Network Access Control is Achievable

May 25, 2008

Network Access Control (NAC) promises to allow only authorized and compliant devices to access and operate on a network. If implemented properly, NAC can improve the security profile of a network and lower the overall security risks faced by an enterprise.

The various approaches to NAC have created a significant and even highly contested debate across the IT security industry. The benefits of NAC are clear, although have yet to be realized on a widespread basis.

Many NAC offerings today are still expensive propositions that require network re-architecture and are based on a complex set of bypassable technologies. At the same time, many vendors have failed to deliver on their claims by offering NAC solutions that do not provide full network coverage and leave an enterprise exposed to security vulnerabilities.

Any agent-based NAC solution requires a network discovery project prior to deployment to obtain an inventory of all the devices attached to the network. However, the standard discovery process is lengthy, requires significant manual input and cannot identify all devices, especially those that are firewalled or unmanaged. Likewise, appliance-based NAC solutions are not practical from a budgetary or deployment perspective in large, geographically distributed IT environments.

The result is a confused and increasingly skeptical marketplace.

Despite this, NAC is achievable. You can implement complete and real-time NAC with your existing network setup. Your NAC deployment can be accomplished within your budgetary and implementation expectations. You can ensure that all the devices connected to your network are and remain authorized and compliant throughout their lifecycle on your network.

Visibility – The Starting Point for NAC Deployments
Visibility and real-time device detection are the first building blocks of the NAC process and, if achieved, remove significant attack vectors and enable NAC coverage to be applied to the entire network infrastructure. If a NAC solution cannot identify all devices connecting to the network in real time, IT managers will likely find that their network access controls only cover known devices and regularly miss unmanaged and rogue devices, which are the source of most security vulnerabilities.

Audit and Compliance – Understanding the Network before Activating NAC
Device profiling provides contextual information about each device on the network, including its user information, function and running software and hardware. Based on this vast audit information, an IT manager can determine the devices that are authorized to access the network according to the organization’s policy regarding device and software configuration. In parallel, this audit information can enable an IT manager to identify non-compliant, unmanaged and rogue devices that should not be operating on the network even before activating the NAC processes.

NAC – Ensuring Full Network Coverage
A NAC solution must operate in real time. Every device must be detected and included in the NAC process as it is being attached to the network. Without real-time detection, a device and/or its user is given a window of opportunity to act maliciously on the network.
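The three steps described so far (detect every device as it attaches, profile it, and classify it against policy before enforcement is switched on) can be sketched in a few dozen lines. The following is an added example written for this page, not code from the original piece or from Insightix: the device inventory snapshots, the approved-OS list, the minimum agent version and the list of device classes allowed to run without an agent are all constructed assumptions, and the profiling attributes on each device are assumed to have been gathered by whatever discovery mechanism is in use.

```python
"""Added example (not part of the original piece): a minimal NAC visibility and
audit step. Two constructed inventory snapshots are diffed to surface newly
attached devices, each device is profiled against a hypothetical policy into
compliant / non-compliant / unmanaged / rogue, and the audit report is used to
estimate the impact of turning enforcement on before it is actually enabled."""
from dataclasses import dataclass

# Hypothetical organisational policy: assumptions, not taken from the page.
APPROVED_OS = {"Windows XP SP3", "Windows Vista SP1", "Ubuntu 8.04"}
MIN_AGENT_VERSION = (2, 1)
ALLOWED_UNMANAGED_TYPES = {"printer", "ip-phone"}  # known classes that never carry an agent


@dataclass(frozen=True)
class Device:
    """One profiled device as a discovery mechanism would report it."""
    mac: str
    ip: str
    os: str = "unknown"
    device_type: str = "workstation"
    managed: bool = False        # enrolled in the enterprise management system
    agent_version: tuple = ()    # () means no endpoint agent was observed
    user: str = ""


def detect_new_devices(previous, current):
    """Visibility step: devices present in `current` that were not in `previous`, keyed by MAC."""
    seen = {d.mac for d in previous}
    return [d for d in current if d.mac not in seen]


def classify(device):
    """Audit step: map a profiled device onto the categories the text uses."""
    if not device.managed:
        if device.device_type in ALLOWED_UNMANAGED_TYPES:
            return "unmanaged"       # expected agentless class: review, do not block
        return "rogue"               # unknown and unenrolled: should not be on the network
    if device.os not in APPROVED_OS:
        return "non-compliant"
    if device.agent_version < MIN_AGENT_VERSION:  # tuple compare; () sorts below any version
        return "non-compliant"
    return "compliant"


def audit(devices):
    """Group device MACs by classification so an IT manager can review before enforcing."""
    report = {}
    for d in devices:
        report.setdefault(classify(d), []).append(d.mac)
    return report


def enforcement_impact(report):
    """Dry run: how many devices would be quarantined if NAC enforcement were switched on."""
    return len(report.get("rogue", [])) + len(report.get("non-compliant", []))


# Constructed inventory snapshots (sample data, not from any real network).
SNAPSHOT_T0 = [
    Device("00:11:22:33:44:01", "10.0.1.10", "Windows XP SP3", managed=True, agent_version=(2, 3), user="alice"),
    Device("00:11:22:33:44:02", "10.0.1.11", "Windows 2000", managed=True, agent_version=(2, 3), user="bob"),
    Device("00:11:22:33:44:03", "10.0.1.50", device_type="printer"),
]
SNAPSHOT_T1 = SNAPSHOT_T0 + [
    Device("00:11:22:33:44:04", "10.0.1.99"),  # unknown laptop, no agent, not enrolled
    Device("00:11:22:33:44:05", "10.0.1.12", "Ubuntu 8.04", managed=True, agent_version=(1, 9), user="carol"),
]

if __name__ == "__main__":
    for d in detect_new_devices(SNAPSHOT_T0, SNAPSHOT_T1):
        print(f"new device {d.mac} at {d.ip}: {classify(d)}")
    report = audit(SNAPSHOT_T1)
    print(report)
    print(f"{enforcement_impact(report)} device(s) would be quarantined")
```

The point of `enforcement_impact` is the "understand the network before activating NAC" step: running the audit against the live inventory with enforcement off shows how many existing devices would be cut off on day one, which is the figure an IT manager needs before flipping the switch.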

The quarantine mechanism used should not depend on the underlying IT infrastructure in any capacity. Internal political issues among the different departments in a large enterprise will prevent a NAC solution that relies on the IT infrastructure from scaling across the entire network. In addition, any configuration changes to the network of a bank or financial services company will never be authorized in the first place.

The user experience for managed and compliant devices should be as transparent as possible. A user of managed and compliant devices should pass through the NAC process without even knowing that the device was assessed by the NAC solution.

A NAC solution must scale across the entire IT infrastructure. The deployment must include all sites and not just a certain portion of the network. A NAC solution that is dependent on an appliance and/or the switching fabric is not a practical option in segmented networks. In addition, allowing guest users access only is the equivalent of putting your head in the sand. Any user can just connect a device to an uncovered network segment and gain access to any network resource.

Final Thoughts
NAC should be treated as a security methodology. Any worthwhile NAC solution must first provide intimate knowledge of the network by profiling all devices connected to it and identifying the non-compliant, rogue and unmanaged devices, even before the NAC processes are activated. This enables an IT manager to assess the impact of turning on the NAC solution. Finally, a NAC solution must be highly scalable, with a relatively easy deployment across the entire IT infrastructure, in order to deliver a fast time-to-value at a reasonable cost.

Opinion piece submitted by Ofir Arkin, CTO, Insightix

Social Network for Hackers?

May 25, 2008

I got a real kick out of a tech article about the new House of Hackers social network site. The site says it is supposed to help security researchers get together and help each other collaborate, and behave ethically in the process. That would generally be a good thing. However, if they want to establish and maintain credibility as a go-to site for quality security research, they really need to up their standards a bit. Frankly, from my look around, the notable posts seemed to be primarily wannabes as opposed to a real place to go to find quality researchers.

Before I go on, I will state that a critical aspect of finding someone you should hire for research is that you are putting an awful lot of faith in their technical ability to find vulnerabilities otherwise missed by teams of skilled developers. I will also note that the really elite hackers/security researchers already have well-established networks. It is true that some people might be really talented and need a place to rise to the top.

I spent a while going through site posts, and it was much more of a social network than a place to find quality researchers. For example, there were many posts telling females how hot they were. One person claimed he wanted to start a company doing security research and randomly invited people to join. One person accepted, but said they had no programming experience. They were promptly offered a position doing social engineering. Yeah, I want to hire that company for critical work.

Ira Winkler

Wi-Fi leeching leads to police arrests

May 18, 2008

People stealing their neighbours’ wireless Internet (what is known as “leeching”) could now face the threat of a criminal record in the UK following an apparent crackdown by police. It may seem a trivial offence, but it could still be seen as hacking: a Wi-Fi thief hijacks someone else’s connection by making use of poorly secured networks. And merely stealing some Internet could also lead to more serious crimes such as identity theft and cyberfraud.

In fact, recent research conducted by price comparison website Moneysupermarket.com indicates that lax wireless protection puts up to a quarter of the UK’s population at “serious risk” of identity theft and cyberfraud. People increasingly have Wi-Fi in their homes, but many do not enable basic security features, leaving their network vulnerable to even an unsophisticated attack. “It is bad enough if your neighbour can use your Internet connection for free, but this becomes far more sinister if someone uses your wireless connection for criminal activity,” commented Jason Lloyd, who heads the broadband department at Moneysupermarket.

All this has led to more attention from the police, who seem to be taking the problem increasingly seriously. As reported in The Guardian, two people have already been detained in the past month in Worcestershire in two unrelated incidents. Both subsequently received a caution “for dishonestly obtaining electronic communication services with intent to avoid payment.” Police Constable Tony Humphreys from West Mercia police warned users: “Wireless networks don’t stop at the walls of your home - without the necessary protection, neighbours or people in the road may be able to connect to your network. This might slow down your service, or more importantly, your connection could be used for unlawful purposes.”

Konstantin Kornakov