Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Security Manager's Journal: NAC deployment means better access control at last

Mathias Thurman | May 21, 2013
The deployment has already revealed a whole lot of devices that don't meet the criteria for getting on the corporate network.

Another step in our relentless march toward better security: A couple of weeks ago, our network access control (NAC) initiative moved to initial deployment.

Trouble Ticket
Network access control is ready for deployment. Action plan: Move slowly so as not to disrupt the business with sudden tight controls.

Our main goal with NAC is to restrict the access of unauthorized devices to certain segments of our corporate network. Several times, noncorporate devices connected to our corporate network introduced malware or were found to contain some of our intellectual property. We have a corporate policy that prohibits the use of personal devices on our network, but without NAC, we couldn't effectively enforce it.

With the initial deployment, we're focusing on end-user access points: the wired ports and wireless hubs in our offices, as well as the VPN. These are a higher priority than securing our production server networks and the engineering and test-and-development network segments in the data center. We'll get to those later.

We chose a NAC tool with a centralized management console that monitors every switch port on the VLANs serving our 50-plus offices around the world. With such far-flung facilities, this is more cost-effective than installing appliances at every location.

I'm sure you know how NAC works. Any device that connects to a switch port or authenticates to the network via 802.1x is interrogated before it is granted network access. Most of our authorized devices are Windows PCs. If a PC is seeking access, we first want to determine if it is a member of our domain. Next, we check that it's running our systems management software. For now, we're assuming that any PC that passes that test is up to date with patches and endpoint protection. Eventually, we might directly interrogate the device about those things, but for now we're going to be satisfied with this. PCs with the systems management software will be allowed to connect to the corporate network. Others will be halted and given some options: install the required software, be placed on a segmented network to facilitate that, or be given access to our guest network for limited Internet access.

In practice, this means that if a PC is a domain member but isn't running the systems management software, we may elect to install the software. On the other hand, if a PC is not a domain member (for example, one that has been brought in from home or by a vendor's rep) but is up to date with patches and is running an antivirus client, we may decide to grant access to the guest network. That option would still give a vendor's rep access to the Internet in order to provide product demos.


1  2  Next Page 

Sign up for CIO Asia eNewsletters.