By Steve Tsai, Managing Editor, Internet Journal
Network Computing held a forum on Network Access Control at the Fairmont Hotel in San Jose on January 25, 2007. John Siefert, the publisher of Network Computing (www.networkcomputing.com), graciously invited me to the forum. The forum participants included both NAC vendors and NAC users, mostly IT directors and CISOs. The NAC vendors present were Symantec, HP, Microsoft, Nortel, Foundry, Lockdown, Bradford, Vernier, ConSentry, and Caymas.
This report highlights some of the issues discussed in the forum. At next week's RSA Conference there are dedicated sessions and demos for NAC vendors interoperating with Microsoft NAP in Vista and Longhorn environments.
NAC (Network Access Control) is a part of the overall security framework. It deals with security policies, authentication and compliance checks, policy enforcement (admission, or quarantine and remediation), access control, and on-going monitoring. From a user viewpoint, NAC standards are clearly needed to improve interoperability among these solutions. The debate about whether in-band or out-of-band solutions are better misses the bigger picture, since checking and monitoring are only one part of the overall NAC requirements. Conceptually, policy setting and policy enforcement should be separated. From the user standpoint, the more practical considerations are:
- Close match with the stated (business) objectives and requirements
- Ease of implementation
- Minimal impact on existing infrastructure
- Granularity of the access control
- Flexibility for future expansion
- Ease of isolation, quarantine, and the transparency in remediation
- Ease of on-going security administration, monitoring, and mitigation
The IT Perspective
It is always interesting to hear the users' perspective on the problems they face in the real world. This panel discussion had the following participants:
- Steve Campbell, director of network services, Beckman Coulter, a biotech company and a user of Lockdown Networks' solution.
- Mazen Abu-Hijley, director, networking, Cedars-Sinai Medical Center, a user of Vernier Networks' solution.
- George Owoc, director, business admin, EADS Astrium North America, a defense and aerospace company.
- Brian Nichols, chief IT security & policy officer, Louisiana State University, a user of Microsoft NAP.
- Steve Berg, director of IT, Omneon, a digital media storage company and a user of ConSentry Networks' solution.
Here are some highlights of the key issues that these IT security people are facing and how they approach them:
At Cedars-Sinai, there is patient access, guest access, and contractor access, in addition to internal staff access. Using Vernier's solution, patients and guests have access to the Internet only; contractors can access some resources in a restricted area.
At Omneon, a hi-tech company, Internet access is expected; you can't refuse to let the CEO's guests access the Internet for the information they need. Employees may bring in infected laptops; these must be quarantined right away, and the users, not just the IP addresses, should be identified for a quick trackdown. ConSentry does that well.
What are the requirements?
In hospitals, the focus is on saving lives. IT is there to provide services to hospital personnel as well as to patients and visitors, and it has to be transparent to them.
Interoperability is important. The solution must work with the existing environment without a forklift upgrade or massive changes to the infrastructure.
What is the ROI?
For hospitals, if there is a computer virus outbreak, everything goes back to a paper process, which is unacceptable. Therefore, having the policy and the granularity to enforce it is critical.
In-band or out-of-band NAC?
Users may adopt in-band NAC solutions like Vernier, ConSentry, or Caymas, but they will try them in the lab initially as an out-of-band monitoring tool. Once they gain confidence that the products function properly, they will turn on in-band mode, still in the test environment. Once it is proven to work, they will roll it out, again initially as an out-of-band monitoring tool, and gather information first.
Words of wisdom
Define the problem you are trying to solve first (usually a business problem), then find solutions and work with the vendors.
Keep cost in mind. Universities don't have a lot of money to spend.
KISS (keep it simple): the real cost is labor and downtime to the company, not the cost of the product.
NAC deals with access control for the users (authentication) and machines (compliance) that can physically connect to the corporate network. These users and machines include employees and contractors on the corporate premises, staff in remote branch offices, at-home employees, and mobile employees. Since some of these users are inside the premises of a corporation, they have already gone beyond the
NAC consists of policy setting, verification of credentials and compliance, access control (either admission or quarantine), and, once a machine is admitted, continued monitoring for compliance and abnormal behavior, with containment if a security breach occurs. If the inspection fails, block access or quarantine the machine and perform remediation.
For IT decision makers, the following guidelines are helpful in selecting a NAC solution:
- Define the business and regulatory requirements first.
- Have an overall picture of the current and future IT infrastructure regarding network topology, user types, access methods, and security layers.
- When evaluating a NAC solution, keep in mind the cost of implementation and on-going operations and the cost of security breaches (real or false alarms), in addition to the cost of the solution itself.
- Keep it simple: use a centralized policy console for ease of control and management, and minimize the number of appliances or endpoint agents required to implement the NAC.
- Choose flexible access control policy settings that allow role-based, location-based, connection-type-based, and time-based access permissions for granular access control.
- Communicate with the user communities to educate and prepare them for the NAC deployment.
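The NAC flow described above (credential and compliance verification, an admit/quarantine/block decision, continued monitoring with containment) and the granular role-, location-, connection-type- and time-based policy from the last guideline are easier to reason about as a small policy decision point. The following is an added illustration written for this report; it is not the code of Vernier, ConSentry, Microsoft NAP or any other vendor named here. The roles, VLAN names, posture attributes (av_running, patch_level), the MIN_PATCH_LEVEL baseline, the contractor hours and the sample endpoints are all constructed.

```python
"""Toy NAC policy decision point: authenticate, check compliance, decide
admit / quarantine / block, then keep watching admitted hosts for abnormal
traffic. Added illustration; every role, VLAN, threshold and sample is
constructed and does not describe any real product."""
from dataclasses import dataclass, field
from datetime import time
from enum import Enum
from ipaddress import ip_address
from typing import Dict, List, Optional


class Decision(Enum):
    ADMIT = "admit"            # place on the VLAN the role is entitled to
    QUARANTINE = "quarantine"  # remediation VLAN only; re-check afterwards
    BLOCK = "block"            # no network access at all


@dataclass
class Endpoint:
    user: Optional[str]   # authenticated identity; None means authentication failed
    role: str             # "employee" / "contractor" / "guest" / "patient"
    location: str         # "onsite" / "branch" / "remote"
    connection: str       # "wired" / "wifi" / "vpn"
    av_running: bool      # compliance attribute reported by the endpoint agent
    patch_level: int      # compliance attribute (hypothetical monotonic counter)
    local_time: time      # local time of the connection attempt


@dataclass
class Verdict:
    user: Optional[str]   # carry the identity, not just an IP, so trackdown is quick
    decision: Decision
    vlan: str
    reasons: List[str] = field(default_factory=list)


MIN_PATCH_LEVEL = 10  # constructed compliance baseline

# Role-based entitlement: the VLAN a compliant, authenticated role lands on.
ROLE_VLAN = {
    "employee": "corp",
    "contractor": "restricted",
    "guest": "internet-only",
    "patient": "internet-only",
}
CONTRACTOR_HOURS = (time(7, 0), time(19, 0))  # constructed time-based rule


def evaluate(ep: Endpoint) -> Verdict:
    """Credentials first, then compliance, then granular access rules."""
    # 1. Authentication: an unidentified user or unknown role gets nothing.
    if ep.user is None or ep.role not in ROLE_VLAN:
        return Verdict(ep.user, Decision.BLOCK, "none", ["authentication failed or unknown role"])
    # 2. Compliance: record every failed check so remediation knows what to fix.
    reasons = []
    if not ep.av_running:
        reasons.append("antivirus not running")
    if ep.patch_level < MIN_PATCH_LEVEL:
        reasons.append(f"patch level {ep.patch_level} below baseline {MIN_PATCH_LEVEL}")
    if reasons:
        return Verdict(ep.user, Decision.QUARANTINE, "remediation", reasons)
    # 3. Granular access: location, connection type and time of day refine the role.
    if ep.role == "contractor":
        if ep.location != "onsite":
            return Verdict(ep.user, Decision.BLOCK, "none", ["contractors must be on premises"])
        if not CONTRACTOR_HOURS[0] <= ep.local_time <= CONTRACTOR_HOURS[1]:
            return Verdict(ep.user, Decision.BLOCK, "none", ["contractor outside permitted hours"])
    if ep.role == "employee" and ep.location == "remote" and ep.connection != "vpn":
        return Verdict(ep.user, Decision.BLOCK, "none", ["remote employees must use VPN"])
    if ep.role in ("guest", "patient") and ep.connection != "wifi":
        return Verdict(ep.user, Decision.BLOCK, "none", ["guests and patients: wifi only"])
    return Verdict(ep.user, Decision.ADMIT, ROLE_VLAN[ep.role], ["all checks passed"])


def monitor_flow(v: Verdict, dst_ip: str) -> Verdict:
    """Post-admission monitoring: an internet-only host reaching for an
    internal (RFC 1918) address is abnormal and gets contained by identity."""
    if v.decision is Decision.ADMIT and v.vlan == "internet-only" and ip_address(dst_ip).is_private:
        return Verdict(v.user, Decision.QUARANTINE, "remediation",
                       [f"abnormal: internet-only host of {v.user} contacted internal {dst_ip}"])
    return v


# Constructed sample endpoints covering each branch of the policy.
SAMPLES = {
    "guest": Endpoint("guest-0142", "guest", "onsite", "wifi", True, 12, time(10, 0)),
    "infected_employee": Endpoint("alice", "employee", "onsite", "wired", False, 12, time(10, 0)),
    "unauthenticated": Endpoint(None, "employee", "onsite", "wired", True, 12, time(10, 0)),
    "late_contractor": Endpoint("bob-contractor", "contractor", "onsite", "wired", True, 11, time(22, 0)),
    "remote_employee": Endpoint("carol", "employee", "remote", "vpn", True, 15, time(9, 30)),
}


def run_samples() -> Dict[str, Verdict]:
    """Evaluate every constructed sample and return the verdicts by name."""
    return {name: evaluate(ep) for name, ep in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:18} -> {verdict.decision.value:10} vlan={verdict.vlan:13} {verdict.reasons}")
    admitted_guest = run_samples()["guest"]
    print(monitor_flow(admitted_guest, "10.20.30.40").reasons)
```

The ordering is the point: identity is established before any posture check, posture before any entitlement, and the verdict always names the user so that a quarantine can be traced to a person rather than a DHCP lease. Swapping the VLAN strings for a vendor's enforcement primitive (a RADIUS attribute, an ACL push, a port shutdown) is what a real policy enforcement point does; the decision logic above is independent of whether enforcement happens in-band or out-of-band.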
About The Author
Steve Tsai is the Managing Editor of the Internet Journal, http://www.intnetjournal.com. Internet Journal provides insights and analysis on Internet marketing, eCommerce, mobile communications, eSecurity, and global e-Business. If you have any comments about Internet Journal, please send email to firstname.lastname@example.org.