In-Depth
NAC Testing Options: Validating Endpoints and Their Health
In the second part of our three-part series about network access/admission control, we examine considerations when testing the health of endpoint devices
As with enforcement methods we discussed last week (see http://esj.com/Security/article.aspx?EditorialsID=2282), you will need a variety of Network Access/Admission Control (NAC) policies and testing technologies to achieve 100 percent coverage of endpoints on your network. This week we examine what you should consider when testing the health of your endpoint devices.
The available testing technologies today are:
Agent-less: nothing is downloaded or installed on the endpoint device
Agent: an installed service
ActiveX or Browser Plug-in: downloaded via a browser
Scanner: performs an IP based vulnerability scan.
Three different frameworks also exist that enable testing. These are emerging technologies that your NAC vendor should either already support or have plans to support.
These three frameworks are almost identical in architecture.
Figure 1 shows a combined architecture diagram with each of the framework’s implementation and terminology listed in the appropriate components. They are all agent-based and require client software to be downloaded or installed. Windows Vista will have the MS NAP client built in by default. The TNC framework, when compared to Cisco NAC and Microsoft NAP, has the biggest advantage in that it has the most potential to become a standard and will operate across switch and OS vendor platforms.
Each of these frameworks has a mechanism for handling unmanaged endpoints. Until the time one of these frameworks emerges as the recognized industry standard, it is important to be able to flexibly test the widest range of endpoints. Today’s NAC solutions should support some combination of the testing methods described below to provide that interim flexibility.
Method #1: Agent-less
The agent-less testing method uses an endpoint administrative account to connect via the Windows RPC service or SSH on Unix endpoints. This method is best when a centralized user management system exists that is used by all endpoints. Otherwise, it can become a management headache for users to specify their credentials for testing or for the NAC admin to maintain user accounts for each endpoint. This method is also best when you want to test endpoints without impacting the network since no install or download is required to get testing results.
Advantages:
No install or download is necessary. This makes it great for gathering test results before implementing enforcement of your security policy.
Great for networks where all devices are on a Windows Domain since you can use a domain administrative account to log into the device for testing.
Disadvantages:
SMB protocol is slow since it may require several network round trips when querying an endpoint.
Difficult for users to specify credentials for testing.
NAC solutions based on Nessus have local checks that use this agent-less technique but may be difficult to configure and fine-tune user accounts.
For Windows, this method may have limited functionality compared to an installed agent.
The agent-less method is best for managed endpoints and networks with a centralized user management system, and well as unmanaged endpoints where users can provide administrative credentials.
Method #2: Agent
An installed-agent testing method offers the greatest number of potential capabilities. It can take full advantage of a platform’s API. An agent-based solution should use strong SSL encryption (generate certificates and validate the certificate on the client and server) to communicate with endpoints and take measures to secure any information it gathers and any operations it can perform.
Advantages:
Efficient testing method that requires little network traffic.
Since this is a service that runs in the background, it is always available to test and enforce policy as the policy evolves and as new threats arise.
May offer capabilities to remediate and lock down critical resources on an endpoint (e.g. only allow specific wireless SIDs to be connected).
Disadvantages:
Requires yet another software package to be installed on the endpoint. There are risks associated with any installation including upgrades, DLL mismatches, etc.
The user needs administrative privileges to install a service-based software package.
The Agent method is best for managed endpoints and when testing performance is critical.
Method #3: ActiveX or Browser Plug-in
A downloaded ActiveX or browser plug-in is really just an agent that happens to run within a browsers memory space. Don’t confuse this with “clientless” testing. This testing method works by capturing a user’s attention in their browser, similar to the way airport wireless networks redirect you to pay for access to the network.
Advantages:
An application disappears from memory as soon as the browser closes, so there is less memory and processor overhead.
Downloading a plug-in may be more acceptable to contractors or users with unmanaged endpoints than installing an actual software package.
A user is more likely to have enough privileges to download and test with a plug-in as opposed to installing an agent that runs as a service.
Disadvantages:
Only resident and available while browser is open. Once the browser closes, it will be impossible to retest the endpoint as policy changes, so this is really a one-time test before entry onto the network.
Requires user interaction. Users will have to open their browser to download the plug-in and get tested.
Plug-ins are browser specific. ActiveX may only work in Internet Explorer. Check with your NAC vendor about what browsers are supported with their plug-ins.
This method is best for unmanaged endpoints and networks where a one-time test is satisfactory for access to the network.
Method #4: Scanner
Network-based scanner solutions are typically based on the Nessus vulnerability assessment tool. These tests can check service banners but do not provide critical pieces of information about an endpoint’s security (such as antivirus .dat file versions, spyware detection, and local security policy). A network-based scan may take several minutes to run. Users will not wait minutes to get logged onto the network and will usually call for support!
Advantages:
A truly agent-less approach
Works with any operating system
Can perform an exhaustive scan from the network perspective
Disadvantages:
May be too slow to test endpoints. Surveys show that users will call for support if it takes them more than 30 seconds to get onto the network.
May not be able to check local security policies and local software state as easily as an agent-based method.
This method is best for unmanaged endpoints and networks where time to access the network is not a big concern.
Making a Choice
Given these testing methods, it can be difficult to choose a NAC vendor. It’s also easy to see why it is so important to choose a NAC vendor that gives you a choice of test methods.
Once you have your endpoints tested and your enforcement implemented, users will be quarantined. You’ll need a way to easily notify the user and admin, patch their systems, and quickly get them onto the network. You’ll also want to know how to get the most out of your NAC solution while leveraging your existing security investments.
The final article in this series, available next week, will discuss options for notification and remediation along with NAC integration techniques and technologies.