In-Depth

Securing Visitors with Guest-Access Controls

A defense contractor turns to admission controls to meet government requirements to secure national security information.

• By Mathew Schwartz
• 08/22/2006

How can companies secure their networks yet still grant access to visitors?

For George Owoc, director of business administration for EADS Astrium North America Inc., a wholly owned subsidiary of ASTRIUM Space Transportation, the answer was a network access control (NAC) hardware-based appliance called Enforcer, from Lockdown Networks, which shunts users onto different network VLANs, each with specific levels of access based on an individual’s credentials.

“Why is that important to me?” asks Owoc. “Certain of the projects we work on are considered national security and are regulated under ITAR (the International Traffic in Arms Regulations).” Even though most of the projects are rather mundane, he says, “to comply with our State Department licenses, [we] must ensure a certain amount of security in our facility.” A special problem is maintaining security when visitors not named in those State Department licenses need network access. While EADS Astrium North America only has 24 users located in three offices, in its work with such organizations as NASA, Boeing, and Lockheed Martin, and on such projects as a ground-based simulation of the International Space Station, the Integrated Cargo Carrier (a luggage rack for the space shuttle), and the European Space Agency’s Columbus module, it sees numerous visitors. By using NAC, “it allows me to give them the courtesy of access to my network without exposing my secure VLANs.”

EADS Astrium North America isn’t alone. Many companies are currently evaluating or deploying NAC, and their reasoning is simple: “Network managers want to take back control of the network,” says Gartner Group analyst Lawrence Orans.

To do that, one of their first goals is to regulate guests’ network access. “A lot of people are concerned about these devices that enter the corporate network, whether it’s a consultant or a contractor that’s coming in, whether to work in a temporary space or a visitor’s cube,” he notes.

Often the solution for guests is simple—grant access (and often just wireless access) to the Internet only, “since that’s what they’re looking for in most cases anyway,” notes Ray Wizbowski, senior director of market development and communications for ForeScout, a NAC vendor. The problem, however, is identifying which machines belong to guests, employees, or unknown users, and tailoring network and file access accordingly. Companies are increasingly turning to NAC precisely to do that.

State of NAC

How many companies have implemented NAC? According to a survey of almost 200 IT managers conducted by ForeScout, three-quarters are still “gathering information” about network access control; 15 percent are budgeting for it or beginning deployment; and only 4 percent have deployed it. Half of companies planning to implement NAC will first target guest users versus VPN (for 29 percent of companies) or campus LAN (25 percent) users.

Two NAC approaches get the most press: Cisco’s Network Access Control (CNAC), which enforces access in the network fabric, and Microsoft’s Network Access Protection (NAP), which will arrive with Windows Vista and will employ DHCP. Yet numerous technology vendors already offer NAC technology, and many market analysts note these third-party options are frequently less expensive to deploy and maintain than either CNAC or NAP.

For example, Owoc says he considered CNAC before selecting the Enforcer appliance. “I’m very familiar with the Cisco product and worked with it in other organizations, and I was actually preparing to make a case to buy the Cisco product when I was contacted by Lockdown,” he notes. Because of his good experiences with Lockdown’s Auditor—an automated, hardware-based vulnerability assessment device he’s employed for over three years—and because “the price was good and the appropriateness of the solution was there,” he opted to go with Enforcer instead.

Having run Enforcer for roughly five months now, Owoc characterizes managing it as “a very light load.” By contrast, “if I [were] to try to do this manually or even with some of the other solutions, my guess is it would be maybe a third of a person to deal with these types of issues.” Noting “we’re a small company,” that really wasn’t an option.

Avoiding Network Disruption

With NAC technology already widely available, why haven’t more companies adopted it? According to ForeScout’s survey, “The biggest fear is network disruption,” says Wizbowski.

Ease of use might be another factor. “My only warning to someone who might be interested in this is [that] it’s not something that somebody who doesn’t have a pretty good technical background—an understanding of IP, VLANs, and stuff like that—could deal with,” says Owoc. “It’s not like some of the firewalls that are plug-and-play. So it’s not good for a small business that doesn’t have a knowledgeable IT staff, though probably they could hire a consultant to do it for them.”

Quarantines Scarce

Many NAC adopters, including Owoc, are using access controls, but haven’t yet implemented quarantine capabilities. In the future, however, especially when users have outdated antivirus signatures, “I will start shutting them down or forcing them into a remediation VLAN.”

He notes Lockdown is releasing a new version of Enforcer which works with iNAC—a framework which allows various products to interact and apply specific controls and checks to a machine before granting network access. “I haven’t seen it yet, but I’ve talked to them about it, and I’m interested in doing it.”

Currently, he notes, Enforcer won’t let him fix any problems it finds, so he has to resort to e-mailing users a patch or asking them to apply a fix. “With iNAC, I can integrate it with Patchlink, and Patchlink can be told to go update or apply patches to the machine in question, so the user isn’t inconvenienced at all.” When such features debut, he plans to implement Patchlink.

Timeline for NAC

As the forthcoming iNAC, NAP, and other approaches attest, technology vendors are still working to make NAC a seamless experience. Dan Clark, vice president of marketing for Lockdown Networks, notes, “The end goal of NAC is not to enforce policy. It’s to make sure the devices are compliant in order to maximize users’ productivity and to increase network uptime.”

Perhaps it’s no surprise, then, that timing-wise, “a lot of people are still developing short lists of vendors, and looking to do a lab project this year—toward year’s end—or next,” says Gartner’s Orans, even though fears over network access are “slowing things down or making people think twice.”

One way to overcome potential disruptions is to only issue warnings early in the NAC deployment, and ease users in. “So the warning would say, ‘You’re missing this patch, and in a month from now, we wouldn’t have let you onto the network,’” he says.

As that example illustrates, successful NAC deployments, including quarantines, will require more than just technology. “There is a significant amount of user education that needs to take place here,” says Orans. “Also, once people do get quarantined, in order to remediate their systems, it has to be really painless. It can’t be the type of thing where a customer needs to get the help desk on the phone.”

Related Articles:

• Case Study: SUNY-Buffalo Health Science Schools Aims for Network-Admission Controls
• Regulations Spur Adoption of Network Access Control