Richard Davies wrote: The UK has a good crop of technology pioneers in cloud computing - for example ElasticHosts, FlexiScale, Flexiant, OnApp - and also some strong government initiatives such as G-Cloud.
We will have to see whether this kind of technical leadership converts into swift mass-market adoption or not.
MP: (knocks on the door, waits. Door opens with MA)
MA: (in a deep fatherly voice) May I help you?
MP: Ah, hi, Mr. App… err, sir… um, I’m here to see your daughter, Oracle.
MA: Oh you are, are you? Let me take a look at you. (Looks him up and down, turns him around) Have you had a cold or flu recently?
MP: No.
MA: Do you always have your firewall enabled before entering unknown areas?
MP: Absolutely!
MA: Have you graduated high school & up to date on your shots?
MP: Yes sir! I’m actually attending Jr Community College Institute.
MA: Ok then. (calling over shoulder) Oracle, your friend is here.
After that, you don’t know if they are going to the prom, going to a movie, going to the beach or anything and if poor little Oracle is vulnerable, I don’t think any of you want to see Mr. Packet take advantage of that!
80% of NAC deployments are driven by Guest Access. What once was the main driver, ‘Endpoint Baselining’, now only accounts for 15% of installations, which might explain NAC’s downturn. At first this was going to be a ‘NAC is whack’ post, due to interoperability, standards, cost/complexity and so forth, but that seems so 2007. Plus, the TCG (Trusted Computing Group) is trying to push its specifications forward. So instead of ripping on a technology, I wanted to provide some ideas on Guest Access. Also, most companies are now doing ‘Laid-Back NAC’, since they are not sure what to do if a device is non-compliant. According to Gartner, only 7% push/enforce device policies; when it comes to querying, simply checking the device is ‘good enough’, since if it’s not ours, then you must be a guest. While compliance and protecting intellectual property are important, it’s mostly about the fear of strangers on the network.
Probably the most prevalent way visiting guests get access (internal or outbound) is wireless. Most companies have a WiFi AP that is visible to anyone with a radio, and the password is freely given out. Some broadcast the SSID while others keep it secret, and usually there is a password (not always the strongest or most secret) to jump on the wireless LAN. Often, 802.1X will do its part by authenticating the user and opening a port. After that, replay the opening scene, since there’s no application awareness. To protect internal resources, IT might VLAN (segment) the wireless traffic so it is unable to reach internal destinations. Another easy prevention mechanism is to only allow outbound HTTP/HTTPS (ports 80/443) traffic. For many visitors this works well, since all they needed was the internet anyway; for others, or for internal employees who need access to internal systems, an SSL VPN can do the trick. Just treat your wireless users as any other ‘remote’ user {pdf}. They have HTTPS access to the internet, and all they have to do is type or bookmark the SSL VPN URL. Host check, authenticate, and resource assignment: that sequence gives users internal access. You could also create a portal page with the available systems and, depending on the request, force UN/PW then. You get granular access control, encryption, application awareness (when coupled with BIG-IP LTM {pdf}) and whatever reports/stats management needs.
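The guest-segment policy described above (VLAN the wireless traffic away from internal destinations, then permit only outbound HTTP/HTTPS) written out as an evaluable rule set. This is an added example, not code from F5 or from the post; the VLAN id, the address ranges treated as internal, the resolver address and the sample flows are all constructed. It goes one step past the text by adding a DNS exception, since guests who can only reach 80/443 still need a resolver, and by showing that rule order is what keeps an internal host on tcp/443 from slipping through the port allow.

```python
"""Guest wireless egress policy: segment the guest VLAN from internal
destinations and allow only outbound HTTP/HTTPS.

Added example, not F5's or the post author's code. VLAN id, address
ranges, resolver address and sample flows are all constructed.
"""
import ipaddress
from dataclasses import dataclass

GUEST_VLAN = 300                      # assumed guest wireless VLAN id
GUEST_RESOLVER = "192.168.50.1"       # assumed DNS resolver on the guest segment
ALLOWED_EGRESS_TCP = {80, 443}        # the post's "outbound HTTP/HTTPS only"

# Destinations that count as "internal": RFC 1918, ULA, loopback, link-local.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]


@dataclass(frozen=True)
class Flow:
    vlan: int
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def is_internal(addr: str) -> bool:
    """True if addr falls in any range guests must never reach."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def evaluate(flow: Flow) -> tuple:
    """Return (verdict, reason). Rule order matters: the resolver exception
    sits before the internal-destination deny, and the internal deny sits
    before the port allow, so an internal host on tcp/443 is still denied."""
    if flow.vlan != GUEST_VLAN:
        return "skip", "not guest VLAN traffic; other policy applies"
    if flow.proto == "udp" and flow.dport == 53 and flow.dst == GUEST_RESOLVER:
        return "allow", "DNS to the guest segment's own resolver"
    if is_internal(flow.dst):
        return "deny", "guest VLAN is segmented from internal destinations"
    if flow.proto == "tcp" and flow.dport in ALLOWED_EGRESS_TCP:
        return "allow", f"outbound tcp/{flow.dport} to the internet"
    return "deny", "only outbound HTTP/HTTPS leaves the guest VLAN"


def audit(flows) -> dict:
    """Tally verdicts over a batch of flows (what IT would report on)."""
    counts = {"allow": 0, "deny": 0, "skip": 0}
    for f in flows:
        counts[evaluate(f)[0]] += 1
    return counts


# Constructed sample flows for a dry run (203.0.113.0/24 is documentation space).
SAMPLE_FLOWS = [
    Flow(300, "192.168.50.23", "203.0.113.10", "tcp", 443),   # guest browsing
    Flow(300, "192.168.50.23", "192.168.50.1", "udp", 53),    # guest DNS
    Flow(300, "192.168.50.23", "10.1.5.20", "tcp", 443),      # guest -> intranet
    Flow(300, "192.168.50.23", "203.0.113.10", "tcp", 22),    # guest SSH out
    Flow(10, "10.1.7.9", "10.1.5.20", "tcp", 445),            # employee VLAN
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, *evaluate(f))
    print(audit(SAMPLE_FLOWS))
```

On a real deployment the same three rules map onto an ACL or firewall policy bound to the guest VLAN; the point of the ordering is that the "internal" deny must precede the 80/443 allow, otherwise the port filter alone would let a guest reach an internal HTTPS server.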
IAM, or Identity and Access Management, is becoming a hot topic both for general access and for NAC. Regulatory compliance, protecting intellectual property, guest access and the fear of strangers are all driving the NAC and IAM intersection. Who’s on my network? Who has access to corporate secrets? Are you one of us? And how do we report on and control all that? These are great concerns for IT. As IAM meets NAC, the crossroads needs smarter signals. When adding identity to NAC, the focus should be on the user rather than the device (even though you’ll still probably check endpoint ‘health’), but companies are having some difficulty with role-based info/authorization. This idea is still in the Technology Trigger (early adopter) phase of the Gartner hype cycle, but Gartner does predict that through 2011, 70% of large enterprises will have implemented authentication for all forms of network access.
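The user-centred side of the picture, the "host check, authenticate, resource assignment" sequence from the SSL VPN paragraph combined with the role-based authorization this paragraph says companies struggle with, as an added example that is not F5's or the post's code. Role names, resource names, the remediation set and the session fields are constructed; the `enforce` flag puts the post's ‘Laid-Back NAC’ (check and log, but grant anyway) beside actual enforcement so the two can be compared on the same input.

```python
"""Identity-aware resource assignment after the SSL VPN sequence
'host check -> authenticate -> assign resources', with the post's
'Laid-Back NAC' (log-only) mode beside real enforcement.

Added example, not F5's or the post author's code. Role names,
resource names and the remediation set are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    user: Optional[str]        # None = never authenticated (a pure guest)
    roles: frozenset           # roles returned by the identity store
    managed_device: bool       # corporate-owned endpoint
    host_check_passed: bool    # AV running, patches current, firewall on


# Constructed role -> resource map: the decision keys off the user, not the box.
ROLE_RESOURCES = {
    "employee": {"intranet", "email"},
    "finance": {"erp"},
    "it-admin": {"intranet", "email", "jump-host"},
}
INTERNET_ONLY = {"internet"}
REMEDIATION = {"internet", "webmail"}   # what an unhealthy/unmanaged device keeps


def assign_resources(s: Session, enforce: bool = True) -> tuple:
    """Return (resources, audit_events).

    enforce=True downgrades a non-compliant device to REMEDIATION.
    enforce=False is the 'laid-back' mode: the check still runs and is
    logged (so the report exists), but access is granted anyway."""
    events = []
    if s.user is None:
        events.append("guest: no identity, internet only")
        return set(INTERNET_ONLY), events

    granted = set(INTERNET_ONLY)
    for role in sorted(s.roles):
        if role in ROLE_RESOURCES:
            granted |= ROLE_RESOURCES[role]
        else:
            events.append(f"{s.user}: unknown role '{role}' ignored")

    compliant = s.managed_device and s.host_check_passed
    if not compliant:
        why = "unmanaged device" if not s.managed_device else "host check failed"
        if enforce:
            events.append(f"{s.user}: {why}, restricted to remediation set")
            return set(REMEDIATION), events
        events.append(f"{s.user}: {why}, laid-back mode, access granted anyway")

    events.append(f"{s.user}: granted {sorted(granted)}")
    return granted, events


if __name__ == "__main__":
    # Constructed sessions: a walk-in guest, a healthy finance user, and an
    # employee on a personal laptop evaluated both ways.
    for sess, enf in [
        (Session(None, frozenset(), False, False), True),
        (Session("alice", frozenset({"employee", "finance"}), True, True), True),
        (Session("bob", frozenset({"employee"}), False, True), True),
        (Session("bob", frozenset({"employee"}), False, True), False),
    ]:
        print(assign_resources(sess, enforce=enf))
```

Running the same non-compliant session with `enforce=True` and `enforce=False` shows what "laid-back" actually costs: the audit trail is identical, only the resulting resource set differs, which is why the post's 7% enforcement figure matters more than the query rate.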
About Peter Silva
Peter Silva covers security for F5’s Technical Marketing Team. After working in Professional Theatre for 10 years, Peter decided to change careers. Starting out with a small VAR selling Netopia routers and the Instant Internet box, he soon became one of the first six Internet Specialists for AT&T, managing customers on the original ATT WorldNet network.
With his telco background, he moved to Verio to focus on access and IP security along with web hosting. After losing a deal to Exodus Communications (now Savvis) for technical reasons, the customer still wanted Peter as their local SE contact, so Exodus made him an offer he couldn’t refuse. As only the third person hired in the Midwest, he helped Exodus grow from an executive suite to two enormous datacenters in the Chicagoland area, working with such customers as Ticketmaster, Rolling Stone, uBid, Orbitz, Best Buy and others.
Bringing the slightly theatrical and fairly technical together, he covers training, writing, speaking, along with overall product direction and evangelism for F5’s security line. Prior to joining F5, he was the Business Development Manager with Pacific Wireless Communications. He’s also been in such plays as The Glass Menagerie, All’s Well That Ends Well, Cinderella and others. He earned his B.S. from Marquette University, and is a certified instructor in the Wisconsin System of Vocational, Technical & Adult Education.