Rolling Review Kickoff: Host-Based NAC
Malware spreads fast, and the best risk management strategy is not to get bitten in the first place.
HOST CASE
NAC isn't the only choice for network defense. Technologies and organizational processes--including 802.1X for computer and user authentication, VPN encryption, strongly enforced desktop management policies, and proper role definition and application access controls--can help achieve this goal. But even if you implement all these, you still have the roaming computer problem, and that's perhaps the strongest argument in favor of host-based NAC. Protect the computer while it's out of your control, then ensure that it's not infected when it returns home.
Host-based NAC features such as application access control and host firewalls for outbound as well as inbound traffic may keep malware like the Storm worm off your network, even if an individual system becomes infected. Today, host-based NAC makes most sense in cases where most of the computers are company-owned; the guest access issue is generally not well addressed, and in this Rolling Review we'll ask vendors about their plans in this area.
Host-Based NAC Rolling Review
The Invitation
This Rolling Review will focus on network access control products that are installed on hosts and both assess system health and enforce NAC policies. Companies are looking at NAC as a way to protect internal resources and limit the activities that users and hosts can perform on the network. Binary policies that choose "on" or "off" based on host condition are often not robust enough to be effective. Policies need to match acceptable access rules that allow users and devices to interact on the network while maintaining security. Our written policies and goals will reflect that reality.
Similarly, enforcement decisions are not always "grant" or "deny." Rather, a variety of enforcement choices, such as warning a user, starting an update in the background, or limiting access to certain resources, should be available.
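The graduated enforcement the review asks for can be sketched as a small policy model. This is an added illustration, not code from the article or any vendor's product; the host attributes, thresholds, and action names are assumptions chosen for the example, and the hosts are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Enforcement actions, least to most restrictive (illustrative names, not a vendor's).
GRANT, WARN, UPDATE, LIMIT, QUARANTINE, DENY = (
    "grant", "warn", "update-in-background", "limit-to-guest-vlan",
    "quarantine-to-remediation-vlan", "deny")


@dataclass
class HostPosture:
    hostname: str
    managed: bool                          # AD-joined, persistent agent; else guest with dissolvable agent
    av_signature_age_days: Optional[int]   # None: no antivirus found on the host
    missing_critical_patches: int
    host_firewall_on: bool
    malware_detected: bool                 # known malicious software found by the agent
    suspicious_activity: bool              # behavioural signs such as unexpected outbound scanning


def assess(h: HostPosture) -> Tuple[str, List[str]]:
    """Map one host's assessed state to an enforcement action plus the reasons for it."""
    # Infected or misbehaving hosts are cut off or contained regardless of ownership.
    if h.malware_detected:
        return DENY, ["known malicious software present"]
    if h.suspicious_activity:
        return QUARANTINE, ["signs of malicious activity"]
    # Guests: the dissolvable agent checks basic hygiene; at best they get Internet-only access.
    if not h.managed:
        if h.av_signature_age_days is None or not h.host_firewall_on:
            return DENY, ["guest without antivirus or host firewall"]
        return LIMIT, ["guest host: no access to internal resources"]
    # Managed hosts: missing controls mean remediation-only access (update server reachable).
    if h.av_signature_age_days is None or not h.host_firewall_on:
        return QUARANTINE, ["antivirus missing or host firewall disabled"]
    findings: List[str] = []
    if h.av_signature_age_days > 7:            # assumed freshness threshold
        findings.append(f"antivirus signatures {h.av_signature_age_days} days old")
    if h.missing_critical_patches > 0:
        findings.append(f"{h.missing_critical_patches} critical patch(es) missing")
        return UPDATE, findings                # keep the user working; patch silently, re-assess later
    if findings:
        return WARN, findings                  # stale signatures only: tell the user, no restriction
    return GRANT, []


if __name__ == "__main__":
    # Constructed sample hosts covering the managed, guest and infected cases.
    for host in (HostPosture("hr-01", True, 2, 0, True, False, False),
                 HostPosture("hr-02", True, 2, 3, True, False, False),
                 HostPosture("guest-1", False, 1, 5, True, False, False)):
        print(host.hostname, *assess(host))
```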
We will test common scenarios, such as a conference room that is open to the public and an internal network segment that contains managed computers. All testing is conducted under real-world conditions. We'll assess products based on these criteria:
Policy development, which rates the ability to create flexible assessment and enforcement policies. The breadth of information used for host assessment will be evaluated, along with available enforcement actions.
Integration with existing hosts and network services.
Management and configuration of devices that are in-line, as well as of agents.
Price.
Reporting and troubleshooting tools available to visualize what's occurring on the network, view the status of the current network, monitor host and user activity, and generate historical reports.
The Test Bed
We will test using Windows XP, Vista, and Mac OS X workstations. All workstations, except those attached to the conference room access switch or in use remotely, will be managed and part of our Active Directory domain. Workstations attached to the conference room access switch will be guest computers. We also will throw a Linux server and other "unmanageable" devices into the mix. We'll use 802.1Q virtual LANs throughout the network, and traffic between VLANs will be routed. In this scenario, access switches will use 802.1Q uplink trunks to the distribution switch.
Our Active Directory server will provide AD, RADIUS/IAS, DNS, and DHCP services. We'll also maintain an update server for systems and apps. While the test bed will be largely self-contained, we'll have our network fully functional and will integrate products into the existing network. We won't replace access switches.
We're willing to put client software on computers in the AD domain, but we won't put persistent agents on guest computers. Dissolvable agents are acceptable for guest access. We want to test multiple enforcement types. Our expectation is that the conference room won't use 802.1X because we can't assume clients will have properly configured supplicants, but 802.1X will be acceptable on the managed wired and wireless networks. We'll design a set of common policies spelling out configuration guidelines and goals for groups of workstations. Some hosts will be in conformance, some not. In addition, some hosts will be infected with known malicious software, and some will exhibit signs of malicious activity. We'll examine both initial and ongoing assessments and the resulting actions for hosts that violate our policies.
The Vendors
Check Point Software Technologies, Great Bay Software, Identity Engines, InfoExpress, LANDesk Software, McAfee, Nortel Networks, Senforce Technologies, Sophos, StillSecure, Trend Micro.
THE PREMISE
Rolling Reviews present a comprehensive look at a hot technology category, beginning with market analysis and wrapping up with a synopsis of our findings. Our extended testing span lets us accommodate today's accelerated revision cycles and focus our attention on individual products, while maintaining a consistent test bed. For consideration, contact the author.
Find more Rolling Reviews, past and present: networkcomputing.com/rollingreviews