Primer: Network Access Control

What is it? Network Access Control takes a proactive approach to identifying insecure and possibly corrupted computers quickly—before they get permission to connect to your network. Instead of applying strict controls only to connections coming from outside the corporate firewall, proponents of NAC say every network plug in every cubicle and conference room ultimately should be treated with the same suspicion and scrutiny.

Why should I care? NAC is attracting attention as companies come to grips with mobile computing, remote access, and wireless networking technologies that give cyber security threats an opportunity to sneak right past the firewall. Dynamic Host Configuration Protocol (DHCP) servers, which automatically assign an IP address to computers requesting network connectivity, make it easy for a contractor or other visitor to plug a laptop into your company’s network, even without having privileges on specific corporate systems. If that laptop is infected with malicious software, it can wreak havoc.

How does this fit in with other technology? A networking standard called 802.1X helps address this requirement. Network switches and wireless access points that support 802.1X make it possible to challenge the identity of users and the integrity of a laptop or desktop PC before it is assigned an IP address. The integrity check can determine whether the computer has received the latest antivirus updates and operating system security patches.

Do I need equipment that supports that standard? No, but 802.1X support in equipment makes it easier to implement a better system. Most wireless access points now support the standard; wired network nodes typically do not, although network equipment manufacturers are beginning to include 802.1X in their high-end products. NAC systems must also support alternate approaches, such as embedding client integrity checks in DHCP server software.
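The identity challenge and integrity check described in the two answers above (802.1X authentication first, then an antivirus-freshness and patch-level check before the endpoint gets normal network access) can be modelled as a small policy decision. The following is an added example written for this primer, not code from any NAC vendor, the Trusted Network Connect work, or the Cisco or Microsoft frameworks; the `PostureReport` fields, the `Policy` thresholds, the patch identifiers and the sample endpoints are all constructed assumptions. It shows the three outcomes a practitioner cares about: full access, a remediation quarantine with user-facing reasons, and denial when authentication fails.

```python
"""Added example (not from the primer): a minimal NAC posture-check policy.

Models the integrity check described in the text: after the 802.1X identity
challenge, a policy server inspects the endpoint's posture report (antivirus
signature age, missing OS patches) and returns ALLOW, QUARANTINE or DENY.
All names, thresholds and sample reports are assumptions constructed for
this example, not any vendor's or standard's schema.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"            # full network access
    QUARANTINE = "quarantine"  # remediation network only
    DENY = "deny"              # no access at all


@dataclass
class PostureReport:
    """Assumed shape of what a client agent reports (hypothetical fields)."""
    host: str
    authenticated: bool                    # result of the identity challenge
    av_signature_date: Optional[date]      # None if no antivirus agent answered
    missing_patches: list[str] = field(default_factory=list)


@dataclass
class Policy:
    """Assumed policy knobs: how stale AV may be, which patches are mandatory."""
    max_av_age_days: int = 7
    critical_patches: frozenset[str] = frozenset()


def evaluate(report: PostureReport, policy: Policy, today: date) -> tuple[Decision, list[str]]:
    """Return the access decision plus the reasons a helpdesk would show the user."""
    reasons: list[str] = []
    # Identity first: an endpoint that fails authentication never reaches the
    # integrity check, mirroring an 802.1X port that stays closed.
    if not report.authenticated:
        return Decision.DENY, ["authentication failed"]
    # Integrity check 1: antivirus agent present and signatures recent.
    if report.av_signature_date is None:
        reasons.append("no antivirus agent reported")
    elif today - report.av_signature_date > timedelta(days=policy.max_av_age_days):
        reasons.append(f"antivirus signatures older than {policy.max_av_age_days} days")
    # Integrity check 2: every patch the policy marks critical is installed.
    missing_critical = sorted(set(report.missing_patches) & policy.critical_patches)
    if missing_critical:
        reasons.append("missing critical patches: " + ", ".join(missing_critical))
    # Anything short of a clean report goes to remediation, not onto the LAN.
    return (Decision.QUARANTINE if reasons else Decision.ALLOW), reasons


def run_samples() -> dict[str, tuple[str, list[str]]]:
    """Evaluate four constructed endpoints against a constructed policy."""
    today = date(2006, 9, 1)  # constructed reference date
    policy = Policy(max_av_age_days=7,
                    critical_patches=frozenset({"PATCH-A", "PATCH-B"}))  # placeholder ids
    reports = [
        PostureReport("desk-01", True, date(2006, 8, 30)),                 # clean
        PostureReport("visitor-laptop", True, None, ["PATCH-A", "OPTIONAL-1"]),  # no AV, missing patch
        PostureReport("stale-av", True, date(2006, 8, 1)),                  # AV 31 days old
        PostureReport("unknown-device", False, date(2006, 8, 31)),          # failed identity check
    ]
    results = {}
    for report in reports:
        decision, reasons = evaluate(report, policy, today)
        results[report.host] = (decision.value, reasons)
    return results


if __name__ == "__main__":
    for host, (decision, reasons) in run_samples().items():
        print(f"{host:16} {decision:11} {'; '.join(reasons)}")
```

Note that a non-critical missing patch (`OPTIONAL-1` above) does not by itself trigger quarantine; the policy, not the agent, decides what is mandatory, which is what keeps the check from becoming the roadblock the primer warns about.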

Is there a single approach? Not yet. The Trusted Computing Group, a standards organization devoted to hardening computers against attack, has a Trusted Network Connect subcommittee working on this issue. In May, this group released a set of programming interfaces for vendors of antivirus, firewall, and other security products to support as part of a standard NAC architecture. It is currently working on a set of data transmission standards for communication between client computers and security servers.

Meanwhile, Cisco has enlisted its own circle of security systems vendors to support its NAC framework. Because of Cisco’s market power, this could become a de facto standard for its customers, and Cisco has also pledged to submit the basic protocols to the Internet Engineering Task Force as a standards proposal by the end of 2006.

The third major effort is Microsoft’s Network Access Protection initiative, scheduled to be included in a 2007 release of the Windows server operating system.

How bleeding-edge is this? Few organizations have deployed full-fledged network access control security, although many are investigating it, particularly in security-sensitive industries such as finance, health care and defense.

“Everybody’s looking at it, but not many are deploying it,” says Steve Hanna, senior engineer at security vendor Funk Software and a co-chair of the Trusted Network Connect group. “Anytime you’re coming between your users and their business needs, you’d better make sure there’s not a roadblock there.”