The use of computer networks has recently grown significantly. As end nodes capable of connecting to a network (hereafter, end node) have become more portable, and users more transient, traditional network security methods based on port segmentation and access lists are no longer sufficiently effective.
Network Access Control (NAC) implementations reduce the risk of an unauthorized end node accessing a network, accessing inappropriate resources within the network, or propagating malicious software in the network. The sophistication of internal and external network attacks from both malicious users and well intended users of end nodes hosting viruses, Trojan horses, worms and malware has increased dramatically. Those factors and others have necessitated the development of more advanced NAC methods. To address the risk of attacks, advanced network access control methods check both the end node authorization level and posture of the end node, i.e., posture checks determine if software that is potentially harmful to other devices on the network has compromised the end node before determining whether or not to grant network access to the end node.
There are three basic components that interact to provide network access control enforcement:
End nodes, which can be either client devices or servers
The network access and interconnection devices
Security data and policy stores and servers
Each of those three basic components may each support one or more of multiple authorization processes and posture processes. Unfortunately, many vendors have provided propriety NAC solutions for each of those components that are not compatible with other proprietary NAC solutions even when those functions are specified by standards.
The end node capabilities can also vary. An end node may or may not support IEEE 802.1x standard supplicant functions. Also, there are many implementations of the IEEE 802.1x supplicant, since that standard provides a selection of optional allowable methods. The end node may have a way to assess the potential risk of the software on the end node. Network access control may determine both an authorization of an end node and a posture of the end node, e.g., risk of dangerous software, to grant limited, full or no network access to the end node.
The network capabilities vary. The network may or may not support virtual local area networks (VLANs). Network devices that provide access control enforcement can include Ethernet switches, wireless access points, virtual private network (VPN) remote access devices, firewalls, and Intrusion prevention systems (IPS), to name a few. The protocols and enforcement capabilities and device management methods can vary from one network device to another.
The security data and policies can also vary. They may be in Active Director® software from Microsoft Corporation, or on a LDAP server, a DNS server, a policy server, or any other network accessible data store. The available structures of that data and the protocols used to access the data results in many combinations of potential methods to provide network access control of varying effectiveness.
Therefore, there is a need for a system and method to assess the functions of the components needed to provide network access control and determine a NAC implementation that is most effective for the combination of end node, network, and security data to apply to a network access attempt.