The influx of employee-owned mobile devices, Software as a Service apps and other elements beyond IT's control is driving organizations to reevaluate their network access control security.
Until recently, the only devices connecting to the network were controlled by IT. First-generation network access control
"In the past, the value proposition of knowing what's on your network wasn't a big concern for IT," said Chris Rodriguez, an analyst at Frost & Sullivan, a research firm based in Mountain View, Calif. "It was a blind spot they could deal with."
That's no longer the case. With so many different devices hitting the network, IT shops need deeper visibility into what those devices are and how they interact with the corporate network.
NAC security in the consumerization era
Today's NAC security tools offer agentless endpoint visibility, access and a security mechanism instead of just access control, said Jon Oltsik, an analyst at the Enterprise Strategy Group in Milford, Mass. Through application programming interfaces, NAC tools integrate with other infrastructure components -- such as mobile device management (MDM) and Microsoft's System Center Configuration Manager (SCCM) -- to tie systems together, aggregate data and automate security and monitoring, Oltsik said.
"My experience with older NAC systems was they weren't worth the hassle," said Nick Duda, principal information security engineer at Vistaprint, a marketing services company based in Lexington, Mass. "But now I can't even imagine managing my environment without it."
Vistaprint has a progressive work culture that encourages employees to use whichever devices they prefer. The sales team uses iPads, the developers use a variant of Linux, senior execs prefer MacBooks, and it's nearly impossible to keep track of all the different mobile devices connecting to the network, Duda said.
Vistaprint uses ForeScout's CounterACT automated security control product to close the gaps where Microsoft's SCCM has problems. CounterACT provides an automated workflow bridge between Vistaprint's MDM instance, vulnerability scanning software, Lightweight Directory Access Protocol, and even external databases such as Oracle and MySQL via the Data Exchange (DEX) plugin.
DEX allows Vistaprint to quickly generate real-time data reports on the effect of potential vulnerabilities. Take, for instance, an August 2012 zero-day Java exploit that Oracle didn't immediately patch. Duda was able to generate a report of all the endpoint devices potentially affected within about five minutes of learning about the exploit. From there, his team carried out the remediation.
That stands in stark contrast to the March 2012 MS12-020 security problem that affected Remote Desktop Protocol. Because the NAC security tool wasn't yet deployed, it took Vistaprint's IT team about 2,000 man-hours to investigate and patch all the endpoint devices connected to the network.
"It's proactive monitoring, and we can respond faster to our business and security needs with the data we are generating about our endpoints," Duda said.
NAC security a home run for Miami Marlins
When the Miami Marlins moved into their new ballpark in 2012, they reimagined how they manage and secure nearly 7,000 open ports -- many of them publicly accessible -- that IP devices can plug into. The team is laying the foundation to expand its network for internal bring your own device (BYOD) initiatives and, eventually, to offer network connectivity to fans during games. But it wants to harden the system and work out the potential kinks before doing that.
The Marlins picked Bradford Networks' Network Sentry product, which they initially deployed in parts of the ballpark during the second half of the 2012 season. By the end of the 2013 season, the NAC security product will be ballpark-wide.
One perk is the manpower the team has saved by automating its network visibility and security.
"It's like having a network admin on staff 24/7," said David Enriquez, the Marlins’ senior director of IT.
With Network Sentry, the IT team has set up automated policies that place any device plugging into a port -- from IP TV boxes to point-of-sale terminals -- on the proper virtual LAN, while rogue devices that attempt to connect are sent to and trapped within a null VLAN.
"There are parts of the ballpark, especially the West Plaza, where fans congregate and practically anyone could plug in a device to get access to our network through these open ports," Enriquez said. He would have deployed NAC security technology earlier, but was hindered because the Marlins didn't own the infrastructure at the team's old ballpark. "We realized we would be in a serious situation if we didn't do something."
In a BYOD context, Enriquez said the team will be able to detect which devices are jailbroken or missing antivirus and register them for MDM automatically before allowing them to connect. Devices that don't adhere to the established policy would be sent to a guest network or would not be allowed to connect at all.
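The two policy descriptions above (per-port VLAN placement with a null VLAN for rogue devices, and BYOD posture checks for jailbreak, antivirus and MDM enrollment) can be expressed as one ordered rule set. The following is an added illustration, not Network Sentry's or ForeScout's configuration; the VLAN numbers, device classes and endpoint records are constructed, and any real NAC product would take these inputs from its own profiling and agent data.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

NULL_VLAN = 999   # quarantine VLAN with no routes out (constructed value)
GUEST_VLAN = 200  # internet-only guest network (constructed value)
# Device classes the profiler recognises and the production VLAN for each (constructed).
DEVICE_VLANS: Dict[str, int] = {"iptv": 30, "pos": 40, "workstation": 10}


@dataclass
class Endpoint:
    mac: str
    device_class: str        # what port profiling identified, "unknown" if nothing matched
    byod: bool = False       # employee-owned device rather than an IT-managed asset
    jailbroken: bool = False
    antivirus: bool = True
    mdm_enrolled: bool = False


def assign_vlan(ep: Endpoint) -> Tuple[int, str]:
    """Evaluate rules top to bottom; return (vlan, reason) for the first match."""
    # 1. An unmanaged device the profiler cannot classify is rogue: trap it in the null VLAN.
    if not ep.byod and ep.device_class not in DEVICE_VLANS:
        return NULL_VLAN, "rogue: unrecognised device on open port"
    # 2. IT-managed assets (IPTV boxes, POS terminals, ...) go to their class VLAN.
    if not ep.byod:
        return DEVICE_VLANS[ep.device_class], "managed asset"
    # 3. BYOD: a jailbroken device is never allowed to connect.
    if ep.jailbroken:
        return NULL_VLAN, "byod: jailbroken"
    # 4. BYOD missing antivirus or MDM registration stays on the guest network until fixed
    #    (the MDM case is where a NAC tool would trigger automatic enrolment).
    if not ep.antivirus:
        return GUEST_VLAN, "byod: antivirus missing"
    if not ep.mdm_enrolled:
        return GUEST_VLAN, "byod: not MDM enrolled, enrolment triggered"
    # 5. Compliant BYOD joins the workstation VLAN.
    return DEVICE_VLANS["workstation"], "byod: compliant"


def evaluate_all(endpoints) -> Dict[str, Tuple[int, str]]:
    """Map each endpoint MAC to its VLAN decision, e.g. for a port-assignment report."""
    return {ep.mac: assign_vlan(ep) for ep in endpoints}


# Constructed sample: one managed POS terminal, one unknown device, two BYOD phones.
SAMPLE = [
    Endpoint("00:11:22:33:44:01", "pos"),
    Endpoint("00:11:22:33:44:02", "unknown"),
    Endpoint("00:11:22:33:44:03", "phone", byod=True, jailbroken=True),
    Endpoint("00:11:22:33:44:04", "phone", byod=True, mdm_enrolled=True),
]
```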
There are, however, some barriers to overcome to maximize NAC's potential.
"Some organizations use out-of-the-box policies and get value from that," Rodriguez said. "But to really automate and tie together various systems, it can get really complex quickly and require a high degree of technical expertise for IT departments."
It also requires different IT teams, such as security, mobile and networking, to work together to devise a workflow and policy engine that spans a multitude of infrastructure components.