewhere in the organization. Or you could install appliances as an interim measure, and to replace them with new network hardware as it becomes time to replace it.

"The most important thing is to pick a vendor that is standards-based," says Whiteley. "It's no good putting in an appliance that has to be thrown out in two years — you need to make sure that whatever you get is (Cisco) NAC or (Microsoft) NAP compatible."

The obvious final question then is whether NAC or NAP will "win" in the long term. Both have their strengths. Cisco is good at enforcement and Microsoft is good at policy. The answer to the question was revealed last month when Cisco and Microsoft formally announced interoperability between the Cisco Network Admission Control (NAC) and Microsoft Network Access Protection (NAP) solutions. Interoperability will be supported with the release of NAP in the future version of Windows Server which is scheduled to be available in the second half of 2007. The interoperability architecture allows customers to deploy both NAC and NAP incrementally or concurrently.

If your company is involved in financial services, health care or government work, regulatory requirements make network access control something you should be looking to implement right away. But whatever industry your company works in, security considerations mean that network access control is something you are going to want to implement sooner or later. Given the length of time it takes to implement, now is the time to start making plans.

Did You Know...
Deploying both the Cisco Secure Access Control Server (ACS) and the Microsoft Network Policy Server (NPS) will be required for the initial interoperability release. However, Cisco and Microsoft have cross-licensed the NAC and NAP protocols, which provides the opportunity for both companies to respond to future market and customer requirements for a combined policy product. [Source]

By Paul Rubens
Adapted from EnterpriseNetworkingPlanet.com.
Last updated: November 10, 2006

Open Networks Today
Networking news moves at a fast pace, and Open Networks Today lets you keep up with it. Open Networks Today offers its readers the ability to control how news is presented through customizing content filters, discussions, and news feed links.

EnterpriseNetworkingPlanet: NAC & NAP: Two Horses of the Same Color?
What's the largest risk in an enterprise network? It's the transient computers, not the ones you control and patch on a daily basis. It's the CEO's laptop that caught a virus at Starbucks, or a student's laptop that introduces a new worm behind your perimeter.

EnterpriseNetworkingPlanet: NAC: Buzzword Compliance Can Mean Blind Alleys
From a security perspective there are many things wrong with this concept. The primary concern is that of trusting an endpoint to report its own health. But the reasons that so-called network admission control (NAC) has not caught-on is it requires a massive investment in infrastructure to counter a problem that has already been addressed by patch and configuration management.

Introduction to Network Access Protection
Network Access Protection (NAP) is a new platform to perform computer health policy validation, ensure ongoing compliance with health policies, and optionally restrict the access of computers that do not comply with system health requirements. Network Access Protection provides an infrastructure and an API set for extending Network Access Protection functionality.

Immunize Networks with Policy Enforcement
NAC Appliance technology, based on the Cisco Clean Access product line, provides rapid deployment with self-contained endpoint assessment, policy management, and remediation services.

Cisco Network Admission Control Program
The Cisco Network Admission Control Program integrates an intelligent network infrastructure with solutions from more than 75 manufacturers of leading antivirus and other security and management software solutions.

EnterpriseNetworkingPlanet
EnterpriseNetworkingPlanet provides practical advice and news for running and managing an enterprise network. In-depth articles and news cover topics such as network management, network monitoring, servers, communications, Internet telephony, operating systems, and much more.

Do you have an interesting piece of computer-related trivia that you would like us to explore?
Tell us about it.

WebMediaBrands Corporate Info

Legal Notices, Licensing, Reprints, Permissions, Privacy Policy.
Advertise | Newsletters | Shopping | E-mail Offers | Freelance Jobs

Solutions

Whitepapers and eBooks

Whitepaper: Introducing the Azure Services Platform
Whitepaper: Introduction to Microsoft .NET Services for Developers
Whitepaper: Securing Microsoft's Cloud Infrastructure
Internet.com eBook: Becoming a Better Project Manager
Microsoft Partner Portal: What Azure Means for Microsoft Partners

Internet.com eBook: Web Development Frameworks for Java
Internet.com eBook: Developing a Content Management System Strategy
Article: Ten Things IT Professionals Should Know About Windows 7
MORE WHITEPAPERS, EBOOKS, AND ARTICLES

Webcasts

Get Started with .NET Services

MORE WEBCASTS, PODCASTS, AND VIDEOS

Downloads and eKits

Amyuni: PDF & PDF/A Engine for .NET and ActiveX Apps
Red Gate Free Trial: SQL Toolbelt
Iron Speed Designer Application Generator

Download Award-Winning Red Gate SQL Backup Pro
MORE DOWNLOADS, EKITS, AND FREE TRIALS

Tutorials and Demos

Internet.com Hot List: Get the Inside Scoop on the Hottest IT and Developer Products
Internet.com Hot List: Java EE 6 Platform Highlights the JavaOne Conference

MORE TUTORIALS, DEMOS AND STEP-BY-STEP GUIDES