Feeds

NAC's looming identity crisis

Will persistence pay off for NAC vendors?

The Essential Guide to IT Transformation

Current network access control (NAC) technologies are not persistent enough, a security vendor has warned.

Dominic Wilde, product management veep at Nevis Networks, said that most NAC schemes rely on out-of-band appliances which check whether a client device is "clean", and once it passes muster they grant it access.

This makes them easier to install and remove, but he said it also means that once a client has been approved, there's no further control over where the user can go on the network or what they can do there.

"The first thing you need in the security world is to be stateful, so you understand the request going out and marry it to the response coming back," he said.

The second, he added, is to persistently track the user's identity: "Networks are by nature anonymous - you have MAC and IP addresses, but that's meaningless when customers are trying to solve compliance issues of who has access to what and when."

Needless to say, Nevis's security gear doesn't suffer this flaw, Wilde claimed. It sells an in-line security appliance and a secure access switch, both of which have built-in logic capable of controlling what the user can do and where they can go on the network. It also doesn't need agent software on the client to ensure it stays clean, he said.

Speaking as Nevis opened its UK office this week and began recruiting resellers for its devices, Wilde added that part of the problem is that most NAC technology operates at Layer 2 - the switching layer - using techniques such as virtual LANs to quarantine infected PCs.

"People are taking technologies designed for networking and applying them to security, and that's not what they're designed for," he said. Instead, they should work at Layers 3 and 4 - the routing and TCP layers - drawing user information from the corporate directory and using it to create an access policy for each user, he added.®

The Essential Guide to IT Transformation

More from The Register

next story
Sysadmin Day 2014: Quick, there's still time to get the beers in
He walked over the broken glass, killed the thugs... and er... reconnected the cables*
Auntie remains MYSTIFIED by that weekend BBC iPlayer and website outage
Still doing 'forensics' on the caching layer – Beeb digi wonk
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Microsoft says 'weird things' can happen during Windows Server 2003 migrations
Fix coming for bug that makes Kerberos croak when you run two domain controllers
Cisco says network virtualisation won't pay off everywhere
Another sign of strain in the Borg/VMware relationship?
Forrester says Australia, not China, is next boom market for cloud
It's cloudy but fine down under, analyst says
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.