NAC at the Endpoint: Control Your Network Through Device Compliance

By: Sophos
Published: May 23, 2008
Length: 7 pages
Type: White Paper

Overview:

Protecting IT networks used to be a straightforward case of encircling computers and servers with a firewall and ensuring that all traffic passed through just one gateway. However, the increase in mobile workers, numbers and type of device and the amount of non-employees requiring network access, has led to a dissolving of that network perimeter. Access requests can come from anyone and anywhere, which is why organizations are turning to network access control (NAC) technologies.

This paper discusses why NAC is important and how it should be implemented on the endpoint for maximum protection.

Related categories: Access Control, Compliance, Network Security Appliance, Policy Based Management, Security Policies

As a result, NAC will become more central to corporate network defenses as it allows organizations to:
- Identify who is requesting network access
- Assess whether the user’s computer has the correct security requirements
- Grant or refuse a request, or quarantine a computer until it complies with security requirements
- Ensure that users reach only the part of the network that their role or task requires.

Where to optimize control
The move away from the castle and moat approach has seen security vendors react with a range of hardware appliances and software solutions that address the problem of where access control should be deployed. There are currently three deployment choices:
- In the data path
- On the network
- At the endpoint.
The first option, in the data path, is called in-line enforcement: a NAC appliance is placed directly between the endpoint and the network, so no data can pass between the two without first being routed through the appliance. Although everything the endpoint sends is inspected, in-line enforcement has drawbacks.
Firstly, in order to provide comprehensive protection, NAC must reside at each physical location – such as every network entry point – which is costly as it requires additional hardware integration. Secondly, because it sits in the data path, in-line NAC appliances also add to data processing times, which lowers available bandwidth levels and reduces network speeds.
The second option, on the network, uses appliances that work "out-of-band": they do not sit in the data path but on the sidelines, watching traffic as it passes by. They are called "post-connect" NAC appliances because they only inspect packets after the endpoint has already connected to the network and begun sending traffic. These appliances typically look for abnormal behavior patterns in the traffic a computer sends in order to decide whether it is infected. Again this requires substantial investment in additional hardware, since appliances must be installed throughout the network.
The third option, and the most effective, is to integrate NAC at the endpoint itself, so that the computer is automatically assessed before and during any connection to the network, at any time of the day or night. Importantly, this lets an organization confirm that an individual endpoint complies with its security requirements before it joins the network, rather than discovering a non-compliant machine only after it has connected and potentially compromised the network.
NAC at this level is entirely software-based. It adds nothing to the data path, so it has no impact on network processing speeds, and it can be rolled out across an organization's existing complement of endpoint computers, plus any new devices as and when they are added to the network. The one condition is that the agent must actually be present and intact on the endpoint: a posture report is only as trustworthy as the software producing it, which is why the agent's state and policy are managed centrally rather than left to the user.
Endpoint NAC solutions are driven by centrally defined and managed security policies, which can cover every conceivable request and are easily updated. Updating in-line and out-of-band appliance policies is difficult, because the policies are fragmented across the network, with separate pieces of hardware (possibly from different vendors) each requiring its own. For example, a NAC appliance at the gateway would need a policy governing access for mobile workers, while one at a WLAN switch would need to cover office-based users. Any update to the organization's overall policy would have to be replicated at each point so that it stays consistent for employees who work both on the road and in the office. Updating multiple policies is time-consuming and leaves open the possibility that one point in the network is overlooked, which can create a security hole or block employees from performing their normal duties.
NAC policies can be as specific as an organization requires and are flexible enough to react to changing organizational requirements. New individuals, groups or roles can quickly be added to ensure continued operational efficiency, while verification requests for the latest security patches can also be included.
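The following is an added example, not code from the Sophos paper or any Sophos product. It shows, in Python, what an endpoint NAC agent driven by one central policy does with the four decisions listed earlier (identify the user, assess the endpoint, grant or quarantine or deny, and confine the user to the segment their role requires), including the patch-level and service checks this section describes. The policy format, every field name and the sample endpoints are assumptions made for the example.

```python
"""Added example (not from the Sophos paper): a policy-driven endpoint NAC
posture check. Policy format, field names and sample endpoints are assumed."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

# Centrally defined policy (constructed for this example). One policy serves
# office and mobile users alike, so a change here reaches every endpoint agent.
POLICY: dict = {
    "required_services": {"antivirus", "host_firewall"},
    "max_signature_age_days": 3,      # AV signatures older than this fail
    "max_patch_age_days": 14,         # last security patch older than this fails
    "require_disk_encryption": True,
    "allow_local_admin": False,       # local admin rights are treated as drift
    "role_segments": {"finance": "vlan-finance", "engineering": "vlan-eng",
                      "guest": "vlan-guest"},
    "quarantine_segment": "vlan-remediation",
}


@dataclass
class Posture:
    """What the endpoint agent reports before (and during) a connection."""
    user: str
    role: str
    running_services: Set[str]
    signature_date: date
    last_patch_date: date
    disk_encrypted: bool
    local_admin: bool = False


@dataclass
class Decision:
    action: str                       # "grant", "quarantine" or "deny"
    segment: Optional[str]            # network segment the endpoint lands in
    reasons: List[str] = field(default_factory=list)


def assess(posture: Posture, policy: dict, today: date) -> List[str]:
    """Return every policy check the endpoint fails (empty list = compliant)."""
    failures = []
    missing = policy["required_services"] - posture.running_services
    if missing:
        failures.append("missing services: " + ", ".join(sorted(missing)))
    if (today - posture.signature_date).days > policy["max_signature_age_days"]:
        failures.append("antivirus signatures out of date")
    if (today - posture.last_patch_date).days > policy["max_patch_age_days"]:
        failures.append("security patches out of date")
    if policy["require_disk_encryption"] and not posture.disk_encrypted:
        failures.append("disk not encrypted")
    if posture.local_admin and not policy["allow_local_admin"]:
        failures.append("user holds local administration rights")
    return failures


def decide(posture: Posture, policy: dict, today: date) -> Decision:
    """Identify, assess, then grant / quarantine / deny."""
    segment = policy["role_segments"].get(posture.role)
    if segment is None:
        # An identity we cannot map to a role gets no network at all.
        return Decision("deny", None, ["unknown role: " + posture.role])
    failures = assess(posture, policy, today)
    if failures:
        # Non-compliant machines go to a remediation segment, not the LAN.
        return Decision("quarantine", policy["quarantine_segment"], failures)
    # Compliant: admitted, but only to the segment the role requires.
    return Decision("grant", segment)


if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed "now" for the sample run
    samples = [
        Posture("alice", "finance", {"antivirus", "host_firewall"},
                date(2024, 5, 31), date(2024, 5, 25), True),
        Posture("bob", "engineering", {"antivirus"},
                date(2024, 5, 20), date(2024, 5, 25), True, local_admin=True),
        Posture("carol", "contractor", {"antivirus", "host_firewall"},
                date(2024, 5, 31), date(2024, 5, 31), True),
    ]
    for p in samples:
        d = decide(p, POLICY, today)
        print(f"{p.user:6} {d.action:10} {d.segment or '-':16} "
              f"{'; '.join(d.reasons)}")
```

In practice the agent calls `decide` again at intervals while the session is up, which is what "assessed before and during any connection" amounts to: a machine whose antivirus is stopped mid-session drops back to the remediation segment. Because the whole policy lives in one structure, adding a role or tightening the patch window is a single edit that applies to road and office users alike, rather than one change per appliance.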
Placing NAC at the heart of their endpoint defenses allows IT administrators to control what many consider their greatest threat to network security: their own employees.
An unintended consequence of providing employees with company-issued endpoint devices is configuration drift. Many organizations grant individual users administration rights over their device as a way of easing helpdesk enquiries and providing workers with a level of flexibility.
