Network Access Control: Bridging the Network Security Gap

The business work place has evolved significantly over the last ten years. Back then, networks were far more simplistic; the internet was not a critical business tool, there was far less legislation, and there were no applications for employees to launch in the workplace, except for a sly game of Solitaire. Now, a company’s IT network is its central hub, an increasingly complex environment that offers dramatically enhanced efficiency, but also brings with it a convoluted set of problems for increasingly over-stretched IT departments.

Modern technologies have opened a Pandora’s box of issues for companies trying to keep control of their networks. It is not unusual for a typical employee to launch instant messaging, log onto Facebook and start sharing videos with friends and colleagues. Not only might members of staff log on to the network from their desks, they might also log on from home, or from their laptop at a WiFi hotspot in a coffee shop or at the airport.

While the ubiquity of the new internet is predominantly positive for businesses, boosting employee up-time and therefore productivity, it has opened up a can of worms in terms of security, and adhering to an ever-escalating number of compliance regulations is becoming an increasingly difficult challenge for organizations. By their ability to puncture holes in corporate defenses, these new technologies are like candy to a baby for cybercriminals, who are exploiting these vulnerabilities to infect networks with malware, spyware and Trojan horses for their financial gain.

Organisations’ ongoing drive for more flexible working practices also has a major impact on the overall security of corporate networks. Now, networks need to be opened up to third parties, such as contractors, customers and consultants, but these guests may not use the same security applications as the host network and may not have applied the most recent software upgrades or patches. Moreover, full-time employees are frequently granted administration rights that enable them to use their computers from outside the office, but this can compromise security, as it requires that some critical security services are disabled.

Despite the risks involved in not keeping a tight rein on the comings and goings of network users, a surprising number of organisations have no enforcement mechanism in place to drive compliance or to report on results. This gap in corporate policy exposes the enterprise to a range of threats; not simply from malware and hack attacks, but also the loss or theft of intellectual property, and punishment from inadvertently flouting regulatory requirements.

Some forward thinking businesses are however cottoning on to the risks and have therefore begun to implement security policies which try to control employee use of corporate resources and the internet whilst at work. While such frameworks can go some way towards ensuring that employees toe the line, they can be difficult to implement and enforce. Furthermore, policies alone do not present a watertight solution and they cannot stop all security breaches that are outside user control.

What are security companies doing to support customers?
The complexity of managing modern security applications, combined with a lack of control over employee and visitor computers attaching to the network, has driven many security vendors to incorporate compliance and enforcement capabilities as extensions to existing products. Indeed, some vendors have gone as far as to shift their position from promoting single endpoint security products to creating and endorsing entire suite of endpoint security solutions to give IT departments back the control they need to quash the growing threats to their networks. It has become starkly apparent that companies need support in managing all the various users and endpoints accessing their networks to ensure that security and compliance breaches do not take place.

Network Access Control – helping companies to take control back
Organisations of all sizes are now considering Network Access Control (NAC) as part of a holistic security strategy. NAC not only gives businesses the power to simply and swiftly create and enforce security policies, it can also block or quarantine non-compliant or unauthorized computers that are seeking to gain network access. An effective solution can also determine whether all endpoints are compliant with the organization’s security policies; not only prior to granting permission to access the network, but on an on-going basis once these users have been allowed to log on. In this way, companies can rest assured that if a user acts out of line with the security policy, they will be banned from the network until the matter has been dealt with. Furthermore, systems administrators can grant individual employees or guests specific levels of network access, which dictate which resources they can use. These levels are set by looking at a combination of factors, including the user’s department, internal role and their level within the company, as well as the status of their endpoint’s security solutions.

Replicating physical security measures online
The need to secure sensitive data on business networks, and the NAC method of achieving this, can be compared to the constraints many businesses put in place to ensure the physical security of their buildings. Let’s take the example of a pharmaceutical company, which needs high levels of security in order to protect drugs patents worth billions of pounds, and to ensure compliance with strict legislative standards. In this kind of environment, a receptionist would meet all employees and visitors at the front desk. Once their reason for wanting to move forward has been established and the receptionist has accepted that it is in line with the company’s security policies, they will then be either authorised or refused entry.

Those employees and visitors that have been approved, will be granted further access to specific areas of the building, depending on their requirements and position within the company. For example, while the managing director may have ‘access all areas’ clearance, a temp may only be able to access the parts of the office that they will directly be working in. By giving physical access to the right people in this way, the company has dramatically reduced the associated security risks. You would not let a masked man through business doors, but it’s a bit more complicated to prevent them gaining access to the business network – without the right solution in place.

The risk of intelligent users
A common trap that many businesses fall into is only considering to implement NAC if they have remote and mobile workers and frequent visitors, but while these casual users certainly pose a significant threat to company networks, it is equally critical to protect their infrastructures from users within the corporate walls. Indeed, in a recent Sophos poll, which asked more than 200 companies who they thought exposed their networks to the greatest IT threats, 44 percent believe standard employees to be the most dangerous.

Now that technology is so integral to so many people’s lives, there are a growing number of expert users who have a potentially dangerous level of IT knowledge, enabling them to evade enforcement when accessing network resources, even if there is only the narrowest of gaps to slip through. Such a gap may arise from a number of scenarios, including the use of DHCP (Dynamic Host Configuration Protocal) networks – enabling a device to have a different IP address every time it connects to the network – or where the rogue computer is using local, statically assigned IP addresses for network access. Problems may also occur if a quarantine agent is not installed on the user’s computer. Whilst many of these employees will simply be trying to play the system without malicious intent, they still pose a threat to networks because they are opening holes, giving cyberciminals a backdoor entrance into company infrastructures. This is one example of why companies should not rush headlong into purchasing the first NAC solution they find; unfortunately solutions do vary, and it is crucial to find the best system for the job.

Making NAC work for your company
There are a number of different ways to implement NAC; solutions can be hardware or software based, standalone or integrated into the internal network infrastructure. How do businesses decide what is right for them? The appropriate solution for an organization is primarily dependent on its current network environment and it is therefore crucial to assess this fully before taking the plunge. Critical factors include, how homogeneous the network is, what the main network access methods are, and of course, the budget available. For example, for small to mid-sized businesses, the most effective NAC solution is one that can assess the security level regardless of the specific solution in place as well as work seamlessly within existing IT infrastructures.

When making their choices, enterprises should focus expenditure on the solutions and services that solve their biggest problems, choosing solutions that protect against vulnerabilities and provide a full security process instead of merely providing products. As a rule, the best option for organizations looking to introduce NAC to their security suite, is to find a solution that works with the existing network infrastructure and user management systems – and one that is truly vendor neutral. This will be least disruptive to implement and will produce the best return on investment.

It is also imperative that a NAC solution provides comprehensive support for the organization’s security strategies, as well as having the ability to create and manage new policies in the future. It should also be flexible enough to meet new business strategies as they inevitably arise. A final critical factor is that the solution offers capabilities beyond standard network-based enforcement, identifying and providing protection against all classes of users trying to gain access to the network – both known and unknown.

The complete NAC solution
An all-encompassing NAC solution will alert network administrators of MAC and IP addresses, enabling them to take immediate action when an unauthorised endpoint computer connects to the network. Its reporting capabilities should extend to include multiple reports for rogue endpoints, exempt computers and any new information that may prove critical – as events occur, in real time. The alerts should identify the rogue computer with pinpoint precision so that network administrators can simply and swiftly identify its network location and subsequently take the appropriate actions.

It is crucial that this constant monitoring does not interfere with normal network communications; for this reason, passive monitoring will provide the best results. The monitoring of low-level ARP (Address Resolution Protocol) a network layer protocol used to convert an IP address into a physical address, allows all IP communications to be detected, without exception. This means that even if a canny user evades DHCP network-based enforcement, their computer will not be able to communicate and spread infections throughout the network because ARP has to be used in order to slip through. By monitoring ARP, identifying which computers are attempting to make IP connections, and comparing the computer with the list of approved, compliant, and registered computers, systems administrators have a watertight way of spotting a rogue computer making advances on the network, enabling them to act fast and effectively.

This solution, while providing comprehensive reporting on users attempting to access the network, and the actions of those already logged on to the systems, should make systems administrators’ lives easier, and that means that reporting should be simply decipherable and easy to action.

Maximizing flexibility and control for systems administrators
Implementing NAC solutions is all about giving companies control back over their networks. It is therefore crucial that the chosen solution gives systems administrators the optimum degree of flexibility and control. Because user groups in organisations are closely interwoven with the associated policies, determining which users are assessed for compliance against which policies, is a crucial step in reining in control. Groups can be defined according to department, function, individual hire dates, or a combination of these factors. The best NAC solutions allow multiple policies to be created for various user groups, and for these to be shared between groups as necessary.

The crux of a truly flexible solution is ensuring that these policy-to-group relationships can be changed at the drop of a hat – including the addition of new users to existing groups – in line with the very real requirements of a constantly evolving workforce. This is particularly critical if administrators want to mandate specific security applications for new users. This degree of control is essential when mergers and acquisitions take place for example, when companies face the daunting task of imposing their corporate security policies on large numbers of new users. Without an effective NAC solution in place, successful migration for new employees can be a logistical nightmare.

Controlling employee and visitor access to increasingly complicated business networks should not be seen as an expendable add-on to security suites, but as an integral part of ensuring compliance in an ever-more regulatory world, and fending off cyber attack in an ever-more dangerous network environment. By implementing a flexible and comprehensive NAC solution, organizations are able to effectively combat today’s threats, while being fully equipped to mitigate against tomorrow’s.