This article can also be found in the Premium Editorial Download "Information Security magazine: Comparing seven top integrated endpoint security suites."
REMOTE & LOCAL CONVERGENCE
As companies deploy wireless LANs and embed identity-based access controls into their networks, the dividing line between "local" and "remote" grows thin. Local users are no longer continuously connected or trusted, while remote users no longer stick to one company device. When the same user moves from inside to outside and back in a single day, a common strategy becomes necessary.
This is why Norwich recently decided to leverage the Cisco NAC it implemented for on-site LAN security by rolling out a new Cisco ASA (Adaptive Security Appliance). The ASA offers firewall, IPS and IPsec/SSL VPN services on a single appliance that integrates with Cisco's NAC agent. Norwich plans to move users whose needs are not satisfied by Aventail or NetScaler to an ASA-based VPN, using NAC to mitigate the higher risk associated with IPsec VPN tunnels.
"Those who connect to Oracle, administer systems or use mapped drives need [the ASA]," explains Quelch. "Those who just do email or manage a Web page can be more easily supported through NetScaler or [Aventail] SSL VPN." While nearly 3,000 employees and students connect through NetScaler or Aventail, just 50 are expected to require the ASA.
"We can't control the machine that people are coming from, but [with Cisco NAC] we can disable their access automatically. We can also enforce patches on Windows 2000/XP/Vista," says Quelch. But Cisco NAC constraints necessitate an incremental approach. "Since there is no Cisco agent for Linux, we're just using Web authentication there. And NAC can't keep up-to-date with every kind of virus protection, so we had to narrow our list to four [AV] programs," says Quelch.
No matter how users connect to the Norwich network, Cisco MARS monitors activities. "That was the missing piece--keeping track of who was connected to what. Now we can log security issues and be notified of attacks. If someone looks at illegal material, we can go back to see exactly what they did," says Quelch.
This was first published in November 2007