Many organizations are implementing network admission control (NAC) as the first step in LAN security, looking to control who can access the LAN. When I'm with these customers, I ask a few key questions:
Do you care about controlling users on the LAN?
Do you want to prevent zero-day attacks?
Do you need to make sure users don't get access to the wrong information?
Customers almost always answer "yes," and that's when the conversation moves to the differences between pre- and post-admission control. A lot of people define NAC as admission control – just who can come onto the network. But LAN security is about much more than just NAC – it's really about controlling people after they're on the LAN. That's what defines post-admission control, and that's why NAC isn't enough.
When I ask customers why they need these post-admission controls, the top reasons they give are:
· To enable guest access
· To control contractor access
· To protect high-value corporate data and applications
· To segment users for regulatory compliance
· To detect and contain malware
To solve these problems, a LAN security system must provide post-admission control capabilities. And to a large extent, the architecture of the platform will dictate whether those capabilities are possible. So in this column we'll first review the top customer projects that require post-admission control, and then we'll look at why inline LAN security architectures provide the greatest scope of control.
Top five Reasons customers deploy post-admission control
1) Enabling guest access
Many types of businesses must provide internet access to customers and visitors. For example, hotel guests expect internet access, as do patients and family members in the waiting room of a medical facility. But enterprises must ensure that guests cannot reach corporate assets such as data and applications, or compromise services such as voice over IP (VoIP). Enterprises may also want to ensure guests cannot spread malware. LAN security solutions thus must handle these tasks:
Recognize guests – either by categorizing all unauthenticated users as guests or through a guest login. Restrict access of identified guests – limit access to the internet only so guest traffic does not propagate across the LAN. Perform host posture check – a dissolvable agent can protect against malware infection from unmanaged guest computers.
2) Controlling contractor access
Enterprises work with a variety of contractors — service personnel who maintain everything from data center servers to MRI machines and on-site contractors for everything from project management to accounting. These contractors need LAN access to perform their jobs. However, that access must be limited. To control contractors, a LAN security platform must:
Learn a contractor's identity during authentication – either through "snooping" the login to active directory or RADIUS or through a captive portal login. Apply role-based controls – enforcing these policies is key to limiting the applications, servers, and other resources contractors can reach. Perform host posture check for unmanaged machines – contractors often use their own PCs, and the enterprise must stay protected.
3) Protecting corporate data and applications
Critical data and applications need greater protection. For example, only faculty should access a university's grading system. IT needs simple tools for limiting access to the most sensitive data. This level of post-admission control requires that a security platform that can:
Tie users to traffic flows – this detailed visibility, including the username and applications, helps IT define and apply control policies, respond to problems, and identify trends.
Apply role-based control in real time – enabling LAN segmentation and restricting access to information such as financial data, customer records, or the like.
Detect and contain attacks and zero-day threats – blocking denial of service (DoS) attacks, new malware, and attacks on services such as VoIP is key to protecting availability of corporate resources.
4) Segmenting users for regulatory compliance
To comply with regulations such as the Payment Card Industry (PCI) data security standard or the Health Insurance Portability and Accountability Act (HIPAA), organizations need to segment users and restrict access to critical information based on users' roles. For auditing purposes, organizations also need to prove access is indeed restricted. A good post-admission control solution will protect sensitive data and limit the scope of an audit to user and server systems subject to the regulation. To aid in compliance, LAN security systems must perform these functions:
Apply policy-based access controls – to protect critical data and resources.Fully document control policies – listing the users allowed to access resources is a key auditing tool. Report all user activity – showing which users went to which resources is also vital for auditing.
5) Detecting and containing malware
Checking a host for malware or OS service packs at network admission is not enough. Once on the network, the user may visit an internet site or click an email link, catch a virus, and spread it to the network. Post-admission checks ensure a malware outbreak does not cause a network meltdown. A security platform must have these capabilities:
Correlate all traffic from a single user – so the platform can recognize anomalous behavior. Apply anomaly detection algorithms – to recognize and block both known and unknown threats. Provide granular malware control – so IT can decide whether to block all traffic from an infected user or just the infected application.
Architectural considerations
A LAN security platform's post-admission control capabilities depend on whether it employs an inline or out-of-band architecture. Because they sit in the flow of traffic, inline devices provide more comprehensive post-admission control by continuously monitoring traffic in real time, tying it to specific users, and applying policies. In-line devices that offer deep packet inspection provide the most complete control.
Out-of-band devices operate on the user's initial traffic flow only, checking for authentication, admission compliance, and virtual LAN (VLAN) membership. These solutions have limited post-admission control capabilities and no enforcement control over user traffic. Out-of-band devices depend on switches for enforcement, and VLANs and access control lists (ACLs) are the only tools for this enforcement. Since users end up having multiple group affiliations, this kind of segmentation and control simply doesn't work.
LAN security platforms need to provide flexible role-based provisioning, to support everything from simple policies to complex conditional policies that accommodate users with multiple roles.
Adding it up
Post-admission control offers a number of benefits by letting enterprises control what resources users can reach, from where, and when. While some organizations may have different needs than those highlighted here, post-admission controls give enterprises the tools they need in today's volatile security environment to provide selective, granular access; protect critical assets such as customer data and intellectual property; comply with state and government regulations; and counter malware for improved uptime.
— Tom Barsi is the president and CEO of ConSentry Networks
