Control what you let in
About a year ago, I sat down with my incident response team to discuss our progress in managing patch and virus signature updates. We had been plagued by a series of worm and virus outbreaks, but were lucky that impact to the business had been fairly low, but there was still some impact.
The root of the problem was that since we could only achieve about 97 percent coverage on patches and virus signatures, at any given time, we would have a number of vulnerable systems. At least, that was the consensus view in the meeting.
However, thinking about the situation a little more, I realized that the real problem was that we lacked the appropriate ability to manage security policy on our network. If we couldn't get to a computer because it was off the network or outside of our administrative control, we couldn't ensure that it complied with our security policies.
I also realized that as we moved toward a more mobile workforce, this type of 'uncontrolled' system would become increasingly common.
After summarizing this situation to the team, I asked everyone to consider how we should respond. Interestingly, the answer I received was fairly unanimous: inspect the computer before it connects to the network. After all, we 'inspect' the user before allowing them access to our corporate systems.
The strategy was to shift the responsibility for policy compliance to the user and act as the policy author and enforcer. This shift is the heart of a strategy that is now sometimes referred to as network admission control, or NAC.
When a computer connects to a network, it brings along a lot of baggage. If it is infected with a virus or worm, there's a threat that it will infect other systems on the network. If it is running illegal software, the host network is exposed to it.
These issues sometimes arise from a malicious user, but often simply arise from negligence. People forgetting to update their virus signatures or to log off their ISP before logging into their corporate network can have a far-reaching impact on the business.
Consider two examples of user behavior that could put the corporate network at risk (see panel, below). What was missing in both cases was any knowledge of the endpoint computer. Was it a Windows XP laptop? A Treo? A PDP-11? An Apple?
Each of these endpoints has a different set of associated risks and different policies would be applied to each one. The control of the device before it was admitted to the network was neglected. These situations create an unnecessary threat to the corporate network. NAC is one way to mitigate this risk.
Computers typically connect to networks in one of two ways – through a network switch or through a gateway (sometimes referred to as layer-2 and layer-3 connectivity). In layer-2, the 'wired' approach is to connect to a switch via a wired network port.
On an IP network, connectivity also relies on assigning a network address, either assigned dynamically through DHCP or through a static IP definition in DNS. For layer-2 connectivity, the two relevant control points are the network switch port configuration and, in the case of an IP network, the IP allocation.
In order to apply NAC for a layer-2 connected computer, the switch port configuration must initially be set to only pass packets used to validate the user and device. The validation must be done initially to establish the session, and then again periodically to ensure the ongoing compliance of the endpoint. Once the session is established, the user can access all the networks that they are authorized to traverse.
A second form of connectivity – layer-3 connectivity – is provided through a gateway and relies on a set of technologies that deliver services such as filtering, encryption, proxy, authentication, and authorization. The gateway makes routing decisions between the client network and the internal network based on several decision criteria.
In particular, to apply NAC, both the device and the user must be validated. The validation will be done against a policy server and the key control will be in the gateway itself. Sessions will be established based on the response from the policy server.
In conclusion, the idea of combining device and user network access control is not a new one. Several leading firms have embraced NAC in new product initiatives, and once these are available, the deployment of a robust NAC solution will become the basis for the enforcement of security policy on the network.
Lance Braunstein is executive director, infrastructure engineering, Morgan Stanley, IIG