
IT Network Security: Another Vision of the NAC (I)

User access control has been a source of confusion throughout the last five years of technology. The industry has focused on controlling which users, and which devices, gain access to corporate networks.

by Osvaldo Callegari*


Today the number of mobile devices far exceeds that of desktop computers, and they are increasingly integrated into corporate networks.

With this rapid growth in mobile devices, the challenge facing IT managers has grown exponentially.


NAC (network access control) emerged as a new class of technology responding to the needs of IT infrastructures, which are by nature very volatile. The central question is: how can I secure an increasingly fluid connectivity environment?

The benefit of access management with NAC is straightforward: the security posture of every device is checked when it connects to the network, and monitoring continues throughout the session to ensure that the device remains compliant. If a policy is violated mid-session, the violation is caught rather than only at connection time.

When a device is inspected, its entire configuration is analyzed before access permissions to the different areas of the network are granted. An employee's device and a guest's device are identified unambiguously.

A standard corporate network is anything but uniform: there are countless entry points that are not always easy to control or monitor. This makes the design of a protection technique complex and, most of the time, impractical, largely because of human nature.

That is why we analyzed a case study from the network security company Forescout.

This company uses three functional criteria that allow NAC to operate in complex and diverse real-world networks.

The criteria are:
1. Detection and interrogation of endpoints


2. Policy creation and enforcement actions: Is it easy to create policies? What level of granularity is needed for effective device inspection and enforcement? Do the enforcement actions disrupt the network or its users?

These are some of the questions that must be considered to ensure that the NAC solution effectively provides granular levels of access control without disrupting network operations.

3. Implementation and integration: To maximize the benefits of a NAC solution, it must be integrated seamlessly into the network infrastructure without disrupting it. Multiple implementation approaches must therefore be considered to determine the potential impact and level of disruption each will have on the overall infrastructure. Another determining factor is the ability of a NAC system to leverage the existing investment in network infrastructure and equipment without costly upgrades or network downtime.

Before network security policies can be enforced, every connecting device must be detected.

In addition, several types of inspection mechanisms must be considered so that every detected and identified endpoint can be interrogated as thoroughly as possible at minimum management cost.

One of the most critical aspects of access control is detecting the devices that connect and ensuring that they conform to the network's security policies.


The question remains: how do you control access in a complex network where not all entry points are easy to define, or are even known?

A number of methodologies have been introduced to address this central challenge of NAC. There is no golden rule for choosing among the different forms of detection, but a key decision point emerges in the discussion: should detection depend on the device being known in advance, that is, previously registered at the endpoint?

Prior knowledge of a device implies that some type of agent must be installed and present on the endpoint before it connects; the agent identifies the device and provides some level of diagnostic output about the system to the NAC.



Agent vs. Agentless NAC
Software agents have become a fairly common element of a typical device configuration as part of corporate security policy. It is not unusual to have several agents providing a variety of assessment functions; this is a positive way to defend an individual system against spyware or viruses, or to enable a configurable VPN connection.

Agents can gain detailed knowledge of the system on which they reside. Access to the system registry and file structure gives a deep understanding of installed applications, active processes and a multitude of other configuration details, producing a "health" assessment of the system before access is allowed.

At the endpoint, the software client identifies the computer as a managed user device and initiates a new inspection.

Conceptually this is a good story: the agent gathers in-depth information about the system's compliance and delivers that record to the NAC system at connection time.
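To make the agent's side of this concrete, here is an added example (not Forescout's code, nor any vendor's agent) of the kind of posture check an endpoint agent performs and reports at connection time. The snapshots are constructed sample data, and the baseline thresholds, application names and failure codes are assumptions made for the example, not a published policy.

```python
"""Agent-side posture assessment. Added illustration of the check an endpoint
agent runs before the NAC grants access; not Forescout's or any vendor's agent.
Snapshots are constructed sample data; baseline values are assumptions."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Snapshot:
    """What an agent can read locally: OS build, security software state,
    running processes and the installed-application list (from a package
    database or, on Windows, the registry)."""
    hostname: str
    os_build: int
    av_running: bool
    av_definitions: date
    disk_encrypted: bool
    processes: set = field(default_factory=set)
    installed_apps: dict = field(default_factory=dict)  # name -> version


@dataclass
class Baseline:
    """Assumed corporate baseline the agent's report is measured against."""
    min_os_build: int
    max_definition_age_days: int
    require_disk_encryption: bool
    forbidden_processes: set
    required_apps: set


# Failure codes the NAC can fix by redirecting the user to self-remediation;
# anything else keeps the device in quarantine until an administrator acts.
REMEDIABLE = {"av_stale", "missing_app"}


def assess_posture(snap, base, today):
    """Return (status, failures); failures is a list of (code, detail)."""
    failures = []
    if snap.os_build < base.min_os_build:
        failures.append(("os_build", f"build {snap.os_build} below {base.min_os_build}"))
    if not snap.av_running:
        failures.append(("av_stopped", "antivirus engine not running"))
    age = (today - snap.av_definitions).days
    if age > base.max_definition_age_days:
        failures.append(("av_stale", f"definitions are {age} days old"))
    if base.require_disk_encryption and not snap.disk_encrypted:
        failures.append(("no_encryption", "system disk not encrypted"))
    for proc in sorted(snap.processes & base.forbidden_processes):
        failures.append(("forbidden_process", proc))
    for app in sorted(base.required_apps - set(snap.installed_apps)):
        failures.append(("missing_app", app))
    return ("compliant" if not failures else "non-compliant", failures)


def posture_action(failures):
    """Map the assessment to the NAC's action at connection time."""
    if not failures:
        return "allow"
    if all(code in REMEDIABLE for code, _ in failures):
        return "remediate"  # e.g. push the user to an update portal
    return "quarantine"


# Constructed sample data (assumed build numbers, dates and application names).
BASELINE = Baseline(min_os_build=22621, max_definition_age_days=7,
                    require_disk_encryption=True,
                    forbidden_processes={"nc.exe", "tor.exe"},
                    required_apps={"EDR Agent"})
TODAY = date(2024, 3, 15)

HEALTHY = Snapshot("lt-0412", 22631, True, date(2024, 3, 14), True,
                   {"explorer.exe", "svchost.exe"},
                   {"EDR Agent": "7.2", "VPN Client": "4.1"})
STALE_AV = Snapshot("lt-0517", 22631, True, date(2024, 3, 1), True,
                    {"explorer.exe"}, {"EDR Agent": "7.2"})
COMPROMISED = Snapshot("lt-0099", 19045, True, date(2024, 2, 20), False,
                       {"explorer.exe", "nc.exe"}, {"VPN Client": "4.1"})

if __name__ == "__main__":
    for snap in (HEALTHY, STALE_AV, COMPROMISED):
        status, failures = assess_posture(snap, BASELINE, TODAY)
        print(snap.hostname, status, posture_action(failures), failures)
```

The point of separating `assess_posture` from `posture_action` is the one the article makes next: the agent can only report on machines it runs on, so the decision logic has to cope with a report that never arrives, which is the unmanaged-device case.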

However, the NAC system becomes virtually useless when unmanaged devices, which carry no agent or client license, are introduced into the network. Any device without an agent installed is either denied access to the network or, at the other extreme, allowed full access with no control at the endpoint.

Unmanaged systems are just one of the many daunting challenges faced by agent-based NAC systems, which also require a client license on every managed endpoint and introduce a significant management burden when the NAC solution is implemented.

While an agent-based approach may work in a small network with a limited number of endpoints, agent-based NAC systems also pose additional challenges because of operating system compatibility issues.

Most NAC solutions support the latest versions of Windows and possibly some Macintosh devices, but anything beyond that becomes problematic. The problem is even more critical when you consider the other kinds of IP-based devices that connect to the network and for which an agent is simply not an option (printers, VoIP phones, MES systems, medical devices, etc.).

Because a client cannot be deployed on these devices, they become potential vulnerabilities that go undetected and are therefore not protected by the NAC system.

There is, however, a variant in this discussion. Some NAC systems offer a dissolvable agent, which is temporarily downloaded and installed on the endpoint and removed once the device leaves the network. This approach may ease some of the IT management burden of dealing with unmanaged devices and offers a partial solution for assessing and admitting the devices of external contractors.

Agentless NAC
Agentless NAC systems provide a number of advantages over agent-based solutions, especially in terms of the scope and scalability of network protection, reduced manual IT management, and less disruption to network services.

Scalability
Since no software agent has to be installed or downloaded to the endpoint, the scalability of a clientless NAC system is virtually unlimited. Other factors may determine how well the NAC performs, but the number of devices that can be controlled with this methodology is not bounded by how many clients you can deploy and maintain.

Another clear advantage of a clientless NAC system is that network administrators do not need to educate end users.

NAC, in the field
Clientless device detection: A large hospital, under pressure to meet regulatory requirements, urgently needed an accurate count of all devices on its network: desktops and laptops, peripherals, and also EKG, CT and ultrasound machines.

Within hours of deploying ForeScout's NAC system, network administrators had a complete inventory of all IP-based devices on the hospital's network. With every device detected and identified, administrators quickly defined and implemented a set of network-wide access policies and could see all connection parameters in full.

NAC System Management
Agentless NAC systems significantly reduce the amount of management required to enforce network security policies. Since there are virtually no interoperability issues with connecting devices, IT management can focus on the most critical business issues.

By design, a clientless system must cover all IP-based devices while incorporating policy enforcement, thus providing wider coverage of the network. When a policy violation is discovered (for example, the NAC system detects an unauthorized wireless access point), IT management is informed immediately and can respond effectively to the threat or vulnerability.

Meanwhile, the most routine problems are handled automatically by the NAC system (for example, if antivirus definitions are out of date, the user is redirected to self-remediation).

Certain groups get their own handling: contractors, for example, who connect sporadically, are confined to low-risk profiles on the network.
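The hospital case and the three enforcement examples above (rogue access point, stale antivirus, contractor profile) describe one loop: detect every IP device, classify it from the evidence the network itself provides, apply a policy, and keep re-evaluating during the session. The following is an added example of that loop, not Forescout's implementation or any product's code. The OUI prefixes, VLAN numbers, port signatures, device records and session events are all constructed for the example; a real deployment would draw on the IEEE OUI registry, DHCP and traffic fingerprints, and the switch's own MAC tables.

```python
"""Agentless NAC: detect, classify, enforce, then keep re-evaluating during the
session. Added illustration, not Forescout's implementation. OUI prefixes, VLAN
numbers, device records and session events are constructed for the example."""
from dataclasses import dataclass, field

# Constructed OUI-to-class table (placeholder prefixes, not real vendor OUIs).
OUI_CLASS = {
    "00:11:22": "printer",
    "00:33:44": "voip-phone",
    "00:55:66": "medical-device",
    "00:77:88": "wireless-ap",
}
APPROVED_APS = {"00:77:88:00:00:01"}  # assumed inventory of sanctioned APs
VLAN = {"corporate": 10, "remediation": 20, "guest": 30, "printers": 40,
        "voice": 50, "medical": 60, "quarantine": 999}


@dataclass
class Device:
    """What the NAC learns without an agent: switch and DHCP data plus a scan.
    'posture' is filled in by a later agentless inspection; 'unknown' until then."""
    mac: str
    ip: str
    switch_port: str
    dhcp_vendor_class: str = ""
    open_ports: set = field(default_factory=set)
    macs_behind_port: int = 1   # distinct MACs the switch sees on this port
    owner: str = "unknown"      # "employee", "contractor" or "unknown"
    posture: str = "unknown"    # "compliant", "stale_av" or "unknown"


def classify(d):
    """Derive a device class from passive evidence, most decisive first."""
    if d.macs_behind_port > 1:
        return "wireless-ap"    # several stations behind one drop: something is bridging
    cls = OUI_CLASS.get(d.mac[:8].lower())
    if cls:
        return cls
    if 9100 in d.open_ports:
        return "printer"        # raw-print service with an unknown OUI
    if 5060 in d.open_ports:
        return "voip-phone"
    if d.dhcp_vendor_class.startswith("MSFT") and d.owner == "employee":
        return "managed-endpoint"
    if d.owner == "contractor":
        return "contractor-endpoint"
    return "unknown"


def access_decision(d):
    """Return (action, vlan, reason) for the device's current state."""
    cls = classify(d)
    if cls == "wireless-ap":
        if d.mac.lower() in APPROVED_APS:
            return ("allow", VLAN["corporate"], "sanctioned access point")
        return ("block", None, "unauthorized access point on %s: alert IT" % d.switch_port)
    if cls == "printer":
        return ("allow", VLAN["printers"], "printer VLAN, no agent required")
    if cls == "voip-phone":
        return ("allow", VLAN["voice"], "voice VLAN, no agent required")
    if cls == "medical-device":
        return ("allow", VLAN["medical"], "isolated clinical VLAN")
    if cls == "managed-endpoint":
        if d.posture == "compliant":
            return ("allow", VLAN["corporate"], "compliant employee device")
        if d.posture == "stale_av":
            return ("remediate", VLAN["remediation"], "redirect user to self-remediation")
        return ("quarantine", VLAN["quarantine"], "posture not yet verified")
    if cls == "contractor-endpoint":
        return ("allow", VLAN["guest"], "contractor: low-risk profile")
    return ("quarantine", VLAN["quarantine"], "unclassified device")


def on_session_event(d, event):
    """Re-run the decision when the monitoring feed reports a change on an
    already-admitted device; this is the 'constant monitoring' part."""
    kind, value = event
    if kind == "new_mac_behind_port":
        d.macs_behind_port = value
    elif kind == "port_opened":
        d.open_ports.add(value)
    elif kind == "posture":
        d.posture = value
    return access_decision(d)


def sample_devices():
    """Constructed inventory as the detection phase would produce it."""
    return {
        "printer": Device("00:11:22:aa:bb:01", "10.0.40.7", "Gi1/0/3", open_ports={9100, 80}),
        "laptop": Device("3c:aa:bb:cc:dd:01", "10.0.10.21", "Gi1/0/4",
                         dhcp_vendor_class="MSFT 5.0", owner="employee", posture="stale_av"),
        "contractor": Device("3c:aa:bb:cc:dd:02", "10.0.30.5", "Gi1/0/5",
                             dhcp_vendor_class="MSFT 5.0", owner="contractor"),
        "rogue_ap": Device("00:77:88:00:00:09", "10.0.10.250", "Gi1/0/6"),
        "mystery": Device("de:ad:be:ef:00:01", "10.0.10.77", "Gi1/0/7", open_ports={23}),
    }


if __name__ == "__main__":
    devices = sample_devices()
    for name, dev in devices.items():
        print(name, access_decision(dev))
    # A consumer AP is later plugged into the printer's drop: three MACs appear.
    print("printer after event", on_session_event(devices["printer"], ("new_mac_behind_port", 3)))
```

Two design points worth noting. The most decisive evidence (several MACs behind one access port) is tested before the OUI, so a sanctioned printer's port that suddenly shows three stations is treated as a bridging device and blocked, even though the OUI still says "printer". And every decision is re-derived from the device's current state rather than cached, which is what lets the same function serve both the admission check and the mid-session re-evaluation the article describes.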

A NAC solution makes it possible to ensure that every device connected to the network complies with the security policies. Those policies vary from company to company, and this is ultimately the biggest challenge: the quality, speed and accuracy of each company's rules.

Perhaps one of the biggest challenges in implementing a NAC solution is determining what policies should be implemented and what measures should be taken to enforce them.

In the next installment we will continue with another view of network access control, focusing on device detection.

We can infer that network security is conditioned mainly by human failures, compounded by bureaucratic processes, which makes it necessary to create new processes in pursuit of data security.

* To contact the author, write to [email protected]

** Product and company names are registered trademarks of their respective companies.
 

 
