IT Infrastructure - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  IT Infrastructure


How Various Network Access Control Technologies Work



 By: Paul Gann
2008-07-11
Article Rating:starstarstarstarstar / 54


There are 0 user comments on this IT Infrastructure story.


Rate This Article:
Poor Best
There are a lot of ways to handle Network Access Control, some good and some not so good. According to network engineer Paul Gann, deciding which is which depends on your management needs and your network.

From the perspective of end users, a Network Access Control deployment should be transparent, as if it's running all by itself. As users log on to the network, their systems should be checked, quietly in the background, for their level of compliance to internal security policies.

Examples of what NAC would vet the endpoint for include its current patch levels and functioning, and up-to-date anti-virus and personal firewall software. Only when something has gone awry should users be made aware that their systems aren't up to par. Then, most commonly, they'll be guided to an intranet portal where the system is brought up to appropriate security levels.

For small businesses and large enterprises alike, there is much to be gained from this highly dynamic level of security. An NAC-enabled network not only runs more securely but also more productively, within regulatory compliance, and it generates fewer help desk calls. While the benefits of NAC are straightforward, the ways that different NAC solutions get the job donewhether they are hardware-based, inline, out-of-band, agent or agentlessis a little more complex.

Hardware-based NAC

Resource Library:

Let's first consider how hardware-based approaches work. This form of NAC typically requires an appliance that operates either inline or out-of-band with network traffic. Some of these appliances displace access switches, while others operate between the access layer and network switches. Either way, there are a number of deployment, management and operational changes to consider.

First, hardware-based NAC solutions have a number of inherent drawbacks. The foremost is that they create a single point of failure on the network. They also can be disruptive to network traffic, and may not be ideal for geographically dispersed or highly segmented networks. Not only does an appliance have to be installed at every location, but the further up the network, the less visibility these approaches provide into network traffic. There's little sense believing you're more secure with NAC when you can't see or stop an intruder's traffic on a large subnet.

Also, out-of-band approaches, such as those that use 802.11, too often require a high level of network and server configuration change and ports to track. This not only increases administrative costs but also increases the risks of error.

Agent and agentless-based NAC

Next up is the much-maligned agent-based approach. No one wants yet another endpoint application to install, update and maintain. It's an additional burden for the IT team and another catalyst for flurries of help desk calls.

The upside of using agents is that, because they reside on the endpoint, a higher level of scrutiny can be conducted, which should help to improve security. The reality is that agents can be the least disruptive solutions available, especially when it comes to network traffic. This is because the agent runs quietly in the background, only sending periodic updates to the policy server and making sure security is enforced thoroughly. But let's face it: No one wants another application to install, no matter how high the security payback may be.

Next up: agentless NAC. A common approach with agentless NAC involves running vulnerability or policy assessment scans or both on endpoints before they're permitted to access the network fully. Needless to say, this can place undue traffic stress on busy networks. The scan results are sent to a policy server and remedial action, if necessary, is taken on any noncompliant systems.

The promise of agentless NAC is obvious: There aren't any agents to install. Unfortunately, it's not that simple. There's always a downside and, in this case, agentless approaches don't provide a consistent way to thoroughly evaluate the status of the endpoint. Also, because identity is ascertained by examining network traffic, users can fool this tactic.

Dynamic NAC

That brings us to dynamic NAC. With dynamic NAC, there are agents but they're only installed on a certain percentage of systems. Also known as peer-to-peer NAC, this approach doesn't require any network changes or software to be installed on every system. These agents, some of which become "enforcers," are installed on trusted systems and, much like a police force, only a small ratio of law enforcement to the general population is needed to make certain everyone is in compliance. In this way, it's possible to attain the high levels of security associated with agents and all of the benefits of NACwithout the hassles of hardware-based NAC or deploying software on every networked device.

For instance, suppose a number of enforcers are installed on desktops within a LAN, and an untrusted system attempts to log onto the network. These enforcers will restrict its network traffic until it has been vetted. Also, these agents communicate continuously with the central policy server about what remediation, if any, is necessary. So, a system could be fully quarantined or blocked from certain network segments, or only allowed Internet access.

As you can see, there are considerable differences in the ways that NAC systems work. It's important that you evaluate your options to find the most effective NAC solution for your network that is also the most cost-efficient to operate.

 Paul Gann has more than 10 years of experience in the networking industry. Currently, he is a network and security engineer for Ipreo, an industry-leading global financial software company based in New York. Paul holds a diploma in network engineering and data communications from the Chubb Institute. He can be reached at paul.gann@ipreo.com.





  Reader Comments: How Various Network Access Control Technologies Work
>>> Be the FIRST to comment on this article!
 

 
 
>>> More IT Infrastructure Articles          >>> More By Paul Gann
 


x}ks8q8c=mGJɶkc[^K7SJ"!c䒔|9u_zPd2{A4Fh4~ 'I"nZΘ\̦dwꚃ>}K$oB}NUQR C7((bP<HwO7n[cQ0R?`᳙*,wBgxodYǝ (ƻfՉziZgdh-vux;2oF֠}lui!l 1!o ݿ!HlRvn7o\ 25I2C[0,HmfC@ڮSVPfFԲ;o tG oc=uק&Y! !$f >v?$ RI'6qOF^_1'@8:)|y[6'0l_k|uv3< 3~5 CoZe؄j%ozcnć!LjZ L|:j/EӝF3l˸-:4 PS+}(Z}rL>-g`*sN_{JU4Eٿ]vή $Qw; V҃uT\ti\v? 9NF7߉+QR"jt8MQI 1q${/@B oVS7B-hZIArija[E4b‰EU}$N"?Zڗu&u}X6&ZiCA+Wte`9=y\toz{MN;'w:Rڟ+̊k*~k p6O|iķx0`kh`cR^ٗ[$NOWm2 Շ1)H|S: Yu'PZ,/ fRrZ~@X*V0Uhf5 x CX&%Ge)" :u %ͪ5A\[PĿ"E/lꎓz>:AGAtišh4ϬP7&h`C:}ҍ;LZ ? 'pGbd.x: }C 04mLH"wM h&rkI7.[A0? ; O`r]ɝ5E0%ݻCi`y1yj =*~3`=g{`tև &SsfPBOPVTyQ`*hXqFc p, 7RiBI1?,x{ۣeXLRT2q)( f+7TuRԟȦ5S܏> P^!͘}wʠ:F'(E_ ۝-ý-K;xN"UVC_K+8~9ep7 Pܼ?ir5G|@]x# d\46(V,'`#Cҵ; ¢w^\Sv˖?~F|4^ۄ#V!0\ zD30`,e?B;_&]1VW=ZSYdX(%UMpl"zd\s˰2X>rGmAutn\?(yS+rf! sMqN!ӐPS@ b^4(Nu=(U5GQvPc63[!䚻!`Tcfqu-Tn\wlSIBo@mTSDq! ֚pD r.c";2$t`n̂_HE"}[+pp\U.)L0:Jj 2,XTB4⦼6tW݂bIu`1:C5f>z_{=2dB4^Ef,w{LRKz-AZUU+òZPQx]*(S,i0ȁ;u`ћxooũ1FtIJo?u :tɕK-ޫp #.Z$ c0+Y /ÊTU5 ܧ i ~>CV6őG@=q?@+:2 XZ 0(E{h⢉!H{+4+pý225\˥e;OPd[wk%}f{B[$`@"gKjEv~ia#f~~+ˣ [i#f MaFž nJm^R+{9iXoY:i3 9f5N+};N`[%J+fx+,s Jb+ͤV(EcDyx߆gyϤM͋hR|5y ,>s)~7'zER7ƹW<sƇ~ڷBYHjF N|9~ܔyeb@mjE@?}誦URCSe6e'ß=~ ]O U<@n<"w>sԳйdNkl sƻ~rnf@ƫh> k i>~5O}pv'< hr͵m7f" NS\tc'YoOn[JEVK`uEZ%c^f.g|]~kLQXGTUe@5yģT1Cy $v=.EZЋr}cj&lĦOm[e7M3:PZZp9Ѓu^IC#,ͦ'kj@'?F>n!ɵFڽv?!IzG{EY*,.EMTjjEIz,pe%vd iW&{ \x&\_3Kbo)Q^~ TW*.-wD<4ϰ;}Nb i4ǴWՄθ ā3Of#[iYyVum4IdH$5}`MٸU V|2.izIR“sG:(8=.]ţ%Qh2)nQ==Օћ[^Hh# ;wk~ʁn*i7JղAkJZ8qG+a#ra&3 G ɲ\' ׫UVگp.g(X9H(P+ Yr>۷mpH75 SXp| ޠ[PHHHD>QkfR{e"nkR2/-1Ή݋{>LMПBP`n&ц pmI@ NEw%]7)il{ٗN[OxŹǏDNӽ< "hCr;)z{Bv5 }U\q@*V%]w?\Hֻ6?MF&{fB, 8ݯIvI!ͧ^Y{{:9\y6yEh0\< =ШQ^8wK%y;$˶u߽9$ ;.X G>9>oÏOM1+&03hĢ8⑩!g`&V P8I TυUs:TzF_j,49ψAT p0Z!Β#s}uXLP($S0r(`$X*Xe2ӻ:o}Okgen/ m D78%S*PW<2EHiAN' <>9hEщڎBپ~YVST t~iџ.`m eIbaKf+VI'{GHI NN:os_,ĨChpF1xc|o}-6ؾJ9 4SJd"8Q%;?m[=PRvGP2)bvҩ(IZ[Ű ݖ:`<5s2)Mz.ϓp|Li+'iZVӼ6X(4%44QЌOCYB*dC7' һj]np6<5ަmWxvImc%3 TgKEҊ Pk qbG-g+y--E#]}+ iN,#zSa!J fR_,wuO5mOwX{Er?gF'q?Iȸ:Gw*b,_Aݞpner0jw{t=z;Ojw]SqƄ{@95zDלO)|siE1iפubAc$H~"Z0;'|&A1|_M@uSOf 95C/rE}l(=lG_t?wOJw{ѧ}y4 7t3V* 94XH!Hn X|EVeΜtٓN|*<9qgd7Yu (f^/yaҒ91>onR;54z0ׇJP>AcqU~(;ݝfO"J鲇v9c]MZ㽤|>O90)7=E$/Af} mD.Ekg[D:*tc^yO||nF?m?C4ȥN4=vWw6BfP IV1a+ }kUH!q` k c*Yv4.߮ B;FJX<N>۴rUCaUk§ ,'iƿ_/QFD5|{ rx|SvZ 1g.o(#ڟ w %U1)%`PBHpN̼V&S~2*7C_ƥE/.qh&pbwx7 r`f[w|!rtV>` ~ē?JM+)X)^lo&z,8['a leXߨ6W_>ot8=y2O&rYfC-FQ#[[_]|u̲Lwt؉1\6"XYNS.ɝNm#j·MuHGt_gNN m2Ig $P$` :1_MI0S|rկ;&}Pm0q)uN?Gd&e.V7C[ 39jE4SyǖН;_B~ˣnλ99CT|9-;vmiNF6<ߞ~[nzrҷT|w{ ſ2Yq:\ϜVHaWfN8x!Ιiygf5lNmcym&I$z?hV &`zlj-1,VċQ{$hkkqdEN;u^)Kbrk>qbLLpzlï^BYf%2Ċ4NQ+i錂qn ]iSƚe$L1pͦ l1ڿ4i Su&߯&[zϩwD#? KD)`G%_(B~xMww+GOAr4%E/ <5jʹ&Pt$[?ē{n qGtbDݵg#Z-gs^b+]̐5XmÈE2Cכ .TmS_ǝ~ B7T5s®UJO({ôcsWF%3{H JD 4+~AX^qP3"I"w~6#uT_6&  0B(_BVgB8AXJzXDJPa _y"K&5\U;^R,oqn/ =J9?l*b6K-'!*}L1N9id;:'G K]ɖ1xy[/Oz'5!L6VE(U^3H>PSak OUH*4h ^5g5̈ xm; ]ֶz^CuK[7]5S.W@O[f≡Ě:QSIe ;\cxbaE8ee ߼(gG2Cmf|5,\ \>BπJl>A4`}*hZ$24Ư^U'{ʋzhNu_ZהV/`eEFo{j//ȵFqS!3:{ؖs.dړGF^NFyKjfmݷi+8,VK#֔кeO}K[RJP`o2ɿSB1Q>h@'Ǫ%chٱ!TWK0!)D(>syԃ/0s{EMF^[H̉":ul'&vUZ R z' W[ "yFsgU?qbS~fb^ +KN,fp_`h+ZK<+ b1q< @ə莥aсHzoV̏XJ1獘_[FFVM 7X,5bt!obF).m2N[!ĻekS0qL!E % rU%wޠ~z*ޟO@e~jnZ]}}5hM-ã;w|U:Qf|%w҅n,ǟMCh%17M֤k¨`*UI٫T~* ѻh:QhTJu o`|$w{>̥7b?= .θ9M boEҖIv# ,@ҧ$y슍Bx56D:nY CsN.7v߾@<3[L`#qa#a=d<qT2 !'@vt-B"aKG\v|^B8 ܰJ7ǟo8g+H0jICB9ҔlooFeOWJQݹ!?1! g@L-ƕaDiAX#hBGH[1~ ~1&IE< ,iMPm!ah\6"))Ĵ0m ^ &"7,ǰgL#|- Q ݋쑏ccZ|E,{{GǙ;fSZ,Ws ʾY6@P"`@J]N"@ g  sn ^JDͼ͍$ԇ:m3;%̔,041:la`t.t?Oðq?]_GA͆S+$f)u^ n9 :jeOLg>򽉡{:YՋ)s)aR;:PIJ qXZ~DB(s VVHo u7@F`p3W VjMDO"ӁR:C KTUbWv x1nV?4%WPRh 4 V #vFCT(^GL€،Pr,4[WWiuMzzם~{I4 5{0<;*(hO1v{qt/ۅfdRZ9yN{(S+S~ ׫ˏ[@.wsʑO'c(?^]~ 9;Vu ͳI9)ureN9B}/Z]~sk^"g">"\/ryC@9Ȧc˼=>w槴Ix帝C&J2o-7cENz9.~Qxd\$h{dZc+mDgcHD1KA1_w9S"\2fA8I8\> { opmnxK %> SG075ip~[~r^<^ȬUUj.7m(!O1y}2oف. vo\gU>n{d$oqACxg4[`oeZ7㌰6{ 0AחU]=tfF}ǰiJÉN#ьF7@jdr Er!4螩zĢ N46ǝ́a[; o6eM+5VkZpWrHi3="BS]FTMVYi2ZUٯk% Q<3 .M3^e&MȡN!3pC&J-F@ Ptlώ)UYm\RH6T<'U~ m't j1I525~/#͙P<,cI:Fcc>mTώ;]:sW.vԙ%-H_>=qb^:.~=IT>IxҍHIh/>~ElC~!OG]L`{ , B`p;Щ1 \NJʶ)E9b\Qm`%xa[Ajb=x辉=/lk[ȅn`TLx븝9m{0|>,lp/>:G[ 0rcfz,ƫ li12ePCdk9I;;Q0&|iE-ȓl`Cv_)~ph[?2YA wVǰ>dBO7 S O80Ux|-h\l};xrmx0#Ÿrz,ŀ~UŒBd+KW̵1%X^٠C^"f@0jPLP>9-z0~ L\KkÔüpa#fS {߂ TɴjuXXC *f"Z*bB؉ZIpRMΡmlP aڇl&~H&TH.Yl{ۺнDntUs."ӳ/ 6A|>hy6xL 귖g UjT;IhdM_l+:cSEᘸe=WFq(1{6J†mJPUN91KiK.^|)֦O*LΗ K&|&R2ֱ=RZ`'l/Z6w? _)