Network Access Control: Bridging the Network Security Gap
by Graham Cluley - Senior Technology Consultant at Sophos - Monday, 03 February 2008.
Now that technology is so integral to so many people's lives, there is a growing number of expert users with a potentially dangerous level of IT knowledge, enabling them to evade enforcement when accessing network resources, even if there is only the narrowest of gaps to slip through. Such a gap may arise from a number of scenarios, including the use of DHCP (Dynamic Host Configuration Protocol) networks - where a device may receive a different IP address every time it connects to the network - or where the rogue computer is using a locally configured, statically assigned IP address for network access. Problems may also occur if a quarantine agent is not installed on the user's computer. Whilst many of these employees will simply be trying to play the system without malicious intent, they still pose a threat to networks because they are opening holes, giving cybercriminals a backdoor entrance into company infrastructures. This is one example of why companies should not rush headlong into purchasing the first NAC solution they find; solutions do vary, and it is crucial to find the best system for the job.

Making NAC work for your company

There are a number of different ways to implement NAC; solutions can be hardware or software based, standalone or integrated into the internal network infrastructure. How do businesses decide what is right for them? The appropriate solution for an organization depends primarily on its current network environment, so it is crucial to assess this fully before taking the plunge. Critical factors include how homogeneous the network is, what the main network access methods are and, of course, the budget available. For example, for small to mid-sized businesses, the most effective NAC solution is one that can assess the security level of an endpoint regardless of the specific security products in place, while working seamlessly within the existing IT infrastructure.

When making their choices, enterprises should focus expenditure on the solutions and services that solve their biggest problems, choosing solutions that protect against vulnerabilities and provide a full security process instead of merely providing products. As a rule, the best option for organizations looking to introduce NAC to their security suite is a solution that works with the existing network infrastructure and user management systems - and one that is truly vendor neutral. This will be the least disruptive to implement and will produce the best return on investment.

It is also imperative that a NAC solution provides comprehensive support for the organization's security strategies, as well as having the ability to create and manage new policies in the future. It should also be flexible enough to meet new business strategies as they inevitably arise. A final critical factor is that the solution offers capabilities beyond standard network-based enforcement, identifying and providing protection against all classes of users trying to gain access to the network - both known and unknown.

The complete NAC solution

An all-encompassing NAC solution will alert network administrators to the MAC and IP addresses of unauthorised endpoint computers as they connect to the network, enabling them to take immediate action. Its reporting capabilities should extend to multiple reports covering rogue endpoints, exempt computers and any new information that may prove critical - delivered as events occur, in real time. The alerts should identify the rogue computer with pinpoint precision so that network administrators can simply and swiftly identify its network location and take the appropriate action.

It is crucial that this constant monitoring does not interfere with normal network communications; for this reason, passive monitoring will provide the best results. Monitoring low-level ARP (Address Resolution Protocol), a network layer protocol used to convert an IP address into a physical address, allows all IP communications to be detected, without exception. This means that even if a canny user evades DHCP network-based enforcement, their computer will not be able to communicate and spread infections throughout the network unnoticed, because it has to use ARP before it can talk to any other host. By monitoring ARP, identifying which computers are attempting to make IP connections, and comparing each computer against the list of approved, compliant and registered computers, systems administrators have a watertight way of spotting a rogue computer making advances on the network, enabling them to act fast and effectively.
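The passive ARP check described above, as an added example (not code from the article or from Sophos): it parses IPv4-over-Ethernet ARP frames, compares each sender against a registry of approved endpoints, and raises an alert for an unregistered MAC or for a registered host that turns up on an address other than its registered static one. The registry layout, the alert format and the sample frames are assumptions constructed for the example.

```python
import struct
from typing import Dict, List, Optional, Tuple

ETHERTYPE_ARP = 0x0806

def build_arp(src_mac: bytes, src_ip: bytes, dst_ip: bytes, opcode: int = 1) -> bytes:
    """Constructed sample: Ethernet II frame carrying an IPv4-over-Ethernet ARP request."""
    eth_hdr = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp_pkt = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
               + src_mac + src_ip + b"\x00" * 6 + dst_ip)
    return eth_hdr + arp_pkt

def parse_arp(frame: bytes) -> Optional[Tuple[str, str, str, int]]:
    """Return (sender_mac, sender_ip, target_ip, opcode) for an IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet/IPv4 ARP is handled here
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    target_ip = ".".join(str(b) for b in frame[38:42])
    return mac, sender_ip, target_ip, opcode

def check_endpoints(frames: List[bytes], registry: Dict[str, Optional[str]]) -> List[Tuple[str, str, str]]:
    """registry maps an approved MAC to its registered static IP, or None if DHCP-assigned.
    Every IP host must ARP before it can talk, so each ARP frame is a chance to spot a rogue."""
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue  # not ARP: nothing to check at this layer
        mac, ip, _target, _opcode = parsed
        if mac not in registry:
            alerts.append((mac, ip, "unregistered endpoint"))
        elif registry[mac] is not None and registry[mac] != ip:
            alerts.append((mac, ip, f"registered host on unexpected address, expected {registry[mac]}"))
    return alerts

# Constructed sample traffic (not a capture): an approved DHCP laptop, an approved static server,
# an unknown device, the server's MAC on a hand-picked static address, and a non-ARP frame.
REGISTRY = {"aa:bb:cc:00:00:01": None, "aa:bb:cc:00:00:02": "10.0.0.5"}
SAMPLE_FRAMES = [
    build_arp(b"\xaa\xbb\xcc\x00\x00\x01", b"\x0a\x00\x00\x14", b"\x0a\x00\x00\x01"),
    build_arp(b"\xaa\xbb\xcc\x00\x00\x02", b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x01"),
    build_arp(b"\xaa\xbb\xcc\x00\x00\x99", b"\x0a\x00\x00\x4d", b"\x0a\x00\x00\x01"),
    build_arp(b"\xaa\xbb\xcc\x00\x00\x02", b"\x0a\x00\x00\x42", b"\x0a\x00\x00\x01"),
    b"\xff" * 6 + b"\xaa\xbb\xcc\x00\x00\x99" + b"\x08\x00" + b"\x00" * 30,
]
```

Running `check_endpoints(SAMPLE_FRAMES, REGISTRY)` yields two alerts: the unknown device and the registered server reappearing on 10.0.0.66; the DHCP laptop is accepted on whatever address it was leased.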
