NAC attack Part 1: What is NAC?
Submitted by Mike Rothman on Wed, 2006-05-03 15:57.
Network access control is hot. At all the public venues, in the trade press, in customer conversation - everyone wants to talk about NAC. But as with almost all of the new new things I've seen over the past 15 years, NAC - the term - is being bent, stretched, and manipulated to suit the needs of vendors trying to take a leading role in the space.
So before I start evaluating everyone's strategies and discussing what is important (at a high level anyway), let's level set a bit and get on the same page as to what NAC means to me.
Network access control is about controlling the flow of traffic through a network in order to prevent unauthorized access. That's pretty generic, eh? Doesn't add much clarity, I get that. But I need a sufficiently nebulous definition because the act of ensuring the right folks access the right resources (and nothing else) on the corporate network is becoming very important.
Why? Basically mobility, outsourcing and the "insider threat." I'm sure I've written about these before and certainly discussed them in the webcast I did with ForeScout back in February, but let me revisit them, albeit briefly. Security practitioners do not know where traffic is coming from anymore. It's just as likely that someone will connect into the network from Starbucks or a partner site as from their own desk. You've got external organizations that are taking over key business processes, and they need access to some of your internal data stores. You've also got insiders, some malicious, some not, that will do the wrong thing.
All of this means we need to get a feel for how traffic is flowing through the network and start to apply some policies to it. For a long time, the enemy was outside, so you built a wide and deep moat for protection. We can't make that assumption anymore, so everything is fair game.
There is also a decent amount of confusion about what NAC does. Let me go through the key phases, which is roughly how we'll see the market develop.
- Phase 1, Endpoint admission - this involves checking the hygiene on devices that connect into the network. Do they have AV that works? Have they patched correctly? Are they authorized? Do they have bad software/malware on board? Depending on the answer, they may be put onto a quarantine network - where they can't hurt anything. They could be sent to a remediation server (or site) to fix the issues. Or they may be denied access altogether. There is a lot of overlap with the "endpoint security" market. I expect endpoint security to be subsumed into the category called NAC. That means current endpoint folks better have a NAC story and NAC vendors better interoperate with all of the prevalent endpoint security options.
- Phase 2, Flow control - Once the right folks are on the network, you need to make sure they get to the right stuff. This is the "AC" of NAC and commonly forgotten about in current NAC discussion. I think this is wrong. Sure you need to focus on admitting only the right folks that won't hurt anything, but what happens once they are on? Similar to Web access management, depending on who you are, only the right applications, devices, etc. are available to you. This is a lot harder to implement because it involves reconfiguring the network in real time and assigning different resources to different groups very quickly. I guess that's why most folks don't want to talk about Phase 2.
- Phase 3, Real time automated policy - The holy grail of NAC is to be able to enforce (and change) policies in real time without administrator intervention. Cisco calls this the "self-defending network." They do have great marketing.
So if a device all of a sudden starts to behave erratically, it's pulled off the network. If you find an issue, you may want to cordon off the application traffic instantaneously. This involves greater intelligence and is even further away. There is also some resistance to automatically reconfiguring anything in the end user community. Most don't even use the blocking capability of IPS because they are scared of false positives. Just imagine if you bungle a NAC policy and your email is offline. That's a bad day for you, so the policy controls (and testing) must dramatically improve for folks to get comfortable with this.
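To make the three phases concrete, here is an added example (not from the original post, and not any vendor's product) of a toy NAC policy engine: Phase 1 turns an endpoint's hygiene answers into admit/remediate/quarantine/deny, Phase 2 maps an admitted identity group to the resources it may reach, and a monitor-versus-enforce switch reflects the Phase 3 worry about a bungled policy taking email offline. The check ordering, group names and resource names are assumptions I constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ADMIT = "admit"            # full access, subject to Phase 2 flow rules
    REMEDIATE = "remediate"    # may only reach the remediation server
    QUARANTINE = "quarantine"  # isolated network where it can't hurt anything
    DENY = "deny"              # no network access at all

@dataclass
class Posture:
    device_id: str
    authorized: bool      # is the device/user known to us?
    av_running: bool      # does it have AV that works?
    patched: bool         # has it patched correctly?
    malware_found: bool   # is there bad software on board?
    group: str = "guest"  # identity group used for Phase 2 flow control

# Phase 1, endpoint admission. Assumed ordering: the worst finding wins.
def admission_decision(p: Posture) -> Decision:
    if not p.authorized:
        return Decision.DENY
    if p.malware_found:
        return Decision.QUARANTINE
    if not p.av_running or not p.patched:
        return Decision.REMEDIATE
    return Decision.ADMIT

# Phase 2, flow control. Constructed mapping of group -> reachable resources.
FLOW_POLICY = {
    "employee": {"email", "intranet", "file-share"},
    "partner": {"partner-portal"},
    "guest": {"internet"},
}
REMEDIATION_ONLY = {"remediation-server"}

def allowed_resources(p: Posture) -> set[str]:
    d = admission_decision(p)
    if d is Decision.ADMIT:
        return set(FLOW_POLICY.get(p.group, set()))
    if d is Decision.REMEDIATE:
        return set(REMEDIATION_ONLY)
    return set()  # quarantine and deny reach nothing

# Phase 3 caveat: run new policy in monitor mode first. The verdict is
# recorded, but the device keeps its normal group access until you enforce.
def evaluate(p: Posture, enforce: bool = False) -> tuple[Decision, set[str]]:
    intended = admission_decision(p)
    if enforce:
        return intended, allowed_resources(p)
    return intended, set(FLOW_POLICY.get(p.group, set()))
```

Compare the monitor-mode and enforce-mode results for the same endpoint before flipping the switch; that diff is the false-positive review the post says most shops skip.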
In the next post, I'll look at a series of posts made by John Gallant of NetworkWorld that detail the NAC strategies of Cisco, Juniper, Microsoft, and the Trusted Computing Group.