As with assessment and evaluation, there are many options for NAC enforcement. In fact, this may be the most diverse area for NAC options! These options fall into four categories, based on where they are in the network. We’ll start at the edge of the network and move in.
Endpoint - With endpoint enforcement, the device that’s requesting network access does the enforcement. Isn’t that sort of like having the fox guard the henhouse? Yes and no. Certainly, if a machine is infected or malicious, it won’t prevent itself from doing bad things. But some customers are only concerned with keeping the healthy machines healthy. They consider infected machines a lost cause. Even if this is a bit too loosey-goosey for you, endpoint enforcement can play an important role in NAC: self-protection. If a machine is found to be vulnerable (maybe down-rev on its patches), it should put up its shields until it can be repaired. So endpoint enforcement has a place in any NAC system.
Network Edge - Probably the most common place to do NAC enforcement is at the network edge. Some systems use 802.1X, others use SNMP or CLI to control switches. VPN gateway enforcement also falls into this category. Whatever the technology, the idea is to enforce access controls at the edge of the network. This is great for security. Infected machines and unauthorized users can be completely blocked from the network or restricted to a quarantine area. The main downside is that this requires lots of enforcement points, which can be expensive (but may not be, if you can use your current switches and wireless access points).
Peer - With peer enforcement, the endpoints on the network monitor each other. If they believe that one is acting up, they attack it with poisoned ARPs and other denial of service techniques. This approach has declined in popularity recently. I’m not surprised. To me, it sounds like you’re saving money by laying off the security guards and arming the employees!
Network Core - Doing enforcement at the core of the network can reduce costs but it also reduces security. An infected device or malicious user can attack other systems on the edge of the network. Only when they try to cross the network core will they be stopped.
Data Center / Server - If you can’t afford edge enforcement, data center enforcement may be your best choice. You can roll out NAC gradually by placing enforcement points in front of your most critical resources and then adding more enforcement points over time. If you’re into deperimeterization, you’ll love this approach.
Blended - Many vendors and customers combine several enforcement options. This can give you the best of all worlds: the strong security of edge enforcement, the necessary self-protection of endpoint enforcement, etc.
No enforcement - A surprising number of customers are deploying NAC with no enforcement. They gain insight into who’s accessing what from what devices and how healthy those devices are. Actually, I recommend no enforcement as the first step in any NAC deployment. Learn what’s happening on your network. Then warn people who are out of compliance. Once your compliance rate is high, then you can turn on enforcement without risking a nightmare.
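To make the edge-enforcement and phased-rollout ideas above concrete, here is a small policy engine I wrote as an added example (it is not code from the original post or from any NAC product). It assumes two posture attributes per endpoint (an installed patch revision and whether the anti-virus agent is running), a fleet-wide compliance threshold for advancing from monitor to warn to enforce, and, in enforce mode, the standard RADIUS tunnel attributes that 802.1X-capable switches use for dynamic VLAN assignment (RFC 2868 / RFC 3580). The endpoint inventory, VLAN numbers and threshold are constructed sample values.

```python
"""Constructed example of a phased NAC policy engine.

Phase MONITOR  = "no enforcement": record posture, grant access to everyone.
Phase WARN     = still grant access, but flag non-compliant users.
Phase ENFORCE  = non-compliant devices get the quarantine VLAN via RADIUS.
"""
from dataclasses import dataclass
from enum import Enum


class Phase(Enum):
    MONITOR = "monitor"
    WARN = "warn"
    ENFORCE = "enforce"


@dataclass
class Endpoint:
    mac: str
    patch_level: int      # assumed posture attribute: installed patch revision
    av_running: bool      # assumed posture attribute: AV agent active


@dataclass
class Policy:
    min_patch_level: int
    require_av: bool
    production_vlan: int
    quarantine_vlan: int
    advance_threshold: float = 0.95   # assumed: compliance rate needed to move on


def is_compliant(ep: Endpoint, policy: Policy) -> bool:
    patched = ep.patch_level >= policy.min_patch_level
    av_ok = ep.av_running or not policy.require_av
    return patched and av_ok


def radius_vlan_attrs(vlan: int) -> dict:
    # Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802 (RFC 2868 / RFC 3580).
    # An 802.1X switch places the port into Tunnel-Private-Group-ID on Access-Accept.
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-ID": str(vlan)}


def decide(ep: Endpoint, policy: Policy, phase: Phase):
    """Return (action, radius_attrs); action is 'allow', 'warn' or 'quarantine'."""
    if is_compliant(ep, policy) or phase is Phase.MONITOR:
        return "allow", radius_vlan_attrs(policy.production_vlan)
    if phase is Phase.WARN:
        # Same network access as a healthy device; the warning goes to the user.
        return "warn", radius_vlan_attrs(policy.production_vlan)
    return "quarantine", radius_vlan_attrs(policy.quarantine_vlan)


def compliance_rate(fleet, policy: Policy) -> float:
    if not fleet:
        return 0.0
    return sum(is_compliant(e, policy) for e in fleet) / len(fleet)


def next_phase(fleet, policy: Policy, phase: Phase) -> Phase:
    """Advance one step only once the fleet clears the compliance threshold."""
    if compliance_rate(fleet, policy) < policy.advance_threshold:
        return phase
    order = [Phase.MONITOR, Phase.WARN, Phase.ENFORCE]
    return order[min(order.index(phase) + 1, len(order) - 1)]


# Constructed sample data: two compliant machines, one down-rev, one without AV.
POLICY = Policy(min_patch_level=42, require_av=True,
                production_vlan=100, quarantine_vlan=999)
FLEET = [
    Endpoint("00:11:22:33:44:01", patch_level=42, av_running=True),
    Endpoint("00:11:22:33:44:02", patch_level=40, av_running=True),
    Endpoint("00:11:22:33:44:03", patch_level=43, av_running=False),
    Endpoint("00:11:22:33:44:04", patch_level=42, av_running=True),
]


def report(fleet, policy: Policy, phase: Phase):
    """One line per endpoint showing what each phase would do to it."""
    return [f"{e.mac} {phase.value}: {decide(e, policy, phase)[0]}" for e in fleet]


if __name__ == "__main__":
    phase = Phase.MONITOR
    print(f"compliance rate: {compliance_rate(FLEET, POLICY):.0%}")
    for line in report(FLEET, POLICY, Phase.ENFORCE):
        print(line)
    print("next phase:", next_phase(FLEET, POLICY, phase).value)
```

Run it as-is and the sample fleet sits at 50% compliance, so `next_phase` keeps the deployment in monitor mode; the report shows what enforce mode would have done to each machine, which is exactly the insight the "no enforcement" step is meant to give you before anyone gets cut off.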
What do you think of these different enforcement approaches? What’s working for you (or not)? Add a comment and let me know.