NAC 2.0: A New Model for a More Secure Future

Sophos
By : Sophos
INFORMATION
Published : Jul 03, 2008
Length : 7
Type : White Paper
Overview:

As organizations turn to network access control (NAC) technologies to protect their networks and data, the flaws of earlier versions of NAC are becoming apparent. New pressures from a constantly changing threat environment and an increasingly mobile workforce require a new NAC model that will offer more finely controlled network access, an increased agility of response, and a better focus on network, desktop, and security operations.

This paper looks at where NAC 1.0 went wrong and describes how the new perspective of NAC 2.0 will allow organizations the flexibility of control to ensure effective endpoint and network governance.

Organizations are increasingly turning to network access control technologies to provide better protection for their networks and data. However, many of the first generation “NAC 1.0” solutions were based on an inherently flawed model that failed to respect the expertise and ownership of different groups in the organization. NAC 1.0 was also unable to react quickly enough to protect against rapidly evolving threats or to support the needs of an increasingly mobile workforce.
NAC 1.0 – fundamentally disconnected

NAC 1.0 suffered a disconnect in perceived ownership, with a struggle for control between the two key teams, who brought two distinctive perspectives:
The network team’s perspective – guest access. The network team interpreted “network access control” as meaning a way to control or block unauthorized access to the network.
The desktop team’s perspective – managed endpoint computers. The desktop team saw “network access control” as meaning a way to control or ensure the security and productivity of users’ computers.

NAC 1.0 – focusing on blocking guests

Guest access was an easy target for many early NAC 1.0 products, with access generally seen as a luxury rather than a business necessity, and often needed only in specific locations such as conference rooms. In addition, guests often do not have a formal relationship with the business and are not part of any of the organization’s identity management systems such as Microsoft Active Directory. It was fairly simple for many point-solution appliances to provide a mechanism to block guests’ computers until they could be made compliant with the organization’s security policies. However, this NAC 1.0 focus on meeting the network team’s goal of controlling guest access missed a far greater problem in terms of an organization’s security, namely the much greater likelihood of devastating data loss from a misconfigured managed endpoint computer. With a few exceptions, such as higher education, the sheer number of managed endpoint computers means they present a much greater threat surface, making them in reality a much greater risk.
First-generation NAC solutions failed to recognize that the threat environment is constantly changing, with new threats and vulnerabilities appearing every day. Anti-malware vendors release a steady stream of updates to detect and clean new threats. Operating systems and applications vendors issue security patches on a daily basis.
Many NAC products could not easily be updated to allow for the latest updates. When an antimalware vendor released a new update or a new version, the administrator often had to update the assessment rules manually. With new operating system patches, administrators typically had to enter a new, complex set of registry entries corresponding to each new patch for each operating system – if the NAC tools supported patch assessment at all. The large effort required to keep rules up to date meant that NAC assessment tools lagged far behind the real dangers facing organizations.
Some early NAC products were based on Intrusion Prevention Systems (IPS) that looked for anomalous network behavior. These were useful when threats often consisted of worms with identifiable network signatures. Today’s threats are frequently invisible to behavior-based IPS, because they produce no identifiable network anomaly.
Some NAC vendors chose to deliver their solutions as network appliances. This was a choice made for their own convenience, not their customers’ needs. By delivering as an appliance, the vendors were able to limit their testing to a small set of predetermined platforms. This seeming convenience is deceptive. Networks often had to be redesigned to insert an appliance, funneling all traffic through a choke point and affecting performance and reliability. NAC appliances also lack deep assessment capabilities, good scalability, and the means to protect computers when they are not connected to the network.
Network vendors are typically interested in upgrading switching and routing gear to include the latest features. They do not have a good presence on the endpoint, and as a result attempts to control network access with network equipment alone were unsuccessful, as it offered weak assessment and little or no policy management. Network-based NAC ignored the issue of remote or roaming users, although ironically NAC has its roots in Host Integrity Checking for roaming users.