- At issue: The time has come to implement network access control, but a NAC deployment can be fraught with difficulty.
- Action plan: Keep the architecture simple, starting with the network segmentation.
Security Manager's Journal: As plans for NAC deployment get under way, the goal is to keep it simple
The first step toward deployment of network access control is to set up a network segmentation model.
Computerworld - I've mentioned network access control several times in this column over the past few months. If you've been following along, you know that I like the functionality it offers but am leery of the difficulty and cost of deploying it, as well as the resources required to manage it properly.
What we stand to gain with NAC finally seems to outweigh the drawbacks, so I've decided to begin the groundwork for a NAC deployment. To that end, I've been holding weekly meetings with our network and security operations team to develop a network segmentation model, which is pretty much a mandatory precursor to a successful NAC deployment.
From a network point of view, ours is not a very complicated company. We don't have a storefront, we're not a software-as-a-service or cloud provider, and we don't have a decentralized business model or any other risky situations to warrant a complex network segmentation model. I want to keep the architecture uncomplicated, serving the simple goal of protecting the company's assets while providing entities with transparent access. You're probably wondering why I used the word "entities" instead of "users." It's because with NAC, you have to take into account not only human users, but also servers and peripherals such as printers, plotters, cameras, alarm systems and other devices that can talk some form of Ethernet.
For the sake of simplicity, then, we decided to create four quadrants: the data center, outside the data center, untrusted entities and special nets.
The Four Quadrants
Let's start with the data center. We defined three tiers within it that should be familiar to you: Web tier, application tier and database tier. The idea is that we will segment those resources and place access controls (like a firewall) to limit access from one tier to another. For example, best practices dictate that in a production environment, Web servers should normally never directly communicate with database servers. We also identified a development and QA network that is further protected from the production network.
The "outside the data center" quadrant comprises trusted entities that, while not part of the data center, have a relationship with it: employees, printers, wireless access points and so on. Some of our entities do not meet the criteria to be in this quadrant because they are untrusted.
Untrusted entities, constituting the third quadrant, are deemed to pose threats to the company and include unpatched resources and vendor representatives who come into the office to demo their products. For example, we have a slew of pesky engineering servers that have been added to the exception list for patches and antivirus software. They are untrusted for good reason, since they account for almost 80% of our security incidents. For them, we are creating stringent access rules that will be designed to prevent infected resources from impacting the production environment.
The special net quadrant includes the monitoring and security networks, which need very broad and unfettered access to all quadrants. We may also include in this quadrant peripherals such as cameras and alarm systems that need access but can't identify themselves in an intelligent manner.
Our quadrant identification exercise is just the beginning, and further refinement will be necessary. Once that is completed, we will start to evaluate technologies for their compatibility with our segmentation model, while taking into account our corporate infrastructure, budget and resources.
How about you? Do you have a NAC success story? Let me know.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at email@example.com.
To take part in the discussions about security, visit computerworld.com/blogs/security.
More by Mathias Thurman
- Security Manager's Journal: Thousands of dollars in phone calls? Management hates that.
- Security Manager's Journal: Another step toward eliminating data loss
- Security Manager's Journal: Siccing MDM on personal mobile devices
- Security Manager's Journal: An admin surfing on a server? That's a big no-no
- Security Manager's Journal: Time to tweak the security policies
- Security Manager's Journal: Found: 30 unmanaged servers that shouldn't be
- Security Manager's Journal: The ins and outs of extending DLP
- Security Manager's Journal: Move to hosted email opens new vulnerabilities
- Security Manager's Journal: Two big goals for 2014 budget won't require a lot of money
- Security Manager's Journal: When data classifications meet the real world
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts