Perimeter protection is not enough. Will a network access control standard make the grade or do we need to look at something that is already here?
The Blaster worm in late 2003 highlighted the fact that perimeter protection is not enough - the internal network is vulnerable. This birthed the concept of network access control (NAC). Its purpose: to control who and what gets access to networked resources, assisting with the very real problem of keeping malware from entering the enterprise - not just at Internet and WAN boundaries, but at local points of connection within the LAN. The primary challenge, however, is that NAC technologies are immature. SSL VPNs, meanwhile, are proving effective.
Numerous approaches and combinations of components are used to achieve the primary three NAC functions: client audit or inspection, policy derivation and policy enforcement. Gaps in coverage, convoluted integration requirements, inadequate inspection capabilities and weak policy management are just a handful of the more significant issues that confront organisations eager to 'NAC-ify' their networks.
Leading vendors such as Cisco, IBM, HP and Microsoft have each originated security concepts and methodologies intended to ensure access control. So far, three initiatives have emerged: Cisco Systems' Network Admission Control (NAC), Microsoft's Network Access Protection (NAP) and the Trusted Computing Group's (TCG) Trusted Network Connect (TNC).
Each has unique drawbacks, however. For full coverage, Cisco's NAC system requires that organisations use Cisco hardware, an expensive option if you have already invested in other equipment. Microsoft, on the other hand, promotes the use of the Vista OS on end points and Longhorn on the server. Vista is brand new and Longhorn has yet to be released.
In addition to the NAC technology issues, security management and policy development can prove difficult. The complexity of NAC requires coordination between network administrators, who must keep the network up and functioning; desktop support managers, who must ensure that basic antivirus technology etc. is installed; and security officers, who create policy. Given their diverging interests, such coordination is rare. Another common problem is that internal network design is usually unrestricted and undocumented. Organisations thus do not know what traffic is where on their network and cannot develop a security policy that can be effectively implemented. In addition, where companies have bought into specific security products, complexity often drives them to implement only basic functionality in favour of ensuring maximum uptime.
In contrast, by virtue of their in-depth access control capabilities, SSL VPNs - the actual progenitors of the NAC concept and technology - provide an efficient and effective dose of NAC where it is needed most and with far fewer complications. Essentially, they offer organisations the opportunity to ease their way into broader and more complex NAC initiatives.
Furthermore, it is expected that today's SSL VPN technology will remain a valid component of future enterprise-wide NAC implementations - if not also play an instrumental role in NAC's eventual maturation.
SSL VPN benefits
Traditional remote access technologies required that organisations either install complicated and expensive dial-up infrastructures, or deploy IPSec-based virtual private network (VPN) solutions that typically introduce various network-traversal and performance problems. In comparison, SSL VPNs feature 'clientless' connectivity that removes the need for a pre-installed VPN client, thus freeing administrators from the tedious and costly task of installing and updating a client on users' PCs. Using a standard web browser, authorised users, including mobile employees, contractors, partners, customers and suppliers, can securely access e-mail, files, intranets, extranets, legacy applications, desktops and servers from any location.
SSL VPNs extend secure remote access beyond corporate controlled laptops out to smart phones, PDAs, public kiosks and other computers that are not controlled and managed by the corporate IT department. Moreover, SSL VPNs allow integration with a wide range of dynamic authentication methods and protocols, including Microsoft Active Directory, LDAP and RADIUS. They also have the capability for granular policy configuration, providing organisations with complete and fine-grained control over individual user access to specific network applications and resources.
In addition to fostering ease of use and reducing total cost of ownership, SSL VPNs address assurance regarding the security and configuration status of a client device through host integrity checking. With this feature, the initial connection to an SSL VPN gateway causes an ActiveX or Java-based client inspection agent to download automatically to the remote user's computing device. Host inspection findings are then used as attributes in the dynamic calculation of access rules, which are enforced by the gateway. The result is essentially NAC functionality, but with a level of access control granularity that far exceeds today's average NAC offering.
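To make the inspection, policy derivation and enforcement chain concrete, here is an added toy model of it (not code from the article or from any vendor's gateway). The posture attributes, access tiers, resource names and thresholds are all assumptions chosen for illustration.

```python
# Added example, not from the article or any vendor product: a toy model of the
# SSL VPN host-integrity flow. An inspection agent reports posture attributes,
# the gateway derives an access tier from them, then enforces it per resource.
# All attribute names, tiers, resource names and thresholds are assumptions.
from dataclasses import dataclass


@dataclass
class HostPosture:
    """Findings a (hypothetical) inspection agent reports to the gateway."""
    managed_device: bool        # corporate-owned and centrally managed
    antivirus_running: bool
    av_signature_age_days: int  # days since the last signature update
    os_patches_current: bool
    host_firewall_on: bool


# Resources each access tier may reach (assumed policy, most restrictive first).
TIERS = {
    "quarantine": {"remediation-portal"},
    "webmail":    {"remediation-portal", "webmail"},
    "standard":   {"remediation-portal", "webmail", "intranet", "file-shares"},
    "full":       {"remediation-portal", "webmail", "intranet", "file-shares",
                   "remote-desktop", "legacy-apps"},
}


def derive_tier(p: HostPosture) -> str:
    """Policy derivation: map host inspection findings to an access tier.
    Rules run from most to least restrictive, so the first failing posture
    requirement decides the tier."""
    if not p.antivirus_running or p.av_signature_age_days > 30:
        return "quarantine"   # no usable antivirus: remediation portal only
    if not p.host_firewall_on:
        return "webmail"      # lightly protected host: browser-based mail only
    if not p.managed_device or not p.os_patches_current:
        return "standard"     # kiosk/BYOD or stale patches: no desktop access
    return "full"


def is_allowed(p: HostPosture, resource: str) -> bool:
    """Policy enforcement at the gateway: permit only tier-listed resources."""
    return resource in TIERS[derive_tier(p)]


if __name__ == "__main__":
    # Constructed sample: a partner's unmanaged but otherwise healthy laptop.
    partner_laptop = HostPosture(False, True, 2, True, True)
    print(derive_tier(partner_laptop), is_allowed(partner_laptop, "intranet"))
```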
The future of NAC
It must be reiterated that NAC offerings will continue to mature. As the remote access needs of enterprises continue to grow, some organisations will decide to turn their networks inside-out, eliminating the majority of their LAN infrastructure and embracing an approach where all users are effectively accessing corporate applications 'remotely'. For those organisations that retain a traditional LAN infrastructure it will be essential for SSL VPN-based NAC implementations to work in conjunction with the broader LAN-focused NAC solutions.
There is little question that NAC holds significant promise as an information security countermeasure. However, realising its benefits will depend on associated solutions evolving a bit further to better address current challenges regarding scope of network coverage, depth of client audits, integration requirements, lack of standards, and robustness of policy management capabilities.
Meanwhile, organisations can take advantage of mature NAC capabilities that are already present in some of the leading SSL VPN secure access gateways. Not only are these solutions an ideal approach for achieving secure remote access, but they can also provide an efficient and effective dose of NAC in those locations where unknown/untrusted nodes are most likely to be encountered.
For more information contact Martin Tassev, managing director, Loophold Security Distribution, +27 (0)11 575 0004, firstname.lastname@example.org