BANGALORE, INDIA: Enterprise organisations are making significant investments in endpoint security mechanisms in an effort to comply with standards and IT control frameworks.
After all, non-compliance has serious consequences. Should unprotected, non-compliant devices access the corporate network, the organisation is at risk of intellectual property exposure, costly network downtime, and possible regulatory fines that can, in turn, undermine the company’s brand and reputation.
Furthermore, to achieve compliance and justify their security investments, IT managers must ensure that the controls they put in place are functioning as they should and that security policies are being effectively enforced on both managed and unmanaged devices before they are given access to corporate resources.
Network access control tools make this seemingly impossible challenge an achievable and cost-effective one. These proven, scalable tools automate the discovery of endpoints and the evaluation of their compliance status. They also offer remediation for non-compliant devices and continually monitor endpoints for changes in compliance status. As a result, organisations see not only fewer security incidents but also higher levels of compliance with IT security policy.
Protecting the New Perimeter
To avoid underestimating the scope of endpoint security and control responsibilities, organisations must first acknowledge that the goal of ensuring the confidentiality, integrity and availability of information applies regardless of where the associated information resides at any given moment.
And, in today’s computing environments, people are the network perimeter. User populations now commonly include both on-site and remote employees as well as guests, contractors and other temporary workers. All of them require access to corporate resources.
Managed endpoints often have access to a broad range of information and are typically allowed to retain large portions of that information. In addition, not all managed endpoints and their users will have the same rights and permissions for accessing and storing information.
Compliance with governance directives and regulatory mandates for information protection is required for these endpoints, and a wide range of countermeasures is often implemented, from personal firewalls and antivirus to intrusion prevention and encryption. These countermeasures are most effective when they take advantage of a client-based agent that can perform an in-depth audit of the endpoint’s security posture and configuration.
The challenge with unmanaged nodes is that although they do have access to sensitive information and, if unprotected, can pose a threat to corporate resources, they are not under the control of IT. Consequently, persistent agents are typically not an option for securing them. Instead, any protective measures must be temporary, or dissolvable, and cannot impose changes or restrictions beyond the duration of a specific application session or network connection.
Such on-demand protection is effective for on-site guest access, customer access to e-commerce applications, partner extranet access, and employee access from public kiosks or home computers. This not only protects the interests of the organisation but also enables it to extend value to its customers. A financial institution or credit reporting agency, for example, could assure customers that data downloaded from its site is safe from interception.
To help ensure that corporate information assets are secure, countermeasures must be provided for both managed and unmanaged endpoints. While these countermeasures may not be possible through a single software agent, they can—and should—be part of a unified agent architecture and be administered through a centralised system to ease deployment and management.
Network access control tools work together with endpoint protection countermeasures to verify the health and security status of devices before they connect to resources and on a continual basis after they connect. Devices that are out of compliance are automatically brought into compliance. If a device cannot be brought into compliance, it is quarantined with limited or no access to the network. Furthermore, devices with network access are monitored continually for compliance; should an endpoint’s compliance status change, so do its network access privileges.
Evaluating Endpoints
The network access control architecture typically includes three core components: policy management, endpoint evaluation, and network enforcement. These three components work together as a single solution and usually do not rely on external elements to function.
Because of the complex and demanding nature of today’s IT environments, a growing number of network access control tools offer an enterprise-class management console. This console gives granular control over all administrative tasks, allowing IT not only to set the policies that govern the behaviour of the tool’s agents and enforcement mechanisms but also to view logs and run reports.
The most flexible network access control tools offer a variety of endpoint evaluation technologies for determining the compliance of devices. For example, corporate-owned and other managed systems may use persistent agents to verify that endpoints are not only protected but also configured correctly. These agents may check for antivirus, antispyware, and installed patches as well as more complex system characteristics such as registry entries, running processes, and file attributes. Of the assessment options, persistent agents provide the most in-depth, accurate, and reliable compliance information, and they also offer the most flexible remediation and repair functionality.
In contrast, for non-corporate devices or systems not currently managed by administrators, dissolvable agents are delivered on-demand and without administrative privileges to evaluate the compliance status of these unmanaged endpoints. Once a session has terminated, these agents automatically remove themselves from the system.
As an alternative, network access control tools may also offer remote vulnerability scanning to extend information-gathering functionality to systems for which agent-based technology is not yet available.
Enforcing Compliance
Because every organisation’s network environment is unique, no single enforcement method can effectively control access to all points on the network. Consequently, network access control tools require flexibility in order to integrate multiple enforcement methods into an existing environment without increasing operational complexity or cost.
For example, a gateway enforcement mechanism may be used at network choke points to control traffic flow through it based upon policy compliance of remote endpoints. These choke points may be at the perimeter network connection point such as a WAN link or VPN or they may be on internal segments accessing critical business systems.
For DHCP environments, an enforcement mechanism may act as a proxy deployed between endpoints and the DHCP service infrastructure. Until policy compliance is verified, a restrictive DHCP lease may be issued; upon verification, a new lease may be assigned to the endpoint. DHCP enforcement mechanisms that integrate with popular DHCP servers allow network access control to be deployed more rapidly without adding devices to the network. Because this method depends on the endpoint requesting and honouring its lease, a host configured with a static address is not constrained by it, so DHCP enforcement is best combined with another enforcement method where that risk matters.
Most network access control tools also support LAN environments. To that end, they may use an out-of-band 802.1X RADIUS proxy that works with switches from the major vendors that support the 802.1X standard. In some cases this LAN enforcement mechanism participates in an existing identity management architecture and authenticates both users and endpoints; in other cases it acts as an independent RADIUS server for environments that require only endpoint compliance validation. Switch port access is typically provisioned based upon the authentication results for the connected endpoints.
Self-enforcement is also commonly offered as part of network access control. Self-enforcement may leverage the host-based protection capabilities of a persistent agent to adjust local agent policies according to the endpoint’s compliance status. This allows administrators to control access to any network, on or off the corporate network, for devices such as laptops that routinely move between multiple networks.
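The evaluate, remediate and quarantine loop described under Evaluating Endpoints, and its mapping to an 802.1X switch-port decision described under Enforcing Compliance, as an added example in Python. This is not code from the article or from any Symantec product. The check names, posture-report keys, patch identifiers, process name, VLAN numbers and the two sample posture reports are all constructed for illustration; the only real identifiers are the three RADIUS attributes used for dynamic VLAN assignment (RFC 3580) and the Windows Firewall registry key.

```python
"""Toy NAC policy engine: evaluate an endpoint posture report, attempt
in-session remediation, and map the outcome to an 802.1X port decision."""
from dataclasses import dataclass
from datetime import date
from typing import Any, Callable, Dict, List, Optional

Report = Dict[str, Any]                    # posture report as an agent would send it
FULL, QUARANTINE = "full", "quarantine"    # access levels (illustrative names)


@dataclass
class Check:
    """One policy rule: a predicate over the report plus, where a repair is
    possible within the session, a remediation step that edits the report."""
    name: str
    passes: Callable[[Report], bool]
    remediate: Optional[Callable[[Report], None]] = None


@dataclass
class Decision:
    access: str
    failed: List[str]
    remediated: List[str]
    radius_attrs: Dict[str, str]


def vlan_attributes(access: str) -> Dict[str, str]:
    """RADIUS attributes a switch uses for dynamic VLAN assignment on an
    802.1X port (RFC 3580). The VLAN numbers are assumed for this example."""
    vlan = {FULL: "10", QUARANTINE: "999"}[access]
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": vlan}


def evaluate(report: Report, policy: List[Check]) -> Decision:
    """Run every check; try remediation on failures; any failure that cannot
    be repaired means quarantine. Call again whenever the agent reports a
    change so that network access follows compliance status."""
    failed: List[str] = []
    remediated: List[str] = []
    for check in policy:
        if check.passes(report):
            continue
        if check.remediate is not None:
            check.remediate(report)            # mutates the report in place
            if check.passes(report):
                remediated.append(check.name)
                continue
        failed.append(check.name)
    access = FULL if not failed else QUARANTINE
    return Decision(access, failed, remediated, vlan_attributes(access))


# --- Example policy (patch IDs and process name are placeholders) ------------
TODAY = date(2008, 6, 1)                   # fixed date so results are reproducible
REQUIRED_PATCHES = {"KB-A", "KB-B"}
FORBIDDEN_PROCESSES = {"p2pclient.exe"}
FW_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
          r"\FirewallPolicy\StandardProfile\EnableFirewall")   # Windows Firewall

POLICY = [
    Check("antivirus running", lambda r: bool(r.get("av_running")),
          lambda r: r.update(av_running=True)),          # start the AV service
    Check("signatures fresh", lambda r: (TODAY - r["av_sig_date"]).days <= 7,
          lambda r: r.update(av_sig_date=TODAY)),        # pull a signature update
    Check("patches installed",                           # no in-session fix
          lambda r: REQUIRED_PATCHES <= set(r.get("patches", []))),
    Check("no forbidden processes",
          lambda r: not (FORBIDDEN_PROCESSES & set(r.get("processes", [])))),
    Check("firewall enabled in registry",
          lambda r: r.get("registry", {}).get(FW_KEY) == 1),
]


def sample_reports() -> Dict[str, Report]:
    """Constructed posture reports; not captured from any real agent."""
    return {
        "managed-laptop": {"av_running": False,              # stopped: remediable
                           "av_sig_date": date(2008, 5, 1),  # stale: remediable
                           "patches": ["KB-A", "KB-B"],
                           "processes": ["explorer.exe"],
                           "registry": {FW_KEY: 1}},
        "guest-pc": {"av_running": True, "av_sig_date": TODAY,
                     "patches": ["KB-A"],                     # KB-B missing: not remediable
                     "processes": ["explorer.exe"],
                     "registry": {FW_KEY: 1}},
    }


if __name__ == "__main__":
    reports = sample_reports()
    for name, report in reports.items():
        d = evaluate(report, POLICY)
        print(f"{name}: {d.access}, failed={d.failed}, remediated={d.remediated}, "
              f"VLAN={d.radius_attrs['Tunnel-Private-Group-ID']}")
    # Continuous monitoring: a later report from the laptop shows a forbidden
    # process, and re-evaluation moves the port to the quarantine VLAN.
    reports["managed-laptop"]["processes"].append("p2pclient.exe")
    print("managed-laptop after change:", evaluate(reports["managed-laptop"], POLICY).access)
```

The managed laptop fails two checks that the agent can repair within the session (restart the antivirus service, refresh signatures) and so ends up with full access; the guest machine is missing a patch that cannot be installed during a dissolvable-agent session and is placed on the quarantine VLAN. Re-running `evaluate` on a changed report is the continuous-monitoring step: access is recomputed from the current posture, not from the result at first connection.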
Network access control tools may also integrate with and enhance existing network access control technologies from a variety of vendors. This helps ensure that organisations have more comprehensive coverage and control regardless of the enforcement methodology they use.
Never Too Late
Regardless of the enforcement mechanisms they use, organisations that leverage network access control tools can be assured that end users and endpoints are in compliance at the point of contact with the corporate network.
Used in combination with endpoint protection, network access control can help reduce the propagation of malicious code and lower the organisation’s risk profile through increased control of managed and unmanaged endpoints.
Network access control can also provide greater network availability and reduced disruption of services, while offering verifiable organisational compliance information through real-time endpoint compliance data. In addition, network access control can help organisations minimise the total cost of IT ownership through enterprise-class centralised management architectures.
With network access control, businesses can be sure that their security and compliance governance policies are continuously enforced from the moment a device attempts to connect to the corporate network. This enforcement approach, in turn, enables IT to address the pressing business-critical objectives of protecting intellectual property, avoiding downtime and regulatory fines, and helping safeguard brand integrity.
The author is Director, Systems Engineering, Symantec Corp.