The firewall is one of the most widely deployed pieces of network security infrastructure. Yet for some reason it hasn't benefited much from network access control (NAC), one of the most hyped pieces of network security infrastructure. That's about to change, thanks to Check Point Technologies, one of the pioneers of the firewall.
Next week, Check Point is officially announcing the latest revision to its widely deployed VPN-1 firewall technology. The company said version R65 includes performance enhancements that speed packet inspection throughput, as well as additional management features. NAC is also a key part of the new release.
“The most successful security product ever is likely the firewall and so far
it’s not involved in NAC,” Bill Jensen, product marketing manager at Check
Point, told internetnews.com. “We want to change that with R65.”
NAC is a widely used term that was first coined by Cisco as part of its Self Defending Network Strategy.
Check Point VPN-1 R65 does what is commonly referred to as pre-admission NAC: the firewall decides whether to admit traffic onto a network, and can validate the "cleanliness" (security posture) of a particular endpoint before doing so. The actual endpoint check is performed through integration with Check Point's Integrity endpoint security suite, the enterprise version of its popular ZoneAlarm personal firewall software. With Integrity, a network administrator can remotely manage multiple PCs across an enterprise deployment.
As a second method of NAC enforcement, Check Point is also taking advantage of Intel's vPro technology. vPro is a remote management technology that enables administrators to turn PCs on and off or perform troubleshooting. Jensen said the company is interested in it more from a security perspective. He explained that vPro technology is built into Intel chips for PCs, as well as into Intel's widely deployed NICs (network interface cards).
"We're able to do NAC endpoint enforcement with a combination of VPN 1 and Intel vPro technology," Jensen said. "It enables quarantine right down to the individual desktop. It's post-admission NAC; it's behavioral based NAC."
One thing that Check Point isn't doing with its new NAC-aware firewall is providing interoperability with the major NAC frameworks. Currently, Cisco NAC, the Trusted Computing Group's TNC (Trusted Network Connect), which is used by Juniper among others, and Microsoft NAP are the three key groups vying to become the standard for NAC implementation. Check Point won't have anything to do with any of them. Rather, the vendor will focus on the underlying IEEE 802.1X standard, a port-based network authentication standard that is a key implementation method for all three of the competing NAC architectures.
“Right now we’re focused just on 802.1x, as we feel that a standards-based
solution is going to win out eventually, and there is too much confusion in
the marketplace currently — whether it will be Microsoft NAP, Cisco NAC or
TNC,” Jensen said.
The confusion around NAC standards, and around what NAC actually means, is one of the obstacles to adoption, according to Jensen.
"I compare it to how DHCP clients took different options and didn't work well together with different DHCP servers," Jensen explained. "You couldn't use a Windows DHCP server with a Mac client. We're at that point with NAC."