news / tech talk

Network Access Control

by Lee LeClair
As seen in Inside Tucson Business

If you have a mid to large size business with a lot of IT infrastructure, you may have heard of a fairly new technology called Network Access Control (NAC). NAC addresses several concerns and provides an enhanced level of security. NAC is still evolving and the implementations currently available are all proprietary though some rely on aspects of open standards. NAC provides two core functions: network access control and PC compliance verification.

Various NAC solutions provide network access control through several methods but the predominant methods are through IEEE 802.1X or through in-line blocking. The 802.1X standard is most known for its use in wireless networks though it is supported in more modern wired network switchgear as well. In itself, 802.1X is a protocol for a switch to pass authentication data to an authentication system, typically a RADIUS server. Failure to authenticate results in the network switch port used to connect being shut off, effectively cutting the requesting PC off at the switch port level. With 802.1X turned on, someone cannot come in off the street and connect their system to your network without first authenticating to the network for access. You can see the advantages if you have multiple offices or a lot of guests or clients at your site(s).

The second part of NAC provides for PC compliance verification. For example, a business establishes a policy that all PCs must have anti-virus software, it must have been updated within the last two weeks, and it must have successfully run within the last week. In addition, the system must be up-to-date on operating system patches or it must not have certain software e.g., iTunes. Once this policy is established, a NAC solution would use either remote login or a PC-based agent to verify that all connected PCs are compliant with policy. If any are not, several actions can be taken including quarantine of the system to a separate LAN segment where updates can be applied or simply providing a warning screen that updates should be applied as soon as possible. The compliance checks are typically verified at network connection time and on some configurable frequency after connection. This type of compliance checking is similar to a vulnerability scan but is not as complete and should not be substituted for periodic vulnerability scanning of connected systems.

Sound like good stuff? It is, but there are catches as there always are. First, at this point the technology is not standardized so all implementations are proprietary. The big players are getting into this arena (i.e., Cisco, Microsoft, et al) but their products have issues (Microsoft’s isn’t availble yet – its coming with Vista/Longhorn/etc. and Cisco’s requires all Cisco switches). Some smaller companies have more complete solutions now but if you buy theirs, will the company you chose be around later? There were more than 30 companies offering a NAC type product during a recent survey by MITRE corporation. Finally, older network switches do not all support 802.1X or do not support it fully.

As for PC compliance verification, it’s a great concept and ability to have but implementation must be considered carefully. Too draconian a policy could result in your CEO being trapped in a quarantine VLAN at a really bad time; that would mean an even worse time for his IT team in short order. Too lax a policy would mean that a lot of money and time was spent without significant return. As usual, careful planning, user training and rollout are critical to success.

The benefits of NAC are significant in maintaining a controlled and compliant environment. The decision to begin examination or adoption of this technology should be based on your current requirements and risk mitigation needs.

Lee Le Clair is the CTO at Ephibian. His Tech Talk column appears the third week of each month in Inside Tucson Business