Network Access Control Technologies


NETWORK ACCESS CONTROL TECHNOLOGIES

    Benny Czarny

OPSWAT Inc., 640 2nd, 2nd Floor, San Francisco, CA 94107, USA

Tel +1 415 543 1534 #301, Email [email protected]

    ABSTRACT

Cisco, Microsoft and the Trusted Computing Group are battling to control the keys to locking untrusted endpoints out of networks. Whether you call the approach network access control, network admission control, network access protection, network node validation or trusted network connect, the premise is identical: systems should grant access to the network based on factors such as anti-malware protection level, personal firewall assessment, host and user authentication, location, and even time of day. This paper will:

- Review network access control technologies delivered by Cisco, Microsoft, the Trusted Computing Group and selected non-standard-based solutions such as Nevis Networks and ConSentry Networks.

- Outline the partnerships between anti-malware companies and each one of the technologies; it will then outline the partnership process and the resources that would be required for each initiative.

- Compare the processes and list the technical, business and marketing advantages and risks of implementing each network access technology partnership.

    INTRODUCTION

Over recent years the increase in the number of mobile workers, the number and types of mobile devices, and in the number of non-employees requiring access to corporate networks has dissolved the network perimeter. Access requests can come from anyone and anywhere, which is why organizations are turning to network access control (NAC) technologies. This paper discusses Cisco NAC, Microsoft NAP, Trusted Computing Group TNC and other programs that offer a solution to the problem. This paper also outlines the benefits of anti-malware companies partnering with these programs.

OPSWAT WHITE PAPER OCTOBER 2008

Figure 1: Generic network access control diagram.
1. Host assessment and communication.
2. Host info sent to policy server.
3. Policy server validates policy against application management server settings.
4. Results are communicated to the network infrastructure.
5. Endpoint is granted/denied access to the network or quarantined.


The approach has many names: network access control, network admission control, network access protection, network node validation or trusted network connect. But whatever it is called, the premise is the same: systems should grant network access based on factors such as anti-malware protection level, personal firewall assessment, host and user authentication, location, and even time of day.

Network access control is not a new concept. Microsoft released its Remote Quarantined Service with Windows 2003 Server; this solution enabled system administrators to write scripts that would check the health of machines trying to access a network remotely. Now, Cisco, Microsoft, the Trusted Computing Group and many other vendors are battling to control the keys that lock untrusted endpoints out of networks.

Although endpoint security applications do not always play an active part in this battle, they have a significant influence on this market, given their mission to protect endpoints from malware, vulnerabilities and other security threats.

    CISCO NAC

Cisco was the first to define the technology. In 2003 it launched the NAC program. In fact, Cisco coined the term NAC (for Network Access Control), which is the term most commonly used today. In its initial approach Cisco and its partners provided live client policy information to Cisco's NAC client through written Posture Plug-ins (PP). Cisco also defined the term Posture Validation Server (PVS). The PVS is a partner policy server that allows administrators to define the health of endpoints; the PVS instructed Cisco network devices as to the level of network access allowed based on the health of the endpoint communicated by the PP. This program extended to anti-virus, patch management, vulnerability scanners and other security technologies.

However, Cisco's original NAC framework not only failed to solve the problem of unmanaged endpoints, it was also hacked. It had two additional drawbacks. First, it worked only with upgraded Cisco LAN equipment. Second, the program depended on the vendors of anti-malware and other security products to alter their binaries in order to work with the Cisco Trusted Agent platform. Furthermore, some of the prospective partners (e.g. Symantec and McAfee) had and still have competing NAC solutions.

Figure 2: Cisco Clean Access diagram.
1. Endpoint connects to the network.
2. NAS collects endpoint health state, using OPSWAT OESIS toolkit.
3. Endpoint health state is communicated to NAM.
4. Security policy decision is passed to network infrastructure.
5. Endpoint is granted/denied access to the network or quarantined.

The acquisition of Perfigo in 2004 enabled Cisco to overcome these drawbacks. Perfigo's solution was able to work with nearly all of Cisco's switches by creating dynamic virtual networks. And once Perfigo agreed an OEM licence for OPSWAT's OESIS (OPSWAT Endpoint Security Integration SDK) Framework, Cisco no longer had to rely on security vendors modifying their products.

    MICROSOFT NAP

Microsoft launched a program that was similar to Cisco's NAC, named NAP (Network Access Protection). It supports a few more authentication protocols and has a similar client/server-based integration. Cisco's PP was replaced by a System Health Agent (SHA) and PVS was replaced with a Network Policy Server (NPS).

Though similar in concept, one major difference separates the first NAC and NAP programs. While Cisco's program supports any operating system that works with Cisco's equipment, Microsoft's solution works with any Microsoft operating system and with any networking equipment, as long as Windows 2008 Server is part of the network health decision-making process.

    TRUSTED COMPUTING GROUP TNC

The Trusted Computing Group (TCG) is a non-profit organization whose purpose is to define and promote open standards for hardware-enabled trusted computing. TCG formed a work group (the Trusted Network Connect (TNC) Work Group) that has released an open architecture and a set of standards for determining endpoint integrity before and during network activities.

Similar to NAC and NAP, TNC defined a protocol for gathering a client computer's security state in the form of integrity measurements. Called Integrity Measurement Collector (IMC), this protocol is the equivalent of Microsoft's SHA or Cisco's PP. TCG defined an Integrity Measurement Verifier (IMV) as the interface between the network enforcement point and the network policy server (TNC server). It is similar in concept to Microsoft's System Health Validator (SHV) and Cisco's PVS. However, unlike SHV and PVS, the TCG program was designed to support any operating system and any networking equipment.

Figure 3: The Microsoft NAP program leverages a Microsoft NAP client delivered on recent Microsoft operating systems.
1. Endpoint connects to the network.
2. NAP client collects endpoint health state.
3. Endpoint health state is communicated to Microsoft NPS.
4. Security policy decision is passed to network infrastructure.
5. Endpoint is granted/denied access to the network or quarantined.

    NAC PRODUCTS

There are many network access control products produced by dozens of companies, including:

- Cisco Systems
- Sophos
- Microsoft
- AEP Networks
- Nortel Networks
- Mirage Networks
- Bradford Networks
- Insightix
- McAfee
- Forescout Technologies
- F5 Networks
- Array Networks
- Symantec
- Nevis Networks
- Avenda Systems
- SonicWALL
- ConSentry Networks
- Aruba Networks
- Bluesocket
- Blue Ridge Networks
- Check Point Technologies
- InfoExpress
- StillSecure
- Trend Micro
- 3COM Corporation
- Tipping Point Technologies
- and others

Most companies deliver an appliance or software solution that integrates with existing network infrastructures and enforces some sort of network access control. Nevis Networks and ConSentry Networks, the two NAC/switch vendors, took an all-in-one approach and delivered a network access device (switch) with NAC capabilities. The rest of the NAC vendors enforce network access by using technologies that include:

- Virtual networks
- SNMP
- ARP poisoning
- 802.1X
- DHCP
- Other technologies and techniques

The frameworks: NAC, NAP and TNC

Figure 4: Trusted Computing Group diagram.
1. Endpoint connects to the network.
2. TNC client collects endpoint health state.
3. Endpoint health state is communicated to TNC server.
4. Security policy decision is passed to network infrastructure.
5. Endpoint is granted/denied access to the network or quarantined.


The goal of almost any NAC vendor is to collect information about the health of an endpoint and/or to trigger a healing action on an unhealthy endpoint. Health checks include checking the state of endpoint security applications by verifying the definition time of the anti-virus application, the engine version, the last time the anti-virus application triggered a scan, when the last definition file update occurred, and other checks.

Healing actions include triggering a definition file update, updating the engine and triggering a full system scan.

Non-compliant endpoints are usually notified, denied access to the network or put in a separate LAN that has fewer network permissions.
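The policy-server step of the generic flow in Figure 1, combined with the health checks, healing actions and quarantine outcome described above, as an added Python example that is not from the paper or from OPSWAT's OESIS. The product names, version threshold and maximum ages are assumed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy thresholds and supported products are assumed sample values.
MAX_DEFINITION_AGE = timedelta(days=3)
MAX_SCAN_AGE = timedelta(days=7)
MIN_ENGINE_VERSION = (5, 2, 0)
SUPPORTED_PRODUCTS = {"ExampleAV", "OtherAV"}  # hypothetical product names

@dataclass
class HealthReport:
    """Posture data a NAC client (Cisco PP, Microsoft SHA or TNC IMC) collects."""
    product: str                     # "" when no anti-malware application was found
    engine_version: Tuple[int, ...]
    definitions_updated: datetime    # last definition file update
    last_scan: datetime              # last time the product triggered a scan

@dataclass
class Decision:
    access: str                      # "grant", "quarantine" or "deny"
    remediation: List[str] = field(default_factory=list)

def evaluate(report: Optional[HealthReport], now: datetime) -> Decision:
    """Policy-server step: validate the report against policy and return the
    access decision plus the healing actions to trigger on the endpoint."""
    if report is None:               # no posture at all: deny outright
        return Decision("deny")
    if report.product not in SUPPORTED_PRODUCTS:
        # Unsupported or missing product: quarantine and install a supported one.
        return Decision("quarantine", ["install supported anti-malware application"])
    actions = []
    if report.engine_version < MIN_ENGINE_VERSION:
        actions.append("update engine")
    if now - report.definitions_updated > MAX_DEFINITION_AGE:
        actions.append("update definition file")
    if now - report.last_scan > MAX_SCAN_AGE:
        actions.append("trigger full system scan")
    return Decision("grant") if not actions else Decision("quarantine", actions)

def sample_decisions() -> dict:
    """Constructed endpoints run through the policy (sample data, not real telemetry)."""
    now = datetime(2008, 10, 1, 12, 0)
    healthy = HealthReport("ExampleAV", (5, 3, 1), now - timedelta(days=1), now - timedelta(days=2))
    stale = HealthReport("ExampleAV", (5, 1, 0), now - timedelta(days=10), now - timedelta(days=30))
    unknown = HealthReport("UnknownAV", (9, 9, 9), now, now)
    return {"healthy": evaluate(healthy, now), "stale": evaluate(stale, now),
            "unknown": evaluate(unknown, now), "no_posture": evaluate(None, now)}
```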

There are several methods by which NAC vendors monitor endpoint health:

1. Running a one-time or a persistent client on the endpoint.

2. Calling RPC (Remote Procedure Calls). This can be done from Windows, which some NAC vendors permit products and users to leverage.

3. Monitoring network traffic, which enables vendors to monitor endpoint activities, such as anti-malware application updates on given ports and protocols, virus outbreaks, bots and peer-to-peer applications.

WHY ANTI-MALWARE COMPANIES SHOULD PARTNER WITH NAC VENDORS

For any anti-malware company, partnering with NAC vendors makes business sense. Partnering enables joint packaging and joint solutions. Partners can co-market and co-brand, which enables companies to be detected by and inter-operate with many NAC vendors, and to get listed on their websites and on their management consoles. Partners can provide mutual defence, and anti-malware companies partnering with NAC providers can avoid uninstallation of their products. If a NAC product does not detect a supported endpoint security application on the endpoint machine (whether that is because there is none or because the application installed on the machine is unsupported), the product will typically instruct the network access device to quarantine the endpoint and install a security application that it supports. Since many anti-malware applications cannot inter-operate, the supported security application will typically trigger an uninstall of the unsupported application. For security vendors, uninstallation of their application means:


    HOW TO PARTNER WITH NAC VENDORS

For NAP, NAC, TNC and other NAC solutions, anti-malware vendors should join OESISOK. OESISOK is a certification program that verifies the integration to the OPSWAT OESIS Framework, which powers most NAC devices. The program permits the submission of betas, release candidates and generally available releases for certification testing.

To partner with Microsoft, anti-malware vendors should join the NAP program. Integrate your system health agent with the Microsoft NAP client. Develop an SHV and integrate your policy and system health verifier. Maintain the solution for every application you deliver.

To partner with TNC, anti-malware vendors should implement an IMC and follow the TNC guidelines. Develop and test an IMV and IMC solution. Market the solution with every relevant TCG vendor and maintain the solution for every application you deliver.
