Blocking Insecure Network Clients

You can have the finest perimeter security around, but if someone connects an insecure client inside your network, you've got a big problem. The Cisco Network Admission Control Program could help, and it's not the only system for qualifying clients before

One of the problems I hear about all the time, from analysts and vendors alike, is that of rogue mobile clients. Youve got perimeter defenses on your corporate network worthy of the Maginot Line, but mobile users can still travel, connect to the Internet on the road, pick up a germ on their notebook and release it when they log back in at the office.

There are many products and good practices to prevent this, but one of the trends I see developing is that of qualifying clients to connect to the network. When attempting to connect, the client is first queried for whether it meets any of a number of security parameters: Is it running a recent version of antivirus software? Are the definitions up to date? A firewall? Are critical Windows patches applied?

Ive seen this approach taken by a number of vendors, usually with a proprietary approach. The Symantec Series 300 small business security appliances can be set to enforce use of most Symantec antivirus clients. Another appliance vendor Ive been talking with has similar support for McAfees clients in beta.

But the most interesting and comprehensive approach to this is the Cisco Network Admission Control program (NAC). Its still not exactly clear what NAC will turn out to be, but at a minimum it will be a powerful tool for Cisco customers. Taken all the way, it could turn into a general framework for client security policy enforcement. It all depends on how much Cisco decides to open up.

I talked to David King, a director in Ciscos VPN and security business, about NAC. According to King, Cisco observed about a year and a half ago that conventional network defenses, such as firewalls and antivirus gateways, were not successful enough. (Gee, you must need an expensive consultant to tell you that; never would have occurred to me.)

Networks are porous for lots of reasons, not least of which is the traveling employee mentioned above. NAC helps to create what Cisco calls the "self-defending network."


For insights on security coverage around the Web, check out Security Center Editor Larry Seltzers Weblog.

Next page: How Ciscos NAC program works.