Network Admission Control is a Blind Alley

By Richard Stiennon

(Back to article)

Let us, for a moment, think back to the summer of 2003. Microsoft had just announced vulnerabilities in most versions of Windows. The RPC DCOM vulnerabilities then led to the outbreak of MSBlaster, a worm that spread from infected machine to infected machines.

Because RPC DCOM is fairly easy to block at firewalls most organizations reported they were not infected with it. Until, that is, employees began to bring their infected laptops in to work and the worm wreaked havoc.

The next development was driven almost entirely by Cisco with the help of a few analyst firms. Cisco put forth their concept of the “Self Defending Network” which was prominently featured on billboards along Highway 101 between San Francisco and the airport.

The vision was really Cisco’s roadmap for moving on to the desktop. Cisco would deploy an agent based on their Okeena acquisition that would interact with the LAN switch whenever someone attempted to connect to the network. The switch or a separate appliance would query the device to determine if it was “healthy”, that is, to see if it had the latest anti-virus signatures and firewall settings.

If it was not healthy, it would be shunted to a separate VLAN that contained update servers. Once it was all up to date it would be allowed on the network.


From a security perspective there are many things wrong with this concept. The primary concern is that of trusting an endpoint to report its own health. But the reasons that so-called network admission control (NAC) has not caught-on is it requires a massive investment in infrastructure to counter a problem that has already been addressed by patch and configuration management.

Laptops that are patched do not get infected. The fear of the zero-day worm or virus has proved ungrounded. And besides, if it is zero-day, then having the latest DAT file from Symantec does you no good.

While various NAC solutions have been put forward, significant developments are leading to network security solutions that will not require switches, routers, laptops, servers, and vendors to work in concert with each other. I call this emerging solution secure network fabric (SNF).

The concept is simple. Start by de-coupling network and host-based security. Rather than require them to work together let them work alone.

Host-based security solutions, while suffering from management and deployment issues are quite effective at protecting hosts. But internal network security has been neglected in large part due to the rapid change and growth of the corporate network. Acting to restrict this traffic flow is fraught with peril because blocking one port could lead to cascading unintended consequences.

The concept of SNF is a comprehensive policy, a deny all except that which is explicitly allowed, philosophy for the internal network.

Internal segmentation has always been problematic because the level of policy setting required is too granular. Most organizations cannot determine and enforce a policy that controls which machines get to talk to which resources over which protocols.

Behavior-based network modeling based on NetFlow data is a way to create these policies without explicit pre-determination. Knowledge of protocols and the way each end point uses them is gathered from NetFlow data and models of normal network usage are built over any hour of the day/week/year.

ACL's in switches can then be used to enforce "normal" behavior and block abnormal behavior such as a desktop acting as an FTP server or the scanning activity associated with a worm infestation; or, the activity of a malicious insider who is exploring your network probing for data, weaknesses and exploits.

There is an opportunity to secure the network fabric by combining the functions of NetFlow-based behavior modeling, the switch, IPS and firewalls. One result of the proposed secure fabric is that infected machines would be rendered impotent.

In other words, the disciplines of network and host security would be de-coupled. Since this aligns well with the way most enterprises operate, it has a better chance of getting deployed then the health checks and quarantine of NAC.

SNF in Action

This solution relies most heavily on a switched network architecture. These usually involve core switches as well as access switches. VLANs would be used to provide granularity down to the device-level where needed. The switch enforces policy based on layer 2 and 3 information. It is directed by the NetFlow based behavior monitoring system.

Normal data streams would be allowed and filtered by additional IPS functionality. The IPS filtering could be performed by a separate device or, ideally, a processor card supported by the switch.

Connections to the Internet and third parties would be made with firewall capabilities provided by additional cards in the switch. The onboard firewall would also provide additional network segmentation such as for Transaction Zones and departmental barriers.

Vendors that currently provide NetFlow based behavior modeling include Arbor Networks, Lancope, Mazu Networks, and Q1 Labs. Firewall capabilities could be provided by many of the existing vendors. One in particular, Juniper, is well positioned because, after the Netscreen acquisition, Juniper has switches, firewalls, and IPS in their product line up.

Look at the recent acquisition of TippingPoint by 3Com for an example of a company that is thinking along these lines. Another example of this trend is Force10’s acquisition of MetaNetworks, an IDS/IPS company, last fall. Even the LAN security players that have strong NAC messaging such as Consentry and Lockdown Networks have focused on proactive defenses that go well beyond the health check and quarantine promised by Cisco.

IPS capabilities exist in several dozen products. McAfee, 3Com, Reflex Security, ISS, are examples. Combining those capabilities with the switch is next for them.

So while NAC has been a blind ally, exciting progress on internal network hardening is beginning to emerge with real solutions that will address the security issues of the future, not those of 2003.

Richard Stiennon is the former VP of Threat Research at Webroot Software and now the founder of IT Harvest, an IT security research firm. He is a holder of Gartner's Thought Leadership award for 2003 and was named "One of the 50 Most Powerful People in Networking" by Network World Magazine.