NAC, Vista, and Your Security Strategy
We sort out the options with the most buzz for 2007—NAC, Vista, and NAP—for enforcing security with devices requesting network resources.
- By Chris DeVoney
Though a new year is underway, IT professionals still face the challenge of securing the end-point machines that access the networks and Big Iron. Network access control and Microsoft Windows Vista are advertised as options that will satisfy our hunger for improved security. For 2007, one still may be problematic and only sampling the other may be smart.
Network access control (NAC) is a set of infrastructure pieces that enforce security policy compliance on all devices seeking to access network computing resources. Unless the device can prove it is healthy (right minimal OS, BIOS, patches, not virus- or spyware-infected, and compliant with corporate security standards), the device gets shunted to a network side rail and can’t access corporate data stores.
At the same time, NAC can apply role-based rights that determine which servers and which data stores a properly authenticated device may use. That device can be anything from a smartphone or personal computer to a server, printer, intelligent office copier, or computerized medical device.
The approaches fall into three categories, plus hybrids of them: infrastructure-based (Cisco, Microsoft, and Juniper are the usual names), end-point software-based (Symantec and McAfee are two examples), and appliance-based (products from StillSecure and Mirage, and even Cisco, put those companies into the appliance game).
Like many other technology challenges, there is no universal “best” way to implement NAC. The variables include network connect topologies (such as data center, local, LAN, wireless, VPN, or WAN), client diversity (stationary versus mobile, full client versus PDA/smartphone, homogeneous versus heterogeneous), user trust (employee and role versus guest versus contractor), scalability (hundreds of seats to 100,000+), central controls (whose capabilities and reporting vary widely), and cost.
The bar set by customers for most NAC vendors is simply “get it working.” More are adding “make sure it stays compatible with my future.” The first leaves the door open for piecemeal solutions, the second for leaps of faith. Most NAC players are part of the Trusted Computing Group, which wants to solve the latter issue. However, I get nervous when vendors need to get religion to solve my problem.
Most NAC players also admit the maturity of their products and their integration with central management schemes needs to evolve faster than the current rate or the administrative demands will erase much of the labor savings, comprehensive compliance auditing, and better-management advantages.
The other product generating buzz for 2007 is Microsoft Windows Vista: within the context of the enterprise and for making end-point connections to mainframes, the talk of Vista is rarely “if” but almost always “when.” The current question of “how many” is more about “what’s allowed in the door” rather than “the number of machines to convert.”
As designed, Vista is more secure than previous Windows versions. Just three features should significantly reduce security incidents and remediation costs: BitLocker to encrypt hard disk data, User Account Control to reduce running at Administrator level (which should make malware harder to install), and Service Hardening to make service compromises tougher.
Yes, Vista does NAC, and Microsoft will do NAC one better with NAP—Network Access Protection—which will perform more extensive system “health” checks. It will also, upon direction, send patches and updates to raise the computer’s health to the threshold needed for network entry.
Some NAP features can be duplicated today with Active Directory’s Group Policy Objects or products such as Microsoft’s Systems Management Server or patchers like HFNetChkPro or PatchWorks. I’m unsure if NAP could shoehorn relief automatically where it is most needed—a system overwhelmed by malware.
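As an added illustration of the admit/quarantine decision described above (health check, side-rail network, pushed fixes, and the open question of an already-infected host), here is a minimal health validator in Python. It is not code from the column or from any NAC vendor; the policy thresholds, patch IDs, and VLAN names are constructed placeholders.

```python
"""Added example (not from the column): a minimal NAC/NAP-style health
validator. A client submits a statement of health; the policy decides
ADMIT, REMEDIATE (quarantine VLAN plus a fix list) or DENY.
All thresholds, patch IDs and VLAN names are constructed placeholders."""
from dataclasses import dataclass, field

# Constructed policy baseline (hypothetical corporate standard).
POLICY = {
    "min_os_build": 6000,                   # placeholder minimum build
    "max_signature_age_days": 3,            # AV definitions must be fresh
    "required_patches": {"KB-A", "KB-B"},   # placeholder patch IDs
    "firewall_required": True,
}

@dataclass
class HealthStatement:
    os_build: int
    av_signature_age_days: int
    installed_patches: set
    firewall_enabled: bool
    malware_detected: bool = False

@dataclass
class Decision:
    verdict: str                 # "ADMIT", "REMEDIATE" or "DENY"
    vlan: str                    # where the switch/VPN parks the host
    remediation: list = field(default_factory=list)

def evaluate(soh: HealthStatement, policy=POLICY) -> Decision:
    """Compare one statement of health against the policy baseline."""
    # An actively infected host cannot be fixed by pushing patches to it;
    # it is denied outright rather than parked on the remediation VLAN.
    if soh.malware_detected:
        return Decision("DENY", "blackhole", ["manual cleanup required"])
    fixes = []
    if soh.os_build < policy["min_os_build"]:
        fixes.append(f"upgrade OS to build >= {policy['min_os_build']}")
    missing = policy["required_patches"] - soh.installed_patches
    if missing:
        fixes.append("install patches: " + ", ".join(sorted(missing)))
    if soh.av_signature_age_days > policy["max_signature_age_days"]:
        fixes.append("update antivirus signatures")
    if policy["firewall_required"] and not soh.firewall_enabled:
        fixes.append("enable host firewall")
    if fixes:
        # Remediable shortfall: side-rail the host and push the fixes.
        return Decision("REMEDIATE", "quarantine", fixes)
    return Decision("ADMIT", "corporate")
```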
The awaited NAP features in Vista require Microsoft’s Longhorn server, whose shipment Redmond rumblings now place in Q1 of 2008. If you add the wait for Longhorn SP1, figure NAP for a 2009 deployment. Remember, Microsoft hasn’t announced whether NAP will cover XP (currently it’s Vista only), and you can probably scratch support for any other legacy OS. NAP is a non-starter for systems whose OS doesn’t have an MS in its name.
Although improved and extensively tested, Vista lacks seasoning against the widespread computer world. Whether you subscribe to Murphy’s Law of Selective Entomology (“There’s always more than one bug”) or the Rule of Software Deployment (“Always wait for Service Pack 1”), even Microsoft admits IT managers will not rush into Vista.
As to upgrades, most managers don’t care about Vista’s increased hardware requirements. The software can be “free,” which is true for many corporations with Microsoft assurance agreements. The barrier is the cost of testing, support changes, roll-out labor, and user retraining, which puts most system upgrades into the why-bother category.
I suspect you, like me, are looking at your Windows computer purchasing plans for the year and are coping with the question: Vista now or Vista later? If you have that assurance agreement, keep taking delivery of the tested and true XP image on those systems and accept Vista where appropriate, such as test implementations, IT development staff, or users who need little support.
For those machines not part of the agreements, my strategy is to buy machines with Vista licenses. Where legacy must rule, I downgrade the license and have the machine delivered with Windows XP. The machine runs the apps now and has the license for the step up later.
When scanning the 2007 horizon, given the increased malware, traveling systems, and compliance issues, pulling up a seat (actually several hundred or several thousand seats) to the NAC buffet will be more common in 2007. Our job will be to pressure vendors to improve centralized management and integration. Few IT managers will put large portions of Windows Vista on their plate when Windows XP satisfies more needs.