Alternatives to 802.1x-Based NAC
As Figure 1 shows, deploying 802.1x NAC requires 802.1x-capable switches and wireless access points that many companies don't have and that might be cost-prohibitive to deploy. Vendors recognize this problem and have come up with alternative NAC solutions that offer varying levels of security.
For example, LANDesk supports both the Cisco 802.1x NAC solution and its own proprietary access solution, which doesn't require an 802.1x infrastructure and works with any network switch. In the LANDesk approach, the vendor places its own DHCP server in front of your corporate DHCP server. When a new client requests an IP address, the LANDesk DHCP server determines whether the LANDesk trust agent is installed and whether the client is healthy according to your corporate policy. If no trust agent is installed or the client is deemed unhealthy, the LANDesk DHCP server returns an IP address in the quarantine subnet. If the client is healthy, the LANDesk DHCP server forwards the request to the corporate DHCP server, which returns to the client an IP address on the corporate network.
Unlike the 802.1x NAC solution, which limits access at the network port level, the DHCP approach is IP-based and can be circumvented: a host that never asks for a lease, for example one configured with a static address on the production subnet, is never evaluated at all. If your primary goal is simply to ensure that your own managed computers are healthy, this approach might be satisfactory. However, if you want to limit any new computer accessing your network, the 802.1x solution provides this additional security.
A third approach, Juniper Networks' combination of Secure Sockets Layer (SSL) VPN, firewall, real-time agents, and policy server, creates secure, authorized communications between endpoints and servers. Mirage Networks and InfoExpress offer NAC solutions that use still different architectures and technologies. For example, Mirage Networks detects communication to unused IP addresses and unusual protocol usage (e.g., SMTP mail originating from an unauthorized mail server), then uses techniques including ARP management to try to contain the anomalous network traffic.
Whereas the 802.1x NAC solution requires a network infrastructure that many companies don't have, the DHCP solution doesn't require footing the bill for additional network hardware, but it's less secure than 802.1x-based NAC. Both solutions usually require that a trust agent be installed on the host. This means that if client computers are running unsupported OSs, or if vendors choose not to install your trust agent on their computers, those clients will have access only to your quarantine network.
Beyond Connections: The Policy
The NAC policy is just as important as the network architecture supporting your NAC implementation. NAC solutions include some sort of security policy server in which you create rules that define what constitutes a healthy computer in your environment. For example, you might require that clients have all Microsoft Windows security patches and current antivirus signatures from your antivirus software vendor. Typically, you define the policy on the posture-validation server; the policy consists of the checks that a client must pass to access the network, and the posture-validation server compares the state of the client against the published policy to decide whether the client is healthy. The complexity of the policy varies by vendor. LANDesk, for example, supports checking antivirus definitions, driver updates, LANDesk client software versions, security threats, software updates, detected spyware, and vulnerable software such as missing OS and application patches. So if a peer-to-peer application were installed on a client, you could configure your NAC solution to quarantine that computer until the program was removed.
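The following is an added example, not LANDesk's or any vendor's code, that models both the DHCP front-end decision described earlier and the posture-policy evaluation described in this section. The policy contents, patch identifiers, subnets, agent version and the client inventories are all constructed for illustration.

```python
"""Posture-policy evaluation feeding a DHCP-based NAC decision.

Added example (hypothetical policy and constructed client data); it is not
LANDesk's implementation, only a model of the flow the article describes.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

QUARANTINE_POOL = "10.99.0.0/16"   # assumed quarantine subnet
CORPORATE_POOL = "10.1.0.0/16"     # assumed production subnet

# Hypothetical policy as published on the posture-validation server.
# Patch ids are placeholders, not real Microsoft KB numbers.
POLICY = {
    "required_patches": {"KB0000001", "KB0000002"},
    "max_av_signature_age_days": 3,
    "prohibited_software": {"bittorrent", "kazaa", "limewire"},
    "min_agent_version": (8, 6),
}


@dataclass
class Posture:
    """What the trust agent reports about one client (constructed data)."""
    agent_version: Optional[Tuple[int, int]]        # None = no trust agent
    installed_patches: Set[str] = field(default_factory=set)
    av_signature_date: Optional[date] = None
    installed_software: Set[str] = field(default_factory=set)


def evaluate_posture(p: Posture, policy: dict, today: date) -> List[str]:
    """Return the list of failed checks; an empty list means healthy."""
    if p.agent_version is None:
        # Without an agent nothing can be verified, so the client fails.
        return ["no trust agent"]
    failures = []
    if p.agent_version < policy["min_agent_version"]:
        failures.append("agent version %s below minimum" % (p.agent_version,))
    missing = policy["required_patches"] - p.installed_patches
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))
    if (p.av_signature_date is None
            or (today - p.av_signature_date).days
            > policy["max_av_signature_age_days"]):
        failures.append("antivirus signatures stale or absent")
    banned = policy["prohibited_software"] & {s.lower() for s in p.installed_software}
    if banned:
        failures.append("prohibited software: " + ", ".join(sorted(banned)))
    return failures


def dhcp_decision(p: Posture, policy: dict, today: date):
    """Which address pool the NAC DHCP front end answers from.

    Healthy clients are handed to the corporate DHCP server; everything
    else gets a quarantine lease along with the reasons.
    """
    failures = evaluate_posture(p, policy, today)
    if failures:
        return QUARANTINE_POOL, failures
    return CORPORATE_POOL, []   # forward request to corporate DHCP server


if __name__ == "__main__":
    today = date(2006, 8, 10)
    clients = {
        "healthy": Posture((8, 6), {"KB0000001", "KB0000002"}, date(2006, 8, 9)),
        "no-agent": Posture(None),
        "p2p": Posture((8, 6), {"KB0000001", "KB0000002"}, date(2006, 8, 9), {"Kazaa"}),
    }
    for name, posture in clients.items():
        print(name, dhcp_decision(posture, POLICY, today))
```

Note that the "no trust agent" case short-circuits: a client without an agent cannot be measured, so it is quarantined regardless of its real state, which is exactly the situation the next section addresses.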
One NAC struggle that you must deal with is how to address hosts that might need access to your network but can't install the NAC client: vendor laptops, computers running an OS that your NAC vendor doesn't support, printers, mobile devices running Windows Mobile, or other Wi-Fi-enabled devices. If you don't make exceptions for these devices, they will remain on your quarantine subnet and won't be able to access your network. But every exception you make is a potential hole in your otherwise secure network. Sometimes leaving devices in quarantine is OK; you might get by with ACLs on the quarantine network that permit limited access. For example, you can give the quarantine network access to the Internet and to a terminal server or other designated computer inside the sensitive network, but prohibit everything else.
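As an added example (not from the article or any vendor), here is a first-match evaluator for the kind of quarantine ACL just described, together with a renderer that emits it in Cisco IOS extended-ACL syntax. The subnets, the terminal-server address and the DNS server address are assumptions. The point the code makes is ordering: the deny for the internal address space has to sit before the broad permits to "any", or the quarantine subnet can reach every internal web server.

```python
"""Quarantine-subnet ACL: DNS, RDP to one jump host and Internet web only.

Added example with assumed addresses; not a vendor's configuration.
"""
from ipaddress import ip_address, ip_network

QUARANTINE = ip_network("10.99.0.0/16")       # assumed quarantine subnet
INTERNAL = ip_network("10.0.0.0/8")           # assumed corporate address space
DNS_SERVER = ip_network("10.1.1.53/32")       # assumed internal resolver
TERMINAL_SERVER = ip_network("10.1.1.10/32")  # assumed jump host
ANY = ip_network("0.0.0.0/0")

# Entries: (action, src, dst, proto, dst_port or None), evaluated first match.
# The deny for INTERNAL must precede the permits to ANY.
QUARANTINE_ACL = [
    ("permit", QUARANTINE, DNS_SERVER, "udp", 53),        # name resolution
    ("permit", QUARANTINE, TERMINAL_SERVER, "tcp", 3389),  # RDP to jump host
    ("deny",   QUARANTINE, INTERNAL, "ip", None),          # nothing else inside
    ("permit", QUARANTINE, ANY, "tcp", 80),                # web to the Internet
    ("permit", QUARANTINE, ANY, "tcp", 443),
    ("deny",   ANY, ANY, "ip", None),                      # explicit final deny
]


def acl_lookup(acl, src, dst, proto, dport=None):
    """Return 'permit' or 'deny' for a flow, using first-match semantics."""
    src, dst = ip_address(src), ip_address(dst)
    for action, s_net, d_net, p, port in acl:
        if src not in s_net or dst not in d_net:
            continue
        if p != "ip" and p != proto:      # 'ip' matches any protocol
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"                         # implicit deny if nothing matched


def _ios_addr(net):
    """Render a network in IOS address/wildcard-mask notation."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return "host %s" % net.network_address
    return "%s %s" % (net.network_address, net.hostmask)


def to_ios(acl, name="QUARANTINE-IN"):
    """Emit the rule list as a Cisco IOS named extended ACL."""
    lines = ["ip access-list extended %s" % name]
    for action, s_net, d_net, p, port in acl:
        line = " %s %s %s %s" % (action, p, _ios_addr(s_net), _ios_addr(d_net))
        if port is not None:
            line += " eq %d" % port
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_ios(QUARANTINE_ACL))
    for flow in [("10.99.3.4", "10.1.1.10", "tcp", 3389),   # RDP to jump host
                 ("10.99.3.4", "10.1.2.50", "tcp", 445),    # SMB to a file server
                 ("10.99.3.4", "203.0.113.5", "tcp", 443)]: # Internet HTTPS
        print(flow, acl_lookup(QUARANTINE_ACL, *flow))
```

Apply the rendered list inbound on the quarantine VLAN interface (`ip access-group QUARANTINE-IN in`); the evaluator lets you check the intended policy before pushing it to a switch.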
New Technologies on the Horizon
NAC offers new solutions to the changing security problems you face, and NAC architectures vary. Because of the expense and complexity of 802.1x solutions and the potential for subversion of DHCP solutions, some vendors are seeking innovative approaches to NAC. At the time I wrote this article, nearly all of the major NAC vendors were gearing up for significant new releases. Keep your eyes peeled for new technologies.
steina, August 10, 2006