Let software perform guard duty

Information technology officials in Fulton County, Ga., say they believe in empowering their employees ' to a point. When they realized they would need to grant systems administrator rights to one-fifth of the county's 5,000 employees to make certain software programs work properly, they were instantly aware of the security issues they faced.Having 1,000 employees with administrator privileges would be a security nightmare. Any of them could, against county policy, disable their firewall or virus and spyware protection, or decline new software patches. Any of those actions would threaten not only individual computers but also the entire network, said Robert Taylor, the county's chief information officer and director of IT. 'We're very dependent on endpoint protection to keep the network safe,' Taylor said.The challenge was to guarantee that only healthy and fully protected devices could access the network. So county officials decided to try a new approach to security management called network access control. NAC requires user names and passwords, but it goes a step further by verifying that a user's device is compliant with the organization's information security policies. It checks to see whether a device has properly configured security and system software before it grants access to the network. In addition, NAC often includes automated remediation capabilities for fixing noncompliant machines. The technology is not a substitute for firewalls, virus protection and other endpoint security measures. Instead, it adds a layer of protection and enforces security policies. It can be especially helpful for an agency that must allow different groups of users to access its networks, including employees from other departments or outside contractors whose devices the agency does not control. Although promising, NAC technology is far from being a quick and easy solution. Large-scale implementations are rare, and the market is characterized by incompatible products and vendor hype. Prices for products and installation can easily hit six figures. And creating the proper policies to harness the product's capabilities is among the toughest challenges. The tipping point for Fulton County officials came when a small breach of policy briefly brought down the entire network. A laptop PC in the Sheriff's Office, an organization that manages its own computers, became infected with the Welch virus, which then spread to the county's network. Administrators quickly contained the malware on 20 machines, but the virus' activity used up the network's bandwidth, bringing traffic to a standstill. Taylor and others were determined to find a way to protect the network without having to wall off any departments or revoke everyone's administrative rights. The county's PCs run Microsoft's Windows XP operating system. Because the county lacked the money for a new security solution, Taylor instead became a beta tester two years ago for Microsoft's NAC product, called Network Access Protection (NAP).The county uses NAP on a handful of desktop PCs that run Vista, the latest version of the Windows desktop operating system. It has NAC features built in. The county will load Vista and NAP on all its computers when Windows Server 2008 becomes available early next year. Microsoft is not alone in its commitment to developing NAC solutions. Cisco Systems started work on its Network Admission Control product line more than five years ago, said Irene Sandler, a product marketing manager at Cisco. The company's current offering is called the Cisco Network Admission Control Appliance. And Symantec will include NAC as part of its Endpoint Protection 11.0, which is due out this fall. Dozens of security and network vendors say they plan to offer NAC products, no doubt encouraged by optimistic estimates for the technology's adoption. Market researcher IDC has estimated that NAC sales will rise to $3.2 billion in 2010, up from $526 million in 2005. Furthermore, an Aberdeen Group survey released last fall showed that 75 percent of organizations that allow employees, partners, contractors and even unknown guests to access their networks have virtually no ability to see or control whether endpoint devices comply with the organizations' security policies. The specifics of any NAC project depend on the needs of the organization, but the overall objective is the same. 'Agencies want to make sure that any device that connects to the network is healthy and remains healthy throughout the connection,' said Mark Bouchard, founder of the consulting company Missing Link Security Services.Like most new technologies creating a lot of buzz, NAC has generated some confusion in the market. A NAC implementation can be as simple as allowing or denying access based on one or two simple policy parameters, such as the presence or absence of anti-spyware tools. A full-blown implementation could check devices for dozens of characteristics and apply different remedial actions based on the type of problem or user. 'How much you need to know [about the endpoint device] and what you do about it are some of the decisions that make up the project plan,' said Tim Kelleher, vice president and partner at Unisys Federal Systems.All NAC implementations offer a capability called pre-admission control, which ensures that virus protection is turned on and the client machine complies with the organization's security policies. In addition, most NAC implementations provide post-admission control, which checks periodically to see if the client's status has changed. For example, a post-admission check would reveal if the user had disabled the machine's virus protection after connecting to the network. 'Pre-admission decides if I have the right attire to get into the restaurant,' said Joel Snyder, a senior partner at Opus One, an IT consulting firm. 'Post-admission determines if I behave myself while there.'Even when virus protection is installed on client devices, however, there is still a danger of zero-hour attacks from viruses that take advantage of previously unknown vulnerabilities. A complete NAC protection system includes procedures for continuously monitoring traffic and quarantining devices that display suspicious behavior.  As NAC technology evolves, a major challenge for organizations will be to find ways to take full advantage of the capabilities available.'Policy decisions are the most difficult and potentially problematic aspects of an implementation,' Snyder said. 'Suddenly you have all this control. What do you do with it?'Organizations must decide which security parameters they will check in addition to detecting the presence of firewalls, antivirus software and security patches. For example, an organization might use NAC to discover the version and settings of the client device's operating system and Web browser. NAC can also check for particular versions of software and for unauthorized software. 'There are a lot of management-level decisions to make,' Bouchard said. Administrators must decide whether they will allow users to have file-sharing applications or attach removable media to the network and, if so, which types. Some organizations might want to assign applications and add-on hardware to white lists and black lists, then grant access to white-list items and deny access to black-list items.Administrators must also decide what to do when a device is deemed to be noncompliant. Small agencies or workgroups might be able to adopt the most straightforward approach and simply prevent that device from accessing the network. But for most government organizations, a yea-or-nay decision will result in angry users, reduced productivity and a heavy toll on the help desk. 'You need some kind of automated remediation to put noncompliant machines back into compliance,' Bouchard said. For example, devices that are denied access to the network should be sent to a quarantined area. An automated remediation routine can correct problems by removing illegal applications, installing upgrades and patches, and performing a complete virus check. Another option is to give users a choice between going through a complete remediation process and afterward being given full access to the network or declining remediation and being limited to certain sections of the network. Organizations must be careful about liability when they create automated remediation processes, especially when the users are contractors or guests. 'If you have a contractor whose device is noncompliant, do you want to add patches that might affect the device?' Snyder asked. Organizations don't want to be in the position of having their help desks trouble-shooting computers for people who don't work for the organization. Policy decisions such as those could be among the most difficult challenges for organizations deploying NAC technology, experts say.