Today's technology environment is defined by mobility. It's a productivity enhancement few organizations can be without - but the gain in productivity is causing an explosion of network security concerns.
Consider the dramatic increase in the number and capabilities of mobile devices: according to Gartner, the dominant trend in computer buying has shifted to notebooks, which now make up 31% of those sold worldwide [1]. And not only are laptops becoming the computer of choice for many corporate employees, more and more IP-enabled devices are coming into the mix - PDAs, mobile phones, and gaming systems, to name a few, each bringing new security vulnerabilities onto the network. Further enhancing productivity - and jeopardizing network security - is the ubiquity of access. Whether at home, in a hotel, or even from a parking lot, users require and expect access to corporate networks at a data rate that enables full productivity.
This environment has created great challenges for IT and security professionals. Controlling the devices accessing the network has become increasingly problematic as these devices move in and out of protected corporate networks, and as the line between office and personal computer blurs or even disappears.
This technology shift has IT security professionals asking two questions: "How do I control the access to my corporate networking resources?" and "How do I ensure that the resources that are allowed on my network aren't creating a security risk?"
The Need for Something New
Today's threats are not entering corporate networks through the perimeter, protected as it is by technologies like firewalls, anti-virus, and intrusion detection systems. Rather, they are taking aim at the network's soft underbelly: authorized endpoints, which, as known devices, completely bypass perimeter defenses. This brings us full circle to the question of how to control endpoints to minimize security risks without impeding business.
NAC in a Nutshell
Network Access Control (NAC) aims to do exactly what the name implies: control access to the network. It is still an emerging technology space, and many vendors are taking advantage of this lack of definition to jump on the NAC bandwagon. But if we boil down NAC to its essence, we are referring to the ability to:
* Enforce security policy and restrict prohibited traffic types
* Identify and contain users that break rules or are noncompliant with policy
* Stop and mitigate zero-day and other threats
For a NAC solution to be effective, it must deliver two essential pre-admission capabilities. First, it must be able to identify a new device connecting to the network. Second, it must be able to test the endpoint for adherence to security policy and restrict access for those devices that do not meet defined entry criteria. Together, these capabilities should provide data that can be used to compare a device's current security state against established security policy criteria, to determine how much or how little access that device is allowed.
Once the device is on the network, it must be continually monitored for policy violations, as most of the threats to a network are introduced by users after they are authenticated. If a threat is identified, the infected system must be removed from the network to prevent widespread infection. The device stays in quarantine until IT staff can remove the infection or otherwise bring the device into policy compliance.
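The pre-admission check and post-admission quarantine described above can be sketched as a small policy engine. This is an added example, not Mirage Networks' code; the posture attribute names, the access tiers and the event names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Access(IntEnum):
    QUARANTINE = 0   # isolated until IT staff remediate
    RESTRICTED = 1   # limited resources only
    FULL = 2


# Assumed entry criteria: posture attribute -> access ceiling when the check fails.
ENTRY_POLICY = {
    "managed_device": Access.RESTRICTED,
    "av_signatures_current": Access.RESTRICTED,
    "os_patches_current": Access.RESTRICTED,
    "no_prohibited_services": Access.QUARANTINE,
}


@dataclass
class Endpoint:
    mac: str
    posture: dict
    access: Access = Access.QUARANTINE
    findings: list = field(default_factory=list)
    held: bool = False  # True once a post-admission threat forced quarantine


def evaluate(ep: Endpoint) -> Access:
    """Pre-admission: compare posture to policy; the worst failed check wins."""
    if ep.held:
        return ep.access  # stays quarantined until remediate() clears the hold
    # A missing attribute counts as a failed check (fail closed).
    ep.findings = [c for c in ENTRY_POLICY if not ep.posture.get(c, False)]
    ep.access = min((ENTRY_POLICY[c] for c in ep.findings), default=Access.FULL)
    return ep.access


def on_event(ep: Endpoint, event: str) -> Access:
    """Post-admission: a detected threat removes the device regardless of posture."""
    if event == "threat_detected":
        ep.access, ep.held = Access.QUARANTINE, True
        ep.findings.append(event)
    elif event == "posture_changed":
        evaluate(ep)
    return ep.access


def remediate(ep: Endpoint, new_posture: dict) -> Access:
    """IT staff fixed the device: clear the hold and re-run the entry checks."""
    ep.held, ep.posture = False, new_posture
    return evaluate(ep)
```

A device that passed every entry check is still quarantined by `on_event(ep, "threat_detected")`, and a later `evaluate` call cannot lift that hold; only `remediate` does.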
Mirage Networks' patented quarantine solution connects out-of-band, so the Mirage appliance can be installed without affecting network uptime. The technology isolates infected and out-of-policy users without using agents or dedicated VLANs, so unmanaged devices can be quarantined as easily as managed ones, and once a device is isolated it cannot infect other isolated devices.
Mirage Networks, Inc. is the leading provider of network access control (NAC) solutions, including both pre- and post-admission security. The company's patented technology gives organizations control over unknown, out-of-policy, and infected devices resulting in increased network uptime, policy compliance and reduced operational costs. Mirage's NAC appliances work in all network environments, deploy out-of-band and require neither signatures nor agents to enforce policies and terminate zero-day threats. Based in Austin, Texas, Mirage Networks' Endpoint Control is a consistent winner of industry awards and recognition.
LOOPHOLD Security Distribution
LOOPHOLD Security Distribution is a leading Value Added Distributor ("VAD") of InfoSec products for the small, medium and enterprise market.
Our successful partnerships with industry leading vendors such as Aventail, Barracuda Networks, Celestix Networks, CyberGuard, Mirage Networks, SonicWALL, and others, have enabled us to have preferred access to the latest InfoSec technologies, thus allowing LOOPHOLD to offer "best-of-breed" InfoSec solutions to the market place in South Africa and other African countries.
All of our products are available through an extensive network of highly competent Channel Partners. For more information please visit LOOPHOLD's Web site at http://www.loophold.com/.
[1] ChannelRegister.com, "Notebooks keep becalmed PC market going", August 2005