NAC: Now? Or Never?

The traveling business reps for a Midwest insurance company are supposed to generate revenue for the firm—but IT staff recently discovered that many of them were bringing home value and viruses to the company.

“They saw through their antivirus [management software] that they were having problems, but they didn’t know where [the viruses] were coming from,” explains Rich Langston, senior manager of product management at Symantec, speaking about a customer’s experience. The firm tracked the viruses and found that out-of-date antivirus software on the travelers’ laptops caused the security hole. The IT staff didn’t catch the problem because these road warriors rarely spent time at the home office updating or patching their security software.

It’s a valuable lesson for companies on the go.

Today’s highly mobile workforce, along with a plethora of new tech gadgets and access to the Internet from anywhere, has raised the security stakes for corporate networks. Laptops, PDAs and cell phones were just the beginning. The number of network threats has increased exponentially, with VoIP phone capabilities, Web access from hotels, dorm rooms, airports and coffee shops, and even internal sabotage.

Network Access Control (NAC), a set of technologies that aim to ensure that only authorized users with fully patched and virus-protected hardware can access corporate resources, is more important than ever—not just for outside guests gaining accesses to internal networks, but for employees who have no business in the company’s more data-sensitive systems.

A full NAC cycle solution includes pre-admission inspection and post-admission monitoring, a policy decision and enforcement point, and a method of quarantine and remediation for noncompliant machines. When a user requests access, the machine is checked and, if found to be compliant, it is allowed to access the network. Post-admission monitoring will ensure that the user stays compliant by entering the assessment/decision/enforcement process again periodically. If the user is found to be noncompliant, NAC solutions should offer a means of quarantine and remediation to bring the user into compliance. The user should then be allowed to access the network, once again under post-admission monitoring.

NAC Roadblocks

Adoption of NAC solutions has been slow. Though the problem is clear, some experts argue that NAC is not the solution. (For a recent go-round of detailed online NAC debate, see Richard Stiennon’s NetworkWorld post Don’t Even Bother Investing in NAC.) Only 27 percent of European and North American companies with 1,000 employees or more have already adopted NAC as of November 2007, and 15 percent will pilot or adopt in the next 12 months, according to Forrester Research in Cambridge, Mass.

Gartner Research Director Lawrence Orans says there are three issues causing network managers to delay deployment of network access control solutions.

1. The waiting game. “People tell us they think the technology is too immature,” Orans says, but that’s not entirely true. “There are some very strong proven solutions from small companies, and you have some of the big players out there making the biggest noise.” For starters, Microsoft in February began shipping its Network Access Protection (NAP) solution with Windows Server 2008.

“It is a product and a framework,” says Robert Whiteley, a senior analyst at Forrester. “The framework has been around, so there are bits and pieces” that companies have been deploying, but they couldn’t fully commit until now, he says.

Cisco’s Network Admission Control solution has also been released but hasn’t lived up to some analysts’ and users’ expectations. “That combination of events has caused people to view the technology as not mature,” Orans adds, but it has also created a window of opportunity for the little guys. (Gartner tracks 18 of them.)

But some companies can’t afford to wait. MedicAlert, a provider of medical emergency information services, needed to secure the health records of some 450,000 customers while granting safe access to employees, caregivers and the patients themselves to update information. The nonprofit organization thought about waiting to see how the market would play out, and it experimented with some homegrown, open-source solutions, but ultimately decided to go with a Web access control solution in a services-oriented architecture.

“What convinced me was the cost of not doing it,” says Martin Fisher, vice president of IT at Turlock, Calif.-based MedicAlert. “While it is relatively expensive, the cost of not doing it in terms of reputation lost if we actually had a breach would be enormous. While my background in development leads one to think about building everything oneself, it was also clear that we would be better off going with experts in the field rather than building it ourselves.”

2. Money matters.

“We also hear objections about expense” in deploying NAC solutions, Orans says. “There are many ways to do NAC; not every one is expensive.” There are three categories of NAC solutions—endpoint software that is installed on all desktops and laptops, appliances that attach to the network and NAC embedded in the infrastructure.

The most economical way to deploy NAC, according to Orans, is to look at the capabilities in existing infrastructure, networks and security products. “See if your current vendors have some embedded NAC functionality that you can turn on,” he says. “That can be your IPS (intrusion prevention system) vendor or Microsoft’s embedded NAC support on the Vista platform with Windows server. Endpoint protection software, such as McAfee, Symantec and Sophos, also has NAC capabilities.”

Some land-switch vendors like Nortel Networks and HP also have NAC solutions. “If your network is made up of switches from those vendors, you can add on some components and enable NAC,” Orans says.

Appliances, which sit either in line with all network traffic or “out of band” for specific traffic, are very popular but more costly, particularly if several boxes are needed to handle a large number of network users. Infrastructure expenses are the hardest to quantify because the hardware and software can’t be attributed specifically to network access control functions.

With so many choices and vendors in the market, some users say prices will eventually come down.

“Within five years time, products like these will be commoditized to the point where it will be extremely affordable,” predicts Jorge Mercado, principle architect at MedicAlert. Right now, “these [solutions] are typically for larger companies. The vendors’ pricing model is such that whoever visits your site and requires authentication has to be a direct source of revenue. That’s not necessarily the case [for smaller companies], so I think that with time, nonprofit organizations such as MedicAlert will be able to afford to secure their websites and not have to worry about paying a whole lot of money for a solution.”

3. The status quo.

Then there are political and operational concerns. IT departments fear that by keeping employees off the network due to a missed patch or out-of-date antivirus software, they’re keeping staff from doing their jobs. “That’s why we see a lot of monitoring instead of enforcement in the early stages of NAC. Some products allow system managers to simply fix the problem once it occurs in the network without quarantining a particular PC culprit.

“Another concern is, what if I keep the wrong-level person off the network? A C-level executive? That’s potentially damaging,” Orans says, “and it has been an obstacle to NAC adoption.”In the insurance company’s case, decision makers wanted to make sure that the flow of value continued despite the known virus threat, so they continued to monitor and fix the viruses rather than to shut down the network. “It’s just like any security problem. If your Internet-facing e-commerce server gets a virus, the first thing they do is nothing,” Langston explains. Shutting down the system could mean millions of dollars in losses. “If it’s a regular virus, they’ll let it go until they can figure out what to do.”

What’s more, even HIPAA and Sarbanes-Oxley requirements for data privacy don’t specifically require NAC solutions. “We don’t have to be covered if you go by the regulations,” Fisher explains regarding MedicAlert’s privacy responsibilities. “But we do act as though we were [required]. More importantly, California has a statute that requires us to be covered. It’s not a requirement to use a product like this,” but it does provide the functionality that they need to comply.

What Type of Product Fits Your Company?

Objections and obstacles noted, users also face the choice among various approaches to NAC. These choices can generally be grouped into architecture-based options, software-only solutions, and appliances. Research analyst Chris Rodriguez at Frost & Sullivan offers advice for evaluating these NAC choices according to the buyer’s company size and type of business.

Organizations that require the highest levels of security should investigate architecture options, Rodriguez says. “It provides comprehensive end-to-end security,” he says. It also allows flexibility in deployment. It can be rolled out in pieces according to budget, time, testing requirements and geographic constraints. The solution also scales easily. “They scale in direct relationship to the size of the network” because it’s part of the network infrastructure, he adds.

Market share-leading vendors in the infrastructure space include Juniper Networks, HP and Cisco.

Appliances have a good pricing advantage over infrastructure solutions, especially for smaller organizations. A single point device makes it easy to implement and maintain, Rodriguez says. But there are limits to how many users the device can support. The number varies from 2,000 to 4,000 users per box. “That makes scalability something that you should consider,” he says. Also, in-line devices represent single point of failure. “So definitely use redundant boxes, but that increases the cost.” An out-of-band device eliminates that problem.

Players in the NAC appliance market include Mirage Networks, ForeScout, TippingPoint, and Nevis.

Endpoint agents or software are appropriate for all company types. Leading vendors include Symantec, McAfee, and London-based Sophos.

“You really need two products,” Whiteley says. Deploy a software agent on all company machines, and deploy an appliance to handle pre- and post-admission activities to patrol all guest machines, he adds. Most importantly, the two products need to communicate with each other—which isn’t hard to do.

Major vendors have pledged to work with standards groups like Microsoft’s Network Access Protection and the Trusted Network Connect specification set up by Trusted Network Connect organization for interoperability. (In May 2007, Microsoft and TNC agreed to make their frameworks interoperable.)

Deploying NAC security points on both ends of the network spectrum will improve the chances of having a safe network.

“If you’re investing in patch configuration management or other security tools, they’re only as good as they are widely deployed and correctly configured,” Langston adds. “Users have suspicions about whether that’s why their laptops are slow, and they may disable these products from time to time. With NAC you can ensure that these things don’t happen and that you’re covered.” ##

NAC Options

Network Access Control choices fall into three general categories. Here are some of the leading vendors in each group.

NAC Infrastructure Providers:

• Juniper Networks
• HP
• Cisco Systems
• Nortel Networks

NAC Appliance Vendors:

• Cisco Systems
• ConSentry Networks
• ForeScout Technologies
• Lockdown Networks
• Mirage Networks
• Nevis Networks
• TippingPoint—Intrusion Prevention System appliance
• Aruba Networks

Endpoint Software Vendors:

• Bradford Networks
• Check Point
• Impulse Point
• InfoExpress
• McAfee
• Sophos
• Symantec