Analysis: Network Access Control

The network access control market has more players and plot twists than a crime novel. We follow the saga as Cisco and Microsoft partner to control the market, while

October 6, 2006


All conspiracy theorists worth their salt have one thing in common: A certainty that far-reaching and insidious forces are conspiring, molding events to suit their nefarious aims.

That about sums up the NAC market.

The number of players in this intrigue has exploded from a handful a few years ago to upwards of 35 today. And it's not just infrastructure gear vendors, though Cisco Systems and its rivals are well represented. From AirMagnet to Vernier, and of course Microsoft, everyone wants a piece of your security budget, and they're not above forming convenient alliances to get it. And no wonder: Worldwide manufacturer revenue for NAC (network access control) enforcement products will grow to $3.9 billion by 2008 from $323 million last year--that's more than 1,100 percent growth, according to a recent Infonetics Research survey. Our own reader poll shows that more than half of organizations surveyed already deploy some form of NAC. Most start with a targeted scope, such as regulating network access to guest users, mobile laptops and wireless hosts.

If vendors have their way, those modest use cases will spread like a bootleg X-Files clip at a UFO convention.

The high number of enterprisewide deployments we saw in our poll was surprising until we dug a bit deeper and discovered that the bulk of these respondents are in government or financial services, where compliance with regulations is a powerful driver.

That many IT groups are starting with limited deployments around wireless, remote access and mobile laptops is no surprise, to us or to NAC vendors. They smell big future contracts and have been targeting marketing dollars and sales pitches to pain points that give IT serious agita. Guest contractors and consultants need to connect to your network, and saying no is rarely an option.

Get Framed

The big news in NAC is the move toward frameworks, by both vendors and standards bodies. Frameworks should let IT combine products from multiple vendors through such integration points as APIs and common protocols. How important is it that a NAC product adhere to a standardized framework? Very, according to our reader poll. But demand for any one particular framework isn't evident, indicating that a leader has yet to emerge.

Not for lack of trying. Three main NAC frameworks--Cisco Systems' Network Admission Control (CNAC), Microsoft's Network Access Protection (NAP) and the Trusted Computing Group's Trusted Network Connect (TCG/TNC)--are vying for attention and generating more plot twists than a Desperate Housewives story line. Cisco and Microsoft have joined forces with the NAC/NAP Interoperability Architecture; Microsoft is on the record as committed to aligning NAP with specifications from the TCG; and Cisco has joined other vendors, including Juniper Networks, on the IETF Network Endpoint Assessment BoF (birds of a feather). If formed into a working group, the NEA BoF will attempt to unify competing standards.


For now, the Cisco/Microsoft Interoperability Architecture has an edge simply because of the market clout these two giants wield. TCG/TNC, on the other hand, is the "everyone but Cisco" contingent--and that everyone includes Microsoft, which is hedging its bets. The IETF may have a say in the outcome ... if the NEA BoF makes it to working group status and can unify the competing standards. We're hopeful the NEA BoF will be approved as a working group and that its standards will be adopted by the industry. But those are big "ifs." Only enterprise demand drives vendors to implement standards.

Dissecting The Frameworks

The premise is simple, whether you call it network access control, network admission control, network access protection, network node validation or Trusted Network Connect. These systems grant access to the network based on factors such as host assessment, host and user authentication, patch level, location, and even time of day.

Feature sets have evolved, though: In early NAC products from vendors like Sygate, acquired by Symantec, and Zone Labs, acquired by Check Point Software Technologies, assessment was accomplished through an agent on the host. Now, NAC products use a wider variety of host posture data points--including antivirus and antispam status, patch levels, firewall status and policy, authentication, logged-in users, access methods and location as defined by IP address--to make assessments. Similarly, the early enforcement model handled through an inline gateway has morphed into an array of enforcement strategies, including inline, out-of-band and host-based (see "Enforcement Taxonomy").

Cisco Network Admission Control

CNAC, Cisco's NAC play, is differentiated from Cisco's Clean Access NAC appliance, which controls access to network devices and can be used with any vendor's infrastructure gear. CNAC, on the other hand, uses the Cisco Trust Agent or Cisco Security Agent for host assessment, Cisco's Secure Access Control Server for centralized policy development and deployment, and sundry infrastructure equipment for enforcement.

Implementing CNAC is a major undertaking, requiring substantial investment to retrofit the existing infrastructure. Cisco admits that it's having better success selling Clean Access to the enterprise than CNAC. Detractors will tell you--accurately--that for CNAC to work, all your Cisco gear must be upgraded, resulting in further lock-in.

If you're an all-Cisco shop and happy, CNAC makes sense. But if you support router and switch gear from multiple vendors, integration with CNAC will be difficult, and the non-Cisco equipment may not be able to enforce policies. Cisco, like Microsoft, has a rather aggressive partner program that includes security vendors running the gamut of host and network security products.

CNAC uses third-party vendors to provide posture information to the Cisco Security Agent; information is then sent to the Secure Access Control Server, which integrates with external assessment authorities like authentication, AV and patch management systems. Access Control Server validates posture information against company-defined policies and can use external authoritative servers to learn what policies should be applied to hosts. Enforcement is through Cisco infrastructure devices, like switches, routers and VPN concentrators.

Microsoft Network Access Protection

NAP is a software-only framework that includes Active Directory; a new server, called a Network Policy Server; and a NAP agent that will ship with Longhorn, Vista and as an upgrade client to Windows XP SP2. Earlier Windows and non-Windows OSs will not be supported.

NAP defines SHAs (System Health Agents), including desktop firewalls, antivirus scanners and patch management systems. Status reports--called Statements of Health, or SoHs--are sent by SHAs to a server, called an HRA (Health Registration Authority).

The Network Policy Server integrates with external authorities, like antivirus and patch-management servers, to get current configuration information. Then, hosts are issued Health Certificates by the HRA or directed to remediate if health checks fail. The Health Certificate is presented to network servers that attest to a host's condition.

Until products ship, there's no telling how well Microsoft will implement NAP. We're concerned with gaps in how guest access is supported for unmanaged PCs or computers that are not part of an Active Directory domain. In addition, some NAC must-haves are missing. For example, SHAs, the software that reports to the NAP client running on a host, aren't required to notify the NAP client of status changes. That means a host may fall out of policy compliance, and the NAP client won't know until the next assessment is run.

Like Cisco, Microsoft has a successful partner program that includes not only software vendors but network infrastructure players, including Alcatel, Enterasys Networks, Extreme Networks, Hewlett-Packard and Juniper.

Interoperability Architecture


Interoperability Architecture Summary


The Cisco/Microsoft NAC/NAP Interoperability Architecture is the fruit of several years of integration work (see "Interoperability Architecture Summary" left). This alliance--if it works as planned--should fill the gaps in each program: Cisco brings hardware enforcement and support for non-Windows OSs. Microsoft brings Windows and Active Directory support. Both bring their own partner programs to bear; partners of either vendor will in theory be allowed to play in both sandboxes.

The integration point is how Cisco Access Control Server interacts with Microsoft NAP. If a client doesn't have an SoH, it will have to request one from Microsoft's HRA. If the client sends a list of SoHs, the Access Control Server will forward it to the Network Policy Server, which will validate the statements and return results to the Access Control Server, which will implement the policy.

Confused yet? The partnership does have one clear upside: non-Windows OSs and pre-Windows XP versions will be supported with free Cisco Security Agents. What isn't clear, however, is how NAP partners like Alcatel, Extreme and HP will fit into this picture. Will Microsoft's Network Policy Server be the central point of command and control, interacting with Cisco products as well as other vendors' infrastructure gear? That's anyone's guess. What is interesting is that both vendors say they'll keep their partner programs active, for the time being at least. A smart hedge.

Trusted Network Connect

The Trusted Computing Group's Trusted Network Connect working group comprises any vendor that wants to make a NAC play and that is not Cisco. The TCG/TNC working group has published a set of specifications defining the data formats and communications protocols for a complete NAC system, but our reader poll and conversations with security and IT professionals show it has a visibility problem. Not surprising, given the disparity in marketing budgets.

The TCG/TNC specifications are vendor-neutral--potentially any company that writes to the specification can integrate with NAC products from any other vendor. The building blocks look very similar to CNAC: IMCs (Integrity Measurement Collectors) send health data to the TNC client software. The TNC client software sends health data to a PDP (Policy Decision Point) that validates the measurements given by the IMC against Integrity Measurement Verifiers, or IMVs.

Once the PDP reaches a decision, an access policy is applied to a PEP (Policy Enforcement Point). The TNC client will most likely be supplied by the same vendor that supplies the PDP, but that doesn't have to be the case. This model raises many implementation questions. If there are multiple TNC clients on a host, which one will be used? How are TNC clients registered on a host, and what does host configuration involve? Until there are shipping products, these questions won't be answered, nor will best practices be formed.

The group is busily sponsoring demonstrations and adding vendors to its member roster. Although it's extremely tightlipped about unannounced work, the group is kicking around ideas such as integrating work from other TCG working groups and adding more specifications to integrate other network and security equipment into the TNC architecture, which will bring more assessment and enforcement products into the mix. But it won't commit to anything publicly. Maybe not a bad idea, but it's not helping the TCG/TNC's visibility problem.

IETF

Then there's the IETF. Currently, the Network Endpoint Assessment BoF, co-chaired by Cisco's Susan Thomson and Juniper's Stephen Hanna, is working toward gaining working group status. Its initial goal is to define a set of requirements for communications among NAC components and then try to either unify the existing protocols or develop new ones.

While that goal is laudable, don't hold your breath. Agreement by consensus on what to order for lunch can take a long time. For a protocol suite as complex as NAC, it can take a long, long time.

But Will They Work?

Of all of the frameworks available, only CNAC has an interoperability testing program. We see that as a critical factor for any access-control initiative because protocol conformance assures a basic level of interoperability. Standards are written and agreed on by groups, then implemented by other groups.

Of course, no matter how specific a given set of standards is as written, developers are left with a lot of room for interpretation. Suppose two vendors have written to the standards, even participated in an industry bake-off. That doesn't guarantee their products will play well together. Interoperability testing does.

Decision Time

As the NAC market starts to gel, the amount of energy being poured into positioning is amazing, even to those used to vendor hyperbole. NAC systems aimed at everyone from the small office to the global enterprise are available from multiple vendors, each offering a wide array of assessment, enforcement and integration options. So do you jump in now, or wait to see what shakes out in standards, frameworks and the inevitable consolidation due to acquisitions, mergers and attrition over the coming 12 to 24 months?

Companies with mobile workforces or that frequently have contractors and guests accessing the network can benefit from NAC today, because those two scenarios represent the greatest threat. But, if you can mitigate the problems represented by guest and mobile computers--say, through network segmentation--waiting for the market and standards to coalesce makes sense. You get time to plan for an orderly NAC deployment, standards have time to evolve, and vendors will hopefully make headway integrating their products.

If you want NAC today, we can help ensure that your chosen vendor has a plan that fits with your vision. In our report, "NWC Analytics: Network Access Control," we discuss the results of our e-poll, which reflects your peers' views on NAC, in the context of the market. We also analyze vendor positions and offerings. You can find it at nwcanalytics.com.

Here's a look at the current state of the technology.

Power Of Four

In the most current offerings, NAC happens in four phases: assessment, validation, decision and enforcement.

» ASSESS: If IT assets remained static, a host of ills would be eradicated. Dream on. Devices change state constantly during use, so if a NAC product performs only a pre-assessment, as in Nortel's Secure Network Access and StillSecure's SafeAccess, the system can't detect changes on the host and, quite frankly, the value of the product plummets. Access control cannot be fire and forget. Assessments and reassessments, continuous or periodic, are critical (see "Assessment Strategies" left).

Posture assessment updates are triggered using a variety of mechanisms. These can be simple--802.1X re-authentication, a scheduled reassessment or passive monitoring--or complex, like triggering an assessment based on host activity. We surveyed NAC vendors about their reassessment strategies; most claim to continuously reassess hosts (see "Good Posture?" right).


Reader Poll Results



Don't take that to mean real-time assessment. In many cases, "continuous assessment" and "periodic assessment" are used synonymously, when in fact a continuous assessment is really a periodic assessment.

ConSentry, Enterasys, Extreme Networks and Nevis Networks use passive monitoring--IDS, behavior analysis or both--to determine when a host needs a reassessment based on its behavior. Triggering an IDS signature or worm activity that leaves a distinct network footprint, such as scanning off-net or sending lots of e-mail, may cause a host to reassess itself.

Assessment is easy to say, difficult to do. Nearly all assessment strategies, except for external scanning and passive monitoring, require authenticated access to assess the computer--sometimes with local Administrator privileges--just to run a persistent or dissolvable agent. Even remote procedure calls require credentials. This is especially problematic for unmanaged computers and guest access, where installing or running mobile code is often not feasible. Granted, many organizations give their mobile users elevated privileges, but the coming User Access Control in Vista may change that since doing away with Administrator rights will be easier.

» VALIDATE: Validation is a two-part process as posture information is gathered, then validated. How data is gathered depends on the NAC product and the integration points between products. For example, vendors like Symantec or BigFix that integrate with Cisco's NAC or Microsoft NAP write to those APIs to report on their applications' conditions. Many other vendors, including CA, Sophos and Symantec, have done custom integration or use SDKs from OPSWAT, a provider of system integration development tools for endpoint security applications and a Cisco NAC, Microsoft NAP and TCG member. Assessments are passed to the policy server using standardized protocols, like 802.1X, EAP or EAP-TLS, or using a proprietary protocol. Remember, if your NAC system uses 802.1X as a transport, your hosts need supplicants, and the access switch needs to support 802.1X as well.

The Policy Server validates a host's condition based on a defined policy by leveraging other repositories on the network. For example, if all Windows OSs must have all patches installed, the Policy Server would take the host assessment and compare it against a list of required installed patches--discrepancies set a host into remediation mode, where it's quarantined until it gets a proper patch profile. The resulting patch process may be made more or less transparent.

» DECIDE: Once the host assessment is validated, the host's access permission is determined. This process is the heart of NAC.

Hosts that match all defined policies are granted the access assigned to them. But what about hosts that fail to match one or more conditions?

This is where your organizational policy comes in. A policy that states "any host that fails any check will be remediated before accessing the network" simply won't work in most cases because, like it or not, users' computers are much more varied than we like to admit. If applying a patch will disable VPN software--as happened with Windows XP SP2--forget enforcing an all-or-nothing policy. Likewise, if a computer can't reach a patch server, it won't be able to access the network.

Clearly, the exceptions, not the norm, are the pain points in a NAC deployment. A NAC system must allow many validation policies that can be applied to specific systems or users, so the wider the criteria the NAC system can use to assess and validate a host's condition, the better.

» ENFORCE: If the decision process is the heart of NAC, enforcement is the soul.

Types of enforcement vary widely by NAC vendor and often depend on the network infrastructure already in place. If your switches don't support 802.1X, for example, you may be out of luck.

The most versatile NAC offerings, such as those from ConSentry and Nevis Networks, provide a variety of in-band and out-of-band enforcement methods that not only allow you to tailor enforcement for specific network segments, but provide a migration path.

Remote users connecting over dial-up or VPN links should be handled using the same NAC policies as any other hosts. IPsec VPN and SSL VPN gateway vendors, including Cisco, Juniper and Nortel, have supported host assessment and access control for many years. Consider using RADIUS as the transport channel. Assessment attributes can be sent to the RADIUS server and attributes returned to the gateway defining an access policy.

Make no mistake: Any enforcement mechanism means significant changes to your infrastructure. Inline appliances are no exception. The closer enforcement is to the host, the tighter the access control (see "Attack Surface" diagram, nwc.com/2006/1012). When enforcement happens on an access-switch port--a method supported by 802.1X, VLAN steering, port ACLs or a NAC-enabled switch appliance--infected hosts have limited access to network components. When enforcement occurs closer to the core, at the distribution layer or further in, more hosts are available to an infected system. Balancing enforcement choices against other options, such as architecture and enforcement method, isn't as difficult as you might think. When port-based control is not an option, decide how many hosts will be reachable to a malicious computer. Decision factors include the likelihood an unknown host will connect to the network, and your managerial control over legitimate mobile computers. Enforcement for ports in public locations like conference rooms and wireless access points will naturally be far different from that for internal ports.

» EXCEPTION HANDLING: If the 80/20 rule applies anywhere, it's NAC: VoIP phones, printers, network cameras, Solaris and Linux servers and desktops ... some network gear simply won't have NAC agents or 802.1X supplicants installed. These exceptions are typically handled by whitelisting the MAC address.

Plan ahead for guests who need more network access than the standard guest policy allows. At $250 per billable hour, you don't want a contract developer hired on a per-project basis idling while IT scrambles to provide access to a subset of development servers.
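The validate, decide and exception-handling steps described above, sketched as an added example (not code from the article or from any NAC vendor). The VLAN labels, group names, patch IDs and MAC addresses are constructed, and falling back to guest access when the patch server is unreachable is an assumed local policy choice.

```python
"""Added example: validate a posture report, then decide where the host lands."""
from dataclasses import dataclass, field, replace

# Constructed enforcement targets; a real deployment maps these to VLANs or ACLs.
FULL, REMEDIATION, GUEST, DENY = "vlan-corp", "vlan-remediation", "vlan-guest", "deny"


@dataclass
class Posture:
    """What the assessment phase reports about one host."""
    mac: str
    group: str                                   # e.g. "employee", "guest"
    patches: set = field(default_factory=set)
    av_current: bool = False
    firewall_on: bool = False
    agent_present: bool = True                   # False for printers, phones, cameras


@dataclass
class Policy:
    """Per-group validation policy, so exceptions do not need one global rule."""
    required_patches: set
    require_av: bool = True
    require_firewall: bool = True
    waived_patches: set = field(default_factory=set)
    pass_vlan: str = FULL


POLICIES = {
    "employee": Policy({"KB-0001", "KB-0002"}),
    # Constructed exception: KB-0002 breaks this group's VPN client, so it is waived.
    "vpn-user": Policy({"KB-0001", "KB-0002"}, waived_patches={"KB-0002"}),
    "guest": Policy(set(), require_firewall=False, pass_vlan=GUEST),
}

# Agentless devices handled by MAC whitelist. MAC addresses can be spoofed,
# so each entry maps to a narrow VLAN rather than to full access.
MAC_WHITELIST = {"00:11:22:33:44:55": "vlan-printers"}


def validate(p: Posture, pol: Policy) -> list:
    """Compare the reported posture with the policy; return the failed checks."""
    missing = (pol.required_patches - pol.waived_patches) - p.patches
    failures = [f"missing patch {m}" for m in sorted(missing)]
    if pol.require_av and not p.av_current:
        failures.append("antivirus out of date")
    if pol.require_firewall and not p.firewall_on:
        failures.append("host firewall off")
    return failures


def decide(p: Posture, patch_server_reachable: bool = True):
    """Return (enforcement target, reasons) for one host."""
    if not p.agent_present:
        vlan = MAC_WHITELIST.get(p.mac.lower())
        if vlan:
            return vlan, ["whitelisted by MAC"]
        return DENY, ["no agent and MAC not whitelisted"]
    pol = POLICIES.get(p.group)
    if pol is None:
        return DENY, [f"no policy for group {p.group!r}"]
    failures = validate(p, pol)
    if not failures:
        return pol.pass_vlan, []
    # Assumed policy choice: a host that only lacks patches and cannot reach the
    # patch server gets guest access instead of a quarantine it can never leave.
    only_patches = all(f.startswith("missing patch") for f in failures)
    if only_patches and not patch_server_reachable:
        return GUEST, failures
    return REMEDIATION, failures


def reassess(p: Posture, **changes):
    """Re-run the decision after the host's state changes (periodic reassessment)."""
    return decide(replace(p, **changes))


if __name__ == "__main__":
    host = Posture("00:16:3e:00:00:01", "employee", {"KB-0001", "KB-0002"}, True, True)
    print(decide(host))                          # admitted
    print(reassess(host, firewall_on=False))     # falls out of compliance later
```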

Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs and former editor in chief of Secure Enterprise. Prior to joining this magazine, Mike worked as an independent consultant in central New York. Write to him at [email protected].

Ripe For The Picking

With the NAC space numbering 35 vendors and growing, consolidation is bound to happen through acquisition and attrition. Both conventional infrastructure vendors that are partnering to fill gaps in their NAC strategies and security vendors facing commoditized markets should be looking to acquire technology. That's the only way to ensure they won't be cut off at the knees if a key partner is acquired by a competitor. Here are some tempting acquisition targets.

AIRMAGNET
Although AirMagnet is not a NAC vendor per se, it does provide robust endpoint port control and, more important, wireless networking control--to the point of managing to which access points to connect or changing posture based on location. NAC offerings generally don't have a decent solution for controlling wireless networking.

CONSENTRY NETWORKS
ConSentry is one of the vendors offering a wide variety of options for endpoint assessment, remediation and access control. Its product line provides migration paths from one assessment or remediation path to another--or what the heck, you can do them all simultaneously. ConSentry boasts a 10-Gbps inline access-control appliance, the LAN Shield Switch, with a purpose-built 128-core CPU under the hood that can move traffic through the switch with a claimed latency of less than 1 millisecond. ConSentry's LANShield Controller is a command-and-control system that can configure infrastructure switch ports from a variety of vendors. Its breadth of offerings would fit well with vendors lacking a high-speed in-line device or a robust command-and-control system.

NEVIS NETWORKS
Nevis Networks offers network-level assessment and remediation products that complement endpoint assessment. Its transparent appliance, the LANenforcer LAN Security Appliance, sits between access switches and distribution switches and is positioned to control access for managed hosts. Its Secure Switch access device is intended to control access for unmanaged hosts, including guests and contractors. With the ability to assess a host, control access, and perform continuous monitoring using IDS/IDP and network behavior monitoring, Nevis should be an attractive acquisition for the same reason as ConSentry--flexibility.

STILLSECURE
StillSecure's strength is command and control, rather than a complete NAC line like ConSentry and Nevis have. Its partnership with Extreme fills the need for a command-and-control system in Extreme's NAC offering and gives StillSecure a reach into Extreme's customer base.

Enforcement Taxonomy

A number of enforcement methods are available. Here are the eight most common. Many vendors support multiple enforcement methods; a few support a wide variety, letting you select the best fit and migrate from one to another as needed.

VLAN steering: Moves hosts and switch ports onto specific virtual LANs. A "guest" VLAN can be used to give visitors access to the Internet, for example, but nothing else. The critical component is for the command-and-control application to integrate with the switch.

802.1X: An IEEE port authentication protocol that authenticates a device to the network. Enforcement is through switch port control or VLAN steering. It's used extensively in wireless networks and is starting to be deployed in the wired infrastructure. Each endpoint needs a supplicant.

DHCP: Passes out leases and host-configuration information. By controlling which IP addresses are issued, access control can be enforced through IP addressing. It's an interim solution that is easily defeated unless the switch fabric is aware of what IP addresses belong to which MAC addresses.

Agent self-enforcement: Uses a resident agent on the host to enable and disable network access through application control or manipulating host firewall rules.

ARP poisoning: Uses a man-in-the-middle scenario to control at Layer 2 how hosts can access resources. Like DHCP, it can be easily defeated (see "Are DHCP Management and ARP Poisoning Enough?").

Inline blocking: Similar to deploying a network firewall on each switch port or uplink. Network traffic from hosts is regulated according to a deployed policy. The closer to the access port the host is connected, the better the access control. Likewise, the further upstream, the less effective the enforcement.

VPN: Can be used to restrict access. If all hosts are on a VPN and you don't accept non-VPN traffic, then an infected host or attacker can't cause problems. Of course, highly utilized servers must be able to handle the encryption/decryption.

DNS redirect: Used to force a user to authenticate, usually through a Web portal, before being granted access. This is similar to the hotel broadband access with which we're all familiar. Once the host authenticates and is assessed, it can be granted access to the network or sent to a remediation page.

Are DHCP Management And ARP Poisoning Enough?

DHCP lease management and ARP poisoning are two methods for controlling access. DHCP leases are managed through the NAC system, first putting a host onto a private network so that it can be assessed, then changing the host IP as needed. DHCP control requires little change to the underlying infrastructure and is less invasive than switch-port manipulation, VLAN steering or dynamically updating router ACLs.

ARP poisoning, on the other hand, uses ARP to manage the MAC-to-IP mapping used by network hosts to communicate within a single subnet. If a host sends out an ARP packet saying it's the network router, for example, all endpoints on that segment will send it all packets bound for other segments (note that the concept is called ARP poisoning whether it's used for good or evil).

Either method is easily defeated by knowledgeable attackers. Using a static IP address will bypass DHCP lease management handily. ARP poisoning is a bit stronger, but on Windows hosts, using the built-in arp -a command will create a static ARP mapping. The tricky part is getting the network peer--a router, for example--to know what your real MAC address is. Constantly sending out directed ARP responses is one solution.

Some vendors pooh-pooh problems and declare these enforcement methods good enough for most deployments because they provide half the solution by controlling the access of potentially infected computers. We say why spend time and resources to solve half the problem?

DHCP management and ARP poisoning do have their uses as interim enforcement methods during a NAC pilot; while upgrading infrastructure to support better enforcement methods like VLAN steering or 802.1X; or in those cases where nothing else works well, such as when the infrastructure is unmanaged or it's too costly to deploy in-line enforcement. However, DHCP and ARP poisoning should be used only as stopgap measures. Otherwise, a false sense of security may settle in, only to be shattered once it's too late.
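A check for the weakness described above, as an added example (not from the article or any product): it compares MAC/IP pairs seen on the wire with the lease table the NAC system issued, which is the awareness of "what IP addresses belong to which MAC addresses" that DHCP-based enforcement needs. The lease table, the observations and all addresses are constructed, and the source of the observations (a switch or sensor) is assumed.

```python
"""Added example: flag hosts whose addressing sidesteps DHCP-based enforcement."""

# Constructed lease table kept by the NAC system: MAC -> (leased IP, state).
LEASES = {
    "00:16:3e:00:00:01": ("10.0.10.21", "compliant"),
    "00:16:3e:00:00:02": ("10.0.99.15", "quarantine"),
}

# The gateway IP and the MACs allowed to answer for it: the router itself and,
# where ARP-based enforcement is deployed, the NAC enforcer.
GATEWAY_IP = "10.0.10.1"
GATEWAY_MACS = {"00:16:3e:ff:ff:01", "00:16:3e:ff:ff:02"}

# Constructed (source MAC, source IP) pairs as a switch or sensor might report them.
OBSERVED = [
    ("00:16:3E:00:00:01", "10.0.10.21"),   # matches its lease
    ("00:16:3e:00:00:02", "10.0.10.50"),   # quarantined host on a production address
    ("00:16:3e:00:00:09", "10.0.10.77"),   # never received a lease
    ("00:16:3e:00:00:09", "10.0.10.1"),    # answering for the gateway address
]


def check_bindings(observed, leases, gateway_ip, gateway_macs):
    """Return (mac, ip, reason) for every pair that contradicts the lease table."""
    findings, seen = [], set()
    for mac, ip in observed:
        mac = mac.lower()
        if (mac, ip) in seen:              # report each pair once
            continue
        seen.add((mac, ip))
        if ip == gateway_ip:
            if mac not in gateway_macs:
                findings.append((mac, ip, "answers for gateway IP"))
            continue
        lease = leases.get(mac)
        if lease is None:
            findings.append((mac, ip, "no lease on record"))
        elif lease[0] != ip:
            leased_ip, state = lease
            findings.append((mac, ip, f"leased {leased_ip} ({state}) but using {ip}"))
    return findings


if __name__ == "__main__":
    for mac, ip, reason in check_bindings(OBSERVED, LEASES, GATEWAY_IP, GATEWAY_MACS):
        print(f"{mac}  {ip:<12} {reason}")
```

Findings like these are a reason to move the affected segment to port-level enforcement rather than a substitute for it.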
