Evolution of NAC
First-generation NAC started out as an endpoint checking system to verify endpoint security; appropriate network access was then either allowed or denied. This definition later expanded to include methods to remediate failed endpoints and then to recheck endpoints periodically after they are admitted. First-generation NAC was an authentication-focused point solution that required major upgrades to network infrastructure, and many companies found that this was too complex and expensive to implement.
Later, multiple vendors offered second-generation NAC solutions that leveraged their strengths (endpoint-based or network-based), but this view was limited to solving half of the problem well and the other half not as well. In its second generation, NAC standards such as TNC, IETF and 802.1X were still emerging, which meant that most available solutions were standalone and did not leverage the existing enterprise infrastructure.
Forrester Research is predicting a huge year ahead for NAC,
claiming in a recent report that this watchdog technology is fast
becoming “a critical component in making many security
initiatives efficient and a seamless part of the network
infrastructure.” (Forrester Research 2008) Even with economic
issues reducing demand for IT products across the board, Infonetics
estimates that worldwide NAC sales will increase by 21 percent in
2009.
A vendor-centric product evolution cannot solve these issues. What is needed is a fundamental rethinking of NAC technologies to align with the existing corporate infrastructure and address real business problems.
Addressing business problems with NAC
After extensive interviews with customers and analyst firms, McAfee sees NAC usage as falling into one of three solution areas.
Guest and contractor access
With so many unprotected Ethernet ports inside a typical enterprise, companies need to ensure that a visitor plugging into a port is not spreading infection or accessing sensitive network resources.
Contractors are a special type of guest that needs more access than
a guest but less than an employee. Contractors need to access
certain applications or data to do their job, but the risk of the
contractor’s machine being infected or theft of data is always
prevalent.
Compliance of employees to IT standards
Enterprises have spent millions on security tools only to have
self-administering users turn off anti-virus protection, create
gaps in their firewall rules, or disable security tools that slow
system performance.
NAC not only ensures that security controls are in place, but also that IT standards are met. In addition to corporate IT standards, NAC improves compliance with government and industry standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and Sarbanes-Oxley (SOX):
PCI section 7.1—Requires that companies limit access to computing resources only to those whose job requires it
SOX 404—Requires that companies monitor access to the company’s financial systems
PCI section 10.2.4—Requires that companies record entries for all systems for invalid login access attempts
While deploying NAC does not alone make a company compliant, a NAC solution with identity-based controls helps support these specific objectives.
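The three requirements listed above all come down to keeping a who/when/where record of access and acting on the invalid attempts in it. The following Python is an added illustration for this page, not output or code from any McAfee product: it parses constructed authentication log lines (the key=value format, host names, user names and the failure threshold are all assumptions) into the records an auditor asks for, and flags repeated failures for review.

```python
"""Added example: who/when/where access records from an authentication log.

The log format, host names, user names and threshold are assumptions made
for this example; the lines below are constructed, not real product output.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample: one line per authentication attempt.
SAMPLE_LOG = """\
2009-03-02T08:14:05Z host=fin-app01 user=jsmith src=10.1.4.22 result=OK
2009-03-02T08:16:41Z host=fin-app01 user=contractor7 src=10.9.0.15 result=FAIL
2009-03-02T08:16:49Z host=fin-app01 user=contractor7 src=10.9.0.15 result=FAIL
2009-03-02T08:17:02Z host=fin-app01 user=contractor7 src=10.9.0.15 result=FAIL
2009-03-02T09:03:12Z host=eng-git01 user=mlee src=10.1.7.90 result=OK
2009-03-02T09:05:00Z host=eng-git01 user=mlee src=10.1.7.90 result=FAIL
this line is deliberately malformed and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>OK|FAIL)$"
)


def parse_auth_log(text: str) -> List[dict]:
    """Parse key=value lines into events; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def invalid_login_records(events: List[dict]) -> List[Tuple[str, str, str, str]]:
    """PCI DSS 10.2.4 style record: (when, who, from where, on which system)
    for every failed attempt."""
    return [(e["ts"].isoformat(), e["user"], e["src"], e["host"])
            for e in events if e["result"] == "FAIL"]


def access_report(events: List[dict],
                  monitored: Set[str]) -> Dict[str, List[Tuple[str, str]]]:
    """SOX 404 style view: who successfully accessed each monitored
    (for example, financial) system, and when."""
    report = defaultdict(list)
    for e in events:
        if e["host"] in monitored and e["result"] == "OK":
            report[e["host"]].append((e["user"], e["ts"].isoformat()))
    return dict(report)


def repeated_failures(events: List[dict],
                      threshold: int = 3) -> Dict[Tuple[str, str], int]:
    """(user, source) pairs with at least `threshold` failures; these are the
    entries an administrator reviews first."""
    counts = Counter((e["user"], e["src"])
                     for e in events if e["result"] == "FAIL")
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    for rec in invalid_login_records(evs):
        print("invalid login:", rec)
    print("financial system access:", access_report(evs, {"fin-app01"}))
    print("repeated failures:", repeated_failures(evs))
```

The parser skips lines it cannot read rather than stopping, so one corrupt line does not silence the report; in a real deployment the skipped count itself is worth reporting, since a gap in the record is also an audit finding.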
Reduced security problems
By preventing infected or insecure devices and potentially malicious applications from entering your network, security disasters can be mitigated or avoided altogether. A great example can be seen with the Conficker A and B worms, which have infected millions of PCs worldwide. These worms exploit a Microsoft Windows vulnerability for which a patch has been written, but has not been applied in as many as one-third of all Windows systems. Conficker is difficult to remove because it alters PC settings to prevent needed Microsoft patching or connection to remediation websites for removal information.
Core Applications
With NAC in place, machines without appropriate patches could be denied access, and the infected machines would not be able to propagate the malware inside the network. Even if an infected machine does gain access, with post-connect monitoring NAC the behavior of the worm probing and propagating could be blocked or the machine could be knocked offline altogether.
Usage Scenarios
Through extensive customer evaluation and research, McAfee has
developed six key usage scenarios required by medium-size to large
organizations. These scenarios should be part of any NAC product
evaluation.
Important NAC User Scenarios
1. Guest or Contractor Access
Situation: Visitor or contractor using an unmanaged system
Solution: McAfee NAC Appliance or NAC add-on to McAfee Network Security Platform
Guests or contractors with their own equipment pose a risk any time they plug into a network. A NAC solution should assess whether an endpoint is a managed employee system or an unidentified device and then place that user in the proper subnetwork or guest access portal, or provide Internet access only. It should be able to identify contractors by their Microsoft Active Directory credentials and give them appropriate access to the network and applications, or give them access through a pre-approved guest access portal. The McAfee solution needed for this is the McAfee NAC Appliance or the NAC add-on to the McAfee Network Security Platform.
2. Managing Employee Access
Situation: Assess endpoint health per IT standard
Solution: ToPS Advanced or McAfee NAC (MNAC)
To ensure that endpoints have the correct security configurations, up-to-date operating system patches, and other required applications, a method for endpoint health assessment is required. A typical use case of preadmission NAC would be to prevent clients with out-of-date anti-virus signatures from connecting to sensitive servers. The McAfee solution required for this is the McAfee Network Access Control endpoint agent, which is included with the McAfee Total Protection (ToPS) for Endpoint-Advanced software suite or available as a separate purchase.
3. Sustaining the Health of Connected Devices
Situation: Continual assessment of endpoint configuration
Solution: ToPS Advanced or McAfee NAC
There are many devices that never leave the office, such as desktops, which are usually in a constant state of admission. Post-admission health assessment makes health and enforcement decisions based on user actions, changes in system health state, or changes in policy after those users have been granted access to the network. For example, a user may have installed a peer-to-peer application that violates IT policy. Such applications should be scanned for and removed. The McAfee solution required for this is the McAfee NAC endpoint agent, which is included with the McAfee Total Protection for Endpoint-Advanced software suite or purchased separately.
4. Malicious User or Malware
Situation: Assess all infected or malicious endpoints doing damage
Solution: IPS + NAC add-on
Machines that have already been admitted to a network can become infected with malware, such as bots or worms. Users can also inadvertently or maliciously install applications that can compromise data. What is required is a NAC system with an integrated intrusion prevention system (IPS) to continuously monitor networks via signature- and behavioral-based analysis. The McAfee solution needed for this is the NAC add-on to Network Security Platform.
5. Unknown or Risky User Behavior
Situation: User on the network, risking damage or data loss
Solution: Network User Behavior Analysis
Threats can come from authenticated users who have gained access to a network or who have maliciously bypassed access controls. For example, finance users could have their credentials stolen by a malicious user who then starts to search the network looking for valuable data in the engineering source code or legal department. What is required is a solution that analyzes user behavior against a dynamic baseline, highlights outlying behavior, and provides real-time alerts. The McAfee solution needed for this is McAfee Network User Behavior Analysis (Securify).
6. Discovery of Unmanaged/Unmanageable Devices
Situation: Smart phones, medical devices, printers
Solution: ToPS Advanced or McAfee NAC
Many companies are unaware of all of the devices attached to their networks. Personal laptops, game consoles, medical devices, Linux or Macintosh machines, and unauthorized printers can all exist in the environment and pose a threat. What is required is a solution that scans your network for any unmanaged or unmanageable IP-based device and alerts IT staff for action. The McAfee solution needed for this is the rogue system detection capability in ToPS for Endpoint Advanced.
When selecting a NAC solution, users should prioritize the business problems and user scenarios they want to solve and consider a solution that examines endpoint health, validates user identity, monitors applications accessed, and detects malicious behavior.
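The access decisions in scenarios 1, 2, 3 and 6 reduce to one policy evaluation: establish who the user is, then check the device's health, re-run the same check after admission, and report devices the management system has never seen. The following Python is an added illustration written for this page, not McAfee code; the Active Directory group names, health thresholds, access-tier labels and sample devices are all assumptions.

```python
"""Toy NAC policy engine (added example, not McAfee code).

Models the decisions the usage scenarios describe: who the user is
(Active Directory group, or no credentials), whether the device is managed
and healthy, which access tier results, how the same policy is re-run after
admission, and how devices unknown to the management system are surfaced.
Group names, thresholds, tier labels and sample devices are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Access(Enum):
    FULL = "full corporate access"
    CONTRACTOR = "contractor subnet: approved applications and data only"
    GUEST = "guest portal: Internet access only"
    QUARANTINE = "remediation VLAN until compliant"
    DENY = "denied"


@dataclass
class Posture:
    """Health report from the endpoint agent (assumed fields)."""
    av_signature_age_days: int
    missing_critical_patches: int
    installed_apps: Set[str] = field(default_factory=set)


@dataclass
class Endpoint:
    mac: str
    managed: bool                 # agent installed and device in inventory
    ad_group: Optional[str]       # "Employees", "Contractors", or None
    posture: Optional[Posture]    # None when no agent reports health


# Policy thresholds (assumed values for the example).
MAX_AV_SIGNATURE_AGE_DAYS = 7
PROHIBITED_APPS = {"p2p-file-sharing", "unapproved-remote-admin"}


def health_failures(posture: Posture) -> List[str]:
    """List the IT-standard checks the endpoint fails; empty means healthy."""
    failures = []
    if posture.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        failures.append(
            f"anti-virus signatures {posture.av_signature_age_days} days old")
    if posture.missing_critical_patches > 0:
        failures.append(
            f"{posture.missing_critical_patches} critical patch(es) missing")
    banned = sorted(posture.installed_apps & PROHIBITED_APPS)
    if banned:
        failures.append("prohibited application(s): " + ", ".join(banned))
    return failures


def decide(ep: Endpoint) -> Tuple[Access, List[str]]:
    """Admission decision: identity first, then endpoint health."""
    if ep.ad_group is None:
        # Unidentified device: guest portal, Internet only (scenario 1).
        return Access.GUEST, ["no credentials presented"]
    if ep.ad_group == "Contractors":
        # More than a guest, less than an employee (scenario 1).
        return Access.CONTRACTOR, ["contractor credentials"]
    if ep.ad_group != "Employees":
        return Access.DENY, [f"unrecognised group {ep.ad_group!r}"]
    if not ep.managed or ep.posture is None:
        # Employee credentials on a device with no health report (scenario 2).
        return Access.QUARANTINE, ["employee credentials on unmanaged device"]
    failures = health_failures(ep.posture)
    if failures:
        return Access.QUARANTINE, failures
    return Access.FULL, []


def reassess(ep: Endpoint, new_posture: Posture) -> Tuple[Access, List[str]]:
    """Post-admission re-check (scenario 3): same policy, fresh posture."""
    ep.posture = new_posture
    return decide(ep)


def rogue_devices(seen_macs: Set[str], inventory: Dict[str, Endpoint]) -> Set[str]:
    """Devices seen on the wire that the management system knows nothing
    about (scenario 6); these are reported to IT rather than admitted."""
    return seen_macs - set(inventory)


if __name__ == "__main__":
    # Constructed sample devices in the managed inventory.
    inventory = {
        "00:11:22:aa:aa:01": Endpoint("00:11:22:aa:aa:01", True, "Employees",
                                      Posture(2, 0, {"office-suite"})),
        "00:11:22:aa:aa:02": Endpoint("00:11:22:aa:aa:02", True, "Employees",
                                      Posture(40, 1)),
    }
    visitors = [Endpoint("00:11:22:bb:bb:01", False, "Contractors", None),
                Endpoint("00:11:22:bb:bb:02", False, None, None)]
    for ep in list(inventory.values()) + visitors:
        tier, why = decide(ep)
        print(ep.mac, tier.value, why)
    # A later scan finds a prohibited application on the healthy desktop.
    desktop = inventory["00:11:22:aa:aa:01"]
    print(reassess(desktop, Posture(3, 0, {"office-suite", "p2p-file-sharing"})))
    # A device plugged in that never appeared in the inventory.
    print(rogue_devices(set(inventory) | {"de:ad:be:ef:00:01"}, inventory))
```

The decision returns the reasons alongside the tier so that the remediation portal can tell the user exactly which check failed; the same function serves both the preadmission and the post-admission pass, which keeps the two from drifting apart as policy changes.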
McAfee NAC process
McAfee Unified Secure Access delivers complete access control by constantly monitoring, assessing, and tracking identity and actions, and by providing post-admission control for users and applications for the ultimate control and security of the internal network. The following chart shows the recommended process for deploying and managing NAC.
1. Policy—The first, and some would say most difficult, part of deploying NAC is to define the “people policy”; for example, what happens when a vice-president’s anti-virus software is two months out of date? What happens when a contractor in Italy fails an endpoint health assessment? A system that has the granular policy capabilities along with role-based management access is required—and McAfee ePO fills the bill.
2. Discover—Unified Secure Access discovers any IP-based devices on your network, whether unmanaged or unmanageable, such as a game console or medical device. Because Unified Secure Access contains rogue system detection technology, it will find new devices as the network evolves.
3. Endpoint health status—Before gaining network access, endpoint devices are checked for system vulnerabilities, security software configuration parameters and more. Further network access decisions are based on the results of this examination.
4. Identity-based access control—Access can be easily based on existing organizational roles/users (for example, Microsoft Active Directory). Once endpoints authenticate, they can roam across networks and be managed from a common NAC policy server.
5. Ongoing monitoring—Devices are continuously monitored for noncompliant behavior. If detected, a range of remediation options are available. Behavior-based anomaly detection leverages the full power of IPS to knock risky users or machines off the network in real time.
McAfee Unified Secure Access
A true next-generation NAC solution should leverage and integrate
into the existing corporate infrastructure, work with a single,
centralized management system, and ensure that machines are
compliant both before and after admission to the network. It also
must play an integral part in enforcing compliance. A
next-generation NAC solution needs to adequately encompass the
endpoint strategy to cover all aspects of network access.
McAfee has taken these factors into consideration and created a
next-generation NAC solution called Unified Secure Access. With the
introduction of Unified Secure Access, the promise of NAC has
undergone a considerable expansion: now endpoint security, network
security, access control, and compliance concerns are addressed
through a comprehensive, holistic solution.
Unified Secure Access contains the latest technologies, allowing both preadmission and post-admission control of employees, partners, and guests. Because Unified Secure Access supports adaptive policies, it detects (and mitigates when needed) changes on the endpoint, in user identities, and in application access, and it constantly monitors systems for malicious behavior. Adaptive policies are granular and multilevel, and they can be managed by multiple IT teams regardless of location.
McAfee adaptive policy technology allows IT managers to tailor
security tools to high-risk areas, reducing complexity and errors
while increasing scalability and security. Adaptive policy
technology goes beyond traditional NAC to monitor, assess, track,
establish identity for users, devices, and applications, ensuring
ultimate security and control of the network inside and out.
Out-of-compliance end nodes can be detected and remediated with
little or no intervention by the end user or IT workers. For
example, if an employee installs an application that is not
allowed, it can be detected at the time of the next NAC scan and
then taken off the network, remediated, and returned to the network
when it is compliant.
Adaptive policy technology expands your security posture by
combining multiple security approaches into one NAC solution, such
as signature-based detection of host changes and identity- and
applications-based technologies. Investment is protected by
leveraging currently installed network and system components and by
taking advantage of McAfee integrated management through ePO.
Compliance with internal policies and the ability to prove and even
enforce compliance with standards such as Health Insurance
Portability and Accountability Act (HIPAA) and PCI is also easily
demonstrated with ePO.
McAfee NAC provides preadmission and post-admission scans that are
easily configured to validate the required software and patches so
that desktops are updated and functioning. Many of these
requirements are supplied as predefined rules within McAfee NAC.
Custom rules to check for other software are readily added with an
intuitive wizard. Policy groups are created based on dozens of
predefined criteria, as well as custom criteria–by user, user
groups, domains, applications, operating system, central processing
unit, subnet, and time zone. These groups can be associated with
policies, reports, NAC administrators, notifications, and
administrative tasks. NAC policies themselves can include any of
the more than 3,000 predefined checks, which can be applied to
institution-specific groups.
Responses to system noncompliance include auto-remediation, user
education and coaching, and redirection to the remediation
portal.
Unmanaged hosts can be securely provisioned with Unified Secure Access through secure control and pre-provisioning for guest access portals. Once admitted to the network, comprehensive post-admission control is available based on application protocol, source/destination addresses, port changes, host posture, and IPS-detected malicious behavior.
Adaptive Policy Technology reduces errors and help desk calls
With comprehensive NAC monitoring and reporting included, reports on access logs (who, when, where) and action taken make day-to-day security and compliance management easy, accurate, scalable, and reproducible.
Sample network architecture
Deployment options are flexible and include deploying either in dynamic host configuration protocol (DHCP) mode or inline behind a virtual private network (VPN) or local area network (LAN).
[Figure: sample network architecture; labels include an analysis appliance for user anomaly analysis and the Internet connection. Image not reproduced.]
Managed systems may be quarantined at the system according to policy. Unmanaged systems (rogue and intruders) may be quarantined at network layers two and three, as well as at DHCP and VPN.
McAfee NAC provides extensive reporting features. Reports may be run ad hoc or scheduled. They may be viewed, written to disk, or emailed, as necessary, and are highly customizable with several display options. They can also be saved in several file formats. Several hundred values may be reported on and include details on detection, scanning, compliance, enforcement, and remediation. All reports are configured and run by McAfee ePolicy Orchestrator® (ePO™) with no dependence on any other reporting infrastructure.
Unified Secure Access offers flexible control of all types of
network users. Many initial NAC deployments are to control guest
users (for example, a guest meeting facility or consultants).
Unified Secure Access makes it easy to set up guest networks, but
it also scales to even the largest environments.
Compared to switch or router-based solutions, which require
expensive forklift upgrades to network infrastructure and complex
and brittle policy definitions, McAfee Unified Secure Access
solutions adapt to the threat level you want to address, the
applications you want to protect, the users you want to allow, and
the systems you want to conform to your security
policies.
Why choose McAfee?
As with any purchase, cost is a significant factor. However, a
point solution that requires separate consoles, new endpoint
agents, user training, and introduces unreliability into the
ecosystem contains hidden costs that can only be fully exposed by
looking at the return on investment and whether the solution
leverages the existing infrastructure.
Lowest Operational Cost
• One console for endpoint security, compliance, and access control
• Automatic self-remediation
• Supports compliance initiatives, such as PCI and SOX; reduced audit time and complexity
Leverage Your Existing Investments
• Simple software add-on to Network Security Platform
• Easy upgrade from existing McAfee products (anti-virus, ePO)
• Integrates with Microsoft infrastructure, including Active Directory, NAP, XP, Vista
Unified Secure Access provides a compelling TCO analysis because it leverages the existing ePO infrastructure to deploy and enforce policies. Implementation and training costs are minimal compared to point solutions, and McAfee products do not cause undue network disruption. Unified Secure Access is a simple upgrade from existing McAfee products, rather than a new point product with its own console and a lengthy and expensive deployment project. Based on ePO and the enterprise-class McAfee Network Security Platform, Unified Secure Access is exceptionally scalable.
Summary
Most NAC solutions available to date have been complex, costly,
inaccurate, non-scalable, and not secure. McAfee Unified Secure
Access is the world’s first NAC solution to unify endpoint and
network security with access control and compliance. Its adaptive
policy technology surpasses current NAC solutions by controlling
access and securing networks against threats inside and out.
McAfee Unified Secure Access simplifies deployment with ePO, leverages the ToPS-Advanced single agent, and uses McAfee IPS devices for network enforcement. It provides significant advances in security and compliance with zero additional footprint.
Contact McAfee today to see how Unified Secure Access provides the lowest total cost of ownership of any NAC solution on the market.