Safe by Exclusion

If network log-in passwords or tokens are akin to identity cards in real life, then Cisco's new Network Admission Control (NAC) is like a work permit. by Ong Boon Kiat

With the help of Network Admission Control (NAC), a user's access device—whether a PC, laptop, or PDA—not only needs to be authenticated based on its identity, but its identity status needs to be continually updated and certified in order to maintain validity.

Scheduled for release before the middle of this year, NAC is an agent-based architecture that checks a hardware's installed applications for their state of compliance.

Compliance or not

Non-compliant hardware can then be denied access, or quarantined in a different network segment. According to Cisco, the first NAC release will check compliance for anti-virus software state and operating system information. For anti-virus application compliance, checks will be made on anti-virus vendor-software version, engine-level, and signature-file levels.

For OS compliance, the checklist will include OS type, patch, and hot fix. Initial NAC co-sponsors include Network Associates, Symantec, and Trend Micro.

One way to think about NAC, is as an anti-virus quality-control framework. Cisco's idea is to let IT managers ensure that updated anti-virus controls exist in all connected network nodes, all the time. But do IT managers need another layer of defence, one which is likely to give them more operational chores?

"Yes, if you want better control over your network's security," said Russell Rice, Manager of Product Marketing for new systems technologies, security products, Cisco Systems.

Speaking at a recent Asia-Pacific press symposium in Langkawi, Malaysia, he called NAC 'a glue, not a product' for security devices and applications-one which can increase the value of an organization's existing anti-virus investment.

He also dismissed the hassle and possible snags of adding a substantiation access layer, saying that the NAC will be flexible enough to suit the needs of different organizations. For instance, NAC can be configured to work purely as a monitoring tool. Once the organization feels comfortable with its overall level of compliance, it can then be elevated to block non-compliant network device access through the use of router Access Control Lists (ACLs) and Cisco's Trust Agent architecture.

The latter acts like a security middleman, collecting information from other security software clients-including anti-virus clients-and passing that information on to Cisco devices on the network.

Anti-virus's ability

But while NAC can enhance any network's overall anti-virus stance, it will not improve the anti-virus application's ability to detect and eradicate viruses. "For the detection of unknown viral strains, the anti-virus application is still responsible," explained Russell. "What NAC offers is the elimination of uncertainty in a company's current anti-virus environment."

The first release of NAC will support endpoint devices running Microsoft Windows OSs like NT, XP, and 2000, he said. In 'phase 2', NAC's platform support will extend to Sun Solaris and Linux OSs.

Subsequent NAC releases after this June will have more product extensions. For instance, Cisco switches and wireless access points will have the ability to quarantine non-compliant hosts through VLAN segmentation, which can be assigned by Cisco switches and wireless access points.

NAC will also support Cisco's security appliances, like VPN concentrators and firewalls. Cisco is also looking for more industry co-sponsors for NAC.

Long development time

Responding to the long development time needed for something that performs the simple task of checking application log files, Russell explained, "While NAC is not terribly difficult to develop, we do have to spend time making sure that it touches all our product portfolios and has a good management architecture. And working with different vendors also takes time."

IT managers should also take some time to study two things: if they already have a good software-upgrading scheme in place, and what kinds—of anti-virus policies they have. This will likely determine if a compliance-checking framework such as NAC is genuinely useful, or more troublesome than it is worth.

This article first appeared in Network Computing Asia