COMPREHENSIVE NETWORK ACCESS CONTROL
With an increasingly mobile population, organizations are facing
new threats. Viruses, worms, spyware, and noncompliant software
loaded onto computers gain access to the network and in turn
contaminate it. At academic institutions, that could mean the
laptops and desktops of students, faculty and staff. In enterprise
environments, the threat comes from employees, partners, vendors,
and other “guests” and their laptops.
As enterprise networks continue to add new access options, remote
users and increased geographical diversity, various approaches to
NAC have emerged. Bradford Networks believes that Network Access
Control must integrate three key areas in order to be effective.
The Bradford Networks approach to Network Access Control consists
of three integrated areas of focus:
• Identity Management: The most complicated area to manage
effectively. Comprehensive Identity Management best practices must
integrate the who (who is connecting to the network?) with the
what (what device are they using?) and the where (what is their
location?) to determine what level of access they are allowed and
to make real-time decisions on any actions that must be taken to
ensure network integrity.
• Endpoint Compliance: With remote, LAN and wireless access to
enterprise networks, malicious code and other security threats must
be identified and remediated in real time to ensure productivity
and network security. Endpoint compliance must assess both
pre-admission and post-admission vulnerability, as well as provide
validations and ensure policy compliance.
• Usage Policy Enforcement: A key component to ensure network
efficiency, usage policy enforcement protects bandwidth usage and
ensures integrity by tracking activity and enforcing acceptable
usage policies through identification, notification, problem
isolation and corrective action.
An effective NAC strategy will address all of these elements in an
intelligent environment, integrating increasingly complex network
software and hardware topologies, and allowing administrators to
leverage the security features of diverse network components to
boost network performance.
THE BRADFORD NETWORKS APPROACH
Bradford Networks’ NAC Director is an out-of-band, client-centric
Network Access Control (NAC) solution that provides core-based
control and integrates all network security applications/devices
under one central management system, actively monitoring and
controlling network users and devices to provide enhanced security.
Through the enforcement of network usage policies, the solution
ensures that customer networks are safe and secure. NAC Director
helps solve important network issues such as: controlling unwanted
users, implementing anti-virus version control, enforcing network
policies, controlling network access, as well as overall user and
device management.
Bradford Networks’ innovative approach delivers the three key
elements of effective NAC solutions – identity management, endpoint
compliance and network policy enforcement – in a single integrated
solution. NAC Director’s out-of-band architecture lets IT teams
implement the solution at any time and leverages existing
multi-vendor, multi-platform network infrastructures to deliver
automated security services without the need for costly
infrastructure upgrades.
The NAC Director solution leverages the unique features of each
type of switch in the network. Bradford’s approach means that
working in a multi-vendor environment does not mean focusing on the
least common denominator, but rather maximizing the embedded
security features in each type of switch, as well as providing true
NAC at the network edge.
Securing the Network: Bradford’s Approach
The idea of the private versus public internet is rapidly becoming
antiquated. With users accessing organizations’ networks from all
over the world, simply setting up roadblocks at the switch level is
no longer sufficient to ensure effective security. An Integrated
NAC Approach, such as the one employed by NAC Director, is the most
effective way to protect networks when devices, such as laptops,
leave the network, get infected, and then access the network again.
It also protects existing investments by working with the gear that
is already in the network – and leveraging the unique security
features of diverse switches.
Integrated NAC involves connecting NAC functionality to the
existing network and assimilating the configuration and traffic
data generated by the switches and routers. Bradford’s solution
maintains policy conditions and executes them in the network by
interfacing with the command and control functions in the switches.
Bradford’s NAC Director utilizes current network configuration
and traffic data from switches, wireless access points and other
infrastructure equipment to create a logical representation of the
network and correlates this with user identity information. When
violations occur, the solution determines the policy-based actions
needed and executes corrective action via CLI, SNMP or RADIUS
commands to the corresponding network equipment. Most networks are
multi-vendor, multi-platform, and contain new and older hardware
and software. Flexibility and choice are crucial. By integrating
NAC functionality with existing infrastructure, security policies
are driven by real-world activity, allowing network administrators
to identify security issues – viruses, network policy
infractions, unauthorized access – and take action immediately.
Rather than focus on a single point in the network, Bradford’s
out-of-band approach brings NAC as far to the edge as possible,
monitoring user behavior, network policies and network access. This
client-centric approach, which triggers registry scans on all
devices prior to their being placed on the live network, provides
the highest level of security.
By bringing NAC to the edge, NAC Director offers a
three-dimensional approach to setting network policy, in contrast
to in-line solutions that work from a particular point in the
network. The client-centric approach makes it possible to address
all three pillars of NAC – identity management, endpoint
compliance, and policy enforcement – to make intelligent policy
decisions throughout the user session.
MAKING IT WORK: BRADFORD’S TECHNOLOGY IN ACTION
Bradford’s client-centric approach is driven by NAC Director’s
Correlation Engine, which collects information from the network,
the connecting client and the individual network components to make
decisions in real time.
By understanding who is connecting, using what device, and where on
the network they are entering, the Correlation Engine leverages the
embedded security features of each individual switch, and compares
the connection profile with network elements and policies to make
intelligent network access decisions before threats are
introduced.
The NAC Director solution supports a breadth of solutions from
multiple vendors, allowing network managers to leverage any
vendor-specific feature as part of the NAC process. Bradford’s
solution produces a logical representation of the network –
including network infrastructure, operating systems, stand-alone
and embedded security applications and security infrastructure.
Bradford’s integrated approach includes extensive automated
network device discovery, providing a complete map of the network.
All components are mapped and managed, fully leveraging network
investments. The Correlation Engine proactively collects and uses
this data to best leverage all aspects of the network when making
policy and access decisions.
The device discovery process is not tied to a single management
protocol (it can use SNMP, CLI over SSH, or CLI over Telnet) to
read the system object ID (sysObjectID) of each device in the
network and identify its unique security features, such as group
mobility for Alcatel switches, or private isolated VLANs for Cisco
devices. By utilizing multiple protocols, NAC Director ensures that
it identifies and activates the unique features of any switch,
understanding not only the vendor information, but also the
properties of each individual device. This ensures true leverage of
all security features native in the network, a necessity in
multi-vendor environments. It also guarantees that all security
policies are enforced by interfacing with command and control
functions in each device.
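As an added illustration (not Bradford’s code, and not how NAC Director is implemented internally), the following Python sketches the discovery step described above: each device is probed over SNMP first, then CLI over SSH, then CLI over Telnet, the first transport that returns a system object ID is recorded for the audit trail, and the OID prefix is matched against a vendor table to decide which native isolation feature enforcement may rely on. The transports are faked with an in-memory table of constructed sample devices; 1.3.6.1.4.1.9 is Cisco’s registered IANA enterprise prefix, while the Alcatel prefix (6486) and the feature names are assumptions for this example. A device that answers on no transport stays unmanaged, which is the case a practitioner most wants surfaced, since no corrective action can be pushed to equipment that discovery cannot reach.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Order in which discovery tries to reach a device (SNMP, CLI over SSH,
# CLI over Telnet, as the text lists them).
PROBE_ORDER = ("snmp", "ssh-cli", "telnet-cli")

# IANA enterprise OID prefix -> (vendor, native isolation feature).
# 1.3.6.1.4.1.9 is Cisco's registered enterprise number; the Alcatel
# prefix (6486) and both feature labels are assumptions for this example.
VENDOR_FEATURES = {
    "1.3.6.1.4.1.9.": ("Cisco", "private isolated VLAN"),
    "1.3.6.1.4.1.6486.": ("Alcatel", "group mobility"),
}
# What enforcement falls back to when the vendor is not recognised
# (the "least common denominator" the text warns about).
BASELINE_FEATURE = "port-level VLAN assignment"


@dataclass
class DeviceRecord:
    address: str
    protocol: Optional[str] = None       # transport that answered (audit trail)
    sys_object_id: Optional[str] = None
    vendor: str = "unknown"
    feature: str = BASELINE_FEATURE
    managed: bool = False                # False if no transport answered


def classify(sys_object_id: str):
    """Map a sysObjectID to (vendor, usable isolation feature) by prefix."""
    for prefix, (vendor, feature) in VENDOR_FEATURES.items():
        if sys_object_id.startswith(prefix):
            return vendor, feature
    return "unknown", BASELINE_FEATURE


def discover(address: str, probes: Dict[str, Callable[[str], Optional[str]]]) -> DeviceRecord:
    """Try each transport in PROBE_ORDER; the first one returning an OID wins."""
    rec = DeviceRecord(address=address)
    for proto in PROBE_ORDER:
        probe = probes.get(proto)
        if probe is None:
            continue
        oid = probe(address)
        if oid:
            rec.protocol, rec.sys_object_id, rec.managed = proto, oid, True
            rec.vendor, rec.feature = classify(oid)
            break
    return rec


def discover_all(addresses, probes) -> Dict[str, DeviceRecord]:
    """Build the device map the policy engine consumes."""
    return {addr: discover(addr, probes) for addr in addresses}


# Constructed test network: which transport each device answers on and the
# sysObjectID it returns. Addresses and product OIDs are made up.
FAKE_NETWORK = {
    "10.0.0.1": {"snmp": "1.3.6.1.4.1.9.1.516"},                 # Cisco, SNMP open
    "10.0.0.2": {"ssh-cli": "1.3.6.1.4.1.6486.800.1.1.2.1.1"},   # Alcatel, SNMP closed
    "10.0.0.3": {"telnet-cli": "1.3.6.1.4.1.99999.1"},           # unknown vendor
    "10.0.0.4": {},                                              # answers nothing
}


def fake_probe(proto: str) -> Callable[[str], Optional[str]]:
    """Stand-in for a real SNMP GET / CLI session against one transport."""
    return lambda addr: FAKE_NETWORK.get(addr, {}).get(proto)


PROBES = {p: fake_probe(p) for p in PROBE_ORDER}

if __name__ == "__main__":
    for addr, rec in discover_all(FAKE_NETWORK, PROBES).items():
        print(addr, "managed" if rec.managed else "UNMANAGED",
              rec.protocol, rec.vendor, rec.feature)
```

In a real deployment the fake probes would be replaced by an SNMP GET of sysObjectID (OID 1.3.6.1.2.1.1.2.0) or an equivalent CLI query over SSH or Telnet; the rest of the logic, including the unmanaged-device case, stays the same.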
BRADFORD NETWORKS NAC DIRECTOR FEATURES
The Bradford NAC Director solution collects information from the
network, correlates that information with established policies and
allows network administrators to effectively take corrective
actions. The solution provides the following benefits:
• Manage, secure, and control all users connecting via wired, VPN or wireless networks
• Reduce the time to detect and remediate network problems
• Self-help remediation – maximizing usage of network support staff
• Vendor-independent solution – extensive multi-vendor interoperability
• Enforce network authentication and registration policies
• Integrate with existing authentication systems (RADIUS, Active Directory, LDAP, and Kerberos)
• Identify, locate, and track network clients quickly – audit trail of each network connection
• Connection-based security scanning – detect and verify anti-virus, anti-spyware, and OS patch levels
• Role-based network access assignment
• Isolate 'at risk' users in a Quarantine area
• Significant event alarms and notification
• Appliance-based non-invasive solution
Identity Management
Ensuring network integrity begins by enforcing robust policies and
rules. Bradford’s NAC Director requires all users to register
prior to allowing them access to the network, providing an
invaluable tool for network administration staff. Among other
things, the registration process helps to:
• Control network access for wired, VPN and wireless users
• Assist in tracking all users by location, name or address (MAC or IP)
• Provide role-based access and levels of service via dynamic VLAN assignment
Implementing a user registration and authentication policy across
the network ensures each device has appropriate ownership assigned.
Each user is required to register their hardware before gaining
access to the network, which provides an added level of security
and control.
Users are prompted for user identification credentials via a
friendly web browser interface. The user is typically presented
with several screens, which they quickly scroll through. In
addition to being prompted for credentials, many administrators
post acceptable use policy information for the user to review and
accept before completing the registration process.
Endpoint Compliance
Bradford NAC Director automatically enforces security policies and
ensures each user attached to the network is compliant, protected,
and safe. Bradford NAC Director delivers comprehensive protection
to ensure maximum network availability and reliability.
Administrators can choose between persistent and non-persistent
agents, which support Windows, Linux, and Macintosh users.
Endpoint compliance performs three significant functions, each a
critical step in ensuring that policies are strictly enforced and
the user's experience is friendly and efficient. Each step is
important toward obtaining a seamless solution that is automated
and effortless, yet disciplined and robust.
1. Every device is checked before being allowed to connect to the production network.
2. Non-compliant 'at risk' devices are isolated in a Quarantine area.
3. A remediation center provides 'self-help' services to resolve issues without helpdesk intervention.
Bradford’s three-step approach minimizes network downtime and
protects against the human and capital costs that network
intrusion, viruses and downtime can cause.
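The following Python is an added example (not Bradford’s code, and not NAC Director’s actual policy format) that puts the Correlation Engine’s who/what/where decision and the three-step endpoint compliance flow into one small engine: an unregistered device lands on a registration VLAN, a registered device that fails the connection-based scan lands in quarantine, a compliant device gets its role VLAN unless its role is not permitted at that switch location, and a scheduled post-admission rescan re-runs the same policy so a host that has since fallen out of compliance is moved off the production VLAN. The corrective action is kept abstract as a tuple tagged with the switch’s management protocol (CLI, SNMP or RADIUS, as the text names them) rather than real switch commands; VLAN numbers, role names, check names, MAC addresses and switch names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed VLAN plan, role map and thresholds (assumptions for the
# example, not NAC Director configuration).
REGISTRATION_VLAN = 10   # reaches the registration portal only
QUARANTINE_VLAN = 20     # reaches the remediation center, production blocked
ROLE_VLANS = {"staff": 100, "faculty": 110, "student": 200, "guest": 900}
# "where": roles permitted onto the production network from a given switch;
# switches absent from this map accept every role.
ALLOWED_AT = {"sw-lab-1": {"staff", "faculty"}}
# "what": checks the connection-based scan must pass before admission.
REQUIRED_CHECKS = ("antivirus_current", "antispyware_current", "os_patched")


@dataclass(frozen=True)
class Connection:
    mac: str       # device identity as seen on the port
    switch: str    # location: which switch
    port: str      # location: which port


@dataclass(frozen=True)
class Decision:
    vlan: int
    reason: str
    action: Tuple[str, str, str, str, int]   # (protocol, verb, switch, port, vlan)


class CorrelationEngine:
    def __init__(self, registrations: Dict[str, str], roles: Dict[str, str],
                 switch_protocols: Dict[str, str]):
        self.registrations = registrations          # MAC -> registered owner ("who")
        self.roles = roles                          # owner -> role
        self.switch_protocols = switch_protocols    # switch -> "cli" | "snmp" | "radius"
        self.sessions: Dict[str, Decision] = {}     # MAC -> current placement

    def _place(self, conn: Connection, vlan: int, reason: str) -> Decision:
        # The action stays abstract; a per-vendor adapter would turn it into
        # the CLI, SNMP or RADIUS operation that switch actually supports.
        proto = self.switch_protocols.get(conn.switch, "cli")
        decision = Decision(vlan, reason, (proto, "set-vlan", conn.switch, conn.port, vlan))
        self.sessions[conn.mac] = decision
        return decision

    def admit(self, conn: Connection, scan: Dict[str, bool]) -> Decision:
        """Pre-admission: correlate who, what and where into a VLAN placement."""
        owner = self.registrations.get(conn.mac)
        if owner is None:                                    # who: unknown device
            return self._place(conn, REGISTRATION_VLAN, "unregistered device")
        failed = [c for c in REQUIRED_CHECKS if not scan.get(c, False)]
        if failed:                                           # what: non-compliant
            return self._place(conn, QUARANTINE_VLAN, "failed " + ", ".join(failed))
        role = self.roles.get(owner, "guest")
        if role not in ALLOWED_AT.get(conn.switch, set(ROLE_VLANS)):   # where
            return self._place(conn, ROLE_VLANS["guest"],
                               f"{role} not permitted on {conn.switch}")
        return self._place(conn, ROLE_VLANS[role], f"role {role}")

    def revalidate(self, conn: Connection, scan: Dict[str, bool]) -> Decision:
        """Post-admission scheduled rescan: same policy, so a host that has
        fallen out of compliance is moved off the production VLAN."""
        before = self.sessions.get(conn.mac)
        after = self.admit(conn, scan)
        if before is not None and before.vlan != after.vlan:
            after = Decision(after.vlan, f"moved from VLAN {before.vlan}: {after.reason}",
                             after.action)
            self.sessions[conn.mac] = after
        return after


# Constructed directory data for the example.
ENGINE = CorrelationEngine(
    registrations={"00:11:22:33:44:55": "alice", "66:77:88:99:aa:bb": "bob"},
    roles={"alice": "staff", "bob": "student"},
    switch_protocols={"sw-lab-1": "snmp", "sw-dorm-1": "radius"},
)
CLEAN = {c: True for c in REQUIRED_CHECKS}

if __name__ == "__main__":
    print(ENGINE.admit(Connection("de:ad:be:ef:00:01", "sw-dorm-1", "1/3"), CLEAN))
    print(ENGINE.admit(Connection("00:11:22:33:44:55", "sw-lab-1", "1/7"), CLEAN))
    print(ENGINE.revalidate(Connection("00:11:22:33:44:55", "sw-lab-1", "1/7"),
                            {**CLEAN, "os_patched": False}))
```

The point of `revalidate` reusing `admit` is that post-admission checks evaluate exactly the same policy as pre-admission ones, so there is no second, weaker rule set for hosts that are already inside; the `reason` string and the `sessions` table double as the per-connection audit trail the feature list promises.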
Usage Policy Management
Bradford NAC Director is a powerful tool to help enforce the
network’s acceptable use policies. Whether it is tracking
unwanted activities, such as gaming, music file sharing, or instant
messaging, the functionality in NAC Director will help to enforce
specific network policies to ensure that clients on the network do
not abuse services. Using scheduled scanning, the solution applies
role-based identity information to ensure policies are
user-specific. This approach integrates all identity management and
endpoint compliance with usage policy to ensure optimum
performance.
NAC Director interfaces with third party solutions to gather
critical information to determine if network violations are
occurring. The result is identification, notification, problem
isolation, and corrective action. The solution allows network
administrators to:
• Enforce acceptable network use policies
• Control chatting, gaming, and file sharing
• Limit bandwidth usage
• Interface with IDS, traffic shapers, and other external
devices
Overall Solution Approach
Comprehensive NAC strategies must encompass both pre-admission and
post-admission policies. Bradford’s solution uses scheduled scanning
to add role-based identity to its three pillars approach, ensuring
that systems are re-validated after they have been given access to
the network. This ensures Identity Management both pre- and
post-admission: when users connect to the network and again when
determining usage policies based on roles. This approach delivers
truly complete NAC functionality, integrating endpoint compliance,
identity management and usage policy management at every step of the
process. By delivering a comprehensive solution that addresses all
of these concerns, Bradford ensures a complete approach to Network
Access Control.
THE THREE PILLARS: A FUTURE-PROOFED APPROACH
Network access has changed exponentially over the past few years,
and network administrators are already anticipating new threats. As
non-browser-based devices begin accessing networks, new threats
will arise. We are already seeing university networks allowing
gaming registration for Xboxes and PlayStation 2s, and corporate
networks allowing access to PDAs. Over the next 24 months, mobile
phones and other devices will begin connecting to networks as well,
further heightening the need for comprehensive NAC strategies.
Wireless access to networks is, by definition, raising awareness of
the need for effective NAC strategies. As wireless standards
evolve, Bradford’s comprehensive approach will continue to
leverage the evolving features of network infrastructure devices.
Adding this robust capability to application-level authentication
could soon deliver on the promise of single sign-on.
Major technology vendors are already planning for this evolution.
Microsoft, a Bradford partner, is planning to release Network
Access Protection (NAP) for the Vista OS and recently announced an
interoperability partnership with Cisco. Bradford’s Integrated
NAC Approach, which incorporates the unique features of diverse
network components, will integrate these developments, and any
others, as the technology evolves, allowing network administrators
to truly leverage their network investments, using the unique
features of current equipment in their network infrastructure, and
ensuring the integrity of their networks.