Teleconference

Demystifying NAC: Going Beyond Basic Admission Control
Robert Whiteley Senior Analyst Forrester Research
September 25, 2006. Call in at 12:55 p.m. Eastern Time

Theme

Firms must look beyond current limitations of NAC and build a life cycle with both pre- and postadmission.


Entire contents © 2006 Forrester Research, Inc. All rights reserved.

Agenda
• Examining NAC's momentum
• Detailing today's NAC architectures
• Going beyond: predicting NAC's future
• Recommending how to overcome NAC's pitfalls


Defining network access control (NAC)
A mix of hardware and software technologies that dynamically control client systems' access to networks based on their compliance with policy.
Network quarantine = network access control = Network Admission Control (Cisco's specific term) = Network Access Protection (Microsoft's specific term)


NAC solves an IT oxymoron: secure access
NAC provides the technology framework and policy hooks to make security and access tradeoffs.

[Figure: a spectrum running from "Access" at one end to "Security" at the other, with network access control positioned between the two extremes.]
• The most accessible systems are not secure.
• The most secure systems are not accessible.


NAC is gaining significant momentum in large enterprises . . .
• Demand side: NAC has jumped to an early mindshare position within large enterprises.
  » Some 40% of enterprises were tackling NAC initiatives in 2006.
  » Some 52% of firms indicated the need for access control across all network mediums: wired, wireless, and remote access.

• Supply side: Dozens of vendors are jumping on the bandwagon (RSA's 2006 "NAC Show").
  » Infrastructure vendors: 3Com, Cisco, Enterasys, Extreme, Foundry, HP ProCurve, Nortel
  » Software vendors: Elemental Security, ENDFORCE, F-Secure, McAfee, Panda Software, Symantec/Sygate
  » Appliance vendors: Caymas, Check Point, ConSentry, ForeScout, Granite Edge, InfoExpress, Lockdown, Mirage, Nevis, Vernier

. . . But many companies suffer from stalled deployments
• Only 4% of firms had completed deployments.
• Why?
  » Multiple, confusing architectures
  » Lack of interoperability
  » Upfront costs exceed benefits
  » Lack of identified business drivers


Defined use cases are just now coming into focus
• The ROI of NAC is a lost cause.
• Successful deployments focus on business needs for:
  » Unmanaged or guest systems
  » Partner extranet functionality
  » Enterprise mobility
  » Virus/worm contamination


The result: Enterprises are in the second wave of NAC deployments
[Figure: timeline from 2004 to 2008 showing three successive waves of deployment.]
• Wave 1 (homogenous architectures): momentum from early adopters; driver: controlling the "Wild, Wild West"
• Wave 2 (hybrid architectures): momentum from the early majority; driver: unmanaged/guest systems
• Wave 3 (interoperable architectures): momentum from the late majority; driver: operational efficiency


Today's NAC deployments focus on three architectural components
• Endpoint
  » PCs: desktops, laptops, servers
  » Devices: IP phones, printers, embedded OS machines
  » Primary ownership: desktop or client operations

• Network
  » Perimeter devices: security appliances, VPN concentrators, firewalls
  » Wiring closet devices: routers, switches, wireless APs
  » Primary ownership: network operations

• Back-end servers
  » AAA, policy, configuration, and remediation servers
  » Primary ownership: security operations

But successful enterprises are shifting focus to two distinct functional components
• Pre-admission: "Keep people out"
  » Technologies to perform integrity and compliance checks before network resources are granted
  » Key components: endpoint security scans and identity via authentication

• Post-admission: "Kick people off"
  » Technologies to monitor resource access violations and anomalous behavior
  » Key components: identity management and IPS

Bridging NAC's architectural and functional views

Architecture
• Endpoint tools: endpoint security tools; client security suites (AV, FW, etc.); compliance agent (optional)
• Intelligent network: switches and routers; VPN gateways; wireless APs; security appliances
• Policy and identity servers: authentication and authorization (RADIUS, LDAP, AD); remediation and configuration management; audit and assessment

Function
• Pre-admission control: endpoint integrity check; enforcement during authentication
• Post-admission control: behavior monitoring; resource and application violations


As NAC evolves functionally, focus on building a user or device-access control life cycle . . .
[Figure: a cycle with three stages: pre-admission, post-admission, and remediation.]
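The pre-admission / post-admission / remediation life cycle described on the two slides above, as an added example that is not part of the deck: a minimal policy engine that checks endpoint posture and identity before granting access, monitors constructed flow records afterwards, and collects what a remediation step would have to fix. All thresholds, field names and the flow-record format are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed posture and behaviour policy (hypothetical thresholds).
POLICY = {"max_av_age_days": 7, "max_missing_patches": 0,
          "allowed_dports": {53, 80, 443}, "max_distinct_dsts": 20}

@dataclass
class Endpoint:
    host: str
    user: Optional[str]      # None = no authenticated identity (device only)
    av_age_days: int         # age of antivirus signatures in days
    missing_patches: int     # number of missing critical patches
    firewall_on: bool

def pre_admission(ep: Endpoint) -> tuple[str, list[str]]:
    """Integrity and identity check before any network resource is granted."""
    failures = []
    if ep.av_age_days > POLICY["max_av_age_days"]:
        failures.append("stale-av")
    if ep.missing_patches > POLICY["max_missing_patches"]:
        failures.append("missing-patches")
    if not ep.firewall_on:
        failures.append("firewall-off")
    if ep.user is None:
        return "guest-vlan", failures   # unmanaged/guest system: limited access
    if failures:
        return "quarantine", failures   # hold on a remediation network
    return "admit", failures

def post_admission(flows: list[str]) -> tuple[str, list[str]]:
    """Behaviour monitoring after admission; 'revoke' on a policy violation.
    flows are constructed 'dst=<ip> dport=<port>' records for one host."""
    violations, dsts = [], set()
    for record in flows:
        kv = dict(part.split("=") for part in record.split())
        dsts.add(kv["dst"])
        if int(kv["dport"]) not in POLICY["allowed_dports"]:
            violations.append(f"port-{kv['dport']}")
    if len(dsts) > POLICY["max_distinct_dsts"]:
        violations.append("scan-like")  # worm-style fan-out to many hosts
    return ("revoke" if violations else "ok"), violations

def lifecycle(ep: Endpoint, flows: list[str]) -> dict:
    """Run pre-admission, then post-admission, and queue remediation items."""
    decision, failures = pre_admission(ep)
    result = {"host": ep.host, "pre": decision, "post": None,
              "remediate": list(failures)}
    if decision == "admit":
        result["post"], violations = post_admission(flows)
        result["remediate"] += violations
    return result
```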

. . . But NAC is only a small component in an endpoint security life cycle
[Figure: NAC shown as one small component within the broader endpoint security life cycle.]


NAC evolves to encompass a wider risk-based architecture
[Figure: proactive endpoint risk management as the outer layer, encompassing the client, NAC, network, and identity.]

Defining proactive endpoint risk management
Policy-based hardware and software technologies that proactively manage risk by integrating endpoint security, access control, identity, and configuration management


Firms must overcome the four "dirty little secrets" of the NAC market

1. Enterprise-class components
   Why it hurts NAC deployments: Underpinning hardware components (DHCP, RADIUS, and DNS) are not reliable enough.
   How to overcome: Budget for high-availability components.
   Key vendors: Infoblox, MetaInfo, and INS

2. Automatic remediation
   Why it hurts NAC deployments: NAC doesn't provide automatic remediation of noncompliant users.
   How to overcome: Integrate configuration management tools.
   Key vendors: Altiris, Shavlik, BigFix, etc.

3. Multivendor policy
   Why it hurts NAC deployments: Policy isn't "plug-and-play" across multiple vendors.
   How to overcome: Select vendors that have proven interoperability.
   Key vendors: Cisco (NAC) and Microsoft (NAP)

4. True identity awareness
   Why it hurts NAC deployments: NAC is device-centric, and many solutions don't support user context.
   How to overcome: Integrate with AD/LDAP, and push for SSO.
   Key vendors: Applied Identity and Identity Engines


Recommendations: vendor selection
• Pick vendors that focus on:
  » Identity: Without identity, NAC is device-centric and misses the full policy-compliance framework.
  » Remediation: The ability to remediate or enforce compliance is key to automating NAC.

• Look for solutions that focus on interoperability:
  » Microsoft: NAP
  » Cisco: NAC
  » TCG: TNC

Recommendations: deployment best practices
Phase in NAC to maximize short-term effectiveness:
• Phase 1: Create NAC policies. Leave three months to simply write policies and understand who goes where under what conditions.
• Phase 2: Deploy an overlay pre-admission solution. Get policy-savvy solutions in place that allow you to begin NAC but may not have a full set of enforcement capabilities.
• Phase 3: Add more enforcement and post-admission. Once you have the right policy infrastructure in place, you can scale out enforcement with 802.1X and behavior monitoring with IPS.
• Phase 4: Build remediation capabilities. Finally, you can enable user remediation or auto-remediation with configuration management solutions.

Thank you
Robert Whiteley +1 617/613-6183 rwhiteley@forrester.com

www.forrester.com
