Februarys RSA Conference included a panel discussion called “Network Access Control: Industry Giants Debate the Future.” And debate they did: Cisco Systems bragged about 1,500 installed NAC clients; Microsoft said IP Security implementation was easy; and the Trusted Computing Group talked about the plodding pace of creating interoperable NAC standards.
While this particular debate was friendly, its clear that these organizations are gearing up to put their respective NAC frameworks head to head in a contest to see whether midsize and large enterprises are going to be using network- or software-based procedures to check endpoints such as laptops, desktops and a whole host of other network-connected devices.
Then theres the age-old contest of standards-based technology versus, as Kjaja Ahmed of Microsoft puts it, “methods that interoperate for the customer whether or not that process is standardized.”
The panel discussion, which was attended by eWEEK Labs, included all the right organizations, as NAC technology is currently dominated by Cisco, Microsoft and the Trusted Computing Group.
Representing the companies were Russell Rice, Ciscos director of product management; Ahmed, architect, Windows networking security, for Microsoft; and Steve Hanna, distinguished engineer, Juniper Networks, representing the Trusted Computing Group. (Hanna is co-chair of the Trusted Computing Groups NAC initiative and co-chair of the Internet Engineering Task Forces Network Endpoint Assessment working group.)
Despite all you hear about NAC these days, NAC frameworks are still relatively immature and unproven.
Lawrence Orans, Gartner research director and the moderator of the NAC panel at the conference, put it rather bluntly, saying that the frameworks are so immature that Microsoft is not expected to have its NAP (Network Access Protection) ready until the new Windows Server platform ships—likely in the second half of this year—and that he has not seen a single Gartner client actually implement a NAC solution based on the Trusted Computing Groups work.
Ciscos offering is called NAC Framework 2.0, with the “A” in “NAC” standing for “Admissions” rather than the more generally used “Access.”
The Trusted Computing Groups standards-based offering is called Trusted Network Connect.
While the panel members couldnt agree on the primary drivers that were pushing NAC, several common ideas surfaced: NAC technology prevents “sick” systems—whether owned by an organization or brought in by guests—from connecting to the production network, limiting guest access to necessary applications and network resources such as the Internet. NAC technology also checks endpoints (such as laptops, desktops, PDAs and printers) to ensure that they are up-to-date with operating system and application patches, anti-virus signatures and personal firewall settings and that they are not running prohibited applications.
NAC in Practice
NAC in practice
Network, application and security managers who are considering a NAC solution should be clear about the reasons for pursuing controlled network access before entertaining any vendor.
Managers should also keep in mind that NAC falls into the category of products that should be deployed in an IT environment first and then slowly rolled out to the general population of computer users.
In fact, a phased deployment is generally regarded as the best way to go with NAC technology. IT assets should be ranked in importance, with the most sensitive servers, networks and applications protected first. Phased deployments should enable IT managers to learn how critical functions of NAC work—before learning the hard way, with a flood a angry calls to the help desk when users cant connect.
Indeed, enforcement of access policy necessarily means that when an endpoint fails inspection, the machine is blocked from all areas of the network except the remediation VLAN (virtual LAN) or Web site.
In these locations, users can fix simple problems such as out-of-date anti-virus files or get more information on how to remove unauthorized software such as spyware or peer-to-peer applications.
Once remediation is completed, users should be able to go through inspection and gain appropriate network access. This quarantine-remediation-retry loop must be working seamlessly before using NAC in a production network.
As with any technology evaluation, IT managers should look ahead a few years to make sure that any product they evaluate will be viable in the foreseeable future.
In the case of NAC, the future is 802.1x. DHCP (Dynamic Host Configuration Protocol) is often the first enforcement mechanism used to implement NAC, wherein requests for an IP address trigger a posture check on the requesting endpoint.
802.1x provides a method for authenticated communication in the network, but it can be daunting to implement, especially for devices such as printers that may not be able to run an 802.1x supplicant.
Most of the RSA NAC panel agreed that while DHCP enforcement was likely to be seen in the first wave of NAC, IT managers should consider an upgrade path that includes 802.1x to build in greater network security.
Microsofts NAP will come with Windows operating systems with built-in IPSec, Microsofts preferred method for securing communications.
Microsofts Ahmed cited the ease of IPSec implementation, saying it was just an engineering issue. But the Trusted Computing Groups Hanna, speaking as an engineer, stated what was likely on the minds of many in the room: Implementing IPSec is a nontrivial problem.
Technical Director Cameron Sturdevant can be reached at firstname.lastname@example.org.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.