Cisco NAC Appliance: The Clean Machine

Organizations finding new security technology uniquely effective at protecting networks from computers outside of their direct control

July 21, 2006

by Charles Waltner, News@Cisco

Network security professionals face a litany of vexing issues, but these days perhaps none is more confounding than the growing need to control the uncontrollable. "The uncontrollable" in this case is any computer connecting to a network that is somehow outside the direct management of a network administrator.

But thanks to innovative technology from Cisco Systems, network operators and their organizations have a new way to automatically check digital devices, such as laptop or desktop computers, servers, and personal digital assistants (PDAs), for known security threats and for current security software. Known as the Cisco NAC Appliance, the product makes networks safer while greatly lessening the administrative burden of hosting unregulated computers.

While the Cisco NAC Appliance is highly effective at monitoring employee computers for risk, especially those of traveling or remote personnel, network managers who use the product say it offers virtually the only option on the market for protecting a network from computers that are not bound by company security policies. Unlike employees, who must typically use carefully configured and maintained computers and follow explicit security policies, partners, customers and others outside the purview of an organization can harbor any number of security threats on their computers. While these "unmanaged" devices may be perfectly safe, network managers simply can't know for sure.

NAC technologies provide a network-based system to vet "endpoint" devices for security risks by verifying their compliance with various policies, such as running up-to-date anti-virus software. If NAC identifies non-compliant devices, it can deny them entry to the network or restrict them to limited parts of it.

The NAC Appliance not only blocks unsafe computers from the network but also offers a flexible scripting and automated workflow capability for helping end-users become compliant. The NAC device, for example, can direct an individual on how to download OS patches or anti-virus updates. It can also automatically configure a computer to give it the proper security settings.
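The check-then-remediate workflow the two paragraphs above describe can be modeled as a small decision engine: an endpoint reports (or is scanned for) its posture, the policy decides whether it is trusted, quarantined, steered to an Internet-only segment, or denied, and non-compliant devices get a list of remediation steps. The Python below is an added illustration written for this article, not Cisco NAC Appliance code; the policy thresholds, patch identifiers, VLAN numbers and sample endpoints are all constructed assumptions. It also extends the text's point about unmanaged visitors by giving "guest" devices an Internet-only path regardless of posture, since no client software or patch policy can be imposed on them.

```python
"""Toy model of a NAC posture check and remediation workflow.

Illustrative example for the article, not Cisco NAC Appliance code.
All thresholds, patch IDs, VLAN numbers and sample devices are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed policy; the thresholds and patch IDs are placeholders.
POLICY = {
    "max_av_signature_age_days": 7,
    "required_patches": frozenset({"patch-A", "patch-B"}),
}

# Constructed mapping from access level to VLAN; the IDs are arbitrary.
VLAN_FOR_LEVEL = {"trusted": 10, "quarantine": 20, "internet-only": 30}


@dataclass(frozen=True)
class Posture:
    """What the endpoint reported, or what a network scan of it found."""
    installed_patches: frozenset[str]
    av_installed: bool
    av_signature_date: Optional[date]


@dataclass(frozen=True)
class Endpoint:
    name: str
    role: str                    # "employee" (managed) or "guest" (unmanaged)
    posture: Optional[Posture]   # None if the device reported nothing


@dataclass
class Decision:
    level: str                   # "trusted" | "quarantine" | "internet-only" | "denied"
    reasons: list[str] = field(default_factory=list)
    remediation: list[str] = field(default_factory=list)

    @property
    def vlan(self) -> Optional[int]:
        # "denied" has no VLAN: the device gets no network at all.
        return VLAN_FOR_LEVEL.get(self.level)


def assess(endpoint: Endpoint, today: date, policy: dict = POLICY) -> Decision:
    # Guests cannot be made to run our client or follow our patch policy,
    # so posture is not evaluated; they are steered to an Internet-only segment.
    if endpoint.role == "guest":
        return Decision("internet-only", ["guest role: no access to internal network"])

    # Fail closed: a managed device that will not report posture is denied
    # rather than assumed clean.
    if endpoint.posture is None:
        return Decision("denied", ["no posture report from managed device"])

    p = endpoint.posture
    d = Decision("trusted")

    if not p.av_installed:
        d.reasons.append("anti-virus not installed")
        d.remediation.append("Install the approved anti-virus client")
    elif p.av_signature_date is None:
        d.reasons.append("anti-virus signature date unknown")
        d.remediation.append("Run an anti-virus signature update and re-check")
    else:
        age = (today - p.av_signature_date).days
        if age > policy["max_av_signature_age_days"]:
            d.reasons.append(f"anti-virus signatures {age} days old")
            d.remediation.append("Update anti-virus signatures")

    missing = sorted(policy["required_patches"] - p.installed_patches)
    if missing:
        d.reasons.append("missing patches: " + ", ".join(missing))
        d.remediation.extend(f"Install patch {m}" for m in missing)

    if d.reasons:
        d.level = "quarantine"   # limited segment: update servers only
    return d


# Constructed sample data; the reference date is the article's date.
TODAY = date(2006, 7, 21)
SAMPLE_ENDPOINTS = [
    Endpoint("staff-laptop", "employee",
             Posture(frozenset({"patch-A", "patch-B"}), True, TODAY - timedelta(days=2))),
    Endpoint("road-warrior", "employee",
             Posture(frozenset({"patch-A"}), True, TODAY - timedelta(days=30))),
    Endpoint("press-laptop", "guest", None),
    Endpoint("silent-desktop", "employee", None),
]


def assess_all(endpoints=SAMPLE_ENDPOINTS, today=TODAY) -> dict[str, Decision]:
    return {e.name: assess(e, today) for e in endpoints}


if __name__ == "__main__":
    for name, dec in assess_all().items():
        print(f"{name}: {dec.level} (VLAN {dec.vlan}) {dec.reasons} {dec.remediation}")
```

The two deliberate design choices are fail-closed handling of a managed device that reports nothing, and treating guests as a role rather than a posture result, which is the distinction the article draws between employee laptops and visitors' machines.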

Until recently, most networking security tactics and technologies focused on building a digital fortress around a network. But the Internet, wireless technologies and other advances have made such an approach obsolete. Traveling salesmen, visiting customers, or just-in-time suppliers need to link to an organization's network to conduct business. Unfortunately, any device can be host to a devastating worm or virus, and anonymous visitors are the prime source of such risks.

Many information technology vendors have created excellent defenses for countering these threats. But most of these approaches, such as anti-virus software, rely on installing "client" programs on the endpoint computers or in some way controlling the devices that connect to the network. An organization, however, typically cannot demand that visitors install such programs on their computers. At the same time, the expanding importance of business networks and Internet-based communications demands that organizations open their networks to outsiders. Visitors must access private networks for information, or they simply need a convenient connection to the Internet and their own organizations' networks.

Beyond simply securing their networks, organizations are relying on the Cisco NAC Appliance to secure their reputations. There's no bigger event each year for The United States Tennis Association (USTA) than the U.S. Open, hosted by the group every September in New York. Like many organizations, the USTA was becoming increasingly concerned about "day-zero" viruses, ones so new that anti-virus software vendors haven't had time to create signatures for them. Without such signatures, these brand-new viruses are free to run amok in networks, often causing significant damage. While the USTA had not experienced a major virus infection prior to 2005, it knew it was only a matter of time before one of these virulent programs hit the network. And no time would be likelier, or more devastating, than during the U.S. Open.

"We wanted to make sure we had the best possible protection for our organization and especially for the media corps that descends on our facilities during the big tournament each year," says Carlos Lakomy, director of technology development and deployment for the USTA. "We wanted to proactively defend our network and ensure our network security was air-tight during the Open."

While the USTA had been able to control the computers within its own organization, insisting that employees follow certain security procedures and configuring their computers for greatest safety, it does not have that option with the more than 400 international media personnel who make the annual pilgrimage to the Grand Slam tennis event. So the USTA, with the help of its network technology partner, Calence LLC of Tempe, Ariz., installed the Cisco NAC Appliance before last year's tournament.

The USTA made particular use of the NAC Appliance's ability to place any connecting computer on a VLAN, or virtual local area network, that terminates at the appliance. That ad hoc VLAN let the appliance "escort" all media traffic to the USTA's Internet gateway. From there, the traffic was free to travel out to the broader Internet and connect with other networks, but not to reach the USTA's internal systems. With the NAC Appliance in place, the USTA offered media personnel both the wired and wireless connections they needed to do their jobs yet prevented them from entering the USTA's main network.

"The NAC appliance worked wonders for solving our problem of hosting the media," Lakomy says. "This is really only something we could have addressed through the network. We couldn't install software on the media's computers, and something like a firewall just doesn't work because it is only designed to keep people completely out of a network."

While organizations such as the USTA are using the Cisco NAC Appliance to control visitors to their networks, others are finding it equally effective at regulating more familiar but nonetheless difficult to manage devices. Such devices include laptops or PDAs of traveling employees and PCs run by small, distant branch offices. Or in the case of American University, student-owned computers.

American University turned to Cisco after suffering repeated damage from viruses, culminating with the Sasser worm outbreak in the spring of 2004. The infection paralyzed the university network for three days. "We were a poster child for endpoint security," says Eric Weakland, a director of network security at the Washington, D.C. educational institution.

Weakland says many of the "mind-numbing" array of worms, viruses and other assorted threats to his network were coming from student computers--computers that the university could not practically control. But simply blocking the students from the network was not an option. University life these days requires that students have full and independent access to a school's network for everything from checking class schedules and research to email and Web surfing. And since students are not as easily held accountable as university employees, getting the students to follow security policies was mostly wishful thinking.

But by deploying the Cisco NAC Appliance technology, American University was able to take a crucial step in controlling the uncontrollable. "The key to Cisco NAC is that we can enforce security policies without ever touching the students' computers," Weakland says.

Now, Cisco NAC software checks each student computer as it logs on to the network and provides automated help for bringing them into compliance, reducing the number of worm and virus encounters on the university network by 40 percent, Weakland says.

While Cisco NAC technology provides unique network protection, Weakland and other managers emphasize that, like any other security tool, its success depends on thorough planning and attentive management. "The Cisco NAC technology isn't something that you can just turn on and forget about," Weakland says. "The ever-changing nature of computing and security threats requires constant vigilance."

Organizations should be especially thoughtful about network users, their computing needs, and their attitudes towards administrative control of their computers, network managers say. The USTA and American University designed the policies and workflows on their NAC products to be as unobtrusive as possible. "Due to the nature of what the product can potentially do, cutting off access, you need to be very careful in how you set it up and what demands it makes on users to be compliant," Weakland says. "You have to balance that with your organization's security concerns, and that's a case-by-case issue."

But all agree that Cisco NAC technology provides unique and much needed help in addressing the increasingly important task of safely opening up private networks to computers beyond an organization's direct control. Best of all, Weakland says, Cisco NAC technology keeps a watch on visitors even when network managers cannot, in his case a particularly useful capability for dealing with night owl students. "It's the auditor that never sleeps so that I can," he says.

Charles Waltner is a freelance journalist in Oakland, Calif.
