IT security: a five-legged sheep
Security begins with the letter “A”
Authentication and authorization are the two most fundamental and commonly employed attributes of security.
They sound alike, and their definitions are often confused, so let me begin by offering mine:
Authentication is the means by which a person proves he is who he claims to be in a non-refutable
manner. Authentication is also a means whereby a computer system proves it is the originator of a
packet, and how an application such as a web server proves it is the agent for an e-merchant’s online
credit card transaction.
Authorization is the process of determining whether an identity is entitled or allowed access to a
resource or asset. Authorization typically assumes that an identity has been authenticated. An identity
that is allowed access is trusted and granted access permissions, in accordance with defined policy.
Most organizations use one or more authentication methods, and extend these to branch office users. Fewer
organizations devote as much attention to authorization. Commonly, authenticated users at branch offices have
access to individual and group accounts on local servers as well as intranet servers hosted at HQ, but unrestricted
access to the web and collaborative applications like IMs and VoIP.
Assuming yours is an organization whose branch offices have an authentication strategy in place, I recommend
that you add a second security A: revisit your authorization policy for branch offices. Consider implementing egress
traffic filtering. Rather than allowing access to ANY external service, begin with a DENY ALL rule, and allow access
only to the set of applications you determine are business-appropriate.
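As an added example (not code from the article), the default-deny egress policy recommended above, written as a small rule evaluator: every outbound connection attempt from the branch is matched against an explicit allow-list, and anything that matches nothing falls through to DENY. The rule fields, the sample allow-list and the connection attempts are constructed for illustration.

```python
"""Added example (not from the article): a default-deny egress policy.

Models the recommendation above: start from DENY ALL and add allow rules
only for the set of destinations you have decided are business-appropriate.
Rule fields and the sample allow-list are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class AllowRule:
    name: str                       # label that shows up in the verdict / audit trail
    proto: str                      # "tcp" or "udp"
    port: int                       # destination port
    dst: ipaddress.IPv4Network      # destination network covered by the rule


# Constructed allow-list for a branch office: HQ intranet servers, the HQ mail
# relay and one internal resolver. Nothing else is reachable from the branch.
ALLOW = [
    AllowRule("hq-intranet-https", "tcp", 443, ipaddress.ip_network("10.1.0.0/16")),
    AllowRule("hq-mail-relay", "tcp", 25, ipaddress.ip_network("10.1.5.0/24")),
    AllowRule("internal-dns", "udp", 53, ipaddress.ip_network("10.1.0.53/32")),
]


def evaluate_egress(proto, dst_ip, port, rules=ALLOW):
    """Return (verdict, rule_name) for one outbound connection attempt.

    The allow-list is consulted in order; a connection that matches no rule
    falls through to the implicit DENY ALL. That is the point of the design:
    a new external service is unreachable until someone consciously adds it.
    """
    addr = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.proto == proto and rule.port == port and addr in rule.dst:
            return "ALLOW", rule.name
    return "DENY", "default-deny"


if __name__ == "__main__":
    # Constructed connection attempts from a branch workstation.
    attempts = [
        ("tcp", "10.1.2.3", 443),       # intranet web server at HQ: allowed
        ("tcp", "203.0.113.7", 443),    # arbitrary Internet host: denied
        ("udp", "10.1.0.53", 53),       # internal resolver: allowed
        ("tcp", "10.1.0.53", 53),       # same host, wrong protocol: denied
    ]
    for proto, ip, port in attempts:
        verdict, rule = evaluate_egress(proto, ip, port)
        print(f"{proto}/{ip}:{port} -> {verdict} ({rule})")
```

The rule name returned with each verdict is what you would write to the audit log: a DENY from the fall-through rule is the signal that someone, or something, on the branch is reaching for a service nobody approved.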
So far, we’ve looked at two security attributes, and both begin with the letter A. Curiously, or perhaps
intentionally, many other security attributes begin with the letter
A: Accounting, Accuracy, Authenticity, Availability.
Three-legged Stool (Triple-A)
Not remarkably, security professionals took advantage of this happy circumstance and developed analogies to
explain the fundamentals of security. An early, popular analogy likened the essential attributes of security to a
three-legged stool, to illustrate why security, like a stool, needs more than two legs to stand on its own.
Authentication server vendors, especially those who supported what is known as the RADIUS authentication
protocol, chose to add accounting as the third leg. They coined the term Triple A to kindle interest among
Service Providers who were exploring alternatives to flat monthly-rate Internet access.
Today, some security professionals feel that accounting was not the best choice to complement authentication and
authorization as a third leg, and replace accounting with the more general (and, in my opinion, more practical) choice
of auditing, which is the process of monitoring and recording networking and security-related events for
subsequent correlation and analysis.
Auditing is commonly implemented using event logging and most server, storage, networking and security
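An added example (not from the article) of what "recording events for subsequent correlation" looks like in practice: constructed authentication events in a syslog-like key=value format are parsed, then correlated to find a burst of failed logons followed by a success from the same user and source address. The log format, field names and thresholds are assumptions.

```python
"""Added example (not from the article): auditing as event logging plus
correlation. Each event below is unremarkable on its own; only keeping the
record and correlating across events makes the pattern visible.
Field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs).
SAMPLE_LOG = """\
2024-01-15T08:00:01 host=branch-fs01 user=alice src=10.2.0.14 result=FAIL
2024-01-15T08:00:07 host=branch-fs01 user=alice src=10.2.0.14 result=FAIL
2024-01-15T08:00:12 host=branch-fs01 user=alice src=10.2.0.14 result=FAIL
2024-01-15T08:00:20 host=branch-fs01 user=alice src=10.2.0.14 result=SUCCESS
2024-01-15T08:03:00 host=branch-fs01 user=bob src=10.2.0.22 result=FAIL
2024-01-15T08:03:30 host=branch-fs01 user=bob src=10.2.0.22 result=SUCCESS
2024-01-15T09:00:00 host=hq-intranet user=carol src=10.1.7.9 result=SUCCESS
"""


def parse_events(text):
    """Turn each non-empty line into a dict; the first token is the timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        event = dict(pair.split("=", 1) for pair in pairs)
        event["ts"] = datetime.fromisoformat(stamp)
        events.append(event)
    return events


def correlate_failures(events, threshold=3, window=timedelta(minutes=5)):
    """Flag (user, src, ts) when a SUCCESS follows >= threshold FAILs within window."""
    recent_failures = defaultdict(list)     # (user, src) -> failure timestamps
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        key = (event["user"], event["src"])
        if event["result"] == "FAIL":
            recent_failures[key].append(event["ts"])
        elif event["result"] == "SUCCESS":
            in_window = [t for t in recent_failures[key] if event["ts"] - t <= window]
            if len(in_window) >= threshold:
                alerts.append((event["user"], event["src"], event["ts"]))
            recent_failures[key].clear()    # a success resets the counter
    return alerts


def run_sample():
    """Correlate the constructed sample log; used by the demo below."""
    return correlate_failures(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for user, src, ts in run_sample():
        print(f"{ts.isoformat()} {user}@{src}: success after repeated failures")
```

Only alice's session is flagged: bob's single failure is below the threshold, and carol never failed. The rule is deliberately simple; what matters is that the events were recorded with enough fields (user, source, result, time) to correlate at all.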
Four legs provide a sturdier seat
For many security professionals, the fourth leg of choice is Authenticity or its security synonym, Accuracy.
Authenticity is a process by which the integrity of data and its origin are verified. Authenticity assures the
recipient of data that the data he received are an exact copy of the data that were transmitted, and that the
data were indeed produced by the sender. You can implement this security A in many ways, and incrementally.
Consider whether integrity protection measures would be appropriate for the data that is likely to reside, be
stored at, or communicated to and from branch offices. For example, it might be useful to put anti-tampering
measures on servers to protect against unauthorized or unintentional modification of critical system and
configuration files. If your business routinely exchanges sensitive information using internal mail and document
delivery systems, consider whether employees should hash and sign such documents.
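An added example (not the article's code) of the two integrity measures suggested above: a digest baseline of critical configuration files that is re-checked to catch unauthorized or accidental modification, and hashing plus signing a document with an HMAC so the recipient can verify that it is unchanged and came from a holder of the key. File paths, contents and the key are constructed for illustration.

```python
"""Added example (not from the article): integrity protection for files
and for exchanged documents, using only the standard library.
File contents, paths and the key are constructed for illustration.
"""
import hashlib
import hmac

# Constructed stand-in for critical files on a branch server: path -> contents.
CONFIG_FILES = {
    "/etc/app/server.conf": b"listen = 443\nlog = /var/log/app.log\n",
    "/etc/app/acl.conf": b"allow 10.1.0.0/16\ndeny all\n",
}
# Constructed shared key; in practice it lives in a key store, never in source.
SIGNING_KEY = b"example-key-not-for-production"


def file_digests(files):
    """Baseline: SHA-256 of every file's contents, keyed by path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def changed_files(baseline, current):
    """Paths whose digest differs from the baseline, or that have disappeared."""
    return sorted(path for path, digest in baseline.items() if current.get(path) != digest)


def sign_document(key, document):
    """Hash the document and bind it to the key: HMAC-SHA256, hex-encoded."""
    return hmac.new(key, document, hashlib.sha256).hexdigest()


def verify_document(key, document, tag):
    """True only if the document is byte-for-byte what a key holder signed.

    compare_digest runs in constant time, so the comparison does not leak
    how many leading bytes of a forged tag were right.
    """
    return hmac.compare_digest(sign_document(key, document), tag)


if __name__ == "__main__":
    baseline = file_digests(CONFIG_FILES)
    tampered = dict(CONFIG_FILES)
    tampered["/etc/app/acl.conf"] = b"allow all\n"          # simulated unauthorized edit
    print("changed:", changed_files(baseline, file_digests(tampered)))

    memo = b"Q4 earnings will be released 2024-02-01"
    tag = sign_document(SIGNING_KEY, memo)
    print("original verifies:", verify_document(SIGNING_KEY, memo, tag))
    altered = memo.replace(b"02-01", b"02-15")
    print("altered verifies:", verify_document(SIGNING_KEY, altered, tag))
```

One caveat on the choice of HMAC: it proves origin only within the group that shares the key, so it gives integrity and a weak form of authenticity but not non-repudiation. Where a document must be provably from one particular employee, use an asymmetric signature scheme (for example Ed25519 or RSA-PSS from a cryptography library) and keep the private key with the signer.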
Four legs make for a sturdy stool. But recently, security professionals have been exploring ways to make the stool even
sturdier, if somewhat unusual in appearance. Historically, authentication has been considered the enabler of all
security services. Let’s look at some examples where having verified that a person is who he claims to be isn’t
enough.
Mary proves her identity to an air transportation security inspector using her government-issued
passport. Knowing that Mary is indeed Mary doesn’t assure us that she’s not concealing a weapon.
John proves his identity to a US Customs and Immigration officer using his new Canadian high-security
driver’s license. Knowing that John is who he claims to be doesn’t tell us whether he’s carrying a
communicable disease.
Beth is on her way to a confidential board meeting where her company’s earnings will be reviewed prior
to public disclosure of its annual report. She proves her identity to the security guard at her employer’s
office using her company-issued ID. Knowing that Beth is who she claims to be doesn’t tell us whether
an industrial spy has planted a listening device on her clothing.
Suppose Mary, John and Beth are not people but computers trying to connect to networks. Mary’s concealing
a root kit. John’s infected with a virus. Beth’s hosting a keylogger. Just as in our real world examples,
authentication alone doesn’t help us assert the trustworthiness of the endpoint device from which a user will
authenticate and subsequently access data.
Adding a Fifth Leg
Admission control adds a desperately needed leg to the security stool. It’s conceptually simple. When a device
attempts to connect to a network, we examine that device to verify that it is free of malicious code before we
accept a single keystroke from a user at that device. We can verify that all security measures – firewall, antivirus,
antispyware, host IDS – have all the current patches, malware and intrusion signatures, are properly
configured and are operating as anticipated. If an endpoint fails to meet these criteria, we can block admission,
or quarantine the endpoint to a location on our network where the user can access the resources required to
bring the endpoint into compliance.
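An added example (not the article's code) of the admission decision described above: a constructed endpoint posture report is checked against a policy before the device is admitted. Firewall, antivirus, antispyware and host IDS must be running, signatures and patches must be current, and no malicious code may be present. Remediable failures send the endpoint to quarantine; an endpoint reporting active malware is blocked outright. The report fields, the policy thresholds and the verdict names are assumptions.

```python
"""Added example (not from the article): an admission-control decision.
Posture fields, policy thresholds and verdict names are assumptions.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta


@dataclass
class Posture:
    firewall_on: bool
    antivirus_on: bool
    antispyware_on: bool
    host_ids_on: bool
    signature_date: date      # date of the newest malware/intrusion signatures
    patch_level: int          # hypothetical monotonically increasing patch baseline id
    malware_found: bool       # the endpoint's own scanner reports an active infection


@dataclass
class Policy:
    required_patch_level: int
    max_signature_age: timedelta


def evaluate_admission(posture, policy, today):
    """Return (verdict, reasons) where verdict is ADMIT, QUARANTINE or BLOCK."""
    if posture.malware_found:
        # Not a compliance gap the user can fix from quarantine: keep it off the network.
        return "BLOCK", ["active malicious code reported"]
    reasons = []
    for name, running in [("firewall", posture.firewall_on),
                          ("antivirus", posture.antivirus_on),
                          ("antispyware", posture.antispyware_on),
                          ("host IDS", posture.host_ids_on)]:
        if not running:
            reasons.append(f"{name} not running")
    if today - posture.signature_date > policy.max_signature_age:
        reasons.append(f"signatures stale ({posture.signature_date.isoformat()})")
    if posture.patch_level < policy.required_patch_level:
        reasons.append(f"patch level {posture.patch_level} below required "
                       f"{policy.required_patch_level}")
    if reasons:
        # Reachable only to the update/remediation servers until the gaps are closed.
        return "QUARANTINE", reasons
    return "ADMIT", []


# Constructed policy and a fixed "today" so the example is reproducible.
POLICY = Policy(required_patch_level=42, max_signature_age=timedelta(days=3))
TODAY = date(2024, 1, 15)


def sample_postures():
    """Constructed posture reports: one compliant endpoint and three that are not."""
    healthy = Posture(True, True, True, True, date(2024, 1, 14), 42, False)
    return {
        "healthy": healthy,
        "stale": replace(healthy, firewall_on=False, signature_date=date(2024, 1, 2)),
        "unpatched": replace(healthy, patch_level=40),
        "infected": replace(healthy, malware_found=True),
    }


if __name__ == "__main__":
    for label, posture in sample_postures().items():
        verdict, reasons = evaluate_admission(posture, POLICY, TODAY)
        print(f"{label:10s} -> {verdict} {reasons}")
```

The reasons list is returned alongside the verdict on purpose: the same text that drives the quarantine decision is what the user sees on the remediation page, and what gets written to the audit log so the fourth and fifth legs reinforce each other.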
Many organizations have successfully implemented these five As throughout their main offices and campuses.