Today’s panel on NAC was a blast! Mike Fratto mainly took questions from the audience. When there were slow spots, he asked some tough questions of his own. I prefer this approach to panels. Customers have the most interesting, real-world questions!
I was surprised how many of today’s questions focused on standards. The attendees were impatient with the delays in getting NAC standards implemented. I share their impatience. The TNC standards have been around for more than four years. They’ve been implemented by Juniper, Microsoft, and dozens of other vendors. Why don’t other vendors just implement them?
Steve Karkula of Nokia was a welcome addition to the usual cast of characters on a NAC panel: Cisco, Microsoft, and TCG. Steve is involved with Nokia’s SourceFire product. He pointed out the value of including behavior monitoring in a NAC system. I couldn’t agree more! These days, NAC is much more than checking the health of devices when they connect to your network. State-of-the-art NAC systems customize access for each user or role and monitor behavior so they can block misbehaving endpoints. Really cool systems link identity and behavior monitoring so that they know what behavior’s appropriate for each user!
An interesting follow-up question was how to monitor behavior when more network traffic is encrypted. The panelists had a variety of answers: doing monitoring on the servers, on the endpoints (only if you trust them!), or at the edge of the data center (if you terminate the encryption there, as is often done with load balancers, SSL offload devices, and such).
All in all, it was an interesting panel. I’m sorry if you couldn’t be there. I hope to see you at one of my upcoming talks!
As with assessment and evaluation, there are many options for NAC enforcement. In fact, this may be the most diverse area of NAC! Five of the options are defined by where the enforcement point sits in the network; two more (blended and no enforcement) cut across them. We’ll start at the edge of the network and move in.
Endpoint - With endpoint enforcement, the device that’s requesting network access does the enforcement. Isn’t that sort of like having the fox guard the henhouse? Yes and no. Certainly, an infected or malicious machine won’t prevent itself from doing bad things, so endpoint enforcement can’t be relied on to contain it. But some customers are only concerned with keeping the healthy machines healthy; they consider infected machines a lost cause. Even if this is a bit too loosey-goosey for you, endpoint enforcement plays one role nothing else can: self-protection. If a machine is found to be vulnerable (maybe down-rev on its patches), it should put up its shields, such as tightening its host firewall, until it can be repaired. So endpoint enforcement has a place in any NAC system, just not as the only line of defense.
Network Edge - Probably the most common place to do NAC enforcement is at the network edge. Some systems use 802.1X, where the switch or wireless Access Point acts on the RADIUS server’s answer (for example, a VLAN assignment); others use SNMP or CLI to reconfigure switch ports directly. VPN gateway enforcement also falls into this category. Whatever the technology, the idea is to enforce access controls at the edge of the network, before traffic touches anything else. This is great for security. Infected machines and unauthorized users can be completely blocked from the network or restricted to a quarantine area. The main down side is that this requires lots of enforcement points, which can be expensive (but may not be, if you can use your current switches and wireless Access Points). One thing to check before you commit: every endpoint that can’t run an 802.1X supplicant (printers, for example) will need an exception, and each exception has to be tracked.
Peer - With peer enforcement, the endpoints on the network monitor each other. If they believe that one is acting up, they attack it with poisoned ARPs and other denial of service techniques. This approach has declined in popularity recently. I’m not surprised. To me, it sounds like you’re saving money by laying off the security guards and arming the employees!
Network Core - Doing enforcement at the core of the network can reduce costs but it also reduces security. An infected device or malicious user can attack other systems on the edge of the network. Only when they try to cross the network core will they be stopped.
Data Center / Server - If you can’t afford edge enforcement, data center enforcement may be your best choice. You can roll out NAC gradually by placing enforcement points in front of your most critical resources and then adding more enforcement points over time. If you’re into deperimeterization, you’ll love this approach.
Blended - Many vendors and customers combine several enforcement options. This can give you the best of each: the strong security of edge enforcement, the necessary self-protection of endpoint enforcement, etc.
No enforcement - A surprising number of customers are deploying NAC with no enforcement. They gain insight into who’s accessing what from what devices and how healthy those devices are. Actually, I recommend no enforcement as the first step in any NAC deployment. Learn what’s happening on your network. Then warn people who are out of compliance. Once your compliance rate is high, then you can turn on enforcement without risking a nightmare.
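What network-edge enforcement and the "no enforcement" rollout step look like on the wire, as an added example that is not code from the original post: the NAC policy server answers an 802.1X switch's RADIUS Access-Request with an Access-Accept carrying the RFC 3580 dynamic-VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), or with an Access-Reject. The VLAN numbers, the shared secret, and the request authenticator are assumptions constructed for the example; the attribute numbers and packet layout are from RFC 2865, RFC 2868 and RFC 3580.

```python
# Added example (not from the original post): edge enforcement via 802.1X.
# VLAN numbers and the shared secret below are assumptions.
import hashlib
import struct

ACCESS_ACCEPT = 2           # RADIUS packet codes (RFC 2865)
ACCESS_REJECT = 3

TUNNEL_TYPE = 64            # RFC 2868 tunnel attributes reused by RFC 3580
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6  # Tunnel-Medium-Type value meaning "IEEE-802"

# Assumed VLAN layout: one VLAN per NAC outcome.
VLANS = {"full": 10, "guest": 20, "quarantine": 99}


def tunnel_attribute(attr_type: int, value: bytes, tag: int = 0) -> bytes:
    """RADIUS attribute TLV with the one-byte Tag field that tunnel attributes
    carry. Tag 0 means 'untagged', which is what switches expect for VLANs."""
    body = bytes([tag]) + value
    return bytes([attr_type, 2 + len(body)]) + body


def vlan_attributes(vlan_id: int) -> bytes:
    """The three attributes that together tell an authenticator which VLAN to
    put the port in (RFC 3580 section 3.31)."""
    return (
        tunnel_attribute(TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + tunnel_attribute(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + tunnel_attribute(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode("ascii"))
    )


def radius_response(code: int, identifier: int, request_authenticator: bytes,
                    attributes: bytes, secret: bytes) -> bytes:
    """RADIUS response packet. The Response Authenticator is the RFC 2865 MD5
    over Code+ID+Length+RequestAuth+Attributes+Secret. MD5 is what the protocol
    mandates; it only stops a party without the shared secret from forging."""
    length = 20 + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def enforce(decision: str, identifier: int, request_authenticator: bytes,
            secret: bytes, enforce_mode: bool = True) -> bytes:
    """Turn a NAC decision ('full', 'guest', 'quarantine', 'deny') into the
    packet the switch acts on. enforce_mode=False is the 'no enforcement'
    rollout step: every endpoint lands on the full-access VLAN regardless of
    the decision, so compliance can be watched before enforcement is turned on."""
    if decision != "deny" and decision not in VLANS:
        raise ValueError(f"unknown decision {decision!r}")
    if not enforce_mode:
        decision = "full"
    if decision == "deny":
        return radius_response(ACCESS_REJECT, identifier, request_authenticator, b"", secret)
    return radius_response(ACCESS_ACCEPT, identifier, request_authenticator,
                           vlan_attributes(VLANS[decision]), secret)


def parse_attributes(attributes: bytes) -> dict:
    """Walk the attribute TLVs back out, as a switch does on receipt."""
    out, i = {}, 0
    while i < len(attributes):
        attr_type, length = attributes[i], attributes[i + 1]
        if length < 2 or i + length > len(attributes):
            raise ValueError("malformed attribute")
        out[attr_type] = attributes[i + 2:i + length]
        i += length
    return out


def assigned_vlan(packet: bytes):
    """What the switch does with the response: None means the port stays
    unauthorized, otherwise the VLAN number the port is placed in."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    attrs = parse_attributes(packet[20:])
    if (attrs.get(TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big")
            or attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")):
        return None
    group_id = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if group_id is None:
        return None
    return int(group_id[1:].decode("ascii"))


if __name__ == "__main__":
    # Constructed request authenticator and secret, as the switch would have them.
    req_auth, secret = bytes(range(16)), b"example-shared-secret"
    for outcome in ("full", "guest", "quarantine", "deny"):
        pkt = enforce(outcome, identifier=7, request_authenticator=req_auth, secret=secret)
        print(outcome, "->", assigned_vlan(pkt))
```

The Access-Reject carries no VLAN attributes at all: the port simply never leaves the unauthorized state, which is what "completely blocked from the network" means in 802.1X terms. Quarantine is just another VLAN from the switch's point of view; the NAC system is what decides that VLAN 99 only reaches remediation servers.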
What do you think of these different enforcement approaches? What’s working for you (or not)? Add a comment and let me know.
Assessment is a key part of any NAC system: gathering data about the endpoint and the user before an access control decision is made. There are so many different ways to do assessment. Let’s take a look at them.
Agent - Placing permanent software (an “agent”) on the endpoint allows security checks to remain in force even when the endpoint is not connected to the network. However, many companies and most guests are reluctant to install a permanent agent.
Web-based - A lightweight solution for guests and others is to download a bit of software (ActiveX or Java) through the user’s web browser and do a quick scan of the system. However, there are many limits to what this scan can check.
None - How can you assess an endpoint without any software on it? There are several options. You can probe it from the network (a port scan or an RPC query) or monitor its communications (passive assessment). For some devices, like printers, this is the only option. The assurance is lower than with the other methods: a probe only sees what the endpoint chooses to expose, and a passive monitor only sees what the endpoint sends. Still, probing and monitoring are valuable techniques that should not be underestimated.
As you can see, each of these options has its pros and cons. Many NAC systems these days offer all three choices, allowing administrators to use different assessment methods for different users and devices.
Now that we have a simple definition of NAC, let’s take a closer look at how it works. The NAC process generally has three steps:
Assessment - identifying systems to check and gathering data about them
Evaluation - deciding what network access should be granted
Enforcement - enforcing decisions made during the Evaluation step
NAC may include other steps like remediation (fixing problems with the endpoint) and ongoing monitoring (of endpoint behavior and health) but the three steps listed above are the primary ones. Let’s look at each of those steps in more detail.
Assessment is all about gathering the data needed to make a NAC decision. This can include information about endpoint health, user identity, endpoint identity, and even other things like endpoint behavior and geographical or network location. There are many ways to do assessment: installing software on the endpoint, running a remote scan, etc.
Evaluation varies from one NAC system to another but it generally involves comparing the information gathered during the assessment step against a NAC policy to decide what network access should be granted. These policies can be complex, with different rules for different groups. For example, “engineers have no endpoint requirements but can only access engineering equipment and company-wide services”.
Enforcement ensures that the appropriate level of network access is granted, based on the results of the Evaluation step. There are many ways to do enforcement: with switches, wireless access points, firewalls, etc. Each approach has its own pros and cons.
In order to really understand NAC, we need to dive deeper. I’m going to write a separate article on each of these steps, looking at the various technologies people use (802.1X, firewalls, NAC appliances, etc.) and the pros and cons of each.
Message Edited by SteveHanna on 09-05-2008 02:22 PM
Network Access Control (NAC) is one of the hottest buzzwords in networking. Every vendor has a NAC product - or at least they’ve found a way to relabel their existing product as a NAC product. But what does NAC really mean?
The basic concept is simple. You need to control who can access your network and what they can do once connected.
With wireless networks, this is essential. An open wireless network is like an open door. Walk right in and steal our data! Please! But wireless networks are just the most extreme case. With guests and contractors in the building, wired networks aren’t much safer.
So NAC is a way to control access to your network. That’s a good start. Remote access gateways have included network access control for ages. But modern NAC goes way beyond traditional access controls. First, access controls can be applied to every part of your network, not just to remote users. Second, you can prevent the spread of viruses by checking the health of each machine when it connects to the network. Health checks are especially important for guests, contractors, customers, and other people whose machines are not controlled and managed by IT. You may also want to impose other access controls, like nobody can access the finance servers while they’re backing up at night.
So my full definition of NAC is
a way to control access to all parts of a network by checking user identity, endpoint health, and other factors
That’s it! Of course, the ideal NAC system is secure, reliable, scalable, cost-effective, easy to use, and easy to manage. But those are standard requirements for all enterprise-grade systems. In a future post, I’ll explore different NAC technologies and how they fulfill the promise of NAC.