If your organization has not yet deployed a
network access control (NAC) solution, you're not alone. But
it's a good bet you're giving it a lot of serious thought. Research
firm Gartner Inc. says the market, estimated at a modest $100
million in 2006, will double by the end of the year.
But once you tune out the persistent buzz around NAC over the
last couple of years, you'll find that it's tough to define your
short- and long-term security requirements, and tougher still to
find a solution that fills the bill now and will still be viable in
a few years.
Most of the emphasis has been on pre-connect access control,
basically a health check of every device logging on to your network
for things like up-to-date antivirus and patch status.
Products use a variety of network and agent assessment and
enforcement methods. As is, they'll meet a lot of
organizations' short-term needs, notably limiting visitors' network
access.
"Guest networking is the thing most people want addressed;
that's the biggest driver," said Gartner analyst Lawrence Orans.
"People call guest networking NAC, but it's just the first step.
With NAC, you have an opportunity to define policies, and identify
and evaluate endpoints."
NAC picture unclear
The NAC landscape is far from settled. Cisco's infrastructure-based
approach is still developing--it offers appliance and software
solutions with a migration path to switch/router-based enforcement.
Microsoft's Network Access Protection (NAP), which requires Windows
Vista (or a Windows XP patch) and Longhorn, is years away from
general deployment. Some of the early market entries have been
acquired by Symantec (Sygate, Whole Security), Check Point (Zone
Labs), Cisco (Perfigo) and Sophos (Endforce). Other independents
are presenting mixed sets of capabilities and methods, giving
organizations pause as they assess their present and,
significantly, future needs.
Gartner defines full NAC as requiring both pre-connect and
post-connect assessment. The vanishing perimeter means that you
have no guarantee, for example, that a laptop that's been
remediated with current antivirus and patches is free of malware.
Further, how do you know that an employee, guest, contractor--or
hacker--isn't accessing apps and data they shouldn't? VLANs and
ACLs offer some access controls, but are difficult to configure and
manage if you're looking for dynamic control in a changing
environment with guests, contractors and partners all requiring
some level of network access.
Continuous access, malware monitoring
If these things keep you awake at night, you can consider one of
several network-based inline appliances that provide granular
access control and persistent monitoring to detect attack behavior
and unauthorized access. Consentry Networks, Nevis Networks and
Vernier Networks all offer these comprehensive capabilities.
"The strength of these solutions is their identity-based NAC and
post-connect capability," said Gartner's Orans. "Their strength is
user policies, device policy, because they tie user policy to
Active Directory. They sit inline and drop or allow packets
depending on who you are."
Do you need this level of security? Are you ready to use it? It
depends. Most organizations don't have the kind of sophisticated
role-based access policies needed to take full advantage of these
product capabilities.
"Most organizations use broad group definitions as a starting
point; for example, patients, doctors, nurses, certain types of
staff," said Alan Norquist, vice president of marketing at Vernier.
"They find it gives them a lot of value. It's secure but much
simpler than doing VLANs."
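The two stages the article describes, a pre-connect health check followed by post-connect, identity-based allow/drop decisions keyed to broad directory groups, can be sketched as a small policy engine. This is an added illustration, not code from any vendor named above; the group names, resource names, thresholds and sample endpoints are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy: posture baseline for the pre-connect check and
# post-connect access rules keyed by directory group (assumed resolved
# from Active Directory before the endpoint reaches this engine).
MAX_SIGNATURE_AGE_DAYS = 3
REQUIRED_PATCH_LEVEL = 12
GROUP_RULES = {
    "doctors": {"emr", "pacs", "internet"},
    "nurses": {"emr", "internet"},
    "guests": {"internet"},          # guest networking: internet only
}

@dataclass
class Endpoint:
    user: str
    group: str               # directory group, e.g. "doctors"
    av_signature_date: str   # ISO date of the last antivirus update
    patch_level: int

def pre_connect_check(ep, today):
    """Health check: return the list of failed requirements (empty = healthy)."""
    failures = []
    sig_age = (date.fromisoformat(today) - date.fromisoformat(ep.av_signature_date)).days
    if sig_age > MAX_SIGNATURE_AGE_DAYS:
        failures.append("antivirus signatures out of date")
    if ep.patch_level < REQUIRED_PATCH_LEVEL:
        failures.append("patch level below baseline")
    return failures

def admit(ep, today):
    """Pre-connect stage: healthy endpoints join production, others go to remediation."""
    failures = pre_connect_check(ep, today)
    return ("remediation", failures) if failures else ("production", [])

def post_connect_decision(ep, resource):
    """Identity-based rule: allow only resources permitted to the user's group."""
    return resource in GROUP_RULES.get(ep.group, set())

def evaluate_flow(ep, resource, today):
    """Decision an inline enforcement point would make for one flow."""
    placement, _ = admit(ep, today)
    if placement != "production":
        return "drop"            # remediation network: no access to internal resources
    return "allow" if post_connect_decision(ep, resource) else "drop"
```

Because `admit` runs on every flow, an endpoint that was healthy at logon but has aged past the signature threshold is pushed back to remediation, which is the post-connect point the article makes.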
Alliance Imaging, an Anaheim, Calif.-based nationwide provider
of medical imaging and oncology solutions, was primarily concerned
about inappropriate access on shared networks at 85 distributed
locations across the country.
"Our concern was how do we create a security mechanism to prevent
others on site from attacking one of our remote edges and how do we
prevent us from attacking one of our business partners," said Adam
Le, Alliance's director of IT infrastructure. "For example, you may
have a family practice on one floor, radiologist, then us, with
patient data passed through the same network. Patching and managing
endpoints is extremely difficult--network isn't ours."
Le deployed a Consentry LANShield appliance in Alliance's data
center in Arizona and large branch offices in California, Ohio and
Massachusetts, and is gradually installing LANShield Switches at
the remote locations, replacing existing switches as they reach end
of life.
Security on the switches
The switches--Nevis offers a switch-based solution as well--are an
attractive option. Gartner believes that switches are the best way
to implement continuous identity-based controls with the ability to
monitor traffic for malware, but that widespread adoption will wait
until Cisco, which dominates the infrastructure market, can offer
this kind of technology at a competitive price.
"The right place is in switching functionality; as people do
switch upgrades, we'll capture market," said Dominic Wilde, Nevis'
vice president of marketing. "We're under no illusions, but we fill
a niche protecting high-value resources down to the port level. And
we have deals where we can become the new switching
standard--mostly in green field sites like Asia."
"70 percent of our shipments were switches, but we're still a
blip on radar compared to Cisco," said Dan Leary, Consentry vice
president of marketing and product management. "We're confident the
switch to embedded technology will be faster than analysts
think."
"Really, a lot of this is belt and suspenders security, defense
in depth," said Gartner's Orans. "The defense and intelligence
communities are interested because they need an extra level of
protection; and schools and universities because students and
faculty share the same physical networks. And any
organization--pharmaceuticals come to mind--that places a premium on
intellectual property is interested in enforcing network access
based on who you are."