Access-control lists, originally designed for routers to deny or admit packets entering a network from a WAN, have drawbacks in controlling a diverse group of users accessing LANs. ACLs have no knowledge of traffic-flow semantics or content, can't adjust access rights for individual users, and suffer scalability and performance limitations.
User-based LAN access control (ULA) is a new technology that redefines network admission and access. Made possible by a new breed of high-performance ASICs, emerging ULA-capable LAN security systems sit in a network at the user-access layer or at an aggregation layer, and inspect every packet on every port for security policy compliance and malware.
The technology lets an administrator identify who is using a network, where and how he logged on, what resources he can access, and whether the LAN is still secure and malware-free once the user is admitted. It also provides automatic quarantine mechanisms to isolate problem users immediately, and to dynamically change from normal to quarantine policy when malware is detected. In effect, it works to create a personal DMZ for every user on every port.
User-based LAN access control operates transparently to end users, while providing powerful security safeguards for network or security administrators. ULA-capable systems are flexible enough to offer several mechanisms for authentication, and smart enough to understand the concepts of user identity and security policies associated with each user. For example, when a user plugs his laptop into a network, he authenticates via 802.1X or a captive portal Web logon page, and the system immediately applies that user's security policies to all applications and network services he accesses.
This security technology also integrates with existing authentication databases to identify user-group memberships. A system matches group memberships from an existing RADIUS or Lightweight Directory Access Protocol database to security policies that will be applied on a LAN access port. This group-based approach guarantees scalability across a corporation, because policies are defined one time and all group members automatically inherit the policies at logon. When a user is transient (say, a contractor working on the latest SAP upgrade), policies travel with him wherever he connects to the network.
When malware (such as a worm) or other inappropriate behavior is identified, the ULA system automatically applies quarantine policies to that user only. Before the availability of user-based LAN access control in LANs, the only way to protect against malware was to assign users to a quarantined virtual LAN. This is akin to throwing influenza sufferers in with malaria patients. With user-based LAN access control, a device completely isolates infected users with fully stateful firewall policies, while allowing access, for example, only to remediation servers.
Simultaneously, the device alerts the network administrator about the incident. Event details include who is responsible, what they did, where they are located and what's been done about it. Compare this with today's practice of combing through router and switch logs, or Address Resolution Protocol tables, looking for which media access control address caused the problem and to which port they are connected.
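The three mechanisms described above (group memberships from a directory mapped to per-port policies that users inherit at logon, a per-user quarantine override when malware is detected, and an alert record saying who, what, where and what was done) can be sketched as a small policy engine. The following is an added illustration written for this page, not code from Nevis Networks or from any ULA product; the directory, group names, addresses and port names are constructed sample data, and the directory dictionary stands in for a real RADIUS or LDAP lookup.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample directory standing in for the RADIUS/LDAP lookup:
# user name -> group memberships.
DIRECTORY: Dict[str, List[str]] = {
    "alice": ["engineering"],
    "bob": ["contractors"],
}

# A rule is (action, destination CIDR, service); "any" matches every service.
Rule = Tuple[str, str, str]

# Group policies are defined once; every member inherits them at logon.
GROUP_POLICIES: Dict[str, List[Rule]] = {
    "engineering": [("allow", "10.1.0.0/16", "any")],
    "contractors": [("allow", "10.2.5.10/32", "tcp/3200")],  # constructed SAP app server
}

# Quarantine policy: the constructed remediation server only, everything else dropped.
QUARANTINE_POLICY: List[Rule] = [("allow", "10.9.9.9/32", "tcp/443")]

DEFAULT_DENY: Rule = ("deny", "0.0.0.0/0", "any")


@dataclass
class PortSession:
    """Policy state bound to one user on one access port."""
    user: str
    port: str
    groups: List[str]
    policy: List[Rule]
    quarantined: bool = False


def lookup_groups(user: str) -> List[str]:
    """Return the user's group memberships from the constructed directory."""
    return DIRECTORY.get(user, [])


def policy_for_groups(groups: List[str]) -> List[Rule]:
    """Concatenate the rules of every group the user belongs to, then close with default deny.

    An unknown user (no groups) therefore gets a deny-all policy rather than open access.
    """
    rules: List[Rule] = []
    for group in groups:
        rules.extend(GROUP_POLICIES.get(group, []))
    rules.append(DEFAULT_DENY)
    return rules


def admit(user: str, port: str) -> PortSession:
    """At logon, bind the user's inherited group policy to the access port."""
    groups = lookup_groups(user)
    return PortSession(user=user, port=port, groups=groups,
                       policy=policy_for_groups(groups))


def is_allowed(session: PortSession, dst_ip: str, service: str) -> bool:
    """First-match evaluation of the session's per-port policy for one flow."""
    dst = ipaddress.ip_address(dst_ip)
    for action, cidr, svc in session.policy:
        if dst in ipaddress.ip_network(cidr) and svc in ("any", service):
            return action == "allow"
    return False  # unreachable once DEFAULT_DENY is appended; kept as a safety net


def quarantine(session: PortSession, reason: str) -> dict:
    """Swap this port's policy for the quarantine policy and return the alert record.

    Only this user's session changes; other ports keep their normal policies.
    """
    session.policy = QUARANTINE_POLICY + [DEFAULT_DENY]
    session.quarantined = True
    return {
        "who": session.user,
        "what": reason,
        "where": session.port,
        "action": "quarantined; access limited to remediation server",
    }


if __name__ == "__main__":
    alice = admit("alice", "ge-1/0/5")
    print(is_allowed(alice, "10.1.20.3", "tcp/80"))      # engineering subnet: allowed
    print(quarantine(alice, "worm propagation detected"))
    print(is_allowed(alice, "10.1.20.3", "tcp/80"))      # now denied
    print(is_allowed(alice, "10.9.9.9", "tcp/443"))      # remediation server still reachable
```

The point the engine makes concrete is that policy is attached to the authenticated user and the port he is on, not to a VLAN: quarantining Alice rewrites only her session's rule list, and the alert record already carries the user, port and action that an administrator would otherwise have to reconstruct from switch logs and ARP tables.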
Finally, ULA systems offer robust security audit benefits. When a network understands user identity and what resources people have access to, and it has the capacity to log this network activity, compliance audits become much simpler.
User-based LAN access control enables companies to implement simple, identity-based security policy provisioning, rapid security incident resolution and complete compliance audit trails.
Tardo is principal security architect for Nevis Networks. He can be reached at email@example.com.