Authenticating users and devices on the enterprise network, also known as network access control, is a critical step in any effective security scheme. Given its importance it would be natural to believe vendors would make authentication relatively easy to implement. Unfortunately that’s not currently the case, but vendors are taking steps to ease the pain of rolling out authentication.
Implementing a network authentication system is a complex undertaking. It involves deployment of back end services (for directory, authentication and policy control of the network) and authentication services for devices attaching to the network.
Placing authentication services on intelligent devices like laptops and desktops is a challenge that is well understood. More of a challenge is addressing utility devices like IP telephones, printers, alarm/security systems, HVAC components and banking machines. Anything attaching to the network must be taken into account.
The scope of an authentication project will involve different IT groups, forcing network people to work with application, directory, security and operations people. This kind of project can be a challenge. Many smaller IT departments do not have the in-house skills and experience necessary to execute a project like this from beginning to end.
There is also a business side to an authentication project. Roles must be defined and policies put in place to enforce those roles to take full advantage of a network access control system. Many enterprises feel that the cooperation needed between business departments is an even greater challenge than that presented by the technology.
Is a network access control system worth the effort?
Yes — for several reasons.
First, unwanted visitors will find it impossible to get by a properly implemented system. The network rejects or isolates those it does not recognize or does not know how to deal with. This saves the business from potential attack or theft.
Second, properly implemented, the system can effectively force patch management for anti-virus, OS and other software onto end stations. An end-station profile check in the authentication component of the system enforces patch management. When a device tries to attach to the network with out-of-date anti-virus, OS or anything else, the device can be re-directed to a secure network that contains a server that would force an upgrade before allowing the device in. The business benefits from higher availability when its systems are properly patched and virus-free.
Third, the business is given the ability to control who has access to what. In these days of companies being required to comply with privacy and securities laws, it is in the interest of every business to follow a best-practices model for network-based control of users. While there are several other reasons to implement an authentication system, the fact that availability, confidentiality, and integrity are all positively impacted should justify the project.
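The three behaviours just described (unrecognised devices are rejected or isolated, devices with stale anti-virus or OS patches are diverted to a remediation network, and recognised, compliant devices are admitted to the network their role allows) can be sketched as a small admission policy. The code below is an added example written for this page, not code from the article or from any vendor named in it; the device inventory, role-to-VLAN mapping, VLAN numbers, freshness thresholds and the `Posture` report format are all constructed assumptions standing in for what a real directory and NAC agent would supply.

```python
"""Toy network access control admission policy (added example, not the article's code).

Models three outcomes: unknown devices are isolated, devices with stale
anti-virus or OS patches are quarantined on a remediation network, and known,
compliant devices are admitted to the VLAN their role allows. Every value
below (devices, roles, VLANs, thresholds) is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed inventory: MAC address -> (role, device class).
# Anything not listed here is treated as an unrecognised device.
KNOWN_DEVICES = {
    "00:11:22:33:44:55": ("finance", "laptop"),
    "aa:bb:cc:dd:ee:01": ("facilities", "hvac"),
    "aa:bb:cc:dd:ee:02": ("telephony", "ip-phone"),
}

# Constructed role -> production VLAN mapping (hypothetical VLAN numbers).
ROLE_VLAN = {"finance": 110, "facilities": 210, "telephony": 300}
REMEDIATION_VLAN = 999   # quarantine network holding the upgrade server
ISOLATION_VLAN = 900     # dead-end network for devices we do not recognise

# Assumed freshness thresholds for the end-station profile check.
MAX_AV_AGE = timedelta(days=7)
MAX_PATCH_AGE = timedelta(days=30)

# Utility devices that cannot run a posture agent; admitted on identity alone.
AGENTLESS_CLASSES = ("ip-phone", "hvac", "printer")


@dataclass
class Posture:
    """Posture report a NAC agent would submit; None dates mean 'not reported'."""
    av_signature_date: Optional[date]
    os_patch_date: Optional[date]


@dataclass
class Decision:
    action: str   # "allow", "quarantine" or "isolate"
    vlan: int
    reason: str


def evaluate(mac: str, posture: Optional[Posture], today: date) -> Decision:
    """Decide where an attaching device is placed, given its identity and posture."""
    entry = KNOWN_DEVICES.get(mac.lower())
    if entry is None:
        # The article's first reason: the network isolates what it does not recognise.
        return Decision("isolate", ISOLATION_VLAN, "unknown device")
    role, dev_class = entry
    if dev_class in AGENTLESS_CLASSES:
        # Phones, HVAC and printers cannot be posture-checked; identity is all we have,
        # so they go into their role's restricted VLAN rather than a general one.
        return Decision("allow", ROLE_VLAN[role], f"{dev_class} admitted by identity")
    # Intelligent devices (laptops, desktops) must present a posture report.
    if posture is None:
        return Decision("quarantine", REMEDIATION_VLAN, "no posture report")
    if posture.av_signature_date is None or today - posture.av_signature_date > MAX_AV_AGE:
        return Decision("quarantine", REMEDIATION_VLAN, "anti-virus signatures out of date")
    if posture.os_patch_date is None or today - posture.os_patch_date > MAX_PATCH_AGE:
        return Decision("quarantine", REMEDIATION_VLAN, "OS patches out of date")
    # The article's third reason: access follows the role, not the port.
    return Decision("allow", ROLE_VLAN[role], "compliant")


if __name__ == "__main__":
    # Constructed attach attempts on a fixed date, so the output is reproducible.
    today = date(2024, 1, 31)
    attempts = [
        ("00:11:22:33:44:55", Posture(date(2024, 1, 30), date(2024, 1, 10))),  # compliant laptop
        ("00:11:22:33:44:55", Posture(date(2024, 1, 1), date(2024, 1, 10))),   # stale anti-virus
        ("00:11:22:33:44:55", None),                                           # agent missing
        ("AA:BB:CC:DD:EE:02", None),                                           # IP phone, no agent
        ("ff:ff:ff:ff:ff:ff", None),                                           # not in inventory
    ]
    for mac, posture in attempts:
        d = evaluate(mac, posture, today)
        print(f"{mac}: {d.action:<10} vlan={d.vlan:<4} ({d.reason})")
```

The split between identity checks and posture checks is the point: the article's utility devices (phones, HVAC, alarm panels) never get a posture report, so the policy has to admit them on identity and confine them by VLAN, while laptops and desktops are held on the remediation network until their profile passes.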
The question is how to get the project done. Network and software vendors are working on making this technology easier to implement. Cisco, Enterasys, Extreme and HP have all added features that help implement network authentication. Cisco and Enterasys each have full policy management options available. Software vendors have also stepped up. Microsoft has made IEEE 802.1x a core part of its OS. Funk Software (now part of Juniper) has an IEEE 802.1x agent with policy manager available. Most anti-virus and personal firewall vendors have added policy with authentication and authorization components.
While the technology is improving, the experience necessary for an authentication implementation may still be an issue.
There are a couple of options. One uses technology to try to make implementation easier; the other involves using consultants. Lockdown Networks out of Seattle, Wash. has developed a Network Access Control appliance. The company claims that its appliance works with current networks and is easy to implement. This could be a viable option for many organizations.
On the consulting side, a group out of Greenland, NH has made network access control its primary security consulting focus. Blue Spruce Technologies provides expertise to get the project rolling, allowing the enterprise to bring the expertise in-house through training and participation as the project progresses.
The goal of network access control schemes is to help the enterprise take control of its infrastructure in order to meet the business goals of security and smoother operation. However, the complexity involved in the authentication system makes it difficult to implement effectively, given limits in expertise and resources. In the past, the enterprise had to outsource, or spend a great deal of time learning how to deal with network access control, which made this project unattractive. Now that there are new offerings from network and software vendors, along with specialized consulting services to make things easier, the time has come for IT departments to address the critical area of network access control to protect their business.
–Kanellakis worked at Enterasys Networks and its predecessor Cabletron Systems for almost 15 years. These days he is enjoying spending time with his family and looking for interesting ventures to pursue.