Pages

Thursday, February 19, 2009

Why we need to deploy network access control (NAC) ?

The deployment plan of Network Access Control (NAC) technology in IIUM aims to protect IIUM heterogeneous wireless networks from the public back door (possibly done through 3G, bluetooth, firewire, UTP, USB etc), and often dangerous, Internet. It also provides protection from viruses and other types of malware that may be resident on the mobile gadgets that staff, students and visitors connected into IIUM wireless networks. NAC places a virtual shield around a network by guarding its endpoints, the places where heterogeneous wireless networks mesh with the outside world.
While NAC vendors take various approaches to NAC, the technology basically works by treating all endpoints with suspicion. Access to the wireless network is granted only after Aruba Wireless Controller, LDAP and NAC authenticates the user’s identity (username, password and MAC address), verifies the security state of the user’s endpoint and ensures that the user meets policies that define who should be allowed to use which resources and under what conditions (using role base idenfication offered by Aruba Controller).
A survey conducted earlier this year by Infonetics, a technology research firm located in San Jose, Calif., found that enterprises acquire NAC technology for various reasons, including blocking viruses (86 percent), intercepting external attacks (80 percent), stopping spyware/malware (73 percent) and blocking e-mail attacks (70 percent). Other motivations cited by the respondents included regulatory compliance (54 percent), adding LAN security (45 percent), blocking internal attacks (38 percent) and meeting customer and business partner demands (36 percent).
Much of NAC’s overall appeal comes from its simplicity, as well as its ability to provide enhanced security and more sanitized networks with little or no negative impact on the community productivity especially in IIUM. In fact, many instituition that have adopted NAC technology report improved productivity. By deploying this IIUM Community are now free to use devices that were formerly banned from any other enterprises networks due to security concerns. By deploying NAC, ITD is trying to secure the wireless connection even browsing via smartphone or PDA since this devices is not really have a good antivirus software.
NAC often arrives on customer premises in the form of a network appliance. This approach is appealing to many enterprises, and the solution that ITD is looking for: the appliance must simply be plugged into the wireless network, providing fast, painless, out-of-the-box security and avoid changes to the existing configuration. Many NAC appliances are multifunction security devices, offering capabilities such as network-based virus scanning and intrusion prevention systems (IPSs) along with NAC capabilities. The appliance must be capable to integrate with the existing equipments.
Non-appliance-based approaches to NAC are more complex and tend to require a bit more hands-on work. The available alternate choices are to enforce NAC with functionality that’s built into network devices, such as switches, or to enforce NAC using SSL VPN gateways.
No network is airtight—malware continues to get in, whether via mobile gadget (PDA, smartphone) of staff, student or guest laptops, or end users downloading dodgy content. Antivirus software at the gateway or on the desktop helps with computers under your control, but guests and unmanaged servers remain problematic. And let’s face it: Sometimes attackers are just smarter than we are. Even the companies following best practices get hit.
Deploying NAC don’t just mean a security best practices, either. Protecting the network from malicious hosts is, ultimately, a desktop management function. NAC is what puts teeth in our policies, providing an enforcement mechanism that helps ensure computers are properly configured. By weighing such factors as whether a user is logged in; their computer’s patch level; and if anti-malware or desktop firewall software is installed, running and current, ITD can decide whether to limit access to network resources based on condition or not. A host that doesn’t comply with your defined policy could be directed to remediation servers, or isolate it in a quarantine VLAN.
Remember Slammer? If a company could have determined that a host was running an unpatched version of MSDE 2000 and denied access until it was patched, Slammer would have had a much less dramatic effect.
After reviewing other reading materials,
NAC’s soaring popularity which has attracted numerous vendors to the market. NAC technology suppliers include such heavyweights as Bardford, Microsoft, Infoexpress, Juniper, Consentry, Cisco, Fortinet and Aruba Networks. Altogether, there are close to 50 +/- NAC vendors, large and small, meaning that enterprises have plenty of products and approaches to choose from.
With all the available choices, settling on the right NAC technology from the right vendor requires a significant amount of research. The final selection usually boils down to finding the product that most closely matches the IIUM’s NAC goals and the network’s size, complexity, budget and configuration.