Teleconference
Demystifying NAC: Going Beyond Basic Admission Control
Robert Whiteley
Senior Analyst
Forrester Research
September 25, 2006. Call in at 12:55 p.m. Eastern Time
Entire contents © 2006 Forrester Research, Inc. All rights reserved.
Theme
Firms must look beyond current limitations of NAC and build a life cycle with
both pre- and post-admission.
Agenda
• Examining NAC’s momentum
• Detailing today’s NAC architectures
• Going beyond: predicting NAC’s future
• Recommending how to overcome NAC’s pitfalls
Agenda: Examining NAC’s momentum
Defining network access control (NAC)
► A mix of hardware and software technologies that dynamically control client systems’ access to networks based on their compliance with policy.
► Network quarantine = network access control = Network Admission Control (Cisco’s specific term) = Network Access Protection (Microsoft’s specific term)
NAC solves an IT oxymoron: secure access
• Access: The most accessible systems are not secure.
• Security: The most secure systems are not accessible.
• Network access control: NAC provides the technology framework and policy hooks to make security and access tradeoffs.
NAC is gaining significant momentum in large enterprises . . .
• Demand side: NAC has jumped to an early mindshare position within large enterprises.
» Some 40% of enterprises were tackling NAC initiatives in 2006.
» Some 52% of firms indicated the need for access control across all network mediums: wired, wireless, and remote access.
• Supply side: Dozens of vendors are jumping on the bandwagon — RSA’s 2006 “NAC Show.”
» Infrastructure vendors: 3Com, Cisco, Enterasys, Extreme, Foundry, HP ProCurve, Nortel
» Software vendors: Elemental Security, ENDFORCE, F-Secure, McAfee, Panda Software, Symantec/Sygate
» Appliance vendors: Caymas, Check Point, ConSentry, ForeScout, Granite Edge, InfoExpress, Lockdown, Mirage, Nevis, Vernier
. . . But many companies suffer from stalled deployments
• . . . Only 4% of firms had completed deployments.
• Why?
» Multiple, confusing architectures
» Lack of interoperability
» Upfront costs exceed benefits
» Lack of identified business drivers
Defined use cases are just now coming into focus
• The ROI of NAC is a lost cause
• Successful deployments focus on business needs for:
» Unmanaged or guest systems
» Partner extranet functionality
» Enterprise mobility
» Virus/worm contamination
The result: Enterprises are in the second wave of NAC deployments (timeline: 2004 to 2008)
• Wave 1: Homogenous architectures. Momentum: early adopters. Driver: controlling the “Wild, Wild West”
• Wave 2: Hybrid architectures. Momentum: early majority. Driver: unmanaged/guest systems
• Wave 3: Interoperable architectures. Momentum: late majority. Driver: operation efficiency
Agenda: Detailing today’s NAC architectures
Today’s NAC deployments focus on three architectural components
• Endpoint
» PCs — Desktops, laptops, servers
» Devices — IP phones, printers, embedded OS machines
» Primary ownership: desktop or client operations
• Network
» Perimeter devices — Security appliances, VPN concentrators, firewalls
» Wiring closet devices — routers, switches, wireless APs
» Primary ownership: network operations
• Back-end servers
» AAA, policy, configuration, and remediation servers
» Primary ownership: security operations
But successful enterprises are shifting focus to two distinct functional components
• Pre-admission — “Keep people out”
» Technologies to perform integrity and compliance checks before network resources are granted
» Key components: endpoint security scans and identity via authentication
• Post-admission — “Kick people off”
» Technologies to monitor resource access violations, anomalous behavior
» Key components: identity management and IPS
Bridging NAC’s architectural and functional views
Architecture:
• Endpoint tools: endpoint security tools; client security suites (AV, FW, etc.); compliance agent (optional)
• Intelligent network: switches and routers; VPN gateways; wireless APs; security appliances
• Policy and identity servers: authentication and authorization (RADIUS, LDAP, AD); remediation and configuration management; audit and assessment
Function:
• Pre-admission control: endpoint integrity check; enforcement during authentication
• Post-admission control: behavior monitoring; resource and application violations
Agenda: Going beyond: predicting NAC’s future
As NAC evolves functionally, focus on building a user or device-access control life cycle . . .
• Pre-admission
• Post-admission
• Remediation
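The pre-admission/post-admission split described earlier and the pre-admission, post-admission, remediation life cycle above can be modelled as a small policy engine. The following is an added example, not code from the presentation or from any NAC vendor; the endpoint fields, the policy thresholds (patch level 7, 500 MB per minute, five failed logins) and the user directory are constructed assumptions standing in for a real compliance agent, AD/LDAP and IPS feed.

```python
from dataclasses import dataclass
REQUIRED_PATCH_LEVEL = 7                 # constructed policy: minimum patch level
KNOWN_USERS = {"alice", "bob"}           # constructed stand-in for an AD/LDAP lookup
PRODUCTION, QUARANTINE, DENIED = "production", "quarantine", "denied"

@dataclass
class Endpoint:
    user: str                 # "" when no identity was authenticated (device only)
    av_running: bool
    patch_level: int
    mbytes_per_min: int = 0   # observed after admission (constructed IPS-style metric)
    failed_logins: int = 0    # observed after admission

def pre_admission(ep):
    """'Keep people out': identity plus integrity checks before access is granted."""
    failures = []
    if ep.user not in KNOWN_USERS:
        failures.append("identity")
    if not ep.av_running:
        failures.append("antivirus")
    if ep.patch_level < REQUIRED_PATCH_LEVEL:
        failures.append("patch")
    if "identity" in failures:
        return DENIED, failures          # unknown user gets no remediation VLAN
    return (QUARANTINE if failures else PRODUCTION), failures

def post_admission(ep):
    """'Kick people off': behaviour monitoring on an already admitted endpoint."""
    if ep.mbytes_per_min > 500 or ep.failed_logins >= 5:
        return "anomalous behaviour"
    return None

def remediate(ep, failures):
    """Auto-remediation through (simulated) configuration management."""
    if "antivirus" in failures:
        ep.av_running = True
    if "patch" in failures:
        ep.patch_level = REQUIRED_PATCH_LEVEL

def lifecycle(ep):
    """One pass: pre-admission, remediation if quarantined, then post-admission."""
    vlan, failures = pre_admission(ep)
    log = [f"pre-admission: {vlan} {failures}"]
    if vlan == QUARANTINE:
        remediate(ep, failures)
        vlan, _ = pre_admission(ep)
        log.append(f"re-admission after remediation: {vlan}")
    if vlan == PRODUCTION and (reason := post_admission(ep)):
        log.append(f"post-admission: {QUARANTINE} ({reason})")
    return log
```

Note that a behavioural quarantine is deliberately not cleared by remediation: only compliance failures are auto-remediated, while an anomaly flagged after admission stays with the endpoint until an operator reviews it.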
. . . But NAC is only a small component in an endpoint security life cycle (diagram: NAC shown as one element of the endpoint security life cycle)
NAC evolves to encompass a wider risk-based architecture (diagram: proactive endpoint risk management spanning client and network, built on identity and NAC)
Defining proactive endpoint risk management
► Policy-based hardware and software technologies that proactively manage risk by integrating endpoint security, access control, identity, and configuration management
Agenda: Recommending how to overcome NAC’s pitfalls
Firms must overcome the four “dirty little secrets” of the NAC market
• Enterprise-class components
» Why it hurts NAC deployments: Underpinning hardware (DHCP, RADIUS, and DNS) is not reliable enough.
» How to overcome: Budget for high-availability components.
» Key vendors: Infoblox, MetaInfo, and INS
• Automatic remediation
» Why it hurts NAC deployments: NAC doesn’t provide automatic remediation of noncompliant users.
» How to overcome: Integrate configuration management tools.
» Key vendors: Altiris, Shavlik, BigFix, etc.
• Multivendor policy
» Why it hurts NAC deployments: Policy isn’t “plug-and-play” across multiple vendors.
» How to overcome: Select vendors that have proven interoperability.
» Key vendors: Cisco (NAC) and Microsoft (NAP)
• True identity awareness
» Why it hurts NAC deployments: NAC is device-centric, and many solutions don’t support user context.
» How to overcome: Integrate with AD/LDAP, and push for SSO.
» Key vendors: Applied Identity and Identity Engines
Recommendations: vendor selection
• Pick vendors that focus on:
» Identity: Without identity, NAC is device-centric and misses the full-policy-compliance framework.
» Remediation: The ability to remediate or enforce compliance is key to automating NAC.
• Look for solutions that focus on interoperability:
» Microsoft: NAP
» Cisco: NAC
» TCG: TNC
Recommendations: deployment best practices
Phase in NAC to maximize short-term effectiveness:
• Phase 1 — Create NAC policies: Leave three months to simply write policies and understand who goes where under what conditions.
• Phase 2 — Deploy an overlay pre-admission solution: Get policy-savvy solutions in place that allow you to begin NAC but may not have a full set of enforcement capabilities.
• Phase 3 — Add more enforcement and post-admission: Once you have the right policy infrastructure in place, you can scale out enforcement with 802.1X and behavior monitoring with IPS.
• Phase 4 — Build remediation capabilities: Finally, you can enable user-remediation or auto-remediation with configuration management solutions.
Robert Whiteley
+1 617/613-6183
rwhiteley@forrester.com
www.forrester.com
Thank you