I. Introduction: Network Security

A. Where We Are Now

Today’s technology environment is defined by mobility. It’s a productivity enhancement few organizations can be without – but the gain in productivity is causing an explosion of network security concerns. Consider the dramatic increase in the number and capabilities of mobile devices: according to Gartner, the dominant trend in computer buying has shifted to notebooks, which now make up 29% of computers sold in the US and 31% of those sold worldwide.[1] And not only are laptops becoming the computer of choice for many corporate employees, more and more IP-enabled devices are coming into the mix – PDAs, mobile phones, and gaming systems, to name a few – each bringing new security vulnerabilities onto the network.

Further enhancing productivity – and jeopardizing network security – is the ubiquity of access. Whether at home, in a hotel, at a Starbucks, or even on a park bench, users require and expect access to corporate networks at a data rate that enables full productivity. The widespread adoption of broadband and wireless networking has made mobile computing the standard, not the exception.

This has created great challenges for IT and security professionals. Controlling the devices that access the network has become increasingly problematic as these devices move in and out of protected corporate networks, and as the line between office and personal computer blurs or even disappears. It is now easier than ever for unmanaged IP devices to make their way into corporate networks. This technology shift has IT security professionals asking two questions: How do I control access to my corporate networking resources? And how do I ensure that the resources that are allowed on my network aren’t creating a security risk? Before we can answer these questions, we must understand the roots of IT security.

B. How We Got Here

The correlation between productivity-enhancing technology and security technology is not new. As new technologies are adopted, criminal elements find ways to misuse them. Let’s examine the origins of three prevalent security technologies: antivirus software, firewalls, and Virtual Private Networks (VPNs). The development of each was driven by key advancements in non-security technologies.

1. Antivirus

In the early to mid 1980s, antivirus technology development was driven by the success of MS-DOS and its impact on business and home PCs. A key new capability provided by personal computing was the ability to easily share and transfer files via floppy disks. As file sharing became standard behavior, the first viruses evolved to exploit it. This malware attached itself either to individual files or to the boot sectors of PCs, so as to infect every floppy disk subsequently used on that PC. Antivirus technology arose and was widely adopted to preserve the value of data transfer through external media.

2. Firewalls

Firewalls are often associated with the advent of the Internet, but they actually came about as a result of networking and routing technology. As businesses began to connect their small departmental networks to larger shared networks, concerns arose about the ability of individuals to access computing resources and data on networks that didn’t belong to them; the development of the firewall was the result. The firewall inserts itself as a barrier between a local trusted network and one or more external networks, regulating traffic between them to prevent access to network and system resources from unknown or unauthorized sources. Connection to the Internet and its millions of worldwide users has made firewalls mandatory, and a standard part of virtually all networked environments.

3. Virtual Private Networks

VPNs, while not quite as prevalent as antivirus and firewall technologies, are found in almost all medium to large organizations. The need for VPNs was driven by two factors. First, corporations were looking for alternatives to expensive private networks connecting remote sites. Second, companies needed to enable their employees to connect to their corporate networks remotely. And of course, confidentiality of the data in transmission was critical: because this connection was going over open networks, it was susceptible to eavesdropping for both passwords and data. VPNs provided a mechanism to protect the confidentiality of the data and to assure that the connection being made was legitimate.

These advances made the network perimeter stronger, acting as a moat between data and threats. But as perimeter security evolved, so did the methods designed to get at that data.

II. The Need for Something New

Today’s threats are not entering corporate networks through the perimeter, protected as it is by the technologies reviewed above and others, such as intrusion detection systems. Rather, they are taking aim at the network’s soft underbelly, through authorized endpoints, which, as known devices, completely bypass perimeter defenses.

A. An Example: the Zotob Worm

A recent example of this occurred in August 2005, when the Zotob worm took advantage of a Microsoft Windows Plug and Play vulnerability. The worm infected PCs and propagated across networks by scanning random Class B address ranges and sending a TCP SYN packet (connection request) to port 445 on the remote systems it found active. Upon finding a vulnerable machine, the worm exploited the vulnerability, downloaded a copy of itself, infected the PC, and began looking for other targets. Networks were flooded with traffic and crashed, costing organizations untold amounts in productivity.

Incredibly, this worm should never have been able to spread. Its propagation method required access to a TCP port through which other worms, most notably Sasser and Nimda, had already spread. Thanks to the notoriety of these other worms, almost every organization with an Internet connection blocked traffic to port 445 at the perimeter, and assumed that it did not need to be concerned about Zotob. Despite this, Zotob quickly spread around the world, becoming one of the fastest-spreading worms in history.[2]

Beyond simply proving the cliché that assumptions are dangerous, this incident highlighted a crucial flaw in traditional network security: the ability, or rather the lack thereof, to manage every device that plugs into the network. In the case of Zotob, the worm entered organizations when known, already-infected mobile PCs joined the network, either directly or through VPN connections, and the perimeter block on port 445 did nothing to stop traffic that originated inside it.

III. Voilà: NAC

Network Access Control (NAC) aims to do exactly what the name implies: control access to the network. It is still an emerging technology space, and many vendors are taking advantage of this lack of definition to jump on the NAC bandwagon. But if we boil NAC down to its essence, we are referring to the ability to:

• Enforce security policy and restrict prohibited traffic types
• Identify and contain users that break rules or are noncompliant with policy
• Stop and mitigate zero-day and other threats

IV. Mirage NAC

For a NAC solution to be effective, it must deliver two essential pre-admission capabilities. First, it must be able to identify a new device connecting to the network. Second, it must be able to test the endpoint for adherence to security policy and restrict access for those devices that do not meet the defined entry criteria. Together, these capabilities should provide data that can be used to compare a device’s current security state against established security policy criteria, to determine how much or how little access that device is allowed.

Mirage NAC offers just this, and we at CATS-NET are proud to be associated with Mirage. Our engineers have been trained on the Mirage solution, and we would be happy to discuss your requirements and advise on the best NAC approach to protect your crucial data assets.
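The Zotob section above makes the point that a perimeter block on port 445 does nothing once an infected, already-admitted laptop is inside. The following is an added example (not code from this paper, CATS-NET or Mirage) of the complementary internal check a defender would run over flow records: it flags a source that sends port-445 SYNs to many distinct Class B (/16) ranges and many distinct peers, mostly without getting a SYN/ACK back, which is the sweep pattern the paper describes, while leaving a workstation that repeatedly talks to the same two file servers alone. All flow records and thresholds are constructed assumptions.

```python
"""Flag Zotob-style port-445 sweeps in flow records (defender-side detection).

Added example, not code from the CATS-NET/Mirage paper. Many distinct /16s,
many distinct peers and mostly unanswered SYNs mark a sweep from an infected
endpoint; a normal SMB client hitting the same servers does not trip it.
All flows below are constructed sample data.
"""
from collections import defaultdict

# Constructed records: (src, dst, dst_port, syn_unanswered). syn_unanswered=True
# means no SYN/ACK came back, which is what random-address sweeps mostly see.
SAMPLE_FLOWS = []
for i in range(40):                      # legitimate SMB client, two file servers
    SAMPLE_FLOWS.append(("10.1.5.20", ["10.1.1.10", "10.1.1.11"][i % 2], 445, False))
for i in range(60):                      # Zotob-like sweep, a new /16 on each probe
    dst = f"{10 + i}.{(i * 4) % 256}.{(i * 7) % 256}.{(i * 13) % 254 + 1}"
    SAMPLE_FLOWS.append(("10.1.7.33", dst, 445, i % 10 != 0))
SAMPLE_FLOWS.append(("10.1.5.20", "203.0.113.7", 443, False))  # unrelated HTTPS


def class_b(addr):
    """Return the /16 prefix of a dotted-quad address, e.g. 10.1.7.33 -> '10.1'."""
    return ".".join(addr.split(".")[:2])


def find_smb_sweeps(flows, min_peers=20, min_class_b=10, min_unanswered_ratio=0.5):
    """Return {src: stats} for sources whose port-445 activity looks like a sweep.

    Thresholds are assumptions for this example; tune them to the network's
    normal SMB fan-out before alerting on them.
    """
    peers, ranges = defaultdict(set), defaultdict(set)
    total, unanswered = defaultdict(int), defaultdict(int)
    for src, dst, port, syn_unanswered in flows:
        if port != 445:                  # only SMB/CIFS connection attempts matter here
            continue
        peers[src].add(dst)
        ranges[src].add(class_b(dst))
        total[src] += 1
        unanswered[src] += int(syn_unanswered)
    hits = {}
    for src, n in total.items():
        ratio = unanswered[src] / n
        if (len(peers[src]) >= min_peers and len(ranges[src]) >= min_class_b
                and ratio >= min_unanswered_ratio):
            hits[src] = {"peers": len(peers[src]), "class_b_ranges": len(ranges[src]),
                         "unanswered_ratio": round(ratio, 2)}
    return hits


if __name__ == "__main__":
    for src, stats in find_smb_sweeps(SAMPLE_FLOWS).items():
        print(f"possible SMB sweep from {src}: {stats}")
```

A NAC product that quarantines on this kind of signal closes the gap the paper describes: the host is identified and contained inside the network rather than trusted because it was admitted.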