Security Manager's Journal: NAC deployment means better access control at last
A NAC initiative so far has revealed a whole lot of devices that don't meet the criteria for getting on the network.
Computerworld - Another step in our relentless march toward better security: A couple of weeks ago, our network access control (NAC) initiative moved to initial deployment.
Our main goal with NAC is to restrict the access of unauthorized devices to certain segments of our corporate network. Several times, noncorporate devices connected to our corporate network introduced malware or were found to contain some of our intellectual property. We have a corporate policy that prohibits the use of personal devices on our network, but without NAC, we couldn't effectively enforce it.
With the initial deployment, we're focusing on end-user access points: the wired ports and wireless hubs in our offices, as well as the VPN. These are a higher priority than securing our production server networks and the engineering and test-and-development network segments in the data center. We'll get to those later.
We chose a NAC tool with a centralized management console that monitors every switch port on the VLANs serving our 50-plus offices around the world. With such far-flung facilities, this is more cost-effective than installing appliances at every location.
I'm sure you know how NAC works. Any device that connects to a switch port or authenticates to the network via 802.1X is interrogated before it is granted network access. Most of our authorized devices are Windows PCs. If a PC is seeking access, we first want to determine if it is a member of our domain. Next, we check that it's running our systems management software. For now, we're assuming that any PC that passes that test is up to date with patches and endpoint protection. Eventually, we might directly interrogate the device about those things, but for now we're going to be satisfied with this. PCs with the systems management software will be allowed to connect to the corporate network. Others will be halted and given some options: install the required software, be placed on a segmented network to facilitate that, or be given access to our guest network for limited Internet access.
In practice, this means that if a PC is a domain member but isn't running the systems management software, we may elect to install the software. On the other hand, if a PC is not a domain member (for example, one that has been brought in from home or by a vendor's rep) but is up to date with patches and is running an antivirus client, we may decide to grant access to the guest network. That option would still give a vendor's rep access to the Internet in order to provide product demos.
We have a few corporate-sanctioned Linux machines and Macs. To control their access to the corporate network, we could install a NAC agent on each device, create exceptions by registering the devices' MAC addresses or obtain each device's SSH key so that the NAC tool can interrogate the device. As for iPads, iPhones and Android mobile devices, they will be routed to the guest network unless they connect via a VPN client.
At this point in our NAC deployment, we're only monitoring the activity and not actually enforcing network lockouts, so as not to disrupt business activity. It's a good thing, too, since a whole lot of devices are failing to meet even our initial security policy. In initial monitoring, more than 40% of the Windows PCs could not be properly interrogated. Many of them were domain members, but we could not determine if they were running the systems management software. This will have to be looked into, as will the plethora of Linux and Apple devices that are connected to the network but are not corporate owned.
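The decision chain described above (domain membership, then the management agent, then one of the corporate, remediation or guest outcomes, with the Linux/Mac and mobile paths and the monitor-only mode) can be written down as a small policy model. The following Python is an added illustration, not code from the column or from any NAC vendor's product; the `Endpoint` fields, the `Decision` outcomes, the MAC-exception registry and the sample inventory are all constructed, and the choice to hold a non-domain PC without patches or antivirus at the port (`HALT`) is an assumption about the "halted and given options" case.

```python
"""Added example: a minimal model of the NAC access policy described in the
column. Vendor-neutral and constructed; not the author's tool or data."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Decision(Enum):
    CORPORATE = "corporate"  # full access to the corporate network
    REMEDIATE = "remediate"  # segmented network so the management agent can be installed
    GUEST = "guest"          # Internet-only guest network
    HALT = "halt"            # held at the port until one of the offered options is taken (assumption)
    UNKNOWN = "unknown"      # the NAC tool could not interrogate the device


@dataclass
class Endpoint:
    name: str
    platform: str                        # "windows", "linux", "macos", "ios", "android"
    mac: str
    domain_member: Optional[bool] = None  # None: interrogation failed
    mgmt_agent: Optional[bool] = None     # None: could not be determined
    patched: bool = False
    antivirus: bool = False
    nac_agent: bool = False               # Linux/Mac: NAC agent installed
    ssh_verified: bool = False            # Linux/Mac: agentless SSH interrogation succeeded
    via_vpn: bool = False                 # mobile: connected through the VPN client


# Constructed registry of MAC-address exceptions for sanctioned Linux/Mac machines.
MAC_EXCEPTIONS = {"00:11:22:aa:bb:cc"}


def decide(ep: Endpoint) -> Decision:
    """Map one endpoint's posture to the access outcome the column describes."""
    if ep.platform in ("ios", "android"):
        # Mobile devices land on the guest network unless they come in over the VPN.
        return Decision.CORPORATE if ep.via_vpn else Decision.GUEST
    if ep.platform in ("linux", "macos"):
        # Sanctioned Linux/Mac: NAC agent, registered MAC, or SSH-based interrogation.
        if ep.nac_agent or ep.ssh_verified or ep.mac.lower() in MAC_EXCEPTIONS:
            return Decision.CORPORATE
        return Decision.GUEST  # assumption: unregistered Unix boxes are treated like visitors
    # Windows path: domain membership first, then the systems management agent.
    if ep.domain_member is None:
        return Decision.UNKNOWN
    if ep.domain_member:
        if ep.mgmt_agent is None:
            return Decision.UNKNOWN  # domain member, but agent state could not be read
        return Decision.CORPORATE if ep.mgmt_agent else Decision.REMEDIATE
    # Non-domain PC (home machine, vendor rep): guest access only if it looks hygienic.
    if ep.patched and ep.antivirus:
        return Decision.GUEST
    return Decision.HALT


def evaluate(endpoints: List[Endpoint], enforce: bool = False) -> List[Dict[str, str]]:
    """Run the policy over an inventory. In monitor-only mode every device is still
    admitted and the decision is only recorded, which is how the column's rollout runs."""
    rows = []
    for ep in endpoints:
        d = decide(ep)
        applied = d.value if enforce else f"allow (monitor-only, logged {d.value})"
        rows.append({"device": ep.name, "decision": d.value, "applied": applied})
    return rows


def uninterrogated_ratio(endpoints: List[Endpoint], platform: str = "windows") -> float:
    """Share of a platform's devices the tool could not interrogate; the column's
    40% figure is this number for Windows PCs in the author's environment."""
    pcs = [ep for ep in endpoints if ep.platform == platform]
    if not pcs:
        return 0.0
    return sum(decide(ep) is Decision.UNKNOWN for ep in pcs) / len(pcs)


# Constructed inventory covering each branch of the policy.
SAMPLE_INVENTORY = [
    Endpoint("pc-finance-01", "windows", "00:aa:00:00:00:01", domain_member=True, mgmt_agent=True),
    Endpoint("pc-sales-07", "windows", "00:aa:00:00:00:02", domain_member=True, mgmt_agent=False),
    Endpoint("pc-sales-12", "windows", "00:aa:00:00:00:03", domain_member=True, mgmt_agent=None),
    Endpoint("vendor-laptop", "windows", "00:aa:00:00:00:04", domain_member=False, patched=True, antivirus=True),
    Endpoint("home-laptop", "windows", "00:aa:00:00:00:05", domain_member=False),
    Endpoint("build-box", "linux", "00:11:22:AA:BB:CC"),
    Endpoint("dev-mac", "macos", "00:aa:00:00:00:07", ssh_verified=True),
    Endpoint("stray-ubuntu", "linux", "00:aa:00:00:00:08"),
    Endpoint("ceo-iphone", "ios", "00:aa:00:00:00:09"),
    Endpoint("field-android", "android", "00:aa:00:00:00:0a", via_vpn=True),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_INVENTORY, enforce=False):
        print(f"{row['device']:14} {row['decision']:9} -> {row['applied']}")
    print(f"Windows PCs not interrogated: {uninterrogated_ratio(SAMPLE_INVENTORY):.0%}")
```

Running it in monitor-only mode lists what the policy would have done to each device without changing its access, which is the report a team wants in hand before flipping `enforce=True`; the `UNKNOWN` rows are the ones to chase first, since a device the tool cannot interrogate cannot be sorted into any of the other buckets.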
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.