Network Access Control (NAC) solutions are often deployed with the goal of providing Guest Access on the network in a way that allows visitors and contractors access to network resources while helping to mitigate the risk these unmanaged devices pose to the security of the network. Further, NAC has been hailed as a way to ensure that all devices currently under management are compliant with network security policy. As the concept of NAC and the technologies used to drive it have matured, security has increasingly been built into the fabric of the network. In fact, many industry researchers and thought leaders, point to the future of NAC being in the form of embedded security, writes Michael Markulec, Chief Operating Officer, Lumeta and Member, Trusted Computing Group.
As this movement continues, there are two major challenges that organizations face as they look to embed security into the network. The first is that the value of proprietary NAC solutions, which saw higher initial adoption, will become questionable because of the changing and heterogeneous nature of networks today. The second challenge in highly dynamic networks is to ensure that NAC policy decisions are being made on the most comprehensive information available.
Single vendor approaches
Embedded security as a concept defies the proprietary model, as networks are heterogeneous and require security solutions that will offer open architecture and standard interfaces to support components from a variety of vendors.
This is particularly true at the large enterprise level, where it is easy to see that although today when a NAC solution is deployed, all devices may be of a certain type. As the business changes, say through an acquisition, it may become necessary to manage security across multiple vendors. In this environment is it clear that a proprietary NAC solution, relying on assessments through proprietary protocols, could not possibly be making decisions based on all of the best available information? A NAC solution that supports an open architecture is then able to assess the new sets of devices, regardless of the vendor or protocols used.
Dynamic active access control assessments
There is an additional distinction to be made between pre-admission and post-admission NAC solutions, both of which have potential shortcomings. When considering pre-admission NAC for instance, today you can have devices that come onto the network in a clean state, but after a user opens a PDF that contains a Trojan, the device suddenly changes state. A strictly pre-admission solution would fall short in this instance. Conversely, post-admission NAC solutions analyze behaviors of users on the network, recognizing changes and quarantining or disconnecting the suspect devices.
Fully comprehensive network access security, enabled by intelligent policy decisions and dynamic security enforcement, will function on a hybrid model assessing the state of a device prior to its admission, and further actively probing the state of that device while it is connected.
In order for organizations to respond in real-time to changes in security posture, or to maintain compliance and ensure continuous network service availability, they require in-depth network and security awareness and coordinated defenses among deployed networking and security solutions. To support a standardized, dynamic data exchange among a variety of applications, the Trusted Computing Group (TCG), a nonprofit, open industry standards group with members from all aspects of computing and networking,
defined an open architecture that enables access control and enforcement of policies for endpoint security. As part of the TNC architecture, the group has developed IF-MAP, a standard interface between the Metadata Access Point and other elements of the TNC architecture. The IF-MAP open standard provides a common language for NAC, dynamic endpoint security, and automated network policy assessment. It allows data on network devices, policies, status, and behavior to be shared in real-time. This protocol can be embedded into products and is available free from the TCG.
Automation
When it comes to network security, knowing what’s on the network and ensuring that only devices which are known, managed and clean are allowed to connect, are critical parts of any security plan. Consider the scenario of a user who tethers her brand-new Blackberry to her laptop, which is connected to the corporate network. Potentially, this user could be connected to another network via her Blackberry and thus would have created a back-door that could be used for infiltration.
Unfortunately, most of the NAC solutions on the market are vendor-specific. As the number of IP-connected devices on the network continues to grow exponentially, a vendor-neutral, standards-based NAC solution will become the only comprehensive and sustainable way to embed security and automate policy decision-making.
By the time most organizations are considering adopting NAC, they have already invested a significant amount in security tools. Vendor-neutral NAC approaches allow for organizations to further leverage the investments that have already been made, driving more value from the security function. Further, moving toward a NAC solution which bases policy decisions on communications from a host of security tools greatly improves the quality of the basis of that decision making, giving organizations confidence to fully automate those processes, reducing man-hours spent on remediation and log analysis.
Trusted Computing Group is exhibiting at Infosecurity Europe 2011 – the information security industry event from April 19 to 21, at Earl’s Court, London. The event provides a free education programme, exhibitors showcasing new and emerging technologies. For further information visit –
