Tip

Integrating LAN edge switch security and network access control

In the first part in this series on LAN edge switch security functions, we discussed filtering port traffic and using LAN edge switch ACLs. In the second part, we explored

    Requires Free Membership to View

using edge switches for network access authentication. In this final part in the series, we discuss integrating edge switches with network access control (NAC).

Authenticated access ensures that a user has to provide credentials to get access to the corporate LAN. But that doesn't guarantee that the user's computer will behave well on the network once it is there. It doesn't ensure that the computer is not hideously compromised, owned by some botnet or riddled with malware.

So, authentication controls are supplemented in some places by fuller-featured health checks, usually referred to as network access control (NAC). NAC systems go beyond verifying that users or machines are known, to signing off on the system's initial good health. NAC checks, among other things, to be sure that there is an antivirus program running, that the system has passed a scan and that its operating system has been brought up to date. The more current systems incorporate ongoing behavioral analysis, which watches what a system does once on the Net and takes remedial action if it goes astray.

LAN edge switch security functions and NAC

Defense-in-depth requires that networking teams use edge switches as part of the security infrastructure. ACLs, VLANs and authentication form the base of edge security; NAC sits atop this base to further mitigate risks. It is usually driven by intelligence in the data center or network core, such as policies defined and propagated from a central management point or directories of users that are allowed to use the network.

Read this series on using intelligent edge switches for security
LAN edge switch security functions: Switch ACLs;filtering port traffic

Configuring LAN edge switches for NAC

However, some vendors, such as ConSentry, Napera and Fortinet, put all the intelligence as well as the enforcement in edge devices, making deployment in theory simpler, especially in smaller networks. But NAC requires at least the participation of edge switches if it is really going to protect the network. Authentication for edge access is the first and most important hurdle that systems must clear in most NAC installations. Beyond that, failure to pass tests requires use of edge device VLANs or port-disablement as controls on "bad" systems.

Whether NAC is edge-driven or simply edge-enforced, initial health checks require a tamper-resistant agent on the endpoint that can verify that some software is running (e.g., an antivirus) and other software is not (e.g., various kinds of spyware). In the Windows world, several NAC solutions use Microsoft's Network Access Protection client for health checks. Others supply their own agent.

Implementing health checks at the LAN edge

The specifics of implementing health checks vary dramatically from system to system (more than ACLs or even authentication configurations). In spirit, they resemble ACLs:
Vlan-hosts fail antivirus-check isolate
Vlan-guests fail antivirus-check allow remediate-vlan
Wlan fail OS-check allow remediate-vlan

Adding health checks can bring down the incidence of compromised machines being used on the LAN. ACLs and VLANs can protect edge devices from one another and can limit the range of attacks possible against data center targets, but they can't see that more subtle attacks are under way. Adding behavioral analysis can make even subtle attacks visible if they entail doing anything over the network that a user wouldn't normally do.

So, on networks with significant numbers of transient users (as in a company making extensive use of contractors, or in a university) or where IT control of desktops is minimal, NAC may be an excellent precaution. NAC will be most useful on wireless LANs and other segments with temporary users or lots of laptops that leave the LAN regularly. In a smaller organization with a more static user population, it is nearly always overkill. Before undertaking a NAC deployment involving added gear, all organizations should exploit whatever edge switch security they have available; and if they are Windows users, they should look at NAP.

About the author: John Burke is a principal research analyst with Nemertes Research, where he focuses on software-oriented architectures and management. As an analyst, John draws on his experiences as a practitioner and director of IT to better understand the needs of IT executives and the challenges facing vendors trying to sell to them. A frequent speaker, his career began at The Johns Hopkins University, where he supported the engineering faculty in its use of computers in research and teaching. He moved on to systems and network administration at The College of St. Catherine, in St. Paul, MN, and then to directing staff in voice, data, desktop and systems management at the University of St. Thomas, also in St. Paul.


This was first published in March 2010

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.