NAC Up Close: Policy Enforcement Options
In the first part of our three-part series about network access/admission control, we examine key technologies and issues so you can choose the right NAC solution for your network.
Making intelligent decisions around a network access/admission control (NAC) solution for your network has become difficult. Several software companies have jumped on the NAC bandwagon adding confusion to what NAC truly is.
Put simply, NAC is a class of technologies that force a user and endpoint device to prove their identity and health before they gain access to a network and its resources. NAC goes beyond logins and passwords to enforce user and endpoint policy before obtaining an IP address, before their port forwards traffic, or before they have access to resources on a network. An NAC solution provides enforcement of policy at the network level rather than at the endpoint or software level.
NAC solutions have three main components:
- Enforcement: How do you stop unauthorized users and endpoints from accessing your network until they have been proven certified and safe?
- Testing: How do you validate users, endpoints, and the health of an endpoint?
- Policy and integration with other security tools – How can NAC work with other security technologies to create a layered security model?
This article, the first of a three-part series, discusses enforcement technologies and considerations when choosing the appropriate NAC solution for your network.
NAC Policy Enforcement Options
There is no silver bullet when making a decision on enforcement technologies. Most networks are heterogeneous throughout, have different entry points, and require a combination of enforcement technologies to achieve 100 percent coverage.
There are four main enforcement methods to consider: 802.1x, DHCP, Inline, and IPSec Health Certificates.
802.1x is the preferred enforcement method. An endpoint connects to a switch and its port is blocked from passing traffic. The switch challenges the 802.1x supplicant (client software) on the endpoint to provide authentication credentials typically using a variation of the Extensible Authentication Protocol (EAP). If authentication succeeds, the endpoint health is verified.
The health information of an endpoint may be passed to the server within the EAP authentication protocol at layer 2 or after the authentication at layer 3. NAC solutions that get health information at layer 3 are more accessible because the currently available EAP protocols that allow for embedded health information at layer 2 are vendor specific and/or alpha technologies.
Once the endpoint is verified as “healthy,” the endpoint is dynamically moved into a production VLAN. If “unhealthy,” the endpoint is placed in a restricted quarantine VLAN for remediation or its port is shut down and access is not allowed. The VLAN switching is accomplished via the RADIUS protocol and uses attributes the RADIUS server can send to the switch after authentication.
- Do your endpoint devices have 802.1x compatible network software?
Do your switches support 802.1x, or is it feasible to upgrade your switches and switch OSs? Check what switch models and OS versions are supported with your NAC vendor.How will unmanaged endpoints get onto your network?
- Windows 2000 and MacOS 10.x and above have a built in and easily configurable 802.1x supplicant.
- Linux distributions currently do not have built-in 802.1x supplicants, but there are open source supplicants, such as Open1x, available to install.
- In addition, many switches have Web-authoring functionality that allows a non-802.1x compatible endpoint to authenticate to a port via a Web page rather then an 802.1x supplicant.
4. Can you implement new VLANs throughout your network easily?5. Do you have IP phones that act as hubs or unmanaged switches on your network? IP phones may cause a problem with 802.1x if endpoints are plugged directly into the phone—most 802.1x switches can only authenticate one endpoint per port.
- Unmanaged endpoints present a particular challenge for 802.1x because you may not be able to control whether the endpoint has the appropriate 802.1x and testing software installed.
- You’ll need a way to distribute credentials and install/download software so they can authenticate to the network.
- One option is to send unmanaged endpoints into a default VLAN with limited access and bypass the whole NAC procedure.
- Another option is to create the registration page where the user can register for a user name and password and temporary access to the network and download the testing software in the form of a plug-in or ActiveX control. In this case, you must consider if your unmanaged users will have access to download and run ActiveX controls or install software on their endpoints.
The DHCP method of enforcement is a good step to 802.1x enforcement if your network is not currently 802.1x compatible. DHCP is not as secure because it cannot enforce compliance on endpoints with static IP addresses. Even so, DHCP will prevent the vast majority of users with non-compliant or infected endpoints from gaining access to your network.
DHCP simply assigns quarantined or unknown endpoints to an IP address that is restricted by ACLs at the gateway and DHCP settings that do not allow the endpoint to communicate with other endpoints (assigning a netmask of 255.255.255.255 and no gateway restricts communication to only IP addresses for which a static route is assigned).
- Is this method secure enough to meet your needs? Assigning a static IP address avoids the enforcement completely.
- Is your DHCP architecture compatible with this method? You’ll either need to put a NAC server inline with your DHCP servers or install a plug-in on your DHCP servers.
Inline NAC solutions work as a layer-2 bridge between two points in the network. Typically they are used behind a VPN or RAS device. These are very easy to deploy and very secure. They have an internal firewall to restrict traffic from quarantined IP addresses.
- Can you bridge all traffic between two points in your network? On one side are the un-trusted endpoints and on the other side are the critical resources.
- Will the bridge scale to the bandwidth required to support traffic flow between the trusted and un-trusted networks?
IPSec Health Certificates
IPSec Health Certificates is an enforcement technology that will be available in Microsoft NAP. This technology is only as secure as your IPSec infrastructure. It uses the trust relationship of certificates installed on each endpoint to allow or restrict communications via IPSec. So, endpoints on your network not using IPSec will be vulnerable.
IPSec Health Certificates Considerations
- How feasible is an IPSec rollout to all endpoints on your network?
- Since this technology will be available via Microsoft NAP and Windows XP and later, you’ll need to consider if this will be sufficient to handle older Windows and non-Windows operating systems.
As the NAC market and technologies mature, some standards are likely to emerge as well. It is important that the vendor you choose has plans to support emerging standards and has an easy upgrade path to those new technologies. There are, however, a variety of NAC technologies to make NAC work for your network today. In next week’s article I’ll discuss what to consider when testing the health of endpoint devices.