In today’s business environment, connectivity is essential to keep pace with a global marketplace. No longer do companies sit as computing silos, but are part of an intricate and complex array of connections. And for all the strides in efficiency and collaboration, this shift has dramatically increased the challenge of securing corporate networks.
It is not uncommon to read about a data security breach at a major retailer or financial institution in which someone was able to bypass security measures and gain unauthorised access to sensitive information. So how do you fix this problem?
While there is no magical cure for all network security ills, there are new technologies that have made significant steps towards addressing the numerous security challenges introduced by a mobile workforce. Network Access Control (NAC) has generated a lot of attention in the past few years.
This is due, in part, to the promise it holds for dramatically simplifying security and providing complete protection from unauthorised access. While this concept is sound, and can provide a means to secure a world filled with mobile computing devices, it has met the reality of money already spent on a patchwork of security tools already living within the corporate network.
But adding NAC does not have to increase your pain. On the contrary, I believe there are several misconceptions about the challenge of deploying NAC. I would like to address a couple of these misconceptions:
NAC = rip and replace
One of the most common misconceptions about NAC is that it will require partial or complete replacement of the switching infrastructure. This idea finds its roots in the way Cisco originally described NAC, which at that time stood for Network Admission Control and was based upon the Institute of Electrical and Electronics Engineers (IEEE) 802.1x network admission protocol.
In essence, for NAC to work a new 802.1x enabled switch would need to be installed and all authorised devices would need to have an 802.1x supplicant (agent). Once installed, the switch provides access control through checking the connecting device for the supplicant. If no supplicant is present, the switch blocks the connection.
At the time this concept was introduced, there was significant excitement over this type of access control. But the concept quickly moved past just admission control. Leading IT professionals wanted more and quickly realised this approach was far too limited and came at a significant budgetary and human resource cost. But this is not the only approach to NAC.
There are several alternatives to gain the benefits of NAC without having to rip and replace your switching infrastructure. One option is to use an out-of-band appliance. In this approach the appliance works in conjunction with the switch and provides the benefits of NAC, including 802.1 x authentication, without the pain of infrastructure replacement.
NAC = another brick in the wall
Another misconception of NAC is that it will be, to quote a great technical guru, Pink Floyd, just another brick in the wall. For anyone who has lived in the IT trenches, this concept is all too familiar. There are an endless number of point problems requiring yet another point solution. And while one product might be amazing at addressing a specific security challenge, it leaves a gaping hole in another area.
In fact, it is not unusual for our enterprise customers to have multiple competitive products attempting to cover a particular security challenge. But when it comes to NAC, its promise was that it would be more than a point solution and would provide broader security coverage. And as NAC technologies matured, the breadth of that coverage continued to expand.
NAC should not be just another point product, but in order to realise the full value of access control technology the NAC platform must be able to integrate with the other security products already in place. When implemented correctly, an integrated NAC product provides the ability to set and enforce network security policies using both the built-in enforcement mechanisms and leveraging the ability of other technologies within the infrastructure.
For example, NAC should be able to provide a way to fix identified network security violations. While many NAC technologies only offer limited enforcement mechanisms, an integrated NAC solution should be able to leverage remediation systems already present within the infrastructure. Patch management is a perfect example of the value and cost saving introduced by an integrated NAC offering.
In this case, a device connecting to the network after being away for some period of time is determined to not be in compliance with the network security policy enforced by the NAC system due to a missing patch. Instead of blocking the access of the device, integrated NAC would trigger the patching system to install the patch without the user’s involvement. This automated remediation process significantly reduces the number of calls to the help desk, provides a more positive end user experience and increases the overall security of the network.
NAC: the security orchestrator
In the same way a conductor leads an orchestra, NAC can maximise existing security investments through coordinating the response to security violations, thereby automating the process of security policy enforcement. This integrated approach allows for policy enforcement to be taken to an unprecedented level. By using existing infrastructure, policy enforcement moves out of the world of binary action where all violations are subjected to a simple block or allow response.
For example, a policy can be established to prevent the use of instant messaging on corporate laptops, but instead of blocking a device that violates this policy, an integrated NAC solution can provide a multi-tiered response automating the process of remediation and user education. For instance, the enforcement for this violation could be to first, redirect the user’s browser to a customised screen in which the user is notified of the security violation.The user is then asked to acknowledge the notification creating an audit trail of the violation and the user’s response.
At the same time, the NAC solution integrated with the enterprise trouble ticketing system automatically opens a trouble ticket for the help desk, while using its connection with Active Directory to send an email notification to the employee’s manager. Or for a more direct response, the NAC system could automatically terminate the programme while still sending the appropriate notifications. By automating enforcement, NAC reduces management overhead and provides a more responsive and higher calibre of network security policy enforcement.
The real key to a successful NAC deployment is having the flexibility to work with the infrastructure you have today and provide a framework to adapt to inevitable network changes. This flexibility to tap in to your existing infrastructure increases the value of the whole system and moves past simply addressing individual pain points to providing a unified response across the network to identified security policy violations.
