Guest access or federated NAC management?
Cisco Guest Server lets employees sponsor guests onto your network. This could be the first step toward placing access control decisions with the business user.
November 15, 2007
Mimicking activity in the physical world, Cisco Guest Server lets employees sponsor guests onto your network rather than lumping all guests into one account or another. This is the first step toward placing access control decisions with the business user, where they ultimately belong. When I walk into a building or office to visit someone, I often have to sign in and be escorted by an employee. Generally speaking, any employee can sponsor a visitor without having to get sign-off from a committee: sign the log, get a paste-on name badge, and wait for an escort. The benefit is that employees can schedule meetings when they need to without undue overhead. Letting guests into your offices does pose a significant security risk if your organization is being targeted. Talk to someone like Ira Winkler or Steve Stasikounis, both masters of getting into places they shouldn't: just getting in the door is often the most difficult step in penetrating a company, and nearly all companies allow that to happen. Why should guest network access be any different?
The idea behind the NAC Guest Server is that an employee can sponsor guests onto the network by creating a temporary account the guest uses to log in. The guest's activity can then be tracked back to that account and to the sponsor who created it. Of course, who gets to sponsor access and what kinds of access can be granted are set by policy, so you still control who does what. I have a longer view.
I have always maintained that relying on IT to assign NAC policies is less business friendly than letting business managers perform that function, because who knows better what access is needed: an IT or security admin who is divorced from the business process, or a line manager trying to get projects done and generate revenue? While defining roles and assigning access control to them is a useful exercise, there are often exceptions where some employees need access outside the pre-defined roles.
There is a continuum of policies ranging from loose to strict. Loose access control policies, where access is relatively open once a host and user are authenticated and approved onto the network, handle exceptions easily. Stricter access control policies, not so much. If your company is driving toward stricter access control policies, the exception monster will rear its ugly head. That means business managers will have to go to IT and ask for and justify each exception, at the expense of getting things done.
Business managers should make access control decisions because they know better who needs access to network resources. Before you think I am suggesting line managers should be turned loose on a NAC console, I am not. In fact, all of the NAC products I have seen are designed to be used by an IT or security administrator. A business manager would just get lost in the buttons and knobs.

What I am suggesting is a federated management framework where IT defines resources on the network by host, port, or some other identifier and defines how those resources are reached. These are the basic building blocks of any network device security policy: a Windows file share is at a specific IP address and is accessed over UDP 137 and 138 and TCP 139 and 445. Then you assign the resources to business managers, who in turn can grant access to their users. A business manager knows that Joe Bob needs access to a file share containing project data, and IT doesn't. It's silly to have to go to IT to get that permission. In the management framework, each manager is assigned only those resources they use. The benefit is that if Joe in sales wants to give Sally in marketing access to a sales resource, he can. However, Joe can't give access to accounting resources if he doesn't hold those rights himself. I am talking about adding an abstraction layer.
Access control is split: IT maintains the technical details of how resources are reached, which is its expertise, and business managers decide who can access those resources. None of the NAC products I have seen support this model, but it's early yet. (When I bring this up, some vendors agree vehemently, but I wonder whether they really agree or are just patting me on the head.)
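To make the abstraction layer concrete, here is an added example, my own sketch rather than code from Cisco NAC Guest Server or any shipping NAC product, of the two-layer model described above and of the guest sponsorship it generalizes: IT defines resources by host and port and delegates them to managers; managers grant employees access or sponsor guests, which is just a time-boxed grant recorded against the sponsor; and the enforcement side turns the grants a user holds right now into per-user allow rules. The people, addresses and the `FederatedPolicy` and `PolicyError` names are all assumptions chosen for illustration.

```python
"""Federated NAC policy model (illustrative, not a real product's API).

IT layer:       define resources (host + ports) and delegate them to managers.
Business layer: managers grant access only over resources delegated to them;
                guest sponsorship is a grant with an expiry.
Enforcement:    translate a user's live grants into host/proto/port allow rules.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


class PolicyError(Exception):
    """A manager tried to grant something IT never delegated to them."""


@dataclass(frozen=True)
class Resource:
    name: str
    host: str
    tcp_ports: tuple
    udp_ports: tuple = ()


@dataclass
class Grant:
    user: str
    resource: str
    granted_by: str                 # the sponsor, kept for audit
    expires: Optional[datetime]     # None = standing employee grant


@dataclass
class FederatedPolicy:
    resources: dict = field(default_factory=dict)    # name -> Resource      (IT)
    delegations: dict = field(default_factory=dict)  # manager -> {resource} (IT)
    grants: list = field(default_factory=list)       # Grant records    (business)

    # --- IT layer: the technical building blocks ----------------------------
    def define_resource(self, name, host, tcp_ports=(), udp_ports=()):
        self.resources[name] = Resource(name, host, tuple(tcp_ports), tuple(udp_ports))

    def delegate(self, manager, resource_name):
        if resource_name not in self.resources:
            raise PolicyError(f"unknown resource {resource_name!r}")
        self.delegations.setdefault(manager, set()).add(resource_name)

    # --- business layer: who may reach a resource ----------------------------
    def grant(self, manager, user, resource_name, expires=None):
        # The whole point of the model: a manager's authority is bounded by
        # what IT delegated, so Joe cannot hand out the accounting share.
        if resource_name not in self.delegations.get(manager, set()):
            raise PolicyError(f"{manager} is not delegated {resource_name!r}")
        self.grants.append(Grant(user, resource_name, manager, expires))

    def sponsor_guest(self, sponsor, guest, resource_name, now, hours):
        # Guest access is an ordinary grant with a hard expiry; the same
        # delegation check applies, and the sponsor is recorded.
        self.grant(sponsor, guest, resource_name, expires=now + timedelta(hours=hours))

    # --- enforcement: what the network device would actually permit ----------
    def rules_for(self, user, now):
        rules = set()
        for g in self.grants:
            if g.user != user or (g.expires is not None and g.expires <= now):
                continue                      # not this user, or grant has lapsed
            r = self.resources[g.resource]
            rules.update((r.host, "tcp", p) for p in r.tcp_ports)
            rules.update((r.host, "udp", p) for p in r.udp_ports)
        return sorted(rules)

    def audit(self, user):
        return [(g.resource, g.granted_by, g.expires) for g in self.grants if g.user == user]


def demo():
    """Constructed scenario from the post: Joe in sales, a guest, and the accounting share."""
    p = FederatedPolicy()
    # IT defines the shares (Windows file share: NetBIOS UDP 137/138, TCP 139, SMB TCP 445)
    p.define_resource("sales-share", "10.0.1.20", tcp_ports=(139, 445), udp_ports=(137, 138))
    p.define_resource("accounting-share", "10.0.2.20", tcp_ports=(445,))
    p.delegate("joe", "sales-share")          # Joe (sales) owns access to the sales share
    p.delegate("carol", "accounting-share")   # Carol (accounting) owns the accounting share
    now = datetime(2007, 11, 15, 9, 0)
    p.grant("joe", "sally", "sales-share")                    # standing grant to an employee
    p.sponsor_guest("joe", "visitor", "sales-share", now, 8)  # eight-hour guest grant
    try:
        p.grant("joe", "sally", "accounting-share")           # outside Joe's delegation
        refused = False
    except PolicyError:
        refused = True
    return p, now, refused


if __name__ == "__main__":
    policy, t0, refused = demo()
    print("accounting grant by joe refused:", refused)
    print("sally now:", policy.rules_for("sally", t0))
    print("visitor after 9h:", policy.rules_for("visitor", t0 + timedelta(hours=9)))
    print("visitor audit:", policy.audit("visitor"))
```

The `rules_for` output is the piece IT would push to a switch ACL or firewall; the manager never sees ports or addresses, only the resource names IT handed them, which is the abstraction layer the post argues for.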
Perhaps guest access is the first step down this road. It certainly makes sense. I know some of you will simply disagree with my suggestion that line managers should be granting access control, and I know some of the arguments (but feel free to post them anyway). Giving up control isn't that bad, and you will find that you can have both tight access control and flexible management.