
NAC helps aerospace firm's network blast off

By Andrew R. Hickey, News Writer
26 Jul 2006 | SearchNetworking.com


The aerospace industry is highly regulated. Working with the government and NASA means a lot of checks and balances.

And EADS Astrium North America Inc. knows all about that. The network holds sensitive data that cannot, and should not, be accessed by just anyone. But that introduces an interesting dynamic, especially because the network is also accessed by guests, contractors and visitors from other companies.

"We have to secure the data from people on the network who can't have access to it," said George Owoc, the company's director of business administration.

Recently, EADS Astrium -- a subsidiary of EADS, a European aerospace company -- rolled out Lockdown's Enforcer NAC appliance in a beta environment.

The standalone box can enforce network access based on a flexible set of parameters, Owoc said. Access can be granted or denied based on port location, installed software, applications, critical updates, and patches. The sweet spot, however, is that Enforcer can grant or deny access based on identity within Active Directory.

In the secure area, only certain groups can enter the subnet based on identity, Owoc said. In order to exchange and view data in that area, anyone accessing it must be licensed. The need to comply with license requirements prompted the NAC solution, he said.

"Fundamentally, it keeps someone out of jail," he said (only half joking), adding that allowing anyone to access such licenses could "affect our ability to secure licenses in the future."

Others who authenticate to the network are put into a separate VLAN, Owoc said. And guests and visitors are dumped into a different VLAN altogether, which is similar to a network in a hotel, where the Internet can be accessed but other applications cannot.

"By virtue of VLANs, we control that access," Owoc said. "It's very similar to Cisco's NAC in function … it's a one-stop solution for us."

Before putting Enforcer into a beta environment, his company used Lockdown's Auditor, Owoc said, but that couldn't integrate Active Directory. During that time, if a guest wanted access, Owoc had to be there to grant it.

"If I'm not there, how do they get access?" he said. "Now, it's hands off. I don't need to be there watching these guys."

To local users, the NAC solution is invisible; it kicks in when they authenticate, Owoc explained. Guests and visitors are put into the "hotel" network. Since it is identity based, it doesn't matter which port a user plugs into.

"This way it's all automated," he said. "I don't have to worry about who plugs in where."

Using Enforcer has generated interest in trying Lockdown's upcoming offering: iNAC (intelligent NAC). With iNAC, Owoc said, instead of blocking a user from accessing the network because of a misconfiguration or lack of a patch or anti-virus, the system pushes an update to the machine.

"Rather than shutting them down, I can force the upgrade," he said.

The iNAC solution, according to Lockdown, integrates with the Dragon and Sentinel security appliances from Enterasys and also with Patchlink. Owoc said he's hoping to integrate it with Patchlink once EADS Astrium North America obtains and rolls out iNAC.

According to Dan Clark, Lockdown's marketing vice president, Enforcer's integration with third-party vendors adds a level of security and automates many two-way communications between different appliances.

While Lockdown plans to integrate with solutions from Enterasys, IBM, Intel and Microsoft, the Patchlink pairing adds extra checks to an NAC system, Clark said.

When integrated with Patchlink, the Enforcer audits and requests a patch from Patchlink, which automatically updates the device. After it is updated, the device is put back onto the network.

This article originally appeared on SearchNetworking.com.
