NAC 2.0: A new model for a more secure future
NAC’s functions belong on the endpoint. We need to move beyond today’s situation, in which organizations struggle to turn NAC into a working security framework. Just how bad is it? We found that 40% of enterprises surveyed had begun NAC deployments, but only 4% had actually finished.
Most of those that do finish are turning to solutions built around network hardware: appliances, Ethernet switches, routers, and VPN gateways. We believe this is the wrong approach.
NAC 1.0 and why it failed
Organizations are increasingly turning to network access control technologies to better protect their networks and data. However, many first-generation “NAC 1.0” solutions were built on an inherently flawed model that failed to respect the expertise and ownership of the different groups in an organization. NAC 1.0 was also unable to react quickly enough to rapidly evolving threats, or to support the needs of an increasingly mobile workforce.
NAC 1.0 – fundamentally disconnected
NAC 1.0 suffered a disconnect in perceived ownership, with a struggle for control between the two key teams, each of which brought a distinct perspective:
The network team’s perspective – guest access. The network team interpreted “network access control” as meaning a way to control or block unauthorized access to the network.
The desktop team’s perspective – managed endpoint computers. The desktop team saw “network access control” as meaning a way to control or ensure the security and productivity of users’ computers.
NAC 1.0 – focusing on blocking guests
Guest access was an easy target for many early NAC 1.0 products. Access for guests was generally seen as a luxury rather than a business necessity, and was often needed only in specific locations such as conference rooms. In addition, guests usually have no formal relationship with the business and are not present in any of the organization’s identity management systems, such as Microsoft Active Directory. It was fairly simple for point-solution appliances to block guests’ computers until they could be made compliant with the organization’s security policies.
However, this NAC 1.0 focus on meeting the network team’s goal of controlling guest access missed a far greater problem for an organization’s security: the much higher likelihood of devastating data loss from a misconfigured managed endpoint computer. With a few exceptions, such as higher education, the sheer number of managed endpoint computers gives them a much larger attack surface, and therefore makes them the greater risk.
NAC 1.0 – lacking agility
First-generation NAC solutions failed to recognize that the threat environment is constantly changing, with new threats and vulnerabilities appearing every day. Anti-malware vendors release a steady stream of updates to detect and clean new threats, and operating system and application vendors issue security patches daily.
Many NAC products could not easily be updated to track these releases. When an anti-malware vendor shipped a new update or a new version, the administrator often had to update the assessment rules by hand. For new operating system patches, administrators typically had to enter a new, complex set of registry entries for each patch on each operating system, if the NAC tool supported patch assessment at all. The effort required to keep rules current meant that NAC assessment lagged far behind the real dangers facing organizations.
Early mistakes
Intrusion Prevention Systems
Some early NAC products were built on Intrusion Prevention Systems (IPS) that looked for anomalous network behavior. These were useful when threats were mostly worms with identifiable network signatures. Many of today’s threats generate no identifiable network anomaly at all, so a behavior-based IPS has nothing to detect and they pass unseen.
Network appliances
Some NAC vendors chose to deliver their solutions as network appliances. This was a choice made for the vendors’ convenience, not their customers’ needs: by delivering an appliance, a vendor could limit its testing to a small set of predetermined platforms. The convenience is deceptive. Networks often had to be redesigned to insert the appliance, funneling all traffic through a choke point and affecting performance and reliability. NAC appliances also lack deep assessment capabilities and good scalability, and have no means to protect computers when they are not connected to the network.
Network equipment
Network vendors are typically interested in upgrading switching and routing gear with the latest features. They have no real presence on the endpoint, so attempts to control network access with network equipment alone were unsuccessful: they offered weak assessment and little or no policy management. Network-based NAC also ignored remote and roaming users, although ironically NAC has its roots in host integrity checking for exactly those users.
NAC Frameworks
The original NAC Frameworks, such as Microsoft Network Access Protection (NAP), Cisco Network Admission Control (NAC), and the Trusted Computing Group’s Trusted Network Connect (TNC), offered basic interoperation standards and little more. They provided some plumbing but left organizations to do the work of fitting it all together; policy management, updating, and audit were left out of the equation.
There was also a critical flaw in the NAC Frameworks’ reliance on a “trust” model: self-policing by the very applications that may have gone wrong. They required anti-malware software to report its own status, even though a failure in that software might be the very reason a computer was unprotected. Furthermore, unwanted and unauthorized software, such as spyware or peer-to-peer applications, cannot be expected to report its status to a NAC Framework at all, which breaks the trust model.
The future of NAC
The new model for NAC, or “NAC 2.0”, that is now emerging takes into account the shortfalls of earlier approaches and aims to solve real business problems. It acknowledges and embraces the functional roles and division of responsibilities found in today’s organizations, supports the business goals of different groups and endeavors to meet the rapidly changing requirements of today’s dynamic threat environment.
NAC 2.0 – embracing functional roles
NAC 2.0 has operational impact on three teams in the IT organization. NAC 1.0’s focus on answering the network team’s needs is matched by a real commitment to the needs of the desktop team, and a new ability to encompass the requirements of the security team.
Network team
As discussed earlier, the network team is where many NAC solutions were originally embraced, and it seemed natural for this team to be the primary owner of “network” access control, although in reality NAC is about more than just the network. This team includes the experts on:
Switching
Virtual (VLAN) management
Routing
IP address management.
The network team is responsible for ensuring network availability and performance. It does not typically have any responsibility for endpoint assessment and remediation, and it does not care about the configuration of any particular endpoint computer. Its only concern regarding the endpoint is to supply the appropriate level of service based on the computer’s role and compliance state.
NAC and the network team
The network team needs NAC to keep unknown or unsafe computers from impacting network security, availability, and performance.
NAC needs the network team to manage the switch fabric for enforcement (VLANs, access control lists) based on compliance state.
Desktop team
The desktop team is concerned with managed computers and all aspects of their configuration – even when they are not connected to the network, for example, while roaming.
The team drives the requirements for assessment of endpoint configuration, remediation of any misconfiguration, and patching and updating, including:
Selection, management, and updating of anti-malware software and the desktop firewall
Desktop patch management
Implementation of best practices for secure configuration.
NAC and the desktop team
The desktop team needs NAC as a tool to eliminate configuration drift on the computers under its control regardless of network location.
NAC needs the desktop team to define ideal configurations and remediation mechanisms.
Security team
The security team is focused on regulatory compliance and audit. Although it does not have day-to-day operational responsibility for desktops and the network, it sets the standards for compliance throughout the organization. Some requirements are imposed by legislation and government regulators, such as HIPAA (USA) and PIPEDA (Canada); others come from standards such as BS 7799/ISO 27002 (UK/international) and from recognized industry bodies such as the Center for Internet Security (CIS Benchmarks) and the Payment Card Industry (PCI DSS).
In addition to its already formidable responsibility for risk management, the security team is responsible for:
Determining which standards are applicable in their organization
Auditing the environment against those standards
Showing proof of standards compliance.
NAC and the security team
The security team needs NAC to minimize the risk from non-compliant, unknown, and unsafe computers and to provide comprehensive reporting and audit.
NAC needs the security team to define standards for regulatory compliance and security best practices.
NAC 2.0 – focusing on business goals
Unlike one-size-fits-all NAC solutions, NAC 2.0 recognizes that businesses have different goals for employees, contractors, and guests, and, when properly implemented, focuses on the requirements for each group.
Business goals for employees
Enable – not block – access to the network and applications
Enhance productivity, security and compliance.
Business goals for formal visitors, such as contractors, partners, and consultants
Assess the level of risk posed by the unmanaged computers of these visitors.
Provide restricted access appropriate to the authorization and level of risk.
Business goals for informal guests and unknown computers
Require proof of authorization
Block network access unless authorized.
Many NAC project failures have been a result of too great a vendor focus on the network enforcement mechanisms, and not enough on the practical prioritization of achievable business benefits against each distinct use case. Successful NAC deployments have in common the primary objective of enabling safe access to appropriate resources by authorized people – and not an objective of blocking users from the network. In other words, NAC 2.0 focuses on enabling rather than blocking access.
NAC 2.0 – providing dynamic flexibility
IT departments now have a much richer context in which to make decisions about authorizing access to company resources. In determining the appropriate level of access, they can go beyond simple user identity and role and consider machine identity, access location, access method, time of access, device security posture and state, emerging threats, and the responses available. The resulting authorization policies depend on increasingly rapid, real-time information about security updates. Deciding whether a computer is fully patched requires up-to-date knowledge of the security patches available. Knowing whether a guest computer’s anti-malware protection is current means the system must not only know about the company’s own chosen anti-virus product, but also track what threat detection updates each anti-virus vendor has published. Knowledge of emerging threats and available responses is key to making authorization decisions, so NAC needs the native capability to supply this critical stream of information.
Today’s best endpoint NAC solutions are evolving to enable effective management and control of access authorization by providing two distinct sets of capabilities:
Network enforcement mechanisms that provide an entry gate onto the network, along with the ability to restrict access using dynamic VLAN and/or ACL assignments, delivered (unlike the special-purpose appliances of NAC 1.0) as a commodity capability of standard network switching platforms.
A centralized policy management platform for directing assessment, remediation, access control, reporting, audit, and alerting, covering all required use cases and combined with rich native assessment and remediation capabilities.
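The context-driven authorization described above, and the per-group goals from the “focusing on business goals” section (enable employees, restrict formal visitors according to risk, block unauthorized guests), reduced to working code as an added example. This is not code from the article or from Sophos. It assesses a constructed endpoint record against a constructed vendor signature feed, chooses an enforcement profile, and renders it as the RADIUS attributes a switch consumes for dynamic VLAN and ACL assignment. The VLAN numbers, ACL names, three-day staleness threshold, guest locations and sample endpoints are assumptions for illustration.

```python
"""Posture-aware access authorization: endpoint context in, enforcement
profile (dynamic VLAN plus ACL) out, rendered as RADIUS attributes."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed stand-in for the vendor update feed the text says NAC must
# track natively: the latest signature release published by each vendor.
LATEST_SIGNATURES = {"VendorA": date(2009, 11, 2), "VendorB": date(2009, 11, 1)}
# Assumed policy: signatures more than this many days behind the vendor's latest are stale.
MAX_SIGNATURE_LAG_DAYS = 3
# Assumed: locations where informal guests are expected (the text cites conference rooms).
GUEST_LOCATIONS = {"conference_room", "lobby"}
# Hypothetical VLAN numbers and ACL names; the real ones are whatever the
# network team has defined in the switch fabric.
PROFILES = {
    "full": (10, "acl-corp"),
    "restricted": (20, "acl-partner"),
    "remediation": (30, "acl-remediation"),
    "internet_only": (40, "acl-internet-only"),
    "blocked": (999, "acl-deny-all"),
}


@dataclass
class Endpoint:
    user_class: str                    # "employee", "contractor" or "guest"
    av_vendor: Optional[str]           # None when no anti-malware is reported
    av_signature_date: Optional[date]  # signature set the endpoint reports
    missing_critical_patches: int
    location: str                      # "campus", "vpn", "conference_room", ...
    guest_authorized: bool = False     # sponsor proof for informal guests


@dataclass
class Decision:
    access: str
    vlan: int
    acl: str
    reasons: list = field(default_factory=list)


def assess_posture(ep: Endpoint) -> list:
    """Return the failed posture checks; an empty list means compliant."""
    failures = []
    if ep.av_vendor is None or ep.av_signature_date is None:
        failures.append("no anti-malware reported")
    elif ep.av_vendor not in LATEST_SIGNATURES:
        failures.append(f"unknown anti-malware vendor {ep.av_vendor}")
    else:
        lag = (LATEST_SIGNATURES[ep.av_vendor] - ep.av_signature_date).days
        if lag > MAX_SIGNATURE_LAG_DAYS:
            failures.append(f"anti-malware signatures {lag} days behind vendor")
    if ep.missing_critical_patches > 0:
        failures.append(f"{ep.missing_critical_patches} critical patches missing")
    return failures


def authorize(ep: Endpoint) -> Decision:
    """Employees are enabled, never blocked: a non-compliant managed computer
    goes to remediation. Formal visitors get access scaled to their risk.
    Informal guests must prove authorization or are blocked."""
    reasons = []
    if ep.user_class == "employee":
        reasons = assess_posture(ep)
        access = "full" if not reasons else "remediation"
    elif ep.user_class == "contractor":
        reasons = assess_posture(ep)
        access = "restricted" if not reasons else "internet_only"
    elif ep.user_class == "guest" and ep.guest_authorized and ep.location in GUEST_LOCATIONS:
        access = "internet_only"
    else:
        access = "blocked"
        reasons = ["no proof of authorization for this user class at this location"]
    vlan, acl = PROFILES[access]
    return Decision(access, vlan, acl, reasons)


def radius_attributes(d: Decision) -> dict:
    """RADIUS attributes a switch consumes for dynamic VLAN assignment (RFC 3580:
    Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6), Tunnel-Private-Group-ID)
    and for ACL selection (RFC 2865 Filter-Id)."""
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-ID": str(d.vlan), "Filter-Id": d.acl}


# Constructed sample endpoints covering each use case from the text.
SAMPLES = {
    "employee_ok": Endpoint("employee", "VendorA", date(2009, 11, 1), 0, "campus"),
    "employee_drifted": Endpoint("employee", "VendorA", date(2009, 10, 20), 2, "vpn"),
    "contractor_ok": Endpoint("contractor", "VendorB", date(2009, 11, 1), 0, "campus"),
    "contractor_unknown_av": Endpoint("contractor", "VendorZ", date(2009, 11, 1), 0, "campus"),
    "guest_sponsored": Endpoint("guest", None, None, 0, "conference_room", guest_authorized=True),
    "guest_unknown": Endpoint("guest", None, None, 0, "campus"),
}


def sample_decisions() -> dict:
    """Authorize every constructed sample; returns name -> Decision."""
    return {name: authorize(ep) for name, ep in SAMPLES.items()}


if __name__ == "__main__":
    for name, d in sample_decisions().items():
        print(f"{name:22} -> {d.access:13} {radius_attributes(d)} {d.reasons}")
```

Two design choices follow from the text. Signature currency is judged against what the vendor has actually published, not against the endpoint’s own idea of “up to date”, which is the native threat-feed knowledge the paragraph above calls for. Guests are not posture-assessed at all: an unknown computer cannot be trusted to self-report (the trust-model flaw described under NAC Frameworks), so the only inputs that matter for it are proof of authorization and location.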
NAC 2.0 – protecting beyond security
Regulatory compliance, industry best practices, and IT governance are the new set of drivers behind the evolution and adoption of NAC. NAC as a tool for security, productivity, and compliance leads to better endpoint and network governance. NAC 2.0 will finally enable organizations to get control of their systems – in spite of a rapidly evolving threat environment and the changing nature of the network perimeter.
Summary
Network access control is a valuable new technology for protecting an organization’s assets from risk. Learning from the flaws of earlier solutions, NAC is now evolving into NAC 2.0, a more mature set of integrated technologies that embraces the multiple functional roles in the organization, focuses on solving real business problems, and supports a dynamic environment. NAC 2.0 is the future of network access control.
This article was provided by Sophos and is reproduced here with their full permission. Sophos provides data protection products including security software, encryption software, anti-virus, and anti-malware protection. Article Source: http://www.articlesbase.com/security-articles/nac-20-a-new-model-for-a-more-secure-future-1579991.html