Industry News
Secure Access Switches
How to Choose the Best Strategy to Secure LAN Access
Aug. 8, 2006 11:30 AM
Page 2 of 3
Another aspect to consider is the policies assigned by the RADIUS server: they should already be available on the switch. Otherwise there will be delays during the authentication process, leading to scaling and redundancy problems at the policy manager of the corresponding manufacturer.
Often only simple VLAN policies are supported and there is no control in a VLAN:
• What happens if someone connects an unauthorized DHCP server to the VLAN (and logs on using the right credentials)?
• How does a soft phone (on a PC) differentiate between VoIP and data traffic?
• How does one stop worm propagation in a VLAN?
Ideally, a policy should comprise VLAN, access control, priority, and rate-limiting rules, which also apply to specific traffic on the authenticated user/device.
Proactive Quarantine
It’s essential to know not only who is accessing the corporate network, but also the user’s hardware security level (if it is a “user” in the conventional sense of the word and not “just” a machine/sensor). The appropriate access or quarantine methods should then be derived from that.
The most frequent end-system security holes that cause problems are as follows:
• The correct service pack or the current patches aren’t installed.
• The correct virus scanner isn’t active or the current signature files aren’t installed.
• Routing isn’t deactivated. A VPN or RAS client with activated routing can represent a security risk.
• There’s no firewall installed for the Internet and/or wireless interface, or it isn’t active.
• There’s no password-protected screen saver that initiates after a defined waiting period.
The appropriate network quarantine technology can, among other things, check for these holes and prevent or restrict access to the corporate network. However, new questions can arise:
• How does one monitor or patch IP phones with an embedded Linux, Symbian, Windows, or proprietary OS?
• How does one monitor or patch, for example, an X-ray device, an industrial control system, a security camera, or a printer?
• How does one monitor devices (laptops in particular) of external people (guests, service technicians, etc.)?
Installing one cure-all agent for all problems, as some postulate, isn’t plausible for either technical or organizational reasons. Therefore a proactive quarantine solution should offer agent-less and agent-based options without modifying the overall architecture.
Above all, SSL VPN appliances offer agent-less scanning via Java or ActiveX. In the future, this capability may also be of interest for switch-based solutions. An open architecture is preferable, but it has to be checked to determine whether the access switches used work with such a solution. There are some compromises since agent-based solutions offer the advantage of being highly precise and multi-functional, but are typically inflexible.
Agent-less solutions without an appliance approach can influence the decision-making process considerably. The solution can be a RADIUS proxy that intercepts the normal authentication requests and forwards all simple user authentication requests unchanged, but then modifies the RADIUS response and the corresponding policy based on defined parameters. Such a parameter could be the result of a vulnerability scan, but others, such as the source of the authentication request (i.e. the user’s location), are also possible.
This “location-based policy” means that the system/user’s network access rights will be modified depending on whether a user or a newly connected end-system meets certain requirements. All of these tasks are executed “from the outside,” so that the end-system need not be modified before the system has full access to the network. Although agent-less solutions are highly flexible, they lack the vulnerability-scanning precision to detect all security problems in advance.
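As an added example (not code from the article or from Enterasys), the decision logic of such a RADIUS proxy in Python, which also renders the combined VLAN, access-control, priority and rate-limit policy called for earlier: the upstream Access-Accept is rewritten based on a scan result and the request’s origin. The standard tunnel attributes that carry the VLAN are real; the vendor-specific priority/rate-limit attribute, the policy names, the site name and the posture inputs are assumptions constructed for this example.

```python
# Added example: policy-rewrite logic of an agent-less RADIUS proxy. The real RADIUS
# server answers the plain user authentication; the proxy swaps the returned policy
# before the switch sees it. VSA, policy names and posture inputs are placeholders.
from dataclasses import dataclass

@dataclass
class Policy:
    """One policy as recommended above: VLAN plus ACL, priority and rate limit."""
    vlan: str
    acl: str
    priority: int
    rate_limit_kbps: int

POLICIES = {  # constructed policy catalogue
    "employee":   Policy("100", "employee-acl", 5, 100_000),
    "guest":      Policy("200", "internet-only", 2, 5_000),
    "quarantine": Policy("999", "remediation-only", 1, 1_000),
}

def to_radius_attrs(p: Policy) -> dict:
    """Render a Policy as the attributes the switch reads from an Access-Accept."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": p.vlan,
        "Filter-Id": p.acl,
        # placeholder vendor-specific attribute; a real switch uses its own VSA format
        "Vendor-Specific": {"priority": p.priority, "rate-limit-kbps": p.rate_limit_kbps},
    }

def posture_ok(scan_result: dict) -> bool:
    """Agent-less scan outcome checked against the end-system holes listed above."""
    return (scan_result.get("missing_patches", 0) == 0
            and scan_result.get("av_signatures_current", False)
            and scan_result.get("firewall_active", False))

def rewrite_access_accept(upstream_reply: dict, scan_result: dict, location: str) -> dict:
    """Intercept the upstream reply and attach a policy chosen from external
    parameters: a failed scan quarantines, a guest location restricts, else full access."""
    if upstream_reply.get("code") != "Access-Accept":
        return upstream_reply          # an Access-Reject passes through untouched
    if not posture_ok(scan_result):
        chosen = POLICIES["quarantine"]
    elif location == "guest-lobby":    # constructed site name derived from NAS-Identifier
        chosen = POLICIES["guest"]
    else:
        chosen = POLICIES["employee"]
    reply = dict(upstream_reply)       # never mutate the original decoded packet
    reply["attributes"] = to_radius_attrs(chosen)
    return reply
```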
Intrusion Detection
Another important decision-making factor is whether the maker of the switch product is also an expert on general security technologies such as intrusion detection and firewalls, and whether this knowledge is well integrated into the switch solutions. It’s important to note that a firewall or intrusion detection plug-in module available for a switch doesn’t fall into this category.
Rudimentary intrusion detection is becoming more and more available at the switch level. For instance, the analysis of layer 3 and 4 flows (see Figure 2) detects worm propagation at an early stage and initiates the appropriate reactions, e.g. Flow Setup Throttling (FST) or a packet-per-second rate limit for certain types of traffic (such as ICMP, or TCP segments with the SYN or ACK flag set). In the future, this area will continue to expand, opening up deeper analysis and intrusion-prevention options. The preferred supplier should therefore offer a strategy and solutions in this respect.
Figure 2 - Example of worm detection via flow analysis in the switch
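As an added example (not code from the article or from any switch vendor), the kind of layer 3/4 flow analysis described above, in Python: per source host it counts new flows per second and the fan-out to distinct destinations on one port, and applies an FST-style throttle decision. The flow records, the thresholds and the “rate-limit” action name are constructed for this example.

```python
# Added example: worm detection via layer-3/4 flow analysis in the spirit of Flow
# Setup Throttling (FST). A source that starts many new flows per second and fans
# out to many distinct hosts on one port is treated as scanning and gets its new
# flow setups rate-limited. Flow records and thresholds are constructed here.
from collections import defaultdict

# constructed flow records: (timestamp_s, src_ip, dst_ip, proto, dst_port, tcp_flags)
FLOWS = [
    (0.00, "10.0.0.5", "10.0.0.10", "tcp", 80, "SYN|ACK"),   # ordinary web sessions
    (0.10, "10.0.0.5", "10.0.0.11", "tcp", 443, "SYN|ACK"),
] + [  # one host sending SYN-only to port 445 across a whole /24 within a second
    (0.02 * i, "10.0.0.7", f"10.0.1.{i}", "tcp", 445, "SYN") for i in range(1, 41)
]

def flow_setup_stats(flows, window_s=1.0):
    """Per source: peak new flows in any window_s interval, the destination port
    with the widest fan-out, its distinct-destination count, and SYN-only flows."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, dport, flags in flows:
        by_src[src].append((ts, dst, proto, dport, flags))
    stats = {}
    for src, recs in by_src.items():
        recs.sort()
        peak, start = 0, 0
        for end in range(len(recs)):            # sliding window over timestamps
            while recs[end][0] - recs[start][0] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        dsts_per_port, half_open = defaultdict(set), 0
        for _, dst, proto, dport, flags in recs:
            dsts_per_port[(proto, dport)].add(dst)
            half_open += flags == "SYN"           # SYN never answered: typical of scans
        port, dsts = max(dsts_per_port.items(), key=lambda kv: len(kv[1]))
        stats[src] = {"peak_new_flows": peak, "top_port": port,
                      "distinct_dsts": len(dsts), "half_open": half_open}
    return stats

def throttle_decisions(flows, window_s=1.0, max_new_flows=20, min_distinct_dsts=15):
    """FST-style rule: over the new-flow budget and fanning out widely on one port
    means the switch port is rate-limited; everything else is allowed."""
    actions = {}
    for src, s in flow_setup_stats(flows, window_s).items():
        scanning = s["peak_new_flows"] > max_new_flows and s["distinct_dsts"] >= min_distinct_dsts
        actions[src] = "rate-limit" if scanning else "allow"
    return actions
```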
About Markus Nispel
Markus Nispel is director of technology marketing and business development at Enterasys Networks. He serves as an advisor for worldwide development in the office of the CTO.