I've mentioned network access control several times in this column over the past few months. If you've been following along, you know that I like the functionality it offers but am leery of the difficulty and cost of deploying it, as well as the resources required to manage it properly.
* At issue: The time has come to implement network access control, but a NAC deployment can be fraught with difficulty.
* Action plan: Keep the architecture simple, starting with the network segmentation.
What we stand to gain with NAC finally seems to outweigh the drawbacks, so I've decided to begin the groundwork for a NAC deployment. To that end, I've been holding weekly meetings with our network and security operations team to develop a network segmentation model, which is pretty much a mandatory precursor to a successful NAC deployment.
From a network point of view, ours is not a very complicated company. We don't have a storefront, we're not a software-as-a-service or cloud provider, and we don't have a decentralized business model or any other risky situations to warrant a complex network segmentation model. I want to keep the architecture uncomplicated, serving the simple goal of protecting the company's assets while providing entities with transparent access. You're probably wondering why I used the word "entities" instead of "users." It's because with NAC, you have to take into account not only human users, but also servers and peripherals such as printers, plotters, cameras, alarm systems and other devices that can talk some form of Ethernet.
For the sake of simplicity, then, we decided to create four quadrants: the data center, outside the data center, untrusted entities and special nets.
The Four Quadrants
Let's start with the data center. We defined three tiers within it that should be familiar to you: Web tier, application tier and database tier. The idea is that we will segment those resources and place access controls (like a firewall) to limit access from one tier to another. For example, best practices dictate that in a production environment, Web servers should normally never directly communicate with database servers. We also identified a development and QA network that is further protected from the production network.
The "outside the data center" quadrant comprises trusted entities that, while not part of the data center, have a relationship with it: employees, printers, wireless access points and so on. Some of our entities do not meet the criteria to be in this quadrant because they are untrusted.
Untrusted entities, constituting the third quadrant, are deemed to pose threats to the company and include unpatched resources and vendor representatives who come into the office to demo their products. For example, we have a slew of pesky engineering servers that have been added to the exception list for patches and antivirus software. They are untrusted for good reason, since they account for almost 80% of our security incidents. For them, we are creating stringent access rules that will be designed to prevent infected resources from impacting the production environment.
The special net quadrant includes the monitoring and security networks, which need very broad and unfettered access to all quadrants. We may also include in this quadrant peripherals such as cameras and alarm systems that need access but can't identify themselves in an intelligent manner.
Our quadrant identification exercise is just the beginning, and further refinement will be necessary. Once that is completed, we will start to evaluate technologies for their compatibility with our segmentation model, while taking into account our corporate infrastructure, budget and resources.
How about you? Do you have a NAC success story? Let me know.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
To take part in the discussions about security, visit computerworld.com/blogs/security.