NAC, NAP, and TNC are distributed architectures that differ in detail but share a common goal: proactive eradication of threats introduced by hosts connecting to corporate networks. All three extend network infrastructure to audit health and verify compliance before each endpoint connects to that network. All require coordination between an agent on the endpoint itself, devices that deliver network access, servers that provide authentication, systems responsible for policy decisions regarding health and compliance, and elements that help enforce those decisions and remediate failures. Baking admission control into a network's fabric is conceptually attractive, but it takes time and money to upgrade networks with dozens of servers, hundreds of routers and switches, and thousands of hosts.
How appliances accomplish these tasks -- and the degree to which they do so -- varies widely. But most NAC appliances try to avoid requiring installed agent software or network/server upgrades. Instead, they use an overlay approach to augment what you already have in place.
What to expect in a NAC appliance
Unlike point products that fit into a distributed NAC infrastructure, appliances tend to minimize dependency on third-party systems by absorbing as much of the NAC burden as possible. This does not mean that NAC appliances have no external interfaces -- indeed, they must interoperate with surrounding systems to avoid network redesign. Choosing the right NAC appliance requires a good understanding of the role(s) it will play in your network and the functions it must or may provide. Factors to consider when choosing a NAC appliance include the following.
OS independence: To lower TCO, NAC appliances can usually function without installed endpoint agents. Some appliances use network scans to probe any endpoint, regardless of OS, including embedded devices like VoIP phones. Several appliances use ActiveX to scan the host, or SMB protocols to query the host, introducing Windows dependencies. Some offer an optional installed agent with advanced scanning or remediation features. Take a hard look at any NAC appliance to understand endpoint OS coverage and what features (if any) are limited to specific OSes.
Access methods: NAC appliances insert themselves into the network admission process at various points, such as when a LAN user logs into a domain, when a wireless user passes 802.1X, or when a remote user tunnels into a VPN. Most appliances support 802.1X for wired and wireless LAN endpoints. If you have not yet invested in 802.1X -- or want to support guest access -- look for an appliance with Web portal login or DHCP-time checks. Related considerations include support for your VPN client/concentrator and single-sign-on so that NAC does not result in multiple user logins.
Network independence: Unlike Cisco NAC (which requires Cisco IOS and ACS) and Microsoft NAP (which requires Microsoft Vista and Longhorn), NAC appliances are designed to drop into existing heterogeneous networks. But what does "drop in" mean? Most NAC appliances connect to a Layer 2 switch, between access and distribution or core layers. Some connect to a Layer 3 switch, near the network core. NAC appliances may operate out-of-band (consulted only during admission) or in-line (passing traffic as a bridge or router after admission). Each has pros and cons -- for example, out-of-band appliances avoid adding latency, but in-line appliances simplify enforcement. Some appliances support both options, letting you decide the best fit for your network.
Authentication methods: Most NAC appliances assess and enforce policy based on endpoint user identity -- preferably authenticated. A Web portal on the appliance is common for guest access, but you probably want to authenticate employees against existing servers and databases. Most NAC appliances can proxy LAN access requests to your existing Active Directory, LDAP, or RADIUS authentication server, then use results to enforce user or group-based policies. Some NAC appliances also support certificate and two-factor authentication, primarily needed for VPN or 802.1X users. If you must deal with "headless" devices like IP printers, look for an appliance that can use simple MAC ACLs to assess and map unauthenticated devices onto specified VLANs.
Policy definition: NAC assessment is based on policy, but what does that policy look like and how is it defined? Start by checking the endpoint's health: Is it infected with viruses or spyware; is it listening to trojan ports? Next, compare endpoint security posture to defined requirements: Is the OS version allowed, are security patches and signatures current, are anti-virus and firewall programs present, or are forbidden services running? NAC appliances diverge on these nitty-gritty policy details, so look carefully at built-in policies, custom policy granularity, and ability to assess or invoke the endpoint security programs used by your workforce.
For example, most appliances can quickly check services for common threats, but only some can launch a host AV scan if problems are detected. Look for appliances that take user identity, group/role, past compliance, threat history, and exceptions into consideration. For example, you may want lightweight assessment of guest endpoints given Internet-only access, while requiring previously quarantined employee endpoints to be thoroughly scanned. But remember: Deeper endpoint audits introduce host software dependencies; this is where NAC/NAP/TNC agents will add real value (and deployment cost).
Enforcement and remediation: Ultimately, a NAC appliance must deny admission to non-compliant endpoints. Blocking could be accomplished through authentication failure, but to cut help desk cost, NAC must assist with self-remediation. Most NAC appliances can quarantine endpoints into a VLAN or subnet, redirecting Web requests to a remediation server where the user can apply missing patches or remove malware. In-line appliances can directly enforce quarantine through VLAN switching or routing. Out-of-band appliances may redirect traffic using ARP or send SNMP/CLI ACL updates to nearby switches, routers, or firewalls. This is another area where NAC appliances diverge, so look closely at enforcement reliability and granularity, as well as self-remediation and limited access controls. For example, are quarantined endpoints isolated from each other, or do they share one "VLAN of death"? Also pay close attention to how endpoints exit quarantine -- the appliance should avoid help desk intervention for simple fixes, while escalating more serious problems via email, traps, or trouble tickets.
Scalability and performance: A small network might be satisfied with one NAC box, but NAC really appeals to larger companies where threats are difficult to cost-effectively avoid and mitigate. Most NAC appliances are therefore product suites, where several assessment/enforcement boxes can be managed by a central policy server (software or hardware). Boxes are distributed for geographic reach, coverage, performance, and redundancy. In a recent CMP poll, the top technical issues associated with NAC were ensuring that failure would not compromise fault tolerance, and providing security without compromising LAN performance. This demonstrates the importance of selecting NAC appliances that are sized for your network. For example, Mirage appliances range from four VLANs/100 endpoints to 32 VLANs/2500 endpoints with high availability.
Future direction: Companies that are not yet ready to take the NAC/NAP/TNC plunge can use NAC appliances to reap immediate benefits and learn more about assessment and remediation. In the long run, NAC appliances are expected to integrate with those infrastructure solutions. Customers with heavy Cisco investment may prefer appliance vendors that participate in the Cisco Compatible for NAC program. Those planning to move aggressively to Vista and Longhorn may look for vendors in Microsoft's NAP program. Large heterogeneous networks will benefit from appliances that eventually implement TNC's open interfaces. But avoid over-emphasis on today's alliances. Many NAC vendors are hedging their bets by participating in multiple programs.
Many vendors already offer NAC appliances, and analysts expect this market to explode over the next few years. Purpose-built NAC products that use hardware appliances to assess endpoint integrity and control network admission include products from Caymas, ConSentry, FireEye, ForeScouot, Lockdown, Mirage, Nevis, StillSecure, Symantec and Vernier, as well as Cisco's Clean Access.
In addition, most network equipment vendors are adding NAC features to managed switches, wireless access points, and remote access concentrators. Examples include Cisco, Enterasys, Extreme Networks, Hewlett-Packard, and Juniper Networks. Many host security software vendors are adding NAC features to their offerings, including InfoExpress, McAfee, Senforce, and TrendMicro. These NAC-enabled devices and programs are helping to lay the foundation for infrastructure-based network admission control. Note that Cisco currently participates in both markets -- this trend is likely to expand as vendors try to capture customers by offering NAC appliances today, and hold onto them by offering NAC infrastructure solutions tomorrow.
About the author:
Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.
This was first published in November 2006