Vendor-Neutral Embedded Network Access Control In A Dynamic Network Environment

Network Access Control (NAC) solutions are often deployed with the goal of providing Guest Access on the network in a way that allows visitors and contractors access to network resources while helping to mitigate the risk these unmanaged devices pose to the security of the network. Further, NAC has been hailed as a way to ensure that all devices currently under management are compliant with network security policy.

As the concept of NAC and the technologies used to drive it have matured, security has increasingly been built into the fabric of the network. In fact, many industry researchers and thought leaders, point to the future of NAC being in the form of embedded security.

As this movement continues, there are two major challenges that organizations face as they look to embed security into the network. The first is that the value of proprietary NAC solutions, which saw higher initial adoption, will become questionable because of the changing and heterogeneous nature of networks today. The second challenge in highly dynamic networks is to ensure that NAC policy decisions are being made on the most comprehensive information available.

The problem of single vendor approaches

Embedded security as a concept defies the proprietary model, as networks are heterogeneous and require security solutions that will offer open architecture and standard interfaces to support components from a variety of vendors.

This is particularly true at the large enterprise level, where it is easy to see that although today when a NAC solution is deployed, all devices may be of a certain type. As the business changes, say through an acquisition, it may become necessary to manage security across multiple vendors.

In this environment is it clear that a proprietary NAC solution, relying on assessments through proprietary protocols, could not possibly be making decisions based on all of the best available information? A NAC solution that supports an open architecture is then able to assess the new sets of devices, regardless of the vendor or protocols used.

Dynamic active access control assessments

There is an additional distinction to be made between pre-admission and post-admission NAC solutions, both of which have potential shortcomings. When considering pre-admission NAC for instance, today you can have devices that come onto the network in a clean state, but after a user opens a PDF that contains a Trojan, the device suddenly changes state. A strictly pre-admission solution would fall short in this instance. Conversely, post-admission NAC solutions analyze behaviors of users on the network, recognizing changes and quarantining or disconnecting the suspect devices.

Fully comprehensive network access security, enabled by intelligent policy decisions and dynamic security enforcement, will function on a hybrid model assessing the state of a device prior to its admission, and further actively probing the state of that device while it is connected.

In order for organizations to respond in real-time to changes in security posture, or to maintain compliance and ensure continuous network service availability, they require in-depth network and security awareness and coordinated defenses among deployed networking and security solutions.

To support a standardized, dynamic data exchange among a variety of applications, the Trusted Computing Group (TCG), a nonprofit, open industry standards group with members from all aspects of computing and networking, defined an open architecture that enables access control and enforcement of policies for endpoint security.

As part of the TNC architecture, the group has developed IF-MAP, a standard interface between the Metadata Access Point and other elements of the TNC architecture. The IF-MAP open standard provides a common language for NAC, dynamic endpoint security, and automated network policy assessment. It allows data on network devices, policies, status, and behavior to be shared in real-time. This protocol can be embedded into products and is available free from the TCG.

Network Access Control and Automation of Endpoint Security Assessments and Policy Decisions in Vendor-Neutral Environments

When it comes to network security, knowing what’s on the network and ensuring that only devices which are known, managed and clean are allowed to connect, are critical parts of any security plan. Consider the scenario of a user who tethers her brand-new Blackberry to her laptop, which is connected to the corporate network. Potentially, this user could be connected to another network via her Blackberry and thus would have created a back-door that could be used for infiltration.

Unfortunately, most of the NAC solutions on the market are vendor-specific. As the number of IP-connected devices on the network continues to grow exponentially, a vendor-neutral, standards-based NAC solution will become the only comprehensive and sustainable way to embed security and automate policy decision-making.

By the time most organizations are considering adopting NAC, they have already invested a significant amount in security tools. Vendor-neutral NAC approaches allow for organizations to further leverage the investments that have already been made, driving more value from the security function. Further, moving toward a NAC solution which bases policy decisions on communications from a host of security tools greatly improves the quality of the basis of that decision making, giving organizations confidence to fully automate those processes, reducing man-hours spent on remediation and log analysis.

Michael Markulec has over 20 years of experience in computer networking and software. Michael’s experience is a combination of proven operational capabilities and the ability to plan and execute growth strategies resulting in significant returns. At Lumeta, Michael is responsible for both operational and strategic leadership of Lumeta’s Network Assurance solutions and the development of the IPsonar product suite. Michael leads Lumeta’s long-term research project on Internet Mapping.

  • NAC Webinar

    Webinar: Evolving Networks Demand New NAC Approaches

    Is all your network infrastructure equipment from a single vendor?

    Chances are, the answer is No. Networks are becoming increasingly diverse – both in terms of infrastructure and the devices connected to them. Yet many organizations are still relying on Network Access Control (NAC) tools designed for homogeneous network environments.

    In this exclusive event, Frank Andrus, CTO of Bradford Networks, will discuss why and how NAC must evolve in order to properly secure evolving networks.

    Register Now: http://bit.ly/g56evK