- At issue: The time has come to implement network access control, but a NAC deployment can be fraught with difficulty.
- Action plan: Keep the architecture simple, starting with the network segmentation.
Security Manager's Journal: As plans for NAC deployment get under way, the goal is to keep it simple
The first step toward deployment of network access control is to set up a network segmentation model.
Computerworld - I've mentioned network access control several times in this column over the past few months. If you've been following along, you know that I like the functionality it offers but am leery of the difficulty and cost of deploying it, as well as the resources required to manage it properly.
What we stand to gain with NAC finally seems to outweigh the drawbacks, so I've decided to begin the groundwork for a NAC deployment. To that end, I've been holding weekly meetings with our network and security operations team to develop a network segmentation model, which is pretty much a mandatory precursor to a successful NAC deployment.
From a network point of view, ours is not a very complicated company. We don't have a storefront, we're not a software-as-a-service or cloud provider, and we don't have a decentralized business model or any other risky situations to warrant a complex network segmentation model. I want to keep the architecture uncomplicated, serving the simple goal of protecting the company's assets while providing entities with transparent access. You're probably wondering why I used the word "entities" instead of "users." It's because with NAC, you have to take into account not only human users, but also servers and peripherals such as printers, plotters, cameras, alarm systems and other devices that can talk some form of Ethernet.
For the sake of simplicity, then, we decided to create four quadrants: the data center, outside the data center, untrusted entities and special nets.
The Four Quadrants
Let's start with the data center. We defined three tiers within it that should be familiar to you: Web tier, application tier and database tier. The idea is that we will segment those resources and place access controls (like a firewall) to limit access from one tier to another. For example, best practices dictate that in a production environment, Web servers should normally never directly communicate with database servers. We also identified a development and QA network that is further protected from the production network.
The "outside the data center" quadrant comprises trusted entities that, while not part of the data center, have a relationship with it: employees, printers, wireless access points and so on. Some of our entities do not meet the criteria to be in this quadrant because they are untrusted.
Untrusted entities, constituting the third quadrant, are deemed to pose threats to the company and include unpatched resources and vendor representatives who come into the office to demo their products. For example, we have a slew of pesky engineering servers that have been added to the exception list for patches and antivirus software. They are untrusted for good reason, since they account for almost 80% of our security incidents. For them, we are creating stringent access rules that will be designed to prevent infected resources from impacting the production environment.
The special net quadrant includes the monitoring and security networks, which need very broad and unfettered access to all quadrants. We may also include in this quadrant peripherals such as cameras and alarm systems that need access but can't identify themselves in an intelligent manner.
Our quadrant identification exercise is just the beginning, and further refinement will be necessary. Once that is completed, we will start to evaluate technologies for their compatibility with our segmentation model, while taking into account our corporate infrastructure, budget and resources.
How about you? Do you have a NAC success story? Let me know.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at email@example.com.
To take part in the discussions about security, visit computerworld.com/blogs/security.
More by Mathias Thurman
- Security Manager's Journal: A ransomware flop, thanks to security awareness
- Security Manager's Journal: Taking steps to better lock down the network
- Security Manager's Journal: Dealing with the heartburn of Heartbleed
- Security Manager's Journal: A deal that's too good to be true
- Security Manager's Journal: Virtual machines, real mess
- Security Manager's Journal: Stopping vendors from making us a Target
- Security Manager's Journal: Thousands of dollars in phone calls? Management hates that.
- Security Manager's Journal: Another step toward eliminating data loss
- Security Manager's Journal: Siccing MDM on personal mobile devices
- Security Manager's Journal: An admin surfing on a server? That's a big no-no
Read more about Security in Computerworld's Security Topic Center.
- Securing Mobility, From Device to Network At one time, the process of managing and securing mobile devices and applications was fairly straightforward. Most organizations worried about one application (email)...
- Data Protection eGuide In this eGuide, CSO and sister publications IDG News Service, Computerworld, and CIO pull together news, trend, and how-to articles about the increasingly...
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!