
Achieving NAC Now and in the Future: The Role of SSL VPNs

Aventail
By : Aventail
INFORMATION
Published : Jun 21, 2006
Length : 6
Type : White Paper
 
Overview :

NAC is a multifaceted framework to thoroughly control who and what gets access to network resources, and help keep malware from entering the enterprise. Today, there are huge challenges to implementing as-yet immature NAC solutions on an enterprise-wide basis, including convoluted integration requirements, inadequate inspection capabilities, and weak policy management.

In contrast, by virtue of their in-depth access control and host integrity checking capabilities, today's SSL VPNs (the actual progenitors of the NAC concept and technology) provide an efficient and effective dose of NAC where it is needed most and with far fewer complications. Furthermore, it is expected that today's SSL VPN technology will remain a valid component of future enterprise-wide NAC implementations, as well as play an instrumental role in the eventual maturation of NAC.

To learn more, download "Achieving NAC Now and in the Future: The Role of SSL VPNs" by network security expert Mark Bouchard, compliments of Aventail.

Related Categories: Access Control, SSL, Security, Security Management, VPN

 

NAC Solutions:

It goes by many names: network admission control, network access protection, network access control, trusted network connection, unified access control, total access protection, and endpoint admission control... just to name a few. It is one of the hottest items in information security today, and for the purposes of this paper, we will simply call it NAC.

NAC is a multifaceted solution typically requiring the coordination of a wide variety of pre-existing networking gear and additional NAC-specific components. Its purpose is to thoroughly control who and what gets access to networked resources, and it is hot because, in fulfilling this objective, it also addresses one of the greatest security issues plaguing organizations over the past several years. Specifically, NAC solutions assist with the very real problem of keeping malware from entering the enterprise, and not just at Internet and WAN boundaries, but at local points of connection as well (i.e., within the LAN).

Unfortunately, equally real are the challenges that will inevitably arise when attempting to implement as-yet-immature Network Access Control solutions on an enterprise-wide basis. Gaps in coverage, convoluted integration requirements, inadequate inspection capabilities, and weak policy management are just a handful of the more significant issues that will confront organizations which are eager to "NAC-ify" their networks sooner rather than later.

In contrast, by virtue of their in-depth access control capabilities, SSL VPNs (the actual progenitors of the NAC solution concept and technology) provide an efficient and effective dose of Network Access Control where it is needed most and with far fewer complications. Essentially, they offer organizations the opportunity to ease their way into broader and more complex NAC initiatives. Furthermore, it is expected that today's SSL VPN technology will remain a valid component of future enterprise-wide NAC implementations, if not also play an instrumental role in NAC's eventual maturation.

NAC Solution: The Promise

In general, NAC is a security mechanism that involves having access to a network be conditional to the outcome of an audit of the security characteristics and other configuration settings of the involved client device (e.g., desktop, laptop, PDA).

The primary benefit of this approach is the ability to stop viruses, worms, and other types of malware from entering enterprise networks by controlling the degree of access granted to potentially compromised machines. For example, a laptop found to be lacking an important patch and not running updated anti-virus software could be denied access to the corporate LAN. Alternately, it could still be granted access, but only to a quarantine zone that provides minimal services, such as access to the Internet or other resources that can be used to remedy its deficiencies.

In addition, NAC solutions can also help with malware containment and compliance-motivated adherence to the principle of least privilege. This is by virtue of the ability to control/minimize allowable destinations once a machine has been cleared for access, and typically involves also accounting for the user's identity.

From an architectural perspective, it is helpful to understand that realizing the benefits of NAC solutions depends on anywhere from two to potentially dozens of components working together to support three main functions: client audit/inspection, policy derivation, and policy enforcement.

Client Audit/Inspection entails establishing the identity/ownership and state of the user's computing device, particularly in terms of security-related configuration details (e.g., presence of critical patches, anti-virus software, and personal firewall). Common approaches include use of: pre-deployed, persistent NAC agents; dynamically downloaded, ephemeral (or persistent) NAC solution agents; integration between NAC agents and other client-based software (e.g., anti-virus, personal firewall); and remote scanning techniques, which use no agents at all.
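
The three functions named above (client audit/inspection, policy derivation, policy enforcement), together with the deny and quarantine outcomes described earlier, can be sketched as follows. This is an added example, not code from the white paper or from any Aventail product; the patch ids, roles, destination names and the 7-day signature threshold are assumptions.

```python
from dataclasses import dataclass

# Constructed sample policy: patch ids, roles and destination names are assumptions.
REQUIRED_PATCHES = {"PATCH-A", "PATCH-B"}
MAX_AV_SIGNATURE_AGE_DAYS = 7
QUARANTINE_DESTINATIONS = frozenset({"internet", "remediation-server"})
ROLE_DESTINATIONS = {
    "finance": frozenset({"erp", "mail"}),
    "engineering": frozenset({"source-control", "mail"}),
}

@dataclass
class AuditReport:
    """Output of the client audit/inspection step (from an agent or a remote scan)."""
    user_role: str
    installed_patches: set
    av_running: bool
    av_signature_age_days: int
    firewall_enabled: bool

def audit_findings(report):
    """List the posture deficiencies in a report; an empty list means compliant."""
    findings = []
    missing = REQUIRED_PATCHES - report.installed_patches
    if missing:
        findings.append("missing patches: " + ", ".join(sorted(missing)))
    if not report.av_running:
        findings.append("anti-virus not running")
    elif report.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        findings.append("anti-virus signatures out of date")
    if not report.firewall_enabled:
        findings.append("personal firewall disabled")
    return findings

def derive_policy(report):
    """Policy derivation: return (zone, allowed_destinations, findings)."""
    findings = audit_findings(report)
    role_destinations = ROLE_DESTINATIONS.get(report.user_role)
    if role_destinations is None:
        # Unknown identity fails closed, whatever the device posture.
        return "deny", frozenset(), findings + ["unknown role"]
    if findings:
        # Deficient device: only resources needed for remediation are reachable.
        return "quarantine", QUARANTINE_DESTINATIONS, findings
    # Compliant device: least privilege, limited to the role's destinations.
    return "allow", role_destinations, findings

def enforce(report, destination):
    """Policy enforcement: permit a connection only to a derived destination."""
    return destination in derive_policy(report)[1]
```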
