Security Watch | Matt Hines » Hanna - mixed grades in NAC report card

September 11, 2007 | Comments: (0)

Hanna - mixed grades in NAC report card

Network access control technologies are making progress, but much work remains to be done to make the authentication tools easier to use and integrate with other systems, according to NAC industry evangelist Stephen Hanna, who co-chairs the Trusted Network Connect Work Group standards effort and serves as a distinguished engineer at Juniper Networks.

Speaking to the assembled audience at the ongoing Security Standard conference in Chicago, Hanna shared his thoughts on a number of NAC trends that he sees as positive or troublesome.

"NAC certainly remains a hot topic, there's a lot of change in this area with new products and alliances being announced almost every week," said Hanna.

"It's important to keep track of these changes and the problems we're trying to solve," the security expert said.

Among the biggest problems that remain with today's NAC technologies is that attackers can find ways to misrepresent elements of a device's overall security standing, for example by using rootkits, Hanna said.

The expert conceded that the issue is a fundamental offshoot of the very nature of the device authentication tools, since the validity of a machine's stated security posture is at the center of how the technologies work: the NAC system asks the endpoint about its health and relies on the answer.

"Lying endpoints are a classic problem with NAC, what's really very concerning is that if a machine is infected with a rootkit that's when it is most likely to lie," Hanna said. "In that sense a system that is based on asking the endpoint if it is healthy or not has some issues."

The TCG (Trusted Computing Group) is working on a solution to the problem centered on its Trusted Platform Module (TPM), which will give NAC systems the ability to obtain an endpoint's security standing before its OS even boots up, eliminating the threat of rootkit interference, he said.

Intel also recently announced that its latest vPro and Centrino microprocessors will include the ability to report security data to NAC systems prior to OS booting.

"If we can't do that it will become an arms race with rootkit designers," observed Hanna.
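As an added illustration (not part of Hines' post, nor code from TCG, Juniper or Intel), the following Python simulation contrasts the "ask the endpoint" model with a quote over boot-time measurements. The TPM, its HMAC key, the boot chains and the NAC server logic are all constructed stand-ins; a real TPM signs quotes with an attestation key rather than an HMAC, but the lesson is the same: the verdict no longer depends on what the endpoint claims.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

class FakeTpm:
    # Constructed stand-in for a TPM: a secret the OS never sees plus one PCR-like register.
    def __init__(self):
        self._key = secrets.token_bytes(32)      # stays inside the "chip"
        self.pcr = b"\x00" * 32
    def extend(self, component: bytes) -> None:
        # PCR_new = H(PCR_old || H(component)): measurements accumulate in order and cannot be undone.
        self.pcr = hashlib.sha256(self.pcr + hashlib.sha256(component).digest()).digest()
    def quote(self, nonce: bytes) -> tuple[bytes, bytes]:
        # A quote binds the current register value to the verifier's fresh nonce.
        return self.pcr, hmac.new(self._key, nonce + self.pcr, hashlib.sha256).digest()
    def verifier_key(self) -> bytes:
        # Handed to the NAC server out of band at enrolment (stand-in for an attestation certificate).
        return self._key

GOOD_CHAIN = [b"bootloader 1.0", b"kernel 2.6.22", b"nac-agent 1.0"]          # constructed golden chain
ROOTKIT_CHAIN = [b"bootloader 1.0", b"kernel 2.6.22+rootkit", b"nac-agent 1.0"]  # constructed infected chain

def golden_pcr(chain: list[bytes]) -> bytes:
    t = FakeTpm()
    for c in chain:
        t.extend(c)
    return t.pcr

def admit_by_self_report(self_report: str) -> bool:
    # The "ask the endpoint if it is healthy" model: whatever the agent says is believed.
    return self_report == "healthy"

def admit_by_quote(quote: tuple[bytes, bytes], nonce: bytes, key: bytes, golden: bytes) -> bool:
    pcr, tag = quote
    expected = hmac.new(key, nonce + pcr, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False                         # not produced by the enrolled TPM for this challenge
    return hmac.compare_digest(pcr, golden)  # measured boot chain must match the known-good one

def nac_decision(chain: list[bytes], self_report: str) -> tuple[bool, bool]:
    """Boot an endpoint with the given chain; return (self-report verdict, quote verdict)."""
    tpm = FakeTpm()
    for c in chain:
        tpm.extend(c)                        # firmware measures each stage before running it
    nonce = secrets.token_bytes(16)          # NAC server's challenge; stops replay of an old quote
    by_quote = admit_by_quote(tpm.quote(nonce), nonce, tpm.verifier_key(), golden_pcr(GOOD_CHAIN))
    return admit_by_self_report(self_report), by_quote
```

`nac_decision(ROOTKIT_CHAIN, "healthy")` returns `(True, False)`: the lying agent is believed, the measured quote is not.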

Other challenges that Hanna detailed included:

- A lack of scalability in many existing NAC products
- Poor interoperability between tools made by different vendors
- A lack of commitment to industry standards by some vendors (namely Cisco)
- The cost of implementing systems that require drastic network reconfiguration

On the positive side, Hanna noted that:

- Security functionality in most tools has become sufficient
- Product performance is acceptable in most NAC systems
- Some vendors are achieving interoperability
- A variety of reasonably priced products have come to market

Moving forward, Hanna said that the industry will see NAC technology moving directly into endpoint systems, as it already has in Microsoft's Vista desktop OS, along with growing adherence to industry standards among vendors (even Cisco).

As he is wont to do, Hanna leaned on the industry to come together more closely on standards for the sake of benefiting end users.

"I don't think that any of us vendors has everything for everyone, all the pieces and parts need to work together for NAC to work," Hanna said. "The solution has to be open standards, otherwise things will be steered by one vendor or another."

Posted by Matt Hines on September 11, 2007 10:57 PM

Matt,

It's hard for me to appreciate the likelihood AND importance of attacks by NAC-defying rootkits. Have any already appeared? Did Steve Hanna comment on the ease or difficulty of creating them? Or, of thwarting them with other security layers?

Dana Hendrickson, publisher, Secure Access Central.

Posted by: Dana Hendrickson at September 12, 2007 03:08 PM