Sierra Central Credit Union in Yuma City, Calif., prides itself on being an open institution, allowing customers to pay bills online and transfer funds by phone. Daniel Diadiw’s job is to make sure it isn’t too open.
Diadiw, a network security specialist for the credit union, works each day to ensure that the 200 full- and part-time employees and nearly 65,000 account holders can access the bank’s network — but only the portions they’re supposed to see. For this, Diadiw relies on a mix of hardware appliances and software technology known collectively as network access control (NAC).
He’s in good company. “We see a lot of demand for network access control among small and medium businesses,” says Robert Whiteley, senior analyst for enterprise networking at Forrester Research. A recent Forrester survey found that 26 percent of businesses of all sizes already use some sort of NAC technology.
NAC is more than a mere firewall that grants recognized computers access, or a password scheme that lets privileged members log on. At its best, NAC ensures that any notebook computer, server or handheld device trying to access the network has up-to-date antivirus software and meets specified security standards. This is done by software agents sent by the NAC to check approaching machines for antivirus, antispyware and installed patches, as well as complex system characteristics, such as registry entries and file attributes. Computers that aren’t deemed safe are barred entry or are redirected to a quarantined site where network administrators can update the computer’s software or tell its user where to do so.
Right of Way
NAC can also make certain that workers have the right credentials to access different parts of the network. For example, human
resources personnel can see only employee files, and those in accounts payable, only invoices. It’s no easy task, as Diadiw realized when he came onboard at Sierra Central last spring.
“When I got here, I ran into what most security folks find when entering a new position: lots of security services, but no central repository of what the tools and appliances do,” Diadiw says. “Over the last few months, I’ve been learning our security applications, documenting their setup and figuring out the best way to apply and monitor what the systems provide.”
Basically, there are three ways to approach network access control: installing hardware devices, such as Cisco Systems’ Network Admission Control (NAC) appliance or Hewlett-Packard’s ProCurve Network Access Controller; deploying software, such as McAfee Network Access Control and ePolicy Orchestrator or Symantec Network Access Control 11.0; or layering software, such as Cisco’s NAC Guest Server and Juniper Networks’ Unified Access Control, atop existing network security.
One of the benefits of the latter is that it allows IT administrators to squeeze more functionality from switches and routers. For example, rather than have virtual private networks (VPNs) simply require remote computers to be authenticated, the software is pushed to the remote device to check for updated security software. “I have plenty of clients who basically say they’ll repurpose SSL [Secure Sockets Layer] VPNs to do end-point checks,” says Whiteley.
For smaller businesses, NAC appliances can be a good fit, he says. “Appliances aren’t cheap, but they can be considerably less expensive than pure software options,” Whiteley adds. According to Infonetics Research, worldwide NAC appliance sales are expected to grow more than eightfold, to $670 million in 2010, from $83 million in 2006.
What emerging network technology trends are you most interested in deploying at your company?
43% Network access control
14% Voice over Wi-Fi
16% WAN accelerators
9% Dual-WAN routers
11% 10G fabric networks
Andrew Baker, vice president of IT operations for ARGI, a Montvale, N.J., subscription-fulfillment business that employs 90 workers, says he is evaluating NAC appliances. “It’s not the size of the organization that determines the kind of network security,” he says. “It really has to do with the complexity of the needs and the size of the staff that can address them. The software we have now is too labor intensive. I don’t have a dedicated staff that can deal with these issues. So, an appliance makes sense.”
For a midsize business whose departments need to be well-segregated by function, or a regulated business governed by strict compliance requirements as to what information employees can access (such as Sierra Central), the use of role-based permission software is important. “Role-based control is extremely important for security,” says Diadiw, who uses Microsoft Active Directory, which allows systems administrators to manage all aspects of user accounts, clients, servers and applications. “AD is able to provide audit records for access, failed attempts, and control over ownership and access of files.”
Such details are essential. Federal law requires financial institutions to control who comes and goes on the network and what data gets passed back and forth. The idea is to prevent employees from sharing confidential information with outsiders. “One of the most common reasons to use NAC is for regulatory purposes,” says Whiteley. “Even those companies that are not regulated find they need NAC to do business with ones that are.”
Whichever NAC option businesses choose, it’s important that they consider standards, says Whiteley.
The three competing standards — Microsoft’s Network Access Protection (NAP), Cisco’s NAC and Trusted Computing Group’s Trusted Network Connect (TNC) — have begun to merge, but users may find at least some early compatibility gaps when they mix products from the more than 200 vendors that have licensed the three technologies.
“Ultimately, a hybrid of trusted and proven standards tends to work much better than putting all your eggs in one basket,” says Sierra Central’s Diadiw.
But compatibility is the goal. In October 2006 Microsoft and Cisco announced they had developed an interoperability architecture that lets NAP- and NAC-compatible products work together. Then, in May 2007, Microsoft said it would make NAP compatible with TNC, which is an open standard.
NAP is built into Microsoft Vista and is available in Windows Server 2008. “Most companies I’ve spoken to are buying the Cisco NAC appliance now, and then are considering Microsoft NAP for 2009,” says Whiteley. “That actually makes for a pretty fluid solution.”
It also makes for a more immediate solution. “We want to be able to control what comes on the network,” says ARGI’s Baker. “We haven’t had any major incidents, but it’s just a matter of time. It’s like playing Russian roulette.”