Network access control: Are we ready yet?

Network companies are now pushing a clear message about how network security should work: Hardware devices identify users at the network port level, provide virus scanning and authentication services, then allow or deny network access based on strict role-based policies. Whether this actually works or when it will be widely available is less clear.

Among the companies offering network access control (NAC) products are established network vendors such as Cisco, Nortel, Enterasys and Extreme Networks; start-ups such as ConSentry, Lockdown Networks and Nevis; and security companies such as Internet Security Systems (ISS) and BlueCoat Systems. But observers say that the industry is a long way from agreeing on how best to handle and build NAC systems.

Within 18 months to two years, Microsoft's Network Access Protection, Cisco's Network Admission Control and the Trusted Computing Group's (TCG) Trusted Network Connect will establish themselves, and SSL VPN vendors will defer to whichever ones prove viable and popular, says Joel Snyder, senior partner at technology consulting firm Opus One.

Meanwhile, SSL VPN vendors offer a broad range of endpoint-checking software that varies widely in its capabilities. Snyder said most vendors won't spend a lot more effort on these protections in anticipation of those separate network access initiatives.

"Here's a prediction - endpoint checking won't ultimately be in the VPN box," he added. "It will be in a NAC box. There will be just a thin layer of endpoint checking in the SSL VPN gateway that punts off to policies that are defined on a different box."

One network professional said the days of putting network ports on desktops and managing security issues after the fact are over.

"I really want role-based security in place," said Peter Hricak, senior network operations manager for visual effects creator Lucasfilm. "That's something that we're seriously looking at - to get authentication-based policies applied. I want to know who a user is, and give them rights only to what they're allowed to do."

Forcing all clients to authenticate to a LAN switch port, and enforcing network access policies based on user identities, is the direction Hricak wants to go. On the Lucasfilm network in San Francisco, he manages multiple 10G Ethernet trunks and widespread Gigabit Ethernet to the desktop for high-end digital editing. While the Foundry-based infrastructure provides plenty of bandwidth, securing users via the network is one of his challenges. Rudimentary controls such as virtual LANs (VLAN) or access control lists now on network hardware are not enough.

"It's not good enough to just lock a port to a particular VLAN," he said. "That port should really just be vanilla, until you authenticate; then you turn the port into what you need it to be."

A first line of defence
Another user examining policy-based network access control sees the technology as a first line of defence behind the primary entry point for viruses and worms into a network - the desktop switch port.

Policy-based networking "is going to help us alleviate worms, bugs, viruses, stuff like that, and protect the network," said Jeff Sandbridge, IS specialist with the State of West Virginia's MIS Office. "It's something that has to happen. You used to just have hubs and switches and then your security boxes. It's come to the point now with all the easy ways and multiple ways of attacking a network, you have to be able to provide all the features that were inside those security boxes down at the port level."

Sandbridge plans to deploy Enterasys LAN switches along with that vendor's Atlas Policy Manager server. The server software can detect activities on ports that are out of bounds for individual users on the network. The switches can take directions from the server to shut down or limit network access to traffic flows that the server identifies as breaking policy rules.

But a standard technology to scan PCs before they are allowed network access will not be fully developed for two years, according to other experts.

"Right now, most NAC offerings are really single-vendor solutions," said Steve Hulquist, principal analyst at Infinite Summit. "You have the client/server approach that Microsoft is taking and it's not even available yet. There's Cisco's approach, which is all-Cisco hardware," and the TCG's effort, which is standards-based but also not yet available. "I would be hesitant to do a full-scale enterprise implementation, given the products that are available today."

Even SSL VPN vendors, who already supply a version of this endpoint-checking software, acknowledge it has a way to go before it is fully featured and flexible.

"It's relatively early in the development of that technology," said Reggie Best, vice president of marketing for AEP Networks, which makes SSL VPN equipment. "There's a lot of work that needs to be done on that."