NAC 2.0: A new model for a more secure future

NAC's functions fit better on the endpoint. We need to move beyond today's scenario, where users struggle to implement NAC as a successful security framework. Just how bad is it? We've found that 40% of enterprises surveyed had begun NAC deployments, but only 4% actually finished. The majority of those that do finish are turning to solutions focused on network hardware such as appliances, Ethernet switches, routers, and VPN gateways. We believe this is the wrong approach.

NAC 1.0 and why it failed

Organizations are increasingly turning to network access control technologies to provide better protection for their networks and data. However, many of the first-generation "NAC 1.0" solutions were based on an inherently flawed model that failed to respect the expertise and ownership of different groups in the organization. NAC 1.0 was also unable to react quickly enough to protect against rapidly evolving threats or to support the needs of an increasingly mobile workforce.

NAC 1.0 – fundamentally disconnected

NAC 1.0 suffered a disconnect in perceived ownership, with a struggle for control between the two key teams, who brought two distinct perspectives:

- The network team's perspective – guest access. The network team interpreted "network access control" as a way to control or block unauthorized access to the network.
- The desktop team's perspective – managed endpoint computers. The desktop team saw "network access control" as a way to control or ensure the security and productivity of users' computers.

NAC 1.0 – focusing on blocking guests

Guest access was an easy target for many early NAC 1.0 products: access was generally seen as a luxury rather than a business necessity, and was often needed only in specific locations such as conference rooms. In addition, guests often have no formal relationship with the business and are not part of any of the organization's identity management systems, such as Microsoft Active Directory. It was fairly simple for many point-solution appliances to provide a mechanism to block guests' computers until they could be made compliant with the organization's security policies. However, this NAC 1.0 focus on meeting the network team's goal of controlling guest access missed a far greater problem for an organization's security, namely the much greater likelihood of devastating data loss from a misconfigured managed endpoint computer. With a few exceptions, such as higher education, the sheer number of managed endpoint computers means they present a much larger threat surface and are in reality a much greater risk.

NAC 1.0 – lacking agility

First-generation NAC solutions failed to recognize that the threat environment is constantly changing, with new threats and vulnerabilities appearing every day. Anti-malware vendors release a steady stream of updates to detect and clean new threats. Operating system and application vendors issue security patches on a daily basis.

Many NAC products could not easily be updated to take account of the latest updates. When an anti-malware vendor released a new update or a new version, the administrator often had to update the assessment rules manually. With new operating system patches, administrators typically had to enter a new, complex set of registry entries corresponding to each new patch for each operating system – if the NAC tools supported patch assessment at all. The large effort required to keep rules up to date meant that NAC assessment tools lagged far behind the real dangers facing organizations.

Early mistakes

Intrusion Prevention Systems

Some early NAC products were based on Intrusion Prevention Systems (IPS) that looked for anomalous network behavior. These were useful when threats often consisted of worms with identifiable network signatures. Today's threats frequently produce no identifiable network anomaly, and in that case they are invisible to a behavior-based IPS.

Network appliances

Some NAC vendors chose to deliver their solutions as network appliances. This was a choice made for their own convenience, not for their customers' needs. By delivering an appliance, the vendors were able to limit their testing to a small set of predetermined platforms. This seeming convenience is deceptive. Networks often had to be redesigned to insert an appliance, funneling all traffic through a choke point and affecting performance and reliability. NAC appliances also lack deep assessment capabilities, good scalability, and any means of protecting computers when they are not connected to the network.

Network equipment

Network vendors are typically interested in upgrading switching and routing gear to include the latest features. They have no real presence on the endpoint, and as a result attempts to control network access with network equipment alone were unsuccessful: they offered weak assessment and little or no policy management. Network-based NAC ignored the issue of remote or roaming users, although ironically NAC has its roots in host integrity checking for roaming users.

NAC Frameworks

The original NAC frameworks – such as Microsoft Network Access Protection (NAP), Cisco Network Admission Control (NAC), and the Trusted Computing Group's Trusted Network Connect (TNC) – offered basic interoperation standards and little more. They provided some plumbing, but left organizations to do the work of fitting it all together. Policy management, updating, and audit were left out of the equation.

There was also a critical flaw in the NAC frameworks' reliance on a "trust" model – self-policing by the very applications that have gone wrong. They required anti-malware software to report its own status, even though a failure in that software might be the very reason a computer was unprotected. Furthermore, unwanted and unauthorized software, such as spyware or peer-to-peer applications, cannot be expected to report its status to a NAC framework, which breaks the trust model.

The future of NAC

The new model for NAC, or "NAC 2.0", that is now emerging takes into account the shortfalls of earlier approaches and aims to solve real business problems. It acknowledges and embraces the functional roles and division of responsibilities found in today's organizations, supports the business goals of different groups, and endeavors to meet the rapidly changing requirements of today's dynamic threat environment.

NAC 2.0 – embracing functional roles

NAC 2.0 has operational impact on three teams in the IT organization. NAC 1.0's focus on answering the network team's needs is matched by a real commitment to the needs of the desktop team, and a new ability to encompass the requirements of the security team.

Network team

As discussed earlier, the network team is where many NAC solutions were originally embraced, and it seemed natural for this team to be the primary owner of "network" access control, although in reality NAC is about more than just the network. This team includes the experts on:

- Switching
- Virtual LAN (VLAN) management
- Routing
- IP address management.

The network team is responsible for ensuring network availability and performance. It does not typically have any responsibility for endpoint assessment and remediation, and does not care what the configuration of any particular endpoint computer is. Its concern in terms of the endpoint is to supply the appropriate level of service to a computer based on its role and compliance state.

NAC and the network team

The network team needs NAC to keep unknown or unsafe computers from impacting network security, availability, and performance.

NAC needs the network team to manage the switch fabric for enforcement (VLANs, access control lists) based on compliance state.

Desktop team

The desktop team is concerned with managed computers and all aspects of their configuration – even when they are not connected to the network, for example while roaming. The team drives the requirements for assessment of endpoint configuration, remediation of any misconfiguration, and patching and updating, including:

- Selection, management, and updating of anti-malware software and the desktop firewall
- Desktop patch management
- Implementation of best practices for secure configuration.

NAC and the desktop team

The desktop team needs NAC as a tool to eliminate configuration drift on the computers under its control, regardless of network location.

NAC needs the desktop team to define ideal configurations and remediation mechanisms.

Security team

The security team is focused on regulatory compliance and audit. Although it does not have day-to-day operational responsibility for desktops and the network, it sets the standards for compliance throughout the organization. Some practices are mandated by government regulation, such as HIPAA (USA)[3] and PIPEDA (Canada)[4]; some are international standards, such as BS 7799 / ISO 27002 (UK/international)[5]; and some come from recognized industry bodies, such as the Center for Internet Security (CIS Benchmarks)[6] and the Payment Card Industry (PCI DSS)[7].

In addition to its already formidable responsibility for risk management, the security team is responsible for:

- Determining which standards are applicable in its organization
- Auditing the environment against those standards
- Showing proof of compliance with those standards.

NAC and the security team

The security team needs NAC to minimize the risk from non-compliant, unknown, and unsafe computers, and to provide comprehensive reporting and audit.

NAC needs the security team to define standards for regulatory compliance and security best practices.

NAC 2.0 – focusing on business goals

Unlike one-size-fits-all NAC solutions, NAC 2.0 recognizes that businesses have different goals for employees, contractors, and guests, and, when properly implemented, focuses on the requirements of each group.

Business goals for employees:

- Enable – not block – access to the network and applications
- Enhance productivity, security and compliance.

Business goals for formal visitors, such as contractors, partners, and consultants:

- Assess the level of risk posed by the unmanaged computers of these visitors
- Provide restricted access appropriate to the authorization and level of risk.

Business goals for informal guests and unknown computers:

- Require proof of authorization
- Block network access unless authorized.

Many NAC project failures have been the result of too great a vendor focus on the network enforcement mechanisms, and not enough on the practical prioritization of achievable business benefits for each distinct use case. Successful NAC deployments have in common the primary objective of enabling safe access to appropriate resources by authorized people – not an objective of blocking users from the network. In other words, NAC 2.0 focuses on enabling rather than blocking access.

NAC 2.0 – providing dynamic flexibility

IT departments now have available a much richer context in which to make decisions about authorizing access to company resources. In determining the appropriate level of access, they can go beyond simple user identity and role and consider machine identity, access location, access method, time of access, device security posture and state, emerging threats, and available threat responses. The resulting authorization policies depend on increasingly rapid, real-time information about security updates. Deciding whether a computer is fully patched requires up-to-date knowledge of the available security patches. Knowing whether a guest computer's anti-malware protection is current means the system must not only know about the company's own chosen anti-virus product, but also understand what threat-detection updates have been published by each anti-virus vendor at all times. Knowledge of emerging threats and of the available responses are both key to making authorization decisions, so NAC needs the native capability to provide this critical stream of information.

Today's best endpoint NAC solutions are evolving to enable effective management and control of access authorization by providing two distinct sets of capabilities:

- Network enforcement mechanisms that provide an entry gate onto the network, along with the ability to restrict access using dynamic VLAN and/or ACL assignments, delivered (unlike the special-purpose appliances of NAC 1.0) as a commodity capability available within standard network switching platforms.
- A centralized policy management platform for directing assessment, remediation, access control, reporting, audit, and alerting – covering all required use cases – combined with rich native assessment and remediation capabilities.

NAC 2.0 – protecting beyond security

Regulatory compliance, industry best practices, and IT governance are the new set of drivers behind the evolution and adoption of NAC. NAC as a tool for security, productivity, and compliance leads to better endpoint and network governance. NAC 2.0 will finally enable organizations to get control of their systems – in spite of a rapidly evolving threat environment and the changing nature of the network perimeter.

Summary

Network access control is a valuable new technology for protecting an organization's assets from risk. Learning from the flaws of earlier solutions, NAC is now evolving into NAC 2.0, a more mature set of integrated technologies that embraces the multiple functional roles in the organization, focuses on solving real business problems, and supports a dynamic environment. NAC 2.0 is the future of network access control.
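As an added illustration of the two ideas above that a policy engine actually has to encode, the NAC 2.0 "dynamic flexibility" decision (identity, management state and verified posture mapped onto a VLAN assignment) and the NAC 1.0 trust-model flaw (never letting the anti-malware agent vouch for itself), here is a small policy decision point in Python. It is example code written for this page, not code from the paper or from any NAC product. The vendor signature dates, the patch baseline, the VLAN names and the sample endpoints are all constructed; a real deployment would take the signature dates from the vendors' published update feeds and the patch baseline from the desktop and security teams.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed stand-in for the vendor threat-update feed the paper says NAC
# must carry natively: latest signature release date known per AV vendor.
VENDOR_LATEST_SIGNATURES = {
    "vendor-a": date(2024, 5, 20),
    "vendor-b": date(2024, 5, 19),
}
REQUIRED_PATCH_LEVEL = 20240514      # hypothetical baseline set by the desktop/security teams
MAX_SIGNATURE_AGE = timedelta(days=3)

# Enforcement targets the network team maps onto the switch fabric (names assumed).
VLAN_CORP = "corp"                   # full access
VLAN_RESTRICTED = "contractor"       # limited application access
VLAN_INTERNET_ONLY = "guest"         # internet only
VLAN_REMEDIATION = "remediation"     # patch and AV update servers only
VLAN_DENY = "deny"                   # no network access


@dataclass
class Endpoint:
    user: Optional[str]              # None if nobody has proven authorization
    group: str                       # "employee", "contractor" or "guest"
    managed: bool                    # under desktop-team management (directory joined)
    av_vendor: Optional[str]
    av_signature_date: Optional[date]
    av_self_reports_ok: bool         # the agent's own "I am healthy" flag
    patch_level: Optional[int]


@dataclass
class Decision:
    vlan: str
    findings: list


def posture_findings(ep: Endpoint) -> list:
    """Verify posture against independent data, not the agent's self-report.

    ep.av_self_reports_ok is deliberately never consulted: a broken or
    tampered agent is exactly the case in which that flag is worthless.
    """
    findings = []
    latest = VENDOR_LATEST_SIGNATURES.get(ep.av_vendor) if ep.av_vendor else None
    if latest is None or ep.av_signature_date is None:
        findings.append("av-missing-or-unknown-vendor")
    elif ep.av_signature_date > latest:
        # Claims signatures the vendor has not published: treat as a bad report.
        findings.append("av-signature-date-implausible")
    elif latest - ep.av_signature_date > MAX_SIGNATURE_AGE:
        findings.append("av-signatures-stale")
    if ep.patch_level is None or ep.patch_level < REQUIRED_PATCH_LEVEL:
        findings.append("patch-level-below-baseline")
    return findings


def decide(ep: Endpoint) -> Decision:
    """Map identity, management state and verified posture to a VLAN."""
    if ep.user is None:
        # Informal guests and unknown computers: block unless authorized.
        return Decision(VLAN_DENY, ["no-proof-of-authorization"])
    findings = posture_findings(ep)
    if ep.group == "employee" and ep.managed:
        # Enable, do not block: a non-compliant managed endpoint goes to the
        # remediation network, where it is fixed and then re-evaluated.
        return Decision(VLAN_REMEDIATION if findings else VLAN_CORP, findings)
    if ep.group == "contractor":
        # Unmanaged formal visitor: restricted access scaled to assessed risk.
        return Decision(VLAN_INTERNET_ONLY if findings else VLAN_RESTRICTED, findings)
    # Authorized guests, and employees on unmanaged machines, get internet-only
    # access regardless of what the machine claims about itself.
    return Decision(VLAN_INTERNET_ONLY, findings)


# Constructed sample endpoints; the second one is the trust-model case:
# the agent says it is fine, but its signatures are ten days behind the feed.
SAMPLES = {
    "patched employee laptop":
        Endpoint("alice", "employee", True, "vendor-a", date(2024, 5, 19), True, 20240514),
    "employee laptop, agent says OK, signatures stale":
        Endpoint("bob", "employee", True, "vendor-a", date(2024, 5, 10), True, 20240514),
    "employee laptop claiming unpublished signatures":
        Endpoint("dave", "employee", True, "vendor-a", date(2024, 6, 1), True, 20240514),
    "contractor, clean":
        Endpoint("carol", "contractor", False, "vendor-b", date(2024, 5, 19), True, 20240514),
    "contractor, no AV":
        Endpoint("erin", "contractor", False, None, None, True, None),
    "sponsored guest":
        Endpoint("guest-0042", "guest", False, None, None, True, None),
    "unknown computer":
        Endpoint(None, "guest", False, None, None, True, None),
}


def evaluate_samples() -> dict:
    """Run the policy over the constructed samples, keyed by label."""
    return {label: decide(ep) for label, ep in SAMPLES.items()}


if __name__ == "__main__":
    for label, d in evaluate_samples().items():
        print(f"{label}: vlan={d.vlan} findings={d.findings}")
```

The point of the freshness check is that the agent's status flag is an input the policy does not trust: the comparison is between the signature date the endpoint presents and what the vendor feed says has been published, and a date newer than anything published is itself treated as a finding rather than as good news.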