NAC Appliances: Shortcut to Access Control

Infrastructures that check endpoint health before network access have generated plenty of buzz, but precious little deployment. Some companies are waiting for a winner to emerge from the chief contenders: Cisco's Network Admission Control (NAC), Microsoft's Network Access Protection (NAP), and TCG's Trusted Network Connect (TNC). Others have tested these infrastructures and found that full deployment requires massive network upgrades and agent installations that will likely take years. To fill the gap between consumer interest and investment, several vendors now offer "NAC-in-a-box" -- appliances that deliver many of NAC's promised benefits, with far less fuss.

Simplifying NAC

NAC, NAP, and TNC are distributed architectures that differ in detail but share a common goal: proactive eradication of threats introduced by hosts connecting to corporate networks. All three extend the network infrastructure to audit health and verify compliance before each endpoint connects to that network. All require coordination between an agent on the endpoint itself, devices that deliver network access, servers that provide authentication, systems responsible for policy decisions regarding health and compliance, and elements that help enforce those decisions and remediate failures. Baking admission control into a network's fabric is conceptually attractive, but it takes time and money to upgrade networks with dozens of servers, hundreds of routers and switches, and thousands of hosts.

Alternatively, some of these functions can be consolidated into a single appliance, positioned between the endpoints to be scanned and the network to be protected. NAC appliances insert themselves into 802.1X, VPN, or domain authentication flows, scanning the endpoint for malware and required security measures. Endpoints that are clean and compliant are granted access to authorized resources to conduct business as usual. Endpoints that are unknown or unsafe may be shunted into quarantine and/or granted limited access.

How appliances accomplish these tasks -- and the degree to which they do so -- varies widely. But most NAC appliances try to avoid requiring installed agent software or network/server upgrades. Instead, they use an overlay approach to augment what you already have in place.

What to expect in a NAC appliance

Unlike point products that fit into a distributed NAC infrastructure, appliances tend to minimize dependency on third-party systems by absorbing as much of the NAC burden as possible. This does not mean that NAC appliances have no external interfaces -- indeed, they must interoperate with surrounding systems to avoid network redesign. Choosing the right NAC appliance requires a good understanding of the role(s) it will play in your network and the functions it must or may provide.

Factors to consider when choosing a NAC appliance include the following.

OS independence: To lower TCO, NAC appliances can usually function without installed endpoint agents. Some appliances use network scans to probe any endpoint, regardless of OS, including embedded devices like VoIP phones. Several appliances use ActiveX to scan the host, or SMB protocols to query the host, introducing Windows dependencies. Some offer an optional installed agent with advanced scanning or remediation features. Take a hard look at any NAC appliance to understand endpoint OS coverage and what features (if any) are limited to specific OSes.

Access methods: NAC appliances insert themselves into the network admission process at various points, such as when a LAN user logs into a domain, when a wireless user passes 802.1X, or when a remote user tunnels into a VPN. Most appliances support 802.1X for wired and wireless LAN endpoints. If you have not yet invested in 802.1X -- or want to support guest access -- look for an appliance with Web portal login or DHCP-time checks. Related considerations include support for your VPN client/concentrator and single sign-on, so that NAC does not result in multiple user logins.

Network independence: Unlike Cisco NAC (which requires Cisco IOS and ACS) and Microsoft NAP (which requires Microsoft Vista and Longhorn), NAC appliances are designed to drop into existing heterogeneous networks. But what does "drop in" mean? Most NAC appliances connect to a Layer 2 switch, between the access and distribution or core layers. Some connect to a Layer 3 switch, near the network core. NAC appliances may operate out-of-band (consulted only during admission) or in-line (passing traffic as a bridge or router after admission). Each has pros and cons -- for example, out-of-band appliances avoid adding latency, but in-line appliances simplify enforcement.
Some appliances support both options, letting you decide the best fit for your network.

Authentication methods: Most NAC appliances assess and enforce policy based on endpoint user identity -- preferably authenticated. A Web portal on the appliance is common for guest access, but you probably want to authenticate employees against existing servers and databases. Most NAC appliances can proxy LAN access requests to your existing Active Directory, LDAP, or RADIUS authentication server, then use the results to enforce user- or group-based policies. Some NAC appliances also support certificate and two-factor authentication, primarily needed for VPN or 802.1X users. If you must deal with "headless" devices like IP printers, look for an appliance that can use simple MAC ACLs to assess and map unauthenticated devices onto specified VLANs.

Policy definition: NAC assessment is based on policy, but what does that policy look like and how is it defined? Start by checking the endpoint's health: Is it infected with viruses or spyware; is it listening on trojan ports? Next, compare endpoint security posture to defined requirements: Is the OS version allowed, are security patches and signatures current, are anti-virus and firewall programs present, or are forbidden services running? NAC appliances diverge on these nitty-gritty policy details, so look carefully at built-in policies, custom policy granularity, and the ability to assess or invoke the endpoint security programs used by your workforce.

For example, most appliances can quickly check services for common threats, but only some can launch a host AV scan if problems are detected. Look for appliances that take user identity, group/role, past compliance, threat history, and exceptions into consideration. For example, you may want lightweight assessment of guest endpoints given Internet-only access, while requiring previously quarantined employee endpoints to be thoroughly scanned. But remember: deeper endpoint audits introduce host software dependencies; this is where NAC/NAP/TNC agents will add real value (and deployment cost).

Enforcement and remediation: Ultimately, a NAC appliance must deny admission to non-compliant endpoints. Blocking could be accomplished through authentication failure, but to cut help desk cost, NAC must assist with self-remediation. Most NAC appliances can quarantine endpoints into a VLAN or subnet, redirecting Web requests to a remediation server where the user can apply missing patches or remove malware. In-line appliances can directly enforce quarantine through VLAN switching or routing. Out-of-band appliances may redirect traffic using ARP or send SNMP/CLI ACL updates to nearby switches, routers, or firewalls. This is another area where NAC appliances diverge, so look closely at enforcement reliability and granularity, as well as self-remediation and limited access controls. For example, are quarantined endpoints isolated from each other, or do they share one "VLAN of death"?
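As an added illustration (not code from this article or from any vendor it names), the following constructed Python policy evaluator shows how the health check, the posture requirements, and the role and past-compliance considerations described above combine into one admission decision that the enforcement step can act on. The policy tables, field names and the "guest"/"employee" roles are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed policy tables; a real appliance would load these from its policy server.
FORBIDDEN_SERVICES = {"telnet", "tftp", "irc"}
MIN_PATCH_LEVEL = {"windows-xp": 2, "windows-vista": 1}   # minimum service pack per allowed OS
MAX_SIGNATURE_AGE_DAYS = 7

@dataclass
class Endpoint:
    user: str
    role: str                    # "guest" or "employee" (assumed role names)
    os: str
    patch_level: int
    av_present: bool
    av_signature_age_days: int
    firewall_on: bool
    listening_services: set
    infected: bool = False
    previously_quarantined: bool = False

@dataclass
class Decision:
    action: str                  # "allow", "limited" (Internet-only) or "quarantine"
    failures: list = field(default_factory=list)
    deep_scan_required: bool = False   # launch a full host AV scan before final admission

def assess(ep: Endpoint) -> Decision:
    """Health check first, then a posture check scaled by role and past compliance."""
    failures = []
    if ep.infected:
        failures.append("malware detected")
    bad = ep.listening_services & FORBIDDEN_SERVICES
    if bad:
        failures.append("forbidden services: " + ", ".join(sorted(bad)))
    # Guests get only the lightweight health check and Internet-only access.
    if ep.role == "guest":
        return Decision("quarantine" if failures else "limited", failures)
    # Employees are compared against the full posture requirements.
    if ep.os not in MIN_PATCH_LEVEL:
        failures.append("OS not allowed: " + ep.os)
    elif ep.patch_level < MIN_PATCH_LEVEL[ep.os]:
        failures.append("security patches out of date")
    if not ep.av_present:
        failures.append("anti-virus missing")
    elif ep.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("anti-virus signatures stale")
    if not ep.firewall_on:
        failures.append("host firewall disabled")
    # Past compliance: a previously quarantined employee host is scanned thoroughly,
    # which is where an installed agent (and its deployment cost) comes in.
    return Decision("quarantine" if failures else "allow", failures, ep.previously_quarantined)
```

The failures list is what a remediation portal would show the user, so each entry names one thing the user can fix without a help desk call.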
Also pay close attention to how endpoints exit quarantine -- the appliance should avoid help desk intervention for simple fixes, while escalating more serious problems via email, traps, or trouble tickets.

Scalability and performance: A small network might be satisfied with one NAC box, but NAC really appeals to larger companies where threats are difficult to cost-effectively avoid and mitigate. Most NAC appliances are therefore product suites, where several assessment/enforcement boxes can be managed by a central policy server (software or hardware). Boxes are distributed for geographic reach, coverage, performance, and redundancy. In a recent CMP poll, the top technical issues associated with NAC were ensuring that failure would not compromise fault tolerance, and providing security without compromising LAN performance. This demonstrates the importance of selecting NAC appliances that are sized for your network. For example, Mirage appliances range from four VLANs/100 endpoints to 32 VLANs/2500 endpoints with high availability.

Future direction: Companies that are not yet ready to take the NAC/NAP/TNC plunge can use NAC appliances to reap immediate benefits and learn more about assessment and remediation. In the long run, NAC appliances are expected to integrate with those infrastructure solutions. Customers with heavy Cisco investment may prefer appliance vendors that participate in the Cisco Compatible for NAC program. Those planning to move aggressively to Vista and Longhorn may look for vendors in Microsoft's NAP program. Large heterogeneous networks will benefit from appliances that eventually implement TNC's open interfaces. But avoid over-emphasis on today's alliances. Many NAC vendors are hedging their bets by participating in multiple programs.

Finding NAC-in-a-box

Many vendors already offer NAC appliances, and analysts expect this market to explode over the next few years. Purpose-built NAC products that use hardware appliances to assess endpoint integrity and control network admission include products from Caymas, ConSentry, FireEye, ForeScout, Lockdown, Mirage, Nevis, StillSecure, Symantec and Vernier, as well as Cisco's Clean Access.

In addition, most network equipment vendors are adding NAC features to managed switches, wireless access points, and remote access concentrators. Examples include Cisco, Enterasys, Extreme Networks, Hewlett-Packard, and Juniper Networks. Many host security software vendors are adding NAC features to their offerings, including InfoExpress, McAfee, Senforce, and Trend Micro. These NAC-enabled devices and programs are helping to lay the foundation for infrastructure-based network admission control.
Note that Cisco currently participates in both markets -- this trend is likely to expand as vendors try to capture customers by offering NAC appliances today, and hold onto them by offering NAC infrastructure solutions tomorrow.