Lippis Report Issue 79: The New Role of IPS & NBAD for Internal NAC-based Security

Mar 26, 2007

Available as a podcast.

Intrusion Prevention Systems (IPS), once thought of as a way to mitigate risk from external threats, are now being turned inside out: they monitor internal traffic as part of a post-NAC (Network Access Control) security strategy. It's not just IPS; Network Behavior Anomaly Detection (NBAD) devices are also looking for a role in the post-NAC compliance market. This new role for IPS and NBAD devices within an overall NAC architecture is part of a growing trend in the network security market, which is changing significantly as companies modify their security platforms to add functionality, compete and gain share in the emerging NAC market.

IPS firms such as TippingPoint and NBAD firms such as Lancope are attempting to use these security platforms as the center of a NAC strategy. Now there are many security operations (SecOps) executives who believe that NAC is simply an authentication-based access control mechanism rather than an overall, comprehensive approach to securing internal networks and IT assets. I find this thinking odd. Many SecOps executives compare NAC with 802.1x while missing the fact that NAC is an architecture: it includes end-point posture compliance and VLAN management, and it interfaces with identity management, Security Information Management, Intrusion Prevention Systems, Network Behavior Anomaly Detection, firewalls and policy management to provide intra-company threat defense.

So there is a gap in the market. SecOps, the buyers, think of NAC as a one-function device, while the vendor community is selling a NAC architecture that delivers a spectrum of security services. This gap will be closed over time as the vendor community simplifies NAC architecture. In short, the gap has to be closed or NAC will either not survive or be relegated to a few simple security functions. So what is a NAC architecture, and what does it do?

Networking and IT vendors are addressing NAC as an internal threat defense architecture consisting of four basic components:

1) Alarm aggregation and correlation to sift through large sums of alert data and turn it into actionable events or incidents identifying risk

2) Identity management to ensure that users and devices are authorized to access IT resources and assist in forensics through identifying IP address and users

3) Network access control to manage admittance to IT resources most commonly through VLAN management

4) Policy management which issues privileges and access rights

Consider the national vehicle transportation system, i.e., the policing of roads and the registration of vehicles and drivers. It offers an example of how the above four components work together as a system.

Every vehicle has a VIN, or vehicle identification number, which uniquely identifies the vehicle, much like a MAC and IP address identify a computer. The vehicle is registered with an agency, usually the registry of motor vehicles, which issues a certificate of registration and license plates that identify the vehicle and owner pair plus their origin. The driver, upon passing a test, is issued a driver's license, which identifies the driver and his/her associated privileges, i.e., number of axles permitted to drive, type of vehicle the driver is allowed to operate, etc. The vehicle is issued an inspection sticker, which identifies a vehicle's "posture" or compliance with regulations.

Assume this vehicle is pulled over by the police. Law enforcement first uses the license plate number, registration and driver's license to assess the privileges associated with the driver and then checks the vehicle's posture by analyzing the inspection sticker to ensure it complies with law. In short, the certificates are checked for their authenticity and the driving records associated with them. All this information is sent to and referenced against a database, which law enforcement uses to assess the level of threat posed by the driver. An outdated driver's license could result in the loss of driving privileges. An old inspection sticker will result in a fine and the possible revocation of rights until the vehicle is in compliance. Too many speeding tickets and driving privileges may be suspended or revoked. A driver who behaves oddly and cannot walk a straight line is taken off the road immediately.

The driver's license, car VIN and license plates are used to identify the user and machine. Police and citizens send alerts and alarms to a central station where alerts are aggregated and correlated and responses are made. For example, a police station may send an ambulance in the case of a major accident, a helicopter for trauma, the fire department if a vehicle is ablaze, reinforcements, etc. The driver's license record and the number of violations, or lack thereof, is in essence a signature of the type of threat the driver may pose. A driver who drives erratically and, when pulled over, has difficulty talking coherently exhibits a behavior that allows enforcement to assess another type of threat. The combination of posture, behavior and identity dictates access to the roads.

In the above example, the police central station is the alarm aggregation and correlation function. Identity management is the review of the driver's license, car VIN and license plates. The inspection sticker review and its associated consequences are network access control and the associated policy management. Police and citizens assess behavior, while police are the enforcement agent. We'll use this analogy shortly.

Now there is no doubt that Cisco has the most comprehensive NAC architecture and strategy, but it is complex. So it has re-invigorated its Clean Access Server (CAS) NAC appliance, allowing customers to get used to setting NAC policy and compliance rules while Cisco works on simplifying its NAC infrastructure. There are many NAC appliance vendors, such as ConSentry Networks, StillSecure, InfoExpress, Bradford Networks, Vernier Networks, ForeScout Technologies, LockDown Networks, Caymas Systems, Innerwall, Inc., Juniper, Nortel, Trend and others. Besides Cisco, the two NAC appliance companies that I see most often winning deals are ConSentry Networks and StillSecure. Many of these vendors bundle all four NAC architecture components into their NAC appliance or provide interfaces and partner relationships with others to deliver a comprehensive solution. But others are approaching the NAC market from a different perspective, which brings me back to IPS and NBAD. There are many firms participating in the IPS and NBAD markets, but I'll use two to make my point.

TippingPoint:

TippingPoint is an IPS provider acquired by 3Com in early 2005. It gained its credibility and market share selling IPS solutions and has been very successful in selling its IPS products as one of the first firms to offer intrusion prevention rather than intrusion detection. The TippingPoint IPS product line is extensive, with nine products ranging in capacity and number of simultaneous segments supported. It is finding solid success with its X505/X506 IPSs, which combine IPS, IPSec VPN, stateful packet inspection firewall, Web content filtering and policy-based traffic shaping, targeted at remote branch offices and medium-sized businesses. Many customers find that the new X506 is an easy-to-administer device, offering seamless integration with their network, easy testing of URL blocking and easy investigation of why a site may be blocked. Auto-updates are seamless, and it's a stable device even in beta stages and testing. TippingPoint support is very good, as customers tend to experience a "set-it-and-forget-it" operation.

It is estimated that TippingPoint has sold some 40,000 units over the years, which has propelled it to the top three in IPS suppliers from a market share perspective. As of May 2006, TippingPoint was ranked third in market share behind ISS/IBM and Cisco, according to Gartner.

On February 5th, 2007, TippingPoint announced a NAC strategy and product line as an extension of its IPS offerings. Its NAC products, which are shipping now in North America, include:

TippingPoint NAC Policy Server: Enables central management of all admission and access control policies.

TippingPoint NAC Policy Enforcer: Provides access controls dynamically set by the TippingPoint NAC Policy Server. The inline policy enforcer appliance features include transparency to L3 networks, 10/100/1000 Mb/s ports, VLAN trunking and HTTP redirection.

TippingPoint NAC Services Server: Extends authentication, enforcement, and compliancy options of the TippingPoint NAC Policy Server.

TippingPoint NAC Client: Collects posture information for end-point assessment.

IPS has been designed to defend enterprises primarily from external threats. Inward-looking IPS is a new concept, but not a stretch for those who are familiar with the technology and with TippingPoint.

In short, the IPS will act as a post-NAC compliance monitor, analyzing internal flows in search of exploit signatures, vulnerabilities and protocol, behavioral and statistical anomalies. Once an exploit is identified within a flow, the TippingPoint enforcer will block traffic via 802.1x, DHCP or the IPS. TippingPoint forgoes the traditional alarm aggregation and correlation functions of network security, relying instead upon its Threat Suppression Engine (TSE) technology, which is at the heart of its IPS products. TippingPoint's NAC solution is an extension of its IPS technology, which results in significant shortcomings.

In the national vehicle transportation example, TippingPoint's IPS would be a speed trap equipped with a police officer to enforce the offense. Once the driver is pulled over and analyzed, the police, like the IPS, can take mitigating action. But just like a speed trap, this strategy works well to police and enforce policy on a road, but not across an entire town, county, state or nation.

Lancope:

Lancope is focused on the NBAD market as a best-of-breed NBAD vendor. Lancope has strategic partnerships and alliances with a few firms, including TippingPoint, ArcSight and Foundry Networks. Its primary value proposition is the unification of network and security operations, delivering value to both groups based upon data gathered, analyzed and reported by its StealthWatch product line.

The Lancope product suite consists of:

Three StealthWatch flow collector appliances which gather either sFlow or NetFlow data

StealthWatch IDentity-1000 appliance, which provides linkage between individual users and specific network events

StealthWatch Management Console (SMC) manages, coordinates and configures StealthWatch appliances and collectors to correlate security and network intelligence from StealthWatch components deployed at segments throughout the enterprise. The management console delivers real-time insight into network behavior and segments this data into views and reports for both network and security teams.

Lancope has made a significant move toward unifying network and security operations through its StealthWatch v5.6 release. Using sFlow and NetFlow data from Cisco, Foundry, Extreme, ProCurve and Juniper routers and switches, StealthWatch's unified flow-analysis system combines behavior-based anomaly detection with traffic reporting and network optimization data. StealthWatch monitors all connected devices that touch an sFlow or NetFlow device within an enterprise's internal network, delivering broad visibility. Lancope's value to security operations is rooted in its ability to provide alarms and alerts on worm activity, covert communications channels, policy violations, protocol behavior anomalies, etc.

Lancope relies upon its NBAD engine to monitor traffic for anomalous post-NAC behavior, similar to how TippingPoint extends its IPS to a NAC environment. Referring back to the national vehicle transportation example, Lancope's StealthWatch would be a set of traffic lights or tollbooths equipped with motion detectors, which are activated when a vehicle passes through above the speed limit, triggering an event. That event is reported to a central station, where the vehicle's photo is analyzed for car and driver identification, which results in a citation. StealthWatch collects sFlow and NetFlow traffic, which gives it a broad network view, but it has no mitigation function of its own. StealthWatch does offer mitigation integration, but through partners such as Cisco PIX firewalls, Check Point firewalls, Cisco routers, TippingPoint's IPS, ArcSight's Network Response Manager and Foundry's IronView Network Manager (INM). StealthWatch is similar to a neighborhood crime watch organization, where neighbors monitor bad or criminal behavior and, when it occurs, report events and incidents to the local police.

Both Lancope and TippingPoint, and many others, utilize their products and architectures to monitor network traffic and generate alarms, reports and graphical representations of data. Many firms are utilizing their existing platforms to build a NAC solution. Most NBAD and IPS firms will position their NBAD or IPS as a post-NAC monitor of network traffic to increase their view and data collection capabilities. In fact, in January 2007, TippingPoint and Lancope announced a capability whereby the two products can quarantine end-points in violation of network policies as well as automate end-point remediation. StealthWatch can send commands to a TippingPoint IPS for quarantine and policy enforcement. TippingPoint and Lancope need each other, as an IPS cannot see flows that do not pass through it. To increase network coverage, we'll see acquisitions and partnering between NBAD, IPS and SIM players over the next 18 months as IT security firms seek to offer a broad NAC solution for enterprise customers.
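To make the division of labor concrete, here is an added example (not code from Lancope, TippingPoint or this report) that runs the four NAC components listed earlier over the kind of flow data the NBAD passage describes: an NBAD-style fan-out check over constructed NetFlow-like records, an identity lookup mapping the offending IP to a user, aggregation of alarms into one incident per host, and a policy decision the enforcer would act on. The flow records, the IP-to-user table and the fan-out threshold are all constructed for illustration.

```python
from collections import defaultdict

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, bytes).
# Host 10.0.5.23 fans out to 25 peers on TCP/445 (worm-like behavior);
# the other two hosts show ordinary traffic. All values are made up.
FLOWS = [("10.0.5.23", f"10.0.5.{n}", 445, 120) for n in range(30, 55)] + [
    ("10.0.5.10", "10.0.1.5", 443, 9800),
    ("10.0.5.10", "10.0.1.6", 443, 4100),
    ("10.0.5.11", "10.0.1.5", 443, 2300),
]

# Constructed identity linkage (IP -> user), the role the text gives to the
# identity appliance: an incident names a person, not just an address.
IDENTITY = {"10.0.5.23": "jdoe", "10.0.5.10": "asmith", "10.0.5.11": "bwong"}

# Policy threshold (assumed): more than this many distinct destinations
# on one port from one source is anomalous.
FANOUT_LIMIT = 10

def detect_fanout(flows, limit=FANOUT_LIMIT):
    """NBAD-style check: count distinct destinations per (src, dport)."""
    peers = defaultdict(set)
    for src, dst, dport, _ in flows:
        peers[(src, dport)].add(dst)
    return [{"src": src, "dport": dport, "peers": len(dsts)}
            for (src, dport), dsts in peers.items() if len(dsts) > limit]

def correlate(alarms, identity):
    """Aggregation/correlation: one incident per source host, user attached."""
    incidents = {}
    for alarm in alarms:
        inc = incidents.setdefault(alarm["src"], {
            "src": alarm["src"],
            "user": identity.get(alarm["src"], "unknown"),
            "alarms": []})
        inc["alarms"].append(alarm)
    return list(incidents.values())

def decide(incident, limit=FANOUT_LIMIT):
    """Policy management: quarantine only on a strong signal (2x limit),
    otherwise just keep monitoring. The enforcer would apply this verdict."""
    worst = max(a["peers"] for a in incident["alarms"])
    return "quarantine" if worst >= 2 * limit else "monitor"

def run(flows=FLOWS, identity=IDENTITY):
    """Whole pipeline: returns (host, user, action) for each incident."""
    return [(i["src"], i["user"], decide(i))
            for i in correlate(detect_fanout(flows), identity)]

if __name__ == "__main__":
    for host, user, action in run():
        print(f"{action}: host {host} (user {user})")
```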

The security functions of alarm aggregation/correlation, identity management, NAC and policy management are in the process of being re-packaged and/or automated to simplify internal threat defense and mitigation. NAC is not simply an authentication approach but an architecture that is driving systemic change in the vendor security offerings and both SecOps and NetOps roles and responsibilities. April and May will be big months for NAC as a few vendors launch new products that re-define how most of the industry will think about NAC.

Now, a post-NAC compliance architecture that monitored all internal network traffic, identified incidents, provided switch port mitigation for those incidents and reported who and what caused each incident would be very similar to something like... well, like the national vehicle transportation system.
