
March 04, 2005

Network access control: a forlorn attempt to rebuild the perimeter

Let's face it, the perimeter is moribund, and no amount of desperate longing is going to bring it back. Certain segments of the industry recognize this and embrace the power and flexibility it gives business. For example, the Jericho Forum talks enthusiastically about "de-perimeterisation". They discuss the enormous savings they foresee in both cost and manpower, and the increased flexibility achieved by moving away from the definite perimeter.

But not all are happy with the loss of the perimeter. In particular, some industry giants seem to regard the perimeter as the only way to truly secure systems. For instance, Cisco is touting Network Admission Control (CNAC) as a way of protecting the computing devices on the network by only allowing those mobile devices that are "sufficiently secure" to connect to the network, for some definition of "sufficiently secure". This is clearly an attempt to return to the perimeter, because NAC is intended to once again create a notion of a secure "inside" versus an insecure "outside": everything verified by NAC is safely on the "inside".

Unfortunately, NAC is based on the assumption that you only really care what happens to devices on the "inside" - it offers no protection for those many mobile computing devices on the "outside". But the problem is that as workforces become more mobile, what happens "outside" matters just as much as what happens "inside", if not more. If the CEO's laptop is compromised "outside" the network, it could be an absolute disaster. It seems to me that as the workforce becomes increasingly mobile, any NAC system will end up protecting a diminishing core of computing resources, with increasing numbers of computing devices existing permanently outside of the protection scheme.

Even assuming that you only care about what happens "inside", there are other problems with the proposed NAC protocols. Industry expert Richard Stiennon has grave doubts about NAC. In his blog he discusses why he believes NAC will "never work". Most striking is his notion that network administrators will never tolerate the extra overhead that NAC adds to every attempt to connect to the network.

Another problem was pointed out by Vlad Gorelik, CTO of Sana Security. All NAC protocols are designed to quarantine a computing device if its signatures and/or patches are not current. Quarantined devices require remediation, in the form of downloading the patches and signatures that bring the device up to date, and are granted full access only once they are in compliance. But there is a conceptual flaw in this notion of bringing the device into compliance. It may be a simple and rapid matter to update the patches and signatures on the device, but that is no guarantee that the device has not already been compromised and isn't harboring a nasty trojan. The only way to ensure that the system is not compromised is to do a comprehensive system scan, and that could take hours; if you've ever done a full system scan looking for spyware, you'll know what I mean. And considering how likely it is that a mobile system will not be kept up to date, many devices will require such scanning, which will cripple business operations. But the alternative of doing only a superficial scan is pointless, because it negates the whole idea behind NAC: that of only allowing "clean" devices to connect. A conundrum indeed!

Even if we step away from enforcing signatures and updates using NAC, there are still problems. NAC could be used to ensure that mobile devices are running other security systems that don't rely on signatures and updates, such as behavioral antivirus. Although apparently a good idea, NAC really is superfluous in this situation: if every device "inside" is already protected, then those devices are not under threat from infected machines, so why worry? And if the local security system on those devices is not proof against unprotected "Typhoid Marys", then having an operative security system as a price of admission is not sufficient to protect devices on the "inside".

I believe that the danger of NAC is that it could make people feel safe: it could lull them into a false sense of security and encourage them to live in the past and believe that once "inside", you can be open and relaxed; behind the fortress walls, you can let down your guard. That is a highly dangerous notion indeed: I'm worried that NAC is the placebo that encourages enterprises to ignore the very real danger that modern attack techniques pose in today's dynamic and distributed business environment.

Posted by sana on March 4, 2005 12:15 AM
