By Christian Buecker, CEO, macmon secure gmbh
Recent reports from research company Frost & Sullivan have found that network access control is having a market resurgence, with continuing strong demand predicted for the next few years.
Using NAC to protect against unauthorised or unsecured devices, and against aggressive access attempts from inside the network, is now a hot topic in today’s enterprises and a major area of concern and discussion for senior management. But why? And why now, after so many years of network ports being open to attack, and with so many products having been on the market for some time?
The main reason for the increase in demand for good NAC solutions is not only the increased threat of industrial espionage, but also the increasing number of allowable devices in otherwise secure environments.
Employees today generally expect their workplace to let them use their own smartphones, laptops, ultrabooks, etc. Many companies have been reluctant to allow access for these “unknown” devices, but these rules are increasingly being relaxed.
Coupled with this is the alarming fact that many devices are able to connect to rogue access points that are easily configured by the user – without the IT department even noticing!
Frequently, employees using such devices have no concept of the inherent dangers of connecting unsecured devices to a secured network. The majority of the devices have not been designed with security in mind and are, therefore, not suited to the security requirements of corporate use. That makes them exceptionally difficult to manage centrally.
Previously, NAC was considered difficult and cumbersome to roll out as well as being very costly. It sometimes required very specific hardware and often resulted in pilot projects which were never fully rolled out, because administrators were wary of making changes.
At the time, appliances had to be distributed across the whole network to block traffic from unwanted systems, and software had to be installed on every endpoint to restrict communication to the company’s own devices; otherwise, the complete infrastructure had to be expensively homogenised with a single vendor.
The overall expense of such implementations frequently led to the failure of the project and also gave rise to a lot of negativity around the whole subject of NAC.
The new NAC
NAC products have now evolved so that, instead of being a burden on the network team, they can actually add value to the team’s everyday work. The new solutions approach NAC from a network management angle, rather than focusing heavily on the endpoint.
The integration of new NAC technologies with older but mature technologies allows a central security authority to be established for the control of all devices on the LAN and WLAN. This can be achieved without adjusting the existing network, without heavy investment, and without undue implementation effort.
When looking for a NAC system today, there are three main areas to be considered.
A NAC solution can be defined as the core element of the network. It achieves this through the control of all network entry points and through the use of future-proof technologies such as 802.1X, SNMP or Active Directory.
Security should be provided by a centrally managed set of access permissions for standard, new, unqualified, private, secure, insecure and guest devices. In this way, the solution automatically assigns a designated network to each individual class of device.
In principle, the techniques used must cover the entire network, without exception, regardless of the existing network infrastructure, and must act independently of the plethora of operating systems used by the endpoints. Additionally, tremendous benefits can be achieved if the NAC security solution can be integrated with other existing or planned security products.
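An added example, not code from the article or from macmon, of what the “designated network per class of device” idea looks like as a central policy decision: an endpoint is classified from its 802.1X identity, Active Directory membership, posture result, guest registration or a MAC inventory (as SNMP-based NAC would learn it from the switches), and the matching VLAN is returned as the standard RADIUS attributes (RFC 3580) a switch uses for dynamic VLAN assignment. The VLAN numbers, the class-to-VLAN policy and the device list are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed VLAN plan for this example (not from the article).
VLAN_CORPORATE, VLAN_GUEST, VLAN_QUARANTINE = 10, 20, 99

# Constructed inventory of devices that cannot speak 802.1X (e.g. printers),
# identified by MAC only; a real NAC would learn these via SNMP from the switches.
KNOWN_MACS = {"00:11:22:33:44:55"}

@dataclass
class Endpoint:
    mac: str
    dot1x_user: Optional[str] = None  # identity from an 802.1X/EAP exchange, None if absent
    in_directory: bool = False        # computer object exists in Active Directory
    posture_ok: bool = True           # health check (patches, AV) passed
    guest_sponsored: bool = False     # registered through the guest portal

def classify(ep: Endpoint) -> str:
    """Map an endpoint to one of the device classes the article lists."""
    if ep.dot1x_user and ep.in_directory:
        return "secure" if ep.posture_ok else "insecure"
    if ep.dot1x_user:                 # valid user on a device AD does not know: BYOD
        return "private"
    if ep.mac.lower() in KNOWN_MACS:
        return "standard"
    if ep.guest_sponsored:
        return "guest"
    return "new"                      # never seen before: least privilege by default

# Assumed policy: which network each class lands in.
CLASS_TO_VLAN = {
    "secure": VLAN_CORPORATE, "standard": VLAN_CORPORATE,
    "private": VLAN_GUEST, "guest": VLAN_GUEST,
    "insecure": VLAN_QUARANTINE, "new": VLAN_QUARANTINE,
}

def radius_vlan_attributes(vlan: int) -> dict:
    """RADIUS attributes (RFC 3580) that tell a switch which VLAN to put the port in."""
    return {"Tunnel-Type": 13,             # VLAN
            "Tunnel-Medium-Type": 6,       # IEEE-802
            "Tunnel-Private-Group-ID": str(vlan)}

def decide(ep: Endpoint) -> tuple:
    """Central decision: (device class, VLAN, RADIUS attributes for the switch)."""
    cls = classify(ep)
    vlan = CLASS_TO_VLAN[cls]
    return cls, vlan, radius_vlan_attributes(vlan)

if __name__ == "__main__":
    for ep in (Endpoint("aa:bb:cc:dd:ee:01", "alice", in_directory=True),
               Endpoint("aa:bb:cc:dd:ee:02", "bob", in_directory=True, posture_ok=False),
               Endpoint("aa:bb:cc:dd:ee:03")):
        print(ep.mac, *decide(ep)[:2])
```

Because an unknown device defaults to the quarantine VLAN, a new or unqualified endpoint never lands on the corporate network by accident; only a positive classification moves it out.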
Ease of use
As with any good solution, the implementation and maintenance of its core elements should be as straightforward as possible, so that they do not become a burden on the level of security required. This means that the selected NAC solution should not be overly complex and should fit into a normal daily workflow.
For example, dynamic VLAN management for company devices should, as an absolute basic requirement, also provide simple and reliable access for guests and other visitors (such as service providers). Operating a network of any size can be a considerable daily effort, and a central component such as NAC can and should reduce both the operating resources and the relative expense.
Controlling all dynamic network entry points from a central location should also provide, present and make available as much information as possible, in a user-friendly format. This includes graphical representations and “at-a-glance” maps of the entire network topology, an overview with “drill-down” statistics of the devices currently and most recently active, with details such as the location where each was last seen, and displays and listings of free and multiply used ports. Through these provisions, network transparency increases enormously, and each device, port and resource can be found conveniently, at the press of a button.
NAC products are available today which can provide these three elements. They can combine the robust structure expected of legacy and mature systems, with new NAC technologies and an intuitive interface.
The pick of today’s NAC solutions can operate from a central location, with a central server and cover the entire network, irrespective of physical locations. New devices are immediately recognised and treated on the basis of their individual attributes, with flexible rules.
Adjustments to the current network infrastructure are simply not necessary with this type of solution. Initial costs are drastically reduced due to straightforward implementation, which takes one or two days, depending on network size. The most effective solutions can be integrated into an existing network infrastructure, making this a relatively inexpensive and simple way to introduce NAC into an organisation. This makes it easier to tackle the security issues around the ever-increasing number of devices connecting to today’s networks.