SysManNews
AS OF 8/20/2008 9:20AM EST
Network Security: Getting the NAC of It
By Jennifer deJong

July 15, 2008 — The old way was easy. Build a wall to keep them out. Open the door only to those who know the code.

But in a climate where employees routinely conduct business on the road, partner with outside contractors for brief engagements and work from home, the physical boundaries of the enterprise are disappearing. And the police-the-perimeter approach to keeping intruders out is no longer effective for managing network access.

“The perimeter is disappearing fast,” said Cisco solutions marketing manager Steven Song. It used to be enough to put up a firewall and secure the borders and set up remote access for employees working outside company walls, he said. “But there is no clear security boundary anymore.”

As a result, network access can no longer be regulated the same way, said Ray Wizbowski, vice president of secure network access tools provider ForeScout Technologies. Today, a network security strategy has to address the needs of mobile employees who may connect from several different locations in a single day, not necessarily using the same device, he said. “The salesperson needs access from the hotel, from Starbucks, from the customer’s office and from home, after hours.”

In addition to ensuring that an employee is who he says he is—and granting access to e-mail, the Internet and key company data accordingly—network administrators have to make sure that mobile employees don’t subject the company network to new threats such as viruses and worms. When mobile workers connect from the outside, they have missed updates for their machine and they might also have contracted something, said Wizbowski. “You have to manage that risk.”

Is It Safe?
One way to do that is NAC, which stands for Network Access Control or Network Admission Control. NAC is essentially a set of tools and a strategy for securing access to e-mail, the Internet and corporate data that reside on the company network—regardless of where mobile workers are physically located when they request those resources and what device they are using.

What NAC solutions include varies from toolmaker to toolmaker, but the concept marries two basic ideas: “The ability to check on end users and the ability to check on devices,” said Song. In other words, NAC offerings make sure a user is who he says he is and they also zero in on what device is being used to access the network.

Understanding those two things enables network administrators to grant or deny access according to pre-defined policies. And it also lets them enforce security measures and take the necessary action, such as scanning an incoming laptop for infected files. The ability to detect the device—not just the user—adds a critical piece of security, said Wizbowski. “If you can’t see the device, you can’t enforce the policy.”

If there’s a problem with a user or an incoming machine—a virus is detected, for example—the machine can be quarantined so as not to infect the rest of the network, said Wizbowski. Of course, NAC tools can be configured to deny access entirely. But unless that is warranted—as in the case of a hacker masquerading as an employee—a more moderate approach is a better first line of defense, he said. “If you block connectivity, employees can’t do their jobs.” Network administrators have traditionally come down hard on anyone who doesn’t comply with the letter of the law. But it’s crucial to consider business continuity as well, he said. “You have to ensure the productivity of the network and the productivity of the user.”

There are a lot of options for devices that have violated a policy, said Wizbowski. Step one is alerting IT and informing the user. For example, a NAC tool can issue a trouble ticket, letting the salesperson and IT know that anti-virus software is due for an update. The next level is taking remediation measures, such as downloading anti-virus patches or redirecting the browser to update itself, he said. “You can do it transparently from behind the scenes, putting in motion a background activity to fix the problem.”

Managing this effectively is a matter of setting policies. A lot of organizations make decisions based on the device accessing the network, said Rich Campagna, senior product line manager at Juniper Networks, which sells a wide range of network and security products. If the employee uses a personal device (a home desktop, for example) instead of a corporate-issued machine, the policy may permit network access but place some resources out of reach, he said. For example, “You can get e-mail and Internet, but not the CAD drawings [that reside on the company network].”

What’s allowed and what’s not is often determined by industry and by company culture, said Song. “Banks tend to have strict policies in place. ‘If the computer does not belong to our bank, we disallow it.’ But engineering companies are typically much looser.” They may let employees use any computer to access the network, largely because employees demand it, he said. “They say, ‘If you allow us to use only IT assets, you are preventing us from doing our jobs.’” These issues have to be determined ahead of time, said Song. “You have to decide what you are going to do, and get buy-in from the parties involved.”

Figuring out who is allowed to access what, and on what device, is typically done by defining groups of users (HR, finance, marketing) and associating permissions with each group. “But trying to manage access and define the rules breaks down when you have 10,000 employees,” said chief logging evangelist Anton Chuvakin of LogLogic, which sells data capture software.

An alternative is to simply set up rudimentary policies up front (setting crucial data off limits) and then monitor employee behavior and look for deviations that occur. If a user touches a file he has no business accessing, an alert is triggered. “You can discipline the user, blocking in real time, if necessary.” That data helps tweak access control policy, instead of having to define every scenario up front, he said.
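The policy logic described above (identity check, device check, group permissions, restricted access for personal devices, quarantine-and-remediate rather than outright denial, and the stricter "bank" variant that disallows non-corporate machines) as a small decision function. This is an added illustration, not code from any of the vendors quoted; the groups, resource names and posture fields are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"              # full access for the user's group
    RESTRICTED = "restricted"    # e.g. e-mail and Internet only
    QUARANTINE = "quarantine"    # isolate and remediate in the background
    DENY = "deny"                # block connectivity entirely


@dataclass
class Endpoint:
    user: str
    group: str              # HR, finance, engineering, sales ...
    authenticated: bool     # "is the user who he says he is"
    corporate_asset: bool   # IT-issued machine vs. personal device
    av_up_to_date: bool     # posture check on the device
    infected: bool          # scan of the incoming machine found malware


# Constructed policy: resources each group may reach from a corporate asset.
GROUP_RESOURCES = {
    "engineering": {"email", "internet", "cad"},
    "finance": {"email", "internet", "ledger"},
    "sales": {"email", "internet", "crm"},
}
# Resources a personal device may reach regardless of group.
PERSONAL_DEVICE_RESOURCES = {"email", "internet"}


def evaluate(ep: Endpoint, allow_personal_devices: bool = True):
    """Return (decision, granted resources, actions for IT and the user)."""
    if not ep.authenticated:
        return Decision.DENY, set(), ["log failed authentication"]
    if ep.infected:
        return Decision.QUARANTINE, set(), ["isolate host", "ticket: malware found"]
    if not ep.av_up_to_date:
        # Remediate transparently instead of blocking the employee outright.
        return Decision.QUARANTINE, set(), ["ticket: AV update due", "push AV update"]
    allowed = set(GROUP_RESOURCES.get(ep.group, set()))
    if not ep.corporate_asset:
        if not allow_personal_devices:          # the strict "bank" policy
            return Decision.DENY, set(), ["ticket: non-corporate device refused"]
        return Decision.RESTRICTED, allowed & PERSONAL_DEVICE_RESOURCES, []
    return Decision.ALLOW, allowed, []
```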

Trouble Can Lurk

Many attacks originate from legitimate, authorized users, said Campagna. “You need to be able to detect what’s happening on the network and react in real time.” If a user is sending text to a back-end application server, for example, that may be an attempt to steal crucial company information, he said. “You have to shut off access and take action on the user.”

Knowing an employee is authorized to use the network is just a first step, echoed Lancope VP of engineering Jason Anderson. Lancope sells tools that monitor network behavior. “You have to protect company resources and make sure employees continue to behave,” he said.

Behavior that breaks the network security rules isn’t necessarily malicious in intent, said Anderson. For instance, an employee who has been granted access to the company financial outlook for the fourth quarter may share that data with a colleague, accidentally exposing the enterprise. “It’s hard to anticipate when that might happen. You have to clean up afterwards.”

Another activity that isn’t malicious, but that most companies want to watch out for, is the use of technologies such as streaming video that take up a lot of bandwidth without contributing to employee productivity. “You have to determine what is business traffic and what’s not, and take action accordingly,” said SonicWALL product manager Matthew Dieckman.

Managing bandwidth-hogging activities often goes hand-in-hand with HR policies that dictate what Web sites employees are allowed to visit at work, he said. Such policies are designed to prevent employees from engaging in activities like online shopping on company time.

“People engage in more risky behavior when the boss isn’t looking,” noted Song. “You have to keep an eye on them.”
