Adding unified access control to an organization is a superior way to ensure tight security for an organization.
By implementing 802.1x port-based authentication, network managers can build rugged protection for both wired and wireless networks that covers full-time and mobile staff and keeps out everyone else.
It’s fine if the endpoints can easily be identified. But what if they can’t?
That was the problem faced by the city of Sudbury, Ont., a community of about 159,000 people which about a year ago decided to implement 802.1x security viaa Juniper IC 4000 unified access control appliance to protect the municipal wired and wireless networks.
“One of our big concerns is to protect the water treatment, because it rides on our back,” explained Jim Dolson, the city’s network manager, whose department oversees the water works. The treatment plants are spread across the municipality’s 34,000 sq. km. and range from big facilities to small pumping stations in outlying areas. A supervisory control and data acquisition (SCADA) network oversees programmable logic devices (PLDs) that automatically collect data, adjust water levels and dispense chlorine and sends information back to the city’s data centre over the wide area network.
But not all of these facilities are manned. So someone with mischief, or worse, on their minds could do irreparable damage if the network is compromised. Implementing an 802.1x -based network access control to the city’s wired and WiFi networks was the solution.
Soon after it began planning, Dolson and his staff realized that the water treatment network posed a problem. While the Juniper appliance can identify desktop PCs and laptops on the network – in fact anything with a media access control (MAC) address – it couldn’t identify non-intelligent devices like a PLD with an IP address at a water treatment plant.
There was another problem: If a devious hacker could get into the network, clone a MAC address and connect a PC, the intrusion would be ignored. To find all the “black boxes” would add considerable time and money to the 802.1x project, Dolson said, and “we would not be secure the way we wanted to be secure.”
This hole is a common problem, said Usman Dindhu, an IT researcher at Forrester Research, one of the pieces missing from most network access control product portfolios. Recently, however, some have started to come up with automated network discovery solutions.
In this case, Juniper suggested Dolson contact Great Bay Software of Greenland, N.H., a technology partner that makes the Beacon Endpoint Profiler appliance, which can discover any endpoint, and sniff out cloned MAC addresses, as well as manage guests on the network.
The appliance, which comes in 1U and 2U sizes starting at US$25,000, can manage up to 100,000 endpoints. The system can tell who has authenticated to the network, their location, and their history of network usage.
Great Bay shipped a demo unit of its model 5000 to the city on the promise that if it worked it would be paid for. “We realized pretty quickly it would do exactly what we wanted,” said Dolson. “It adds intelligence where the Juniper appliance doesn’t,” he said.
“The Juniper appliance is the front end and the Great Bay appliance is the intelligence that plugs in the back and gives us a wealth of additional features on top of what Juniper gave us.” Beacon “allows us to treat MAC identification in a form that is more centralized and almost user-like.”
Essentially, Sindhu said, Beacon fingerprints a network to discover everything from badge readers to printers. “We haven’t seen network access control vendors doing that specifically,” he said, although several, including McAfee and Symantec, are working on it. Other NAC startups including Bradford Networks and Mirage Networks, are also adding similar network discovery capability to their products. For example, Bradford Device Profile and Control was expected to be on the market in the first quarter of 2009.
This fall, Dolson’s staff extended network access control to every water treatment site. Eventually, he’d like to “every network jack in the city,” so only city-authenticated devices can get on the internal network. Approved consultants or occasional users would be bumped to a virtual private network.
One lesson from the Sudbury experience, said Sindhu, is that network access control involves heterogeneous solutions. It’s unlikely that everything needed can come from one vendor.
“One of the things about 802.1x is you’ve got to make it fit your network,” said Peter Houle, a Sudbury city system specialist who headed the project. “Each network is very different.”