Watching all the blogs and endless debates on pre-connect, post-connect, inline, OOB, NAC, NAP, etc., I wonder if we are really missing the point. So I thought, for once, let's not talk about in-line vs. OOB, pre-connect vs. post-connect, NAC, NAP, etc. Instead, why don't we just talk about LAN security?
So what does LAN security mean anyway? What it fundamentally comes down to is two things:
- The services that the network offers continue to stay up in the presence of threats; and
- The services can be accessed by only those users who have the right access privileges.
That inherently leads to three facets that any LAN security solution must comprise:
- Minimizing the threat envelope to the network. This is typically done by ensuring that whatever end system accesses the network does not pose a threat to the network. Typically this is what constitutes the endpoint integrity check. However, from a LAN security perspective this is really about reducing the threat envelope to the network. It is not about making sure the endpoint itself is clean, nor will it eliminate threats to the network and the services the network provides. Eventually this functionality will simply become an OS feature, with the likes of NAP. Until then, intermediate solutions will continue to fill the gap.
- Real-time threat detection. Any threat to a network, or to the resources sitting on the network, needs to be detected and eliminated in real time and on an ongoing basis. Signature-based and anomaly-based solutions working in conjunction provide this level of protection. Both are needed, and any real-time threat detection solution is incomplete without one or the other. At LAN speeds, I may add.
- Network-based enforcement of users' access privileges. This is the identity-based access control piece. With most enterprises now providing access to employees, guests, contractors, vendors, etc., the need to enforce "who is allowed access to what" at the network level itself is critical. Regulatory and compliance issues add further demands in this direction. And the traditional methods of using VLANs, etc. are simply proving inadequate. Flow-based solutions, in fact application-aware flow-based solutions, are the order of the day. Once again, at speeds that scale up to LAN environments.
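To make facets 2 and 3 concrete, here is a small added example (not code from the original post or from any product it alludes to) that applies signature matching, a learned anomaly baseline and a role-based access policy to flow records. The flow fields, the role-to-application table, the signature rules and the traffic samples are all constructed assumptions; in a real switch-port or flow-collector implementation the identity would be bound at connect time and the application label would come from the enforcement point's classifier.

```python
"""Toy per-flow evaluation combining the three facets: policy, signatures, anomalies."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    user: str    # identity bound to the session at connect time (assumed available)
    role: str    # employee / contractor / guest (hypothetical roles)
    src: str
    dst: str
    app: str     # application label the enforcement point derived for this flow
    dport: int
    nbytes: int


# Facet 3: who may reach what, keyed on role rather than on VLAN. Hypothetical table.
ROLE_POLICY = {
    "employee":   {"https", "smb", "ssh", "dns"},
    "contractor": {"https", "ssh", "dns"},
    "guest":      {"https", "dns"},
}


def policy_decision(flow):
    """'permit' only if the flow's application is in the role's allow-set."""
    return "permit" if flow.app in ROLE_POLICY.get(flow.role, set()) else "deny"


# Facet 2, signature half: exact matches on known patterns. Constructed rules, not a real ruleset.
SIGNATURES = [
    ("cleartext-admin-protocol", lambda f: f.app == "telnet"),
    ("ssh-on-nonstandard-port",  lambda f: f.app == "ssh" and f.dport != 22),
]


def signature_hits(flow):
    return [name for name, match in SIGNATURES if match(flow)]


# Facet 2, anomaly half: per-user byte-volume baseline learned from known-good traffic.
class ByteBaseline:
    def __init__(self, k=3.0):
        self.k = k                          # how many sigmas above the mean is "abnormal"
        self.samples = defaultdict(list)

    def learn(self, flows):
        for f in flows:
            self.samples[f.user].append(f.nbytes)

    def is_anomalous(self, flow):
        hist = self.samples.get(flow.user)
        if not hist:                        # no baseline yet: cannot judge, so do not alert
            return False
        mu, sigma = mean(hist), pstdev(hist)
        sigma = max(sigma, 0.1 * mu)        # floor so a perfectly flat baseline still has a band
        return flow.nbytes > mu + self.k * sigma


def evaluate(flow, baseline):
    """One verdict per flow; any failing facet raises the alert."""
    verdict = {
        "policy": policy_decision(flow),
        "signatures": signature_hits(flow),
        "anomaly": baseline.is_anomalous(flow),
    }
    verdict["alert"] = (verdict["policy"] == "deny"
                        or bool(verdict["signatures"])
                        or verdict["anomaly"])
    return verdict


# Constructed sample traffic. Baseline: alice's normal https flows.
BASELINE_FLOWS = [
    Flow("alice", "employee", "10.0.1.5", "10.0.9.10", "https", 443, n)
    for n in (40_000, 50_000, 60_000)
]
SAMPLE_FLOWS = [
    Flow("alice", "employee",   "10.0.1.5",  "10.0.9.10", "https",  443, 65_000),     # normal
    Flow("alice", "employee",   "10.0.1.5",  "10.0.9.20", "smb",    445, 2_000_000),  # volume spike
    Flow("bob",   "guest",      "10.0.5.7",  "10.0.9.20", "smb",    445, 1_200),      # role violation
    Flow("carol", "contractor", "10.0.2.3",  "10.0.9.30", "ssh",    2222, 900),       # signature hit
    Flow("dave",  "employee",   "10.0.1.9",  "10.0.9.40", "telnet", 23, 300),         # both
]


def run_demo():
    """Learn the baseline, then evaluate every sample flow. Returns the verdict list."""
    baseline = ByteBaseline()
    baseline.learn(BASELINE_FLOWS)
    return [evaluate(f, baseline) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, run_demo()):
        print(f"{flow.user:6} {flow.app:7} -> {verdict}")
```

The point of the combined verdict is the one the post makes: the smb flow from alice is permitted by policy and matches no signature, so only the anomaly baseline catches it, while the guest's smb attempt is perfectly ordinary in volume and is stopped only by the identity-based policy. Neither check alone covers both cases.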
So what does all this mean vis-a-vis in-line, out-of-band, pre-connect, post-connect, etc.? All it means is that when evaluating any LAN security solution, first you need to find one that has all three components above. Anything less and your LAN stands severely exposed.
As I mentioned above, eventually I think item 1 will become a standard OS feature. Items 2 and 3 will become standard features on a switch port. In fact this is starting to happen, and such features have been available on a standard switch for well over a year now.
Shehzad T. Merchant