
14 March 2008

Network Access/Admission Control

Some reports state that 70% of attacks are internal attacks. Perimeter firewalls and Intrusion Prevention Systems are really good at protecting us from external attacks, but what about protecting the users from each other?

But wait a minute, I know what you are thinking now: "Screw these reports, my employees are decent people, and I believe they have no intention of harming their company's resources!" Yes, you are right, they may not have bad intentions, but what if their antivirus is not up to date? Isn't it possible that they carry a worm they are not aware of, which may propagate into your network and cause some damage there? What about P2P applications? Don't you warn them against using them because they eat all your bandwidth? Do they really listen to you? And what about those guests in your meeting room, or those guys who came today to fix some server in your server room, who decided to plug their laptops into your network to download some stuff from the internet? Can't they simply send or receive traffic that they are not supposed to send or receive?

We were installing the LAN infrastructure of one of the major financial institutes here in Egypt a long while ago, and I was supposed to find out the best way to deploy such equipment from a security point of view. So, one of the features that we decided to enable on the switches was IEEE 802.1X, which is a protocol used to authenticate the hosts and/or the users before giving them access to the network, i.e. a Network Access Control solution. But you know what, IEEE 802.1X is really cool, and it may help in solving some of the problems mentioned earlier, but in real life they never deployed it, and neither have many other customers.

Controlling users' and hosts' access to your network based on their identities is really useful, but not sufficient. We still need more visibility and more granular control. A certain host may have valid credentials to access your network, but that host may still not be healthy - it may not have End-Point Security software installed - and giving it access to your network may harm other resources connected to it. What you really need here is a combination of Network Access and Admission Control. And here comes the new trend in network security, NAC. It's a solution that can check the different hosts before admitting them to the network, and it can also control the different switches and access points, and create dynamic rules on your firewalls and IPSs in order to granularly control the access given to each host to the various resources in the network based on its identity and security posture.
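To make the two-stage idea concrete, here is an added example (not code from the original post or from any vendor) of a toy NAC policy engine: identity first (the 802.1X result and the user's role), then posture (antivirus signature age, required agent, patch level), with the outcome expressed as a VLAN assignment. The policy values, host records and VLAN numbers are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed health policy: what a host must satisfy to be admitted to production.
POLICY = {
    "max_av_signature_age_days": 7,
    "required_agents": {"endpoint-security"},
    "min_os_patch_level": 3,
}
# Constructed VLAN plan: production, internet-only guest, and an isolated remediation segment.
VLANS = {"production": 10, "guest": 20, "remediation": 30}

@dataclass
class Host:
    mac: str
    authenticated: bool               # outcome of the 802.1X exchange, as reported by switch/RADIUS (assumed)
    role: str                         # "employee" or "guest", looked up in the identity store (assumed)
    av_signature_date: Optional[date]  # None if no antivirus is reporting at all
    agents: set = field(default_factory=set)
    os_patch_level: int = 0

def posture_findings(host: Host, today: date) -> list:
    """Admission control: list every way the host fails the health policy (empty = healthy)."""
    findings = []
    if host.av_signature_date is None:
        findings.append("no antivirus reporting")
    elif (today - host.av_signature_date).days > POLICY["max_av_signature_age_days"]:
        findings.append("antivirus signatures out of date")
    missing = POLICY["required_agents"] - host.agents
    if missing:
        findings.append("missing agents: " + ", ".join(sorted(missing)))
    if host.os_patch_level < POLICY["min_os_patch_level"]:
        findings.append("OS patch level too low")
    return findings

def admission_decision(host: Host, today: date) -> tuple:
    """Access control (who you are) first, then admission control (how healthy you are)."""
    if not host.authenticated:
        return ("deny", None, ["802.1X authentication failed"])   # unknown device: no port access
    if host.role == "guest":
        return ("guest", VLANS["guest"], [])   # guests only ever reach the internet-only VLAN
    findings = posture_findings(host, today)
    if findings:
        # Valid credentials but unhealthy: isolate where only remediation servers are reachable.
        return ("remediation", VLANS["remediation"], findings)
    return ("production", VLANS["production"], [])

# Constructed sample hosts evaluated against a fixed date.
TODAY = date(2008, 3, 14)
HEALTHY = Host("00:11:22:33:44:01", True, "employee", date(2008, 3, 12), {"endpoint-security"}, 4)
STALE_AV = Host("00:11:22:33:44:02", True, "employee", date(2008, 2, 1), {"endpoint-security"}, 4)
GUEST = Host("00:11:22:33:44:03", True, "guest", None)
UNKNOWN = Host("00:11:22:33:44:04", False, "employee", None)
```

The point of the remediation branch is that a host with valid credentials is still not trusted until its posture passes; in a real deployment the VLAN or firewall rule change would be pushed to the switch or IPS by the NAC server.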

Some vendors have decided to build on the existing IEEE 802.1X standard in order to make sure that their solution will work in heterogeneous environments where there are different switch and security vendors. Others decided to create their own proprietary protocols from scratch, and others decided to keep their controls and policies in the hosts themselves by installing agents there instead of relying on the existing infrastructure. And for sure some had mixtures of all the above.

References and Vendors:
Network World, NAC Topics
Got the NAC Blog, Steve Hanna
TechNet, NAP Blog
Cisco Systems, NAC Appliance (Clean Access)
Juniper Networks, Unified Access Control
Microsoft, NAP (Network Access Protection)
Symantec, Network Access Control
McAfee, Network Access Control
CanSentry Networks, Intelligent Switches
