Many network access control specialists have yet to address one of the biggest problems with their security technology: making their products work better with legacy network gear.
But vendors such as StillSecure, NetClarity and Nevis Networks plan to make their products compatible with 3Com, Cisco, Enterasys, Extreme Networks, Foundry Networks and Hewlett-Packard switches, so corporations don’t have to replace them to use NAC technologies.
Interoperability between these vendors and others could speed the adoption of NAC, which profiles devices that are logging on to networks, compares those profiles with security policies, decides what access, if any, a device is eligible for and enforces that level of access.
Security vendors are also looking to capitalise on a booming market in which one in three IT shops plans to buy or implement NAC this year, according to a Forrester Research survey of North American companies. About half of the world’s 2,000 largest corporations already have some form of NAC, Forrester says.
For its part, StillSecure’s SafeAccess software carries out NAC by scanning networked PCs from a server and receiving a compliance report from a software agent on the client machine or from an ActiveX agent downloaded to it that performs the same function. Based on the results, policies determine whether to admit the client, and SafeAccess instructs enforcement points what to do.
StillSecure says it plans to partner with Extreme this year, to incorporate SafeAccess into Extreme’s Sentriant threat-detection and mitigation appliance. Sentriant monitors behaviour of devices on networks and blocks anything suspicious. SafeAccess can also act as a bridge sitting inline to block traffic from non-compliant machines, and can use 802.1x switches as enforcement points or limit access by forcing an IP address on the machine that allows access only to a quarantined network segment.
NetClarity is adding 3Com and HP to the list of switch-makers whose equipment can enforce policies after NetClarity Auditor appliances determine what access rights devices should receive. The company is also working towards compatibility with Foundry and Extreme, as well as with fellow NAC vendor ConSentry. Auditor also supports Cisco Catalyst switches. It uses the switches’ command-line interfaces to communicate with them and assign non-compliant machines to quarantine virtual LANs (VLANs).
NetClarity says it is negotiating with intrusion-detection and prevention vendors to use their gear as enforcement points for its NAC. This would add to its list of enforcement points that also include firewalls from Astaro, Check Point, Cisco, Cyberguard, Juniper, Secure Computing and Snapgear.
This year Nevis Networks will introduce an appliance that sits between access switches and core switches to enforce policies on a per-switch basis. The appliance monitors traffic of devices that already have network access, seeking malicious behaviour. When it finds some, it shuts down the offending machines, preventing worms and viruses from propagating.
This new device (LANenforcer LAN Security Appliance) is an alternative to Nevis’ earlier product, LANenforcer, that included a switch, making it necessary to upgrade the network before implementing its NAC scheme.
Many companies using overlay NAC products need to protect their networks from devices such as laptops that can be removed from the network, get infected and then log on again.
For instance, NetClarity customer Cape Cod Cooperative Bank used Auditor appliances to check for malware on laptops used by financial consultants who consulted customers from bank branches, says Jason Bourdun, the information security manager for the bank. “They would log in and, before they were issued an IP address, the Auditor would scan them and notify me if they were vulnerable, if their configuration reached a certain threshold,” he says. In practice, the advisers’ laptops proved clean, but the NAC capabilities met bank security needs and those of banking regulators, he says.
Meeting legal and regulatory requirements drives many NAC deployments, such as the use of NAC vendor Lockdown Networks’ equipment by Houston-based EADS Astrium, a North American subsidiary of European aircraft maker EADS. Because Astrium deals with NASA, much of its work is classified, but it has to let visitors from the EADS parent company use its network, says George Owoc, director of business administration for the firm.
Space work is classified and the company needs licences from the US State Department that dictate how to protect data. “We have a serious need to enforce security policies,” he says, and part of that is proving what measures the company took to protect the network.
Lockdown Enforcer gear generates reports that detail network admissions. “I can see who logged in and what access they got,” Owoc says. “It’s pretty important not to infringe on our import-export licences. It can keep me out of jail.”
Businesses are also concerned that infected machines can take their networks down, as happened to Continental Airlines in 2002 when the Slammer worm crippled ticketing systems, according to Andre Gold, the airline’s chief information security officer.
Continental uses ConSentry’s enforcement appliances to keep malicious code from breaking its network while still letting reservation agents use key applications, Gold says. Machines found to be non-compliant might be allowed access to reservation applications, for instance, if the non-compliance was not a direct threat to that application. The machine could be banned from accessing other network resources.
This “soft quarantine” allows employees to keep working, while warning IT staff of problems, Gold says. “It stops the client from doing bad stuff but doesn’t stop the individual from being productive,” he says.
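To make the admission flow concrete (profile the device from an agent’s compliance report, compare it with policy, pick an access level and hand the enforcement point an action, including the “soft quarantine” Gold describes), here is an added toy policy engine. It is not code from the article or from any vendor named in it; the report fields, thresholds, VLAN ids, application names and the IOS-style switch lines are all constructed for illustration.

```python
# Added example (not the article's or any vendor's code): a toy NAC admission engine.
# Field names, thresholds, VLAN ids, app names and CLI lines are constructed.
from dataclasses import dataclass, field

FULL, SOFT, QUARANTINE = "full", "soft-quarantine", "quarantine"

@dataclass
class ComplianceReport:            # what the endpoint agent / ActiveX scan reports
    host: str
    av_running: bool
    signature_age_days: int
    missing_critical_patches: int
    worm_traffic_seen: bool = False  # behavioural finding from an inline monitor

@dataclass
class Policy:
    max_signature_age_days: int = 7
    max_missing_patches: int = 0
    soft_quarantine_apps: tuple = ("reservations",)  # still reachable when "soft"
    quarantine_vlan: int = 999       # constructed remediation VLAN id
    production_vlan: int = 10

@dataclass
class Decision:
    host: str
    access: str
    reasons: list = field(default_factory=list)
    allowed_apps: tuple = ()

def evaluate(report: ComplianceReport, policy: Policy) -> Decision:
    """Direct threats get a hard quarantine; hygiene gaps get a soft one."""
    d = Decision(report.host, FULL)
    if report.worm_traffic_seen:
        d.reasons.append("malicious traffic observed")
    if not report.av_running:
        d.reasons.append("antivirus not running")
    if d.reasons:                    # direct threat: isolate the machine outright
        d.access = QUARANTINE
        return d
    if report.signature_age_days > policy.max_signature_age_days:
        d.reasons.append("antivirus signatures stale")
    if report.missing_critical_patches > policy.max_missing_patches:
        d.reasons.append("critical patches missing")
    if d.reasons:                    # soft quarantine: listed apps only, IT alerted
        d.access, d.allowed_apps = SOFT, policy.soft_quarantine_apps
    return d

def enforcement(decision: Decision, port: str, policy: Policy) -> list:
    """Render the enforcement action: VLAN assignment on the switch port for
    hard quarantine / full access, an application allow-list plus alert for soft."""
    if decision.access == SOFT:
        return ([f"permit {decision.host} -> {app}" for app in decision.allowed_apps]
                + [f"deny {decision.host} -> any", "alert: " + "; ".join(decision.reasons)])
    vlan = policy.quarantine_vlan if decision.access == QUARANTINE else policy.production_vlan
    return [f"interface {port}", f" switchport access vlan {vlan}"]
```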
ConSentry is a quick fix for now because it doesn’t disrupt the network and offers protection, he says. ConSentry’s Secure LAN Controllers are installed between access and distribution switches to enforce policies, and no changes are made to the network otherwise, Gold says. “A combination of security and networking people can manage [ConSentry appliances], and there is no additional hardware or software needed to pull that off.”
Long term, he’s not sure of the best course. 802.1x enforcement of access policies in network switches is appealing because it is built into the infrastructure. But, in the meantime, overlay NAC will remain attractive to many businesses, he says.
“You’ll continue to see companies look for alternative measures that can scale,” Gold predicts. “I don’t see this market sorting itself out in the very near future.” Gold isn’t the only one looking at 802.1x as the ultimate solution. According to the recent Forrester survey, by Rob Whiteley, 49% of respondents are upgrading their switches to the technology this year, “looking to put the NAC building blocks in place.”