The aerospace industry is highly regulated. Working with the
government and NASA means a lot of checks and balances.
And EADS Astrium North America Inc. knows all about that. The
network holds sensitive data that cannot, and should not, be
accessed by just anyone. But that introduces an interesting
dynamic, especially because the network is also accessed by guests,
contractors and visitors from other companies.
"We have to secure the data from people on the network who can't
have access to it," said George Owoc, the company's director of
business administration.
Recently, EADS Astrium -- a subsidiary of EADS, a European
aerospace company -- rolled out Lockdown's Enforcer NAC appliance
in a beta environment.
The standalone box can enforce network access based on a
flexible set of parameters, Owoc said. Access can be granted or
denied based on port location, installed software, applications,
critical updates, and patches. The sweet spot, however, is that
Enforcer can grant or deny access based on identity within Active
Directory.
In the secure area, only certain groups can enter the subnet
based on identity, Owoc said. In order to exchange and view data in
that area, anyone accessing it must be licensed. The need to comply
with license requirements prompted the NAC solution, he said.
"Fundamentally, it keeps someone out of jail," he said (only
half joking), adding that allowing anyone to access such licenses
could "affect our ability to secure licenses in the future."
Others who authenticate to the network are put into a separate
VLAN, Owoc said. And guests and visitors are dumped into a
different VLAN altogether, which is similar to a network in a
hotel, where the Internet can be accessed but other applications
cannot.
"By virtue of VLANs, we control that access," Owoc said. "It's
very similar to Cisco's NAC in function … it's a one-stop solution
for us."
Before putting Enforcer into a beta environment, his company
used Lockdown's Auditor, Owoc said, but that couldn't integrate with
Active Directory. During that time, if a guest wanted access, Owoc
had to be there to grant it.
"If I'm not there, how do they get access?" he said. "Now, it's
hands off. I don't need to be there watching these guys."
To local users, the NAC solution is invisible; it kicks in when
they authenticate, Owoc explained. Guests and visitors are put into
the "hotel" network. Since it is identity based, it doesn't matter
which port a user plugs into.
"This way it's all automated," he said. "I don't have to worry
about who plugs in where."
Using Enforcer has generated interest in trying Lockdown's
upcoming offering: iNAC (intelligent NAC). With iNAC, Owoc said,
instead of blocking a user from accessing the network because of a
misconfiguration or lack of a patch or anti-virus, the system
pushes an update to the machine.
"Rather than shutting them down, I can force the upgrade," he
said.
The iNAC solution, according to Lockdown, integrates with the
Dragon and Sentinel security appliances from Enterasys and also
with Patchlink. Owoc said he's hoping to integrate it with
Patchlink once EADS Astrium North America obtains and rolls out
iNAC.
According to Dan Clark, Lockdown's marketing vice president,
Enforcer's integration with third-party vendors adds a level of
security and automates many two-way communications between
different appliances.
While Lockdown plans to integrate with solutions from Enterasys,
IBM, Intel and Microsoft, the Patchlink pairing adds extra checks
to an NAC system, Clark said.
When integrated with Patchlink, the Enforcer audits and requests
a patch from Patchlink, which automatically updates the device.
After it is updated, the device is put back onto the network.
This article originally appeared on SearchNetworking.com.