Network Security

From the July 2007 issue of Communications News

Unify NAC and VPN

Like SSL VPNs, a NAC solution can substantially improve on simple password-protected access.

by Frank Guerrero

As companies continue the steady migration from desktop to laptop computers, and users at all levels are increasing their use of wireless PDAs and smart phones, the traditional network security perimeter has dissolved. Rather than being able to guarantee network security with legacy virtual private networks (VPN), firewalls and other measures to protect the wireline corporate LAN and WAN, IT departments must now deal with the prospect that users can and will access network servers and other resources from homes, cars, client sites, cafes and many other previously unforeseen places.

Figure: This network access-control architecture combines the benefits of an SSL VPN with NAC to seamlessly control users on today’s distributed networks.

Security solutions for mobile users in any location have been developed. VPNs have been securing users logging in from outside the traditional corporate firewall. Most recently, network access control (NAC) solutions have been policing and regulating access inside the corporate firewall. So far, however, these solutions have developed along separate tracks: the products do not work together to create an efficient and unified solution to defend against external threats.

The advent of SSL VPN technology has simplified remote user administration by offering a choice of clientless (Web-based) access or client-based access. Depending on whether the company needs its users to have access to Web and/or non-Web applications, the IT department can go either the clientless or client-based route.

SSL VPNs provide secure access through the use of endpoint security and network access control on all devices entering the network remotely. SSL VPNs perform endpoint security checks each time the user attempts a connection. After receiving the latest policy updates from the enterprise SSL VPN appliance, the endpoint is checked for correct versions of antivirus software, operating system patches and many other requirements, and then compared to the policy.

The results establish the level of the device’s trust. Authentication of the user is then done and the SSL VPN’s policy server or network user directory determines which network access policies to apply to the end-user. Finally, the user is granted appropriate access to specific network resources based on the user’s qualification level. All this is done transparently, quickly and with no configuration of the user’s device.

Like SSL VPNs, a NAC solution can improve on simple password-protected access to any network resource. The NAC solution can perform endpoint security checks and quarantine devices not fully compliant with company IT policies, and grant appropriate access to specific resources based on an authorized user profile in the corporate security directory.

NAC also addresses two other important areas of recent concern: wireless access and non-employee access. For wireless access, the endpoint security, authentication and access policies provided by NAC let roaming or unauthorized employees be given appropriate access. For non-employees, recognizing them and checking their devices for compliance before they enter the network, without excessive configuration, eliminates the security concerns without disrupting their productivity.

In addition, advanced NAC solutions can now control which applications can be launched when attached to the corporate network, rather than relying on firewall configurations that do not fully address application access.

The functional requirements of VPN and NAC are similar. Consequently, remote access control and internal network access control should be enabled and managed through a well-integrated solution. Often, however, IT departments must select and manage two different solutions for remote and local access control, which increases the staff burden for deployment, configuration and management.

This requirement increases the cost of access control. Worse is the fragmented nature of the overall management process, which could result in conflicting policies between the two systems and thereby open up the potential for unaddressed vulnerabilities.

An alternative solution is a unified, fully integrated product or product set, designed to manage both remote and local user access. Developing such solutions means unifying endpoint security, network access and application access policies. This solution eliminates the possibility of conflicting security policies between two systems, and it also allows the IT organization to start with an external solution and then roll into a NAC solution at its own pace without major changes.

Cost reduction is another benefit of this unified framework. With tight integration and a common policy engine, the cost of managing both solutions is little more than the cost of managing one.
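To make the two points above concrete, the following is an added example written for this page; it is not code from the article or from any NeoAccel product. It implements the access sequence described for SSL VPNs (policy-driven endpoint check, quarantine on failure, authentication, directory lookup, resource grant) as one policy engine that is deliberately blind to whether a session is remote or local, which is the unified-framework argument in miniature. It also diffs two separately managed policies, since a mismatch between them is exactly the "conflicting policies" gap the article warns about. All users, roles, resource names, version numbers and thresholds are constructed for the example.

```python
"""Added example (not from the article or any vendor product): one policy
engine that evaluates both remote (SSL VPN) and local (NAC) sessions.
Every user, role, resource name and threshold below is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    FULL = "full"              # role-based access to named resources
    RESTRICTED = "restricted"  # non-employee: limited resource set
    QUARANTINE = "quarantine"  # endpoint failed posture; remediation only
    DENY = "deny"              # authentication failed


@dataclass(frozen=True)
class Posture:
    """Facts reported by the endpoint agent or the clientless checker."""
    av_version: tuple          # antivirus engine/signature version, e.g. (7, 2)
    os_patch_level: int        # monotonically increasing patch level
    firewall_enabled: bool


@dataclass(frozen=True)
class Policy:
    """Minimum endpoint requirements; one object shared by VPN and NAC."""
    min_av_version: tuple
    min_os_patch_level: int
    require_firewall: bool


@dataclass(frozen=True)
class Session:
    user: str
    origin: str                # "remote" (SSL VPN) or "local" (NAC)
    authenticated: bool        # outcome of the directory credential check
    posture: Posture


# Constructed directory: user -> role. Anyone not listed is treated as a
# non-employee (guest) once authenticated through a guest-registration step.
DIRECTORY = {"alice": "finance", "bob": "engineering"}

# Constructed resource map per role; guests get only the restricted set.
ROLE_RESOURCES = {
    "finance": frozenset({"erp", "mail", "intranet"}),
    "engineering": frozenset({"git", "mail", "intranet"}),
    "guest": frozenset({"internet"}),
}
REMEDIATION = frozenset({"patch-server", "av-update-server"})


def posture_failures(posture: Posture, policy: Policy) -> list[str]:
    """Return every requirement the endpoint misses (empty list = compliant)."""
    failures = []
    if posture.av_version < policy.min_av_version:
        failures.append("antivirus out of date")
    if posture.os_patch_level < policy.min_os_patch_level:
        failures.append("os patches missing")
    if policy.require_firewall and not posture.firewall_enabled:
        failures.append("host firewall disabled")
    return failures


def decide(session: Session, policy: Policy) -> tuple[Access, frozenset]:
    """Evaluate a session in the order the article gives: posture check
    (quarantine on failure), then authentication, then directory role.
    session.origin is deliberately not consulted: remote and local sessions
    get the same verdict; only the enforcement point differs."""
    if posture_failures(session.posture, policy):
        return Access.QUARANTINE, REMEDIATION
    if not session.authenticated:
        return Access.DENY, frozenset()
    role = DIRECTORY.get(session.user, "guest")
    level = Access.RESTRICTED if role == "guest" else Access.FULL
    return level, ROLE_RESOURCES[role]


def policy_conflicts(remote: Policy, local: Policy) -> list[str]:
    """Diff two separately managed policies. Any mismatch means an endpoint
    that fails the stricter check can still be admitted by the laxer one:
    the fragmentation a single shared Policy object removes."""
    fields = ("min_av_version", "min_os_patch_level", "require_firewall")
    return [f for f in fields if getattr(remote, f) != getattr(local, f)]


if __name__ == "__main__":
    policy = Policy(min_av_version=(7, 0), min_os_patch_level=42, require_firewall=True)
    good = Posture(av_version=(7, 2), os_patch_level=45, firewall_enabled=True)
    stale = Posture(av_version=(6, 9), os_patch_level=45, firewall_enabled=True)
    for s in (Session("alice", "remote", True, good),
              Session("alice", "local", True, stale),
              Session("visitor", "local", True, good)):
        print(s.user, s.origin, decide(s, policy))
    print("conflicts:", policy_conflicts(policy, Policy((6, 0), 42, True)))
```

The design choice worth noting is that `decide` never reads `session.origin`: the VPN appliance and the internal NAC gateway both call the same function with the same `Policy`, so there is no second policy to drift out of sync, and `policy_conflicts` is only needed while two separately administered policies still exist.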

Frank Guerrero is vice president of marketing for NeoAccel, San Jose, Calif.

For more information:
www.rsleads.com/707cn-257