Primer: Network Access Control

By David F. Carr

Network Access Control looks at every network plug in your company for potential threats, not just outside connections.

What is it? Network Access Control takes a proactive approach to identifying insecure and possibly corrupted computers quickly—before they get permission to connect to your network. Instead of applying strict controls only to connections coming from outside the corporate firewall, proponents of NAC say every network plug in every cubicle and conference room ultimately should be treated with the same suspicion and scrutiny.

Why should I care? NAC is attracting attention as companies come to grips with mobile computing, remote access, and wireless networking technologies that give cyber security threats an opportunity to sneak right past the firewall. Dynamic Host Configuration Protocol (DHCP) servers, which automatically assign an IP address to computers requesting network connectivity, make it easy for a contractor or other visitor to plug a laptop into your company's network, even without having privileges on specific corporate systems. If that laptop is infected with malicious software, it can wreak havoc.

How does this fit in with other technology? A networking standard called 802.1X helps address this requirement. Network switches and wireless access points that support 802.1X make it possible to challenge the identity of users and the integrity of a laptop or desktop PC before it is assigned an IP address. The integrity check can determine whether the computer has received the latest antivirus updates and operating system security patches.

Do I need equipment that supports that standard? No, but 802.1X support in equipment makes it easier to implement a better system. Most wireless access points now support the standard; wired network nodes typically do not, although network equipment manufacturers are beginning to include 802.1X in their high-end products. NAC systems must also support alternate approaches, such as embedding client integrity checks in DHCP server software.
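The integrity check described in the two answers above (whether 802.1X on the switch or a DHCP server performs it) amounts to a policy decision over a client's posture report. The following Python script is an added example, not code from the article or from any NAC product: it models a posture report with antivirus signature date, OS patch level and host-firewall state (field names, thresholds and VLAN names are assumptions), evaluates it against a policy, and maps the result to an enforcement decision. It also covers the case the article raises of a visitor laptop that sends no report at all, which a NAC system treats as non-compliant rather than unknown.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Posture:
    """Integrity report a NAC client agent supplies before the host is given
    an address. Field names are assumptions made for this example."""
    av_signature_date: date   # date of the last antivirus definition update
    os_patch_level: int       # patch baseline number; higher means more current
    firewall_enabled: bool


@dataclass(frozen=True)
class Policy:
    """Minimum posture the network owner requires (values are assumptions)."""
    max_av_age: timedelta
    min_patch_level: int
    require_firewall: bool


def evaluate(posture: Posture, policy: Policy, today: date) -> List[str]:
    """Run the integrity checks and return the failures (empty = compliant)."""
    failures: List[str] = []
    if today - posture.av_signature_date > policy.max_av_age:
        failures.append("antivirus definitions out of date")
    if posture.os_patch_level < policy.min_patch_level:
        failures.append("operating system patches missing")
    if policy.require_firewall and not posture.firewall_enabled:
        failures.append("host firewall disabled")
    return failures


def admit(host: str, posture: Optional[Posture], policy: Policy,
          today: date) -> Dict[str, object]:
    """Map the check result to an enforcement decision.

    Compliant hosts go on the production VLAN. Anything else, including a host
    that sent no posture report at all (a visitor laptop without the client
    agent), goes on a remediation VLAN that reaches only the update servers.
    Failing closed is the point: an unknown host is not a trusted host.
    VLAN names are assumptions."""
    if posture is None:
        return {"host": host, "vlan": "remediation",
                "reasons": ["no posture report"]}
    failures = evaluate(posture, policy, today)
    if failures:
        return {"host": host, "vlan": "remediation", "reasons": failures}
    return {"host": host, "vlan": "production", "reasons": []}


# Constructed sample data: one policy and three hosts requesting access.
POLICY = Policy(max_av_age=timedelta(days=7), min_patch_level=10,
                require_firewall=True)
TODAY = date(2005, 12, 6)
SAMPLE_HOSTS: Dict[str, Optional[Posture]] = {
    "desktop-ok": Posture(date(2005, 12, 5), 12, True),
    "laptop-stale": Posture(date(2005, 11, 1), 7, False),
    "visitor-laptop": None,   # plugged in, no agent, no report
}


def run_sample() -> Dict[str, Dict[str, object]]:
    """Evaluate every sample host and return the decisions keyed by host name."""
    return {name: admit(name, posture, POLICY, TODAY)
            for name, posture in SAMPLE_HOSTS.items()}


if __name__ == "__main__":
    for decision in run_sample().values():
        print(decision)
```

The decision function returns the list of failed checks alongside the VLAN assignment so that the remediation network can tell the user what to fix; a production NAC system would log the same information for the security team, since a sudden rise in non-compliant hosts is itself a signal worth watching.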

Is there a single approach? Not yet. The Trusted Computing Group, a standards organization devoted to hardening computers against attack, has a Trusted Network Connect subcommittee working on this issue. In May, this group released a set of programming interfaces for vendors of antivirus, firewall, and other security products to support as part of a standard NAC architecture. It is currently working on a set of data transmission standards for communication between client computers and security servers.

Meanwhile, Cisco has enlisted its own circle of security systems vendors to support its NAC framework. Because of Cisco's market power, this could become a de facto standard for its customers, and Cisco has also pledged to submit the basic protocols to the Internet Engineering Task Force as a standards proposal by the end of 2006.

The third major effort is Microsoft's Network Access Protection initiative, scheduled to be included in a 2007 release of the Windows server operating system.

How bleeding-edge is this? Few organizations have deployed full-fledged network access control security, although many are investigating it, particularly in security-sensitive industries such as finance, health care and defense.

"Everybody's looking at it, but not many are deploying it," says Steve Hanna, senior engineer at security vendor Funk Software and a co-chair of the Trusted Network Connect group. "Anytime you're coming between your users and their business needs, you'd better make sure there's not a roadblock there."

This article was originally published on 2005-12-06
David F. Carr is the Technology Editor for Baseline Magazine, a Ziff Davis publication focused on information technology and its management, with an emphasis on measurable, bottom-line results. He wrote two of Baseline's cover stories focused on the role of technology in disaster recovery, one focused on the response to the tsunami in Indonesia and another on the City of New Orleans after Hurricane Katrina. David has been the author or co-author of many Baseline Case Dissections on corporate technology successes and failures (such as the role of Kmart's inept supply chain implementation in its decline versus Wal-Mart or the successful use of technology to create new market opportunities for office furniture maker Herman Miller). He has also written about the FAA's halting attempts to modernize air traffic control, and in 2003 he traveled to Sierra Leone and Liberia to report on the role of technology in United Nations peacekeeping. David joined Baseline prior to the launch of the magazine in 2001 and helped define popular elements of the magazine such as Gotcha!, which offers cautionary tales about technology pitfalls and how to avoid them.