Special Edition Lippis Report on Network Security Issue 3: Scaling NAC to Campus LANs
In this Lippis Report we offer an update to Network Access Control (NAC). The NAC market is at a pivotal point, as a key piece of technology that offers a third mode of operation is about to enter the market. This third mode, based upon authentication and distribution of NAC functions across existing appliances and network infrastructure will enable NAC to scale across an enterprise from its early deployments of guest, wireless and remote access to headquarter and campus LAN environments. We offer a view of how the NAC market is progressing and detail this distribution of NAC functions and enabling mode of operation which will allow business and IT leaders to build strong defenses in one of their most critical IT assets, the campus LAN.
Scaling NAC to Campus LANs
University of Pisa develops trail-blazing approach for cost effective compliance and protection of large city campus networks
Network Access Control (NAC) has gone through the typical cycle of new IT technologies. When a new IT technology is first introduced industry analysts and press are euphoric over its potential to solve a hard problem. This euphoria is replaced by disillusionment when the speed of deployment is much slower than first anticipated, usually due to implementation difficulties and/or feature deficits. After a period of disillusionment IT suppliers fix problems and repackage solutions while analysts and press set the right expectations for buyers. IT buyers, armed with a realistic view of the IT technology, start to implement en mass. This is what I call the reality phase.
NAC is now at the reality phase with many industry observers believing that over the next two years (2008 to 2010) there will be aggressive NAC deployments. For example, IDC estimates that LAN-based NAC shipments over a 7-year period will grow at a Compound Annual Growth Rate (CAGR) of 45% with 2007-9 being peak years. Infonetics predicts a 68% CAGR over the next 5 years, while Gartner is very bullish with a +100% year over year projection. The size of the NAC market is difficult to predict as it varies widely depending upon what is counted. For example, do you count the Ethernet switch for network-based enforcement? Some may count Microsoft 2008 Windows Server as part of NAC equipment as well. So the overall NAC market is on the order of a few billion dollars with NAC appliances sized in the hundreds of millions of dollars range. With high CAGRs and large market size, NAC is shaping up to be a very explosive market fueled with high-octane growth.
Food Manufacturer Extends Its Workplace with Secure Remote Access
It took some time for NAC to get to this point and there had to be an industry shake up with Lockdown Networks closing its doors, ConSentry Networks changing executive management a few times, Cisco focusing on its NAC appliance offering and the linking between NAC and Microsoft's NAP. 2008 is the launch year for NAC as there are substantial and improved solutions being introduced. For example, Microsoft recently released their NAP product, which builds their solution into an overall infrastructure offering. Cisco is doing the same by unifying its NAC infrastructure and appliance portfolio, which combines both together with what is called the "œNAC portfolio unification".
Utility Overhauls Network Defenses to Boost Control and Visibility
NAC deployments will accelerate this year because IT leaders are being offered comprehensive offerings and options as they move forward with their developments. With system wide access control solutions available, IT and business leaders are now looking at a bigger picture. They are asking how they can use NAC not only as a single point solution, but also as part of their overall security strategy and infrastructure. Clearly most firms have two main IT layers. Microsoft's represents the desktop and end-point layer while Cisco is the dominant infrastructure layer. These two layers represent big portions of most enterprise IT budgets. It's no wonder that most dollars spent on NAC and NAP will flow to these two firms. Case in point, NAC solutions are transitioning from point appliance and use solutions to a comprehensive system approach offering greater defense across more use scenarios.
What is driving NAC deployments? Well it's a few things: the need for identity-based access control, to enforce end-point policy requirements, to configure guest and unmanaged users and compliance reporting. Most NAC deployments start with VPN, wireless and guest access moving onto remote offices and the campus LAN. NAC was first deployed in areas that had high security concerns, wireless access, guest access and protecting campus LANs from remote users. Many start-up concerns focused on these opportunities with the result being that NAC is deployed around campus and headquarter facilities. With NAC surrounding campus LANs and with comprehensive system solutions, NAC is now ready to be deployed within campus LANs to provide both inside and outside access control.
What NAC Provides
Boosting Business Development with Citywide Wireless Access
NAC provides a level of control around users and devices based upon access policy. NAC, governed by access policy, verifies who the users are and what kind of devices they bring to the network. To accomplish this, a complete NAC solution should cover the following four functional areas:
Authentication plus Authorization: This function enforces authorization policies and privileges and supports multiple user roles such as guest, accountant, consultant, board member, assistant, etc.
Scanning plus Evaluation: This function provides an agent scan for required versions of hot-fixes, anti-virus, et al. In addition to device scans, network scans for virus and worm infections plus port vulnerabilities are included here.
Quarantine plus Enforcement: This important function isolates non-compliant devices from the rest of the network by either MAC or IP-based quarantine, effective at a per-user level.
Updating plus Remediation: This function provides network-based tools for vulnerability and threat remediation plus help-desk integration.
Cisco Network Admission Control and Microsoft Network Access Protection Interoperability Architecture
Most of the established NAC vendors have all four functional areas covered, with some providers stronger in one area or another. Some of the smaller NAC appliances focus on one or two of the above functional components. For example, Lockdown Networks, who recently wound down their operations, was strong in Authentication and Authorization plus Quarantine but was weak in Scanning plus Evaluation and Update and Remediation. When Microsoft finally brought NAP to market, Lockdown's value proposition became too weak to sustain its operations and it was forced to shut down. ConSentry is similar but they also provide network-based enforcement via their own Ethernet switches and controllers, which has proved to be a good approach for them thus far. They need a good scanning and remediation engine, however. There are many NAC providers such as HP ProCurve with their NAC appliance sourced from StillSecure, Counter ACT from ForeScout Technologies, Dynamic NAC Suite from InfoExpress, EasyNAC from NetClarity, EdgeWall from Vernier Networks, Juniper's Unified Access Control, Nortel's Secure Network Access and many others. Here we focus on Cisco due to its size and efforts.
Cisco's NAC Portfolio
Cisco defined and created the NAC market and it now has some 3,000 NAC customers. Cisco started with an infrastructure-based approach and subsequently added the appliance-based approach. Cisco and the market are now at a point where they are ready to combine the two sides together with what is called the "œNAC portfolio unification". NAC portfolio unification is designed to take the appliance-based focus and infrastructure-based focus and make the best out of both worlds.
Cisco's NAC components are organized into three categories:
Policy: The policy component is the largest category, including its NAC Manager, which delivers centralized management, configuration, reporting and policy store. The NAC Server is tasked with posture assessment and enforcement. Its Ruleset updates provide scheduled automatic rulesets for anti-virus, Microsoft hot-fixed, etc. More on Ruleset updates below. The NAC Profiler profiles unmanaged devices and applies policy based upon device type. The NAC Guest Server is a full-featured guest provisioning server.
Optional End-point Client: Cisco offers a NAC Agent that is either persistent, meaning that it is permanent on the end-point or dissolvable, meaning that it dissolves after access is granted. It also offers a web agent and 802.1x Supplicant. There is no client cost for these end-points. Another optional end-point component from Cisco is its Cisco Security Agent (CSA). CSA is a desktop application similar to either McAfee or Symantec, but it uses a different algorithm to mitigate threats. Instead of relying on the static threat signature-based approach, CSA uses a behavioral approach. It monitors the user and the system behavior to determine what mitigation actions should be taken.
Communications: This is an important component as it provides network enforcement in routing and switching infrastructure and access policy for 802.1X termination and identity-based access control. Providing the latter is Cisco's Access Control Server (ACS). Look for more from Cisco in this area during 2008.
A few highlights on the above product portfolio. While Cisco delivers on the above-mentioned four capabilities through its product set, it's particularly strong in quarantine and remediation plus policy configuration and management. Cisco's remediation is strong due to automated threat update signatures and remediation enforcement support thanks to its Ruleset Update service. There are two points here.
First, automated threat Ruleset Updates are built into the Cisco NAC appliance. When IT deploys a Cisco NAC appliance, it periodically contacts Cisco, automatically pulling threat updates directly from a Cisco database which is updated every few hours. Cisco NAC Manager downloads the Ruleset Updates from Cisco as it provides new vulnerability signatures, Microsoft updates, hot-fixes, etc., off-loading this task from the IT organization.
Second, Cisco offers built-in enforcement support. The Cisco database supports policies for over 350 applications including Microsoft hot-fixes, nearly all anti-virus vendors, and others. When IT accesses Cisco NAC Manager, they are presented with a comprehensive list of security updates. If IT wishes to enforce any item on the list, all they need to do is point and click and the applications are updated during remediation. This process stands out in the industry as the best remediation engine available.
Its NAC manager allows IT to create and manage policies, an ability that also rises above other NAC providers. Role-based access is defined in the NAC policy manager. Cisco can easily place users into multiple groups depending on their initial job function, different network segments or both for example. Single sign-on is particularly nice too. When a user attempts to enter the network, they can perform a Windows logon and network/NAC sign-on at the same time as one process, independent of their access media, be it VPN, wireless, wired, etc.
Cisco NAC Profiler and Guest Server
The NAC Profiler and NAC Guest Server are optional components to a Cisco NAC solution. Cisco NAC Guest Server is a dedicated guest server where IT provides initiation configuration policy; then individual business units can tailor their guest or contractor access to their particular needs, which is very efficient. Cisco NAC Guest Server works with either Cisco NAC Appliance or Cisco wireless LAN controllers to manage the lifecycle of guest access, including account provisioning, user notification, access management and reporting.
The Cisco NAC Profiler identifies all end-point devices on the network including printers, scanners, network devices, all end-points and mobile devices. Profiling all of these devices manually, assigning the policy and maintaining this is unrealistic and needed to be automated, which is what NAC profiler does. NAC Profiler combines end-point recognition technology with Cisco NAC to automatically profile and identify all end-point devices and create a policy to dynamically provide access, such as a printer category.
Linking NAC Appliance and Infrastructure: A New Mode of Deployment Needed
To link NAC appliances with NAC infrastructure a more scalable deployment option is needed. For example, Cisco NAC appliance supports two deployment options today. One is called in-band and the other is out-of-band. In-band mode is when the Cisco NAC Server is always in the data path. Its benefits are that it's easy to deploy with highly reliable enforcement, as there are no other dependencies for enforcement. Out-of-band is when Cisco NAC Server is used to control initial authentication and posture checking. Once a device's posture passes conformance, data does not have to pass through Cisco NAC Server. Enforcement is provided by another entity. For most IT leaders, the choice between in-band/out-of-band is based upon the size of deployment. If it's a simple and small-scale deployment, in-band is the better choice. If it's large and a more extended infrastructure, then out-of-band is best for scale.
But to leverage network infrastructure and NAC appliances a new mode of deployment is needed. This new deployment option provides user authentication and device posture compliance status. To process user authentication, 802.1X is the standard approach which should be used. For device posture and end-point security policy compliance status would be the responsibility of a NAC Server. Combining NAC Server for assessing device posture and a Radius server system for 802.1x authentication, a third deployment option that glues together NAC appliances and NAC infrastructure is enabled. This provides a scalable way to deploy NAC and 802.1X authentication in large campus LAN environments. End-points would be authenticated via an 802.1x server, then posture assessed via NAC Server and have enforcement of policy by routing and switching infrastructure while providing a transparent experience to the end user.
This third deployment option will be available in 2008 and will contribute to the spike many expect in NAC deployments. NAC deployments around VPN, guest access, wireless, etc will be linked together so that NAC not only surrounds a corporation but is mitigating threats within the campus too.