Layer 4: Network Access ControlBy John Moore | Posted 2007-05-14 Email Print
As attacks on enterprise systems grow more sophisticated and diverse, companies need to rethink their defense strategies. In this special report, experts offer new and better ways to protect vital information resources.
Layer 4: Network Access Control
Network access control products NAC for short operate similarly to identity management applications: They aim to let trusted parties into the network. In the case of network access control, however, the parties involved are machines rather than people. NAC products check devices connecting to the network for vulnerabilities, admit those that pass muster and quarantine offending machines for remediation.
NAC vendors include Aventail, Cisco, ConSentry, Juniper, Microsoft, Nevis Networks and StillSecure. Pricing typically starts at $4,000 to $5,000.
The Upper Canada District School Board, based in Brockville, Ontario, turned to network access control to address several problems. For one, teachers and students often use their own laptops on the school's network. The unmanaged devices sometimes introduced malware infections when they connected to the school's network, and that led to network downtime.
"Teachers and students feel they own the network and I.T. resources, and want to bring their own devices into the network, connect and access all the resources," says Jeremy Hobbs, the school board's chief information officer.
Upper Canada selected Nevis Networks' LANenforcer to get a better handle on devices seeking network resources. The school district runs five Nevis NAC appliances in its data center, along with one LANsight system. LANsight provides centralized configuration and monitoring for the LANenforcer systems.
The appliances conduct what Nevis calls an "end-point integrity check" on devices requesting network access. This check assesses whether a device has up-to-date operating system patches and current antivirus software. Machines that fail the test are quarantined shunted to an isolated segment of the network until their vulnerabilitiesare rectified.
Hobbs cites end-point scanning as a key driver for the deployment. NAC vendors refer to this feature as a pre-admission control. But the technology is also important for keeping tabs on devices once they enter the network, a task vendors describe as post-admission control. Hobbs says he has seen evidence that students have used a range of hacking utilities including port scanners and password crackers to probe the school district's data center.
Upper Canada, however, plans to use network access control to blunt attempts to crack internal systems. The school district, according to Hobbs, intends to "round out our implementation of policies on the Nevis appliances to respond to hacking tools by shutting down the port in question for a predetermined period of time."
Hobbs says that having one's identity management house in order is critical before launching a NAC deployment. This is particularly true regarding post-admission control, which comes into play after admission is granted and role-based access is reviewed.
"Getting a grip on identity is essential," Hobbs explains, noting that a "granular understanding of user identity" drives the school district's access approach.
Two years ago, the district's schools operated as 120 Windows NT 4.0 domains, each with local authentication. Upper Canada has since adopted a centralized ID management system built around Microsoft's Active Directory and Identity Integration Server. The latter integrates with Active Directory, providing a single source of identity information. The Identity Integration Server provisions Active Directory accounts to network users, placing them in the appropriate security group.
LANenforcer serves as the school district's enforcement mechanism, using the identity information from Active Directory to permit or restrict access to applications. In this context, network access control becomes "a layer that differentiates access based on identity," Hobbs says.
But that layer would not have been as effective without the centralized identity store, Hobbs suggests. "I think it would have been a different experience if we hadn't already made that investment in identity-driven infrastructure," he says. "We get that much greater bang for the buck having done some of the homework behind the scenes."