NAC’s functions fit better on the endpoint. We need to move
beyond today’s scenario, where users struggle to implement NAC as
a successful security framework. Just how bad is it? We’ve found
that 40% of enterprises surveyed had begun NAC deployments, but
only 4% actually finished.
The majority of those that do finish are turning to solutions
focused on network hardware like appliances, Ethernet switches,
routers, and VPN gateways. But we believe this is the wrong
approach.
Organizations are increasingly turning to network access control
technologies to provide better protection for their networks and
data. However, many of the first generation “NAC 1.0” solutions
were based on an inherently flawed model that failed to respect the
expertise and ownership of different groups in the organization.
NAC 1.0 was also unable to react quickly enough to protect against
rapidly evolving threats or to support the needs of an increasingly
mobile workforce.
NAC 1.0 – fundamentally disconnected
NAC 1.0 suffered a disconnect in perceived ownership, with a
struggle for control between the two key teams who brought two
distinctive perspectives:
* The network team’s perspective – guest access. The network team interpreted “network access control” as meaning a way to control or block unauthorized access to the network.
* The desktop team’s perspective – managed endpoint computers. The desktop team saw “network access control” as meaning a way to control or ensure the security and productivity of users’ computers.
NAC 1.0 – focusing on blocking guests
Guest access was an easy target for many early
NAC 1.0 products, with access generally seen as a luxury rather
than a business necessity, and often needed only in specific
locations such as conference rooms. In addition, guests often do
not have a formal relationship with the business and are not part
of any of the organization’s identity management systems such as
Microsoft Active Directory. It was fairly simple for many point
solution appliances to provide a mechanism to block guests’
computers until they could be made compliant with the
organization’s security policies.
However, this NAC 1.0 focus on meeting the network team’s goal of
controlling guest access missed a far greater problem in terms of
an organization’s security, namely the much greater likelihood of
devastating data loss from a misconfigured managed endpoint
computer. With a few exceptions, such as higher education, the
sheer number of managed endpoint computers means they present a
much greater threat surface, making them in reality the much greater
risk.
NAC 1.0 – lacking agility
First-generation NAC solutions failed to recognize that the threat
environment is constantly changing, with new threats and
vulnerabilities appearing
every day. Anti-malware vendors release a steady stream of updates
to detect and clean new threats. Operating systems and applications
vendors issue
security patches on a daily basis.
Many NAC products could not easily be updated to allow for the
latest updates. When an anti-malware vendor released a new update or
a new version, the administrator often had to update the assessment
rules manually. With new operating system patches, administrators
typically had to enter a new, complex set of registry entries
corresponding to each new patch for each operating system – if
the NAC tools supported patch assessment at all. The large effort
required to keep rules up to date meant that NAC assessment tools
lagged far behind the real dangers facing organizations.
Early mistakes
Intrusion Prevention Systems
Some early NAC products were based on Intrusion Prevention Systems
(IPS) that looked for anomalous network behavior. These were useful
when threats often consisted of worms with identifiable network
signatures. Today’s threats frequently produce no identifiable
network anomaly at all, and are therefore invisible to
behavior-based IPS.
Network appliances
Some NAC vendors chose to deliver their
solutions as network appliances. This was a choice made for their
own convenience, not their customers’ needs. By delivering as an
appliance, the vendors were able to limit their testing to a small
set of predetermined platforms. This seeming convenience is
deceptive. Networks often had to be redesigned to insert an
appliance, funneling all traffic through a choke point and
affecting performance and reliability. NAC appliances also lack
deep assessment capabilities, good scalability, and the means to
protect computers when they are not connected to the network.
Network equipment
Network vendors are typically interested in upgrading switching and
routing gear to include the latest features. They do not have a good
presence on the endpoint, and as a result attempts to control network
access with equipment alone were unsuccessful: the equipment offered
weak assessment and little or no policy management. Network-based
NAC ignored the issue of remote or roaming users, although ironically
NAC has its roots in Host Integrity Checking for roaming users.
NAC Frameworks
The original NAC Frameworks – such as
Microsoft Network Access Protection (NAP), Cisco Network Admission
Control (NAC), and Trusted
Computing Group’s Trusted Network Connect (TNC) – offered basic
interoperation standards and little more. They provided some
plumbing,
but left organizations to do the work of fitting it all together.
Policy management, updating, and audit were left out of the
equation.
There was also a critical flaw in the NAC Frameworks’ reliance on a
“trust” model – self-policing by the very applications that have gone
wrong. They required anti-malware software to report its own status,
even though a failure in that software might be the very reason a
computer was unprotected. Furthermore, unwanted and unauthorized
software, such as spyware or peer-to-peer applications, could not be
expected to report its status to a NAC Framework, thereby breaking
the trust model.
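As an added example (not Sophos code, and not the implementation of any NAC product or framework named above), the following Python sketch shows the two remedies implied by the manual rule updates of NAC 1.0 and by the self-policing flaw just described: assessment rules held as data that can be refreshed as vendors publish patches and definition updates, and a compliance verdict based on facts the assessment itself observes on the endpoint (patch inventory, the definition file’s timestamp, the process list) rather than on the protective software’s own “protected” claim. All rule values, patch ids, process names and endpoint inventories are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Rules:
    """Assessment rules kept as data, so a vendor feed can refresh them instead of
    an administrator re-entering registry checks for every patch or engine release."""
    required_patches: dict[str, set[str]]   # OS name -> patch ids that must be present
    max_definition_age: timedelta           # how old anti-malware definitions may be
    required_processes: set[str]            # protective software that must be running
    forbidden_processes: set[str]           # e.g. peer-to-peer clients


@dataclass
class EndpointFacts:
    """Facts the NAC assessment gathers itself (patch inventory, file timestamps,
    process list), kept separate from what the protected software says about itself."""
    os_name: str
    installed_patches: set[str]
    definition_timestamp: datetime          # mtime of the definition file on disk
    running_processes: set[str]
    agent_self_report: dict                 # the anti-malware product's own claims


def assess(facts: EndpointFacts, rules: Rules, now: datetime) -> tuple[str, list[str]]:
    """Return ('compliant' | 'non-compliant', findings).

    The product's 'protected' claim is recorded for the audit trail but never
    decides the outcome; only independently observed facts do."""
    findings: list[str] = []
    missing = rules.required_patches.get(facts.os_name, set()) - facts.installed_patches
    if missing:
        findings.append(f"missing patches: {sorted(missing)}")
    if now - facts.definition_timestamp > rules.max_definition_age:
        findings.append("anti-malware definitions stale")
    stopped = rules.required_processes - facts.running_processes
    if stopped:
        findings.append(f"required protection not running: {sorted(stopped)}")
    unwanted = facts.running_processes & rules.forbidden_processes
    if unwanted:
        findings.append(f"unauthorized software running: {sorted(unwanted)}")
    if facts.agent_self_report.get("protected") and findings:
        findings.append("self-reported 'protected' contradicted by observed facts")
    return ("compliant" if not findings else "non-compliant", findings)


# Constructed sample rules; patch ids and process names are placeholders.
RULES = Rules(
    required_patches={"windows": {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}},
    max_definition_age=timedelta(days=2),
    required_processes={"example-av-service"},
    forbidden_processes={"example-p2p-client"},
)
NOW = datetime(2024, 1, 10, 9, 0)

# Constructed sample endpoints.
HEALTHY = EndpointFacts("windows", {"KB-EXAMPLE-1", "KB-EXAMPLE-2"},
                        NOW - timedelta(hours=6), {"example-av-service"},
                        {"protected": True})
# The agent claims it is fine, but its service is stopped, a patch is missing,
# definitions are five days old and a peer-to-peer client is running.
LYING = EndpointFacts("windows", {"KB-EXAMPLE-1"},
                      NOW - timedelta(days=5), {"example-p2p-client"},
                      {"protected": True})


def run_samples() -> dict[str, tuple[str, list[str]]]:
    return {"healthy": assess(HEALTHY, RULES, NOW), "lying": assess(LYING, RULES, NOW)}


if __name__ == "__main__":
    for name, (state, findings) in run_samples().items():
        print(name, state, findings)
```

Refreshing `RULES` from a patch or definition feed changes what is checked without touching the checking code, which is the agility NAC 1.0 lacked; and because `assess` ignores `agent_self_report` when deciding, a disabled or compromised anti-malware product cannot vouch for itself.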
The future of NAC
The new model for NAC, or
“NAC 2.0”, that is now emerging takes into account the
shortfalls of earlier approaches and aims to solve real
business
problems. It acknowledges and embraces the functional roles and
division of responsibilities found in today’s organizations,
supports the business goals of different groups and endeavors to
meet the rapidly changing requirements of today’s dynamic threat
environment.
NAC 2.0 – embracing functional roles
NAC 2.0 has operational impact on three teams in the IT
organization. NAC 1.0’s focus on answering the network team’s
needs is matched by a real
commitment to the needs of the desktop team, and a new ability to
encompass the requirements of the security team.
Network team
As discussed earlier, the network team is where many NAC solutions
were originally embraced and it seemed natural for this team to be
the primary owner of “network” access control, although in
reality NAC is about more than just the network. This team includes
the experts on:
The network team is responsible for ensuring network availability
and performance. It does not typically have any responsibility for
endpoint assessment and remediation and does not care what the
configuration of any particular endpoint computer is. Its concern
in terms of the endpoint is to supply the appropriate level of
service to a computer based on its role and compliance state.
NAC and the network team
The network team needs NAC to keep unknown or
unsafe computers from impacting network security, availability, and
performance. NAC needs the network team to manage the switch fabric
for enforcement (VLANs, access control lists) based on compliance
state.
Desktop team
The desktop team is concerned with managed
computers and all aspects of their configuration – even when they
are not connected to the
network, for example, while roaming.
The team drives the requirements for assessment of endpoint
configuration, remediation of any misconfiguration, and patching
and updating, including:
* Selection, management, and updating of anti-malware software and
desktop firewall
* Desktop patch management
* Implementation of best practices for secure configuration.
In the past, enterprises solving guest access challenges gravitated
toward an appliance-based solution that simply plugged into a
spanning port on a switch; those focused on controlling employee
access looked to a software-based solution whereby specific agents
could be installed on corporate controlled machines. However, we
now see a clear inflection point. Enterprises need a heterogeneous
mix of technologies to cover an ever-widening set of
scenarios.
NAC and the desktop team
The desktop team needs NAC as a tool to eliminate
configuration drift on the computers under its control regardless
of network location. NAC needs the desktop team to define ideal
configurations and remediation mechanisms.
Security team
The security team is focused on regulatory
compliance and audit. Although it does not have day-to-day
operational responsibility for desktops and the
network, it sets the standards for compliance throughout the
organization. Some practices are mandated by government regulatory
bodies, such as HIPAA (USA), PIPEDA (CA), and BS7799/ISO27002
(UK/Int’l), while some come from recognized industry bodies, such
as the Center for Internet
Security (CIS Benchmarks) and the Payment Card Industry (PCI DSS).
In addition to its already formidable responsibility for risk
management, the
security team is responsible for:
* Determining which standards are applicable in their
organization
* Auditing the environment against those standards
* Showing proof of standards compliance.
NAC and the security team
The security team needs NAC to minimize the risk
from non-compliant, unknown, and unsafe computers and to provide
comprehensive reporting and audit.
NAC needs the security team to define standards for regulatory
compliance and security best practices.
NAC 2.0 – focusing on business goals
Unlike one-size-fits-all NAC solutions, NAC 2.0 recognizes that
businesses have different goals for employees, contractors, and
guests, and, when properly implemented, focuses on the requirements
for each group.
Business goals for employees
* Enable – not block – access to the network and applications
* Enhance productivity, security and compliance.
Business goals for formal visitors, such as contractors, partners, and consultants
* Assess the level of risk posed by the unmanaged computers of these visitors.
* Provide restricted access appropriate to the authorization and level of risk.
Business goals for informal guests and unknown computers
* Require proof of authorization
* Block network access unless authorized.
Many NAC project failures have been a result of too great a vendor
focus on the network enforcement
mechanisms, and not enough on the practical prioritization of
achievable business benefits against
each distinct use case. Successful NAC deployments have in common
the primary objective of enabling
safe access to appropriate resources by authorized people – and
not an objective of blocking users
from the network. In other words, NAC 2.0 focuses on enabling
rather than blocking access.
A Sophos white paper NAC 2.0: A new model for a more secure future
NAC 2.0 – providing dynamic flexibility
IT departments now have
available a much richer context in which to make decisions about
authorizing access to company resources. In determining the
appropriate level of access, they
can now go beyond simple user identity and role, and consider
machine identity, access location, access method, time of access,
device security posture and state, emerging threats and available
threat responses.
The resulting authorization policies are dependent on increasingly
rapid real-time information about security updates. Deciding if a
computer is
fully patched requires up-to-date knowledge of available security
patches. Knowing if a guest computer’s anti-malware protection is
current means the system must not only know about a company’s own
chosen anti-virus product, but also understand what threat
detection updates have been published by each anti-virus vendor at
all times. Knowledge of the emerging threats and available
responses are both key to making authorization decisions and
therefore, NAC needs to have the native capability to provide this
critical stream of information.
Today’s best endpoint NAC solutions are evolving to enable
effective management and control of access authorization by
providing two distinct sets
of capabilities:
* Network enforcement mechanisms that provide an entry gate onto the network, along with the ability to restrict access using dynamic VLAN and/or ACL assignments, delivered (unlike the special-purpose appliances of NAC 1.0) as a commodity capability available within the standard networking switching platforms.
* A centralized policy management platform for directing assessment, remediation, access control, reporting, audit, and alerting – covering all required use cases combined with rich native assessment and remediation capabilities.
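The following Python policy sketch is an added example (not Sophos code and not any vendor’s policy engine). It ties together the richer decision context described above (user role, machine identity, location, access method, time, device posture and an active threat response) with the per-group business goals set out earlier: employees are enabled rather than blocked (a drifted managed computer goes to a remediation network), contractors get access restricted by risk, and unknown computers are blocked unless they carry proof of authorization. The result is expressed as the dynamic VLAN/ACL assignment the network team enforces, plus an audit record for the security team. The VLAN and ACL names, the business-hours window and the sample sessions are constructed placeholders, not values from the paper.

```python
from __future__ import annotations
from dataclasses import dataclass, asdict
from datetime import datetime


@dataclass
class AccessContext:
    """Decision inputs beyond user identity and role; all fields are constructed."""
    user_role: str          # "employee", "contractor" or "guest"
    machine_managed: bool   # machine identity known to the desktop team
    posture: str            # "compliant", "non-compliant" or "unknown"
    location: str           # "office" or "remote"
    access_method: str      # "wired", "wireless" or "vpn"
    time: datetime
    authorized: bool        # proof of authorization (e.g. a sponsor) for guests
    threat_alert: bool      # an emerging-threat response is currently active


# Enforcement is a VLAN/ACL pair the network team pushes to the switch fabric.
# The names are placeholders.
FULL = ("vlan-corp", "acl-allow-all")
REMEDIATION = ("vlan-remediation", "acl-patch-and-av-servers-only")
RESTRICTED = ("vlan-contractor", "acl-project-resources-only")
GUEST = ("vlan-guest", "acl-internet-only")
BLOCKED = ("vlan-quarantine", "acl-deny-all")


def decide(ctx: AccessContext) -> dict:
    """Return the enforcement tier, the reason, and an audit record.

    Employees are enabled (remediation rather than blocking when drifted),
    contractors get access restricted by risk, and unknown computers are blocked
    unless authorized. Posture and an active threat response adjust the baseline.
    """
    posture = ctx.posture
    if ctx.threat_alert and posture == "unknown":
        posture = "non-compliant"   # while a threat response is active, unverified means unsafe

    if ctx.user_role == "guest":
        if not ctx.authorized:
            tier, why = BLOCKED, "no proof of authorization"
        else:
            tier, why = GUEST, "authorized guest, internet only"
    elif ctx.user_role == "contractor":
        if not 7 <= ctx.time.hour < 19:        # constructed agreed access window
            tier, why = BLOCKED, "outside agreed access hours"
        elif posture == "compliant":
            tier, why = RESTRICTED, "contractor on a compliant unmanaged computer"
        else:
            tier, why = GUEST, "contractor posture not verified, internet only"
    elif ctx.user_role == "employee":
        if not ctx.machine_managed:
            tier, why = GUEST, "employee on an unmanaged computer"
        elif posture == "compliant":
            tier, why = FULL, "managed, compliant computer"
        else:
            tier, why = REMEDIATION, "managed computer needs remediation"
    else:
        tier, why = BLOCKED, "unknown role"

    vlan, acl = tier
    audit = asdict(ctx)                 # every input that influenced the decision
    audit["time"] = ctx.time.isoformat()
    audit["posture_used"] = posture
    return {"vlan": vlan, "acl": acl, "reason": why, "audit": audit}


def _ctx(role, managed, posture, hour=10, **kw) -> AccessContext:
    base = dict(location="office", access_method="wired", authorized=True, threat_alert=False)
    base.update(kw)
    return AccessContext(role, managed, posture, time=datetime(2024, 1, 10, hour), **base)


# Constructed sample sessions.
SAMPLES = {
    "employee_office": _ctx("employee", True, "compliant"),
    "employee_drifted": _ctx("employee", True, "non-compliant"),
    "contractor_day": _ctx("contractor", False, "compliant", hour=14),
    "contractor_night": _ctx("contractor", False, "compliant", hour=23,
                             location="remote", access_method="vpn"),
    "guest_walkin": _ctx("guest", False, "unknown", authorized=False),
    "guest_sponsored": _ctx("guest", False, "unknown"),
    "unknown_posture_during_alert": _ctx("employee", True, "unknown",
                                         access_method="vpn", threat_alert=True),
}


def run_samples() -> dict[str, tuple[str, str]]:
    out = {}
    for name, ctx in SAMPLES.items():
        d = decide(ctx)
        out[name] = (d["vlan"], d["reason"])
    return out


if __name__ == "__main__":
    for name, (vlan, reason) in run_samples().items():
        print(f"{name:30s} {vlan:18s} {reason}")
```

The posture string would come from an assessment step; the point here is that the same identity can land in different VLANs depending on posture, time and threat state, and that the audit record captures which inputs produced each decision.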
NAC 2.0 – protecting beyond security
Regulatory compliance, industry best
practices, and IT governance are the new set of drivers behind the
evolution and adoption of NAC. NAC as a tool for security,
productivity, and compliance leads to better endpoint and network
governance. NAC 2.0 will finally enable organizations to get
control of their systems – in spite of a rapidly evolving threat
environment and the changing nature of the network perimeter.
Summary
Network access control is a valuable
new technology for protecting an organization’s assets from risk.
Learning from the flaws of earlier solutions, NAC is now evolving
into NAC 2.0, a more mature set of integrated technologies that
embraces the multiple functional roles in the organization, focuses
on solving real business problems, and supports a dynamic
environment. NAC 2.0 is the future of network access control.