Policy enforcement: making authorisation mean something

Granting access is not enough - and may even be too much. What's needed is a granular scheme for requesting and enforcing network access rights.


There's a new kid on the network security block, and it seems to have a lot of names. Cisco can't decide what to call it, sometimes using Network Admission Control and sometimes referring to Self-Defending Networks. Microsoft is using Network Access Protection.

These names, along with those chosen by niche players in the market - CheckPoint Software and its subsidiary Zone Labs, Endforce and InfoExpress, among others - all refer to a suddenly conspicuous technology most folks refer to as policy enforcement. What's all the fuss about? Let's take a look.

Security administrators typically consider authorisation in the context of user identities, which are verified via passwords or randomly generated codes or iris scans. Once identity has been validated, it's used to establish appropriate levels of access to computers, network resources and information. People with networking and Web server experience may go so far as to include certificates in their understanding of "authentication" and authorisation, since IPsec and SSL/TLS both rely on certificates for validation of machine identities.

But authorisation can be interpreted far more broadly. Possession being nine-tenths of the law, I can reasonably call myself an "authorised" driver of my car since I possess the car's title, and perhaps more importantly, the ignition key. In the early days of TCP/IP networking, an authorised network node could be defined operationally as "any machine with physical access to my Ethernet network," since the network implementations of the time required little more than plugging in a cable and maybe configuring an address or two to establish connectivity.

The advent of widespread wireless networking has made that informal, physical definition even more permissive, since cabling is no longer required to get online.

Identity is not enoughMost network architectures and operating systems still rely solely on relatively simple-minded identity-based mechanisms to grant access. As mentioned above, IPsec and other remote access technologies, SSL/TLS and 802.1x (in most currently shipping implementations) enable decisions based on user and host identity to grant network connectivity. These tools greatly increase enterprise security. They allow access decisions to be based on an endpoint's identification as a trusted participant in the organisation, no matter where the endpoint is located. But we've learned the hard way that identity-based authorisation isn't enough.

Identity-based authorisation doesn't help much with a Blaster-infected laptop. Once that machine connects to your network, the infection will spread to whatever it can reach behind your firewall - the fact that the user logged into the domain first usually doesn't protect you. In fact, in some situations user authentication makes that situation worse. Valid user credentials on an infected machine could allow the infection to spread through network file shares and other common resources.

User log-ons don't help with exploits like the Agobot family, which disable personal firewalls and antivirus software, installing backdoors and leaving the endpoint machine and its neighbours exposed to bad behaviour. Log-ons can't guarantee that applications and updates are installed, that illegal or inappropriate software is not present on corporate assets, or that end users are running the operating systems and service packs that you require.

And user or machine identity checks test a relatively static condition. User and machine identities are generally assumed to remain the same over the course of a network connection's lifetime, at least for wireless and remote access connections. Environment and configuration checks are valuable throughout the lifetime of a given session, since an endpoint may be infected or suddenly out of compliance (if a new patch or set of AV signatures is released, for instance) at any time it's connected to the corporate LAN.

Granular access controlPolicy enforcement technologies extend the familiar notion of granular access control beyond user and machine identity, into the endpoint computer's configuration and network environment. This capability for enhanced examination of the endpoint (or target) machine is generally implemented through a proprietary software agent. This agent harvests the data required to determine whether the endpoint is in compliance with local security requirements. The agent transmits the configuration information to a stand-alone policy server, which evaluates the data and establishes the appropriate level of network access.

Policy-based, network-enforced granular access control - far too wordy a title for general use, but much more indicative of its meaning than the generic phrase policy enforcement - is in its infancy. 802.1x, a standard for user authentication for access to switch ports or wireless access points, is frequently implemented as the transport protocol between systems requesting network access and systems enforcing access decisions. Unfortunately the standard is relatively young, so most of the system-related communications are implemented as vendor extensions to the base protocol, and interoperability doesn't fully come into play.

The Trusted Network Connect subgroup of the Trusted Computing Group is developing an open architecture for collecting policy compliance data, and establishing network access based on that data. Phase 1 of the specification is expected some time late this year.

Proprietary systems vary widely in the types of checks they can perform, in their enforcement mechanisms, and in their ability to perform continuous monitoring. They may require substantial changes to your network topology, depending on how they isolate non-compliant machines.

Knowledge is powerIn order to use them effectively, you have to know what operating systems, patch levels and third-party applications are mandated within your organisation. But even at this early stage, the ability to protect resources on your network from vulnerable or non-compliant machines makes proprietary policy enforcement systems worth investigating.

For instance, consider using a policy enforcement system to isolate a workstation from your corporate network if its antivirus application isn't running. Relative to checking mandated patch levels or registry settings for network services, this single check is pretty simple.

But enforcing this single requirement would have protected your LAN from Blaster, Bagle/Beagle, Agobot/Phatbot and all their variants, even before specific antivirus signatures had been released. Each of these exploits interferes with antivirus programs and disrupts signature updates. If an infected machine is taken off-line - or assigned to a restricted network until it has been cleaned - as soon as antivirus service is disrupted, it's no longer able to infect its neighbours or overload your network with undesirable traffic.

A quick survey of the most recently discovered threats from antivirus vendors reveals that half or more of the e-mail and Web viruses in circulation interfere with local security programs. That's a lot of protection in a single check.

Imagine adding checks for the Windows RPC and JPG decoder patches - or limiting what applications can be running when a PC is connected into your most confidential database applications - and you'll see that the possibilities are endless. Environment-sensitive, policy-based access control isn't the answer to every network security problem. But it's a way to extend the powerful concepts of authentication and authorisation further into your endpoint machines.

More information:
Endpoint Security Mailing List

Tina Bird is security architect at network security provider InfoExpress. She moderates the Log Analysis and VPN mailing lists and co-moderates the newly founded Patch Management mailing list. With Marcus Ranum, she runs loganalysis.org, a portal for building enterprising logging infrastructures and interpreting log data. She is also writing a short topics guide to system logging for SAGE, the System Administrator's Guild.

For more information, our sister site Techworld has a comprehensive network security resource page.

"Recommended For You"

Aruba unveils ClearPass Policy Manager for consumer devices Fortinet offers all-in-one branch router