Network executives planning to deploy network access control should start with very specific goals — not intricate schemes to quarantine and remediate insecure devices and shut down badly behaving machines and record every connection each device attempts to make on the network.
That’s because comprehensive NAC rollouts are costly and complex, and the technology is young enough that even if the goals are simple, the implementation may not be.
For instance, Erickson Retirement Communities in Maryland wanted NAC to block intentionally malicious users from gaining access to the network. “If you can’t authenticate successfully, you’re going to end up in some dirty virtual LAN that gives you internet access, and that’s it,” says Scott Erickson, the company’s CTO, who oversees the firm’s 14 campuses.
“I want contractors to be able to get [traffic] in and out, and if auditors are here, for them to use their VPNs. That’s really what I was after with NAC.”
But even that focused agenda is difficult for Erickson to achieve, for two reasons. One, he has been trying to implement the technology while keeping an eye on his budget. And two, all the elements he needs are not ready, although vendors he works with talk about them as if they are.
This dilemma stems from the many definitions of NAC being bandied about. Initially, NAC as defined by Cisco was a response to the Blaster worm that ravaged networks in 2003. The goal was to check that endpoints had the proper patches and were up to date before they gained network access.
Since then, useful additions such as internal intrusion-detection/prevention gear have been tacked on to the definition. The technology’s profile has soared, and based on the expanded definition, NAC has been split into two parts: pre-admission and post-admission.
Erickson was interested in pre-admission controls that tie users and machines to policies. He wanted machines to identify themselves as issued by the company or not, then have users identify themselves and use a combination of the two identity checks to determine what, if any, access they get. “Now, if it’s a combination of the two, I’ll put you into a full, accessible VLAN,” he says.
Erickson figured he had all the elements he needed. His Cisco switches have been software-upgraded to handle 802.1x port-level policy enforcement, and his Cisco Access Control Server (ACS) RADIUS server is interoperable with Active Directory.
But it wasn’t as simple as he thought. For Cisco switches to enforce the policies using 802.1x port authentication, each machine being screened needs 802.1x supplicant client software, and Cisco didn’t have any ready late last year when Erickson was ready to go.
He hoped Microsoft would come up with a supplicant for Windows XP that would work with Cisco switches, but it didn’t. So his first thought was to pilot Cisco Network Access Control using Microsoft Vista and its 802.1x supplicant at three sites with about 100 PCs each.
“I have three sites with about 100 PCs each that I just opened, and I’m going to flip all three of them. Those will be my pilot sites,” Erickson says. At least that was the original plan.
Now, he’s considering a more costly alternative — installing Cisco Network Access Control appliances at each site. He has so many sites that the cost is high, he says. But he may be forced into eating the extra cost in the interest of avoiding a long wait while bugs are worked out of Vista.
As Erickson’s experience reveals, NAC can have pitfalls. “There are lots of pieces and parts to NAC, and the number of vendors makes it hard,” says Zeus Kerravala, an analyst with the Yankee Group.
But Kerravala points out that Erickson has done many things right in his deployment, such as examining whether existing policy-storage directories can fit into the NAC scheme a customer is considering. If a company has Active Directory in use, it should be able to leverage it in a Cisco Network Access Control implementation rather than buying Cisco’s Clean Access Server, he says. In addition, businesses should first deploy NAC to a small group of technically savvy users at different sites, just as Erickson plans to do. “Learn your lessons with them and build off that, then roll it out more broadly,” Kerravala says.
And Kerravala recommends starting with an appliance even if the goal is to embed NAC in the network infrastructure. “A network upgrade is expensive, and an appliance lets you test the technology before you commit to one,” he says.
Brett Childress, the director of IT Infrastructure for instrumentation vendor National Instruments in Austin, Texas, says he wanted a NAC appliance from the outset. Two years ago when he started looking, his network vendor, Cisco, had no workable NAC equipment, and he wanted to avoid any NAC scheme that required client software.
He was also interested in post-admission NAC to guard against malware that gets past virus screening. He selected Mirage Networks’ gear from among limited choices, primarily because it required no client software. “We just didn’t want another piece of software spread around on machines that we would have to keep updated and would make us worry about multi-platform support,” Childress says. National Instruments’ desktops run multiple flavours of Windows, Linux and Macintosh.
The company doesn’t use a formal pre-admission NAC product, instead relying on frequent operating-system patches and antivirus signature updates to protect the network from infected machines, Childress says. “With a layered defence of centrally-managed antivirus, patch management via SMS and with Mirage on top of that, we feel fairly comfortable,” he says.
But that could change if the company broadens its remote-access program to include machines owned by employees that are not maintained by National Instruments. Childress says he would have to examine the cost of pre-admission NAC compared with its benefits because it tells the status of the connecting machines’ defences, not whether they have actually been infected.
“I’m checking they have antivirus installed and turned on, a DAT file that’s not more than a week out of date, that they have the most recent critical update from Microsoft,” Childress says. “The reality is you’re not checking for all these other potentially unknown pieces of malware that could be installed on that machine.”
The philosophy of the company is to allow employees unrestricted access to resources and the internet as long as that behaviour doesn’t endanger the network. “We tend to shy away from super-strict, upfront secure policies,” he says, and use Mirage to defend against attacks that freedom might enable. “We want to provide an adequate safety net to protect the productivity of the company. We would never want one user’s actions to take down the department for a day.”
Advertising and marketing firm Omnicom Group, based in New York, has adopted ForeScout’s Counteract appliance that performs pre-admission NAC. The firm needed this capability because it has so many travelling employees who use their laptops off network for weeks on end, then return with the laptops behind in updates and patches and possibly infected, says CIO Kenneth Corriveau.
Since installing Counteract about a year ago, the company makes sure that systems coming on the network are patched and have current virus definitions. Based on their status they are denied access or assigned to specific VLANs, Corriveau says. The pre-admission NAC also checks whether users have filed time sheets and denies access until they are done.
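The pre-admission policies described in this article (Erickson’s two identity checks deciding between a full VLAN and a “dirty” internet-only VLAN, and Childress’s posture checks for antivirus, a signature file no more than a week old and the latest critical update) can be written down as one decision function. This is an added illustration, not code from any of the products or companies named; the VLAN labels and the `Endpoint` fields are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# VLAN labels are constructed for this example; only the policy shape follows the article.
VLAN_FULL = "full-access"
VLAN_DIRTY = "internet-only"      # the "dirty" VLAN: internet access and nothing else
VLAN_REMEDIATION = "remediation"  # park here until patches/signatures are current

MAX_DAT_AGE = timedelta(days=7)   # "a DAT file that's not more than a week out of date"


@dataclass
class Endpoint:
    company_issued: bool            # machine identity, e.g. a device credential over 802.1x
    user_authenticated: bool        # user identity, e.g. RADIUS against Active Directory
    av_installed: bool = False
    av_running: bool = False
    dat_date: Optional[date] = None  # date of the installed antivirus signature file
    critical_patch_current: bool = False


def posture_failures(ep: Endpoint, today: date) -> List[str]:
    """Return the pre-admission posture checks the endpoint fails (empty = healthy)."""
    failures = []
    if not ep.av_installed:
        failures.append("antivirus not installed")
    elif not ep.av_running:
        failures.append("antivirus not running")
    if ep.dat_date is None or today - ep.dat_date > MAX_DAT_AGE:
        failures.append("signatures older than 7 days")
    if not ep.critical_patch_current:
        failures.append("missing latest critical update")
    return failures


def admission_decision(ep: Endpoint, today: date) -> Tuple[str, List[str]]:
    """Combine the two identity checks with the posture checks to choose a VLAN."""
    # Only a company machine with an authenticated user is a candidate for full access;
    # anything else (a contractor's laptop, an auditor using a VPN) gets internet only.
    if not (ep.company_issued and ep.user_authenticated):
        return VLAN_DIRTY, ["identity: not both a company machine and an authenticated user"]
    failures = posture_failures(ep, today)
    if failures:
        # Known identity but stale defences: isolate until remediated, then re-evaluate.
        return VLAN_REMEDIATION, failures
    return VLAN_FULL, []
```

The second element of the result lists why an endpoint landed where it did, which is what a help desk needs when the CEO’s laptop is sent to remediation.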
In general, it is important to err on the side of caution, Kerravala says, to avoid unintended disruptions. The classic example: forcing the CEO’s laptop to update virus definitions before it can connect to the network. Is the annoyance worth the marginal protection the network gains by the update? “Be careful what you deploy,” he says. “What you put in must not prohibit workflow.”
That is why it is key to get support for NAC from the top. In particular, managers for lines of business should be part of setting NAC policies.