ENFORCING MOBILE ACCESS

A view into mobile network access control initiatives and their necessity for enterprise networks to ensure that infected devices do not gain access to healthy networks

by Aruba Networks

Today, the threat of an infected device gaining access to a healthy enterprise network is becoming a significant concern. The focus has been on securing the network perimeter, which leaves the network vulnerable to attacks that originate within the security perimeter. This threat is exacerbated by the growth in popularity of mobile devices such as laptops, PDAs and smart phones that more easily move between public and private networks.

The use of these mobile devices in insecure public networks such as wireless hotspots and municipal Wi-Fi networks exposes these devices to various kinds of viruses, worms and other malicious software. When these devices re-enter the enterprise network, the lack of any security mechanism in the traditional enterprise network architecture leaves the network vulnerable to attacks from malware. Various vendors – big and small – have recognized the need to create solutions that address this important issue. Since any re-architecture of the enterprise network is a significant undertaking, most approaches focus on an overlay solution in the short term, providing a migration path to a comprehensive network-wide security architecture.

The types of solutions are beginning to converge, with operating system and anti-virus vendors emerging as the most capable for establishing client health and network vendors for using the results to enforce identity-based security. Various approaches have been proposed, many requiring changes to the network, the end-point and other elements. The final solution will often be a combination of parts of all these solutions. However, it is important to note that networks are changing to solve this problem, as is the role of network elements.

Access initiatives 

While it is unanimously agreed that network access control is a problem, opinions differ about how to address it. Broadly, the solutions are categorized as follows:

  • posture checking – solutions in this category aim to verify the posture, or state, of the host before allowing the appropriate level of access to the network. To verify posture, such systems typically verify user identity and the health of the machine (whether it is infected by a virus or other malware). Such systems may also check whether the host has current versions of anti-malware software such as anti-virus software and host firewalls.
  • in-line packet inspection – in this category, an in-line network device (usually a switch or an appliance) is used to inspect all traffic for known malware signatures and/or anomalies.

Posture-based 

All solutions in this category are based on the concept that a host must be checked for ‘posture’ prior to gaining network access. This process validates a host against an established corporate policy to determine compliance. The result of the posture check helps determine the level of network access permitted to the host.

Defining the ‘posture’ of a client is more complex and requires user identity and the ‘health state’ of the client. The exact definition of ‘health state’ varies in different environments. The following are examples of some common attributes that make up the health state of a client: anti-malware software installed and active on the client, with a current version of this software; presence of any malware on the client; network interfaces enabled and/or active.

Some of the solutions that fit into this category are Cisco NAC (both 802.1x-based and Cisco Clean Access based), Microsoft NAP, and Juniper UAC (Unified Access Control).

Solutions in this category differ in several important ways. For instance, each solution may be unique in the method it uses to:

  • authenticate the user
  • determine the posture of the client
  • convey the posture to a server that compares the client’s posture to configured policies
  • enforce access control depending on the result of the posture check.

Cisco 

Cisco Network Access Control is a posture-based access control solution from Cisco that involves a variety of products and solutions. It should be noted that Cisco NAC is effectively a closed solution that may introduce interoperability issues with third party software and networking equipment.

Microsoft NAP 

Microsoft has launched the Network Access Protection (NAP) initiative with the Vista and Longhorn versions of the company’s Windows operating system for hosts and servers, respectively. As the developer of the client OS, Microsoft is in a very good position to develop a strong posture-based solution. While the basic concept of NAP is similar to the Cisco NAC initiative, the approach and the underlying technologies are significantly different. The Microsoft NAP initiative is an open solution, comprised of techniques based on 802.1x, IPSec and Dynamic Host Configuration Protocol (DHCP). NAP is based on a framework that will accommodate additional enforcement options as well.

Juniper UAC 

Juniper’s Unified Access Control (UAC) solution is based on the Trusted Computing Group (TCG) Trusted Network Connect (TNC) architecture. TCG intends to create a standards-based set of APIs for NAC components. While most NAC solutions loosely follow the TCG model, Juniper has taken a more active role in adopting and promoting it. The basic model is similar to the others: posture assessment is performed by Integrity Measurement Collectors (IMCs), which provide health-related information to a server; the server evaluates this data using Integrity Measurement Verifiers (IMVs), and the outcome determines how policy enforcement is carried out. One of the primary issues with TCG-TNC today is industry adoption. Almost no one else has demonstrated conformance with the standard, providing a risky uphill battle for gaining market acceptance.
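The following added example (not code from Aruba, Juniper or the TNC specifications) models the posture-check procedure described under "Posture-based" and the IMC/IMV split described above: collectors report the health attributes listed earlier (anti-malware installed, active and current; malware present; active interfaces), verifiers judge each attribute against a policy, and identity plus the worst verdict selects a network role. The policy values, user directory and function names are assumptions made up for the illustration.

```python
"""Posture evaluation in the TNC style: collectors (IMC role) report health
attributes, verifiers (IMV role) judge each against policy, and the combined
result picks a network role. Added illustration; all names are invented."""
from dataclasses import dataclass, field

ALLOW, ISOLATE, DENY = "allow", "isolate", "deny"
ORDER = {ALLOW: 0, ISOLATE: 1, DENY: 2}      # severity ranking of verdicts

@dataclass
class Posture:                                # what the client-side collectors report
    user: str
    am_installed: bool
    am_active: bool
    am_version: str
    malware_found: bool
    active_ifaces: list = field(default_factory=list)

# Policy the server-side verifiers check against (constructed values)
POLICY = {"min_am_version": (4, 2), "allowed_ifaces": {"wlan0", "eth0"}}

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def verify_antimalware(p):
    if not (p.am_installed and p.am_active):
        return ISOLATE                        # remediable: send to quarantine
    if parse_version(p.am_version) < POLICY["min_am_version"]:
        return ISOLATE                        # out-of-date signatures/engine
    return ALLOW

def verify_malware(p):
    return DENY if p.malware_found else ALLOW  # infected host gets no access

def verify_interfaces(p):
    extra = set(p.active_ifaces) - POLICY["allowed_ifaces"]
    return ISOLATE if extra else ALLOW        # e.g. an unexpected bridged modem link

VERIFIERS = [verify_antimalware, verify_malware, verify_interfaces]

def evaluate(p, directory):
    """Identity first, then the most severe verifier result decides the role."""
    if p.user not in directory:
        return DENY, "guest"
    verdict = max((v(p) for v in VERIFIERS), key=ORDER.__getitem__)
    role = {ALLOW: directory[p.user], ISOLATE: "quarantine", DENY: "blocked"}[verdict]
    return verdict, role

USERS = {"alice": "employee", "bob": "contractor"}   # constructed identity store
```

The role returned here is what an identity-based enforcement point (a role-based firewall rather than a VLAN) would apply to the client's session.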

In-line traffic inspection 

A fundamentally different approach to protecting the network from malware is to use network elements (usually switches and network appliances) to inspect traffic to detect anomalies and signatures. Because the two approaches differ in their technique, they will often be deployed in parallel to ensure the ongoing health and security of a network. The different methods used to detect malware usually fall into one of two categories: signature detection and anomaly detection. Signature detection will detect known attacks by looking at network traffic for established patterns. The obvious flaw in this approach is the inability to detect Day Zero attacks that are new or attacks that self-modify as they propagate. Anomaly detection should be used in addition to signature detection to recognize attacks that do not have an existing signature. Anomaly detection looks for deviations from baseline network behavior and intelligently predicts which deviations are attacks requiring mitigation.
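To make the two detection methods concrete, here is an added example (not vendor code) that runs a signature rule and a baseline-deviation anomaly check over constructed flow records. The signature, the records, the baseline counts and the three-sigma threshold are all assumptions made up for the illustration; the point is that the scanning host triggers no signature and is caught only by the anomaly check.

```python
"""Signature detection and anomaly detection over constructed flow records.
Added illustration; the signature pattern, records and baseline are invented."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (src_ip, dst_ip, dst_port, payload_excerpt)
FLOWS = [
    ("10.0.0.5", "10.0.0.20", 445, "SMB session setup"),
    ("10.0.0.5", "10.0.0.21", 80, "GET /index.html"),
    ("10.0.0.7", "10.0.0.20", 445, "SMB session setup"),
    ("10.0.0.7", "10.0.0.22", 139, "EXAMPLE-WORM-MARKER payload"),
    # one host touching 60 distinct peers on 445: no known signature, but abnormal
] + [("10.0.0.9", f"10.0.0.{n}", 445, "SMB probe") for n in range(30, 90)]

# Signature rule: a known text pattern on a given port (constructed rule)
SIGNATURES = [("example-worm", 139, re.compile(r"EXAMPLE-WORM-MARKER"))]

def signature_hits(flows):
    """Return (src, rule_name) for every flow matching an established pattern."""
    hits = []
    for src, _dst, port, payload in flows:
        for name, sig_port, pattern in SIGNATURES:
            if port == sig_port and pattern.search(payload):
                hits.append((src, name))
    return hits

def anomalous_hosts(flows, baseline, k=3.0):
    """Flag sources whose distinct-destination count exceeds the baseline
    mean by more than k standard deviations; needs no prior signature."""
    fanout = defaultdict(set)
    for src, dst, _port, _payload in flows:
        fanout[src].add(dst)
    threshold = mean(baseline) + k * pstdev(baseline)
    return sorted(src for src, dsts in fanout.items() if len(dsts) > threshold)

# Baseline: distinct destinations per host seen during a quiet period (constructed)
BASELINE = [2, 3, 2, 4, 3, 2, 3, 5, 2, 3]
```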

One of the major disadvantages of in-line traffic inspection is that the device inspecting the traffic can be the bottleneck and therefore fail to meet the performance requirements of network applications. Different deployment models have been proposed to overcome this problem. The most common workaround is to move the inspecting device out of the data path by re-directing traffic from a switch using port mirroring capabilities or by configuring a device to do policy-based routing of specific ‘vulnerable’ applications to the inspecting device.

ID-based access 

One requirement that remains consistently important across all solutions is to deploy a sophisticated enforcement technique that supports identity-based access control. In order to achieve this, a good enforcement technique should have the following characteristics:

  1. close proximity to the edge of the network – required for enforcement to be truly effective
  2. firewall role-based enforcement – VLANs should not be used as a security mechanism and should not be the sole mechanism for protecting networks.
  3. simple to manage – the solution should be a manageable solution. Any solution that increases the operational expenses of the network effectively becomes an un-deployable solution.

An interesting trend in enterprise networks is the consolidation of requirements for mobility and security. While the growth of wireless and remote access technologies is driving the requirement for greater mobility, the same technologies also are triggering a surge in the number of network vulnerabilities. This situation forces network designers and administrators to consider mobility and security requirements together, rather than treating them separately.

This has created the need to establish an overlay architecture that enables mobility over existing network infrastructures. An overlay infrastructure provides a framework to support any of the network access control solutions outlined in this whitepaper, including posture-based solutions and solutions based on in-line packet inspection. Solutions such as the Aruba Networks Mobile Edge provide an integrated user-based stateful firewall that ensures flexible and secure enforcement of NAC policies.