It’s all very well putting authentication in place so that you know nobody unauthorised can get on to your network, and deploying firewalls liberally round the perimeter to keep unwanted visitors out, but what do you do when a legitimate user connects a laptop, with out-of-date anti-virus software, on to the network, and brings a virus or worm into your environment?
Plans are afoot for a security standard (see ‘New spec will secure laptops on your network’) to control how potentially non-secure PCs gain network access. That’s a way off though, so vendors are starting to come up with their own ideas.
Trapeze Networks has something called bonded authentication (see ‘Wi-Fi switch security nothing but a white elephant’ ) that authenticates the PC as well as the user, but that doesn’t check if the PC is in a fit state to be connected. In the meantime, Cisco, working with anti-virus vendors including Network Associates, Symantec and Trend Micro, is releasing Phase 1 of its Network Admission Control (NAC).
NAC up close
NAC was announced about nine months ago by the company, but while the IOS code - 12.3(8)T - needed to support it on its routers is available now, the version of its Access Control Server (ACS) AAA authentication server that makes up the other part of the jigsaw, was due for release in the summer.
NAC is made up of several pieces. On each host PC, you need to have installed Cisco Trust Agent software. This software communicates via a plug-in to the AV software already present on the PC (hence the partnership with the AV vendors), and also, via EAP over UDP, to the network access device that will enforce the security policing. In Phase 1, this will be a Cisco router, so any quarantining of a suspect PC will be done at a Layer 3 boundary only. It will be Phase 2, probably towards the end of this year, before this policing will be supported on a LAN switch or wireless access point, and control narrowed down to a per-port basis.
The router, running NAC, will request security credentials from the PC and pass them onto to the authentication server - in this case a Cisco ACS - via RADIUS. You’ll have the option to choose whether or not to validate devices via access lists. This ability is essential at present since for now the CTA can only be installed on Windows NT4, XP and 2000 hosts: Solaris and Linux support will be added in Phase 2, but it will be 2005 sometime before a CTA for an IP telephone is available, so none of this will be applicable for these unsupported devices to start with.
The ACS will then (although it doesn’t have to) communicate with your AV policy server to check, for instance that the PC is running the correct version of AV software, and that the DAT files and scan engine are at the required level. If not, you’ll have the option of letting the user connect, refusing connection, or forcing an update of the requisite software. Other checks that can be carried out will include the OS version and patches installed, and whether the Cisco Security Agent is installed and up to date.
Once everything’s been checked out, the host will be polled periodically (the default’s every ten minute although that’s customisable) to make sure that it’s still the same PC that was authenticated and that nothing has changed security-wise. If it has, a new validation will be carried out, and an administrator can also force validation manually at any time.
The CTA software is free, and available either from Cisco or the AV participants, but you’ll have to upgrade (or buy) your ACS server software, and probably a couple of routers too, as 12.3(8)T’s not been around all that long. Though at least you don’t have to upgrade all routers - just the ones that will be controlling access.
The main issue at present, apart from the Windows-only support for client PCs (and it’s unlikely older versions of Windows will ever be supported), is the disassociation between Layer 2 and Later 3 validation. As stated, this validation of the host’s security credentials is currently only done at a router interface, not on the access switch, which does potentially allow an insecure PC to impact its local LAN. And so far it’s completely unrelated to 802.1x for user authentication, although there’s nothing to stop you running both independently. This situation will improve with Phase 2 later this year.
It’s also worth pointing out the obvious. NAC will ensure that you can’t connect to the network unless your OS patches, AV and CSA software are up to date, and it will update machines for you if required. It will not detect any viruses that do find their way onto the host PC; Cisco is at pains to highlight that NAC cannot replace your AV protection strategies. That said, it does certainly give you the option to start to control the state of the PCs connecting to your corporate network, which is surely a good thing.