NAC: Growing pains

Network access control is a sound concept, if you do all the necessary preparation and ignore the marketing hype. Mark Mayne reports.

Emerging a couple of years ago, network access control (NAC) was immediately promoted as the next big thing by some security vendors. Install NAC across your business network, went the pitch, and your problems are over. No more issues with mobile devices, no more unauthenticated users roaming your network. This sounded promising, but the excitement seems to have died down somewhat, so what happened?

The first, and perhaps most important, point about NAC as a technology is that it isn't one - it's a whole collection of familiar technologies that have been connected. Perhaps the biggest and most critical failure has been the hype of NAC as a single solution rather than a blend of tools that depend on business strategy, existing technology, future needs, etc. Most vendors have jumped on the NAC bandwagon and offer products that claim to be NAC-enabled. However, many security professionals feel that oversimplifying the concept has left a nasty taste in many CISOs' mouths.

"NAC is actually a collection of different access, security and reporting technologies for a whole range of organisational needs, rather than the single panacea to all security problems," says Ian Kilpatrick, chairman of secure infrastructure solutions provider Wick Hill Group. "Indeed, it is the over-marketing of NAC as the next big thing that has caused the perception that it is not a success. It was basically oversold. Problems change according to where you're sitting."

NAC essentially involves the ability to control access to the network and its resources, services and applications, based on the user's role, responsibilities, group/team membership or identity. NAC systems will also identify and control threats from malware and monitor endpoint security and network activity based on the user's identity. All this should be reported back to a central console.

"NAC is different things to different people," says Steve Hanna, distinguished engineer at vendor Juniper Networks. "For some, it's about taking total control of your network, focusing on things such as identity management and enforcing the appropriate level of access. It's also about controlling the health of the machines on the network from a malware perspective. Finally, there's monitoring and restricting what users can do on the network. These all take different precedence depending on the business case."

However, NAC is an all-or-nothing concept, which is a tough pill to swallow for a large corporate with a complex legacy infrastructure already in place. "NAC is on an upward curve, and there are a lot of products in the pipeline," predicts David Lacey, a co-founder of the Jericho Forum. "The reason why deployments are slower than initially thought is because NAC is very expensive and slow to install. Older equipment doesn't work with it, and replacing that takes a lot of time and money.

"There are other concepts around - such as desktop virtualisation - that offer similar security benefits. A key issue with NAC is that all the network information needs to be in one place before you can start to manage it, and centralising this data is often a challenge," he adds.

Increasing consumerisation of office IT equipment has also hampered NAC take-up. As the range of devices connecting to the enterprise network has rocketed, defining and enforcing policies for each device becomes increasingly complex, as does the process of confirming user identity.

Another stumbling block is the fact that any shortcoming in one part of the system lowers the security of the whole entity. Most businesses will need to do a lot of preparatory work before they can consider NAC. One example is deploying two-factor authentication. "If you don't have total confidence in a robust authentication system then any attempt to control access is pointless," Kilpatrick warns. "CISOs should also keep in mind that, although NAC has much to offer, it is not perfect, even in theory."

Lacey's warning is even starker: "NAC is also dangerous, as while it is often positioned as a panacea, there are obvious holes in it, even if it's fully and robustly implemented. Zero-day threats, for example, are not addressed by NAC, nor is the threat of a malicious insider," he says. "It is still very immature from a technology perspective, and the economic model is far from proven. Most business infrastructure is a bit of a mess, and NAC simply doesn't work in that sort of situation. A lot of networks don't have the choke points or bottlenecks where enforcement can be done effectively. I've seen a lot of people pull the plug on NAC trials. It's a bit like identity management a few years ago: it seems simple and plausible in theory, but in practice it gets difficult very quickly."

Uptake has been further confused by the fact that NAC means different things to different vendors. For starters, the name varies: Microsoft calls it network access protection, while Cisco calls it network admission control, and there are other flavours. This is symptomatic of a deeper issue: there was no initial interoperability standard. Although a working standard for NAC has now been provisionally agreed - the Trusted Computing Group's Trusted Network Connect (TNC) standard - it will be months before products hit the market.

Alastair Broom, security director at Dimension Data, expects to see vendor-by-vendor tweaks bolted on to standards-based products. "These proprietary extensions will certainly see interoperability issues, as they always do," he predicts. "However, I do think that CISOs are increasingly seeing NAC as part of their armoury. More and more businesses are introducing strong authentication, which is a prerequisite for NAC - it's also part of the PCI standard, which is a significant driver."

What's more, interest in NAC has remained very high. Broom thinks this is down to wireless implementations. "Mobile working is where I've seen the most deployments of NAC, mainly in mid-sized enterprises," he says. "Remote access is by far the biggest driver of uptake. This is how it was originally positioned, only later was it promoted as a LAN security solution."

Kilpatrick sees support for an increasing drive towards NAC in the 2008 Department for Business Enterprise and Regulatory Reform (BERR) report on information security breaches. "The BERR document shows considerable organisational focus on not just the concept of NAC, but also on deploying the individual components of a NAC-based strategy. There has been a significant surge since the 2006 survey in the deployment of many individual elements of a NAC strategy, such as strong authentication and improved wireless access controls."

NAC certainly has its proponents. Hanna at Juniper Networks is one of them, having spent years working on the newest standards as co-chairman of both the NAC standards committees - Trusted Network Connect (TNC) and Internet Engineering Task Force (IETF) NAC. He has some recommendations for those looking into implementing the concept. "To begin with, decide what problem you're trying to solve - unless you've set a clear priority, you will fail," he warns. "NAC is full of attractive possibilities, and these are extremely distracting. When you come to evaluate products, begin with the vendors that are most familiar to you, but don't stop there - look across the market.

"Also avoid proprietary systems that tie you to one vendor," he advises. "Some suppliers see NAC as a method of locking in existing customers. Having made some decisions, adopt a phased rollout. NAC is potentially disruptive, so start with a small pilot, maybe in the IT department. Try several products in this manner, and see how easy the process is to navigate for users. Finally, after implementation, begin in monitoring mode, not strict enforcement. Warn employees and set a compliance date - don't begin with it, otherwise problems will snowball."

Kilpatrick believes that despite NAC's potential, it is ultimately limited. "By the time companies have implemented it successfully, security professionals will have moved on. Something else will come along that penetrates business networks in a new and different way to current attack tools, so there will be a rush to defend against the new threat," he says.

It seems obvious now that NAC was hyped before it was really ready, and both the market and the technology are still catching up. However, the concept remains sound in principle. Lacey is keen to point out that the holistic view may have been ahead of its time too: "NAC is very much part of a long-term architecture plan rather than a quick fix. It's too lengthy for a strategic implementation, and there's not enough return for a tactical implementation. That said, it's much more suited for smaller companies of a few thousand seats or less - beyond that things get very murky."

Clearly, vendors are keen on NAC, both as a new marketing tool and a new technology. Analysts and integrators are less enthused, but see growth beginning to climb. While NAC isn't the panacea initially offered, it does solve a lot of problems, and can do so very neatly and transparently. The story of NAC is just beginning ...

In many ways, NAC itself is the future, where networks are holistic, intelligent devices rather than a slew of disparate parts. The next step along this road came earlier this year, when a new standard, IF-MAP, was announced. Although it has been possible to integrate security systems for some time through special proprietary technologies, there has been no standard means of getting previously siloed devices to talk.

The Trusted Computing Group's Trusted Network Connect (TNC) standards for NAC changed some of that, allowing the integration of endpoint security, identity management and network enforcement such as switches and VPNs, but appliances such as intrusion detection systems (IDS) and firewalls were still left out in the cold.

The new IF-MAP standard provides a way of integrating a wide variety of network security devices such as IDS, data leakage prevention (DLP) and interior firewalls with NAC equipment and with each other. This enables the TNC architecture to work with "unmanaged endpoints" and integrate behaviour monitoring in addition to or instead of endpoint health checking. It also provides a standard way to integrate firewalls and other enforcement devices into a TNC system.

The SOAP-based IF-MAP protocol defines a shared database called a metadata access point (MAP). Using this protocol and database, the network security devices share information about the users and devices connected to the network: who's logged into what device, how healthy the device is, whether it's violating policy etc.

Steve Hanna, distinguished engineer at vendor Juniper Networks, explains: "This means that sensors in the network (such as IDS and DLP systems) can customise their policies based on the user's identity, role and health. Additionally, interior enforcement devices such as firewalls now have a standard way to get information from other network security devices on endpoints, so that they can grant an appropriate level of access."
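To make the MAP idea concrete, here is an added illustration (not code from the article, the TNC or any vendor) of a shared metadata store in which a NAC server publishes who is logged in on which address and how healthy the device is, an IDS publishes an event, and an interior firewall searches the store to pick an access level. Real IF-MAP is a SOAP/XML protocol; the in-memory graph, the identifier and metadata names, and the firewall policy below are simplifying assumptions.

```python
from collections import defaultdict
class MetadataAccessPoint:
    # Identifiers are (type, value) tuples; metadata sits on an identifier or on a link
    def __init__(self):
        self.meta = defaultdict(list)    # identifier -> [metadata]
        self.links = defaultdict(dict)   # identifier -> {neighbour: [metadata]}
    def publish(self, ident, metadata, other=None):
        if other is None:                # metadata on one identifier
            self.meta[ident].append(metadata)
        else:                            # metadata on the link ident <-> other
            self.links[ident].setdefault(other, []).append(metadata)
            self.links[other].setdefault(ident, []).append(metadata)
    def search(self, start, max_depth=2):
        # Collect metadata on every identifier and link within max_depth hops of start
        seen, stack, found = {start}, [(start, 0)], []
        while stack:
            node, depth = stack.pop()
            found.extend(self.meta[node])
            if depth == max_depth:
                continue
            for nbr, link_meta in self.links[node].items():
                if nbr not in seen:
                    seen.add(nbr)
                    found.extend(link_meta)
                    stack.append((nbr, depth + 1))
        return found

def firewall_access_level(mp, ip):
    # Interior firewall (assumed policy) deriving an access level for an IP from the MAP
    by_type = defaultdict(list)
    for m in mp.search(("ip-address", ip)):
        by_type[m["type"]].append(m)
    if not by_type["authenticated-as"]:
        return "deny"          # no authenticated user behind this address
    if any(e["severity"] == "high" for e in by_type["event"]):
        return "deny"          # an IDS reported a high-severity event on it
    if any(d["status"] != "healthy" for d in by_type["device-attribute"]):
        return "remediation"   # unhealthy endpoint: limited access only
    roles = {r["name"] for r in by_type["role"]}
    return "full" if "engineering" in roles else "restricted"

def build_demo_map():
    # Constructed sample: a NAC server publishes identity, role, health and address
    mp = MetadataAccessPoint()
    user, ar, ip = ("identity", "alice"), ("access-request", "ar-1"), ("ip-address", "10.0.0.5")
    mp.publish(user, {"type": "authenticated-as"}, other=ar)
    mp.publish(user, {"type": "role", "name": "engineering"})
    mp.publish(ar, {"type": "device-attribute", "status": "healthy"})
    mp.publish(ar, {"type": "access-request-ip"}, other=ip)
    return mp
```

An IDS would publish its finding with `mp.publish(("ip-address", "10.0.0.5"), {"type": "event", "severity": "high"})`, after which the firewall's next search denies that address.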

Network access control (NAC) is a varied field and is more of an overall concept than a single technology. The concept is simple: to administer policy-based network access, incorporating a pre-admission health check and post-admission controls over where users are allowed to go and what they do. However, after this there is much debate. Different vendors have implemented this theory differently, and standards are only recently beginning to appear, making definitions both evolving and controversial.

The two main types of NAC are pre-connect and post-connect. Pre-connect determines the health and security level of a device prior to connection, and then allows the relevant level of access. Post-connect NAC monitors the behaviour of a device once it is connected to the network, so that malicious or unusual actions can be detected and stopped.

It is widely regarded as essential to employ both of these side-by-side to prevent trusted devices being compromised after access has been given.

Generally speaking, the elements of a NAC solution include: network authentication, identity-based access control, identity-based IPS, zero-day threat protection, endpoint compliance, automated remediation, real-time visibility and user-based reporting.

Identity and access management
Instead of the conventional identity of an IP address, NAC architectures base access rules for laptops or desktops on authenticated user identities. Two-factor authentication is generally recommended, as strong authentication is the basis of security in a NAC environment.

Zero-day threat protection
One of the most attractive propositions of NAC is the ability to prevent end-user devices that do not have anti-virus or the latest OS security patches from connecting to the network at all. Another useful function is automated remediation, where any devices that are not up to date with the latest software are taken to a safe point in the network to be upgraded.

This is usually done through either quarantine (a restricted area that allows users very limited access to applications) or a captive portal (where users are redirected to a web application that provides instructions for updating their computer).

Policy enforcement
NAC solutions enable the network manager to define policies for the entire network. This allows the regulation of what type of devices connect to what parts of the network, and what activities are allowed based on an individual's role within the company. These policies can then be enforced throughout the network's routers and switches.
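The pre-connect/post-connect split, the quarantine versus captive-portal remediation choice and the role-based policy described above, as an added example (not code from the article or any NAC product). The posture fields, the 30-day patch threshold, the role-to-port policy and the flow records are constructed assumptions; the `enforce` flag models the monitoring-first rollout recommended earlier in the article.

```python
from dataclasses import dataclass, field

@dataclass
class Posture:                     # constructed endpoint posture report
    user: str
    role: str
    two_factor: bool               # strong authentication completed?
    av_running: bool
    patch_age_days: int            # days since the last OS security patch

@dataclass
class Decision:
    verdict: str                   # admit | quarantine | captive-portal | deny
    reasons: list = field(default_factory=list)

MAX_PATCH_AGE_DAYS = 30            # assumed policy threshold
# Assumed role-based service policy: destination ports each role may use
ROLE_PORTS = {"engineering": {22, 443}, "it-admin": {22, 443, 3389}}
SAMPLE_EVENTS = [                  # constructed flow records seen after admission
    {"user": "alice", "role": "engineering", "dst_port": 443},
    {"user": "alice", "role": "engineering", "dst_port": 3389},
]

def pre_connect(p):
    """Pre-admission check: identity first, then endpoint health."""
    if not p.two_factor:
        return Decision("deny", ["strong authentication required"])
    reasons = []
    if not p.av_running:
        reasons.append("anti-virus not running")
    if p.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append("OS patches older than %d days" % MAX_PATCH_AGE_DAYS)
    if not reasons:
        return Decision("admit")
    # No AV means hands-on remediation in a quarantine segment; stale patches
    # alone are self-service via a captive portal with update instructions.
    return Decision("quarantine" if not p.av_running else "captive-portal", reasons)

def post_connect(events, enforce):
    """Post-admission control: flag traffic outside the role policy.
    Monitoring mode (enforce=False) only alerts; enforcement mode revokes."""
    actions = []
    for e in events:
        allowed = ROLE_PORTS.get(e["role"], set())
        if e["dst_port"] not in allowed:
            action = "revoke" if enforce else "alert"
            actions.append((e["user"], action,
                            "port %d outside policy for role %s" % (e["dst_port"], e["role"])))
    return actions
```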

Auditing and reporting
The need to have a centralised dashboard-type reporting tool is a critical one in the world of NAC. Additionally, such functionality is increasingly required for compliance with external regulation. NAC authentication allows identity-linked traffic analysis and comprehensive logging. This provides real accountability and detailed forensic information in the event of an incident.