Lippis Report Issue 64: The Road to Network Admission Control
Aug 8, 2006 by Nick Lippis
In Lippis Report Issue 59 I discussed difficulties associated with implementing network admission control, or NAC. There are two approaches to NAC deployment: infrastructure-based or appliance-based. Many are finding that implementing NAC first with appliances is a more manageable approach that delivers solid value today and allows them to prepare for an infrastructure-based NAC deployment tomorrow. Microsoft plans to offer yet another approach to network security with NAP, or Network Access Protection, which will be built into Microsoft Windows Vista and the Windows Server code name "Longhorn" operating systems. While neither architecture is fully available, Microsoft has been successful in extending the sales cycle for infrastructure-based NAC deployments. With infrastructure-based NAC being complex and expensive and Microsoft's NAP on the horizon, many CIOs/CSOs are embracing the appliance approach to network security as a strategy to build defenses now while buying time for the two big players to demonstrate their full network security architectures.
For Cisco and Microsoft, network security has been the first front in the increasing battle between these two giants, with unified communications being the newest battle line (see Lippis Report Issue 63). Microsoft has been effective in extending Cisco's sales cycle by pre-announcing architectures, which forces CIOs/CSOs to hold off spending, as these business decision makers place high credibility on Microsoft's ability to deliver over time. CIOs/CSOs are waiting to understand how interoperability between desktops, servers and the network security architecture will work. In the network security space, Microsoft's long-awaited NAP, coupled with a relatively quiet period of high-visibility exploits, has contributed to a hold-out on infrastructure-based NAC spending.
But while Microsoft has said that Vista will be available in January, some of my clients who are testing Vista have little faith that January will come with a Vista shipment. And even though we have been blessed with a quiet period, with no high-visibility exploits wreaking havoc or embarrassing big brands, CIOs/CSOs can't wait to build defenses: regulatory requirements, business continuity planning and plain good business sense compel building defenses to protect company assets. So what do you do? Microsoft's NAP will not be ready until a year from now, Cisco's infrastructure-based NAC is high cost, and there is no guidance as to how or if NAC and NAP will interoperate. The answer: appliance-based NAC.
In Lippis Report Issue 59 we explored NAC appliances from ConSentry Networks and Lockdown Networks. Cisco's CCA, or Cisco Clean Access, also known as the NAC appliance, is an integral part of the Cisco NAC initiative, lowering the cost and complexity of admission control. Cisco acquired CCA from Perfigo and has found great success in the educational marketplace, where separation of student and administration IT resources is paramount to defending these institutions from the propagation of exploits. With the dynamics mentioned above, Cisco is finding significant CCA success with enterprise accounts too, in a wide range of industry segments and applications. There are three distinct network security deployment scenarios unfolding.
Scenario One: Defend and Learn
In the defend and learn scenario, IT staff are deploying the NAC appliance for specific applications such as guest and remote access, two of the largest uses for NAC services today. Many organizations have not defined an access policy and are surprised after they deploy a NAC appliance when they find out who is accessing their networks and why. In short, the defend and learn scenario offers a first step in gaining experience defining policy and visibility into network use. In fact, after deploying the NAC appliance many firms find there is a huge difference between the actual posture of devices on their networks and their preconceived notion of policy. Thus, many end up using the NAC appliance to gain network security and policy development experience. These IT executives, depending on the scale of their enterprise, may choose to loosely couple the NAC appliance with NAC infrastructure and proceed primarily with appliance-based NAC. It seems that the smaller a network operation is, the looser the coupling between NAC appliance and NAC infrastructure.
Scenario Two: Appliance First, Business Process Second
In Scenario Two, IT executives are deploying the NAC appliance in small parts of their business where they obtain a strong return, prior to extending NAC across their broader business processes. The key difference between Scenario One and Scenario Two is that there is active planning to build upon the NAC appliance experience and leverage it into a wider and deeper defensive infrastructure-based NAC strategy linked to securing business processes. In short, these IT executives have bought into the value of NAC and are using the NAC appliance to buy time for industry dynamics to settle down and products to mature. These firms understand that a broad-based NAC infrastructure deployment will be a multi-year endeavor and they want to start now.
Scenario Three: NAC and NAP Hold Outs
The hold-out scenario is dominated by large companies that have significant Microsoft and Cisco investments. Infrastructure-based NAC deployments are put on hold as these executives seek to optimize their IT investments by leveraging both NAP and NAC. For this scenario, as in Scenario Two above, the NAC appliance offers both experience and time for IT staff to develop a deployment strategy. These IT executives are involved in a series of lab trials to understand the differences and similarities of NAC and NAP so they can best plan for deployment.
Just as there is competition for Cisco's CCA from ConSentry, LockDown et al., there is also competition for infrastructure-based NAC implementations from ProCurve Networking by HP's ProActive Defense offering, Nortel's Secure Network Access (NSNA), Juniper's Unified Access Control and 3Com's Secure Converged Networking. For those installed bases, there are good solutions that do not require an appliance. But for many the focus is on Microsoft and Cisco. For the Cisco installed base, all roads to network access control start with a NAC appliance, and for good reason.
Organizational Realities
Network security has traditionally been an overlay strategy: install firewall, IDS/IPS, NBAD, IPsec, SSL and similar appliances to create layers of defense. This is a model that security operations budgets for and knows how to implement. The NAC appliance strategy fits well into this organizational framework. In short, security operations are deploying NAC appliances now to protect corporate assets and learn policy definition while access protection technology matures. NAP has its supporters among those who control desktops and servers, while network design teams favor both infrastructure and appliance versions of NAC. The NAC appliance allows these groups to sort out responsibilities and the functional differences between NAC and NAP.
Getting Started
Running the NAC appliance in informational mode first, to gain visibility into who is on the network and the posture of their devices, is a great way to get started. Informational mode provides a network security baseline and vulnerability assessment. While NAC appliances do not automate mitigation, baselining is an important first step toward a security posture assessment.
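The following is an added example, not code from the Lippis Report or from any NAC vendor, of how the informational-mode baseline can be used before enforcement is switched on: a draft access policy is evaluated against posture records observed in monitor-only mode, so the gap between policy and device reality is visible before anyone is actually denied. The record fields, the role names and the policy layout are assumptions made for illustration; the sample records are constructed.

```python
# Added example (not from the Lippis Report): evaluate a draft access policy
# against posture records collected while a NAC appliance runs in
# informational (monitor-only) mode, before enabling enforcement.
# Record fields, roles and policy layout are assumptions for illustration.
from collections import Counter

# Constructed sample of what informational mode might report per endpoint.
OBSERVED = [
    {"mac": "00:11:22:33:44:01", "user": "alice", "role": "employee",
     "av_current": True, "patched": True},
    {"mac": "00:11:22:33:44:02", "user": "bob", "role": "employee",
     "av_current": False, "patched": True},
    {"mac": "00:11:22:33:44:03", "user": "guest-17", "role": "guest",
     "av_current": False, "patched": False},
    {"mac": "00:11:22:33:44:04", "user": None, "role": "unknown",
     "av_current": False, "patched": False},
]

# Draft policy: the posture checks enforcement mode would require per role.
POLICY = {
    "employee": {"av_current": True, "patched": True},
    "guest": {},   # guests land in a segmented VLAN; no posture checks applied
}

def evaluate(record, policy=POLICY):
    """Return the decision this record would receive under enforcement."""
    rules = policy.get(record["role"])
    if rules is None:
        return "deny"          # unknown role or unauthenticated device
    failed = [k for k, want in rules.items() if record.get(k) != want]
    return "remediate" if failed else "allow"

def baseline(records, policy=POLICY):
    """Per-device decisions plus a summary of how many fall in each bucket."""
    decisions = {r["mac"]: evaluate(r, policy) for r in records}
    return decisions, Counter(decisions.values())

if __name__ == "__main__":
    decisions, summary = baseline(OBSERVED)
    for mac, decision in decisions.items():
        print(mac, decision)
    print(dict(summary))
```

Re-running the baseline after each policy revision shows how much of the current population would be quarantined or denied, which is the figure to get down to an acceptable level before leaving informational mode.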
Beyond informational mode, remote access is an application where the NAC appliance offers value by enabling one network to be shared among a mixed user community while providing privacy, segmentation, stratification and, of course, security. For example, Nevada's Clark County has implemented a NAC appliance to separate users such as those from the state supreme court, the DA's office, local court systems, etc. Guest access is another NAC appliance application where a mixed user community with variable access privileges shares a common network.
The NAC appliance has become a viable way of solving access problems across multiple industry sectors such as manufacturing, finance and high tech. The remote access application is especially popular in retail, such as banks and large national retail chain stores.
Appliance and Network Infrastructure Inter-working
All NAC appliances provide end-point posture assessment, enforcement and policy definition. What will be key over the next business cycle is the inter-working between NAC appliances and network infrastructure. Here Cisco clearly has an edge. NAC appliances and infrastructure-based NAC will inter-work over time; however, there is currently little to no distribution of functionality between appliances and network gear. Look toward the IETF to develop a standard messaging protocol for network access control.
One can speculate that Cisco will over time offer CCA as a blade in Catalyst switches, along with the sharing of information and enforcement between CCA and infrastructure-based NAC. But alas, today CCA is a self-contained appliance that does not rely upon other Cisco equipment to assess posture, enforce policy or remediate threats. Cisco's LAN switching focus is on developing support services for both the NAC framework and the NAC appliance, such as 802.1X and LPIP (LAN port IP) support. Cisco also promises to ensure the proper 802.1X supplicant environment is available both via MeetingHouse and Vista/Longhorn.
Protecting Investments
There is clarity on the client portion of NAC and NAP. An 802.1X supplicant has won on the client and will be a common denominator across most IT security concerns. Microsoft has embraced 802.1X as part of NAP, as has Cisco as part of NAC with its recent $47M acquisition of MeetingHouse. The ProCurve group, Nortel, Juniper's Odyssey Access Client, et al., also support 802.1X supplicants paired with RADIUS servers for network access authentication. The difference between suppliers is that some firms bundle the RADIUS server with their NAC appliance, while others can work with a range of RADIUS servers providing authentication before network access.
While 802.1X has been available for some time without much use, Microsoft's NAP should change this. Pushing configuration settings down to end-points has been the main problem with 802.1X, and thus security and network ops have passed on its use. NAP promises to ease the administrative burden for 802.1X supplicants and, in the process, provide common client software for both wired and wireless end-points.
The Road Ahead
To move forward in network security, I suggest being prepared to implement 802.1X supplicants on end-points and starting your access control implementation with a NAC appliance. Independent of which of the above scenarios best suits your company and IT staff, a NAC appliance is the best starting point to build access defenses while your IT staff assess security posture and learn how to define policy that supports business processes.