No 802.1x ≠ No NAC

by Juniper Employee on 12-01-2008 11:11 AM

"I want to deploy NAC in my network, but there are older components in my wired/wireless infrastructure that do not support 802.1x, so I can't deploy NAC yet, right?"  As a PLM for a NAC product, I hear this question constantly.  True, 802.1x is the most visible and prevalent type of NAC enforcement, but it is not the only type of enforcement provided with available NAC architectures.  In fact, depending on your security and access control needs, and your existing network architecture, one of the other options might actually be a better choice for your deployment.  Let's take a look at some of the available methods of enforcement:


  • 802.1x Enforcement - This is supported by most of the primary NAC solutions on the market today.  This provides ultimate control in that an end user is unable to pass a single packet until they have been authenticated and their machine has been checked for the appropriate patches, endpoint security applications, etc.  One downside, however, is that 802.1x must be enabled on every switch and wireless access point in your network.  The first switch port, for example, that is not 802.1x enabled represents a potential security hole in your NAC solution. 
  • Client Enforcement - In this model, a software agent running on the endpoint performs the enforcement.  When the user logs on to the network, the software-based agent contacts the NAC system to do the authentication, endpoint integrity scans, and apply the appropriate access control rules to the user's session. 
  • DHCP Enforcement - With DHCP enforcement, the DHCP protocol is used to assign differing network configurations to devices connecting to the network based on user authentication and endpoint integrity.  One of the traditional downsides of DHCP enforcement has been from a security perspective, with spoofed and/or static IP addresses being an easy way to bypass these types of access control mechanisms.
  • Inline Appliance Enforcement - This approach leverages an appliance through which all end user traffic passes in order to perform access control.  A positive attribute of such a scheme is that it does not require any changes to the existing network configuration, nor does it require hardware upgrades.  In addition, many of the solutions out there enable a much more granular set of policy types that can be enforced versus other types of enforcement.  A downside, however, is that from a deployment perspective, a large enterprise network might potentially need to deploy a large number of these across their network in order to contain traffic sufficiently.  Some such enforcement models use existing security devices such as firewalls and IPS devices - appliances that might already be deployed in your network, minimizing even further the need to deploy additional network/security gear.
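The four enforcement methods above differ mainly in where the control point sits and therefore which endpoints can slip past it. The following Python model is an added example, not code from the original post or from any Juniper product: it takes a constructed topology (which ports actually run 802.1x, which segments sit behind an inline appliance) and a handful of constructed endpoints, and reports, per enforcement method, which endpoints would never be gated by it. The class and field names are assumptions made for the illustration.

```python
"""Added example (not from the original post): a coverage model for the four
NAC enforcement methods. The topology, endpoint attributes and names below are
constructed for illustration only."""
from dataclasses import dataclass
from enum import Enum


class Enforcement(Enum):
    DOT1X = "802.1x"
    CLIENT = "client agent"
    DHCP = "dhcp"
    INLINE = "inline appliance"


@dataclass(frozen=True)
class Endpoint:
    name: str
    port: str              # switch port or access point the endpoint attaches to
    uses_dhcp: bool        # False = statically configured IP (never asks for a lease)
    has_agent: bool        # NAC client agent installed and running
    destination: str       # network segment the endpoint is trying to reach


@dataclass
class Network:
    dot1x_ports: set        # ports where 802.1x is actually enabled
    inline_protected: set   # segments that sit behind the inline appliance


def is_controlled(method, ep, net):
    """True if this enforcement method gates `ep` at all, i.e. the endpoint
    cannot reach its destination without passing the NAC decision."""
    if method is Enforcement.DOT1X:
        # Control exists only on ports that run 802.1x; the first port
        # without it is the hole the post warns about.
        return ep.port in net.dot1x_ports
    if method is Enforcement.CLIENT:
        # No agent, no enforcement: an unmanaged device is simply not seen.
        return ep.has_agent
    if method is Enforcement.DHCP:
        # A statically addressed host never participates in the DHCP exchange.
        return ep.uses_dhcp
    if method is Enforcement.INLINE:
        # Only traffic that traverses the appliance can be controlled.
        return ep.destination in net.inline_protected
    raise ValueError(method)


def coverage_report(endpoints, net):
    """Map each enforcement method to the endpoints that escape its control."""
    return {
        m: sorted(ep.name for ep in endpoints if not is_controlled(m, ep, net))
        for m in Enforcement
    }


# --- constructed topology and endpoints (not real network data) ---
NET = Network(
    dot1x_ports={"sw1/1", "sw1/2", "ap-lobby"},   # "sw-legacy/7" was never enabled
    inline_protected={"finance-dc"},             # appliance sits in front of the DC
)

ENDPOINTS = [
    Endpoint("alice-laptop", "sw1/1", uses_dhcp=True, has_agent=True, destination="finance-dc"),
    Endpoint("printer", "sw-legacy/7", uses_dhcp=True, has_agent=False, destination="intranet"),
    Endpoint("contractor-pc", "sw1/2", uses_dhcp=False, has_agent=False, destination="finance-dc"),
    Endpoint("guest-phone", "ap-lobby", uses_dhcp=True, has_agent=False, destination="internet"),
]

if __name__ == "__main__":
    for method, gaps in coverage_report(ENDPOINTS, NET).items():
        print(f"{method.value:16s} uncontrolled: {gaps or 'none'}")
```

Running the model shows each method's characteristic gap: the printer on the legacy switch port escapes 802.1x, the statically addressed contractor PC escapes DHCP enforcement, agentless devices escape client enforcement, and the inline appliance sees nothing that is not headed for the data center. Filling in your own port inventory and endpoint list turns this into a quick pre-deployment coverage check.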


In actuality, most NAC solutions on the market today will provide more than one of these options, for additional flexibility.  The key point is that 802.1x is not the only approach to NAC out there.  For example, if your primary goal when deploying NAC is to restrict access to key financial applications and data stored in your primary data centers, 802.1x might not be the best alternative.  You might instead look towards an inline appliance solution, where the appliances are deployed in front of the data center.  When a Finance user needs to access that information, they authenticate to NAC.  This is a solution that is faster to deploy than an enterprise-wide 802.1x solution, but still meets the needs for this specific deployment. 
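The Finance scenario above, as an added example that is not part of the original post and not a Juniper implementation: a toy inline enforcement point placed in front of a data-center address range. It forwards traffic to the protected range only for a source address that has authenticated to NAC, passed its endpoint integrity scan, holds an allowed role, and whose session has not expired. The protected prefix, session lifetime, roles and sample addresses are all constructed.

```python
"""Added example (not from the original post): a toy inline enforcement point
in front of a data-center segment. Prefix, lifetime, roles and addresses are
constructed for illustration only."""
import time
from dataclasses import dataclass

PROTECTED_PREFIX = "10.50."          # constructed: finance data-center range
SESSION_TTL = 8 * 3600               # constructed: re-authenticate after 8 hours


@dataclass
class Session:
    user: str
    role: str            # e.g. "finance" or "contractor" (constructed roles)
    posture_ok: bool     # endpoint integrity scan passed
    authenticated_at: float


class InlineEnforcer:
    """Permits traffic into the protected range only for a source IP that has
    an unexpired, posture-compliant session in an allowed role."""

    def __init__(self, allowed_roles, now=time.time):
        self.allowed_roles = set(allowed_roles)
        self.sessions = {}      # src_ip -> Session
        self.now = now          # injectable clock so expiry can be exercised

    def authenticate(self, src_ip, user, role, posture_ok):
        # Called once the NAC server has authenticated the user and scanned the host.
        self.sessions[src_ip] = Session(user, role, posture_ok, self.now())

    def decide(self, src_ip, dst_ip):
        """Return ("allow" | "deny", reason) for a single packet."""
        if not dst_ip.startswith(PROTECTED_PREFIX):
            return "allow", "not a protected destination"
        s = self.sessions.get(src_ip)
        if s is None:
            return "deny", "no authenticated session"
        if self.now() - s.authenticated_at > SESSION_TTL:
            del self.sessions[src_ip]
            return "deny", "session expired; re-authenticate"
        if not s.posture_ok:
            return "deny", f"{s.user}: endpoint failed integrity check"
        if s.role not in self.allowed_roles:
            return "deny", f"{s.user}: role {s.role} not permitted"
        return "allow", f"{s.user} ({s.role})"


def demo():
    """Drive the enforcer with constructed sessions and packets; return verdicts."""
    clock = [1_000_000.0]
    enf = InlineEnforcer(allowed_roles={"finance"}, now=lambda: clock[0])
    enf.authenticate("10.1.1.10", "alice", "finance", posture_ok=True)
    enf.authenticate("10.1.1.11", "bob", "contractor", posture_ok=True)
    enf.authenticate("10.1.1.12", "carol", "finance", posture_ok=False)
    results = {
        "alice->dc": enf.decide("10.1.1.10", "10.50.0.5")[0],
        "bob->dc": enf.decide("10.1.1.11", "10.50.0.5")[0],
        "carol->dc": enf.decide("10.1.1.12", "10.50.0.5")[0],
        "unknown->dc": enf.decide("10.1.1.99", "10.50.0.5")[0],
        "unknown->web": enf.decide("10.1.1.99", "192.0.2.10")[0],
    }
    clock[0] += SESSION_TTL + 1          # advance past the session lifetime
    results["alice->dc-later"] = enf.decide("10.1.1.10", "10.50.0.5")[0]
    return results


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:18s} {verdict}")
```

Note what the appliance does not do: the unknown host reaching a non-protected destination is passed untouched, which is exactly the trade-off the post describes. The scope of control is the data center, so the deployment is small and fast, but anything not routed through the appliance is outside the policy.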


Remember: always start with your organization's security needs and then seek out the appropriate solution rather than the other way around.  You might miss more suitable solutions if you jump on the technologies presented to you before determining your true needs.


About the Author
  • Michael Rothschild is the Senior Manager of Solutions Marketing at Juniper Networks, responsible for security solutions for the enterprise. When he's not busy helping customers understand the importance of a solutions focus to address the new security threats affecting business, Michael is a professor of marketing and volunteers as a paramedic.
  • Krishna is a Distinguished Engineer in the Service Layer Technologies group at Juniper. He's currently working on DPI technology initiatives in products targeted at service providers and enterprise markets. Krishna has 19 years of experience in data networking involving Ethernet, ATM, IP, Switching and Security technologies. He has authored 10 patents in the areas of switching, security and QoS. He was actively involved in the IEEE 802.1 and ATM Forum standards committees. Prior to Juniper, he was the co-founder and System Architect at Top Layer Networks where he played a pivotal role in bringing multiple products to the market. He has also held senior engineering roles at Digital Equipment Corporation and Fore Systems.
  • As a Solutions Architect and Leader of Enterprise Solutions Engineering, Lior Cohen is responsible for developing reference architectures and best practices utilizing Juniper products. He has been designing and building enterprise networks and security solutions for over a decade and has helped several Fortune 500 companies develop risk mitigation strategies and implement information security technologies. Prior to joining Juniper, Lior was Chief Technology Officer for a privately held information security consulting firm where he led multi-national consulting and auditing engagements for the financial services and real estate sectors. He also filled various roles at Check Point Software, including leading the company’s Solutions Center. He holds a Bachelor’s degree in Economics and Information Systems from Tel Aviv University.
  • Rich Campagna, Senior Product Manager in the Access Business Group is responsible for business strategies, product development, partner interactions and customer engagements to help drive the growth of Juniper Networks' Unified Access Control and SA Series SSL VPN solutions. Rich is also an avid snowboarder and motorcyclist (not at the same time).