The Lippis Report Issue 59: Cisco’s Network Access Control Troubles
May 30, 2006 by Nick Lippis
Cisco's network security program has been a huge success. Its self-defending network ad campaign has won advertising awards, and deservedly so, since the ads communicate in the simplest terms the power a network has to secure an IT environment. Cisco's trusted network investments are as huge as its wins. It is number one in market share and revenue for worldwide firewall/VPN security appliances and for network intrusion detection and prevention, according to IDC. Cisco clearly has the thought leadership and the prowess to organize a market segment around its security technology, as its Network Admission Control (NAC) program has demonstrated. But for all of Cisco's success, NAC remains elusive to most organizations. Why? Because it is too complex and extremely costly.
Network Admission Control: A Primer
While anti-virus (AV) software is a first line of defense against exploits propagating through a network, it is not foolproof: most AV software is signature-based and so cannot block zero-day attacks. Also, in most if not all enterprises, both trusted and non-trusted end-points request access to IT resources over local, wide-area and wireless access networks. Network Admission Control (NAC) provides a defensive solution to validate end-points, deliver a second level of defense, and protect IT assets from end-points the enterprise cannot control or that do not have AV installed.
Controlling admission to the network, and containing exploits if and when they break through defenses, is the job of embedded network security services. In a NAC environment, end-points requesting access to IT resources are assessed based upon their posture. If their posture does not conform to a set of policies defined by the IT department, they are quarantined into a safe VLAN until they are in compliance. The network may offer a pop-up menu instructing the user on how to bring his or her system into compliance. Once the end-point is in compliance, the user may access IT resources based upon the corporate rules and policies programmed into the back-end policy server(s).
Pre- and post-admission controls offer IT departments important tools to control who can access the LAN and what resources on the LAN those users can reach. Gone are the days when every employee plugged into the network and was offered universal access to all IT assets. Full access control not only controls admission to the LAN but also controls access to all networked resources. As part of this post-admission control, users can be assigned quality of service and placed into a stratified set of network services. For guest users, where IT departments do not have control over client software, controlling network access offers a checkpoint to assess the guest's posture, monitor for exploits, and apply policy such as permitting access only to the Internet.
NAC authenticates users and assesses the security posture of the end-point before it is allowed onto the LAN. This check is very important from a security and control point of view. NAC is distance-independent, meaning end-points from any location must first have their posture assessed before they are allowed access.
Building upon NAC is NIC, or Network Incident Control. In addition to controlling network access, controlling the propagation of exploits, i.e., incident containment, is the second most important embedded network security service. The network collects security posture information and raises alarms based upon anomalous behavior. Once alarmed, the network has the ability to contain the exploit by shutting down ports, flows, VLANs, etc. NIC sounds great, but most CSOs and CIOs say it will take a long time before they are comfortable with schemes like NIC and are willing to turn on the auto-pilot and let the network defend itself.
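A toy policy engine for the admission flow just described (posture check, quarantine VLAN with remediation instructions, guest VLAN with Internet-only access, then role-based post-admission access), added here as an illustration and not taken from Cisco or any vendor product. The VLAN numbers, posture fields, rule text and the user/role directory are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed VLAN numbers for illustration: production, quarantine (remediation only), guest.
PRODUCTION_VLAN, QUARANTINE_VLAN, GUEST_VLAN = 10, 99, 98

# Constructed identity store: user -> role, and role -> resources reachable post-admission.
USER_ROLES = {"alice": "finance", "bob": "engineering"}
ROLE_RESOURCES = {
    "finance": ["erp", "fileshare", "internet"],
    "engineering": ["source-control", "fileshare", "internet"],
}

@dataclass
class Posture:
    """What the end-point's trust agent reports; user is None when no agent answers (guest)."""
    user: Optional[str]
    av_installed: bool = False
    av_signature_age_days: int = 999
    patches_current: bool = False
    personal_firewall: bool = False

@dataclass
class Decision:
    vlan: int
    resources: List[str]                                  # reachable after admission
    remediation: List[str] = field(default_factory=list)  # shown to the user when quarantined

# IT-defined pre-admission rules: (instruction shown to the user, predicate that must hold).
POSTURE_RULES: List[tuple] = [
    ("Install anti-virus software", lambda p: p.av_installed),
    ("Update AV signatures (must be less than 7 days old)", lambda p: p.av_signature_age_days < 7),
    ("Apply pending OS patches", lambda p: p.patches_current),
    ("Enable the personal firewall", lambda p: p.personal_firewall),
]

def admit(posture: Posture) -> Decision:
    """Pre-admission posture check followed by post-admission, role-based access."""
    if posture.user is None:
        # Guest: IT cannot control the client software, so no posture check is possible.
        # Admit to the guest VLAN with Internet-only access and monitor from there.
        return Decision(GUEST_VLAN, ["internet"])
    failed = [text for text, rule in POSTURE_RULES if not rule(posture)]
    if failed:
        # Non-compliant: quarantine until remediated; only the remediation server is reachable.
        return Decision(QUARANTINE_VLAN, ["remediation-server"], failed)
    # Compliant: production VLAN, resources limited to what the user's role permits.
    role = USER_ROLES.get(posture.user, "guest")
    return Decision(PRODUCTION_VLAN, ROLE_RESOURCES.get(role, ["internet"]))
```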
NAC's Woes
The concepts of NAC and NIC are simple to explain but very difficult to implement, especially NIC. Enterprises want the ability to provide admittance control, but they are taking a wait-and-see approach to buying Cisco's. There are few large installations of NAC due to its high complexity and its high acquisition and operational cost. One firm recently purchased a new network infrastructure of Catalyst switches and Cisco routers and spent some $600K doing so. To implement Cisco's NAC across this environment would require an additional $500K of acquisition cost and the deployment of some 80 appliances across the network. The thought of managing 80 appliances was enough to scare the heck out of the IT organization. NAC technology glitches are also being reported, such as NAC appliances dropping network ports when switching from a data to a voice VLAN.
NAC Implementation is Daunting
Consider what it takes to add NAC to a LAN environment. First, switches need to be upgraded for 802.1x access authentication, if it is not currently supported. Then client software such as Cisco Trust Agent or Cisco Security Agent is installed on all trusted end-points. Then authentication-failure and guest VLANs need to be configured and implemented, and security appliances and modules such as a captive portal, firewall blade, clean access quarantine server, NAC policy server and NAC PE agent on routers and switches are added. Adding IP telephony to this environment requires adding voice VLANs and QoS upgrades to switches and routers. Adding WLANs to this environment requires the addition of appliances or modules such as location servers, wireless IDS, a WLAN blade and a SUP 720.
Alternative Admission Control Strategies
The barriers to entry for Cisco's NAC are high, as outlined above. But Cisco has done an excellent job educating the market and creating demand. In short, enterprises want admission control now. So many are looking at network admission control approaches from start-up firms such as ConSentry Networks and Lockdown Networks, as well as from Nortel, ProCurve Networking by HP, 3Com, Foundry Networks and Extreme Networks.
ConSentry Networks
ConSentry, which won best of show at Interop in Las Vegas in May 2006, offers its LANShield Controller appliances, called CS1000 and CS2400, for low- and high-density deployments respectively. The ConSentry Controllers provide NAC end-point authentication and posture check; visibility, including incident- and exception-based information at Layer 7+ tied to user identity; role-based provisioning for user access control; and threat control to block propagation of exploits, including zero-day attacks. In addition to the Controller, ConSentry recently announced its LANShield Switch, which combines the same per-user, per-application controls with integrated switching, eliminating the need for a second platform for customers who are upgrading their switches.
To manage post-admission access, ConSentry offers its InSight command center, which provides IT with incident-based per-user, per-flow information plus templates to easily create and distribute policies for role-based access and exploit control. The ConSentry platforms work with existing identity stores, such as Active Directory and RADIUS, to tie all traffic back to the user and learn user roles to apply access policies. ConSentry will also work with the Microsoft NAP initiative and the Trusted Computing Group's TNC specification as they become available. The key to ConSentry's pre- and post-admission control capabilities is its LANShield silicon: a 128-core processor and two programmable ASICs that provide secure traffic processing at 10 Gbps speeds. This custom silicon ensures that securing the LAN won't slow it down.
Lockdown Networks
Lockdown Networks offers its Enforcer NAC appliance, which authenticates end-points and users, then audits sessions either on-schedule or on-demand to ensure conformance with IT and security policies. The Lockdown Enforcer employs policy-based access control to deny access to, or quarantine, end-points that do not conform to IT administrator-defined rules. In addition to the Enforcer appliance there is the Lockdown Auditor, a policy manager used to configure IT access rules.
Lockdown Networks' primary products are its Enforcer appliance, which integrates authentication, assessment, enforcement and remediation for network end-points and provides policy-based access control, interfacing with a wide range of switch and access point vendors to automatically grant access or quarantine end-points based on conformance to policy rules; its Auditor, which checks end-point conformance both on-schedule and on-demand; its Commander software, a centralized policy manager and reporting engine used to configure and manage the Enforcer and Auditor; and its Sentry and AuditPoint products, which deliver NAC services at reduced price points to remote offices.
The above two start-ups are simplifying NAC configuration and deployment and have packaged NAC services into an appliance, which significantly reduces the barrier to entry for network admission control. Larger network infrastructure players such as ProCurve Networking by HP, Extreme Networks, Foundry Networks, Nortel et al. are leveraging the Trusted Network Connect work, which provides a standardized way to deliver NAC.
Cisco will get NAC right eventually. It usually takes Cisco one or two business cycles to incorporate customer feedback into engineering to correct its mistakes. In the meantime, Cisco has educated the market for its competitors, an odd place for Cisco to be.