To thwart LAN attacks, many companies strive to assess the vulnerability of network devices before the logon process is completed. To that end, Cisco Systems Inc. has promised that its Network Access Control strategy, essentially the embedding of "intelligence" into routers and switches, will address that problem.
However, NAC-enabled products have so far only been released in dribs and drabs. But for those who can't wait for Cisco to finish, or are wary of a single-vendor approach to device assessment, several other vendors have stepped into the breech.
Vendors such as Sygate Technologies Inc., InfoExpress Inc., Endforce Inc. and others are helping businesses to assess the state of devices before they log on to the network, ensuring that they have adequate security safeguards before they are granted access to the LAN.
The gated network
Like most end-point security systems on the market, those from Fremont, Calif.-based Sygate require a client on the device. That client communicates with an appliance on the network, which checks to see if the device meets specified criteria, such as an updated firewall or antivirus software required to log on to the LAN. If the device is deficient, it can be quarantined and the user would be directed to update the necessary software before it is allowed onto the network.
"You don't want to stop devices from logging onto the network," Wright said. "You want to allow access under certain conditions."
Sygate's approach was valuable for North Canton, Ohio-based Diebold Inc., a maker of ATMs with offices in 88 countries. While it uses up-to-date Cisco Catalyst switches in its data center, the 13,000-employee company is connected to a wide range of network devices around the globe. Some of its offices have Cisco equipment that is not 802.1x compliant, while others aren't using Cisco gear at all.
Right now using Sygate's client, Diebold can assess the status of devices as they attempt to log onto the network, guaranteeing that the most recent security features installed.
"We need to have something on the PC inspecting the PC itself to see if patches are up to date," said B. Scott Harroff, chief information security officer for Diebold.
Sygate's appliance sits on the network and communicates with a client on the end device. If a user does not meet the criteria for logging on, he can be directed to a Web server where he can download the tools necessary to upgrade to the required software.
A NAC for waiting
While Cisco's NAC strategy is appealing to some, it is still being rolled out and will not be complete until 2005, said Mark Bouchard, senior program director for Stamford, Conn.-based Meta Group Inc.
In addition, NAC not only requires 802.1x-compatible Cisco networking gear throughout the network, but it also requires a Cisco Secure Access Control Server, said Dan Golding, a senior analyst with Midvale, Utah-based Burton Group. While the 802.1x standard is meant to work with a number of standards based authentication server, those using Cisco's NAC cannot pick and chose among different vendors or approaches.
Though Sygate and most other solutions require a client on the device, which can be problematic, particularly if businesses have guest users logging on to the LAN, Bouchard said some of these third-part approaches can provide a good interim solution.
Diebold is working with both Cisco and Sygate to determine how to proceed in the future. The company is planning to upgrade all of its network devices to 802.1x-compliant Cisco gear, at which point it could take advantage of Cisco's NAC approach when it is fully rolled out in 2005.
"We see [NAC] as being appealing, having switching infrastructure with the ability to determine what is valid and what isn't a valid node and to move it," Harroff said.
However, he added that he sees a continuing need for a product like that offered by Sygate, and also plans to work with Sygate in the future.