Network security started with the idea of building a wall around the network's perimeter to protect assets. That perimeter was extended outward to remote locations by means of encrypted tunnels. Then the walls were supplemented with internal defenses aimed at detecting and neutralizing intruders that managed to slip past the outer defenses. In addition, individual hosts (servers and PCs) were provided with their own "body armor" in the form of antivirus software, operating system (OS) patches, and personal firewalls -- essentially building walls within walls.
Today this static, walled-fortress security paradigm is giving way to a dynamic approach that more closely resembles the human body's immune system. The new security paradigm emphasizes organic, unified defenses and distributed detection and response technologies that enable the network to actively defend itself at every connection. As an integral part of this more sophisticated approach, admission control technology is poised to play a prominent role in the evolving art of network self-defense.
A complex security landscape
Although it is still important to control perimeter access and safeguard critical information resources, applications, and services, IT must now take into account several new factors when planning a proactive security strategy. Among the factors that have changed the network security landscape in recent years are:
- A diversity of network users—onsite employees, remote workers, vendors, partners, and guest users—many of whom carry computing devices with them and connect to the network inside the firewall
- An array of endpoints—desktop devices, servers of every description, and portable devices that include not only laptops but PDAs, ministorage devices, and even iPods
- A variety of access methods—wired LANs/WANs, wireless LANs/PANs (Wi-Fi, Bluetooth), VPNs employing IP Security (IPSec), broadband (DSL, cable, WiMAX wireless), dial-up, and Web/HTTP
- An ever-growing profusion of network services and applications—traditional e-mail and file exchange, voice over IP (VoIP), XML Web services, document sharing, enterprise resource planning (ERP), customer relationship management (CRM), ad infinitum
- A new generation of malware that spreads extremely quickly and can be very clever at hiding itself—Flash threats, worm-driven DDoS, phishing, spyware, and more types emerging every day
- A gradual transfer of control and responsibility from IT administrators to end users as "anytime, anywhere" connections proliferate
All this network complexity and heterogeneity means that countermeasures need to be placed on every networked communication device to ensure adequate security. And a broad-based consortium of network and security vendors needs to collaborate to make sure gaps in defenses don't open up as new users, devices, entry points, services, and exploits arrive on the scene.
Patting down the endpoints
Even with firewalls and intrusion protection, viruses and worms that grow increasingly virulent and aggressive continue to disrupt business networks, resulting in downtime, loss of productivity, and costly, time-consuming recovery efforts.
"Day-zero" and other opportunistic attacks that can metastasize widely in a matter of seconds are a challenge to reactive containment. For example, the recent W32/MyDoom-0 e-mail worm propagates itself not only by canvassing the victim device's hard disk for e-mail addresses, but also by sending queries to Internet search engines to find more addresses based on the same domain names. And it has been estimated that the notorious 2003 Blaster worm hit about 128 million systems in the first three minutes.
Because there are so many possible network connections, hosts that aren't compliant with the latest antivirus, OS, and application patch levels are difficult to detect. Locating and isolating infected devices takes up time and resources, but if the problem isn't spotted and handled quickly the damage can mount up exponentially. The best way to avert the dangers posed by noncompliant endpoints is to forbid them from connecting to the network at all -- in effect, to give them a "pat down" search before entry. That's where network admission control comes into play.
Unlike traditional ID management that merely verifies the identity of users, an admission control system checks to make sure the device complies with network security policies before it is allowed to connect. And unlike traditional antivirus and OS patch controls that only protect the hosts in which they reside, admission control extends these defenses to protect the entire network.
Network admission control can be deployed at the main enterprise campus, in branch offices, on remotely located and home-based devices, on wireless networks, and in extranets. The technology dramatically improves network security and helps ensure resilience and availability, while also increasing the value of existing security investments.
Security checkpoints everywhere
Think of network admission control as a kind of security checkpoint. It's similar to what you would encounter at an airport, but distributed to each endpoint on the network -- and a lot easier and quicker to pass through than airport security if your device is compliant.
At an airport checkpoint, security staff ensure that passengers have valid tickets and also check IDs to verify that the name on the ticket matches the person in front of them. Identities are compared against a current list of possible malefactors. Passengers also pass through a metal detector, and their carry-on baggage is inspected. Based on profiles derived from established policies, certain passengers may be singled out for more intense scrutiny in an adjacent area before they are allowed to continue to the gate and onto the plane.
Network admission control works in much the same way. An endpoint must pass muster before it can enter the network. This prevents viruses and worms from gaining a foothold, especially the most recent threats that may not be defined in antivirus software, or threats that exploit an unpatched OS vulnerability.
In a network admission control system, a nonintrusive software agent residing in each endpoint plays the role of the airport security guard, giving the network a distributed self-defense dimension. This "trust" agent serves as a middleware component that allows the host to interact with multivendor security software residing on the host and elsewhere on the network. The access control agent works in tandem with other security agent software on the endpoint designed to protect against port scans, various malicious mobile codes, spyware/adware, and other immediate threats and annoyances. The result is a dynamic, adaptive immune system deployed at the endpoint level.
When the endpoint seeks a connection, the admission control agent makes sure the endpoint's credentials are in order -- that is, it examines the configuration of the machine and looks for the presence and status of behavior-blocking, personal firewall, antivirus, and patch software. The agent then delivers this information by means of a router, switch, or VPN concentrator to one or more access control servers (ACSs), which determine whether or not the endpoint's configuration and postures are consistent with current policies. An authentication, authorization, and accounting (AAA) policy server informs the ACS about the policies and authorization parameters. If the endpoint is out of compliance, the ACS has the associated router block the endpoint's IP address, effectively preventing connection to the network.
Carrying the airport security analogy further, a network admission control system can make use of the agent embedded in the host to grant limited access to the network, or it can direct an endpoint to a quarantine area for further attention.
Just as a ticketed air passenger may be allowed access to the gate area, but must have a boarding pass to board the plane, an endpoint may be permitted to connect only to a certain segment of the network based on policies set by the organization. And just as select passengers may be shunted to a cordoned-off area where they are frisked and their luggage is sniffed for suspicious chemical residues, the network admission control system can quarantine an endpoint in a restricted network area for further inspections. The quarantine zone may also include a remediation server that can install the appropriate software on the endpoint and purge the device of malware before it is allowed entry.
In sharp contrast to airport security, however, all the network admission control precautions are applied almost instantaneously. Compliant users get a fast pass and a quick connection.
The multivendor NAC initiative
Because of its comprehensive, multilevel nature, admission control must be delivered as a partnership among networking industry providers, antivirus and patch management vendors, and posture assessment companies. Cisco Systems has brought all these players together as part of the Network Admission Control (NAC) initiative that currently includes more than 45 industry leaders, including Computer Associates, IBM, McAfee, Sophos, Sygate, Symantec, and Trend Micro. More than 30 partners have delivered or are scheduled to deliver NAC solutions by mid-2005.
This multivendor, systems-based approach to admission control lets IT capitalize on previous security investments and avoid having to overhaul existing security infrastructure. The NAC initiative also will make it possible to roll out solutions more quickly, without waiting months or years for a standard to be formulated and approved. The NAC program is drawing on established standards such as 802.11x, Extensible Authentication Protocol (EAP) and RADIUS, and is seeking IETF approval for specific technologies.
Because the NAC program is intended to foster industry collaboration, APIs have been furnished to vendors for product integration, testing, and certification. Participants in the program integrate the interfaces into their applications and test the applications at an independent certification facility to ensure compliance.
In Phase 2 of the NAC initiative, support will be extended to switching and IPsec remote-access VPN platforms, the IEEE 802.1 security protocol, and an expanded set of endpoint OSs. Future support will include firewalls, wireless access points, and other platforms. The ultimate goal is to increase the range of NAC-enabled solutions -- including antivirus and patch-management software, as well as compliance and remediation products from a wide range of vendors -- with the eventual aim of integrating the technology with vulnerability assessment, security information management, and other security capabilities to build a more unified deterrent to network threats.
Whether you're talking about airports or router ports, network admission control adds a critical enforcement dimension to the security infrastructure. And it also helps return a measure of control back to the IT administrator without inconveniencing compliant users. By putting a security checkpoint at every connected endpoint, admission control represents a significant stage in the evolution toward comprehensive network self-defense.
About the author:
Cecil Christie is Director of Marketing, Security Technologies Group, at Cisco Systems Inc.