September 2006
Don't Be Insecure
Mastery of increasingly important security technologies such as Network Access Control could be the key to landing that next promotion or contract.
By Don Willmott

Ever since November 2, 1988, when graduate student Robert Tappan Morris unleashed the first widely publicized computer virus, the vulnerabilities of PCs to outside attack have been on the minds of virtually everyone who sits down in front of a keyboard. Today most of us are connected to a workplace network, and that network is connected to the always useful but sometimes troublesome Internet, where hackers, phishers, phreaks, scammers, and corporate spies are known to lurk.

Computer security is a big deal and a big business. IT experts are expected to design, implement, and maintain security systems that keep an organization’s networks safe from outside intruders and inappropriate access. It’s great that the technology to do all that keeps getting better, but it’s not so great that you, the IT expert, are the person who has to keep up with it, tracking the latest buzzwords to stay ahead of those who would do your network harm.

BLOCKING THE ENTRANCE
One important buzzword of the moment is “network access control,” the art and science of making sure that only the right people can log on and that when they do, their systems are clean and they get access only to the information that they need. It’s more than just passwords. There may be all sorts of connected devices—each of which must be configured with virus protection and up-to-the-minute patches—with all sorts of operating systems connecting to diverse databases and directories.

NAC experts like to talk about managing “endpoints,” the individual users and computers that access a protected network. Traditional LAN security and firewalls can build a perimeter of protection around LAN-connected devices, but they don’t address the problem of all those other mobile workers and outside consultants who may bring danger when they log on. The ultimate goals of NAC:
  • To create a security strategy that locks out any unverified or unprotected endpoint
  • To control the identities of everyone who connects
  • To keep all the connected endpoints up to date with the latest fixes, patches, and security definitions
  • To identify and stop any non-compliant behavior
  • To mitigate the damage caused by any kind of security breach
Another goal of NAC is to make sure all the right people do get in…eventually. An NAC system should be able to fix disqualified devices so they can log on. Larry Seltzer, editor of eWEEK.com’s Security Center (security.eweek.com), says, “If a system is blocked from the network for being unqualified, it's typically segregated onto a subnet from which it can download patches and updates to get it qualified without endangering the network.” Seltzer points out that Cisco Systems’ Network Admission Control program was the pioneering tool in the field. Cisco still leads the way today.
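
The admission flow described above (verify identity, check endpoint health, and send an unqualified machine to a remediation subnet rather than refusing it outright) can be sketched as follows. This is an added example, not code from the article or from any vendor's product; the thresholds, field names, and segment labels are assumptions made up for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical policy values, constructed for this example.
MAX_DEFINITION_AGE_DAYS = 7    # virus definitions older than this fail
REQUIRED_PATCH_LEVEL = 42      # minimum patch level the policy accepts


@dataclass
class Endpoint:
    user: str
    authenticated: bool        # identity verified (more than just a password)
    av_running: bool
    av_definitions: date       # date of the installed virus definitions
    patch_level: int


def posture_failures(ep: Endpoint, today: date) -> list:
    """Return the health checks this endpoint fails; empty means compliant."""
    failures = []
    if not ep.av_running:
        failures.append("antivirus not running")
    if (today - ep.av_definitions).days > MAX_DEFINITION_AGE_DAYS:
        failures.append("virus definitions out of date")
    if ep.patch_level < REQUIRED_PATCH_LEVEL:
        failures.append("missing patches")
    return failures


def admit(ep: Endpoint, today: date) -> tuple:
    """Decide which segment the endpoint is placed on, and why."""
    # Unverified identities are locked out entirely.
    if not ep.authenticated:
        return ("deny", ["identity not verified"])
    # Known users on unhealthy machines go to the remediation subnet,
    # where they can fetch patches and updates and then be re-evaluated.
    failures = posture_failures(ep, today)
    if failures:
        return ("quarantine", failures)
    return ("production", [])
```

The same `admit` call is run again after remediation, so a quarantined machine reaches the production segment as soon as its failures list is empty.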

A typical NAC software solution (Symantec’s Network Access Control is a good example) will hope to win customers by supporting the widest possible variety of equipment, access methods, and protocols. In fact, Cisco sometimes gets knocked for requiring router upgrades and a separate desktop client, overhead that IT managers may not want to deal with. But Seltzer says that “Cisco makes the argument that its NAC can be implemented at all levels of the network: in the switch, in the router, in the wireless access point, wherever. Some vendors sell appliances in this space for the same reason appliances are generally popular: they're easy to install into a network and don't require you to modify any of your servers.”

In September, the hardware and software sides came together in a powerful way when Cisco and Microsoft teamed up to announce joint plans to connect Cisco’s NAC products with the Microsoft Network Access Protection features that will be available in its upcoming Windows Vista and Longhorn operating systems. Analysts are excited about the possibility of sleeker and more powerful NAC implementations once Longhorn finally ships sometime in mid-2007.

GETTING INTO NAC
The Cisco/Microsoft newsflash suggests that next year will bring a lot of action in the NAC space, with organizations looking for new and cost-effective solutions. A Forrester Research study of 149 IT buyers found that only one third of them had planned to adopt some kind of network access control in 2006. Their complaints: cost and manageability. It sounds like NAC experts with good ideas are going to be in demand in the months and years ahead.

eWEEK’s Seltzer recommends certification as a quick leg up. “Cisco CCSP certification is highly respected and very useful. I also find that an MCSE: Security on Microsoft Windows Server 2003 Certification is helpful as well.” Vincent LeVeque, author of Information Security: A Strategic Approach, also advises certification. “The CISSP (Certified Information Systems Security Professionals) certification is still well regarded,” he says. “It covers a very broad and very shallow knowledge base. Anyone trying to enter security management or consulting should look into it as it indicates some familiarity with the breadth of the security field.” LeVeque adds, “I've noticed people tend to enter this field either via a system administration or network administration route, or by starting as an information technology auditor in a place like one of the big 4 CPA firms.”

Just keep in mind that it may take more than just old-fashioned networking smarts to be a successful NAC manager. It’s about office politics and smart judgment calls, too. As Seltzer says, “Are you really going to lock out that top salesman because he didn't install last week's patch? Will your butt be on the line for that?” Network managers know it can be tough to be the digital doorman.

Don Willmott is a New York City-based journalist who focuses on internet and technology trends.


    Copyright © 1990 - 2008 Dice Inc. All rights reserved