Mar 06 2008

Improve IT Security with Network Access Control

Stop the enemy at the gate with network access control.

Sierra Central Credit Union in Yuba City, Calif., prides itself on being an open institution, allowing customers to pay bills online and transfer funds by phone. Daniel Diadiw’s job is to make sure it isn’t too open.

Diadiw, a network security specialist for the credit union, works each day to ensure that the 200 full- and part-time employees and nearly 65,000 account holders can access the bank’s network — but only the portions they’re supposed to see. For this, Diadiw relies on a mix of hardware appliances and software technology known collectively as network access control (NAC).

He’s in good company. “We see a lot of demand for network access control among small and medium businesses,” says Robert Whiteley, senior analyst for enterprise networking at Forrester Research. A recent Forrester survey found that 26 percent of businesses of all sizes already use some sort of NAC technology.

NAC is more than a mere firewall that grants recognized computers access, or a password scheme that lets privileged members log on. At its best, NAC ensures that any notebook computer, server or handheld device trying to access the network has up-to-date antivirus software and meets specified security standards. This is done by software agents sent by the NAC to check approaching machines for antivirus, antispyware and installed patches, as well as complex system characteristics, such as registry entries and file attributes. Computers that aren’t deemed safe are barred entry or are redirected to a quarantined site where network administrators can update the computer’s software or tell its user where to do so.
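The admission decision described above, written out as a small policy engine: an agent-style posture report is checked against a health policy, and a machine that fails any check lands on a quarantine VLAN with the full list of remediation items. This is an added illustration, not code from the article or from any of the NAC products it mentions; the posture fields, the VLAN numbers, the patch names and the registry key are all constructed for the example.

```python
"""Posture check and admission decision for a device requesting network access.

Added illustration, not code from the article or from any NAC product it names.
The posture report fields, policy thresholds, patch IDs and registry key are
all constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

PRODUCTION_VLAN = 10     # constructed VLAN numbers
QUARANTINE_VLAN = 999


@dataclass
class Posture:
    """What the NAC agent reports back about the connecting machine."""
    host: str
    av_installed: bool
    av_signature_date: date
    antispyware_installed: bool
    installed_patches: set[str]
    registry: dict[str, object]   # registry values the agent was asked to read


@dataclass
class Policy:
    """Minimum health bar a machine must clear before it is admitted."""
    max_signature_age_days: int
    required_patches: set[str]
    required_registry: dict[str, object]


@dataclass
class Decision:
    verdict: str                 # "admit" or "quarantine"
    vlan: int
    failures: list[str] = field(default_factory=list)


def evaluate(posture: Posture, policy: Policy, today: date) -> Decision:
    """Collect every failed check, so the quarantine page can list all remediation steps at once."""
    failures = []
    if not posture.av_installed:
        failures.append("antivirus not installed")
    else:
        age = (today - posture.av_signature_date).days
        if age > policy.max_signature_age_days:
            failures.append(f"antivirus signatures are {age} days old "
                            f"(limit {policy.max_signature_age_days})")
    if not posture.antispyware_installed:
        failures.append("antispyware not installed")
    for patch in sorted(policy.required_patches - posture.installed_patches):
        failures.append(f"missing patch {patch}")
    for key, expected in policy.required_registry.items():
        actual = posture.registry.get(key)
        if actual != expected:
            failures.append(f"registry {key} is {actual!r}, expected {expected!r}")
    if failures:
        return Decision("quarantine", QUARANTINE_VLAN, failures)
    return Decision("admit", PRODUCTION_VLAN)


# Constructed policy: the patch names and the registry key are placeholders, not real identifiers.
POLICY = Policy(
    max_signature_age_days=7,
    required_patches={"PATCH-EXAMPLE-001", "PATCH-EXAMPLE-002"},
    required_registry={r"HKLM\SOFTWARE\ExampleCorp\DiskEncryption": 1},
)
TODAY = date(2008, 3, 6)

# Constructed posture reports for two connecting machines.
HEALTHY = Posture("hr-laptop-01", True, date(2008, 3, 5), True,
                  {"PATCH-EXAMPLE-001", "PATCH-EXAMPLE-002", "PATCH-EXAMPLE-003"},
                  {r"HKLM\SOFTWARE\ExampleCorp\DiskEncryption": 1})
STALE = Posture("guest-laptop-07", True, date(2008, 2, 1), False,
                {"PATCH-EXAMPLE-001"},
                {})


if __name__ == "__main__":
    for p in (HEALTHY, STALE):
        d = evaluate(p, POLICY, TODAY)
        print(f"{p.host}: {d.verdict} (VLAN {d.vlan})")
        for f in d.failures:
            print("   -", f)
```

Collecting every failure rather than stopping at the first one is the design choice that matters for the quarantine workflow the article describes: the user (or the administrator updating the machine) sees the whole list in one visit instead of bouncing back to quarantine once per missing item.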

Right of Way

NAC can also make certain that workers have the right credentials to access different parts of the network. For example, human resources personnel can see only employee files, and those in accounts payable, only invoices. It’s no easy task, as Diadiw realized when he came onboard at Sierra Central last spring.

“When I got here, I ran into what most security folks find when entering a new position: lots of security services, but no central repository of what the tools and appliances do,” Diadiw says. “Over the last few months, I’ve been learning our security applications, documenting their setup and figuring out the best way to apply and monitor what the systems provide.”

Basically, there are three ways to approach network access control: installing hardware devices, such as Cisco Systems’ Network Admission Control (NAC) appliance or Hewlett-Packard’s ProCurve Network Access Controller; deploying software, such as McAfee Network Access Control and ePolicy Orchestrator or Symantec Network Access Control 11.0; or layering software, such as Cisco’s NAC Guest Server and Juniper Networks’ Unified Access Control, atop existing network security.

One of the benefits of the latter is that it allows IT administrators to squeeze more functionality from switches and routers. For example, rather than have virtual private networks (VPNs) simply require remote computers to be authenticated, the software is pushed to the remote device to check for updated security software. “I have plenty of clients who basically say they’ll repurpose SSL [Secure Sockets Layer] VPNs to do end-point checks,” says Whiteley.

For smaller businesses, NAC appliances can be a good fit, he says. “Appliances aren’t cheap, but they can be considerably less expensive than pure software options,” Whiteley adds. According to Infonetics Research, worldwide NAC appliance sales are expected to grow more than eightfold, to $670 million in 2010, from $83 million in 2006.

What emerging network technology trends are you most interested in deploying at your company?

43% Network access control
14% Voice over Wi-Fi
16% WAN accelerators
9% Dual-WAN routers
11% 10G fabric networks
7% Other

Source: CDW poll of 287 BizTech readers

Andrew Baker, vice president of IT operations for ARGI, a Montvale, N.J., subscription-fulfillment business that employs 90 workers, says he is evaluating NAC appliances. “It’s not the size of the organization that determines the kind of network security,” he says. “It really has to do with the complexity of the needs and the size of the staff that can address them. The software we have now is too labor intensive. I don’t have a dedicated staff that can deal with these issues. So, an appliance makes sense.”

For a midsize business whose departments need to be well-segregated by function, or a regulated business governed by strict compliance requirements as to what information employees can access (such as Sierra Central), the use of role-based permission software is important. “Role-based control is extremely important for security,” says Diadiw, who uses Microsoft Active Directory, which allows systems administrators to manage all aspects of user accounts, clients, servers and applications. “AD is able to provide audit records for access, failed attempts, and control over ownership and access of files.”
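The role-based control and audit trail Diadiw describes, reduced to its essentials: users map to roles, roles map to the actions they may take on each kind of resource, a file's owner keeps control of it, everything else is denied, and every decision (allowed or refused) is written to an audit log so failed attempts can be counted per account. This is an added illustration, not code from the article or from Active Directory; the roles, users, resource names and permission table are constructed for the example.

```python
"""Role-based access check with an audit trail.

Added illustration, not code from the article or from Active Directory.
Roles, users, resources and the permission table are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime

# Constructed role -> resource kind -> allowed actions. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "human_resources": {"employee_file": {"read", "write"}},
    "accounts_payable": {"invoice": {"read", "write"}},
    "auditor": {"employee_file": {"read"}, "invoice": {"read"}},
}

# Constructed user -> roles mapping (what directory group membership would supply).
USER_ROLES = {
    "alice": {"human_resources"},
    "bob": {"accounts_payable"},
    "carol": {"auditor"},
}


@dataclass
class Resource:
    name: str
    kind: str      # "employee_file" or "invoice"
    owner: str     # the owner keeps full control of their own file


@dataclass
class AuditEntry:
    when: datetime
    user: str
    action: str
    resource: str
    allowed: bool


@dataclass
class AuditLog:
    entries: list[AuditEntry] = field(default_factory=list)

    def failed_attempts(self, user: str) -> int:
        """Count refused requests by one account, the figure an access review looks at first."""
        return sum(1 for e in self.entries if e.user == user and not e.allowed)


def is_allowed(user: str, action: str, resource: Resource) -> bool:
    """Deny by default: allow only if the user owns the file or one of their roles grants the action."""
    if resource.owner == user:
        return True
    for role in USER_ROLES.get(user, set()):
        if action in ROLE_PERMISSIONS.get(role, {}).get(resource.kind, set()):
            return True
    return False


def access(user: str, action: str, resource: Resource, log: AuditLog,
           now: datetime | None = None) -> bool:
    """Make the decision and record it, successful or not, so failed attempts can be reviewed later."""
    allowed = is_allowed(user, action, resource)
    log.entries.append(AuditEntry(now or datetime.now(), user, action, resource.name, allowed))
    return allowed


# Constructed resources.
EMPLOYEE_FILE = Resource("employees/dave.txt", "employee_file", owner="alice")
INVOICE = Resource("invoices/2008-03-0042.pdf", "invoice", owner="bob")


def run_demo() -> AuditLog:
    """Replay a handful of constructed requests and return the resulting audit log."""
    log = AuditLog()
    t = datetime(2008, 3, 6, 9, 0, 0)
    access("alice", "read", EMPLOYEE_FILE, log, t)    # HR reads an employee file: allowed
    access("alice", "read", INVOICE, log, t)          # HR reads an invoice: denied
    access("bob", "write", INVOICE, log, t)           # AP writes its own invoice: allowed
    access("bob", "write", EMPLOYEE_FILE, log, t)     # AP writes an employee file: denied
    access("carol", "read", INVOICE, log, t)          # auditor is read-only: allowed
    access("carol", "write", INVOICE, log, t)         # auditor tries to write: denied
    access("mallory", "read", EMPLOYEE_FILE, log, t)  # account with no roles: denied
    return log


if __name__ == "__main__":
    for e in run_demo().entries:
        print(e.when.isoformat(), e.user, e.action, e.resource, "ALLOW" if e.allowed else "DENY")
```

The point of logging the refusals as well as the successes is the one Diadiw makes: a record of failed attempts is what lets an administrator notice an account probing for files outside its role before anything is actually disclosed.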

Such details are essential. Federal law requires financial institutions to control who comes and goes on the network and what data gets passed back and forth. The idea is to prevent employees from sharing confidential information with outsiders. “One of the most common reasons to use NAC is for regulatory purposes,” says Whiteley. “Even those companies that are not regulated find they need NAC to do business with ones that are.”

Standard Appeal

Whichever NAC option businesses choose, it’s important that they consider standards, says Whiteley.

The three competing standards — Microsoft’s Network Access Protection (NAP), Cisco’s NAC and Trusted Computing Group’s Trusted Network Connect (TNC) — have begun to merge, but users may find at least some early compatibility gaps when they mix products from the more than 200 vendors that have licensed the three technologies.

“Ultimately, a hybrid of trusted and proven standards tends to work much better than putting all your eggs in one basket,” says Sierra Central’s Diadiw.

But compatibility is the goal. In October 2006 Microsoft and Cisco announced they had developed an interoperability architecture that lets NAP- and NAC-compatible products work together. Then, in May 2007, Microsoft said it would make NAP compatible with TNC, which is an open standard.

NAP is built into Microsoft Vista and is available in Windows Server 2008. “Most companies I’ve spoken to are buying the Cisco NAC appliance now, and then are considering Microsoft NAP for 2009,” says Whiteley. “That actually makes for a pretty fluid solution.”

It also makes for a more immediate solution. “We want to be able to control what comes on the network,” says ARGI’s Baker. “We haven’t had any major incidents, but it’s just a matter of time. It’s like playing Russian roulette.”

CEO Takeaway
• Network access control, whatever form it takes, is essential for safeguarding your business. It's no longer good enough for your network to simply recognize remote workers or business partners trying to access your systems. Even trusted users can inadvertently deliver malware when they connect. NAC software and hardware ensures the health of those remote systems before they connect.
• Midsize companies, businesses in regulated industries and those that handle particularly sensitive information should consider NAC software that takes into account an individual's role in the company. This role-based capability helps enforce identity-based security policies across the network, regardless of the network-access method or device, including wireless devices.
• Be sure NAC appliances and software you buy are fully compatible with your existing routers, switches and network-security software. The three main NAC standards — Microsoft's NAP, Cisco's NAC and Trusted Computing Group's TNC — are merging. But some third-party products are not yet interoperable.
John Emerson