Business in the right direction

Network Access Control: Are the consultants compromising your network?

As a consultant who spends a high percentage of my time on site at clients, prospects, and partners, I am consistently amazed at how easy it is to get connected to most corporate networks.  Let me describe a recent day to illustrate my concern (and hopefully yours).

8:00 AM:  I start my day at a client to talk about the status of our current project.  I took the train downtown today and have 45 minutes of email written that I want to synchronize.  My meeting does not start for another 30 minutes, so I go to the team’s project room, grab an Ethernet cable from my laptop bag, connect to an empty port on the wall and send my email using Outlook Anywhere. 

What else am I doing on the client’s network while I’m connected?  Am I really an authorized user just because I’m sitting in the physical office?

10:00 AM:  I am back at my office and I get a call from another long-term client who wants me to look at a backup issue.  I still have a VPN profile for the client’s network, so I connect and look at the backup server.  The issue is resolved and the client is happy.

What happens now if I walk away from the laptop and forget to disconnect?  Does that nice person who waters the plants in the office now have complete access to my network and my client’s network? 

1:00 PM:  One of my colleagues and I are at a prospect to demonstrate Microsoft collaboration tools.  We are big believers in showing real-world deployments, so we arrive early so I can connect to the client’s network and access West Monroe Partners’ internal deployment of Microsoft Office SharePoint Server, Office Communications Server, and Exchange 2007.

This prospect does not yet know me, so he has to get a help desk person to check my laptop in order to comply with his company’s corporate security policy.  The help desk person checks that my anti-virus software is up-to-date and lets me plug in to the network.

While this method of policy enforcement is better than nothing, what happens if the vice president I’m meeting is too busy to call the Help Desk or just trusts the consultants and skips this step?  Does checking for an anti-virus definition version level really make me trusted to have full access to the network? 

6:31 PM: I miss my train (again) so I visit another long-term client near the train station so I can work from there and access the Internet.

This client has at least implemented a “Guest Wireless” network, so my free hotspot does not threaten its network, or does it?  Once I access the guest network, what happens if the new hypothetical malware program I did not know was on my machine sees the active Internet connection and starts sending out phishing emails from the client’s Internet connection, causing the client’s ISP and other various SMTP blacklists to block its email servers?

How can you mitigate these risks?

An emerging set of technologies known as “network access control” (NAC)—or, as Microsoft calls it, “network access protection” (NAP)—is designed to mitigate some of these risks.  These technologies provide a wide range of capabilities, but they are primarily focused on automating the enforcement of security policies for network endpoints: primarily end-user computers, and the network ports (both wired and wireless) to which they connect.

Network Access Control typically uses well-known and tested methods (IPsec, 802.1X) to authenticate connections to the network, and then provides mechanisms to test the compliance of the connected computers with a range of security policies, including functioning anti-virus software, firewalls, and other such security measures typically installed on a network endpoint.  Authenticated computers that meet all of the required security tests are granted access to their desired applications.  Computers that are either unauthenticated, or that do not meet the required security tests, can be denied access, provided Internet access only, shunted to a “remediation” network, or granted various combinations of controlled access and logging.

How do these technologies differ from traditional methods?

Traditional methods of network security use firewalls that block unknown IP addresses to separate the good guys from the bad.  The problem is that this method assumes that IP addresses authenticate someone (would you give your social security number to a caller because the caller ID indicated the call originated at your bank?) and that the “bad guys” (either maliciously or unknowingly in the case of a compromised computer) are never found inside your network, on the other side of the perimeter firewall.

The benefit of NAC technologies is that we can use them to confirm who a person is rather than where the connection is coming from.  In today’s corporate climate of extranets, connected business partners, co-opetition, and telecommuting, these more comprehensive methods of identification and authentication should be used to determine access to network resources.

Once we have used NAC technologies to identify the user, we can use automation to determine the data and applications to which the person should have access.  Rather than granting access to the entire network, NAC technologies can specify the applications a user may access and even define the days and times those applications can be accessed.  For example, you can specify that a consultant working on your Exchange 2007 upgrade can access related servers but not the Microsoft SQL Server installation that supports the Microsoft Dynamics-based financial application.  These policies might also include a requirement that the machine used to access the network is fully patched and has up-to-date anti-malware and anti-virus definitions.  The most sophisticated systems will observe what and how data is being accessed and grade the user’s network behavior to further define access and mitigate risk.
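To make the two-stage logic above concrete (authenticate, check host health, then authorize by role and time), here is a small policy engine written for this article as an added illustration. It is not code from any NAC or NAP product; the health thresholds, role names, server groups and the sample endpoints are constructed to mirror the scenarios in the text (the unauthenticated visitor on a spare port, the consultant whose machine falls out of compliance, the Exchange consultant who may reach the Exchange servers but not the finance SQL Server).

```python
"""Toy NAC/NAP decision engine (added example; not any vendor's implementation)."""
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum
from typing import Optional


class Access(Enum):
    FULL = "full"                  # every resource the user's role allows
    INTERNET_ONLY = "internet"     # guest VLAN: outbound Internet, nothing internal
    REMEDIATION = "remediation"    # patch/AV servers only, until the host is healthy
    DENY = "deny"


@dataclass
class Endpoint:
    """Facts gathered at connection time: 802.1X/IPsec identity plus a health report."""
    user: Optional[str]            # None when authentication failed or was skipped
    role: Optional[str]            # directory group the user belongs to, if any
    av_definition_age_days: int
    firewall_enabled: bool
    missing_critical_patches: int


@dataclass
class RolePolicy:
    resources: frozenset           # server groups this role may reach
    hours: tuple                   # allowed window on a 24h clock, [start, end)
    weekdays_only: bool = True


@dataclass
class Policy:
    max_av_age_days: int = 3
    require_firewall: bool = True
    roles: dict = field(default_factory=dict)


def health_failures(ep: Endpoint, policy: Policy) -> list:
    """Return the health checks the endpoint fails; an empty list means compliant."""
    failures = []
    if ep.av_definition_age_days > policy.max_av_age_days:
        failures.append(f"av definitions {ep.av_definition_age_days}d old")
    if policy.require_firewall and not ep.firewall_enabled:
        failures.append("host firewall disabled")
    if ep.missing_critical_patches > 0:
        failures.append(f"{ep.missing_critical_patches} critical patches missing")
    return failures


def decide(ep: Endpoint, policy: Policy, now: datetime):
    """Map identity, health, role and time to a network placement.

    Order matters: who is connecting, then whether the machine is trustworthy,
    then what that person may reach and when. Returns (Access, resources, reasons).
    """
    if ep.user is None:
        return Access.INTERNET_ONLY, frozenset(), ["unauthenticated: guest network"]
    failures = health_failures(ep, policy)
    if failures:
        return Access.REMEDIATION, frozenset({"remediation-servers"}), failures
    role = policy.roles.get(ep.role or "")
    if role is None:
        return Access.DENY, frozenset(), [f"no policy for role {ep.role!r}"]
    start, end = role.hours
    in_window = start <= now.hour < end and (not role.weekdays_only or now.weekday() < 5)
    if not in_window:
        return Access.DENY, frozenset(), [f"outside allowed window {start:02d}-{end:02d}"]
    return Access.FULL, role.resources, ["authenticated, healthy, within window"]


def audit_line(ep: Endpoint, now: datetime, access: Access, reasons: list) -> str:
    """One log line per decision, so placements can be reviewed after the fact."""
    return (f"{now.isoformat(timespec='minutes')} user={ep.user or '-'} "
            f"role={ep.role or '-'} decision={access.value} reason={'; '.join(reasons)}")


# Constructed sample policy following the article's example: the Exchange consultant
# may reach the Exchange servers, but never the SQL Server behind the finance app.
SAMPLE_POLICY = Policy(roles={
    "exchange-consultant": RolePolicy(frozenset({"exchange-servers", "domain-controllers"}), (8, 18)),
    "finance-dba": RolePolicy(frozenset({"sql-finance"}), (0, 24), weekdays_only=False),
})

if __name__ == "__main__":
    tuesday_9am = datetime(2024, 3, 12, 9, 0)   # constructed timestamp
    for ep in (Endpoint(None, None, 0, True, 0),                          # spare wall port
               Endpoint("consultant", "exchange-consultant", 10, True, 0),  # stale AV
               Endpoint("consultant", "exchange-consultant", 1, True, 0),   # compliant
               Endpoint("visitor", "plant-waterer", 1, True, 0)):           # no role policy
        access, resources, reasons = decide(ep, SAMPLE_POLICY, tuesday_9am)
        print(audit_line(ep, tuesday_9am, access, reasons), sorted(resources))
```

The engine evaluates identity before health and health before authorization, so a failed anti-virus check never lands a user on the finance network simply because their role would otherwise permit it; the audit line records which stage produced the decision, which is the information an incident responder wants when reconstructing who was on the network and why.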

How do we implement NAC/NAP technologies?

There are many ways to design and implement these technologies, but any solution should focus on these questions:

  • What are the goals of the deployment?
  • What constitutes a successful system?
  • How do we deploy the system without crippling productivity?

Given the relative newness and power of NAC/NAP systems, users should spend time to clearly define the project’s goals and desired achievements.  A NAC system automates some basic tasks, but misapplication of its capabilities can have expensive consequences.

Too often, NAC projects have been implemented under a threat from the chief security officer (aka the chief “no” officer) that without NAC, the business will face astronomical amounts of financial risk under ____ (fill in the appropriate industry applicable compliance acronym such as PCI/GLB/SOX).  But, the reality is that business is about risk and as the chief security officer role evolves into that of chief risk officer, the organization will begin to recognize that technologies such as NAC allow it to manage risk rather than just minimize it.

The need for partners, contractors, and consultants to access your network will continue to increase, along with your employees’ needs to access data and applications from their home offices, hotels, Starbucks, and mobile phones.  The question for the chief risk officer is not, “how do I stop this connectivity so I can minimize my risk?”  Instead, the executive must ask, “how do I enable this connectivity to improve business performance while managing the risk?”

Why should you be looking at NAC now?

The risk of access to corporate data is real, as is the risk of direct financial cost if certain types of data are compromised.  California is leading dozens of states that already have privacy breach notification laws on the books, requiring companies to notify individuals of a breach. The federal government is likely to follow suit.

Companies can no longer sit quietly and only deal with those customers whose information is used fraudulently.  Beyond the difficult-to-measure brand and reputational losses, notifications have direct financial costs: one retailer recently spent $88 per compromised credit card record to notify and sponsor credit bureau monitoring services for impacted customers. How many social security, account and/or credit card records do you have for customers, employees, or contractors?  At $88 per record, how many compromised records does it take to pay for your NAC deployment?

The good news is that NAC deployments are becoming more affordable; the “intelligence” of today’s network edge devices means that many networks are already NAC capable.  Previously, entire network infrastructures needed to be replaced, requiring a huge capital expenditure.  Now many organizations have already made these investments for other reasons, so implementing NAC can be done with limited capital expenditure.

If you’re going to let those consultants jump on your network, you may want to consider having them deploy NAC to secure it first.

West Monroe Partners helps organizations design and implement IT systems and policies that are aligned with organizational goals and risk profiles. For more information about network access control, please contact Nathan A. Ulery.
