
In spite of the billions of dollars spent each year on
IT security, companies still suffer data leaks, security breaches,
and virus outbreaks, writes Chris Boscolo, CTO and founder
of Napera Networks.
Today's security challenges come not only from the changing threat
environment but also from changes in how we work. Mobile working is
now the norm rather than the exception. Many employees use their company
laptops for both business and personal use. While this is a boon to
productivity and work-life balance, it also means we are in danger
of losing control of corporate IT assets.
Traditional security solutions, such as firewalls, anti-virus,
anti-spyware, patch management and VPNs, are no longer sufficient to
keep threats off the network. While these play a vital role,
companies are still dealing with devices connecting to the network
with unpatched software, out-of-date anti-virus and improper
security settings. Not keeping devices up to date is probably the
largest hole in the security fight today.
What is network access control?
Network access control (NAC) products entered the market a few
years ago to fill this gap. A typical NAC solution provides an
endpoint assessment of the computer and then enables access and
enforces security policy based on the state of the computer and the
identity of the user.
Early NAC solutions were expensive and complex and targeted at
the large enterprise market. But even for those companies with
budgets and IT staff to manage NAC, the deployments often failed or
stalled because of the complexity, lack of interoperability and
proprietary technologies of the NAC solutions.
Interoperability
Cisco, Microsoft, and the Trusted Computing Group (TCG), a
consortium of suppliers, proposed alternate frameworks and
interoperable architectures in an attempt to overcome this hurdle.
Today, NAC is moving toward more standards-based protocols.
TCG developed its Trusted Network Connect (TNC) framework with
the sole goal of implementing standards around NAC. In addition to
this, the Internet Engineering Task Force (IETF) has a working
group focused on having these same NAC protocols standardised.
The biggest boon to NAC has been Microsoft and its Network
Access Protection (NAP) platform and protocols. Under NAP, Microsoft is
interoperating with other vendor solutions, and encouraging
partners to develop agents and tools to enable NAP to communicate
with non-Windows devices as well as competing policy servers.
Partners have responded by developing Macintosh and Linux NAP
agents.
NAP was slow out of the gate because of the long adoption cycle
for Windows Vista and Windows Server 2008, which holds the policy
enforcement engine for Microsoft's NAP platform. But the NAP agent
for Windows XP was in Service Pack 3, released worldwide earlier
this year. As a result, the NAP agent is expected to be available
on some 80% or more of Windows laptops by the end of 2008.
One key benefit of NAP is that any anti-virus vendor that
reports status via Windows Security Centre will also be capable of
reporting status via NAP. Most of the anti-virus products work with
NAP, and hopefully all of them will. (You can see a current list
here: http://www.napera.com/PDF/Napera-Microsoft-NAP-Compatibility-List.pdf)
Getting started
NAC has come a long way in the past year. But how do you get
started?
If you are mostly a Windows shop, then Microsoft NAP would be a
good place to start. If you are a smaller organisation, then you
don't need Windows Server 2008 but can use a network appliance to
enforce policies and directly communicate with the Microsoft NAP
agent. If you have Macintosh or Linux computers, then you need to
look for cross-platform support.
There is much debate about where to enforce NAC, but I believe
that the best place is at the network layer (layer 2 or 3). There
are now several NAC appliances that are relatively easy to deploy
and manage.
Also, it's best to find a solution that provides centralised
management for both employee and guest access. Mobile employees
pose a huge risk to your network, but visitors, partners or
suppliers working on site bring an even greater danger, since you
have no way to manage those devices.
A good NAC solution should enable you to provide guests with
controlled and safe access either to the internet or a select group
of printers or network resources, without exposing the rest of the
network.
It is useful to be able to implement NAC in phases, so you
aren't disrupting your network or your workers or creating a burden
for your help desk.
Your first task is to monitor your environment. Gather the
information you need and understand what is actually happening with
devices on your network. Many IT managers are shocked by what they
find. One IT manager discovered he had several virtual machines on
his network he was unaware of; another found that more than half of
the laptop computers were not running the latest security patches;
yet another found their desktop security suite was incorrectly
configured and that all of their desktop firewalls were
disabled.
This insight into your network is one of the greatest benefits
of NAC. While few companies deploy NAC for this reason, it is
always the first thing IT staff notice and appreciate. Never before
have they been able to have this central view of every device on
the network and, importantly, the security status of those devices.
One of our customers, Bakha Nurzhanov, co-founder and CTO of Design
Clinicals, a Seattle-based healthcare IT firm, said, "It was like
having a microscope over my entire network."
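To make the policy model concrete, here is an added Python illustration (not Napera or Microsoft code) of how a NAC policy server might map a device's health report and the user's role to a network segment, including the monitor-only first phase and the guest restriction described above. The field names, the signature-age threshold and the sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_AV_AGE_DAYS = 7  # constructed policy threshold: signatures older than a week fail

@dataclass
class HealthReport:  # constructed stand-in for a NAP statement of health plus user role
    device: str
    user_role: str              # "employee" or "guest"
    av_signature_age_days: int
    patches_current: bool
    firewall_enabled: bool

def check_health(r: HealthReport) -> List[str]:
    """Return the policy checks the device fails (empty list means compliant)."""
    failures = []
    if r.av_signature_age_days > MAX_AV_AGE_DAYS:
        failures.append("anti-virus signatures out of date")
    if not r.patches_current:
        failures.append("security patches missing")
    if not r.firewall_enabled:
        failures.append("host firewall disabled")
    return failures

def decide(r: HealthReport, enforce: bool) -> Tuple[str, List[str]]:
    """Map a report to a network segment plus reasons. enforce=False is the
    monitoring phase: findings are recorded but employee access is unchanged."""
    failures = check_health(r)
    if r.user_role == "guest":
        return "guest", failures        # internet and printers only, healthy or not
    if not failures:
        return "full", []
    if not enforce:
        return "monitor-only", failures  # logged for the IT staff, no disruption
    return "remediation", failures       # quarantined until the device is fixed

def summarise(reports: List[HealthReport], enforce: bool) -> Tuple[Dict[str, Tuple[str, List[str]]], int]:
    """Evaluate every report and count how many devices are non-compliant."""
    decisions = {r.device: decide(r, enforce) for r in reports}
    return decisions, sum(1 for _, failures in decisions.values() if failures)

# Constructed sample inventory (not real data): two of three laptops fail policy.
SAMPLE = [
    HealthReport("lt-01", "employee", 2, True, True),
    HealthReport("lt-02", "employee", 30, False, True),
    HealthReport("lt-03", "employee", 1, True, False),
    HealthReport("visitor-mac", "guest", 90, False, False),
]
```

Running `summarise(SAMPLE, enforce=False)` during the monitoring phase yields the same non-compliance count as the enforcement phase, which is the point: you learn what is on the network before anyone is cut off.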
Authentication
In spite of your efforts, employees often ignore the rules. Even
with NAC, you need to think about authentication of both devices
and users. For example, many companies are now using Wi-Fi access
points to provide easy wireless access to the corporate network,
but they forget to add the necessary security. The problems with
WEP wireless encryption are well documented, and WPA provides a
reasonably secure alternative. But in our recent survey of 40 small
and medium enterprises, more than half used a shared password for
all wireless access.
Regardless of your choice of encryption, a shared password is an obvious
Achilles heel because individual users cannot easily be identified
and any change to the shared password creates massive disruption.
Identifying wireless users and changing a shared password regularly
are tasks that make wireless access a management nightmare.
A more secure way to do Wi-Fi is to use WPA Enterprise. This
requires every user to authenticate with his or her own username
and password when connecting. Although initial setup of WPA
Enterprise can be difficult, the day-to-day burden of changing a
shared password is eliminated. WPA Enterprise also means you can
give guests access by creating a guest user.
I have yet to meet an organisation that didn't have at least one
computer on their network that was out of compliance or that
presented a direct threat to the network. No matter what they have,
if they don't have a way to check devices before they access the
network, they risk having a virus or other threat spread across the
company.
While you may not be able to control everything your employees
do, you can take control back of mobile computing and implement
better policies and technologies that make sure all devices
accessing the network are healthy and secure.