The new perimeter
Sidney Gellineau, CIO, NYC Transit
Sidney Gellineau, CIO, NYC Transit, embraces the original vision of NAC – to vet unmanaged guest devices, reports Dan Kaplan.
Sidney Gellineau is standing in his 12th floor corner office at 2 Broadway, where sweeping views of the edge of Lower Manhattan and the surrounding water might awe even the most hardened New Yorker.
The sun is shining brightly on this mid-August day, accentuating the Statue of Liberty and Ellis Island, both of which seem just a stone's throw away from one of the office's panoramic windows.
But at this moment, Gellineau, 46, acting vice president of technology information services for New York City Transit, the agency that runs the city's subway system, is ignoring the picturesque scene.
His eyes are fixed on something attached to the back wall of his office: a new alert screen that provides real-time visibility into security devices on the internal network. The 32-inch flat-screen monitor is only a day old, and Gellineau is still getting used to all the bells and whistles.
“I just look for the red,” he says, referring to the bar graphs that increase in height and brightness should the network suffer some prolonged attack.
Soon, the console will offer even more clues to the network's health. That's because NYC Transit, a division of the Metropolitan Transportation Authority (MTA), is in the process of extending IP networks to its approximately 460 subway stations across New York's five boroughs.
To complement this move, the agency is deploying network access control boxes from Mirage Networks to each subway station as part of a defense-in-depth strategy. The solution acts as an out-of-band appliance that touches all the endpoints.
The migration from legacy to IP-based networks means cheaper maintenance and increased efficiency for NYC Transit. And it means greater rewards for customers, namely in the form of up-to-the-minute customer information screens and high-end security cameras.
But the roll-out also means heightened risk for the transit system, as the network migration necessitates the creation of 460 new access points.
To Gellineau, responsible for protecting the IT assets of the largest subway system in North America (and a prime target in a post-9/11 world), that is 460 ways a rogue device could connect to the LAN and do damage.
“My biggest worry is an unauthorized device accessing this network and getting into our critical [train control] systems,” he says. As an example, he mentions one way in which the information screens could be compromised to induce panic: “If they got access to that system, they could put up a message like ‘Bomb in Station.’”
The agency already has deployed NAC at its centralized rail control center, the critical computer hub of the subway system that is responsible for making switching adjustments to trains and for communicating with their engineers.
At NYC Transit, the job of NAC is simple: vet every single device connecting to the network. If it is unknown, quarantine it and ensure it is running the latest anti-virus signatures and system updates. If it is not, don't let it on board.
NAC starting to mature
NYC Transit's decision to deploy NAC is in keeping with the progression of the technology, according to New York-based analyst firm The 451 Group. In a report earlier this year, the company said many enterprises finally are ready to leverage NAC – driven mostly by the need to control guest access in an ever-expanding perimeter.
“The paradigm of having a big red circle where everything inside is good and everything outside is bad is over,” says Nick Selby, research director of The 451 Group's enterprise security practice. “Where's the circle? Where's the perimeter?”
This readiness to adopt, the analyst firm says, comes after years of confusion brought on by “an overabundance of competing architectures, products and approaches.”
Selby says that when Cisco arrived on the scene as the first NAC vendor some five years ago, business customers were reluctant to adjust their infrastructure to handle the technology. Also, NAC required organizations to establish customized policies, often a time-consuming and tedious process.
Meanwhile, end-user companies, especially the larger variety most interested in something like NAC, were unwilling to invest in a start-up provider.
As a result, the technology flailed and deployment percentages hovered in the teens.
Mike Rothman, founder of Atlanta-based consultancy Security Incite, says NAC also was bruised and battered by unfulfilled promises.
“In the rush to try to help an emerging technology hit its stride, a lot of the industry – namely the vendors – took some liberties with what the technology did,” he says. “When you tell them it is something that solves every problem and it ends up not doing that, it's going to get people upset.”
Other vendors, meanwhile, tried to capitalize on the sky-high hype of NAC, claiming they were delivering a NAC solution, even when they were offering something else.
On the surface, NAC did not have an auspicious start to 2008. In March, one of the space's earliest entrants, Lockdown Networks, announced it was shutting its doors “due to overall economic trends and slower-than-predicted adoption of NAC technology.”
Lockdown's NAC appliance worked well in small corporate environments, but was hampered by scalability shortfalls in wider deployments, according to a March report from Gartner analysts John Pescatore and Lawrence Orans.
The closure, though, surprised few experts, who all along had said the sector was crowded with competition and that some firms simply would not make it.
“Clearly you can't have 25 vendors,” Rothman says. “There's not enough of a market. There will be consolidation.”
In February, The 451 Group labeled 2008 the “do-or-die” year for the pure-play NAC vendor. For providers to survive, the analyst firm said, they would have to expand the scalability of their offerings and ensure they could address larger risk management concerns facing today's corporations.
Initially, that would mean supplying products that do not only perform hygiene checks on guest devices – the traditional calling card of NAC – but that also provide visibility of network assets, Selby says.
“NAC vendors have found they need to move very quickly away from a message of security posture and very quickly toward one of operational visibility,” he says. “NAC as originally envisioned looks increasingly quaint. The vendors that are growing and surviving are the ones finding additional functionality.”
Austin, Texas-based Mirage Networks, a NAC pure-play that now has 550 customers, believes in NAC's ability to scan the health of a device and then watch it once it is granted access to the network – a capability known as post-admission monitoring.
“The world is full of reactive security devices today,” says Greg Stock, president and chief executive officer of Mirage Networks. “NAC is the most proactive way to do security. I believe NAC is the evolution of network security.”
Eventually, analysts predict, NAC will evolve from a standalone product into a feature of either the network or the endpoint.
“Solutions that can ultimately be integrated with infrastructure (for example, 802.1X-based switches) or with other core security products (such as IPSs or anti-virus software) stand the best chance of surviving market consolidation,” Pescatore and Orans note in their report.
Stamford, Conn.-based Gartner predicts annual market revenue for NAC will increase from $225 million in 2007 to $877 million in 2010. The 290 percent jump, experts say, partially will be bolstered by an increased adoption of Microsoft Vista, which contains a built-in network access protection (NAP) capability.
Some believe this NAC-like functionality will spur companies to deploy other NAC solutions to complement NAP.
But even with corporate America slow to adopt Vista, NAC vendors seem in recent months to have found new life and a chance to garner major customer wins.
For example, Bradford Networks recently earned an additional $8 million in venture funding. The Concord, N.H.-based company has gained success, observers say, by carving out a customer niche at college campuses, where administrators must deal with constantly moving endpoints.
Defense in depth
Some NAC critics, though, suggest that threat prevention solutions, like an IPS, combined with identity and access management and security information management offerings, can act as a NAC alternative.
“If you have a secure network, you shouldn't be worried about insecure machines connecting to it,” says Richard Stiennon, CEO of Burlingame, Calif.-based managed security firm Seccom Global.
Even with post-admission functionality, NAC often fails to detect and prevent zero-day attacks, for which there is no signature, he says. Plus, endpoints can be tampered with, meaning an attacker could spoof a device's media access control (MAC) address and claim it's in a healthy state – when it actually is not.
“Network security should never rely on the reported state of the endpoint,” Stiennon says. “An alternative to NAC would be to put something at the network access point to block viruses. Everyone should be doing a better job of defending the network.”
NYC Transit also relies on separate intrusion prevention system (IPS) and network behavior analysis solutions to complement NAC.
“It doesn't do everything,” Gellineau says of NAC.
For him, the main draw of the technology is that it can substitute for firewalls at each of the subway stations.
The transit system's core network is protected by redundant firewalls, so if one fails there, trains stay on schedule and the network doesn't come to a grinding halt. But that is not an option at stations, where heat and space issues make redundant firewalls impossible to deploy. That's where NAC fits in.
“If the firewall fails – and firewalls do fail – I lose service to that station,” Gellineau says.
Rather than risk that happening, the NAC appliance “fails open,” meaning it allows traffic to pass through, and the hope is that other network-edge solutions will kick in to prevent any infection.
“I'm assuming some risk until I can get out there and fix the problem,” Gellineau says.
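As an added illustration (not NYC Transit's or Mirage Networks' code), the following constructed Python model captures the admission and post-admission rules the article describes: stale anti-virus signatures or patch levels are denied, unknown devices and devices whose MAC address is not corroborated by a switch-side identity check are confined to a guest segment rather than trusted on their self-reported state, an unreachable appliance fails open, and an admitted device is watched and cut off on its first flow to a segment it was not authorized for. The device inventory, thresholds and flows are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed policy thresholds: the newest signature set (date-stamped) and patch level.
REQUIRED_AV_SIGNATURES = 20080815
REQUIRED_PATCH_LEVEL = 3

# Constructed inventory: MAC -> network segments the device is authorized to reach.
KNOWN_DEVICES = {
    "00:1a:2b:3c:4d:5e": {"customer-info"},
    "00:1a:2b:3c:4d:5f": {"customer-info", "train-control"},
}


@dataclass
class Endpoint:
    mac: str
    av_signatures: int        # self-reported by the endpoint agent: a claim, not a fact
    patch_level: int          # self-reported by the endpoint agent
    identity_verified: bool   # corroborated by the switch (e.g. 802.1X), not self-asserted
    allowed: set = field(default_factory=set)


def admit(ep: Endpoint, appliance_up: bool = True) -> str:
    """Return the admission verdict: fail-open, deny, admit or guest."""
    if not appliance_up:
        # Stations have no redundant firewall, so the appliance fails open and
        # relies on the IPS and behaviour-analysis layers to catch an infection.
        return "fail-open"
    posture_ok = (ep.av_signatures >= REQUIRED_AV_SIGNATURES
                  and ep.patch_level >= REQUIRED_PATCH_LEVEL)
    if not posture_ok:
        return "deny"                     # out-of-date device: not let on board
    if ep.mac in KNOWN_DEVICES and ep.identity_verified:
        ep.allowed = set(KNOWN_DEVICES[ep.mac])
        return "admit"
    # Unknown MAC, or a known MAC with no corroborating identity (a MAC alone can be
    # spoofed), so the device is vetted but confined to the guest segment.
    ep.allowed = {"guest"}
    return "guest"


def post_admission(ep: Endpoint, flows) -> list:
    """Watch an admitted device: record each flow, revoke on the first unauthorized segment."""
    audit = []
    for segment in flows:
        ok = segment in ep.allowed
        audit.append((ep.mac, segment, "allowed" if ok else "REVOKED"))
        if not ok:
            ep.allowed = set()            # cut the session; device must re-enter admission
            break
    return audit
```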
NAC also helps the transit agency – and other organizations across the world – deliver on compliance because it is designed to allow or deny devices based on rules the administrator establishes. For instance, devices can report that they were checked on entering the network and, once on it, that they only gained access to data they were authorized to see.
This pleases administrators, say experts.
“The ability to enforce policies is something their auditors are pushing them to do,” says Omar Khawaja, manager of security solutions marketing at Basking Ridge, N.J.-based Verizon Business, a provider of managed security services. “NAC is not just a security play.”
NYC Transit, consisting of 49,000 employees and some 12,000 network users, including partners and contractors, must comply with a number of mandates. This includes the Payment Card Industry Data Security Standard (PCI DSS), for which it is a level-one merchant, meaning it annually processes more than six million Visa or MasterCard transactions.
(Many of those transactions are completed on the stations' ticket vending machines, which soon will be upgraded to Windows Server 2003 from Windows NT, an operating system that is no longer supported. Running this obsolete platform has so far not been a problem, but that will all change with the rollout of IP-enabled networks).
NYC Transit also is obliged to follow the Health Insurance Portability and Accountability Act (HIPAA) because it houses medical facilities that store patient data.
While the agency did not necessarily purchase NAC to help it satisfy these compliance demands, the technology certainly helps answer some of its obligations, Gellineau says.
But most importantly, he stresses, NAC is in place because it acts as another layer of defense between the attacker and critical network assets.
“Once an unauthorized device gets on your network, they're in your perimeter,” he says. “It's one stop closer to a breach.”
NYC TRANSIT: By the numbers
26: Subway lines
468: Subway stations
660: Miles of track
6,485: Approximate subway cars
8,159: Average weekday train trips
342.5m: Annual miles logged
1.563b: Annual ridership