Dramatically improve network security

While most organizations use identity management and authentication, authorization, and accounting (AAA) to authenticate users and authorize their network privileges, there has been virtually no way to verify the security posture of the user's endpoint device itself. Without an accurate way to assess the health of a device, even the most trustworthy user can inadvertently expose everyone else on the network to significant risk, either from a device that is already infected or from one that is not properly protected against infection.

NAC is a set of technologies and solutions built on an industry initiative led by Cisco Systems. NAC uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from emerging security threats such as viruses, worms, and spyware. Customers implementing NAC are able to restrict network access to compliant and trusted endpoint devices (PCs, servers, and PDAs, for example) and can control the access of noncompliant or unmanaged devices.

NAC is unique because it is designed to be integrated into the network infrastructure. So why should a policy compliance and verification strategy be implemented in the network instead of somewhere else?

• Virtually every bit of data that an organization is interested in or is concerned about touches the network.
• Virtually any device that an organization is interested in or concerned about is attached to that same network.
• Implementing admission control in the network gives an organization the ability to deploy the broadest possible security solution covering the largest number of networked devices.
• This strategy uses an organization's existing infrastructure, security, and management deployments, so it has the smallest IT overhead footprint possible.

With NAC in place, whenever an endpoint device attempts to make a network connection, the network access device (at the LAN, WAN, wireless, or remote-access edge) automatically requests a security profile of the endpoint, which is provided either by an installed client or by assessment tools that examine the device. The profile is compared with network security policy, and the endpoint's degree of compliance with that policy determines how its admission request is handled. The network can simply permit or deny access; it can restrict access by placing the device on a network segment that limits exposure; or it can quarantine a noncompliant device by redirecting it to a remediation server, where it can receive the updates that bring it into compliance. One caveat a practitioner should keep in mind: a profile reported by a client-resident agent is only as trustworthy as the endpoint running it, and an already compromised endpoint can misreport its state, so admission control limits exposure rather than eliminating it and should be paired with monitoring after admission.
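The admission decision described above, worked through as a small policy engine. This is an added illustration, not code from the IBM Tivoli or Cisco products the manual describes; the posture attributes (antivirus signature version, patch level, host firewall state), the policy thresholds, the VLAN names, and the sample endpoint reports are all assumptions constructed for the example. It shows the four outcomes the text lists (permit, deny, restrict, quarantine), treats an agentless device as unmanaged rather than as known-good, and fails closed when an agent omits a required attribute.

```python
"""Toy NAC posture-evaluation engine (added example, not Cisco/IBM code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Decision(Enum):
    PERMIT = "permit"            # full access
    QUARANTINE = "quarantine"    # redirect to the remediation segment
    RESTRICT = "restrict"        # limited access for unmanaged/agentless devices
    DENY = "deny"


@dataclass
class Posture:
    """Security profile of an endpoint, as reported by its agent or a scanner."""
    device: str
    user_authenticated: bool            # AAA result; user trust alone is not enough
    agent_present: bool                 # False means no posture data at all
    av_signature: Optional[int] = None  # antivirus signature set version, if reported
    patch_level: Optional[int] = None   # OS patch baseline number, if reported
    firewall_on: Optional[bool] = None  # host firewall state, if reported


@dataclass
class Policy:
    min_av_signature: int
    min_patch_level: int
    require_firewall: bool = True
    allow_unmanaged: bool = True        # agentless devices get RESTRICT rather than DENY


# Hypothetical enforcement mapping; VLAN names are assumptions for this example.
ENFORCEMENT: Dict[Decision, Dict[str, Optional[str]]] = {
    Decision.PERMIT: {"vlan": "corp", "reach": "any"},
    Decision.QUARANTINE: {"vlan": "quarantine", "reach": "remediation server only"},
    Decision.RESTRICT: {"vlan": "guest", "reach": "internet only"},
    Decision.DENY: {"vlan": None, "reach": "none"},
}


def evaluate(p: Posture, policy: Policy) -> Tuple[Decision, List[str]]:
    """Compare a posture report with policy and return a decision plus reasons."""
    if not p.user_authenticated:
        return Decision.DENY, ["user authentication failed"]
    if not p.agent_present:
        # No posture available: the device is unmanaged, not known-good.
        decision = Decision.RESTRICT if policy.allow_unmanaged else Decision.DENY
        return decision, ["no posture agent; device treated as unmanaged"]

    violations: List[str] = []
    # Fail closed: an attribute the agent did not report counts as a violation.
    if p.av_signature is None or p.av_signature < policy.min_av_signature:
        violations.append(f"antivirus signatures {p.av_signature} below required {policy.min_av_signature}")
    if p.patch_level is None or p.patch_level < policy.min_patch_level:
        violations.append(f"patch level {p.patch_level} below required {policy.min_patch_level}")
    if policy.require_firewall and p.firewall_on is not True:
        violations.append("host firewall not enabled")

    if violations:
        return Decision.QUARANTINE, violations
    return Decision.PERMIT, []


def admit(p: Posture, policy: Policy) -> dict:
    """Full admission step: the decision and the network enforcement it maps to."""
    decision, reasons = evaluate(p, policy)
    return {"device": p.device, "decision": decision.value, "reasons": reasons, **ENFORCEMENT[decision]}


# Constructed sample posture reports (not real data).
POLICY = Policy(min_av_signature=4210, min_patch_level=17)
SAMPLES = [
    Posture("laptop-01", True, True, av_signature=4215, patch_level=18, firewall_on=True),   # compliant
    Posture("laptop-02", True, True, av_signature=4180, patch_level=18, firewall_on=True),   # stale AV
    Posture("laptop-03", True, True, av_signature=4215, patch_level=None, firewall_on=True), # unreported attribute
    Posture("printer-07", True, False),                                                      # agentless, unmanaged
    Posture("laptop-04", False, True, av_signature=4215, patch_level=18, firewall_on=True),  # AAA failed
]

if __name__ == "__main__":
    for r in (admit(s, POLICY) for s in SAMPLES):
        print(f"{r['device']:<11} -> {r['decision']:<10} vlan={r['vlan']}  "
              f"{'; '.join(r['reasons']) or 'compliant'}")
```

Running the module prints one line per sample endpoint: the compliant laptop is permitted, the one with stale signatures and the one that failed to report its patch level are both quarantined, the agentless printer is restricted to the guest segment, and the endpoint whose user failed AAA is denied regardless of its posture.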

Appendix B. Network Admission Control

IBM Tivoli and Cisco manual, "Dramatically improve network security", page 473