Network security started with the concept of building a wall round the network’s perimeter to shield assets. That perimeter was extended outward to remote locations by suggests that of encrypted tunnels. Then the walls were supplemented with internal defenses geared toward detecting and neutralizing intruders that managed to slide past the outer defenses. additionally, individual hosts (servers and PCs) were given their own “body armor” within the style of antivirus software, operating system (OS) patches, and private firewalls — primarily building walls at intervals walls.
Today this static, walled-fortress security paradigm is giving thanks to a dynamic approach that additional closely resembles the human body’s immune system. The new security paradigm emphasizes organic, unified defenses and distributed detection and response technologies that enable the network to actively defend itself at each affiliation. As an integral a part of this additional refined approach, admission management technology is poised to play a outstanding role within the evolving art of network self-defense.
A complex security landscape
Although it’s still necessary to manage perimeter access and safeguard crucial info resources, applications, and services, IT should currently take under consideration many new factors when coming up with a proactive security strategy. Among the factors that have modified the network security landscape in recent years are:
A diversity of network users—onsite staff, remote employees, vendors, partners, and guest users—many of whom carry computing devices with them and hook up with the network within the firewall
An array of endpoints—desktop devices, servers of each description, and transportable devices that embrace not solely laptops however PDAs, ministorage devices, and even iPods
A variety of access methods—wired LANs/WANs, wireless LANs/PANs (Wi-Fi, Bluetooth), VPNs using IP Security (IPSec), broadband (DSL, cable, WiMAX wireless), dial-up, and Web/HTTP
An ever-growing profusion of network services and applications—traditional e-mail and file exchange, voice over IP (VoIP), XML net services, document sharing, enterprise resource coming up with (ERP), client relationship management (CRM), endlessly
A new generation of malware that spreads very quickly and may be terribly clever at hiding itself—Flash threats, worm-driven DDoS, phishing, spyware, and additional sorts rising a day
A gradual transfer of management and responsibility from IT directors to finish users as “anytime, anywhere” connections proliferate
All this network complexity and heterogeneity means countermeasures ought to be placed on each networked communication device to make sure adequate security. And a broad-based consortium of network and security vendors must collaborate to create positive gaps in defenses do not open up as new users, devices, entry points, services, and exploits arrive on the scene.
Patting down the endpoints
Even with firewalls and intrusion protection, viruses and worms that grow increasingly virulent and aggressive still disrupt business networks, leading to downtime, loss of productivity, and costly, time-consuming recovery efforts.
“Day-zero” and alternative opportunistic attacks which will metastasize widely during a matter of seconds are a challenge to reactive containment. for instance, the recent W32/MyDoom-0 e-mail worm propagates itself not solely by canvassing the victim device’s arduous disk for e-mail addresses, however conjointly by sending queries to web search engines to search out additional addresses based mostly on constant domain names. And it’s been estimated that the notorious 2003 Blaster worm hit concerning 128 million systems within the initial 3 minutes.
Because there are such a large amount of doable network connections, hosts that are not compliant with the most recent antivirus, OS, and application patch levels are tough to detect. Locating and isolating infected devices takes up time and resources, however if the matter is not noticed and handled quickly the injury will mount up exponentially. resultive} thanks to avert the risks posed by noncompliant endpoints is to forbid them from connecting to the network in the least — in effect, to provide them a “pat down” search before entry. that is where network admission management comes into play.
Unlike ancient ID management that simply verifies the identity of users, an admission management system checks to create positive the device complies with network security policies before it’s allowed to attach. and in contrast to ancient antivirus and OS patch controls that solely shield the hosts within which they reside, admission management extends these defenses to shield the complete network.
Network admission management may be deployed at the most enterprise campus, in branch offices, on remotely located and home-based devices, on wireless networks, and in extranets. The technology dramatically improves network security and helps guarantee resilience and availability, whereas conjointly increasing the worth of existing security investments.
Security checkpoints everywhere
Think of network admission management as a sort of security checkpoint. It’s almost like what you’d encounter at an airport, however distributed to every endpoint on the network — and plenty easier and quicker to go through than airport security if your device is compliant.
At an airport checkpoint, security employees make sure that passengers have valid price tickets and conjointly check IDs to verify that the name on the ticket matches the person in front of them. Identities are compared against a current list of doable malefactors. Passengers conjointly go through a metal detector, and their carry-on baggage is inspected. based mostly on profiles derived from established policies, bound passengers is also singled out for additional intense scrutiny in an adjacent space before they’re allowed to still the gate and onto the plane.
Network admission management works in a lot of constant manner. An endpoint should pass muster before it will enter the network. This prevents viruses and worms from gaining a position, particularly the foremost recent threats which will not be outlined in antivirus software, or threats that exploit an unpatched OS vulnerability.
In a network admission management system, a nonintrusive software agent residing in every endpoint plays the role of the airport security guard, giving the network a distributed self-defense dimension. This “trust” agent is a middleware element that enables the host to interact with multivendor security software residing on the host and elsewhere on the network. The access management agent works in tandem with alternative security agent software on the endpoint designed to shield against port scans, varied malicious mobile codes, spyware/adware, and alternative immediate threats and annoyances. The result’s a dynamic, adaptive immune system deployed at the endpoint level.
When the endpoint seeks a affiliation, the admission management agent makes positive the endpoint’s credentials are so as — that’s, it examines the configuration of the machine and appears for the presence and standing of behavior-blocking, personal firewall, antivirus, and patch software. The agent then delivers this info by suggests that of a router, switch, or VPN concentrator to at least one or additional access management servers (ACSs), that confirm whether or not or not the endpoint’s configuration and postures are according to current policies. An authentication, authorization, and accounting (AAA) policy server informs the ACS concerning the policies and authorization parameters. If the endpoint is out of compliance, the ACS has the associated router block the endpoint’s IP address, effectively preventing affiliation to the network.
Carrying the airport security analogy additional, a network admission management system will build use of the agent embedded within the host to grant restricted access to the network, or it will direct an endpoint to a quarantine space for additional attention.
Just as a ticketed air passenger is also allowed access to the gate space, however should have a boarding pass to board the plane, an endpoint is also permitted to attach solely to a particular section of the network based mostly on policies set by the organization. And simply as choose passengers is also shunted to a cordoned-off space where they’re frisked and their bags is sniffed for suspicious chemical residues, the network admission management system will quarantine an endpoint during a restricted network space for additional inspections. The quarantine zone may additionally embrace a remediation server which will install the suitable software on the endpoint and purge the device of malware before it’s allowed entry.
In sharp distinction to airport security, however, all the network admission management precautions are applied nearly instantaneously. Compliant users get a quick pass and a fast affiliation.
The multivendor NAC initiative
Because of its comprehensive, multilevel nature, admission management should be delivered as a partnership among networking trade suppliers, antivirus and patch management vendors, and posture assessment firms. Cisco Systems has brought of these players along as a part of the Network Admission management (NAC) initiative that currently includes quite forty five trade leaders, as well as laptop Associates, IBM, McAfee, Sophos, Sygate, Symantec, and Trend Micro. quite thirty partners have delivered or are scheduled to deliver NAC solutions by mid-2005.
This multivendor, systems-based approach to admission management lets IT exploit previous security investments and avoid having to overhaul existing security infrastructure. The NAC initiative conjointly can build it doable to roll out solutions additional quickly, while not waiting months or years for a customary to be formulated and approved. The NAC program is drawing on established standards like 802.11x, Extensible Authentication Protocol (EAP) and RADIUS, and is seeking IETF approval for specific technologies.
Because the NAC program is meant to foster trade collaboration, APIs are furnished to vendors for product integration, testing, and certification. Participants within the program integrate the interfaces into their applications and take a look at the applications at an freelance certification facility to make sure compliance.
In section a pair of of the NAC initiative, support are going to be extended to switching and IPsec remote-access VPN platforms, the IEEE 802.1 security protocol, and an expanded set of endpoint OSs. Future support can embrace firewalls, wireless access points, and alternative platforms. the last word goal is to extend the vary of NAC-enabled solutions — as well as antivirus and patch-management software, additionally as compliance and remediation product from a good vary of vendors — with the eventual aim of integrating the technology with vulnerability assessment, security info management, and alternative security capabilities to make a additional unified deterrent to network threats.
Whether you are talking concerning airports or router ports, network admission management adds a crucial enforcement dimension to the safety infrastructure. And it conjointly helps come a live of management back to the IT administrator while not inconveniencing compliant users. By putting a security checkpoint at each connected endpoint, admission management represents a major stage within the evolution toward comprehensive network self-defense.