Evaluating network access control: NAC policy enforcement matters

By Linda Tucci, Senior News Writer
22 Jul 2009 | SearchCIO.com


Network access control (NAC) tools can provide greater control over the many stripes of users needing access to an organization's networks. CIOs considering NAC as part of their overall security strategy must identify the primary scenarios for NAC: guest networking, endpoint baselining, identity-aware networking, and monitoring and containment.

More NAC resources
Appliance-based network access control keeps university network secure
Network access control: A hybrid approach
For network access control, this shop chose Microsoft NAP; here's why
Network access control evaluation tips: NAC systems insights for CIOs

But just as important in selecting a product is the technical approach that your organization wants to take in enforcing NAC policy. Enforcing NAC may not be a top priority for many companies yet, but eventually you will want to be able to "throw the switch in case of an emergency," said Gartner Inc. analyst Lawrence Orans.

He enumerated four common technical approaches for enforcing NAC policy and rated them in terms of cost, complexity and adaptability:

  • Virtual LAN steering. This approach reassigns the endpoint's switch port from one VLAN to another. A noncompliant endpoint, for example, could be moved from the production VLAN to a quarantine VLAN or the guest network.
  • Dynamic Host Configuration Protocol (DHCP). Enforcement hands a noncompliant endpoint an IP address in a quarantine subnet rather than moving its port to a different VLAN, a subtle but important difference. The drawback: an endpoint can bypass the quarantine simply by configuring a static IP address in the production subnet, so DHCP enforcement only constrains devices that cooperate with DHCP.
  • In-line enforcement puts an intrusion prevention system or similar appliance directly in the traffic path (a "bump in the wire") to check the endpoint before it is allowed through. If the endpoint does not authenticate, every packet from that endpoint is dropped.
  • Address Resolution Protocol (ARP) modification is employed in some solutions that do not use an agent. An appliance on the network sends ARP replies that rewrite the endpoint's ARP table so that traffic meant for other hosts, typically the default gateway, is steered to the appliance, which then drops or redirects it. Because the technique depends on the endpoint honoring those ARP replies, static ARP entries on the endpoint or ARP inspection on the switch will defeat it.
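VLAN steering is most often implemented with 802.1X, where the RADIUS server's Access-Accept carries the VLAN the switch should apply to the port (RFC 3580 tunnel attributes, encoded per RFC 2868). The following is an added example, not code from the article or from any vendor named in it: it maps a posture result to a VLAN, builds the three RADIUS attributes a switch needs to "throw the switch," and parses them back the way the switch would. The VLAN numbers and the posture-to-VLAN policy are assumptions made up for illustration.

```python
"""Added example: RADIUS-assigned VLANs for NAC enforcement (RFC 3580/2868).
VLAN numbers and the posture policy below are hypothetical."""
import struct

# Assumed VLAN plan (hypothetical numbers).
PRODUCTION_VLAN = 100
GUEST_VLAN = 200
QUARANTINE_VLAN = 999

# RADIUS attribute types (RFC 2868) and enumerated values (RFC 3580).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def choose_vlan(posture: str) -> int:
    """Map a posture-assessment result to the VLAN for the port.
    Anything that is not explicitly compliant or guest is quarantined
    (fail closed), which is the behaviour you want for unknown devices."""
    if posture == "compliant":
        return PRODUCTION_VLAN
    if posture == "guest":
        return GUEST_VLAN
    return QUARANTINE_VLAN


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute-value pair: Type(1) Length(1) Value(Length-2)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_assignment_avps(vlan_id: int, tag: int = 0) -> bytes:
    """The three tunnel attributes an Access-Accept must carry to move the
    authenticated port into vlan_id. Tagged attributes carry a leading tag
    byte (0 = tag unused); Tunnel-Type and Tunnel-Medium-Type use a 3-byte
    integer after the tag, Tunnel-Private-Group-ID the VLAN id as text."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("invalid 802.1Q VLAN id")
    tag_byte = struct.pack("!B", tag)
    avps = encode_avp(TUNNEL_TYPE, tag_byte + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
    avps += encode_avp(TUNNEL_MEDIUM_TYPE, tag_byte + struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:])
    avps += encode_avp(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan_id).encode("ascii"))
    return avps


def decode_vlan(data: bytes):
    """What the switch does with the attributes: return the VLAN id to apply,
    or None if the triple is incomplete or is not an 802.1Q VLAN assignment."""
    attrs = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    ttype = attrs.get(TUNNEL_TYPE)
    tmedium = attrs.get(TUNNEL_MEDIUM_TYPE)
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if ttype is None or tmedium is None or group is None:
        return None
    if int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(tmedium[1:], "big") != TUNNEL_MEDIUM_IEEE_802:
        return None
    # RFC 2868: a leading byte above 0x1F is part of the string, not a tag.
    text = group[1:] if group and group[0] <= 0x1F else group
    try:
        return int(text.decode("ascii"))
    except ValueError:
        return None


if __name__ == "__main__":
    for posture in ("compliant", "guest", "noncompliant", "unknown"):
        avps = vlan_assignment_avps(choose_vlan(posture))
        print(f"{posture:13s} -> VLAN {decode_vlan(avps)}  {avps.hex()}")
```

The decode side matters as much as the encode side: if any one of the three attributes is missing or carries a different tunnel type, the switch falls back to the port's configured VLAN, which in practice is often production. A quarantine policy should therefore be tested end to end on the switch, not just by inspecting the RADIUS reply.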
Government NAC integrator uses VLANs, switch-blocking
Wesley Ward is an IT security engineer at American Systems Corp. The Chantilly, Va.-based company provides systems engineering to government and private customers, including the General Services Administration, Internal Revenue Service, branches of the U.S. military and the Department of Homeland Security. American Systems' NAC implementation needed to offer guest networking for business partners, as well as monitor devices before and after connection to the network and quarantine those that did not comply. The solution also had to be clientless.

American Systems uses VLAN assignment, virtual firewalls and switch-blocking for NAC enforcement. Ward said he also notifies users.

"We send the user an email that they are out of compliance and let them know why they have been moved from one VLAN to another, to get them to comply with corporate policy before getting access back to the production VLAN," Ward said.

American Systems went with Cupertino, Calif.-based ForeScout Technologies Inc., but Ward said most of the vendors the company looked at were able to do some kind of enforcement. "We wanted to be able to take various different actions for various violations, and ForeScout gave us the best flexibility in doing that," he said. -- L.T.

In-line enforcement is typically the most expensive of the bunch, Orans said. "Anytime you put a bump in the wire, it has to be high-performance, so it does not add latency to the network. It has to be transparent to users, and from a topology standpoint, you have to have it at all key points, so you are more likely to deploy more boxes than if you took an out-of-band approach."

On the other hand, in-line enforcement tends to be less complex to deploy than VLANs, he said, since appliances can be inserted in-line without making changes to the switches themselves.

VLANs are low-cost, but they can be complex to deploy because of the burden of managing multiple VLANs in large environments, Orans said. One or more VLANs may need to be added to every switch to enforce the NAC policy. "And you have to make sure that the endpoints that have been quarantined can get back from some remediation server, so that can be complicated," he said.

DHCP is also cheaper and less complex, but it's the least-secure NAC policy enforcement option, Orans said. Likewise, ARP modification is low in cost and complexity, but it isn't commonly deployed and does not support enforcement in Secure Sockets Layer virtual private network (VPN) environments.
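The reason DHCP enforcement ranks as least secure is that it only constrains endpoints that accept the address they are offered. The compensating control a practitioner would want is a periodic audit that compares the DHCP server's lease table with what the access layer actually sees (the switch's ARP or IP device-tracking table) and flags production addresses that no lease accounts for. The following is an added example, not code from the article or from any vendor it names; the subnets, MAC addresses and both tables are constructed for illustration.

```python
"""Added example: detecting endpoints that sidestep DHCP-based quarantine
by configuring a static address. All addresses and table rows are constructed."""
import ipaddress

# Assumed address plan (hypothetical).
PRODUCTION_NET = ipaddress.ip_network("10.10.0.0/16")
QUARANTINE_NET = ipaddress.ip_network("10.99.0.0/24")

# Constructed DHCP lease table: MAC -> address the server assigned.
LEASES = {
    "00:11:22:33:44:01": "10.10.5.17",   # compliant host, production lease
    "00:11:22:33:44:02": "10.99.0.23",   # noncompliant host, quarantined
    "00:11:22:33:44:03": "10.99.0.24",   # noncompliant host, quarantined
}

# Constructed view from the access layer (ARP / IP device tracking): (ip, mac).
OBSERVED = [
    ("10.10.5.17", "00:11:22:33:44:01"),
    ("10.99.0.23", "00:11:22:33:44:02"),
    ("10.10.7.200", "00:11:22:33:44:03"),  # ignored its quarantine lease, set a static IP
    ("10.10.9.9", "00:11:22:33:44:04"),    # never talked to DHCP at all
]


def audit(leases, observed):
    """Return (ip, mac, finding) for every on-wire host whose address is not
    the one DHCP gave it and that sits in the production range. A static
    address inside the quarantine range changes nothing and is ignored."""
    findings = []
    for ip_str, mac in observed:
        ip = ipaddress.ip_address(ip_str)
        leased = leases.get(mac)
        if leased == ip_str:
            continue                      # address came from DHCP: enforcement intact
        if ip not in PRODUCTION_NET:
            continue                      # not in the range we are protecting
        if leased is None:
            findings.append((ip_str, mac, "no lease: static IP, never saw DHCP"))
        elif ipaddress.ip_address(leased) in QUARANTINE_NET:
            findings.append((ip_str, mac,
                             f"quarantined to {leased} but using static production IP"))
        else:
            findings.append((ip_str, mac, f"lease {leased} does not match observed address"))
    return findings


if __name__ == "__main__":
    for ip, mac, why in audit(LEASES, OBSERVED):
        print(f"{ip:15s} {mac}  {why}")
```

A flagged host should be handed to a mechanism that does not depend on the endpoint's cooperation, such as steering its port to the quarantine VLAN or blocking the port outright; the audit itself only detects the bypass, it does not stop it.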

In terms of adaptability, all four approaches will allow you to put NAC in the LAN, but some are not good for wireless networks (VLANs) and others are not ideal for VPN-based approaches, where an in-line appliance excels.

Googling NAC: "You get really confused, really quickly"

"The key thing, before you go looking at the 20-some NAC vendors, is to think through the enforcement mechanisms that will be important to you and which will work in your environment," Orans said.

So, if DHCP seems to make a lot of sense, that would rule out market leader Cisco Systems Inc., Orans pointed out, because, not surprisingly, the network vendor believes the switch hardware itself should enforce NAC, and its NAC offering does not support DHCP enforcement. "If you're Microsoft and don't sell switches, then there is nothing wrong with using DHCP, a great approach for reassigning someone to a quarantine subnet," he said.

Indeed, as our companion piece on defining a usage case points out, NAC requires IT to do its homework before shopping.

"If you start by Googling NAC and talk to eight vendors, you get really confused, really quickly," Orans said. "Many of them have valid solutions but totally different approaches to NAC. Go in knowing what you want to do."
