Day 6 of Incite: Get the NAC!
Submitted by Mike Rothman on Thu, 2006-01-19 17:11.
The increasing number of ingress points into corporate networks (mobile, contractors, VPN) forces users to migrate to a virtual network infrastructure with a secure net and an unsecured net. Network Admission Control (NAC) architectures gain traction in 2006 to facilitate this architectural construct, but do require homogeneity of equipment, pushing the pendulum away from best-of-breed providers.
A couple of years ago, I worked with Dr. Peter Tippett, now CTO of CyberTrust. He used the term “Disappearing Perimeter” frequently to describe the need to open systems and networks up to trading partners and other folks that you may not have control over. I have no idea if he made up the term, or co-opted it from someone else, but it was a bit ahead of its time.
But now we have this issue in spades. Employees travel around the globe and connect into your networks over some pretty promiscuous networks. You ever see some of the characters that are pounding away at their laptops at hotels or Starbuck’s? You’ve got wireless access permeating your offices as well, probably intentionally since it does help productivity to be always connected.
We’ve got applications that are designed to be “open” and to share data, so these web services need to be available over the Internet. You’ve got “on-demand” services, where your enterprise applications (which house some presumably sensitive information) reside outside of your control. You’ve also got rampant outsourcing, especially of engineering and call center activities (no I’m not going to address the politics of outsourcing). This requires external personnel to access your most critical data (software intellectual property and customer account information) from outside of your organization.
Thus, we no longer have a choice. We’ve got to provide access to critical resources from external, unprotected, promiscuous networks. We’ve also got to allow non-employees to access resources from inside the perimeter. The Disappearing Perimeter is now reality.
Does that mean we just give up on regular perimeter defenses? Of course not. The vast majority of attacks still come through web, e-mail and application attacks from external, non-trusted devices. So you still need to have a strong perimeter posture. I guess there is a theory that if your internal network is very secure, you don’t need a strong perimeter. I think that theory is stupid.
Architecturally, the answer is to have (at least) two “virtual” networks, one secured to provide access to the corporate resources for “trusted” users. This is what I call the “secured” network. The other (“unsecured”) segments traffic from untrusted users to another network to ensure unauthorized parties are not doing damage. I get that my selection of words (secure/unsecure) in the Incite may be a bit confusing, since you still need to provide security on the “unsecured” net. But hopefully you get the picture.
The answer lies in NAC or Network Admission Control. Some folks call it Network Access Control. NAC is interesting because we as security professionals have not been able to control who gets access to what since the days of the mainframe. Those wacky LANs and PCs really messed things up. NAC gives us the ability to enforce a rather sophisticated policy on the network to make sure only the right people, running the right software, access the network.
Historically, if hackers got access to an Ethernet jack on your internal network they had free rein. They could scan your network, map your resources and find the soft spots to attack. With NAC you can shield sensitive resources and/or segments (like HR and Finance) from those prying eyes, regardless of whether they connect directly to a jack, over WiFi or through the VPN.
You can also check to make sure devices that connect to your network are up to date with the latest patches, software updates, anti-virus, etc. This is especially important for contractors and other outsiders who use their own devices on your network, and for mobile employees who may contract malware on public networks. Additionally, NAC helps for compliance purposes, since being able to show a policy of who is able to access which resources demonstrates strong “controls.”
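To make that policy concrete, here is an added example (not from the original post or any vendor's product) of a toy admission decision: it sorts an endpoint onto the secured, unsecured or quarantine network from the user's role and a patch/anti-virus posture check, then gates the HR and Finance segments on top of that. Network names, roles and the 30-day/7-day thresholds are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed example: a minimal NAC admission policy that maps each
# connecting endpoint onto one of the "virtual" networks described above.
# Network names, roles and thresholds are assumptions, not a product's config.
SECURED, UNSECURED, QUARANTINE = "secured", "unsecured", "quarantine"

# Sensitive segments reachable only from the secured net, and the roles allowed in.
SENSITIVE_SEGMENTS = {"hr": {"hr"}, "finance": {"finance"}}


@dataclass
class Endpoint:
    user: str
    role: str                   # "employee", "hr", "finance", "contractor", "guest"
    managed_device: bool        # corporate-owned vs. contractor's own laptop
    patch_age_days: int         # days since the last OS patch was applied
    av_signature_age_days: int  # days since the anti-virus signatures were updated
    access_method: str          # "wired", "wifi" or "vpn"; the policy is the same for all


def posture_ok(ep, max_patch_age=30, max_av_age=7):
    """Health check: patches and anti-virus signatures within the allowed age."""
    return ep.patch_age_days <= max_patch_age and ep.av_signature_age_days <= max_av_age


def admit(ep):
    """Return (network, reason). The access method is deliberately ignored:
    a jack, WiFi and VPN all get the same decision."""
    if ep.role == "guest":
        return UNSECURED, "guests never reach corporate resources"
    if not posture_ok(ep):
        # Out-of-date patches or AV: isolate until remediated (the NAC quarantine net).
        return QUARANTINE, "posture check failed"
    if not ep.managed_device:
        # Healthy but unmanaged (e.g. a contractor laptop): Internet access only.
        return UNSECURED, "unmanaged device"
    return SECURED, "trusted user on a healthy managed device"


def can_reach(ep, segment):
    """Sensitive segments need the secured net AND an authorised role."""
    network, _ = admit(ep)
    return network == SECURED and ep.role in SENSITIVE_SEGMENTS.get(segment, set())
```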
In terms of deployment, there are lots of options for NAC. Some solutions require a client on each protected desktop and some don’t. Some are inline, meaning all traffic flows through the box and some use a management port or network tap to access the traffic without being in flow. Some enforce the policies on their own equipment and some reconfigure the switches and routers depending on the policy. As you can see, with NAC you have lots of options, so you’ll be doing a lot of research to figure out what makes sense for your environment.
The question should arise regarding whether this class of product is actually necessary, given my penchant for simplicity. To be clear, you can segment different users onto different subnets and effectively firewall off sensitive networks through existing network switching mechanisms. But it’s not real time, it’s very time consuming, and it’s hard. But besides that, it’s a great strategy. So yes, I think pretty much every company of size should be looking at NAC. Yes, I believe NAC is poised to be a big market. How big is a matter of opinion.
But, there is a catch. Very few organizations have homogeneous networks, supplied by one vendor. If you do, then implementation should be pretty straightforward. All the large vendors have some kind of NAC strategy. Be aware you’ll likely need to upgrade all of your equipment to the latest revs to get this advanced functionality. If not, then a key selection criterion for your vendor will be how easily (and dare I say, simply) the new equipment fits into your existing infrastructure.
This year you will see a big effort on the part of the network infrastructure vendors, especially Cisco, to use NAC and “policy management” as big levers to push both for upgrades of your existing stuff and to displace other vendors that may not play as well into a NAC infrastructure. The dangers of homogeneity still ring true, but those must be weighed against the ability to cordon off parts of the network flexibly and easily. If you can do it without embracing a single vendor (and yes, it can be done), do that. But the path of least resistance for most organizations will be to bet the ranch on one vendor.
That’s Day 6. Tomorrow we’ll talk about content security.