Use Network Access Control (NAC) to ensure system security

Source: Internet
Author: User

Security used to mean solid locks, high walls, a fence and a grumpy guard dog. Computer security has to defend against viruses and malware of every kind, using firewalls, intrusion prevention systems (IPS) and encryption technologies.

A good security solution also includes another technology: Network Access Control (NAC), also called network admission control. It is designed to ensure that any device people use to reach the company's network (a terminal, laptop, PC, BlackBerry or handheld device) is itself protected against threats and cannot infect the entire network.

"NAC technology lets a company control who may log on to its network," says Andreas Antonopoulos, senior vice president and partner at Nemertes Research. "It can supplement perimeter security policies that have been eroded by roaming users, wireless access and segmented networks. It also prevents infected systems from logging on to the network and spreading viruses."

Although many vendors treat NAC as a generic concept, the framework actually comes from Cisco Systems and is part of Cisco's vision of a self-defending network. The framework spans network switches and routers and many other Cisco products. NAC is not a standard, but it integrates many existing standards.

Some specific aspects of NAC are gradually being standardized, for example the way a client reports its own posture to the enforcement point on a network device. Other aspects, such as policy storage and enforcement, are far from any consensus.

Furthermore, the definition of NAC has moved beyond Cisco's framework into a more general concept meaning "managing access to the network and selectively checking the state of the endpoint". More vendors use this definition than Cisco's own NAC solution. Microsoft has a similar framework called Network Access Protection (NAP), and other organizations are proposing NAC standards that differ from Cisco's.
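The two steps described above (the endpoint reports its posture to an enforcement point, which then applies a stored policy and decides what access to grant) can be sketched as a small policy engine. The following Python is an added example, not code from the page, from Cisco, Microsoft or any NAC vendor; the posture fields, the thresholds in `Policy`, the role names and the four outcomes are assumptions chosen for illustration. It also goes beyond the paragraph by handling the cases the article raises later: unauthenticated guests get an Internet-only network, and a host flagged as a threat source is isolated regardless of who is logged in.

```python
"""Toy NAC policy engine: endpoint posture report + identity -> admission decision."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Outcomes the enforcement point (switch, router or appliance) would act on.
ALLOW = "allow"            # full access on the user's normal VLAN
QUARANTINE = "quarantine"  # remediation VLAN: only patch/AV update servers reachable
GUEST = "guest"            # Internet-only guest VLAN
DENY = "deny"              # port stays closed


@dataclass
class Posture:
    """What the endpoint agent (or an agentless scan) reports.
    Field names are this example's own, not any vendor's schema (assumption)."""
    av_running: bool
    av_signature_date: date
    firewall_enabled: bool
    os_patch_level: int
    known_threat: bool = False  # e.g. the IPS already flagged this host as a worm source


@dataclass
class Identity:
    user: Optional[str]  # None when the user did not (or could not) authenticate
    role: str = "guest"  # "employee", "contractor" or "guest" (assumed role names)


@dataclass
class Policy:
    """Thresholds the administrator stores centrally (values are illustrative)."""
    max_signature_age_days: int = 7
    min_patch_level: int = 3
    roles_with_full_access: tuple = ("employee", "contractor")


def failed_checks(posture: Posture, policy: Policy, today: date) -> list[str]:
    """Return a human-readable reason for every posture check that fails."""
    reasons = []
    if not posture.av_running:
        reasons.append("antivirus not running")
    if today - posture.av_signature_date > timedelta(days=policy.max_signature_age_days):
        reasons.append("antivirus signatures stale")
    if not posture.firewall_enabled:
        reasons.append("host firewall disabled")
    if posture.os_patch_level < policy.min_patch_level:
        reasons.append("OS patch level below baseline")
    return reasons


def decide(identity: Identity, posture: Posture,
           policy: Policy = Policy(), today: date = date(2007, 6, 1)) -> tuple[str, list[str]]:
    """Map identity + posture to one of the four outcomes plus the reasons for it."""
    # A host actively spreading malware is isolated before anything else is considered.
    if posture.known_threat:
        return DENY, ["known threat source"]
    # Unauthenticated users and guests never reach the LAN, so their posture is irrelevant.
    if identity.user is None or identity.role not in policy.roles_with_full_access:
        return GUEST, []
    reasons = failed_checks(posture, policy, today)
    if reasons:
        return QUARANTINE, reasons
    return ALLOW, []


def demo() -> dict[str, tuple[str, list[str]]]:
    """Constructed sample reports (not real data) run through the engine."""
    healthy = Posture(True, date(2007, 5, 30), True, 4)
    stale_av = Posture(True, date(2007, 5, 1), True, 4)
    no_firewall_old_os = Posture(True, date(2007, 5, 30), False, 1)
    worm_source = Posture(True, date(2007, 5, 30), True, 4, known_threat=True)
    return {
        "employee, healthy": decide(Identity("alice", "employee"), healthy),
        "employee, stale AV": decide(Identity("alice", "employee"), stale_av),
        "contractor, two failures": decide(Identity("bob", "contractor"), no_firewall_old_os),
        "visitor, no login": decide(Identity(None), healthy),
        "employee, flagged by IPS": decide(Identity("carol", "employee"), worm_source),
    }


if __name__ == "__main__":
    for scenario, (outcome, reasons) in demo().items():
        print(f"{scenario:28s} -> {outcome:10s} {', '.join(reasons)}")
```

The order of the checks is the security-relevant design choice: the threat flag is tested before identity so that a legitimately authenticated employee whose laptop is already scanning the LAN still ends up isolated, and guests are diverted before posture is evaluated because a device that never touches the internal LAN does not need to meet the internal baseline.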

"Whatever the acronym, the standardization process has been slow for more than four years," Antonopoulos said. "The NAC and NAP frameworks interoperate in some respects, but there are no general standards."

Who needs NAC?

NAC is clearly not a feature every small business needs. All but the most sophisticated home offices can do without it. Likewise, for companies that have not yet adopted basic antivirus, anti-spyware and firewall measures, NAC will not solve all their problems. And a company that has not yet built an internal LAN with at least one switch and one or two routers probably has no suitable equipment on which to deploy NAC, never mind any immediate need for it.

"Companies with fewer than 100 people will find this too costly to implement, mainly because it is too complex and the company lacks IT staff, not because of the money," Antonopoulos said. "As the technology matures, more and more small enterprises will use it."

Michelle McLean, senior director of product marketing at ConSentry Networks, also believes that small enterprises may not need NAC. After all, the smaller the enterprise, the more control it has over who accesses the network; it can more easily tell insiders from outsiders and can handle enforcement manually.

"Small enterprises don't see much value in a stand-alone NAC deployment unless they have hundreds of people working in the same place," McLean said. "However, a small enterprise does have the option of using products that contain NAC, such as security switches, so that it introduces NAC to the network while upgrading its switches."

Cisco disagrees, and claims its target customers are a broad group.

"Any company that relies on its internal network for basic operations, whether generating orders, tracking records, storing files or running business processes, should consider NAC," said Irene Sandler, product marketing manager at Cisco. "We now have thousands of customers with fewer than 100 employees."

Choosing a product

Enterprises can choose from a wide range of NAC products. The ConSentry LANShield controller, for example, is a self-contained, stand-alone NAC appliance that does not disturb the existing network. For small and medium-sized businesses the CS1000 model is the most cost-effective and supports more than 800 users. The LANShield platform provides authorization and posture checking, lets you see every user and application on the network, restricts what users may do on the LAN based on their identity, and detects and contains anomalous behavior. The LANShield controller starts at $17,995. Alternatively, small and medium-sized businesses upgrading their wiring-closet switches may choose the LANShield switch, which has the same features as the LANShield controller but is a 48-port Gigabit Ethernet switch, priced at $12,995.

Symantec offers Symantec Endpoint Protection, which combines antivirus, anti-spyware and NAC-ready endpoint software. A beta of the product can currently be downloaded for free. Note, however, that it requires Symantec Network Access Control to centrally manage endpoints and enforce NAC policy on them. Symantec plans to release an entry-level version of its NAC product; in the meantime, its current NAC product is priced at $40 per employee.

"These policies can be applied from the central Symantec Endpoint Protection console without any additional agents," said Patrick Wheeler, senior product manager at Symantec. "You don't need any complex network-level components, you don't need to change the network, and you don't need to add extra agents or policy servers; you just use the existing Symantec Endpoint Protection deployment."

Like ConSentry's product, Cisco's NAC appliance consists of a server and a manager. Licensing is per server rather than per endpoint, because customers generally cannot know exactly how many endpoints are on the network; instead, Cisco prices the server license by the estimated number of users online at any given time. One manager suffices regardless of network size. The smallest license covers 100 concurrent users and costs about $18,000.

Other suppliers in the NAC field include Vernier Networks and Foundry Networks Inc.

Hands-on experience

Omneon Video Networks of Sunnyvale, California, has 250 employees. It uses ConSentry Networks' LANShield controller to control guest access to its network.

Omneon makes media servers and related systems that optimize digital media workflows. "Customers often want Internet access in the conference room," said Steve Berg, the company's IT director. "We urgently needed a separate device to manage our customers' Internet access."

Omneon's partners, for example, often test their software on Omneon hardware, and distributors and users frequently visit headquarters. Once any of these people connects to the network, data may be put at risk and malware may threaten the network. Refusing to let them log on, however, is clearly no way to do business. With ConSentry, the company can control their access, monitor their network traffic, isolate machines that introduce specific threats, set policies and keep the network secure.

A smaller deployment belongs to a hard-drive rescue and data-recovery company in Novato, California. Its 80 employees recover important data from badly damaged hard drives. To better manage local and remote endpoints and better protect key applications, the company installed Cisco's NAC appliance.

Deployment tips

According to Antonopoulos, whether to deploy NAC remains a contentious question because so many factors are involved. He suggests choosing a solution that fits current equipment and future plans, and, if the preferred solution is too expensive, waiting for better standards, a more mature market and lower prices before buying.

To reduce the deployment burden, McLean recommends that small and medium-sized businesses use their existing user login and identity stores without changing the network or client architecture. In other words, the appliance works within the existing LAN without installing new software on every client workstation.

She also believes organizations should roll NAC out gradually. A good starting point, for example, is an overlay appliance, one that drops into the existing network without changing its topology.

"The self-contained NAC solutions that don't rely on clients or switches are the easiest to deploy and the fastest route to value," McLean said. "The Vista operating system supports some NAC, so if you plan to upgrade to Vista, be sure to check that Vista supports the NAC you are using. For organizations that don't run Windows, make sure the solution you choose supports the Linux and Mac platforms."

Wheeler's advice is that combining NAC with the existing endpoint security system is the most convenient and best choice.

"It is agreed that NAC policy is being integrated into the logical endpoint policy," Wheeler said. "So you should choose the NAC solution that matches your endpoint protection solution."
