- At issue: The time has come to implement network access control, but a NAC deployment can be fraught with difficulty.
- Action plan: Keep the architecture simple, starting with the network segmentation.
Security Manager's Journal: As plans for NAC deployment get under way, the goal is to keep it simple
The first step toward deployment of network access control is to set up a network segmentation model.
Computerworld - I've mentioned network access control several times in this column over the past few months. If you've been following along, you know that I like the functionality it offers but am leery of the difficulty and cost of deploying it, as well as the resources required to manage it properly.
What we stand to gain with NAC finally seems to outweigh the drawbacks, so I've decided to begin the groundwork for a NAC deployment. To that end, I've been holding weekly meetings with our network and security operations team to develop a network segmentation model, which is pretty much a mandatory precursor to a successful NAC deployment.
From a network point of view, ours is not a very complicated company. We don't have a storefront, we're not a software-as-a-service or cloud provider, and we don't have a decentralized business model or any other risky situations to warrant a complex network segmentation model. I want to keep the architecture uncomplicated, serving the simple goal of protecting the company's assets while providing entities with transparent access. You're probably wondering why I used the word "entities" instead of "users." It's because with NAC, you have to take into account not only human users, but also servers and peripherals such as printers, plotters, cameras, alarm systems and other devices that can talk some form of Ethernet.
For the sake of simplicity, then, we decided to create four quadrants: the data center, outside the data center, untrusted entities and special nets.
The Four Quadrants
Let's start with the data center. We defined three tiers within it that should be familiar to you: Web tier, application tier and database tier. The idea is that we will segment those resources and place access controls (like a firewall) to limit access from one tier to another. For example, best practices dictate that in a production environment, Web servers should normally never directly communicate with database servers. We also identified a development and QA network that is further protected from the production network.
The "outside the data center" quadrant comprises trusted entities that, while not part of the data center, have a relationship with it: employees, printers, wireless access points and so on. Some of our entities do not meet the criteria to be in this quadrant because they are untrusted.
Untrusted entities, constituting the third quadrant, are deemed to pose threats to the company and include unpatched resources and vendor representatives who come into the office to demo their products. For example, we have a slew of pesky engineering servers that have been added to the exception list for patches and antivirus software. They are untrusted for good reason, since they account for almost 80% of our security incidents. For them, we are creating stringent access rules that will be designed to prevent infected resources from impacting the production environment.
The special net quadrant includes the monitoring and security networks, which need very broad and unfettered access to all quadrants. We may also include in this quadrant peripherals such as cameras and alarm systems that need access but can't identify themselves in an intelligent manner.
Our quadrant identification exercise is just the beginning, and further refinement will be necessary. Once that is completed, we will start to evaluate technologies for their compatibility with our segmentation model, while taking into account our corporate infrastructure, budget and resources.
How about you? Do you have a NAC success story? Let me know.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at email@example.com.
To take part in the discussions about security, visit computerworld.com/blogs/security.
More by Mathias Thurman
- Security Manager's Journal: Stopping vendors from making us a Target
- Security Manager's Journal: Thousands of dollars in phone calls? Management hates that.
- Security Manager's Journal: Another step toward eliminating data loss
- Security Manager's Journal: Siccing MDM on personal mobile devices
- Security Manager's Journal: An admin surfing on a server? That's a big no-no
- Security Manager's Journal: Time to tweak the security policies
- Security Manager's Journal: Found: 30 unmanaged servers that shouldn't be
- Security Manager's Journal: The ins and outs of extending DLP
- Security Manager's Journal: Move to hosted email opens new vulnerabilities
- Security Manager's Journal: Two big goals for 2014 budget won't require a lot of money
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts