Getting the NAC Of Things at RSA

When you have a problem like access control, the RSA conference is a good place to look for an answer.

When it comes to conferences, there are two on my can’t-miss list: the RSA conference and Black Hat. So I was happy to find myself last month in San Francisco (it’s my favorite U.S. city) attending RSA Conference 2007.

RSA is the one place where I can bump into old colleagues, have chats with domain experts and find out what’s coming from almost every major security vendor. The keynote speaker list is usually impressive — this year, it included former Secretary of State Colin Powell — and the sessions are quite informative. It seems as if each year, some theme or technology stands out, and for me this time, the technology was Network Admission Control.

NAC is of great interest to me because it can solve so many problems. A major issue for my company involves guest laptops. Whether it’s a vendor providing a demo, a partner who is visiting one of our engineering groups, a consultant or a contractor, guests who plug laptops into our network pose a risk. We could segment our conference rooms onto a separate virtual LAN, providing only limited access and no contact with the corporate LAN. But that wouldn’t address what is frequently the reality: Visitors are placed in empty cubicles or congregate in labs, offices or other shared work spaces. A company like ours, with an entrepreneurial environment and an engineering-centric mission, can’t place restrictions on who works where. It would be a nightmare to enforce a written policy, and we just don’t have the staff to do it or the budget to properly segment our network. Enter NAC.

If done properly, NAC would let us apply restrictions at the switch level. We could control how any device that gets attached to our network relates to the network. Guest laptops could be required to have certain patches, antivirus software and a good desktop firewall policy before they could gain any access at all. If the laptop failed to meet those requirements, it would be placed on a “fix-up” or quarantine network until it “gets right” by having software installed or being properly configured.

NAC could also eliminate problems with rogue wireless access points. We’ve had unauthorized APs attached to unused ports both here in the U.S. and at our overseas sites. During my last trip to Seoul, South Korea, I noted that several unauthorized wireless APs were attached to the company network. The users, who were finance folks, didn’t understand the security implications. They just wanted to be on the network when they were in a conference room that didn’t have any network access. (Ironically, that same office had an authorized wireless deployment; the finance folks didn’t know about it because the service set identifier isn’t broadcast and their laptops weren’t configured properly.) With NAC, an unauthorized AP would be rendered useless.

Usually what happens with NAC is that the switch port won’t recognize a rogue device like a wireless AP as being authorized. But some NAC approaches don’t rely on this device awareness in the switch. For example, Microsoft’s approach is to issue a Dynamic Host Configuration Protocol address to compliant devices. Devices with a legitimate DHCP address get access to the corporate critical infrastructure, while others are given a DHCP address that maps to a quarantine network. Cisco’s method, called Clean Access, forces all users to a single virtual LAN until they are authenticated or pass the proper security requirements.

ID, Please

Another popular technology at this year’s conference was identity management. I imagine that ID management, coupled with NAC, would be nirvana to any security professional. ID management tackles the other half of the restriction puzzle: How do you manage access to a wide variety of applications? At the heart of ID management is a directory server, where every employee is identified and granted or denied access to corporate applications. A Unix administrator, for example, would be granted access to various Unix administrative tools and portals, but not to financial applications. The opposite would be true for a financial analyst, and very few applications would be available to someone working in the mail room.

ID management isn’t new, but sometimes I think it will meet the same fate as public-key infrastructure, meaning that despite the hype, no one will spend the money to implement the technology. All the same, A10 Networks, Ping Identity and CA all had impressive stories to tell regarding their ID management tools.

I’m always asked after a conference which technology on display I thought was cool. This year I stopped by the booth of Mandiant, a company that years ago helped me with a security breach. It’s renowned for its forensics expertise and computer security training programs, and this year it was touting a new product that allows multiple analysts to remotely access and analyze a system.

The analysts might be scattered around the world, but they can still collaborate on analyzing your system. And you don’t have to pack up the system and ship it off to the analysts, which is a real plus when you suspect that an employee might be up to something illegal on company resources. Of course, Mandiant’s technology requires software to be installed on the compromised machine, but nowadays, that’s a fairly trivial task. I’ll definitely be spending more time evaluating this service.

But RSA and San Francisco are behind me for now. I’m back in my office, managing a huge third-party risk assessment. I’ll discuss that in my next installment.

What Do You Think? This week’s journal is written by a real security manager, “Mathias Thurman,” whose name and employer have been disguised for obvious reasons. Contact him at, or join the discussions in our security blogs:

To find a complete archive of our Security Manager’s Journals, go online to


Copyright © 2007 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon