For: Anton Grashion, security strategist, EMEA, Juniper Networks
It depends on how you define network access control (NAC). Plain NAC did not encompass the full role-based security system users and enterprises require to balance security with a productive, intelligent network. Working up from the TCG-TNC definitions, the technology to coordinate each user's role, endpoint device and location-based policies to create a dynamic access control system is available today.
Unified access control (UAC) is not simply port-based authentication or endpoint legality checking. It goes much further by restricting the assets a particular user can access, and provides policy coordination with security appliances, such as firewalls, to deliver NAC over existing infrastructure.
However, it would be unwise for any vendor to say that NAC is enough to create the perfect LAN security system. It is a predator-prey relationship. An enterprise network presents a target and an opportunity for malicious misuse at all times. Security has to keep evolving to protect against that threat.
Against: Jeff Prince, chairman and CTO, ConSentry Networks
Network access control is a key step in securing a local area network (LAN). It ensures that only the right people have access, and it can prevent such threats as a guest unleashing a worm.
But NAC fails as a total security method because it does not allow you to control where users can go or what they can do once they're on the LAN. This kind of post-admission control is vital to protect a network. IT must be able to restrict access to applications, file servers and so forth. Engineering staff, for example, should not have access to finance records. And IT needs these capabilities to be updated as users' access rights change.
IT also needs tools that block other vulnerable sources — for example, denying the use of non-business applications or stopping applications that spawn hundreds of connections.
So, beyond the simple authentication and posture check of NAC, IT needs visibility, user access control and threat control. The ultimate goal is to tie access rights to each end-user enabling role-based provisioning, and using NAC as just a part of overall LAN security.
THREAT OF THE MONTH:
USB U3 technology allows a user to run applications from a USB thumb drive instead of requiring installation on the computer. When the thumb drive is removed, all files and registry keys used by the application are removed, allowing for portable application use.
How does it work?
The U3 technology makes the thumb drive appear as two separate devices on the computer it's plugged into — one is the thumb drive itself, and the other device appears to the computer to be a standard CD-ROM. In this way, the application launcher can use the autorun capability to launch when the drive is inserted. Unfortunately, this also allows anyone to rewrite the CD-ROM image with an alternate image and autorun any code.
Should I be worried?
There is a thumb-drive-based hacking tool under development that anyone can download and place on a U3-capable USB device.
How can I prevent it?
Turn off autorun for all CD-ROM devices. Additional mitigation can be done by third-party programs which enforce security policies for physical devices. Some of these programs can also combat information theft via removable devices by shadow-copying any data transferred to thumb drives to a secure datastore for assessment by network administrators.
— Joe Stewart, senior researcher, SecureWorks (formerly LURHQ)
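The "turn off autorun for all CD-ROM devices" advice above maps to a single Windows registry policy, NoDriveTypeAutoRun, a bitmask of drive types for which autorun is disabled; the emulated U3 CD-ROM partition is a CD-ROM drive type, so its bit (0x20) is the one that matters, though setting every bit is the safer choice. The following PowerShell is an added example written for this page, not code from the column or from SecureWorks; the function names Get-AutorunPolicy and Set-AutorunPolicy and the $DriveTypeBits table are this example's own. It must be run from an elevated prompt.

```powershell
# Added example: audit and harden the Windows autorun policy so that an
# emulated CD-ROM (as presented by a U3 thumb drive) cannot auto-launch code.
# Function and variable names here are this example's own, not Windows APIs.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# NoDriveTypeAutoRun: each set bit DISABLES autorun for that drive type.
$DriveTypeBits = @{
    Unknown   = 0x01
    Removable = 0x04   # the thumb-drive (mass storage) half of a U3 device
    Fixed     = 0x08
    Remote    = 0x10
    CdRom     = 0x20   # the emulated CD-ROM half that carries the launcher
    RamDisk   = 0x40
    Reserved  = 0x80
}
$DisableAll = 0xFF     # all bits set: autorun off for every drive type

function Get-AutorunPolicy {
    # Read the current mask and decode the bits a U3 defence cares about.
    $value = (Get-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $value) {
        # Value absent: no policy is set, so the Windows default applies and
        # CD-ROM autorun must be assumed enabled.
        return [pscustomobject]@{
            Raw               = '(not set)'
            CdRomDisabled     = $false
            RemovableDisabled = $false
            AllDisabled       = $false
        }
    }
    [pscustomobject]@{
        Raw               = ('0x{0:X2}' -f $value)
        CdRomDisabled     = (($value -band $DriveTypeBits.CdRom) -ne 0)
        RemovableDisabled = (($value -band $DriveTypeBits.Removable) -ne 0)
        AllDisabled       = (($value -band $DisableAll) -eq $DisableAll)
    }
}

function Set-AutorunPolicy {
    # Write the mask machine-wide. Default is "disable everything"; pass
    # -Mask $DriveTypeBits.CdRom to disable only CD-ROM autorun as the column suggests.
    param([int]$Mask = $DisableAll)
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' `
        -PropertyType DWord -Value $Mask -Force | Out-Null
    # KB967715: on older Windows builds NoDriveTypeAutoRun is only honoured
    # for non-CD drives when HonorAutorunSetting is also set to 1.
    New-ItemProperty -Path $PolicyKey -Name 'HonorAutorunSetting' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# Usage: show the state before, apply the full lockdown, show the state after.
Get-AutorunPolicy
Set-AutorunPolicy -Mask $DisableAll
Get-AutorunPolicy
```

Two practical notes. The same value is written by the Group Policy setting Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies > Turn off AutoPlay, which is the way to push it to a whole domain rather than one host; and the Get-AutorunPolicy check is worth running on a sample of hosts after deployment, because a stale HKCU copy of the same value under HKCU\...\Policies\Explorer is read on some builds and can silently override what you expect.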