This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
This report investigates and documents the need of network access control within the NHS Grampian. It highlights the current security threats in the NHS Grampian network and the vulnerability of the network to the rogue devices.
This report identifies the risk facing the NHS Grampian and how the Network Access Control Solution can provide security against these threats. It is a discussion of available NAC solutions and the chosen approach to tackle these security issues. This report includes step by step detail of NAC implementation within NHS Grampian.
NHS Grampian's Department of eHealth has overall responsibility for the Management, Support, Procurement and Installation of ICT Infrastructure across the region. Included within this responsibility is the remit to ensure that the ICT Infrastructure is "fit for purpose" to deliver the required level of service to NHS Grampian staff and its Partners. In total there are approximately 15,000 users and 9,000 workstations accessing the NHS Grampian environment. The vast majority of estate is utilised with HP or DELL desktops running Windows XP PRO operating system (service packs 2 and 3), with Sophos Anti Virus version 7.6. NHS Grampian supports inter-agency working and the network is connected to a number of other public organisations including Councils and Aberdeen University.
In Aberdeen there are four main Hospitals which are connected to ARI. The Summerfield house is connected to the ARI through two 100 Mbps LAN extensions, one from Woodend to Summerfield house and other from Cornhill to Summerfield house. Woodend hospital is connected to ARI through a 100 mbps LAN extension. Cornhill is connected to the ARI with 1 Gbps link on fiber optic which is owned by NHS. Links between Summerfield to Cornhill and Woodend to Summerfield are 100 Mbps LAN extensions which are controlled by BT. NHS pay rental to use these 100 Mbps LAN Extensions. As described in figure 1.1
Figure 1.1 NHS Grampian Network Layout
Aberdeen Royal Infirmary (ARI)
In NHS Grampian N3 intranet is used for data communication where distance is a limitation. Locally in Aberdeen Royal Infirmary a few buildings are linked together with Fiber optic cables, mostly 3COM 4400, 5500 and 4500 series switches are used to provide client end connectivity to users. There are around 100 NODE rooms in Aberdeen Royal Infirmary only and there are many different VLANs used in this network to keep the data separate and secure form other networks. Figure 1.2 shows the network layout.
ARI Core Network
Figure 1.2 ARI Core Network
3Com switches are used throughout the majority of the network with a limited Cisco switch deployment. Routers are Cisco of varying age and type.
There are approximately 500 servers including SQL and Web servers delivering a range of applications (approx 250 applications are currently supported). This also includes a number of Active Directory servers.
NHS Grampian currently has variety of measures in place to secure NHS Grampian's network, they have Internal & External firewalls, Web filtering, Anti- virus and Intrusion prevention. In addition they have implemented USB stick encryption (Lumension Device Control) and laptop encryption (PGP Whole Disk).
Flaws in the network
Securing hospital's network is very important in order to providing the best possible patient care, as well as for protecting confidential patient information. The best way of securing patient information is that who and what can get onto the network, and then to manage the resources that are accessible to each user. Limiting the network access to only authorized users and devices is the first step to protect the confidential information and even authorized users have different requirements for information. Confidential patient information should be accessible only to the people who need it.
NHS Grampian still have vulnerability at the end point, a lack of control over what connects to the network and if a connection is permitted, how healthy the device is, and if it poses a threat.
In current scenario anyone can connect to the network. Once a device is connected to the network DHCP server will automatically assign an IP address, gateway, DNS and other network information that are necessary to access the network. When the device is on the network it can access some of the resources available on the network. If the device is virus infected then it can spread the virus across the network. There are different organizations in NHS Grampian which work with calibrations of NHS and are granted access to the network on different VLAN e.g. Aberdeen University, None NHSG users (Contractors etc).
Threats to the network
In NHS Grampian very sensitive data is processed and stored, they cannot afford to lose the important patient information. The impact on service and the potential cost involved in recovering from such an attack is so severe that NHS Grampian has been looking for a new network security product that can protect the network from rogue devices and unauthorised access. This network vulnerability to the rogue and unauthorised devices is a direct threat to the NHS Grampian data protection act and it must be handled quickly and efficiently.
NHS Grampian has a big and complex IT infrastructure. Although it's connected to the N3 network which is a private network managed by BT, but high level security measures has been taken to protect it from the network threats from the outside world. There are many core firewalls (check point) installed which filters the network traffic coming in or going out from the internal network. But there is no security available to protect the internal network from internal threats. If any member of staff brings his/her own laptop with him/her and plug it in one of the network points (network outlets) then they will be able to access the intranet of NHS Grampian without the need of any username or password. In other words a user can simply plug a device into a network point and will receive instant access. This is a massive security risk. If unintentionally or intentionally an infected device is plugged into the network it can have catastrophic consequences and can have a devastating effect to service which NHS Grampian cannot afford due to the nature of its work (health services).
The Need of data protection in NHS Grampian network
The challenge for NHS Grampian is that the network should be easily accessible to every authorized person and everything that belongs on it, but at the same time they need to manage different levels of access in order to protect patient data and other confidential information. For example:
Network ports (outlets) throughout a hospital provide connectivity to a range of medical devices. If these ports are not secured, unauthorized devices can be easily connected and could leading to security breach and unauthorized access to patient information. Computers at nursing stations in each hospital ward provide easy access to patient data. If unauthorized users are able to access these machines, patient data and the security of the network are at risk. Doctors, nurses, and others have different needs for information, so each should have a unique level of access to see only what they need.
NAC and its features
Network Access Control (NAC) products started out as admission control managers that authenticated users and ensured their systems met security policy requirements before granting them access to the network. Today these products, typically dedicated appliances, can also manage users' access once they're already on the LAN to certain servers, applications, and data. Different companies and vendors have different definitions of NAC but all solutions are based on the basic rules and security needs. Below are a few important reasons that every organisation requires from a standard NAC solution.
The most important job a NAC does is that it restricts the access of devices to the network unless they comply with the specific security policies.
Controlling the access of guests by limiting their access to network.
Scanning and checking the devices before allowing them the access to the network that if they meet the security requirements for patches, anti-virus definitions etc.
Scanning the remote devices which are most likely to be infected by virus and checking if these devices have security patches installed before granting them access to the network.
Making sure that authorized devices access the resources that they only authorized for.
Enforcing corporate policies so that employees and other trusted insiders (contractors) can only get to the information they need for their daily jobs.
Scanning the connected devices on regular bases and keeping them up-to-date with current security patches and antivirus updates.
Should Work with other devices and systems already in place such as firewalls, intrusion detection and prevention etc. to provide a complete security solution for the enterprise.
Should provide centralised administration with low administration cost.
NHS Grampian NAC requirements
NHS Grampian has a requirement for a Network Access Control (NAC) solution to help secure the end points on our data network. The primary goal of implementing such a solution is the blocking of "rogue" devices connecting to our data networks, presenting a risk to Confidentiality, Integrity and Availability of information. The secondary goal of implementing a NAC solution is to provide NHS Grampian PCs with a health check and remediation service to ensure that any approved PC joining our network has the appropriate levels of Antivirus, patches, etc implemented and where this is not the case, providing access to such services install to a known minimum standard.
Below is a list of key requirement that any NAC solution should provide.
Able to stop rogue devices accessing the network either wired or wireless.
Should be able to check trusted devices to ensure that they meet the security policy for allowing devices onto the network, also should check on a regular basis.
Should be ideally a centralised solution that can scale up to and beyond 100 sites, 100 subnets and approximately 9000+ endpoints
Solution should be easy to install and maintain with a demonstrated low management overhead
Should integrate well with existing infrastructure and not be dependant or reduce functionality by being dependant on certain supplier's equipment.
Good reporting facilities are important, need to have excellent feedback on what endpoints are breaking the security policy and why
The solution provided should be redundant, this redundancy should ideally overlay onto our Primary and Secondary computer room setup as well.
Should be able to integrate into the existing NHS Active directory setup
Should be able to allow to use a mixture of enforcement methods i.e. 802.1x and DHCP together without the need for any additional hardware
All 802.1x Radius services should ideally be part of the solution
Should be as transparent to the user as much as possible, no additional logins
Integrate with well known patching solutions such as Microsoft SMS to allow remediation.
Provide automatic access to remedial services for users, there should be flexibility to the administrator on how remedial services are provided
There should be minimal data traffic while end points are being checked, figures should be provided on how much traffic any software agents would produce
Management should be allowed from multiple consoles, ideally a web based console should an option
Good level of support, ideally need access to 24hr Helpdesk with a UK office
Ideally provide options for data encryption on the end point or the provider should show that this is on their roadmap
There should be options to allow the creation of security policies down to the registry level
A solution needs to allow base lining of our network against a security policy to ascertain compliance without quarantining
If software agents are used there is a preference for a single agent.
Any software agent used should be shown to be efficient and not hog end point resources be it CPU or memory
If a software agent isn't used then other methods of compliance testing are to be provided.
Available NAC solutions
There are many NAC solutions available in the market but due to size and requirements of NHS Grampian network not every solutions is compatible. There are a few NAC solutions provided by companies which meet the requirements of NHS Grampian network. Four of the NAC Solutions are listed below.
Bradford Campus Manager
Sophos NAC Advanced
Juniper Unified Access Control
The solution provided by Bradford Network is based on Bradford`s Network Sentry platform. The NAC solution by Bradford Networks called "Bradford Campus Manager" automatically identifies authorized users and verifies security policy compliance of endpoint devices before granting network access. If users fail to gain access, Campus Manager provides options allowing non-compliant users to update their systems themselves so they can access the network after meeting the network standard requirements. Campus Manager continuously enforces security policies. It records the previous network activity and generates reports for security threat analysis and regulatory compliance.
When a user attempts to connect an endpoint device (PC, laptop etc)to the network, the edge switch or wireless access point alerts Campus Manager, which determines whether the device is registered and requires the user to authenticate (log in). As part of the login process, the endpoint device is quickly scanned to check for up-to-date OS patches, anti-virus and anti-spyware software, and/or other system checks defined by IT. If the scan is successful, Campus Manager instructs the switch or wireless access point to allow network access, typically by assigning the user to an appropriate VLAN, such as a Student VLAN or Staff VLAN. If a problem is found when scanning the device, such as anti-virus software that is out-of-date or not turned on, a separate VLAN is used to
limit or prevent network access. Campus Manager can also provide users with easy instructions for updating their systems themselves so they can get normal network access. If a rogue user attempts to log in without a valid username and password, Campus Manager prevents network access by telling the switch or wireless access point to assign a Quarantine VLAN or to disable the user's physical connection. An alert can also be sent to let IT administrator know that an unauthorized user has attempted to access the network.
Sophos NAC Advanced
The Sophos NAC Advanced is a well-designed product which offers the ease of administration in order to protect the network. In Sophos NAC Advanced there are two ways to deploy the NAC tool. First is an agent-based install in which a small client software is installed on each machine in the network. The second method uses a web browser and an ActiveX control. In both methods the policy is pulled from the Sophos configuration interface, which resides on the server and if the client meets the security requirements then it will be granted access to the network.
There are 5 basic rules that sophos nac advanced works on.
Define security policies for all Lan and mobile, managed and unmanaged computers centrally
Assess compliance proactively prior to network access and also during the network session
Report and alert on the state of compliance over time.
Remediate computers to bring them into compliance.
Enforce compliance systematically for operating systems, patches, and applications.
There are two kind of client side components that need to be installed on each client before granting them access to the cooperate network.
â€¢ Sophos Compliance Agent (preinstalled Compliance Agent)
â€¢ Sophos Compliance Dissolvable Agent (on-demand Compliance Agent)
These agents determine whether each computer is in compliance with the defined policy.
Symantec NAC is all about compliance: ensuring that devices on your network properly comply with the endpoint security policy you set in your Symantec Endpoint Protection console. The Symantec Network Access Control (SNAC) solution, through integration with 802.1x switch configuration, LAN Gateway or DHCP Service provision, can stop rogue devices accessing either wired or wireless network infrastructure. Symantec NAC includes its standard endpoint protection suite for desktops, and one or more appliances that act as enforcers for NAC policy. When you first configure an enforcer appliance, you tell it whether to be an 802.1X enforcer, a DHCP enforcer, or an inline gateway enforcer that applies packet filters to the traffic flowing through it.
The strong point of the Symantec NAC product is endpoint security, but there are other features, such as a simple guest portal (if you have a gateway enforcer) with on-demand endpoint security scans, which also include support for MAC-based authentication (for VoIP phones and printers).
Symantec NAC includes support for VLAN assignment in Cisco wired and wireless switches, Alcatel-Lucent, Foundry, HP, Nortel, and Extreme switches, as well as Aironet wireless controllers.
Juniper Unified Access Control
The Juniper Unified Access Control (UAC) solution provides the ability to control access to the network to ensure that only authorized devices access the network. Identification of authorized devices can use the Juniper software agent (the Juniper Odyssey Access Client, for devices that support this software - Microsoft, Linux and Apple Operating Systems are supported), or by MAC address for devices that do not support a software agent, such as IP phones, printers, video conferencing units etc. Devices that do not have the Juniper software agent (or other 802.1x agent) installed can also be authenticated using a web browser (commonly used for guest access). Authentication of users and devices can be integrated with Active Directory, authorization using Active Directory groups or attributes can also be used to provide different levels of access. For wired switches and wireless access points that support 802.1x or MAC address authentication the switch or access point will assign a VLAN to the user as instructed by the Juniper Infranet Controller (UAC appliance), for other hosts a VLAN is assigned that connects the user to a Juniper Enforcer (a Juniper firewall). The UAC appliance provisions access on the Enforcer that allows the user access to the appropriate resources.