Safe by Exclusion
If network log-in passwords or tokens are akin to identity
cards in real life, then Cisco's new Network Admission Control (NAC) is like
a work permit. by Ong Boon Kiat
With the help of Network Admission Control (NAC), a user's access device, whether
a PC, laptop, or PDA, not only needs to be authenticated based on its identity,
but its status needs to be continually updated and certified in order to
maintain validity.
Scheduled for release before the middle of this year, NAC is an agent-based
architecture that checks the applications installed on a host and reports their
state: compliant or not.
Non-compliant hosts can then be denied access, or quarantined in a separate
network segment. According to Cisco, the first NAC release will check compliance
for anti-virus software state and operating system information. For anti-virus
compliance, the checks cover the vendor's software version, engine level, and
signature-file level.
For OS compliance, the checklist will include OS type, patch, and hot fix. Initial
NAC co-sponsors include Network Associates, Symantec, and Trend Micro.
One way to think about NAC is as an anti-virus quality-control framework. Cisco's
idea is to let IT managers ensure that up-to-date anti-virus controls exist on
all connected network nodes, all the time. But do IT managers need another layer
of defence, one which is likely to give them more operational chores?
"Yes, if you want better control over your network's security," said
Russell Rice, Manager of Product Marketing for new systems technologies, security
products, Cisco Systems.
Speaking at a recent Asia-Pacific press symposium in Langkawi, Malaysia, he
called NAC 'a glue, not a product' for security devices and applications, one
which can increase the value of an organization's existing anti-virus investment.
He also dismissed the hassle and possible snags of adding an extra verification
layer at the point of access, saying that NAC will be flexible enough to suit
the needs of different organizations. For instance, NAC can be configured to
work purely as a monitoring tool. Once the organization feels comfortable with
its overall level of compliance, NAC can then be elevated to block access by
non-compliant devices through router Access Control Lists (ACLs) and Cisco's
Trust Agent architecture. The latter acts like a security middleman, collecting
information from other security software clients, including anti-virus clients,
and passing that information on to Cisco devices on the network.
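To make the monitor-then-enforce flow concrete, here is an added example written for this edit; it is not Cisco's software and does not use the real Trust Agent protocol. A small policy engine takes a posture report of the kind an endpoint agent would collect (anti-virus vendor, version, engine and signature levels; OS type and installed patches), compares it against policy, and returns an admission action: allow, quarantine to a separate VLAN, or deny. In monitoring mode it records failures but still allows access, which is the staged rollout described above. The report fields, thresholds, patch identifiers, host names, addresses and vendor names are all constructed for the example, and the IOS-style ACL and VLAN lines it emits are illustrative only.

```python
"""Added example (not Cisco's code): a toy admission-control policy engine
modelling the NAC flow in the article. An endpoint agent collects a posture
report (anti-virus vendor, version, engine and signature levels; OS type and
patches); a policy server checks it and returns "allow", "quarantine" (move
to a remediation VLAN) or "deny". In monitoring mode failures are recorded
but access is still allowed. Report fields, thresholds, hosts and patch ids
are constructed assumptions, not the real NAC posture protocol."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

def ver(s: str) -> Version:
    """'4.2.10' -> (4, 2, 10); tuples compare numerically, strings do not."""
    return tuple(int(x) for x in s.split("."))

@dataclass
class Posture:
    host: str
    ip: str
    os_type: str
    os_patches: List[str]        # patch / hot-fix identifiers the host reports
    av_vendor: str
    av_version: Version
    av_engine: Version
    av_sig: Version

@dataclass
class Policy:
    min_av: Dict[str, Dict[str, Version]]   # vendor -> {"version","engine","sig"}
    required_patches: Dict[str, List[str]]  # os_type -> required patch ids
    enforce: bool = False                   # False = monitoring mode only
    quarantine_vlan: int = 999

def check_posture(p: Posture, pol: Policy) -> List[str]:
    """Return every compliance failure; an empty list means compliant."""
    failures: List[str] = []
    vendor_min = pol.min_av.get(p.av_vendor)
    if vendor_min is None:
        failures.append(f"av vendor {p.av_vendor} not approved")
    else:
        for key, have in (("version", p.av_version),
                          ("engine", p.av_engine),
                          ("sig", p.av_sig)):
            if have < vendor_min[key]:
                failures.append(f"av {key} {have} below {vendor_min[key]}")
    if p.os_type not in pol.required_patches:
        failures.append(f"os {p.os_type} not supported")
    else:
        for patch in pol.required_patches[p.os_type]:
            if patch not in p.os_patches:
                failures.append(f"missing patch {patch}")
    return failures

def decide(p: Posture, pol: Policy) -> dict:
    """Map failures to an admission action, honouring monitoring mode."""
    failures = check_posture(p, pol)
    if not failures:
        return {"host": p.host, "action": "allow", "failures": []}
    if not pol.enforce:
        # monitoring mode: log the verdict, never block
        return {"host": p.host, "action": "allow", "mode": "monitor",
                "failures": failures}
    # an unapproved vendor or unsupported OS cannot be remediated in a VLAN
    if any(f.endswith("not approved") or f.endswith("not supported")
           for f in failures):
        return {"host": p.host, "action": "deny", "failures": failures}
    return {"host": p.host, "action": "quarantine",
            "vlan": pol.quarantine_vlan, "failures": failures}

def render_enforcement(p: Posture, d: dict, acl: int = 101,
                       port: str = "FastEthernet0/1") -> List[str]:
    """IOS-style config lines for the verdict (illustrative syntax only)."""
    if d["action"] == "deny":
        return [f"access-list {acl} deny ip host {p.ip} any"]
    if d["action"] == "quarantine":
        return [f"interface {port}", f" switchport access vlan {d['vlan']}"]
    return []

# constructed policy: one approved AV vendor, one supported OS
POLICY = Policy(
    min_av={"ExampleAV": {"version": ver("7.1"), "engine": ver("4.2.40"),
                          "sig": ver("2004.3.1")}},
    required_patches={"Windows XP": ["KB-EXAMPLE-1", "KB-EXAMPLE-2"]},
    enforce=True,
)

# constructed posture reports: compliant, stale signatures plus a missing
# patch, and an unapproved anti-virus product
HOSTS = [
    Posture("ok-laptop", "10.0.0.5", "Windows XP",
            ["KB-EXAMPLE-1", "KB-EXAMPLE-2"],
            "ExampleAV", ver("7.1"), ver("4.2.40"), ver("2004.3.2")),
    Posture("stale-pc", "10.0.0.6", "Windows XP", ["KB-EXAMPLE-1"],
            "ExampleAV", ver("7.1"), ver("4.2.40"), ver("2004.2.9")),
    Posture("rogue-pda", "10.0.0.7", "Windows XP",
            ["KB-EXAMPLE-1", "KB-EXAMPLE-2"],
            "OtherAV", ver("1.0"), ver("1.0"), ver("1.0")),
]

if __name__ == "__main__":
    for h in HOSTS:
        d = decide(h, POLICY)
        print(h.host, d["action"], d["failures"], render_enforcement(h, d))
```

Two points the article's description implies but does not spell out are visible here: version strings must be compared as numeric tuples (a string comparison would rank "4.2.9" above "4.2.10"), and the monitoring-to-enforcement switch is a single policy flag, so the same posture reports that were only logged during the trial period become blocking decisions without any change on the endpoint side.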
But while NAC can enhance any network's overall anti-virus stance, it will not
improve the anti-virus application's ability to detect and eradicate viruses.
"For the detection of unknown viral strains, the anti-virus application
is still responsible," explained Russell. "What NAC offers is the
elimination of uncertainty in a company's current anti-virus environment."
The first release of NAC will support endpoint devices running Microsoft Windows
OSs like NT, XP, and 2000, he said. In 'phase 2', NAC's platform support will
extend to Sun Solaris and Linux OSs.
Subsequent NAC releases after this June will add more product extensions. For
instance, Cisco switches and wireless access points will gain the ability to
quarantine non-compliant hosts by assigning them to a separate VLAN.
NAC will also support Cisco's security appliances, like VPN concentrators and
firewalls. Cisco is also looking for more industry co-sponsors for NAC.
Long development time
Responding to the long development time needed for something that performs the
simple task of checking application log files, Russell explained, "While
NAC is not terribly difficult to develop, we do have to spend time making sure
that it touches all our product portfolios and has a good management architecture.
And working with different vendors also takes time."
IT managers should also take some time to study two things: whether they already
have a good software-upgrade scheme in place, and what kinds of anti-virus
policies they have. This will likely determine if a compliance-checking framework
such as NAC is genuinely useful, or more troublesome than it is worth.
This article first appeared in Network Computing Asia