/ciol/media/agency_attachments/c0E28gS06GM3VmrXNw5G.png)
Follow UsBANGALORE, INDIA: “NAC” is a key terminology which is used widely across the industry. Covering a range of varying initiatives and definitions, from “Network Access Control” to “Network Admission Control”, NAC has the potential to cause confusion.
/ciol/media/post_attachments/9fb81fc7d61d20dd5e72995968631b33ff2aa4c644b2f5a5de1f023af286f810.jpg "publive-image")
The last decade has seen a steady rise in corporate security investments, in response to an ever-increasing range of security threats that cost UK businesses hundreds of millions of pounds in downtime, remediation costs and lost business every year. Spyware, Trojan horses, viruses and worms are just some of the electronic threats, which can be manipulated by hackers to attack an organisation’s network. These threats can also unwittingly be released by employees, who simply don’t know any better.
The unleashing of the Zotob worm this summer, which disabled thousands of computers, serves as a recent example of the necessity for enterprises to take a multi-layered approach to enforcement policy and intrusion prevention. Last year’s Sasser worm saw 250,000 computers infected worldwide, while the Blaster and Slammer worms had devastating effects on a global scale. These are just a few harsh examples that demonstrate what can happen when a network comes under attack, highlighting the challenges faced by businesses in proactively protecting their networks, and the costs if they do not.
Without the correct security measures in place, it is all too easy for the corporate network to become infected. With employees inserting USB devices into their office PCs, connecting MP3 players at work to download music or plugging in digital cameras to look at recent holiday snaps, there is a raft of different opportunities for worms and viruses to either be deliberately, or accidentally, uploaded onto the network.
Imagine the implications of the following situation: a graduate trainee buys an iPod while on holiday, and on his return, uses his friend’s computer to download some of his favourite tunes onto his iPod. He is completely unaware that his friend has disabled the security software on his computer in order to play online games. On Monday morning, the graduate comes into the office and connects his iPod to his PC to continue downloading more music.
He then carries on working as normal, completely unaware that he now has a worm on his machine which can propagate across the corporate network, causing major productivity loss and cost to both IT and the business. He also fails to realise that documents containing sensitive information about the company’s financial results are being leaked and before long the news will be all over the press.
This is the worst case scenario but is just one example of how malware can compromise data and networks. It certainly serves as a reminder of how vital it is that organisations take measures to preserve their corporate network and data security.
Enforcing policy and automating controls
Many organisations have recognised that effective network access control is an essential requirement for ensuring the integrity of their corporate networks, and realise that network access control must be incorporated into their general security policy and standards. The trick lies in making sure security standards are enforced. While, the vast majority of organisations have a security policy and supporting standards in place, employees rarely know what they are, or the implications of not following them.
Security policies and standards often exist only as paper documents designed by the IT manager or CSO. They outline exactly what staff are, and are not, allowed to do when connecting to the network, which websites are acceptable, what downloads are prohibited, who may connect remotely to the corporate network and procedures for reporting spam or virus alerts.
Such documents are often presented to the workforce with no explanation or supporting training. The result is that, although some people may read them, many others will just bin them. This is inevitable if employees see information security as someone else’s problem.
This attitude is the understandable result of ignorance about the importance of maintaining strict security protocols, and the reasons behind security standards. Ignorance is one of the main reasons, why many corporate information security policies and standards are unsuccessful. Without an effective system to ensure that standards are both familiar and understood, you may as well just cross your fingers and hope that the latest virus or hacker misses you.
It is therefore, essential to have both good corporate information security policies and standards and good education and awareness procedures to support them. However, to build an efficient and reliable weapon against Internet threats, businesses must also have efficient and effective monitoring and enforcement systems. Ideally, these should make security simpler than insecurity.
This means taking security responsibility away from the end-user and complimenting processes with appropriate and effective technology.
NAC offers companies a systematic, automated process for managing their security, eliminating exposure and enabling continuous protection. It allows organisations to ensure that only trusted devices, in compliance with corporate security policies, can access the network.
Broadband and home working
NAC reveals the integrity of all machines connected to the corporate network, and whether or not they comply with the organisation’s information security standards. The proliferation of broadband has enabled home working to become an economically viable option, while the dramatic fall in the price of laptops, allied with the explosion in WiFi technology, has made mobile working the norm for employees in many companies.
However, a company’s ability to enforce its information security standards diminishes severely once a computer is used outside the office. For example, if a worker takes a company laptop home for a week, who is responsible for ensuring that security standards are followed when the machine is used?
The use of computers in airport kiosks and hotel business centres presents similar, or even greater risks.
Patch enforcement protection
It is also vital that organisations have a high standard of patch enforcement. Unless security patches are kept up to date machines become increasingly vulnerable to new exploits. Research has shown that, within six days of their publication, software vulnerabilities are targeted by exploits that are widely available on the Web (Source: Symantec Internet Threat Report VIII, September 2005).
With more and more organisations making use of a remote workforce, the IT department is increasingly unable to update or check every machine to ensure that its patch level is up to date.
NAC, however, is able to constantly check and automatically update patches on machines before they gain authorised entry to the corporate network. This is essential as the application of patches and other measures can easily be delayed, for example over a holiday period.
Without automatic updates, the user or IT manager has to connect an unprotected machine to the Internet in order to download the missing updates. During the time it takes to become updated, the unprotected machine could be receiving or transferring all sorts of malicious content to and from the corporate network, potentially infecting the entire system.
Removable storage devices
Additionally, the proliferation of removable media devices including USB devices, iPods, CD/DVD burners and PCMCIA hard drives now requires that organisations take extra care in enforcement. Up-to-the-minute security products include multi-layered Host Intrusion Prevention System (HIPS) technology which can block the transfer of data to these devices.
These also allow blocking of exploits that target known operating system and application vulnerabilities. Known network-based worm and web server attacks can also be prevented through the blocking of anomalous network behaviour.
Effective use of NAC
When used effectively, NAC should offer a multi-layered approach to both enforcement policy and protection againstintrusion, ensuring that every corner of the enterprise network is covered by NAC, even when mobile devices are taken off the corporate network. However, while companies generally understand the benefits of NAC, many do not know how to implement it effectively.
The key issues which must be addressed for the successful implementation of NAC are:
· Flexibility
· Open standards
· Balance
· Remediation.
Each of these points is covered in more detail below.
Flexibility
The variety of different security measures needed for individual departments within a single organisation requires that a NAC solution is able to provide adaptive and flexible standards-based protection for all user groups and environments.
It is key that the large enterprise has the ability to accommodate the entire internal user population without adding to administrative overheads for standards creation and management.
Open standards
Successful NAC implementations will bring significant security and business benefits, but organisations have to think carefully about becoming locked-in to individual suppliers and the associated potential for creating single points of failure. Companies with a sole vendor could find themselves forced into either making expensive software upgrades or leaving themselves open to attack – with no safety net to catch a security breach that has been missed.
There is also widespread concern about the cost of becoming NAC compliant. Both these issues can be addressed by adopting an open standards solution and a layered approach to security.
In doing so, organisations can benefit from enforcing NAC without the cost and implementation burden of upgrades to their core infrastructure.
Finding the right balance
Effective NAC requires the enforcement of all network information standards without exception. It is therefore, a major challenge to strike the right balance between security and user productivity. Specific user needs, including those of third parties such as contractors, consultants, customers or suppliers must be taken into account and balanced against the requirements of the security standards.
Remediation
An effective NAC solution needs to quickly and automatically restore non-compliant machines to a trusted state, ensuring 100 percent compliance with standards before access is granted to the corporate network.
Automated remediation of non-compliant devices is therefore crucial to maintain user productivity and minimise the cost of helpdesk calls or manual intervention by the IT department.
In Conclusion
NAC is a vital component of any corporate network. When implemented effectively, NAC allows businesses to achieve compliance with corporate network information security standards, gain control over how people, applications and devices act on a network, quickly remediate any non-compliant devices and ensure continuous network integrity. This can only be achieved through processes that ensure continuous, automatic enforcement of information security standards.
Experience has shown that in this way security can be made simpler than insecurity, enabling good information assurance to be developed in the business without compromising productivity.
The author is Director, Systems Engineering, Symantec Corp.