How much can a LAN switch protect your network?
By Phil Hochmuth, Network World | Network World US | Published: 00:00, 16 November 2006
Call it NAC (Cisco's Network Admission Control) or, well, NAC (network access control), or even NAP (Microsoft's Network Access Protection). Any way you refer to it, these schemes for shutting out unwanted users at the LAN switch port level are among the most buzzed about network technologies.
Almost all Ethernet vendors offer some sort of NAC technology -- even D-Link, SMC and Linksys on the low end. Advanced network product integration, such as Cisco's NAC or Nortel's Secure Network Architecture, allow LAN switches to communicate with back-end security gear to filter dangerous or unsecure users and shut down unwanted network activity -- in theory. And almost every LAN vendor offers basic network protection features, such as 802.1X, access control lists, and media access control address filtering.
So how much protection a LAN switch can provide to an overall network is really a question of how much protection is needed, and what extra gear is required to make a meaningful impact on LAN security, experts say.
"How much security can NAC provide? I don't know -- say, seven pounds," jokes Joel Snyder, senior partner at Opus One and a Network World Lab Alliance member. In all seriousness, Snyder has extensively tested most NAC products on the market, and says there are four points along the 'enforcement spectrum,' or levels of protection that make up NAC.
The first is called 'go/no-go'. This is a very basic pass-fail authentication challenge that a switch can provide. "It's similar to if you try to get on a wireless LAN, but don't know the WEP key," Snyder says. Most enterprise switches support the 802.1X protocol, which, when deployed with a back-end RADIUS authentication server, can provide this basic kind of pass/fail NAC protection.
The second level is what Snyder calls virtual LAN 'schwinging,' in which users are put on different virtual LANs (VLAN) based on a NAC framework. A campus could be divided into several VLANs, each designated for various departments, or employee levels with certain access privileges. Based on credentials presented at the 802.1X authentication phase, users can be shunted -- or 'schwinged' -- into their proper network segment. This involves a more intelligent back-end server or application, which is able to identify credentials, correlate user identities with access rights, and send commands to LAN switches to adjust switch port VLAN settings accordingly.
"There isn't a huge amount of granularity," with this technique, Snyder says. But most switches on the market support VLANs and a standard called RFC 3580, which is the method for telling a switch what users are on what VLANs.
"That must be driven by some outside piece of software, so the switch by itself is not a standalone NAC solution," Snyder says.
The next two levels are simple packet filtering, and the highest level is full firewalling, or packet inspection.
With simple packet filtering, "some switches can do more than just put you on a VLAN," Snyder says. "They can limit where you can go on a per-user basis." This is known as Port-based Access Control Lists -- where an ACL is applied to a specific port or user -- and not to an entire switch or VLAN. This kind of feature is found on higher-end LAN switches, such as those from Cisco, Enterasys, HP and Nortel, Snyder says.
This fourth level is the area of some focused niche NAC start-ups. "It's more of a speciality product. It's not like you're going to go into your wiring closet and find a LAN switch already installed that can do stateful packet filtering," Snyder says. Companies offering this kind of 'firewall-to-the-LAN-port' feature include ConSentry and Nevis, both of which have appliances that sit behind a LAN access layer and provide firewalling.
"The switch designer's mind is different from the firewall engineer's mind," Snyder says.
Switch engineers think in terms of maximum throughput and availability, while firewall makers look to keep things out. This conflict of philosophies makes switch-based NAC a tricky product to design, which has kept product development and adoption at a slow pace.
But for even the lowest levels of NAC, the technology is "a huge step forward -- not necessarily what a total anal-retentive security person might ask for, but it's a lot," Snyder says. "For most people, the question is, what can we do with the switches we've got?"