A Knack for Access
Network access control needs to be an important topic for any organization
- By Richard Hyatt
- Apr 09, 2007
Network access control is one of the hottest topics in IT today. Despite this, available approaches are either fragmented or not ready for widespread implementation. In order to understand this phenomenon, users must evaluate current approaches and understand the process of implementing a NAC solution.
When implementing network access control, the first set of decisions to be made concerns network policy. The first necessary question for a NAC project is: Why does it need to be implemented and what is expected from implementation? Depending on the type of organization evaluating NAC solutions, there are several different answers to fulfill the requirement. ISPs and universities look for solutions to reduce the risk of zero-day exploits and an effective way to meter network access. But a government or healthcare organization will look to NAC solutions to help secure or restrict access to confidential records or data. A corporate enterprise will have an entirely different emphasis in its NAC strategy and goals.
Once a clear understanding is reached as to what drivers are pushing NAC adoption, necessary network admission and use policies will be much easier to design and implement.
Motivators for a NAC Solution
When evaluating NAC alternatives, there are four areas that require due diligence. Depending on drivers for adoption, the type of technology implemented may vary. Organizations must have goals and baseline requirements around authentication, authorization, administration and audit—all of these topics require advanced knowledge of the network. In many cases, IP address management solutions are a key enabling technology that assumes control of these areas to act as the command-and-control center for the network.
Authentication. Identity management is a function of IPAM and is key to NAC and managed networks. Although RADIUS has been the standard in this area, LDAP, Kerberos, Active Directory and RSA/token authentication methods are gaining in popularity. Centralized authentication is as critical to managing network resources as it is for user accounts and file access. NAC works with corporate authenticators to verify user identity and, in some cases, combines information with a hygiene scan prior to granting network access.
Authorization. Allowing only authorized use of a network is accomplished through IP management and traffic-shaping, using technologies such as DHCP, DNS, VLAN, VPN, firewalls, switches, routers and intrusion detection/prevention systems. The ability to enforce network authorization is essential to mitigate threats to a network and to implement acceptable usage policies. Pre-connect NAC solutions (solutions that scan end points with an agent-based architecture prior to granting access to the network) use DHCP as an enforcement point to grant authorized access to the network.
Administration. The ability to monitor devices for traffic throttling and MPLS implementation to ensure quality of service means more in-depth knowledge and active monitoring of end points on the network is required. This level of administration is essential on current networks that mix data and voice traffic, and will only become more important in the future. NAC works alongside DNS, DHCP and other logical services to provide secure access. In large organizations, this adds a high degree of difficulty when thousands of users might be managed. IP address management is typically used alongside NAC to simplify and streamline the administrative burden.
Audit. The ability to audit and report on the state of a network and its hosts is not only essential for administration and security, but may indeed be mandated by external regulations such as SOX and HIPAA. NAC authentication is an essential link that connects the user to information about network usage and permits meaningful network traffic analysis. While NAC does not provide a facility to track access, it does work with IP management solutions to provide comprehensive logging of network access throughout an organization. Not only does this provide accountability, but also an additional level of forensic capability in the event of a breach.
Detection and Monitoring
Once an organization has developed a framework for acceptable network use, a strategy has to be developed around evaluating the host systems that will operate within the confines of the policy. There are various criteria that come into play for different kinds of endpoints. A personal computer running Microsoft Windows® will have a very different type of network profile than a VoIP device. So, some elements of NAC, such as virus and vulnerability scanning for security issues and spyware, would be more appropriate for a personal computer than for securing IP telephony end points. A printer, server or other piece of network infrastructure will have a much different presence on the network than a host system. Each different type of host requires a strategy to ensure it meets the necessary evaluation criteria.
Pre-/Post-Connect
The two principal types of NAC are pre-connect and post-connect. Pre-connect NAC involves determining the health and security level of a device prior to connection to its desired LAN, VLAN or VPN, and then providing an appropriate level of network access. Post-connect NAC involves monitoring behavior and security health of a device after it is connected to the network, and then adjusting its access based on a comparison of the device's behavior and assigned network use policy.
These two strategies must be employed in concert, as a device can be compromised or used in a prohibited way after it has connected to the network. Although pre-connect NAC solutions are still the initial and most essential management point for host devices, networks cannot be considered secure without ongoing monitoring of traffic and host status and behavior.
Visibility and the Moat
Until recently, secure network design has evolved around the principle of us and them. The internal network, where devices could freely intercommunicate, was separated from servers in a demilitarized zone and from the outside world by firewalls and application firewalls/proxies. The best expression of the design philosophy is the NAT gateway, hiding entire networks behind a single IP address. This provides a level of security through obfuscation as administrators create a moat around a permissive internal network. A NAT gateway maps communications from various internal hosts to ports on its single IP address. This has been an effective tool in combating the scarcity of IP addresses on the Internet under the IPv4 protocol by placing internal networks within private, reserved address spaces.
But, devices that communicate using several protocols at once on many ports are overloading the capacity of NAT gateways to translate in real time. Also, some applications, such as VoIP, file sharing and secure communication protocols like IPSec, require endpoints in the communication to have full visibility with each other for security and functionality reasons. This is not possible using a NAT-based infrastructure.
The fact is, on modern networks, threats or attacks are not all launched from the perimeter of the network—the bad side of the moat. Infected client systems and malicious users have changed the level of protection required on internal networks. The spread of various worm viruses in recent years and the system-by-system mitigation approach adopted by anti-virus vendors is a good example of evolution in network security requirements. Microsoft Vista Personal Firewall is a good indicator that the host-level approach to network security will become the future for general network traffic. Modern network hosts need to be protected, and they must be monitored to make sure they are actually protecting themselves. Hosts also need to ensure that their behavior on the network is within the bounds of the network policy framework.
With the evolution of the Internet and other networks onto the IPv6 protocol, end-point visibility will be facilitated by the availability of enough IP addresses to reference all network devices uniquely in a global address space. The pieces are in place to enable newer technologies to move out from behind the NAT gateway. The level of network information and security required to make the transition will require a more sophisticated approach to network management through a modern IPAM system.
Mitigation Questions
IP management can be used as a NAC tool through DHCP, VLANs, VPN and 802.1X. All of these technologies control the membership of a computer on the network and govern the availability of network resources for hosts. Of all of these technologies, only DHCP can be implemented without the use of extra infrastructure hardware beyond what is generally available on a typical network. VLANs, VPN and 802.1X not only require hardware to be implemented, but also add extra traffic and complexity to networks when implemented.
Traffic shaping is an approach that can be implemented by switches, routers or another device that has the ability to manipulate network traffic. These will generally be inline devices through which segments, packets or frames flow. Other options, such as the out-of-band, purpose-built intrusion detection system with built-in threat interception and quarantine capabilities, use ARP manipulation to reactively remove threats from the network before they cause widespread trouble. The essential principle behind the traffic-shaping approach to NAC mitigation is that packets that do not conform to network use policies are manipulated or dropped to mitigate a perceived security risk. Traffic shaping also can be used to create an ad-hoc quarantine to prevent further security issues and enable the client to bring host systems into compliance with network policies and rejoin the larger network.
Host-based approaches generally involve agentless scans and/or an agent-based evaluation of the host. Scans will generally involve a sweep of open ports and a vulnerability scan with a product such as Nessus. Agent-based evaluations can check for operating system patches, viruses, spyware and other vulnerabilities.
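As an added illustration (not the article's or BlueCat's code), the pre-/post-connect DHCP enforcement flow described above, modelled in Python: a policy engine decides at DHCPDISCOVER time which scope a host gets, re-evaluates it on lease renewal, and logs every decision for audit. The address plan, lease times and the posture fields are constructed assumptions, not values from the article.

```python
from dataclasses import dataclass

# Constructed address plan (not from the article). The quarantine scope has a
# short lease so a remediated host is re-evaluated quickly on renewal, and each
# scope hands out its own DNS server so the client sees a matching DNS view.
SCOPES = {
    "production": {"subnet": "10.10.0.0/16", "dns": "10.10.0.53", "lease": 86400},
    "quarantine": {"subnet": "10.99.0.0/24", "dns": "10.99.0.53", "lease": 300},
}

@dataclass
class Posture:
    """Result of the authentication check and hygiene scan for one host."""
    authenticated: bool
    patched: bool = False
    antivirus_running: bool = False
    device_class: str = "workstation"  # or "phone", "printer"

def posture_ok(p: Posture) -> bool:
    # Hygiene checks fit PCs; phones and printers are judged on identity only,
    # following the article's point that each host type needs its own criteria.
    if p.device_class in ("phone", "printer"):
        return p.authenticated
    return p.authenticated and p.patched and p.antivirus_running

class DhcpNacEngine:
    """Tracks which scope each MAC currently holds and logs every decision."""
    def __init__(self):
        self.membership = {}   # mac -> scope name
        self.audit = []        # one line per decision, for later review

    def evaluate(self, mac: str, posture: Posture, event: str) -> dict:
        scope = "production" if posture_ok(posture) else "quarantine"
        previous = self.membership.get(mac)
        self.membership[mac] = scope
        self.audit.append(f"{event} mac={mac} class={posture.device_class} "
                          f"from={previous} to={scope}")
        return {"scope": scope, **SCOPES[scope]}

    # Pre-connect: first DHCPDISCOVER, decide before the host gets an address.
    def discover(self, mac: str, posture: Posture) -> dict:
        return self.evaluate(mac, posture, "pre-connect")

    # Post-connect: a lease renewal or monitoring alert triggers re-evaluation,
    # so a host that turns bad after joining is pushed back into quarantine.
    def renew(self, mac: str, posture: Posture) -> dict:
        return self.evaluate(mac, posture, "post-connect")
```

A real deployment would feed `Posture` from the authenticator and the agent or scanner results, and would drive the DHCP server's scope assignment from the returned decision.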
Tactical Solutions
Tactical solutions, such as DHCP, security appliances, IDS/IPS, and virus and spyware scanners, have been available for some time from many vendors. All of these solutions are effective at some aspects of NAC. However, none of these solutions provide a complete NAC or interoperability strategy.
Infrastructure-Based Solutions
There are three different principal infrastructure approaches to NAC. Cisco CNAC and Microsoft NAP can be considered together, not only because the approaches are similar, but because the two companies have partnered on NAC initiatives. Both technologies depend heavily on the use of agents at the host level and on homogeneous network environments—at the network level for Cisco and the host operating system level for Microsoft. This makes the approaches a poor choice for environments not dedicated completely to the technologies. Also, both technologies are in the early stages, and Gartner estimates full implementation by 2009. Even then, given the adoption of technologies such as VoIP, the approaches will have limited usefulness for many applications.
The Trusted Computing Group has developed a strategy, called Trusted Network Connect, based on the idea that several tactical NAC solutions can act as a framework that drives interoperable NAC and hygiene packaged as an infrastructure-based solution. The approach revolves around hosts accessing the network, evaluation and decision points based on policies, and mitigation points. TCG/TNC is rapidly being adopted by a number of other ISVs within the market, including BlueCat Networks, Juniper Networks, Mirage, McAfee, Symantec and Trend Micro. The benefit of the approach is that it unites several tools to provide a defense-in-depth NAC strategy while extending the value of existing infrastructure investments.
Defense-in-Depth Strategy
The term defense-in-depth originally applied to DMZs and application proxies, and was popularized by Cisco Systems. The term now denotes security throughout the entire network. The current defense-in-depth approach to network security involves a recognition that all security precautions are imperfect—that it is better to have several systems working together to improve the odds of successfully identifying and mitigating a network threat. A clear understanding of the network topology and hosts is necessary for an effective defense-in-depth strategy. IP address management systems are designed to track and manage all hosts using a network, as well as being the tool used for the design of the network itself. DHCP and DNS servers can be used by an IPAM system to control not only the level of network membership of a client system, but also the DNS view of the network that is presented to the client. This provides the IP management portion of the NAC solution. IPAM/DHCP/DNS, coupled with effective detection and mitigation tools, represents a full NAC solution. Traffic monitoring and shaping also can be driven by an effective IPAM solution, as long as it provides an open API for intercommunication with network devices such as routers, switches, IDP/IPS and firewalls. When this type of IPAM is combined with an effective, host-based strategy for scanning host vulnerabilities, a complete defense-in-depth NAC solution is available.
About the Author
Richard Hyatt is the chief technology officer and co-founder of BlueCat Networks.