NAC Appliances: Shortcut to Access Control
Infrastructures that check endpoint health before network access have generated
plenty of buzz, but precious little deployment. Some companies are waiting for a
winner to emerge from the chief contenders: Cisco's Network Admission Control
(NAC), Microsoft's Network Access Protection (NAP), and TCG's Trusted Network
Connect (TNC). Others have tested these infrastructures and found that full
deployment requires massive network upgrades and agent installations that will
likely take years. To fill the gap between consumer interest and investment, several
vendors now offer "NAC-in-a-box" -- appliances that deliver many of NAC's promised
benefits, with far less fuss.
Simplifying NAC
NAC, NAP, and TNC are distributed architectures that differ in detail but share a
common goal: proactive eradication of threats introduced by hosts connecting to
corporate networks. All three extend network infrastructure to audit health and
verify compliance before each endpoint connects to that network. All require
coordination between an agent on the endpoint itself, devices that deliver network
access, servers that provide authentication, systems responsible for policy decisions
regarding health and compliance, and elements that help enforce those decisions
and remediate failures. Baking admission control into a network's fabric is
conceptually attractive, but it takes time and money to upgrade networks with
dozens of servers, hundreds of routers and switches, and thousands of hosts.
Alternatively, some of these functions can be consolidated into a single appliance,
positioned between the endpoints to be scanned and the network to be protected.
NAC appliances insert themselves into 802.1X, VPN, or domain authentication flows,
scanning the endpoint for malware and required security measures. Endpoints that
are clean and compliant are granted access to authorized resources to conduct
business as usual. Endpoints that are unknown or unsafe may be shunted into
quarantine and/or granted limited access.
How appliances accomplish these tasks -- and the degree to which they do so --
varies widely. But most NAC appliances try to avoid requiring installed agent software
or network/server upgrades. Instead, they use an overlay approach to augment what
you already have in place.
What to expect in a NAC appliance
Unlike point products that fit into a distributed NAC infrastructure, appliances tend
to minimize dependency on third-party systems by absorbing as much of the NAC
burden as possible. This does not mean that NAC appliances have no external
interfaces -- indeed, they must interoperate with surrounding systems to avoid
network redesign. Choosing the right NAC appliance requires a good understanding
of the role(s) it will play in your network and the functions it must or may provide.
Factors to consider when choosing a NAC appliance include the following.
OS independence: To lower TCO, NAC appliances can usually function without
installed endpoint agents. Some appliances use network scans to probe any endpoint,
regardless of OS, including embedded devices like VoIP phones. Several appliances
use ActiveX to scan the host, or SMB protocols to query the host, introducing
Windows dependencies. Some offer an optional installed agent with advanced
scanning or remediation features. Take a hard look at any NAC appliance to
understand endpoint OS coverage and what features (if any) are limited to specific
OSes.
Access methods: NAC appliances insert themselves into the network admission
process at various points, such as when a LAN user logs into a domain, when a
wireless user passes 802.1X, or when a remote user tunnels into a VPN. Most
appliances support 802.1X for wired and wireless LAN endpoints. If you have not yet
invested in 802.1X -- or want to support guest access -- look for an appliance with
Web portal login or DHCP-time checks. Related considerations include support for
your VPN client/concentrator and single-sign-on so that NAC does not result in
multiple user logins.
Network independence: Unlike Cisco NAC (which requires Cisco IOS and ACS) and
Microsoft NAP (which requires Microsoft Vista and Longhorn), NAC appliances are
designed to drop into existing heterogeneous networks. But what does "drop in"
mean? Most NAC appliances connect to a Layer 2 switch, between access and
distribution or core layers. Some connect to a Layer 3 switch, near the network core.
NAC appliances may operate out-of-band (consulted only during admission) or in-line
(passing traffic as a bridge or router after admission). Each has pros and cons -- for
example, out-of-band appliances avoid adding latency, but in-line appliances simplify
enforcement. Some appliances support both options, letting you decide the best fit
for your network.
Authentication methods: Most NAC appliances assess and enforce policy based on
endpoint user identity -- preferably authenticated. A Web portal on the appliance is
common for guest access, but you probably want to authenticate employees against
existing servers and databases. Most NAC appliances can proxy LAN access requests
to your existing Active Directory, LDAP, or RADIUS authentication server, then use
results to enforce user or group-based policies. Some NAC appliances also support
certificate and two-factor authentication, primarily needed for VPN or 802.1X users.
If you must deal with "headless" devices like IP printers, look for an appliance that
can use simple MAC ACLs to assess and map unauthenticated devices onto specified
VLANs.
Policy definition: NAC assessment is based on policy, but what does that policy look
like and how is it defined? Start by checking the endpoint's health: Is it infected with
viruses or spyware; is it listening to trojan ports? Next, compare endpoint security
posture to defined requirements: Is the OS version allowed, are security patches and
signatures current, are anti-virus and firewall programs present, or are forbidden
services running? NAC appliances diverge on these nitty-gritty policy details, so look
carefully at built-in policies, custom policy granularity, and ability to assess or invoke
the endpoint security programs used by your workforce.
For example, most appliances can quickly check services for common threats, but
only some can launch a host AV scan if problems are detected. Look for appliances
that take user identity, group/role, past compliance, threat history, and exceptions
into consideration. For example, you may want lightweight assessment of guest
endpoints given Internet-only access, while requiring previously quarantined
employee endpoints to be thoroughly scanned. But remember: Deeper endpoint
audits introduce host software dependencies; this is where NAC/NAP/TNC agents will
add real value (and deployment cost).
Enforcement and remediation: Ultimately, a NAC appliance must deny admission to
non-compliant endpoints. Blocking could be accomplished through authentication
failure, but to cut help desk cost, NAC must assist with self-remediation. Most NAC
appliances can quarantine endpoints into a VLAN or subnet, redirecting Web
requests to a remediation server where the user can apply missing patches or
remove malware. In-line appliances can directly enforce quarantine through VLAN
switching or routing. Out-of-band appliances may redirect traffic using ARP or send
SNMP/CLI ACL updates to nearby switches, routers, or firewalls. This is another area
where NAC appliances diverge, so look closely at enforcement reliability and
granularity, as well as self-remediation and limited access controls. For example, are
quarantined endpoints isolated from each other, or do they share one "VLAN of
death"? Also pay close attention to how endpoints exit quarantine -- the appliance
should avoid help desk intervention for simple fixes, while escalating more serious
problems via email, traps, or trouble tickets.
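The following is an added example, not code from the article or from any NAC vendor it names. It models the admission flow described in the "Authentication methods", "Policy definition" and "Enforcement and remediation" paragraphs above: classify the endpoint (an authenticated user with a directory group, a "headless" device matched by a MAC ACL, or a guest), apply a lightweight health check to everyone and a deeper posture check to employees, weigh past compliance, and map the outcome to an enforcement action (the role's production VLAN, a limited-access guest VLAN, or an isolated per-endpoint quarantine VLAN, escalating serious cases rather than relying on self-remediation). All names, VLAN numbers, OS labels and MAC prefixes are constructed placeholders, and the directory lookup is assumed to have already filled in the `group` field.

```python
"""Minimal NAC admission-policy evaluator (constructed example, not vendor code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Action(Enum):
    ALLOW = "allow"              # full access for the user's role
    LIMITED = "limited"          # e.g. Internet-only guest access
    QUARANTINE = "quarantine"    # remediation VLAN, Web requests redirected


@dataclass
class Endpoint:
    mac: str
    user: Optional[str] = None            # None for headless/unauthenticated
    group: Optional[str] = None           # as returned by AD/LDAP/RADIUS (assumed)
    os: str = "unknown"
    av_present: bool = False
    signatures_age_days: int = 999
    patches_current: bool = False
    infected: bool = False                # malware / trojan-port check result
    forbidden_services: list = field(default_factory=list)
    previously_quarantined: bool = False


@dataclass
class Decision:
    action: Action
    vlan: int
    reasons: list
    escalate: bool = False   # raise a ticket/trap instead of self-remediation


# Constructed policy data: placeholders, not any product's defaults
ROLE_VLANS = {"employees": 10, "contractors": 20}
GUEST_VLAN = 30
MAC_ACL = {"00:11:22": 40}               # OUI prefix -> VLAN for IP printers
QUARANTINE_POOL = list(range(900, 910))  # one VLAN per quarantined endpoint
ALLOWED_OS = {"windows-xp-sp2", "windows-vista", "macos-10.4"}
MAX_SIG_AGE_DAYS = 7


def health_failures(ep: Endpoint) -> list:
    """Lightweight check applied to every endpoint, agent or not."""
    failures = ["malware detected"] if ep.infected else []
    failures += [f"forbidden service: {s}" for s in ep.forbidden_services]
    return failures


def posture_failures(ep: Endpoint) -> list:
    """Deeper check: OS version, anti-virus, signature age and patch level."""
    failures = []
    if ep.os not in ALLOWED_OS:
        failures.append(f"OS not allowed: {ep.os}")
    if not ep.av_present:
        failures.append("anti-virus missing")
    elif ep.signatures_age_days > MAX_SIG_AGE_DAYS:
        failures.append("anti-virus signatures stale")
    if not ep.patches_current:
        failures.append("security patches missing")
    return failures


class Admission:
    """Tracks VLAN assignments so quarantined endpoints never share a VLAN."""

    def __init__(self):
        self._free = list(QUARANTINE_POOL)
        self.assignments = {}   # mac -> Decision

    def _quarantine(self, ep: Endpoint, reasons: list) -> Decision:
        if not self._free:
            raise RuntimeError("quarantine VLAN pool exhausted")
        # Infections and repeat offenders go to the help desk, not self-service
        escalate = ep.infected or ep.previously_quarantined or len(reasons) >= 3
        return Decision(Action.QUARANTINE, self._free.pop(0), reasons, escalate)

    def admit(self, ep: Endpoint) -> Decision:
        reasons = health_failures(ep)
        oui = ep.mac.lower()[:8]
        if ep.user is None and oui in MAC_ACL:              # headless, MAC ACL
            ok = Decision(Action.ALLOW, MAC_ACL[oui], [])
        elif ep.user is None or ep.group not in ROLE_VLANS:  # guest: health only
            ok = Decision(Action.LIMITED, GUEST_VLAN, [])
        else:                                               # employee: posture too
            reasons += posture_failures(ep)
            ok = Decision(Action.ALLOW, ROLE_VLANS[ep.group], [])
        decision = self._quarantine(ep, reasons) if reasons else ok
        self.assignments[ep.mac] = decision
        return decision

    def release(self, mac: str) -> None:
        """Endpoint exits quarantine after remediation; VLAN returns to the pool."""
        decision = self.assignments.pop(mac, None)
        if decision and decision.action is Action.QUARANTINE:
            self._free.append(decision.vlan)
```

The per-endpoint quarantine pool is the point to notice: handing every failed endpoint a distinct VLAN is what keeps them from infecting each other in a shared "VLAN of death", and `release` is the exit path that should run without help-desk involvement once the remediation server reports the fix, while `escalate` marks the cases that should instead raise an email, trap or ticket.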
Scalability and performance: A small network might be satisfied with one NAC box,
but NAC really appeals to larger companies where threats are difficult to
cost-effectively avoid and mitigate. Most NAC appliances are therefore product suites,
where several assessment/enforcement boxes can be managed by a central policy
server (software or hardware). Boxes are distributed for geographic reach, coverage,
performance, and redundancy. In a recent CMP poll, the top technical issues
associated with NAC were ensuring that failure would not compromise fault
tolerance, and providing security without compromising LAN performance. This
demonstrates the importance of selecting NAC appliances that are sized for your
network. For example, Mirage appliances range from four VLANs/100 endpoints to
32 VLANs/2500 endpoints with high availability.
Future direction: Companies that are not yet ready to take the NAC/NAP/TNC plunge
can use NAC appliances to reap immediate benefits and learn more about
assessment and remediation. In the long run, NAC appliances are expected to
integrate with those infrastructure solutions. Customers with heavy Cisco investment
may prefer appliance vendors that participate in the Cisco Compatible for NAC
program. Those planning to move aggressively to Vista and Longhorn may look for
vendors in Microsoft's NAP program. Large heterogeneous networks will benefit
from appliances that eventually implement TNC's open interfaces. But avoid
over-emphasis on today's alliances. Many NAC vendors are hedging their bets by
participating in multiple programs.
Finding NAC-in-a-box
Many vendors already offer NAC appliances, and analysts expect this market to
explode over the next few years. Purpose-built NAC products that use hardware
appliances to assess endpoint integrity and control network admission include
products from Caymas, ConSentry, FireEye, ForeScout, Lockdown, Mirage, Nevis,
StillSecure, Symantec and Vernier, as well as Cisco's Clean Access.
In addition, most network equipment vendors are adding NAC features to managed
switches, wireless access points, and remote access concentrators. Examples include
Cisco, Enterasys, Extreme Networks, Hewlett-Packard, and Juniper Networks. Many
host security software vendors are adding NAC features to their offerings, including
InfoExpress, McAfee, Senforce, and TrendMicro. These NAC-enabled devices and
programs are helping to lay the foundation for infrastructure-based network
admission control. Note that Cisco currently participates in both markets -- this trend
is likely to expand as vendors try to capture customers by offering NAC appliances
today, and hold onto them by offering NAC infrastructure solutions tomorrow.
Nac appliances shortcut to access control

  • 1. NAC Appliances: Shortcut to Access Control Infrastructures that check endpoint health before network access have generated plenty of buzz, but precious little deployment. Some companies are waiting for a winner to emerge from the chief contenders: Cisco's Network Admission Control (NAC), Microsoft's Network Access Protection (NAP), and TCG's Trusted Network Connect (TNC). Others have tested these infrastructures and found that full deployment requires massive network upgrades and agent installations that will likely take years. To fill the gap between consumer interest and investment, several vendors now offer "NAC-in-a-box" -- appliances that deliver many of NAC's promised benefits, with far less fuss. Simplifying NAC NAC, NAP, and TNC are distributed architectures that differ in detail but share a common goal: proactive eradication of threats introduced by hosts connecting to corporate networks. All three extend network infrastructure to audit health and verify compliance before each endpoint connects to that network. All require coordination between an agent on the endpoint itself, devices that deliver network access, servers that provide authentication, systems responsible for policy decisions regarding health and compliance, and elements that help enforce those decisions and remediate failures. Baking admission control into a network's fabric is conceptually attractive, but it takes time and money to upgrade networks with dozens of servers, hundreds of routers and switches, and thousands of hosts. Alternatively, some of these functions can be consolidated into a singular appliance, positioned between the endpoints to be scanned and the network to be protected. NAC appliances insert themselves into 802.1X, VPN, or domain authentication flows, scanning the endpoint for malware and required security measures. Endpoints that are clean and compliant are granted access to authorized resources to conduct business as usual. 
Endpoints that are unknown or unsafe may be shunted into quarantine and/or granted limited access. How appliances accomplish these tasks -- and the degree to which they do so -- varies widely. But most NAC appliances try to avoid requiring installed agent software or network/server upgrades. Instead, they use an overlay approach to augment what you already have in place. What to expect in a NAC appliance Unlike point products that fit into a distributed NAC infrastructure, appliances tend to minimize dependency on third-party systems by absorbing as much of the NAC burden as possible. This does not mean that NAC appliances have no external interfaces -- indeed, they must interoperate with surrounding systems to avoid network redesign. Choosing the right NAC appliance requires a good understanding of the role(s) it will play in your network and the functions it must or may provide.
Factors to consider when choosing a NAC appliance include the following.

OS independence: To lower TCO, NAC appliances can usually function without installed endpoint agents. Some appliances use network scans to probe any endpoint, regardless of OS, including embedded devices like VoIP phones. Several appliances use ActiveX to scan the host, or SMB protocols to query the host, introducing Windows dependencies. Some offer an optional installed agent with advanced scanning or remediation features. Take a hard look at any NAC appliance to understand endpoint OS coverage and what features (if any) are limited to specific OSes.

Access methods: NAC appliances insert themselves into the network admission process at various points, such as when a LAN user logs into a domain, when a wireless user passes 802.1X, or when a remote user tunnels into a VPN. Most appliances support 802.1X for wired and wireless LAN endpoints. If you have not yet invested in 802.1X -- or want to support guest access -- look for an appliance with Web portal login or DHCP-time checks. Related considerations include support for your VPN client/concentrator and single sign-on, so that NAC does not result in multiple user logins.

Network independence: Unlike Cisco NAC (which requires Cisco IOS and ACS) and Microsoft NAP (which requires Windows Vista and Longhorn, the Windows Server 2008 codename), NAC appliances are designed to drop into existing heterogeneous networks. But what does "drop in" mean? Most NAC appliances connect to a Layer 2 switch, between the access and distribution or core layers. Some connect to a Layer 3 switch, near the network core. NAC appliances may operate out-of-band (consulted only during admission) or in-line (passing traffic as a bridge or router after admission). Each has pros and cons -- for example, out-of-band appliances avoid adding latency, but in-line appliances simplify enforcement. Some appliances support both options, letting you decide the best fit for your network.
Authentication methods: Most NAC appliances assess and enforce policy based on endpoint user identity -- preferably authenticated. A Web portal on the appliance is common for guest access, but you probably want to authenticate employees against existing servers and databases. Most NAC appliances can proxy LAN access requests to your existing Active Directory, LDAP, or RADIUS authentication server, then use the results to enforce user- or group-based policies. Some NAC appliances also support certificate and two-factor authentication, primarily needed for VPN or 802.1X users. If you must deal with "headless" devices like IP printers, look for an appliance that can use simple MAC ACLs to assess unauthenticated devices and map them onto specified VLANs.

Policy definition: NAC assessment is based on policy, but what does that policy look like and how is it defined? Start by checking the endpoint's health: Is it infected with viruses or spyware; is it listening on trojan ports? Next, compare endpoint security posture to defined requirements: Is the OS version allowed, are security patches and signatures current, are anti-virus and firewall programs present, are forbidden services running? NAC appliances diverge on these nitty-gritty policy details, so look carefully at built-in policies, custom policy granularity, and the ability to assess or invoke the endpoint security programs used by your workforce. For example, most appliances can quickly check services for common threats, but only some can launch a host AV scan if problems are detected. Look for appliances that take user identity, group/role, past compliance, threat history, and exceptions into consideration. For example, you may want lightweight assessment of guest endpoints given Internet-only access, while requiring previously quarantined employee endpoints to be thoroughly scanned. But remember: Deeper endpoint audits introduce host software dependencies; this is where NAC/NAP/TNC agents will add real value (and deployment cost).

Enforcement and remediation: Ultimately, a NAC appliance must deny admission to non-compliant endpoints. Blocking could be accomplished through authentication failure, but to cut help desk cost, NAC must assist with self-remediation. Most NAC appliances can quarantine endpoints into a VLAN or subnet, redirecting Web requests to a remediation server where the user can apply missing patches or remove malware. In-line appliances can directly enforce quarantine through VLAN switching or routing. Out-of-band appliances may redirect traffic using ARP or send SNMP/CLI ACL updates to nearby switches, routers, or firewalls. This is another area where NAC appliances diverge, so look closely at enforcement reliability and granularity, as well as self-remediation and limited-access controls. For example, are quarantined endpoints isolated from each other, or do they share one "VLAN of death" in which an infected host can attack the other quarantined machines?
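The authentication, policy and enforcement points above fit together in one flow: identity (or a MAC ACL for headless devices) selects how deep the assessment goes, the posture report is scored against policy, and the decision is pushed to the switch as a VLAN. The following is an added example, not code from the article or any NAC vendor. It is a toy policy engine plus the RADIUS reply an 802.1X switch expects (RFC 2865 packet layout, RFC 3580 dynamic VLAN attributes). Every VLAN number, OUI, posture field, port and service list is a constructed assumption, and the posture report is a plain dict standing in for whatever an agentless probe or agent would collect.

```python
"""Added example, not from the article or any vendor: a toy NAC policy engine that
maps identity, MAC and posture to a VLAN decision, then encodes that decision as
the RADIUS reply an 802.1X switch expects (RFC 2865 packet layout, RFC 3580 VLAN
attributes). VLAN numbers, OUIs, posture fields and thresholds are assumptions."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

VLAN_CORPORATE, VLAN_GUEST, VLAN_PRINTERS, VLAN_QUARANTINE = "100", "200", "300", "666"
PRINTER_OUIS = {"00:1e:0b"}                                      # assumed printer OUI
ALLOWED_OS = {"Windows XP SP2", "Windows XP SP3", "Windows Vista"}
FORBIDDEN_SERVICES = {"telnet", "tftp"}
TROJAN_PORTS = {12345, 31337}                                    # what a quick probe looks for

@dataclass
class Endpoint:
    mac: str
    user: Optional[str] = None        # None: never authenticated (headless or unknown device)
    group: Optional[str] = None       # from AD/LDAP/RADIUS lookup, e.g. "employee" or "guest"
    previously_quarantined: bool = False
    posture: Optional[dict] = None    # None: no scan data (agentless probe got nothing)

def assess_posture(p: dict, thorough: bool) -> list:
    """Return policy failures ([] = compliant). The quick pass uses what a network probe
    can see; the thorough pass adds checks that need host-side visibility."""
    failures = []
    if p.get("os") not in ALLOWED_OS:
        failures.append("os_not_allowed")
    if not p.get("av_present"):
        failures.append("av_missing")
    elif not p.get("av_signatures_current"):
        failures.append("av_signatures_stale")
    if not p.get("firewall_enabled"):
        failures.append("firewall_off")
    if TROJAN_PORTS & set(p.get("listening_ports", ())):
        failures.append("trojan_port_open")
    if thorough:
        if not p.get("patches_current"):
            failures.append("patches_missing")
        if FORBIDDEN_SERVICES & set(p.get("services", ())):
            failures.append("forbidden_service")
    return failures

def decide(ep: Endpoint) -> tuple:
    """Return (decision, vlan, failures); decision is allow, limited, quarantine or reject."""
    if ep.user is None:                                  # headless/unknown: MAC ACL only
        if ep.mac.lower()[:8] in PRINTER_OUIS:
            return "limited", VLAN_PRINTERS, []
        return "reject", None, ["unknown_device"]
    if ep.posture is None:                               # authenticated but not assessable
        return "quarantine", VLAN_QUARANTINE, ["no_posture_data"]
    if ep.group == "guest":                              # lightweight check, Internet-only VLAN
        failures = assess_posture(ep.posture, thorough=False)
        return ("limited", VLAN_GUEST, []) if not failures else ("quarantine", VLAN_QUARANTINE, failures)
    # Employees: a previously quarantined endpoint gets the deep scan, the rest the quick one.
    failures = assess_posture(ep.posture, thorough=ep.previously_quarantined)
    return ("allow", VLAN_CORPORATE, []) if not failures else ("quarantine", VLAN_QUARANTINE, failures)

# RADIUS side: the appliance answering the switch as RADIUS server (or proxy).
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value   # Type, Length, Value

def vlan_attributes(vlan: str) -> bytes:
    """RFC 3580 dynamic VLAN assignment: three tagged tunnel attributes, tag byte 0x00."""
    return (_attr(TUNNEL_TYPE, b"\x00" + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
            + _attr(TUNNEL_MEDIUM_TYPE, b"\x00" + struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:])
            + _attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + vlan.encode()))

def radius_reply(decision: str, vlan: Optional[str], ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Access-Accept carrying the VLAN, or Access-Reject. The Response Authenticator is
    MD5(Code|ID|Length|RequestAuth|Attributes|Secret), RFC 2865 section 3. A proxying
    appliance must recompute it with the secret it shares with the switch."""
    code = ACCESS_REJECT if decision == "reject" else ACCESS_ACCEPT
    attrs = b"" if code == ACCESS_REJECT else vlan_attributes(vlan)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_reply(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the switch checks before honouring a reply: a spoofed reply from a host
    that does not hold the shared secret fails here."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return pkt[4:20] == expected

def parse_reply(pkt: bytes) -> dict:
    """Decode the code and assigned VLAN (if any) from a reply, as a switch would."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    out, pos = {"code": code, "id": ident, "vlan": None}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            out["vlan"] = pkt[pos + 3:pos + alen].decode()      # skip the tag byte
        pos += alen
    return out
```

Two design points worth noting. First, `decide` never lets an authenticated endpoint with no posture data through: an agentless probe that comes back empty is treated as a failed assessment, not a pass, which is the fail-closed behaviour you want from an admission check. Second, the quarantine decision is just another VLAN in the Access-Accept, so whether quarantined hosts can reach each other is entirely a property of how that VLAN is built on the switches, not of the appliance; this is exactly the "VLAN of death" question to ask a vendor.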
Also pay close attention to how endpoints exit quarantine -- the appliance should avoid help desk intervention for simple fixes, while escalating more serious problems via email, SNMP traps, or trouble tickets.

Scalability and performance: A small network might be satisfied with one NAC box, but NAC really appeals to larger companies where threats are difficult to cost-effectively avoid and mitigate. Most NAC appliances are therefore product suites, where several assessment/enforcement boxes can be managed by a central policy server (software or hardware). Boxes are distributed for geographic reach, coverage, performance, and redundancy. In a recent CMP poll, the top technical issues associated with NAC were ensuring that a NAC failure would not compromise fault tolerance, and providing security without compromising LAN performance. This demonstrates the importance of selecting NAC appliances that are sized for your network. For example, Mirage appliances range from four VLANs/100 endpoints to 32 VLANs/2500 endpoints with high availability.

Future direction: Companies that are not yet ready to take the NAC/NAP/TNC plunge can use NAC appliances to reap immediate benefits and learn more about assessment and remediation. In the long run, NAC appliances are expected to integrate with those infrastructure solutions. Customers with heavy Cisco investment may prefer appliance vendors that participate in the Cisco Compatible for NAC program. Those planning to move aggressively to Vista and Longhorn may look for vendors in Microsoft's NAP program. Large heterogeneous networks will benefit from appliances that eventually implement TNC's open interfaces. But avoid over-emphasis on today's alliances. Many NAC vendors are hedging their bets by participating in multiple programs.

Finding NAC-in-a-box

Many vendors already offer NAC appliances, and analysts expect this market to explode over the next few years. Purpose-built NAC products that use hardware appliances to assess endpoint integrity and control network admission include products from Caymas, ConSentry, FireEye, ForeScout, Lockdown, Mirage, Nevis, StillSecure, Symantec and Vernier, as well as Cisco's Clean Access. In addition, most network equipment vendors are adding NAC features to managed switches, wireless access points, and remote access concentrators. Examples include Cisco, Enterasys, Extreme Networks, Hewlett-Packard, and Juniper Networks. Many host security software vendors are adding NAC features to their offerings, including InfoExpress, McAfee, Senforce, and Trend Micro. These NAC-enabled devices and programs are helping to lay the foundation for infrastructure-based network admission control. Note that Cisco currently participates in both markets -- this trend is likely to expand as vendors try to capture customers by offering NAC appliances today, and hold onto them by offering NAC infrastructure solutions tomorrow.