Overview
Having an enterprise-level strategy for security compliance and access control is essential to protecting the organization from possible threats. The core infrastructure and network-based resources must be protected using multiple safeguards at multiple access points throughout the enterprise. Well-integrated, multilayered security systems are the best methods for controlling threats to those resources.
Network access control (NAC) solutions enable organizations to reduce vulnerabilities by defining and managing security policies, and introducing assessment capabilities and enforcement methods to control access to the network. The best NAC solutions permit regulated access for known and secure/compliant users while also disabling or controlling the use of high-risk applications on those users’ computers. Additionally, leading NAC solutions can be configured to prevent or quarantine access by unauthorized or unknown computers.
Although most users have no malicious intent, unauthorized computers pose a significant security risk to organizations.
A key requirement of a complete NAC solution is therefore to identify and block such rogue computers, including those whose user is deliberately bypassing the standard network connection method and may be malicious.
How NAC handles rogue computers
NAC solutions permit access to authorized computers by evaluating and enforcing the computers’ security state based on whether they comply with the organization’s security policy.
Endpoint computers are permitted access to network resources when they conform to policy, and are denied access or quarantined when they do not. These functions are performed most effectively by combining network-based enforcement points (DHCP, 802.1X, wireless LAN controllers, SSL or IPsec VPN gateways) with client-based enforcement by an agent on the endpoint itself.
Effective enterprise NAC solutions rely on the ability of the network to positively enforce compliance and affirmatively block or quarantine access to unauthorized computers, i.e. those that are either non-compliant or unknown. In most cases, the network or client software provides the necessary enforcement and quarantine mechanisms. However, there are scenarios where certain network-based enforcement mechanisms cannot fully enforce compliance, and where no client is present that can provide client-based enforcement.
Where there is no network enforcement
The clearest scenario in which network-based enforcement falls short of 100% coverage is a DHCP-enforced network in which an endpoint uses a locally configured, static IP address and has no quarantine agent installed. DHCP enforcement works by controlling the address and route information a client is given when it asks for a lease; a host that never asks for a lease is never assessed and never quarantined. An enterprise can use DHCP to hand out both dynamic addresses and fixed reservations, but this case concerns clients that do not use DHCP to obtain an address at all.
In this instance the risk comes from a knowledgeable user deliberately evading enforcement to reach network resources. Unauthorized computers attempting to connect are a small fraction of overall network use, but because of the way they connect and their unknown intent, administrators need to be alerted to them and be able to mitigate the risk. The damage to a network from just one rogue computer could be immense.
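The alert the paragraph above asks for can be produced by reconciling what the DHCP server has leased against what the network actually sees: a host that holds an address in the DHCP-enforced range with no active lease, or with a MAC address that does not match its lease, is exactly the statically addressed endpoint that DHCP enforcement cannot reach. The following is an added example, not code from the original paper or from any NAC product; it parses a constructed ISC dhcpd.leases fragment and constructed `ip neigh show` output from the gateway (addresses, MACs and hostnames are invented), and the helper names and the `known_infrastructure` allow-list are assumptions for illustration.

```python
"""Flag hosts in a DHCP-enforced range whose presence no active lease explains.
Added example; all inputs below are constructed samples, not real data."""
from dataclasses import dataclass
import ipaddress
import re

# Constructed sample in ISC dhcpd.leases syntax (not real data).
SAMPLE_LEASES = """\
lease 10.20.1.15 {
  starts 4 2024/03/14 09:12:01;
  ends 4 2024/03/14 21:12:01;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop-ann";
}
lease 10.20.1.16 {
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
lease 10.20.1.17 {
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
}
"""

# Constructed sample of `ip neigh show` output on the gateway (not real data).
SAMPLE_NEIGH = """\
10.20.1.15 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.20.1.16 dev eth0 lladdr 00:11:22:33:44:66 STALE
10.20.1.17 dev eth0 lladdr 00:11:22:33:44:88 REACHABLE
10.20.1.200 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
10.20.1.1 dev eth0 lladdr 00:aa:bb:cc:dd:01 PERMANENT
10.20.1.50 dev eth0 FAILED
192.168.50.9 dev eth1 lladdr 00:11:22:33:44:aa REACHABLE
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware\s+ethernet\s+([0-9a-fA-F:]+)\s*;")
STATE_RE = re.compile(r"binding\s+state\s+(\w+)\s*;")
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-fA-F:]+)\s+\S+")


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    reason: str


def parse_leases(text):
    """Map IP -> (mac, state). dhcpd appends to the file, so a later block
    for the same IP supersedes an earlier one; dict overwrite gives that."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        mac = MAC_RE.search(body)
        if mac is None:
            continue  # a lease with no hardware address cannot be matched to a host
        state = STATE_RE.search(body)
        # Older lease files carry no binding state; treat those as active.
        leases[ip] = (mac.group(1).lower(), state.group(1) if state else "active")
    return leases


def parse_neighbours(text):
    """Yield (ip, mac) for resolved entries. FAILED/INCOMPLETE lines have no
    lladdr, so the regex does not match them and they are skipped."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2).lower()


def find_rogue_hosts(leases_text, neigh_text, scope, known_infrastructure=frozenset()):
    """Return findings for hosts inside `scope` (the DHCP-enforced range) that
    are on the network without an active, MAC-matching lease."""
    net = ipaddress.ip_network(scope)
    leases = parse_leases(leases_text)
    findings = []
    for ip, mac in parse_neighbours(neigh_text):
        if ipaddress.ip_address(ip) not in net or ip in known_infrastructure:
            continue  # outside the enforced range, or a static device we expect (gateway, servers)
        lease = leases.get(ip)
        if lease is None:
            findings.append(Finding(ip, mac, "no lease"))          # the static-IP rogue
        elif lease[1] != "active":
            findings.append(Finding(ip, mac, "lease not active"))  # still using a released address
        elif lease[0] != mac:
            findings.append(Finding(ip, mac, "mac mismatch"))      # address in use by another interface
    return sorted(findings, key=lambda f: ipaddress.ip_address(f.ip))


if __name__ == "__main__":
    for f in find_rogue_hosts(SAMPLE_LEASES, SAMPLE_NEIGH, "10.20.1.0/24", {"10.20.1.1"}):
        print(f"{f.ip:<12} {f.mac}  {f.reason}")
```

On the constructed input this reports 10.20.1.16 (lease released but the host is still using the address), 10.20.1.17 (a different MAC than the lease holder) and 10.20.1.200 (no lease at all, the case the paper describes). Two caveats a practitioner should keep in mind: the neighbour table only contains hosts that have exchanged traffic with the gateway's segment, so a rogue that talks only to peers on its own VLAN will not appear unless switch MAC tables are consulted as well, and a determined attacker can clone a leased MAC, so this check raises the alert the text calls for but is not an enforcement mechanism in itself.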
Fitting NAC into a typical environment
Once an organization has identified the need for a NAC solution, and implemented and rolled it out to all or part of its end users, additional requirements become apparent, such as protecting against unauthorized computers connecting to the network. A complete NAC solution must do the following:
Integrate with existing network configurations with minimal impact and cost of upheaval.
Provide comprehensive support for the organization’s security strategies and have the ability to create and manage policies that support those strategies.
Remain flexible enough to meet new strategies as they inevitably arise.
Offer capabilities beyond standard network-based enforcement, and identify and provide protection against all classes of computers trying to access the network, both known and unknown.
While 802.1X can provide robust enforcement, many network switches in use today do not support it, and organizations are averse to the disruption and cost of upgrading. Furthermore, 802.1X must cover the whole user base: any port or segment without enforcement remains a way in. Most organizations today want to get the best from their existing enforcement mechanism, which in most cases is DHCP, and the biggest gap in that mechanism is a rogue computer using a static IP address to access the network.