Network executives planning to deploy network access control should start with very specific goals, not intricate schemes to quarantine and remediate insecure devices, shut down badly behaving machines and record every connection each device attempts to make on the network.
That’s because comprehensive NAC rollouts are costly and complex, and the technology is young enough that even if the goals are simple, the implementation may not be.
For instance, Erickson Retirement Communities in Silver Spring, Md., wanted NAC to block intentionally malicious users from gaining access to the network. “If you can’t authenticate successfully, you’re going to end up in some dirty [virtual LAN] that gives you Internet access, and that’s it,” says Scott Erickson, the company’s CTO, who oversees the firm’s 14 campuses. “I want contractors to be able to get [traffic] in and out, and if auditors are here, for them to use their VPNs. That’s really what I was after with NAC.”
But even that focused agenda is difficult for Erickson to achieve, for two reasons. One, he has been trying to implement the technology while keeping an eye on his budget. And two, all the elements he needs are not ready, although vendors he works with talk about them as if they are.
This dilemma stems from the many definitions of NAC being bandied about. Initially, NAC as defined by Cisco was a response to the Blaster worm that ravaged networks in 2003. The goal was to check that endpoints had proper patches and updated security in operation before they gained network access.
Since then, useful additions such as internal intrusion-detection/prevention gear have been tacked on to the definition. Notoriety of the technology has soared, and based on the expanded definition, NAC has been split into two parts: preadmission and postadmission.
Erickson was interested in preadmission controls that tie users and machines to policies. He wanted machines to identify themselves as issued by the company or not, then have users identify themselves and use a combination of the two identity checks to determine what, if any, access they get. “Now, if it’s a combination of the two, I’ll put you into a full, accessible VLAN,” he says.
Erickson figured he had all the elements he needed. His Cisco switches have been software-upgraded to handle 802.1x port-level policy enforcement, and his Cisco Access Control Server (ACS) RADIUS server interoperates with Active Directory.
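The combined machine-plus-user check Erickson describes, together with the RADIUS attributes an ACS-style server returns so the 802.1x switch places the port in the chosen VLAN, as an added example (not Erickson’s configuration; the VLAN IDs 100 and 900, the `Identity` type and the function names are assumed):

```python
"""Admission decision from machine identity AND user identity, plus the RADIUS attributes
(RFC 2868 / RFC 3580) a server such as ACS returns to put the 802.1X port in a VLAN. Added example."""
from dataclasses import dataclass

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81   # RFC 2868 attributes
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6                         # values used by RFC 3580
FULL_VLAN = "100"    # assumed ID for the full, accessible VLAN
DIRTY_VLAN = "900"   # assumed ID for the "dirty" Internet-only VLAN

@dataclass(frozen=True)
class Identity:
    machine_ok: bool   # device proved it is company-issued
    user_ok: bool      # user credentials verified against the directory

def choose_vlan(ident: Identity) -> str:
    """Full VLAN only when both checks pass; a contractor or auditor lands in the dirty VLAN."""
    return FULL_VLAN if ident.machine_ok and ident.user_ok else DIRTY_VLAN

def vlan_attributes(vlan_id: str, tag: int = 1) -> dict[int, bytes]:
    """Tagged values: tag byte first, then a 3-byte integer or the VLAN string."""
    return {
        TUNNEL_TYPE: bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"),
        TUNNEL_MEDIUM_TYPE: bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"),
        TUNNEL_PRIVATE_GROUP_ID: bytes([tag]) + vlan_id.encode("ascii"),
    }

def encode_avps(attrs: dict[int, bytes]) -> bytes:
    """Serialize as RADIUS AVPs: type, length (including the 2-byte header), value."""
    out = bytearray()
    for attr_type, value in attrs.items():
        if len(value) > 253:
            raise ValueError("attribute value too long for one AVP")
        out += bytes([attr_type, len(value) + 2]) + value
    return bytes(out)

def decode_vlan(avps: bytes) -> str:
    """Walk the AVPs as a switch would and return the VLAN from Tunnel-Private-Group-ID."""
    pos = 0
    while pos + 2 <= len(avps):
        attr_type, length = avps[pos], avps[pos + 1]
        if length < 2 or pos + length > len(avps):
            raise ValueError("malformed AVP")
        value = avps[pos + 2:pos + length]
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # a first byte above 0x1F is not a tag but part of the string (RFC 2868 section 3.6)
            return value[1:].decode("ascii") if value[0] <= 0x1F else value.decode("ascii")
        pos += length
    raise LookupError("no VLAN assignment in Access-Accept")

def access_accept_for(ident: Identity) -> bytes:
    """Attributes the RADIUS server returns for this identity combination."""
    return encode_avps(vlan_attributes(choose_vlan(ident)))
```

A failed machine or user check still yields an Access-Accept here, only into the Internet-only VLAN, which is the behaviour Erickson describes for contractors and auditors.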
Lots of catch-22s
But it wasn’t as simple as he thought. For Cisco switches to enforce the policies using 802.1x port authentication, each machine being screened needs 802.1x supplicant client software, and Cisco didn’t have any ready late last year when Erickson was ready to go.
He hoped Microsoft would come up with a supplicant for Windows XP that would work with Cisco switches, but it didn’t. So his first thought was to pilot Cisco Network Access Control using Microsoft Vista and its 802.1x supplicant at three sites with about 100 PCs each. “I have three sites with about 100 PCs each that I just opened, and I’m going to flip all three of them. Those will be my pilot sites,” Erickson says. At least that was the original plan.
Now, he’s considering a more costly alternative — installing Cisco Network Access Control appliances at each site. He has so many sites that the cost is high, he says. But he may be forced into eating the extra cost in the interest of avoiding a long wait while bugs are worked out of Vista.
As Erickson’s experience points out, NAC can have pitfalls. “There’s lots of pieces and parts to NAC, and the number of vendors makes it hard,” says Zeus Kerravala, an analyst with the Yankee Group.
But Kerravala points out that Erickson has done many things right in his deployment, such as examining whether existing policy-storage directories can fit into the NAC scheme a customer is considering. If a company already has Active Directory in use, it should be able to leverage it in a Cisco Network Access Control implementation rather than buying Cisco’s Clean Access Server, he says.
In addition, businesses should first deploy NAC to a small group of technically savvy users at different sites, just as Erickson plans to do. “Learn your lessons with them and build off that, then roll it out more broadly,” Kerravala says.
And Kerravala recommends starting with an appliance even if the goal is to embed NAC in the network infrastructure. “A network upgrade is expensive, and an appliance lets you test the technology before you commit to one,” he says.
The no-client, appliance approach
Brett Childress, the director of IT Infrastructure for instrumentation vendor National Instruments in Austin, Texas, says he wanted a NAC appliance from the outset. Two years ago when he started looking, his network vendor, Cisco, had no workable NAC equipment, and he wanted to avoid any NAC scheme that required client software.
He also was interested in postadmission NAC to guard against malware that gets past virus screening. He selected Mirage Networks’ gear from among limited choices, primarily because it required no client software. “We just didn’t want another piece of software spread around on machines that we would have to keep updated and would make us worry about multiplatform support,” Childress says. National Instruments’ desktops run multiple flavors of Windows, Linux and Macintosh.
The company doesn’t use a formal preadmission NAC product, instead relying on frequent operating-system patches and antivirus signature updates to protect the network from infected machines, Childress says. “With a layered defense of central-managed antivirus, patch management via SMS and with Mirage on top of that, we feel fairly comfortable,” he says.
But that could change if the company broadens its remote-access program to include employee-owned machines that National Instruments does not maintain. Childress says he would then have to weigh the cost of preadmission NAC against its benefits, because it reports the status of a connecting machine’s defenses, not whether the machine has actually been infected.
“I’m checking they have antivirus installed and turned on, a DAT file that’s not more than a week out of date, that they have the most recent critical update from Microsoft,” Childress says. “The reality is you’re not checking for all these other potentially unknown pieces of malware that could be installed on that machine.”
The philosophy of the company is to allow employees unrestricted access to resources and the Internet as long as that behavior doesn’t endanger the network. “We tend to shy away from super-strict, upfront secure policies,” he says, and use Mirage to defend against attacks that freedom mig