
Laying the Identity Foundation for NAC

Identity Engines Inc. | www.idengines.com

Mobility has destroyed the traditional means of knowing users’ identities, and hence their access privileges, and little has been done to fill the gap. Network security vendors are trying to address this identity gap by introducing network access control (NAC) products that check device integrity before letting devices connect. Unfortunately, deploying NAC alone fails to address the critical issue: providing a unique identifier for each user around which access rules are written.

Compliance check? Or spyware?

For all networks, but particularly for wireless networks, the authenticated identity of the user should be the axis around which network access decisions are made. The IP address shouldn’t serve this identification function; it simply changes too often. The layer-two MAC address likewise can only be seen on the local network segment and can easily be spoofed. By orienting NAC solely around checking the integrity of systems before allowing them to connect, there is an implicit assumption that there are only two classes of users: those in compliance and those out of compliance. But there are also guests, contractors, vendors, sales, finance, HR, marketing, engineering and a host of other types of users on an organization’s network. What does it mean to be in compliance as a vendor attempting to access the network just for outbound VPN access? Most NAC solutions operate by running a piece of client code that bundles up this posture information on the host and sends it to the network for evaluation. But there are no widely deployed standards for this today. What is one organization’s host compliance check is another organization’s spyware, because these integrity check systems interrogate the host registry files and other configuration elements on a device, just like the latest worm might.

NAC as envisioned thus far certainly has utility. The idea of tying endpoint software status to network admission makes sense and certainly raises the bar in network security. However, focusing on this check alone is not the best first step. Going back to the need for a common identifier, it is clear that it is possible to do better than endpoint posture as a delineation for network decisions. The opportunity we have is to undo the degradation in identity that came about from the advances in mobility. We can achieve this quite simply by using the authenticated identity of the user as the common identifier for all network access decisions.

Exploiting underutilized NAC capabilities of existing network infrastructure

More technology is not the answer to the network access quandary; what is needed is better intelligence and more precise control of technology already deployed on the network. Switches, routers, firewalls, and other network devices have a host of security capabilities that often aren’t exploited due to the difficulty of management and integration with other security systems. To make the deployment of this technology effective, an identifier is needed which is consistent throughout access type, location, and even the endpoint itself. This identifier then must become a foundational element in security decisions throughout the infrastructure. Thankfully, this is not as hard as it sounds.

For organizations committed to NAC, a ubiquitous user authentication service can enhance results. To make correct, consistent access decisions, the NAC infrastructure must have access to authoritative user data (for a given user, this data usually resides in one of several user directories), and this infrastructure must be integrated with policy controls that let administrators efficiently set user access rules.

By adopting identity as the foundation for network access, organizations can ensure consistent security regardless of how their users connect: wired, wireless, and VPN. Once user identities are known on the network, it is a relatively simple matter to provision unique access rights for each network session, enabling the organization to fully embrace the power of the network in provisioning access to applications and other resources based on the identity and group affiliation of the user. This is in stark contrast to relying on the application layer alone to provide controls.
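To make the contrast concrete, here is an added example (not code from Identity Engines or from this article) of an identity-centred policy decision next to the posture-only, two-class check criticised above. The user directory, group names, rule names and access profile labels are all constructed for illustration; a real deployment would query its own directory and provision its own VLANs or ACLs.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the authoritative user directory. Assumption: a real
# deployment would query LDAP/Active Directory; users and groups are made up.
DIRECTORY = {
    "alice": {"finance", "staff"},
    "bob": {"engineering", "staff"},
    "vend1": {"vendor"},
}

@dataclass(frozen=True)
class Session:
    user: Optional[str]         # authenticated identity, None if auth failed
    access: str                 # "wired", "wireless" or "vpn"
    posture_ok: Optional[bool]  # endpoint check result, None if no agent ran
    ip: str = ""                # carried along but deliberately NOT a policy input
    mac: str = ""               # likewise: local-segment only and spoofable

@dataclass(frozen=True)
class Rule:
    name: str
    profile: str                # per-session access to provision (labels made up)
    groups: frozenset = frozenset()  # empty = matches any identity
    needs_posture: bool = False

# Ordered, first-match policy keyed on identity and group affiliation.
# Posture is one extra condition on a rule, not the axis of the decision.
RULES = [
    Rule("vendor", "acl-outbound-vpn-only", frozenset({"vendor"})),
    Rule("finance", "vlan-finance", frozenset({"finance"}), needs_posture=True),
    Rule("staff", "vlan-staff", frozenset({"staff"})),
    Rule("guest", "vlan-guest"),  # unauthenticated or unknown identity
]

def decide(s: Session) -> Tuple[str, str]:
    """Return (matched rule, provisioned profile) for one network session."""
    groups = DIRECTORY.get(s.user, set()) if s.user else set()
    for r in RULES:
        if r.groups and not (r.groups & groups):
            continue
        if r.needs_posture and not s.posture_ok:
            continue  # failed/unknown posture demotes to the next matching rule
        return r.name, r.profile
    return "deny", "none"

def posture_only(s: Session) -> str:
    """Two-class model: a vendor and a finance user look identical when both are clean."""
    return "full-access" if s.posture_ok else "quarantine"
```

The same user reaches the same decision over wired, wireless and VPN regardless of the IP or MAC the session arrives with, while a failed posture check only demotes that user within the identity-based rules.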

A bridge to authenticated networks

Inserting an identity layer into the infrastructure provides a consistent means of getting users online and sets the foundation for a service on the network that can be extended as NAC standards emerge and integration options present themselves. This identity layer can be deployed over time: staging the deployment by location or by access method, organizations can slowly migrate legacy infrastructure to this new approach as confidence in the technology and the stability of network policies improve. Authenticated and customized network services solve real problems today and represent a leap beyond the restrictions of current static networks to true authenticated networks.
