Easier said than done

In today's converged world, network access control is all or nothing.
By Andy Robb, Technology specialist at Duxbury Networking.
Johannesburg, 17 Oct 2007

Network security is at the top of the agenda for most enterprises. And if it isn't, it should be. The network is the business. It is the first port of call for entering the business's systems and where security should begin and end.

There are security solutions in the market that claim to be all things to all networks, but with convergence driving new and diverse ranges of equipment onto the IP stack, security needs to be considered from all angles.

Access control is much talked about, but what makes for an effective security system?

The real threat

Network access control (NAC) is often considered a be-all and end-all answer to overall network security, especially when introducing newer technologies, such as voice over IP (VOIP) handsets, into the business technology environment.

The belief is that controlling initial access to the network is sufficient to curb any possible threat, irrespective of its source. As we will see, this is an erroneous assumption as initial access control is only one piece of the puzzle.

Additionally, most vendors do a certain amount of post-remediation assessment. Many NAC solutions out there require that a client is loaded onto end-user systems in order to work effectively. But on a voice over IP handset, for example, this is usually not possible.

Devices like handsets are simple and often closed devices, and loading or even providing client software for them is in most cases impossible. The real threat isn't even the device itself, but the vulnerability it creates within the network.

Clone attack

This is because these devices are easy to spoof. In most cases it would be as simple as acquiring a device's MAC address, cloning it, and immediately gaining all the network access afforded the authentic device. Most network access control systems would be oblivious to the intrusion.

So how does one gain a suitable security posture without a reporting agent being loaded onto devices?

Firstly, we must deal with the perception often held in the market that access control is where NAC stops. There is more to it than that.

In order to make sure that access control systems are doing their jobs effectively, it is necessary to have some form of post-authentication behavioural analysis. This entails monitoring a device's activity on the network and, in so doing, attempting to detect any particular activities that would be deemed untoward. This brings us one step closer to detecting devices such as our spoofed VOIP handset, mentioned above.

Also, once a device such as a VOIP handset is validated on the network, it is necessary to ensure that it only receives access to the services it needs. For example, a VOIP handset should never need access to the enterprise's file server. While the handset itself would probably not be able to even attempt to access such a server, a laptop spoofing the handset's address certainly would.
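The two previous paragraphs, post-authentication behavioural analysis and a per-device service profile, can be combined into one check. The following is an added example, not code from the article or from Duxbury Networking: it assumes a NAC admission table that maps each MAC address to a role, a constructed service profile per role, and constructed flow records in the form "src_mac proto dst_ip:dst_port". A MAC admitted as a VOIP handset that then opens SMB to the file server is exactly the spoofed-handset case the text describes.

```python
# NAC admission table: MAC address -> role assigned at authentication time.
# Constructed values; a real table would come from the NAC system itself.
ADMITTED = {
    "00:1b:4f:aa:bb:01": "voip_handset",
    "3c:52:82:cc:dd:02": "laptop",
}

# Services each role legitimately needs (constructed profiles).
# Each entry is (protocol, lowest port, highest port).
ROLE_PROFILE = {
    "voip_handset": [
        ("udp", 53, 53),        # DNS
        ("udp", 67, 68),        # DHCP
        ("udp", 69, 69),        # TFTP configuration download
        ("udp", 5060, 5061),    # SIP signalling
        ("udp", 16384, 32767),  # RTP media
        ("tcp", 80, 80),        # built-in web browser on the handset
    ],
    "laptop": [("tcp", 1, 65535), ("udp", 1, 65535)],  # unrestricted here
}

def parse_flow(line):
    """Parse one constructed flow record: 'src_mac proto dst_ip:dst_port'."""
    src_mac, proto, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return src_mac.lower(), proto.lower(), dst_ip, int(dst_port)

def allowed(role, proto, port):
    """True if the role's profile permits this destination service."""
    return any(p == proto and lo <= port <= hi
               for p, lo, hi in ROLE_PROFILE.get(role, []))

def analyse(flow_lines):
    """Return (src_mac, role, service) for every post-admission flow
    that falls outside the admitted role's service profile."""
    alerts = []
    for line in flow_lines:
        src_mac, proto, dst_ip, port = parse_flow(line)
        role = ADMITTED.get(src_mac, "unadmitted")  # never matches a profile
        if not allowed(role, proto, port):
            alerts.append((src_mac, role, f"{dst_ip}:{port}/{proto}"))
    return alerts

# Constructed flow records seen after the devices were admitted.
FLOWS = [
    "00:1b:4f:aa:bb:01 udp 10.0.0.5:5060",   # handset: SIP, expected
    "00:1b:4f:aa:bb:01 udp 10.0.0.5:20000",  # handset: RTP, expected
    "00:1b:4f:aa:bb:01 tcp 10.0.0.20:445",   # handset MAC: SMB to file server
    "00:1b:4f:aa:bb:01 tcp 10.0.0.20:22",    # handset MAC: SSH to file server
    "3c:52:82:cc:dd:02 tcp 10.0.0.20:445",   # laptop: SMB, within its profile
]

if __name__ == "__main__":
    for alert in analyse(FLOWS):
        print("ALERT", *alert)
```

The handset profile is deliberately narrow; a handset with a web browser, as the next section notes, gets HTTP and nothing more, so the cloned MAC is caught by what it does rather than by what it claims to be.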

Proactive monitoring

Of course, this becomes tricky in today's world, where some VOIP handsets have LCD screens built in and are equipped with the likes of Web browsers, warranting HTTP access over the corporate network, for example. But sensitive systems should still be opened up only to the devices, and users, that require them. And in the absence of effective agents being available for devices of this kind, we come back to the point of proactive monitoring.

Even when "trusted" devices are identified on the network and given limited access, proactively monitoring their activities is a vital step in ensuring that they do not cause trouble within the access they do have.

This is where intrusion detection and prevention systems come into play. There is often some debate as to whether detection or prevention is the more effective approach. The former is a reactive security approach, the latter a proactive one. The truth is that both are required for effective network security.

In short, network access control must be holistic and architecturally integral to the network. All the bases need to be covered in terms of access control, monitoring, detection and prevention.

A chain is only as strong as its weakest link - and any network with one of the links in the effective NAC chain missing will not hold up to a serious attack.

* Andy Robb is technology specialist at Duxbury Networking.