Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Nac appliances shortcut to access control
1. NAC Appliances: Shortcut to Access Control
Infrastructures that check endpoint health before network access have generated
plenty of buzz, but precious little deployment. Some companies are waiting for a
winner to emerge from the chief contenders: Cisco's Network Admission Control
(NAC), Microsoft's Network Access Protection (NAP), and TCG's Trusted Network
Connect (TNC). Others have tested these infrastructures and found that full
deployment requires massive network upgrades and agent installations that will
likely take years. To fill the gap between consumer interest and investment, several
vendors now offer "NAC-in-a-box" -- appliances that deliver many of NAC's promised
benefits, with far less fuss.
Simplifying NAC
NAC, NAP, and TNC are distributed architectures that differ in detail but share a
common goal: proactive eradication of threats introduced by hosts connecting to
corporate networks. All three extend network infrastructure to audit health and
verify compliance before each endpoint connects to that network. All require
coordination between an agent on the endpoint itself, devices that deliver network
access, servers that provide authentication, systems responsible for policy decisions
regarding health and compliance, and elements that help enforce those decisions
and remediate failures. Baking admission control into a network's fabric is
conceptually attractive, but it takes time and money to upgrade networks with
dozens of servers, hundreds of routers and switches, and thousands of hosts.
Alternatively, some of these functions can be consolidated into a singular appliance,
positioned between the endpoints to be scanned and the network to be protected.
NAC appliances insert themselves into 802.1X, VPN, or domain authentication flows,
scanning the endpoint for malware and required security measures. Endpoints that
are clean and compliant are granted access to authorized resources to conduct
business as usual. Endpoints that are unknown or unsafe may be shunted into
quarantine and/or granted limited access.
How appliances accomplish these tasks -- and the degree to which they do so --
varies widely. But most NAC appliances try to avoid requiring installed agent software
or network/server upgrades. Instead, they use an overlay approach to augment what
you already have in place.
What to expect in a NAC appliance
Unlike point products that fit into a distributed NAC infrastructure, appliances tend
to minimize dependency on third-party systems by absorbing as much of the NAC
burden as possible. This does not mean that NAC appliances have no external
interfaces -- indeed, they must interoperate with surrounding systems to avoid
network redesign. Choosing the right NAC appliance requires a good understanding
of the role(s) it will play in your network and the functions it must or may provide.
2. Factors to consider when choosing a NAC appliance include the following.
OS independence: To lower TCO, NAC appliances can usually function without
installed endpoint agents. Some appliances use network scans to probe any endpoint,
regardless of OS, including embedded devices like VoIP phones. Several appliances
use ActiveX to scan the host, or SMB protocols to query the host, introducing
Windows dependencies. Some offer an optional installed agent with advanced
scanning or remediation features. Take a hard look at any NAC appliance to
understand endpoint OS coverage and what features (if any) are limited to specific
OSes.
Access methods: NAC appliances insert themselves into the network admission
process at various points, such as when a LAN user logs into a domain, when a
wireless user passes 802.1X, or when a remote user tunnels into a VPN. Most
appliances support 802.1X for wired and wireless LAN endpoints. If you have not yet
invested in 802.1X -- or want to support guest access -- look for an appliance with
Web portal login or DHCP-time checks. Related considerations include support for
your VPN client/concentrator and single-sign-on so that NAC does not result in
multiple user logins.
Network independence: Unlike Cisco NAC (which requires Cisco IOS and ACS) and
Microsoft NAP (which requires Microsoft Vista and Longhorn), NAC appliances are
designed to drop into existing heterogeneous networks. But what does "drop in"
mean? Most NAC appliances connect to a Layer 2 switch, between access and
distribution or core layers. Some connect to a Layer 3 switch, near the network core.
NAC appliances may operate out-of-band (consulted only during admission) or in-line
(passing traffic as a bridge or router after admission). Each has pros and cons -- for
example, out-of-band appliances avoid adding latency, but in-line appliances simplify
enforcement. Some appliances support both options, letting you decide the best fit
for your network.
Authentication methods: Most NAC appliances assess and enforce policy based on
endpoint user identity -- preferably authenticated. A Web portal on the appliance is
common for guest access, but you probably want to authenticate employees against
existing servers and databases. Most NAC appliances can proxy LAN access requests
to your existing Active Directory, LDAP, or RADIUS authentication server, then use
results to enforce user or group-based policies. Some NAC appliances also support
certificate and two-factor authentication, primarily needed for VPN or 802.1X users.
If you must deal with "headless" devices like IP printers, look for an appliance that
can use simple MAC ACLs to assess and map unauthenticated devices onto specified
VLANs.
Policy definition: NAC assessment is based on policy, but what does that policy look
like and how is it defined? Start by checking the endpoint's health: Is it infected with
3. viruses or spyware; is it listening to trojan ports? Next, compare endpoint security
posture to defined requirements: Is the OS version allowed, are security patches and
signatures current, are anti-virus and firewall programs present, or are forbidden
services running? NAC appliances diverge on these nitty-gritty policy details, so look
carefully at built-in policies, custom policy granularity, and ability to assess or invoke
the endpoint security programs used by your workforce.
For example, most appliances can quickly check services for common threats, but
only some can launch a host AV scan if problems are detected. Look for appliances
that take user identity, group/role, past compliance, threat history, and exceptions
into consideration. For example, you may want lightweight assessment of guest
endpoints given Internet-only access, while requiring previously quarantined
employee endpoints to be thoroughly scanned. But remember: Deeper endpoint
audits introduce host software dependencies; this is where NAC/NAP/TNC agents will
add real value (and deployment cost).
Enforcement and remediation: Ultimately, a NAC appliance must deny admission to
non-compliant endpoints. Blocking could be accomplished through authentication
failure, but to cut help desk cost, NAC must assist with self-remediation. Most NAC
appliances can quarantine endpoints into a VLAN or subnet, redirecting Web
requests to a remediation server where the user can apply missing patches or
remove malware. In-line appliances can directly enforce quarantine through VLAN
switching or routing. Out-of-band appliances may redirect traffic using ARP or send
SNMP/CLI ACL updates to nearby switches, routers, or firewalls. This is another area
where NAC appliances diverge, so look closely at enforcement reliability and
granularity, as well as self-remediation and limited access controls. For example, are
quarantined endpoints isolated from each other, or do they share one "VLAN of
death"? Also pay close attention to how endpoints exit quarantine -- the appliance
should avoid help desk intervention for simple fixes, while escalating more serious
problems via email, traps, or trouble tickets.
Scalability and performance: A small network might be satisfied with one NAC box,
but NAC really appeals to larger companies where threats are difficult to
cost-effectively avoid and mitigate. Most NAC appliances are therefore product suites,
where several assessment/enforcement boxes can be managed by a central policy
server (software or hardware). Boxes are distributed for geographic reach, coverage,
performance, and redundancy. In a recent CMP poll, the top technical issues
associated with NAC were ensuring that failure would not compromise fault
tolerance, and providing security without compromising LAN performance. This
demonstrates the importance of selecting NAC appliances that are sized for your
network. For example, Mirage appliances range from four VLANs/100 endpoints to
32 VLANs/2500 endpoints with high availability.
Future direction: Companies that are not yet ready to take the NAC/NAP/TNC plunge
4. can use NAC appliances to reap immediate benefits and learn more about
assessment and remediation. In the long run, NAC appliances are expected to
integrate with those infrastructure solutions. Customers with heavy Cisco investment
may prefer appliance vendors that participate in the Cisco Compatible for NAC
program. Those planning to move aggressively to Vista and Longhorn may look for
vendors in Microsoft's NAP program. Large heterogeneous networks will benefit
from appliances that eventually implement TNC's open interfaces. But avoid
over-emphasis on today's alliances. Many NAC vendors are hedging their bets by
participating in multiple programs.
Finding NAC-in-a-box
Many vendors already offer NAC appliances, and analysts expect this market to
explode over the next few years. Purpose-built NAC products that use hardware
appliances to assess endpoint integrity and control network admission include
products from Caymas, ConSentry, FireEye, ForeScouot, Lockdown, Mirage, Nevis,
StillSecure, Symantec and Vernier, as well as Cisco's Clean Access.
In addition, most network equipment vendors are adding NAC features to managed
switches, wireless access points, and remote access concentrators. Examples include
Cisco, Enterasys, Extreme Networks, Hewlett-Packard, and Juniper Networks. Many
host security software vendors are adding NAC features to their offerings, including
InfoExpress, McAfee, Senforce, and TrendMicro. These NAC-enabled devices and
programs are helping to lay the foundation for infrastructure-based network
admission control. Note that Cisco currently participates in both markets -- this trend
is likely to expand as vendors try to capture customers by offering NAC appliances
today, and hold onto them by offering NAC infrastructure solutions tomorrow.
More Networking Tips:
Networking Tutorial Goes to Basic PPP Configuration
When Do You Use Static Routes?
BGP Routing Protocol Tips You Need to Know
Routing Information Protocol & RIP Configuration
How to Configure IGRP (Interior Gateway Routing Protocol)?
How to Use Cisco IP SLA to Manipulate Route Forwarding Decisions?