Page 1: NAC

Teleconference: Demystifying NAC: Going Beyond Basic Admission Control

Robert Whiteley, Senior Analyst, Forrester Research

September 25, 2006. Call in at 12:55 p.m. Eastern Time

Page 2: NAC

Entire contents © 2006 Forrester Research, Inc. All rights reserved.

Theme

Firms must look beyond current limitations of NAC and build a life cycle with

both pre- and post-admission.

Page 3: NAC

Agenda

• Examining NAC’s momentum

• Detailing today’s NAC architectures

• Going beyond: predicting NAC’s future

• Recommending how to overcome NAC’s pitfalls

Page 5: NAC

Defining network access control (NAC)

► A mix of hardware and software technologies that dynamically control client systems’ access to networks based on their compliance with policy.

► Network quarantine = network access control = Network Admission Control (Cisco’s specific term) = Network Access Protection (Microsoft’s specific term)

Page 6: NAC

NAC solves an IT oxymoron: secure access

[Figure: access plotted against security]

• The most accessible systems are not secure.

• The most secure systems are not accessible.

• Network access control: NAC provides the technology framework and policy hooks to make security and access tradeoffs.

Page 7: NAC

NAC is gaining significant momentum in large enterprises . . .

• Demand side: NAC has jumped to an early mindshare position within large enterprises.

» Some 40% of enterprises were tackling NAC initiatives in 2006.

» Some 52% of firms indicated the need for access control across all network mediums: wired, wireless, and remote access.

• Supply side: Dozens of vendors are jumping on the bandwagon — RSA’s 2006 “NAC Show.”

» Infrastructure vendors: 3Com, Cisco, Enterasys, Extreme, Foundry, HP ProCurve, Nortel

» Software vendors: Elemental Security, ENDFORCE, F-Secure, McAfee, Panda Software, Symantec/Sygate

» Appliance vendors: Caymas, Check Point, ConSentry, ForeScout, Granite Edge, InfoExpress, Lockdown, Mirage, Nevis, Vernier

Page 8: NAC

. . . But many companies suffer from stalled deployments

• . . . Only 4% of firms had completed deployments.

• Why?

» Multiple, confusing architectures

» Lack of interoperability

» Upfront costs exceed benefits

» Lack of identified business drivers

Page 9: NAC

Defined use cases are just now coming into focus

• The ROI of NAC is a lost cause

• Successful deployments focus on business needs for:

» Unmanaged or guest systems

» Partner extranet functionality

» Enterprise mobility

» Virus/worm contamination

Page 10: NAC

The result: Enterprises are in the second wave of NAC deployments

[Figure: three waves of NAC deployment plotted on a timeline running 2004, 2005, 2006, 2007, 2008]

• Wave 1: Homogenous architectures

» Momentum: Early adopters

» Driver: Controlling the “Wild, Wild West”

• Wave 2: Hybrid architectures

» Momentum: Early majority

» Driver: Unmanaged/guest systems

• Wave 3: Interoperable architectures

» Momentum: Late majority

» Driver: Operation efficiency

Page 12: NAC

Today’s NAC deployments focus on three architectural components

• Endpoint

» PCs — Desktops, laptops, servers

» Devices — IP phones, printers, embedded OS machines

» Primary ownership: desktop or client operations

• Network

» Perimeter devices — Security appliances, VPN concentrators, firewalls

» Wiring closet devices — routers, switches, wireless APs

» Primary ownership: network operations

• Back-end servers

» AAA, policy, configuration, and remediation servers

» Primary ownership: security operations

Page 13: NAC

But successful enterprises are shifting focus to two distinct functional components

• Pre-admission — “Keep people out”

» Technologies to perform integrity and compliance checks before network resources are granted

» Key components: endpoint security scans and identity via authentication

• Post-admission — “Kick people off”

» Technologies to monitor resource access violations, anomalous behavior

» Key components: identity management and IPS

Page 14: NAC

Bridging NAC’s architectural and functional views

Architecture

• Endpoint tools:

» Endpoint security tools

» Client security suites (AV, FW, etc.)

» Compliance agent (optional)

• Intelligent network:

» Switches and routers

» VPN gateways

» Wireless APs

» Security appliances

• Policy and identity servers:

» Authentication and authorization (RADIUS, LDAP, AD)

» Remediation and configuration management

» Audit and assessment

Function

• Pre-admission control:

» Endpoint integrity check

» Enforcement during authentication

• Post-admission control:

» Behavior monitoring

» Resource and application violations

Page 16: NAC

As NAC evolves functionally, focus on building a user or device-access control life cycle . . .

[Figure: life cycle with three stages: pre-admission, post-admission, remediation]
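The pre-admission (“keep people out”), post-admission (“kick people off”) and remediation stages of the life cycle, as an added example that is not part of the deck or any vendor’s product: a small Python policy engine that quarantines an endpoint on failed identity or integrity checks, auto-remediates managed systems while guests only get user-remediation guidance, and moves an admitted endpoint back to quarantine once IPS-reported violations reach a threshold. VLAN numbers, posture attributes and IPS events are constructed.

```python
# Added example, not from the Forrester deck or any vendor: a toy NAC life-cycle engine
from dataclasses import dataclass, field
from typing import Optional

PRODUCTION_VLAN, QUARANTINE_VLAN, REQUIRED_PATCH = 100, 999, 5  # constructed values

@dataclass
class Endpoint:
    name: str
    user: Optional[str]   # None = no authenticated identity (device-centric only)
    av_running: bool
    patch_level: int
    managed: bool         # managed PC (auto-remediable) vs. unmanaged/guest system
    violations: list = field(default_factory=list)

def pre_admission(ep):
    """'Keep people out': identity + integrity checks before resources are granted."""
    reasons = []
    if ep.user is None:
        reasons.append("no authenticated identity")
    if not ep.av_running:
        reasons.append("antivirus not running")
    if ep.patch_level < REQUIRED_PATCH:
        reasons.append(f"patch level {ep.patch_level} below {REQUIRED_PATCH}")
    return (QUARANTINE_VLAN if reasons else PRODUCTION_VLAN), reasons
def post_admission(ep, ips_events, max_violations=2):
    """'Kick people off': quarantine once IPS/resource violations hit the threshold."""
    ep.violations += [e["resource"] for e in ips_events
                      if e["endpoint"] == ep.name and e["verdict"] == "violation"]
    return QUARANTINE_VLAN if len(ep.violations) >= max_violations else PRODUCTION_VLAN
def remediate(ep):
    """Auto-remediate managed systems; guests only get user-remediation guidance."""
    if not ep.managed:
        return ["user-remediation: update antivirus and patches, then reconnect"]
    actions = []
    if not ep.av_running:
        ep.av_running = True
        actions.append("started antivirus")
    if ep.patch_level < REQUIRED_PATCH:
        ep.patch_level = REQUIRED_PATCH
        actions.append(f"patched to level {REQUIRED_PATCH}")
    return actions
def lifecycle(ep, ips_events):
    """One full cycle: admit or quarantine, remediate once, re-check, then monitor."""
    vlan, _ = pre_admission(ep)
    if vlan == QUARANTINE_VLAN:
        remediate(ep)
        vlan, _ = pre_admission(ep)
    return post_admission(ep, ips_events) if vlan == PRODUCTION_VLAN else vlan
```

Note that remediation cannot supply a missing identity, so an unauthenticated guest stays in quarantine after the re-check.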

Page 17: NAC

. . . But NAC is only a small component in an endpoint security life cycle

[Figure: NAC shown as one small component within the broader endpoint security life cycle]

Page 18: NAC

NAC evolves to encompass a wider risk-based architecture

[Figure: proactive endpoint risk management spanning client and network, with identity and NAC as its building blocks]

Page 19: NAC

Defining proactive endpoint risk management

► Policy-based hardware and software technologies that proactively manage risk by integrating endpoint security, access control, identity, and configuration management

Page 21: NAC

Firms must overcome the four “dirty little secrets” of the NAC market

• Enterprise-class components

» Why it hurts NAC deployments: Underpinning hardware — DHCP, RADIUS, and DNS — are not reliable enough.

» How to overcome: Budget for high-availability components.

» Key vendors: Infoblox, MetaInfo, and INS

• Automatic remediation

» Why it hurts NAC deployments: NAC doesn’t provide automatic remediation of noncompliant users.

» How to overcome: Integrate config. management tools.

» Key vendors: Altiris, Shavlik, BigFix, etc.

• Multivendor policy

» Why it hurts NAC deployments: Policy isn’t “plug-and-play” across multiple vendors.

» How to overcome: Select vendors that have proven interoperability.

» Key vendors: Cisco (NAC) and Microsoft (NAP)

• True identity awareness

» Why it hurts NAC deployments: NAC is device-centric, and many solutions don’t support user context.

» How to overcome: Integrate with AD/LDAP, and push for SSO.

» Key vendors: Applied Identity and Identity Engines

Page 22: NAC

Recommendations: vendor selection

• Pick vendors that focus on:

» Identity: Without identity, NAC is device-centric and misses the full-policy-compliance framework.

» Remediation: The ability to remediate or enforce compliance is key to automating NAC.

• Look for solutions that focus on interoperability:

» Microsoft: NAP

» Cisco: NAC

» TCG: TNC

Page 23: NAC

Recommendations: deployment best practices

Phase in NAC to maximize short-term effectiveness:

• Phase 1 — Create NAC policies: Leave three months to simply write policies and understand who goes where under what conditions.

• Phase 2 — Deploy an overlay pre-admission solution: Get policy-savvy solutions in place that allow you to begin NAC but may not have a full set of enforcement capabilities.

• Phase 3 — Add more enforcement and post-admission: Once you have the right policy infrastructure in place, you can scale out enforcement with 802.1X and behavior monitoring with IPS.

• Phase 4 — Build remediation capabilities: Finally, you can enable user-remediation or auto-remediation with configuration management solutions.

Page 24: NAC

Robert Whiteley

+1 617/613-6183

[email protected]

www.forrester.com

Thank you

Page 25: NAC

Selected bibliography

• September 8, 2006, Trends “Refreshing Enterprise LAN Infrastructure”

• May 12, 2006, Trends “Getting The NAC Of It: 2006 Network Access Control Adoption”

• November 2, 2005, Best Practices “Securing The Network From The Inside Out”

• June 28, 2005, Tech Choices “Choosing The Right Network Quarantine Solution”