RealTime IT News

NAC Hits The (Check Point) Firewall

The firewall is one of the most widely deployed pieces of network security infrastructure. Yet for some reason it hasn't benefited much from network access control (NAC), one of the most hyped pieces of network security infrastructure.

That's about to change, thanks to Check Point Technologies, one of the pioneers of the firewall.

Next week, Check Point is officially announcing the latest revision to its widely deployed VPN 1 firewall technology. The company said version R65 includes performance enhancements that speed packet inspection throughput, as well as additional management features.

NAC is also a key part of the new release.

"The most successful security product ever is likely the firewall and so far it's not involved in NAC," Bill Jensen, product marketing manager at Check Point, told internetnews.com. "We want to change that with R65."

NAC is a widely used term that was first coined by Cisco as part of its Self Defending Network Strategy.

Check Point VPN 1 R65 does what is commonly referred to as pre-admission NAC: it decides whether to admit traffic onto a network and validates the "cleanliness" of a particular endpoint before doing so.

The endpoint itself is validated through integration with Check Point's Integrity endpoint security suite, the enterprise version of its popular ZoneAlarm personal firewall software. With Integrity, a network administrator can remotely manage multiple PCs across an enterprise deployment.

As a second method of NAC enforcement, Check Point is also taking advantage of Intel's vPro technology. vPro is a remote management technology that lets administrators power PCs on and off and troubleshoot them remotely.

Jensen said the company is interested in it more from a security perspective. He explained that vPro technology is built into Intel's PC chips as well as into its widely deployed NICs (network interface cards).

"We're able to do NAC endpoint enforcement with a combination of VPN 1 and Intel vPro technology," Jensen said. "It enables quarantine right down to the individual desktop. It's post-admission NAC; it's behavioral based NAC."
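To make the distinction between pre-admission and post-admission NAC concrete, here is a small added example that is not code from the article or from Check Point. It models the two stages as a policy evaluator: a pre-admission check over a constructed endpoint posture report (the kind an agent such as Integrity would supply), and a post-admission, behaviour-based check over constructed flow records that quarantines an already-admitted host which starts sweeping ports. The thresholds, host names and addresses are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Policy thresholds: constructed for this example, not Check Point's actual settings.
MAX_SIGNATURE_AGE_DAYS = 7        # AV signatures older than this count as stale
REQUIRED_PATCH_LEVEL = 3          # minimum acceptable patch level (abstract number)
MAX_DISTINCT_PORTS_PER_PEER = 20  # more distinct ports to one peer looks like a scan


@dataclass
class Posture:
    """What an endpoint agent would report about a host (constructed fields)."""
    host: str
    agent_present: bool
    signature_age_days: int
    patch_level: int
    firewall_enabled: bool


@dataclass
class Flow:
    """One connection attempt seen by the firewall after admission."""
    src: str
    dst: str
    dport: int


def pre_admission(p: Posture) -> Tuple[str, List[str]]:
    """Pre-admission NAC: decide before the host is allowed onto the network.

    Returns (decision, reasons); decision is 'admit', 'remediate' or 'deny'.
    A host that cannot be assessed (no agent) is denied rather than trusted.
    """
    if not p.agent_present:
        return "deny", ["no-agent"]
    reasons: List[str] = []
    if p.signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        reasons.append("stale-av")
    if p.patch_level < REQUIRED_PATCH_LEVEL:
        reasons.append("unpatched")
    if not p.firewall_enabled:
        reasons.append("fw-off")
    return ("remediate" if reasons else "admit"), reasons


def post_admission(flows: List[Flow], admitted: Set[str]) -> Dict[str, str]:
    """Post-admission, behaviour-based NAC: keep watching admitted hosts.

    A host that touches more than MAX_DISTINCT_PORTS_PER_PEER distinct ports on
    a single peer is marked for quarantine. Flows from hosts that were never
    admitted are ignored: pre-admission already kept them off the network.
    """
    ports_by_pair: Dict[Tuple[str, str], Set[int]] = {}
    for f in flows:
        if f.src in admitted:
            ports_by_pair.setdefault((f.src, f.dst), set()).add(f.dport)
    verdict = {host: "ok" for host in admitted}
    for (src, _dst), ports in ports_by_pair.items():
        if len(ports) > MAX_DISTINCT_PORTS_PER_PEER:
            verdict[src] = "quarantine"
    return verdict


def run_example() -> Dict[str, Dict[str, str]]:
    """Run both stages over constructed sample data and return the decisions."""
    postures = [
        Posture("pc-1", True, 2, 3, True),    # healthy
        Posture("pc-2", True, 30, 1, False),  # several posture failures
        Posture("pc-3", False, 0, 0, False),  # no agent: cannot be assessed
        Posture("pc-4", True, 1, 4, True),    # healthy at admission time
    ]
    pre = {p.host: pre_admission(p)[0] for p in postures}
    admitted = {h for h, d in pre.items() if d == "admit"}

    # Constructed flow records: pc-1 behaves, pc-4 sweeps 25 ports on one peer,
    # pc-2 also sweeps but was never admitted, so its flows are not evaluated.
    flows = [Flow("pc-1", "10.0.0.5", 80), Flow("pc-1", "10.0.0.5", 443)]
    flows += [Flow("pc-4", "10.0.0.5", port) for port in range(1, 26)]
    flows += [Flow("pc-2", "10.0.0.5", port) for port in range(1, 31)]
    post = post_admission(flows, admitted)
    return {"pre": pre, "post": post}


if __name__ == "__main__":
    for stage, decisions in run_example().items():
        print(stage, decisions)
```

The point the two functions make is the one Jensen draws: pre-admission decides on posture at connection time, while post-admission keeps evaluating behaviour after the host is on the network, so a host that passed the first gate can still be quarantined individually.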

One thing that Check Point isn't doing with its new NAC-aware firewall is providing interoperability with the major NAC frameworks.

Currently, Cisco NAC, Trusted Computing Group's TNC (Trusted Network Connect), which is used by Juniper among others, and Microsoft NAP are the three main contenders vying to become the standard for NAC implementation.

Check Point won't have anything to do with any of them.

Rather, the vendor will be focusing on the underlying IEEE 802.1x standard, a port-based network authentication standard that is a key implementation method for all three of the competing NAC architectures.

"Right now we're focused just on 802.1x, as we feel that a standards-based solution is going to win out eventually, and there is too much confusion in the marketplace currently -- whether it will be Microsoft NAP, Cisco NAC or TNC," Jensen said.

The confusion around NAC standards, and around what NAC actually means, is itself one of the obstacles to adoption, according to Jensen.

"I compare it to how DHCP was back in 1998 when everyone's DHCP client took different options and didn't work well together with different DHCP servers," Jensen explained. "You couldn't use a Windows DHCP server with a Mac client. We're at that point with NAC."