In-Depth
Why It’s Time for Network Access Control
Security and compliance policies are only successful if they are enforced. That’s where network access control comes in.
- By Rich Langston
- 01/16/2007
Network access control is a technology whose time has come. After all, while security and compliance governance policies are a critical component of any successful organization today, they are only useful if they are enforced around the clock.
Employees routinely access their corporate networks from home computers, kiosks, hotel business centers—all systems beyond the control of IT. Their security status is unknown and unpredictable, yet users must rely on them to remain productive anytime, anywhere.
The challenges don’t end at remote and mobile users. Corporate users, contractors, and guests constantly access network resources. Can IT be sure that all these devices are running the appropriate security solutions, configured correctly, and outfitted with up-to-date patches?
At the same time, failure to comply can result in more than a black mark in an auditor’s book. Allowing unprotected and non-compliant computers on the network puts organizations at risk for the exposure of intellectual property, costly network downtime, and possible regulatory fines that can undermine a company’s brand and reputation.
Consequently, a growing number of organizations are turning to network access control solutions. With such a proactive solution in place, enterprises can ensure the security policy compliance of any device before the device actually accesses the network.
Tried and True Tools
Some of the biggest names in information technology have recently turned their attention to network access control. However, because most of these solutions are still in the development stage, and many require an overhaul of existing hardware and software infrastructure, organizations have hesitated to invest in them, opting instead to postpone deployment. These organizations, in turn, are struggling to provide the perimeter of defense and policy enforcement needed to keep information assets safe.
However, a growing number of companies have already begun to reap the benefits of network access control using solutions that have been successfully deployed for years. These solutions increase security, network availability, and regulatory compliance by enabling enterprises to enforce security settings and software running on the hosts connected to their enterprise networks.
The most effective network access control solutions today are agent-based solutions that do not require significant investment in IT hardware or software. These solutions integrate with a customer’s existing infrastructure and support all major infrastructure vendors.
Most importantly, these solutions proactively protect the network from dangerous endpoints by enforcing compliance on contact with the enterprise LAN, wireless network, and remote access services.
Control in Phases
Effective network access control incorporates three phases of operation: evaluation, enforcement, and remediation.
In the evaluation phase, an agent examines the endpoint that is attempting to connect to the network, looking at policies and the status of the device to determine whether to grant full, limited, or no network access. Host integrity checks are made against pre-defined templates such as patch level, service packs, antivirus, and personal firewall status as well as custom-created checks tailored for the enterprise environment. Policies are all controlled from a centralized management system. In addition, because effective network access control must assess both managed and unmanaged systems, an on-demand agent is critical to assessing unmanaged endpoints.
If a device fails to pass the compliance check, several enforcement mechanisms are offered depending upon the network infrastructure. Enforcement options include quarantining the device, assigning it to a guest VLAN, and even blocking it entirely.
Any device found to be out of compliance with relevant policies is then automatically brought back into compliance in the remediation phase of network access control operations. For example, if antivirus software is not installed on the device, the device automatically connects with the appropriate remediation server and downloads and runs the necessary software. If antivirus software is turned off, the remediation server turns it back on. If antivirus is outdated, the relevant files are downloaded or updating programs are run to bring the virus protection back into compliance with security policy.
In all cases, only when the device is compliant is it allowed to access the network—all without requiring user intervention.
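The evaluation, enforcement and remediation loop described above, as an added example (not code from the article or from any product it describes). The policy thresholds, the check names, the remediation actions and the access tiers "full", "limited" and "none" are all assumptions made for illustration; a real agent would gather the posture from the host and a real remediation server would perform the actions rather than simulate them.

```python
"""Toy model of the three NAC phases: evaluate an endpoint's posture against
policy, decide an access tier, remediate, and re-evaluate until compliant."""
from dataclasses import dataclass, replace
from datetime import date, timedelta


@dataclass(frozen=True)
class Posture:
    """Host integrity data an agent would report (fields are assumptions)."""
    os_patch_level: int
    av_installed: bool
    av_running: bool
    av_signature_date: date
    firewall_enabled: bool


@dataclass(frozen=True)
class Policy:
    """Centrally managed template the posture is checked against."""
    min_patch_level: int
    max_signature_age_days: int
    require_firewall: bool


def evaluate(posture: Posture, policy: Policy, today: date) -> list:
    """Evaluation phase: return (check_name, remediation_action) for every failed check."""
    failed = []
    if posture.os_patch_level < policy.min_patch_level:
        failed.append(("patch_level", "apply_patches"))
    if not posture.av_installed:
        failed.append(("av_installed", "install_av"))
    elif not posture.av_running:
        failed.append(("av_running", "start_av"))
    # Signature age is only meaningful once AV is installed and running,
    # so it is checked last in the chain and may surface on a later round.
    elif (today - posture.av_signature_date).days > policy.max_signature_age_days:
        failed.append(("av_signatures", "update_av"))
    if policy.require_firewall and not posture.firewall_enabled:
        failed.append(("firewall", "enable_firewall"))
    return failed


def decide_access(failed: list) -> str:
    """Enforcement phase: compliant hosts get full access; non-compliant hosts
    are confined to a limited (quarantine/remediation) network."""
    return "full" if not failed else "limited"


def remediate(posture: Posture, failed: list, policy: Policy, today: date) -> Posture:
    """Remediation phase: simulate what the remediation server would do."""
    for _, action in failed:
        if action == "apply_patches":
            posture = replace(posture, os_patch_level=policy.min_patch_level)
        elif action == "install_av":
            posture = replace(posture, av_installed=True, av_running=True,
                              av_signature_date=today)
        elif action == "start_av":
            posture = replace(posture, av_running=True)
        elif action == "update_av":
            posture = replace(posture, av_signature_date=today)
        elif action == "enable_firewall":
            posture = replace(posture, firewall_enabled=True)
    return posture


def admit(posture, policy: Policy, today: date, max_rounds: int = 3):
    """Run the full cycle. Returns (final_tier, final_posture, tier_history).
    A host the agent could not assess at all (posture is None) gets no access."""
    if posture is None:
        return "none", None, ["none"]
    history = []
    for _ in range(max_rounds):
        failed = evaluate(posture, policy, today)
        tier = decide_access(failed)
        history.append(tier)
        if tier == "full":
            return tier, posture, history
        posture = remediate(posture, failed, policy, today)
    # Still failing after the allowed rounds: stays quarantined for an operator.
    return "limited", posture, history


# Constructed sample data for a stand-alone run.
TODAY = date(2007, 1, 16)
POLICY = Policy(min_patch_level=10, max_signature_age_days=7, require_firewall=True)
STALE_HOST = Posture(os_patch_level=8, av_installed=True, av_running=False,
                     av_signature_date=TODAY - timedelta(days=30), firewall_enabled=False)

if __name__ == "__main__":
    tier, final, history = admit(STALE_HOST, POLICY, TODAY)
    print(tier, history)
```

Running the sample host shows why the loop matters: the first round flags the patch level, the stopped antivirus and the disabled firewall and confines the host to the limited network; only once the antivirus is running can the second round see the stale signatures; the third round passes and the host is granted full access.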
Immediate Deployment
Support for a wide variety of network equipment, access methods, and protocols enables organizations to maximize ROI in network access control by eliminating ties to specific vendors. For the most flexible, cost-effective deployment, a network access control solution must be deployable across the network regardless of connectivity type.
For example, for LANs and wireless networks, 802.1X standards-based methods must be supported, preferably with options for easier deployment. For environments in which 802.1X is not available or desirable, a DHCP-based approach can provide network access control enforcement of endpoint devices in networks using dynamic IP allocation.
In WAN environments, a gateway mechanism is used to provide in-line access control to critical network resources such as VPN links, data centers, and connections to remote offices. On-demand agents offer support for unmanaged devices connecting through SSL VPNs, Web-based applications, and wireless switches.
In addition, a self-enforcement technology keeps enforcing policy on devices after they leave the corporate network, where no agent-aware switch or gateway is present. This technology leverages outbound firewall filter rule sets on the endpoint itself to restrict the network access of systems that are not in compliance. Non-compliant systems essentially move themselves into a sandbox where they can reach only a remediation system and bring themselves back into compliance. Self-enforcement requires no hardware, runs on any infrastructure, and provides a simple and cost-effective way to introduce network access control into an environment.
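The self-enforcement sandbox described above, as an added example (not code from the article or any product it describes). It models the endpoint's outbound filter as an ordered, first-match rule set: a compliant host is unrestricted, a non-compliant host may reach only the remediation network plus DNS and DHCP, and everything else is denied. The remediation address range and the rendered iptables lines are assumptions chosen for illustration.

```python
"""Model of an endpoint's self-enforcement outbound filter (added example)."""
from ipaddress import ip_address, ip_network

# Constructed: where the remediation server(s) live for this toy environment.
REMEDIATION_NETS = [ip_network("10.0.99.0/24")]
# Services a quarantined host still needs to get an address and resolve names.
BOOTSTRAP_PORTS = (53, 67)
ANY = ip_network("0.0.0.0/0")


def self_enforcement_rules(compliant: bool) -> list:
    """Return ordered (action, dst_network, dst_port_or_None) rules; first match wins."""
    if compliant:
        return [("allow", ANY, None)]
    rules = [("allow", net, None) for net in REMEDIATION_NETS]
    rules += [("allow", ANY, port) for port in BOOTSTRAP_PORTS]
    rules.append(("deny", ANY, None))          # explicit default deny
    return rules


def outbound_allowed(rules: list, dst_ip: str, dst_port: int) -> bool:
    """Evaluate one outbound connection against the rule set."""
    ip = ip_address(dst_ip)
    for action, net, port in rules:
        if ip in net and (port is None or port == dst_port):
            return action == "allow"
    return False                                # nothing matched: deny


def render_iptables(rules: list) -> list:
    """Render the model as iptables OUTPUT-chain commands (assumed syntax for illustration)."""
    lines = []
    for action, net, port in rules:
        target = "ACCEPT" if action == "allow" else "DROP"
        match = f"-d {net}" if net != ANY else ""
        if port is not None:
            match += f" -p udp --dport {port}"
        lines.append(f"iptables -A OUTPUT {match.strip()} -j {target}".replace("  ", " "))
    return lines


if __name__ == "__main__":
    for line in render_iptables(self_enforcement_rules(compliant=False)):
        print(line)
```

The ordering is the security-relevant detail: the remediation allow rules sit above the default deny, so a host that has been sandboxed can still download what it needs to become compliant, while a file share or web server elsewhere on the LAN is unreachable until the agent re-evaluates and swaps in the unrestricted rule set.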
Timing is Everything
Effective network access control is all about timing. Connected devices must be in compliance before they are allowed network access, and blocking or remediating non-compliant devices must be automatic. Compromised or infected systems must be quickly brought into compliance to help ensure that corporate information assets and IT systems are protected from information theft, violation, and disruption.
Network access control must be deployable now. Today, these solutions enable administrators to extend control to every type of network and all types of endpoints, from desktops to laptops, guest systems, and even embedded devices. Administrators can define how secure an endpoint must be before it can access specific network resources and manage network access from a single convenient console.
With mature, proven network access control solutions, the crucial task of protecting corporate information is no longer simply proximate and pressing. It is also possible.