Network Access Control Solutions:
Protecting the average corporate network from attacks is incredibly complicated (and expensive). By the mid 1990s, complex toolkits had been supplanted by pre-built firewall software packages and pre-built intrusion detection systems. As performance and usability requirements increased, software moved to hardware, and by 2000, the number of companies buying and deploying perimeter security skyrocketed. Features were integrated, costs came down, technologies improved, and today you can buy a top-of-the-line, stateful-inspection firewall at the local home electronics store. So has security technology innovation stopped? Are there no longer threats to your corporate network?
Year after year the CSI/FBI Computer Crime Survey shows that organizations experience about the same number of external attacks and internal attacks. Yet the makers of early corporate network security products largely ignored threats from the inside, because there were no easy, product-based solutions. Instead, they targeted the boundary between the corporate LAN and the Internet, because they could build products to do that, and because this was the most obvious point at which to defend against attacks from the outside. Now, thanks to distributed Internet connectivity, VPNs, wireless technology, network-connected PDAs, and extranets, most large enterprise networks no longer have borders. While this increase in connectivity is great for employee productivity, it is a corporate security nightmare.
There is a lot of talk in the security market about network access control (NAC), an attempt to build an intelligent network infrastructure that can identify users, identify and do integrity checks on the computers they are using, and then grant them access to specific locations and/or resources (and set policies) based on user and machine identity. This is the holy grail of pervasive network security, and is no simple feat, as it will impact all types of products, from client software, to security appliances, to network infrastructure, to the back-end (authentication and policy databases, etc.).
Enforcing Network Access Control Solutions:
There are three main components of most NAC solutions: clients, enforcement, and the backend. The diagram below shows where each part of a NAC solution fits and highlights the three types of enforcement solutions.
[Figure: NAC solutions in an enterprise network, showing clients, the three types of enforcement, and the backend]
There are three big guns in NAC solutions market overall: Cisco, Microsoft, and the Trusted Computing Group (TCG). The first two are developing their own NAC-like solutions (Cisco's aptly titled Network Admissions Control or NAC, and Microsoft's Network Access Protection or NAP), and the third is an independent consortium working on standard implementations for NAC (called Trusted Network Connect, or TNC).
In addition to Cisco, Microsoft, and the TCG there are countless other companies building solutions that fit into the NAC architecture, from backend authentication and policy devices, to client software, to NAC enforcement devices. The bulk of this paper will focus on corporate networks and the market for enforcement, and we'll look at three types of enforcement solutions: network integrated enforcement, NAC solutions, and SSL VPNs used for NAC.
The goal of all NAC solutions is simple:
1: Authenticate the users (regardless of where they are coming from)
2: Perform an integrity check on the user's computer (checking for OS patch and configuration information, presence of personal firewall, etc.)
3: Compare the authentication and integrity check results against set policies in a policy storehouse
4: Make a policy decision about what/where that user has access to, given the results of the authentication and integrity check
5: Pass authorization for network access to some type of enforcement devices that can allow, deny, quarantine, or otherwise manipulate that user's traffic
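The five steps above, modelled as a small policy decision engine; this is an added illustration, not code from any of the vendors named in this paper. The user store, the posture fields, the policy thresholds and the VLAN numbers are all constructed for the example; note that a client that sends no posture report at all is quarantined rather than allowed (fail closed).

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed user store: username -> (salt, sha256(salt + password)); hypothetical.
_USERS = {"alice": ("s1", hashlib.sha256(b"s1" + b"correct horse").hexdigest())}


def authenticate(username: str, password: str) -> bool:
    """Step 1: verify credentials (constant-time digest compare)."""
    rec = _USERS.get(username)
    if rec is None:
        return False
    salt, digest = rec
    cand = hashlib.sha256(salt.encode() + password.encode()).hexdigest()
    return hmac.compare_digest(cand, digest)


@dataclass
class Posture:
    """Step 2: integrity-check report sent by the client agent (constructed fields)."""
    patch_level: int        # highest OS patch revision applied
    firewall_on: bool       # personal firewall enabled
    av_sig_age_days: int    # age of antivirus signatures

# Step 3: policy storehouse (constructed thresholds)
POLICY = {"min_patch_level": 42, "require_firewall": True, "max_av_sig_age_days": 7}

# Step 5: what the enforcement device does for each decision (constructed VLAN ids)
ENFORCE = {"allow": "vlan 10 (production)", "quarantine": "vlan 99 (remediation)", "deny": "port blocked"}


def check_posture(p: Optional[Posture]) -> list:
    """Compare the integrity check against policy; return the list of violations."""
    if p is None:                      # no agent / no report: treat as non-compliant
        return ["no posture report received"]
    v = []
    if p.patch_level < POLICY["min_patch_level"]:
        v.append("os patches out of date")
    if POLICY["require_firewall"] and not p.firewall_on:
        v.append("personal firewall disabled")
    if p.av_sig_age_days > POLICY["max_av_sig_age_days"]:
        v.append("antivirus signatures stale")
    return v


def decide(username: str, password: str, posture: Optional[Posture]) -> dict:
    """Step 4: combine authentication and posture results into one enforcement decision."""
    if not authenticate(username, password):
        return {"decision": "deny", "enforce": ENFORCE["deny"], "reasons": ["authentication failed"]}
    violations = check_posture(posture)
    if violations:
        return {"decision": "quarantine", "enforce": ENFORCE["quarantine"], "reasons": violations}
    return {"decision": "allow", "enforce": ENFORCE["allow"], "reasons": []}
```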
The exact steps vary for corporate networks, and each vendor in the space can give a detailed description of how they go about receiving and manipulating all the data required to be a NAC solution, but that's the basic idea. Step 5 is what we will focus on for the remainder of the report.
2. Network Integrated NAC Solutions
Cisco is the primary driver behind network-integrated NAC solutions, but the general architecture could be executed in a multi-vendor environment, particularly as the work that the TCG is doing with TNC begins to mature. The basic idea is this: switches, routers, firewalls, or any other existing network devices (in the case of Microsoft's NAP, a DHCP server running Microsoft software) communicate with both the clients looking for access (often running special client software), and with the backend authentication and policy servers, most often using 802.1X as the underlying transport protocol.