NAC 2.0:
A new model for a more secure future

As organizations turn to network access control (NAC) technologies to protect their networks and data, the flaws of earlier versions of NAC are becoming apparent. New pressures from a constantly changing threat environment and an increasingly mobile workforce require a new NAC model that will offer more finely controlled network access, an increased agility of response, and a better focus on network, desktop, and security operations. This paper looks at where NAC 1.0 went wrong and describes how the new perspective of NAC 2.0 will allow organizations the flexibility of control to ensure effective endpoint and network governance.

A Sophos white paper       July 2008
NAC 1.0 and why it failed
Organizations are increasingly turning to network access control technologies to provide better protection for their networks and data. However, many of the first generation “NAC 1.0” solutions were based on an inherently flawed model that failed to respect the expertise and ownership of different groups in the organization. NAC 1.0 was also unable to react quickly enough to protect against rapidly evolving threats or to support the needs of an increasingly mobile workforce.

NAC 1.0 – fundamentally disconnected
NAC 1.0 suffered a disconnect in perceived ownership, with a struggle for control between the two key teams who brought two distinctive perspectives:
• The network team’s perspective – guest access. The network team interpreted “network access control” as meaning a way to control or block unauthorized access to the network.
• The desktop team’s perspective – managed endpoint computers. The desktop team saw “network access control” as meaning a way to control or ensure the security and productivity of users’ computers.

“NAC’s functions fit better on the endpoint. We need to move beyond today’s scenario, where users struggle to implement NAC as a successful security framework. Just how bad is it? We’ve found that 40% of enterprises surveyed had begun NAC deployments, but only 4% actually finished. The majority of those that do finish are turning to solutions focused on network hardware like appliances, Ethernet switches, routers, and VPN gateways. But we believe this is the wrong approach.”
Forrester Research1

NAC 1.0 – focusing on blocking guests
Guest access was an easy target for many early NAC 1.0 products, with access generally seen as a luxury rather than a business necessity, and often needed only in specific locations such as conference rooms. In addition, guests often do not have a formal relationship with the business and are not part of any of the organization’s identity management systems such as Microsoft Active Directory. It was fairly simple for many point-solution appliances to provide a mechanism to block guests’ computers until they could be made compliant with the organization’s security policies.

However, this NAC 1.0 focus on meeting the network team’s goal of controlling guest access missed a far greater problem in terms of an organization’s security, namely the much greater likelihood of devastating data loss from a misconfigured managed endpoint computer. With a few exceptions, such as higher education, the sheer number of managed endpoint computers means they present a much greater threat surface, making them in reality a much greater risk.

NAC 1.0 – lacking agility
First-generation NAC solutions failed to recognize that the threat environment is constantly changing, with new threats and vulnerabilities appearing every day. Anti-malware vendors release a steady stream of updates to detect and clean new threats. Operating systems and applications vendors issue security patches on a daily basis.

Many NAC products could not easily be updated to allow for the latest updates. When an anti-malware vendor released a new update or a new version, the administrator often had to update the assessment rules manually. With new operating system patches, administrators typically had to enter a new, complex set of registry entries corresponding to each new patch for each operating system – if the NAC tools supported patch assessment at all. The large effort required to keep rules up to date meant that NAC assessment tools lagged far behind the real dangers facing organizations.

Figure 1. A typical NAC 1.0-based system (labels: Desktop team – Managed computer policy, manual updates; Network team – Network access rules and Guest computer policy, manual updates; Managed computers, Network fabric, Guest computers; On-net only)

Early mistakes

Intrusion Prevention Systems
Some early NAC products were based on Intrusion Prevention Systems (IPS) that looked for anomalous network behavior. These were useful when threats often consisted of worms with identifiable network signatures. Today’s threats are frequently invisible to behavior-based IPS, in which case there will be no identifiable network anomaly.

Network appliances
Some NAC vendors chose to deliver their solutions as network appliances. This was a choice made for their own convenience, not their customers’ needs. By delivering as an appliance, the vendors were able to limit their testing to a small set of predetermined platforms. This seeming convenience is deceptive. Networks often had to be redesigned to insert an appliance, funneling all traffic through a choke point and affecting performance and reliability. NAC appliances also lack deep assessment capabilities, good scalability, and the means to protect computers when they are not connected to the network.

Network equipment
Network vendors are typically interested in upgrading switching and routing gear to include the latest features. They do not have a good presence on the endpoint and as a result attempts to control network access with equipment alone were unsuccessful, as it offered weak assessment and little or no policy management. Network-based NAC ignored the issue of remote or roaming users, although ironically NAC has its roots in Host Integrity Checking for roaming users.

NAC Frameworks
The original NAC Frameworks – such as Microsoft Network Access Protection (NAP), Cisco Network Admission Control (NAC), and Trusted Computing Group’s Trusted Network Connect (TNC) – offered basic interoperation standards and little more. They provided some plumbing, but left organizations to do the work of fitting it all together. Policy management, updating, and audit were left out of the equation.

There was also a critical flaw in the NAC Frameworks’ reliance on a “trust” model – self-policing by the very applications that have gone wrong. They required anti-malware software to report its own status, even though a failure in that software might be the very reason a computer was unprotected. Furthermore, unwanted and unauthorized software, such as spyware or peer-to-peer applications, could not be expected to report their status to a NAC Framework, thereby breaking the trust model.

The future of NAC
The new model for NAC, or “NAC 2.0”, that is now emerging takes into account the shortfalls of earlier approaches and aims to solve real business problems. It acknowledges and embraces the functional roles and division of responsibilities found in today’s organizations, supports the business goals of different groups and endeavors to meet the rapidly changing requirements of today’s dynamic threat environment.

“In the past, enterprises solving guest access challenges gravitated toward an appliance-based solution that simply plugged into a spanning port on a switch; those focused on controlling employee access looked to a software-based solution whereby specific agents could be installed on corporate-controlled machines. However, we now see a clear inflection point. Enterprises need a heterogeneous mix of technologies to cover an ever-widening set of scenarios.”
Forrester Research2

NAC 2.0 – embracing functional roles
NAC 2.0 has operational impact on three teams in the IT organization. NAC 1.0’s focus on answering the network team’s needs is matched by a real commitment to the needs of the desktop team, and a new ability to encompass the requirements of the security team.

Network team
As discussed earlier, the network team is where many NAC solutions were originally embraced and it seemed natural for this team to be the primary owner of “network” access control, although in reality NAC is about more than just the network. This team includes the experts on:
• Switching
• Virtual (VLAN) management
• Routing
• IP address management.

The network team is responsible for ensuring network availability and performance. It does not typically have any responsibility for endpoint assessment and remediation and does not care what the configuration of any particular endpoint computer is. Its concern in terms of the endpoint is to supply the appropriate level of service to a computer based on its role and compliance state.

NAC and the network team
• The network team needs NAC to keep unknown or unsafe computers from impacting network security, availability, and performance.
• NAC needs the network team to manage the switch fabric for enforcement (VLANs, access control lists) based on compliance state.

Desktop team
The desktop team is concerned with managed computers and all aspects of their configuration – even when they are not connected to the network, for example, while roaming. The team drives the requirements for assessment of endpoint configuration, remediation of any misconfiguration, and patching and updating, including:
• Selection, management, and updating of anti-malware software and desktop firewall
• Desktop patch management
• Implementation of best practices for secure configuration.
NAC and the desktop team
• The desktop team needs NAC as a tool to eliminate configuration drift on the computers under its control regardless of network location.
• NAC needs the desktop team to define ideal configurations and remediation mechanisms.

Security team
The security team is focused on regulatory compliance and audit. Although it does not have day-to-day operational responsibility for desktops and the network, it sets the standards for compliance throughout the organization. Some practices are mandated by government regulatory bodies, such as HIPAA (USA)3, PIPEDA (CA)4, and BS7799/ISO27002 (UK/Int’l)5, while some come from recognized industry bodies, such as the Center for Internet Security (CIS Benchmarks)6 and the Payment Card Industry (PCI DSS)7. In addition to its already formidable responsibility for risk management, the security team is responsible for:
• Determining which standards are applicable in their organization
• Auditing the environment against those standards
• Showing proof of standards compliance.

NAC and the security team
• The security team needs NAC to minimize the risk from non-compliant, unknown, and unsafe computers and to provide comprehensive reporting and audit.
• NAC needs the security team to define standards for regulatory compliance and security best practices.

NAC 2.0 – focusing on business goals
Unlike one-size-fits-all NAC solutions, NAC 2.0 recognizes that businesses have different goals for employees, contractors, and guests, and, when properly implemented, focuses on the requirements for each group.

Business goals for employees
• Enable – not block – access to the network and applications
• Enhance productivity, security and compliance.

Business goals for formal visitors, such as contractors, partners, and consultants
• Assess the level of risk posed by the unmanaged computers of these visitors.
• Provide restricted access appropriate to the authorization and level of risk.

Business goals for informal guests and unknown computers
• Require proof of authorization
• Block network access unless authorized.

Many NAC project failures have been a result of too great a vendor focus on the network enforcement mechanisms, and not enough on the practical prioritization of achievable business benefits against each distinct use case. Successful NAC deployments have in common the primary objective of enabling safe access to appropriate resources by authorized people – and not an objective of blocking users from the network. In other words, NAC 2.0 focuses on enabling rather than blocking access.
NAC 2.0 – providing dynamic flexibility
IT departments now have available a much richer context in which to make decisions about authorizing access to company resources. In determining the appropriate level of access, they can now go beyond simple user identity and role, and consider machine identity, access location, access method, time of access, device security posture and state, emerging threats and available threat responses.

The resulting authorization policies are dependent on increasingly rapid real-time information about security updates. Deciding if a computer is fully patched requires up-to-date knowledge of available security patches. Knowing if a guest computer’s anti-malware protection is current means the system must not only know about a company’s own chosen anti-virus product, but also understand what threat detection updates have been published by each anti-virus vendor at all times. Knowledge of the emerging threats and available responses are both key to making authorization decisions and therefore, NAC needs to have the native capability to provide this critical stream of information.

Today’s best endpoint NAC solutions are evolving to enable effective management and control of access authorization by providing two distinct sets of capabilities:
• Network enforcement mechanisms that provide an entry gate onto the network, along with the ability to restrict access using dynamic VLAN and/or ACL assignments, delivered (unlike the special-purpose appliances of NAC 1.0) as a commodity capability available within the standard networking switching
• A centralized policy management platform for directing assessment, remediation, access control, reporting, audit, and alerting – covering all required use cases combined with rich native assessment and remediation capabilities.

NAC 2.0 – protecting beyond security
Regulatory compliance, industry best practices, and IT governance are the new set of drivers behind the evolution and adoption of NAC. NAC as a tool for security, productivity, and compliance leads to better endpoint and network governance.

NAC 2.0 will finally enable organizations to get control of their systems – in spite of a rapidly evolving threat environment and the changing nature of the network perimeter.

Network access control is a valuable new technology for protecting an organization’s assets from risk. Learning from the flaws of earlier solutions, NAC is now evolving into NAC 2.0, a more mature set of integrated technologies that embraces the multiple functional roles in the organization, focuses on solving real business problems, and supports a dynamic environment. NAC 2.0 is the future of network access control.

Figure 2. A vision for NAC 2.0 (labels: Desktop team – Assessment and remediation policy; Network team – Enforcement policy; Security team – Compliance and audit policy; Identity store; Managed computers, Network fabric, Guest computers; On and off-net)
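The context-aware authorization described under “NAC 2.0 – providing dynamic flexibility”, and the per-group business goals (employees enabled and remediated, formal visitors risk-assessed and restricted, unknown computers blocked without proof of authorization), worked through as an added example; this is not code from the paper or from any Sophos product. It combines role, machine identity, location, access method, time of access and device posture with a feed of the latest published patches and anti-virus signatures (the automatically refreshed knowledge that NAC 1.0’s hand-typed rules lacked) and maps the result to a VLAN assignment or a block. All names, VLAN labels, thresholds and sample endpoints are constructed assumptions.

```python
"""Added example (not from the paper or any Sophos product): a NAC 2.0-style
authorization engine that turns the richer context the paper lists (role, machine
identity, location, access method, time, posture, published updates) into a
network enforcement decision. Names, VLAN labels and thresholds are constructed."""
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum
from typing import List, Optional

class Role(Enum):
    EMPLOYEE = "employee"        # managed computer, identity in the directory
    CONTRACTOR = "contractor"    # formal visitor on an unmanaged computer
    GUEST = "guest"              # informal guest or unknown computer

class Decision(Enum):
    FULL = "vlan-corp"               # enable, not block (employee goal)
    RESTRICTED = "vlan-restricted"   # access scoped to authorization and risk
    REMEDIATE = "vlan-remediation"   # fix configuration drift, then re-assess
    BLOCK = "deny"                   # no proof of authorization

@dataclass
class ThreatFeed:
    """Latest published updates, refreshed automatically (NAC 2.0) instead of
    being re-typed into assessment rules for every release (NAC 1.0)."""
    latest_patch_level: int
    latest_av_signature: int
    max_signature_lag: int = 3   # releases behind that still count as current

@dataclass
class Endpoint:
    user: str
    role: Role
    machine_id: Optional[str]    # None when the computer is unknown to the NAC
    location: str                # e.g. "campus", "conference-room", "remote"
    access_method: str           # "wired", "wireless" or "vpn"
    patch_level: int
    av_signature: int
    av_running: bool             # assessed by the NAC agent, not self-reported
    authorized_by: Optional[str] = None   # sponsor recorded for visitors/guests

@dataclass
class Assessment:
    decision: Decision
    reasons: List[str] = field(default_factory=list)

def assess_posture(ep: Endpoint, feed: ThreatFeed) -> List[str]:
    """Compare device posture with what vendors have published; empty = compliant."""
    findings = []
    if not ep.av_running:
        findings.append("anti-malware not running")
    elif feed.latest_av_signature - ep.av_signature > feed.max_signature_lag:
        findings.append(f"av signatures at {ep.av_signature}, published {feed.latest_av_signature}")
    if ep.patch_level < feed.latest_patch_level:
        findings.append(f"patch level {ep.patch_level}, published {feed.latest_patch_level}")
    return findings

def authorize(ep: Endpoint, feed: ThreatFeed, now: datetime) -> Assessment:
    """Map role, machine identity, context and posture to an enforcement decision."""
    findings = assess_posture(ep, feed)
    business_hours = 8 <= now.hour < 18
    if ep.role is Role.EMPLOYEE:
        if ep.machine_id is None:
            return Assessment(Decision.RESTRICTED, ["known user on an unmanaged computer"])
        if findings:   # managed computer has drifted: remediate rather than lock the user out
            return Assessment(Decision.REMEDIATE, findings)
        return Assessment(Decision.FULL, ["managed computer compliant"])
    if ep.role is Role.CONTRACTOR:
        if ep.authorized_by is None:
            return Assessment(Decision.BLOCK, ["no sponsor recorded for visitor"])
        reasons = [f"sponsored by {ep.authorized_by}"] + findings
        if ep.access_method == "vpn" and not business_hours:   # highest-risk combination
            return Assessment(Decision.BLOCK, reasons + ["vpn access outside business hours"])
        return Assessment(Decision.RESTRICTED, reasons)
    if ep.authorized_by is None:   # informal guest or unknown computer
        return Assessment(Decision.BLOCK, ["unknown computer without proof of authorization"])
    return Assessment(Decision.RESTRICTED, [f"guest sponsored by {ep.authorized_by}"] + findings)

def audit_record(ep: Endpoint, result: Assessment, now: datetime) -> dict:
    """Flat record of every decision for the security team's reporting and audit."""
    return {"time": now.isoformat(), "user": ep.user, "machine": ep.machine_id or "unknown",
            "role": ep.role.value, "location": ep.location, "method": ep.access_method,
            "decision": result.decision.value, "reasons": "; ".join(result.reasons)}

if __name__ == "__main__":
    feed = ThreatFeed(latest_patch_level=42, latest_av_signature=100)   # constructed feed
    now = datetime(2008, 7, 14, 10, 30)
    bob = Endpoint("bob", Role.EMPLOYEE, "PC-0002", "remote", "vpn", 40, 95, True)
    print(audit_record(bob, authorize(bob, feed, now), now))   # drifted: vlan-remediation
```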

1. Lambert, Natalie and Robert Whiteley. “Client Management 2.0.” Forrester Group, March 29, 2007
2. Whiteley, Robert. “Overcoming the Common Pitfalls of NAC.” Forrester Group, April 23, 2008
3. HIPAA: US Health Insurance Portability and Accountability Act,
4. PIPEDA: Canada Personal Information Protection and Electronic Documents Act,
5. BS7799/ISO27002: British/International Information Security Standard,
6. CIS Benchmarks: Center for Internet Security Benchmarks,
7. PCI DSS: Payment Card Industry Data Security Standard,

         Sophos solution
         Sophos NAC technology for endpoint assessment and control is incorporated in Sophos Endpoint Security and Control, giving
         organizations fundamental control of the security status of unauthorized, managed and unmanaged computers. Sophos NAC Advanced
         gives greater control through more sophisticated policy definitions, and advanced reporting capabilities. To find out how Sophos NAC can
         protect your network, or to arrange an evaluation, please visit

         Boston, USA | Oxford, UK
         © Copyright 2008. Sophos Plc

         All registered trademarks and copyrights are understood and recognized by Sophos.
         No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any
         form or by any means without the prior written permission of the publishers.
