Contents
Editorial
Guest contributor
Hot topics
Business cases
Experts voice
Solutions
At a glance
Quick poll
Events
PDF version
 

Subscribe to
Bull Direct:


 

Archives
n°25  |  April   2008
Experts voice

NAC (Network Admission Control), the new Eldorado for access control?
By Dominique Castan, IT Security Consultant, in the Consulting and Audit team at the Networks and Security Division, Bull Services France

Dominique Castan has more than 15 years experience in the area of IT security. He was security product manager at Evidian, where he developed the Identity and Access Management (IAM) (AccessMaster) & Single Sign-On (WiseGuard) offerings. In addition to his role in developing these offerings, Dominique has contributed to many pre-sales and consultancy projects in identity and access management, PKI and workflow authorization with major customers in France and internationally. In 2007, he joined Bull’s IT Networks Security Consulting and Audit specialist team as a consultant. Dominique undertakes information system security consultancy and audit assignments, particularly those involving risk analysis, and provides assistance to contracting authorities when it comes to organizing the security aspects of information systems.

 

Threats come from both outside and inside... and the latter are extremely costly to resolve

One of the most prevalent methods used nowadays to penetrate a company’s network is to target workstations located on the edge of the network. For example, workstations used by mobile users are prime targets for hackers. According to Kaspersky Lab, during the first half of 2007, more than 2,000 new malevolent programs appeared every month on average, and by-passed even the most advanced protection systems.

But the most significant risks come from inside the network, and are the work of employees or subcontractors. According to the Computer Security Institute (CSI), the average cost of an internal network attack is some $2.7 million, compared with $57,000 for a break-in from the outside. It is on the inside of the company network that sensitive data is most easily accessible. Indeed, those linked into the internal network are best placed to assess the value of data, and also to exploit the data should they manage to obtain access to it.

NAC: a solution that limits the risk of attack

Beyond anti-virus or intrusion detection (IDS/IPS) type technologies, businesses are now expressing interest in solutions that link the security status of various access points, user identities, and conditions for accessing the network.

In this context, a product integrating a NAC function is well-suited to limiting the risk of attacks, as it fulfils the following functions:

  • Identifying the point of entry for the workstation in question (internal network, VPN access, subsidiary, partner)
  • Correctly authenticating both the workstation and its user
  • Updating the workstation to comply with the current security policy (anti-virus signatures, pack and Wired Operating System services, etc.)
  • Providing access to part or all of the network in accordance with a particular security profile
  • Guaranteeing secure access for workstations that are not subject to internal controls (guest users and partners)
  • Monitoring access events with detailed reporting in a format useable by dashboards.

A rapidly expanding market

According to industry analysts IDC, the market for NAC is growing rapidly. It was valued at $526 million in 2006, and is predicted to increase to $3.2 billion by the end of 2008. Within this market, appliances will take the lion’s share, with net sales increasing by a factor of 8.5 over this period.

A market that remains divided

Inspired by these predictions of strong growth, many publishers and hardware manufacturers are rushing into the NAC market. Most present themselves as suppliers of a comprehensive solution or of a major component of NAC. However, four types of offerings are currently available on the market:

  • Offerings that concentrate on the network ‘pre-admission’ procedure, geared to analyzing the workstation profile and status. Before admitting a workstation onto the network, these solutions enable the detection and verification of that PC’s conformity and its vulnerabilities. They verify that the user is fully recognized, that their workstation belongs to the company that their anti-virus signatures are up to date, that the registry keys conform, etc. The best known among these types of offerings are Symantec (Network Access Control), LockDown (Network Enforcer) and Sophos (NAC Advanced),
  • Offerings that aim to take advantage of the network itself and the filtering capabilities of routers and switches: usually provided by network equipment suppliers. They offer the resources needed to reorganize security at the edges of the enterprise network, and to put in place a control system on the inside of the network itself. To do this, they prioritize a policy of access to resources that is dynamically configurable in accordance with profiles, level of security on the workstation, and means used to access the network. The most popular of these are Cisco (CNAC Appliance), Juniper (UAC Infranet) and Enterasys (Sentinel NAC),
  • Others prioritize the security policy, and not network topology when it comes to defining the network perimeter and sub-division. The offering is presented in this instance as a protective layer for the network that establishes the ‘health’ of would-be entrants to the network. This is the case of Microsoft and its NAP (Network Access Protection) solution, recently launched on the market. This offering is not yet fully available, as it requires Longhorn Server , which should be announced between now and June 2008. Microsoft’s strategy is to sign partnership agreements with anti-virus and network equipment vendors, and then offer a security policy administration solution and a security profile control for Vista and XP stations,
  • Open Source solutions are usually oriented towards network administration. They tend to be sets of components offering with rather limited coverage. And they are reserved more for integrators wishing to respond to clearly targeted needs such as, for example, providing security for a server network, or controlling integrity on a series of files on different systems. The most popular are the FreeNAC and Open Source Tripwire solutions.

An attempt to standardize

The TCG (Trusted Computing Group) consortium along with TNC (Trusted Network Connect) is pushing for interoperability between different vendors based around the 802.1x authentication protocol (level 2 for switches and appliances), as well as interoperability for their various components. The leading names in this area are, most notably, Juniper (UAC Infranet), Nortel (Secure Network Access), HP (Procurve) and StillSecure (Safe Access).

Security services provided by NAC

An NAC product offers the following security services:

  • Centralized administration of security policies (different access rules for different user roles, dashboards, etc)
  • Detection of workstation connections or server connections on the edge of or within the network
  • Level 2 authentication of users and workstations (link layer) or authentication at level 3 (network layer) of the OSI model
  • Analysis of workstation posture (anti-virus signatures, OS fix levels, registry key values, firewall configurations, etc)
  • Assigning quarantine and repair status (remediation) to workstations that do not conform
  • Dynamic provisioning for rules controlling access to firewalls, appliances and network switches
  • Network access control in accordance with rules, enabling network ports to be blocked or assigned to quarantine or production VLANs
  • Audit of the activities relating of components connecting to the different networks, conformities and vulnerabilities of access points.

NAC components: End-Point , Decision-Point and Enforcement-Point

The End-Point comprises an NAC agent, an Applet or an ActiveX Control . This is a client that installs or downloads onto the workstation. It is non-intrusive, and carries out checks on the security profile and vulnerabilities of the user’s workstation.

The Decision-Point comprises an administration appliance which also serves as a relay to an authentication server (Radius, Active Directory, or other directories). This appliance enables administration of security policies, and the control of a security profile and vulnerabilities, the authentication of workstations and users, and decisions to be taken regarding access. Optionally, it can be associated with third-party anti-virus servers. The Decision-Point propagates access decisions to peripheral installations, or to installations on the inside of the network.

The Enforcement-Point comprises an appliance or switch, enabling decisions made about granting access to be acted upon. This type of appliance is generally on the inside of the network ( In-Band mode) and the switches are normally on the periphery ( Out-Of-Band mode).

NAC from the user’s point of view

The diagram below shows an example of the way access from the user’s workstation to applications on the Intranet can be controlled in accordance with the security policies in use.

NAC from the user point of view

When the user tries to connect to the wired or Wireless (1) network", access is intercepted by a switch on the network edge. An appliance , the Enforcement-Point , redirects the user towards a ‘login’ page at which point they must supply their user-name and password. The Enforcement-Point then transmits the user-name/password pair to the Decision-Point appliance. The latter checks the user-name and password on a third-party authentication server (Radius or LDAP).

As soon as the authentication has been validated, the Decision-Point returns both user profile and security protocol to be executed to the Enforcement-Point . The final procedures for checking the workstation and assessing its vulnerabilities (2) are completed by the End-Point ’s NAC agent.

If the workstation does not conform to the security policy (3a), it is isolated in a quarantine zone. The user’s access is then restricted to the Remediation server that will distribute the anti-virus signature updates or OS upgrades.

Once the Remediation has been successfully carried out, depending on the user’s security profile, the Enforcement-Point (3b) allows the workstation to access a production VLAN, a ‘user’ VLAN dedicated to the company’s partners or a ‘guest’ VLAN, all designed to handle users external to the organization.

Examples of ‘nomad’, ‘workstation’ and ‘guest portal’ NAC projects:

Deployments on precise and well-controlled perimeters are now becoming available. ‘Nomad’ PC projects are often deployed in the first instance. Indeed, they have less impact on operation. This involves protecting remote access operations based on VPN SSL or IPSec type links. We should note here that the NAC is dedicated to securing the enterprise network from unauthorized access, and to protect communications. Complementary solutions are recommended to provide protection for the mobile workstation itself: personal anti-virus solutions and firewalls, strong authentication, encryption of hard disk data, etc.

‘Workstation’ projects of the LAN wireless type", that are more central to the enterprise network, are more complex to deploy. Often, operating procedures will have to be revised, and this can mean having to go through a preliminary phase. These projects focus on access to production VLANs, wireless campuses and centralized resources accessible from enterprise sub-sites.

Web ‘portal’ projects for guest and external partner access are also in great demand. They enable secure creation of guest accounts. Once the general rules of utilization have been accepted, these portals provide restricted access.

The advantages of NAC

NAC enables you to:

  • Control who has access to what in a granular way
  • Adapt your security policy depending on access location, whether workstations are controlled (employees) or un-controlled ones (used by sub-contractors, guests...), and the authentication methods deployed
  • Carry out detailed audits, to produce reports and alerts. These are then used to monitor systems running at the network’s extremities, and access points to different sub-systems in internal networks
  • Reduce network security deployment costs by offering centralized administration. To simplify administrative tasks, the NAC’s security policy draws on user roles and authorizations that have already been defined in the organization’s identity directories
  • Offer transparency as far as users are concerned, as the solution is integrated into a Windows login or Single Sign-On (SSO) solution
  • Automatically update workstations (with signatures, OS patches, registry keys, etc.)
  • Update decisions about access to the hardware it is compatible with, such as firewalls and edge switches.

Weak points that remain limiting factors for its deployment

NAC’s main weakness stems from a lack of clear standards. An NAC project may, indeed, require a network infrastructure update, because interoperability between different components is still limited.

But the possibility exists nonetheless. Customers with heterogeneous components at the network edge may decide to put solutions based on TNG standardization at the top of their wish-lists. But for the most part, it will be the chosen solution for new sites, or when completely overhauling the switching infrastructure, for instance, when deploying VoIP.

NAC can also be a costly solution when it comes to applying and adapting it to different needs across an entire enterprise network. A staged implementation or roll-out on a project-by-project basis usually preferable.

Conclusion

Organizations have very tangible expectations. NAC is a relevant way to implement secured IP networks. Combining the security of access points, user identities and network access conditions, this technology offers an innovative and powerful way to identify potential attacks to an enterprise network, and prevent that risk.

NAC offerings on the market are evolving rapidly, driven by the requirements of VPN, wireless and VoIP access control. The proliferation of ‘nomad’ devices, the multiplication of information system ‘clients’ and the development of IP-based telephony are making increasingly heavy demands, both on the network perimeter and the core of the network. Offering as it does coherent resources to combat threats to security, a capacity to react rapidly to alerts while lightening administrative tasks, NAC is certainly worth considering as a means to improving enterprise network security.

Glossary

802.1X

Security protocol for authenticating a user accessing a network via an authentication server. This protocol conforms to the RF C3560 implementation standard.

Appliance

Device which, once connected, enables immediate operational status once connected

Switch

Network component enabling the linking of the various network entities making up the physical network.

In-Band

NAC operating mode used to apply access control within the network.

IAM (Identity and Access Management)

The sum of the policies, processes, procedures and applications an enterprise might use to manage identity and access to their networks.

PKI (Public Key Infrastructure)

A series of software servers for generating, verifying, and validating keys, cryptographic devices (HSM), smartcards and procedures with a view to managing e-certification life cycles.

IP (Internet Protocol)

Protocol for sending data packets across networks. The IP’s role is to select the optimum route for each packet of data as it traverses the network.

IPSec (Internet Protocol Security)

Series of layer 3 OSI type protocols using algorithms enabling the transport of secured data on an IP network.

LDAP (Lightweight Directory Access Protocol)

Protocol enabling the interrogation and modification of TCP/IP based directory services. It includes a data model, a naming model and a security model.

NAC (Network Admission Control)

Proprietary Cisco technology for controlling access to workstations and enterprise network servers in accordance with a given security policy.

NAP (Network Access Protocol)

Proprietary Microsoft technology for controlling access to workstations and enterprise network servers in accordance with a given security policy.

Out-of-Band

NAC operating mode for applying a network edge access control.

OSI (Open System Interconnection)

A networking model developed by the international standards authority for handling exchanges between open systems comprising seven layers.

Quarantine

Zone expressly designated for the isolation within one segment of an enterprise’s local network of all workstations not conforming to the security policy in force.

RADIUS (Remote Authentication Dial-In User Service)

Protocol enabling an authentication to be effected.

Remediation

Server dedicated to updating workstations so they remain compliant with the latest security policy.

SSL (Secure Sockets Layer)

Security protocol for Internet exchanges.

SSO (Single Sign-On)

A one-off authentication method enabling a user to access several applications with just one authentication procedure.

TNC (Trusted Network Connect)

A TNG workgroup aiming to standardize network access control architectures to enable the interoperability of components produced by the main market manufacturers.

TNG (Trusted Network Group)

Consortium within the TNC workgroup that designs interoperability specifications for network access control.

VLAN

Virtual local network enabling logical partitioning within a local network in order to secure it.

VoIP

Technique enabling vocal communication via an IP network.

IPSEC VPN

Secure virtual private network for linking nomad users. It is secured by the IPSEC client/server type Web access.

SSL VPN

Secure virtual private network for linking nomad users. It is secured by the SSL Web access protocol.

Wireless

Wireless network technology for connecting to an internal company network.

Authorization workflow

Series of applications servers for generating and validating user requests with a view to managing the life cycle of access rights to information system resources.

 

SEND TO A FRIEND
Contact  |  Site map  |  Legal  |  Privacy