EXPERT ADVICE

My Net Is Your Net: Providing Guest Access Without Blowing Security

The other day I was visiting a partner company and asked if they had wireless Internet access I could use. The IT guy said they had not installed a wireless network due to security concerns, so instead he let me plug into the network to get access to a Web site I needed for our discussion. I don’t believe he saw the irony in that decision.

It’s amazing how many companies delay implementing key technologies like wireless due to perceived security risks but allow non-employees to plug directly into the corporate network without thinking about the incredible risk that places on the network, other devices and company data.

Be My Guest

Guest access has become one of the challenges IT must face, as it attempts to balance security with worker productivity. This is especially true amid periods of economic downturn, when companies rely more on outsourcing and contractors to get work done than on hiring new employees. In spite of this clear trend, guest access control is often lower on the priority list than employee access. In fact, in a recent user survey done by Forrester Research around network access control, only 21 percent of respondents put guest access as a top priority for IT investment.

Yet controlling guest access is as important as, if not more important than, controlling access by employees and managed laptops, because you have absolutely no control over these systems, and you have no way of knowing whether these third parties maintain any level of anti-malware protection or keep their operating systems and applications patched and up to date.

“Even if non-employees represent a small percentage of your organization, they are the greatest threat,” said Rob Whiteley, principal analyst with Forrester Research. “Companies need to put clear security policies and a solution in place that ensures guests receive only controlled access to local printers or the Internet, or to select resources needed for their project.”

Controlling Access

An emerging market that solves both the guest access and employee network access challenge is network access control (NAC), which is designed to do just as the name implies: control access to the network. NAC typically includes both pre-admission endpoint security policy checks and post-admission controls over where users and computers can go on a network. The overarching goals of NAC are to mitigate security threats and enforce security policies, while also controlling and enforcing device health, identity and guest access.

Microsoft and Cisco are most frequently associated with NAC, and both companies have frameworks and architectures that embrace their own technologies as well as interoperate with other networking and security solutions. Microsoft’s Network Access Protection (NAP) is a policy enforcement platform built into the client and server operating systems: Windows XP SP3, Windows Vista and Windows Server 2008. Microsoft is widely believed to be leading the NAC race, as its NAP platform integrates with some 120 other technologies and products. Cisco Network Admission Control is an architecture-based framework and an appliance. The biggest challenge with both frameworks is the complexity and upfront investment required to fully roll them out.

Other Entities

In addition to Microsoft and Cisco, there are many other NAC solutions which vary in price, feature/functionality and complexity, and which span software, hardware and in-the-cloud services. Nearly all of these are targeted at the large enterprise market, and sometimes it’s hard to separate the hype from reality, as all types of vendors — firewall, virtual private network, identity management, and others — have jumped on the NAC bandwagon.

If you are a smaller enterprise (under 1,000 computers), you should look for NAC solutions that require a low initial investment but scale easily as your needs increase. Typically, switch- or appliance-based form factors are the best fit for an organization of this size. Beyond affordability and extensibility, look for ease of deployment and management and limited impact on both your network and user productivity. And while we are focused on guest access right now, you should ideally purchase a solution that solves both guest and employee access with centralized management and policy control. Many vendors now offer Web-based management services, which simplify the management process. Finally, the solution should integrate seamlessly with nearly any antivirus or antispyware solution, as well as with other networking or security technologies.

Before buying any solution, outline the key security policies and IT requirements around guest access for your company:

  • Identify and develop a clear list of what resources your non-employees need and will be allowed to access. These can include printers, the Internet, SharePoint or other intranet sites, etc.
  • Decide whether any of these resources will require authentication, such as a username and password, to access. Authentication should only be required for key applications, fileshares or intranet sites.
  • Identify which printers you will designate for guest access. Depending on the number of printers you have, data protection requirements, and budgetary considerations, you can either use the same LAN (local area network) printers for cost efficiency or use an isolated printer for greater security.
  • Identify areas in the office where you can create controlled wireless zones for third-party users, such as conference rooms.
  • Calculate the number of non-employee users who will need access concurrently at any given time.

Note that these policies relate only to the guest access portion of network access control. There are many other policies and steps needed around employee access control.

If even 5 percent of your users are non-employees, you cannot afford to ignore the guest access issue. By carefully setting criteria and using the right technologies, you can support business goals and keep people productive without putting the corporate network and data at risk. And hopefully, the next time a partner asks you for Internet access, your answer will not be handing over an Ethernet plug to your network.


Todd Hooper is the CEO and cofounder of Napera Networks, a provider of network solutions that enable small and medium enterprises to build safe, secure and healthy networks.
