NAC: Remediation and Integration
Options for notification and remediation, as well as NAC integration techniques and technologies.
Even though NAC has been put on the top of the priority list for security administrators, other security technologies cannot be ignored. A good NAC solution should integrate seamlessly with other technologies like intrusion detection, vulnerability assessment, identity management, and remediation tools to create a layered security model. As a result, administrators make network access decisions based on data from multiple security systems. This provides them with the network security control—and the sound night’s sleep—they have been searching for!
Creating a truly policy driven network is easier said then done. It requires coordination between many components. Since NAC performs the access control piece for the network, it makes sense that it should be the coordination center for policy decisions. To do so, NAC tools should have open and accessible APIs (Application Programming Interfaces).
Look for APIs that allow the following:
- The ability to perform custom actions in specific situations. For example, when a new device is discovered; a user is authenticated or fails authentication; an endpoint fails a health check; and when an endpoint is allowed or denied access to the network.
- External control. This includes allowing or denying an endpoint access to the network, gathering information about endpoints and users on the network, and initiating a policy test on the endpoint.
- The ability to customize and extend the out-of-box default tests. Having full access to the testing mechanisms will allow you to create tests for security issues unique to your network environment.
These APIs will allow you to integrate your NAC solution with other components on your network if necessary. A NAC solution’s existing policy capabilities should also facilitate the following integrations.
Local Area Intrusion Detection and Prevention
Before an endpoint is authenticated and tested, and once a healthy and compliant endpoint has been admitted to the network by your NAC tool, an intrusion detection/prevention system (IDS/IPS) should search for suspicious activity from the endpoint. Before admittance, the NAC policy engine should query and consider the IDS/IPS information to see if there has been any suspicious activity from the endpoint. After admittance, if the IDS/IPS detects suspicious activity, indicating a change in posture, the NAC solution should allow the IDS/IPS to dynamically trigger a policy decision and potentially quarantine the endpoint.
IDS/IPS’s are known for their high degree of false-positives. So, the signatures or behaviors that trigger the NAC solution to quarantine should be carefully chosen.
In addition to integrating with IDS/IPS, vulnerability assessment (VA) tools should also be used in conjunction with NAC. Before admittance, the NAC policy engine should query the VA rolodex for critical vulnerabilities on the endpoint. If a new critical vulnerability is found after admittance (indicating a change in security posture) the VA tool will dynamically trigger a policy decision within the NAC solution and potentially quarantine the endpoint.
There may be some overlap in functionality between the vulnerability checks performed by the VA tool and the health tests performed by your NAC solution. VA tools however, have the capability to do a much more thorough scan of an endpoint from a network perspective. So, the vulnerability scan should be performed out of band with the network access decision.
Identity management (IDM) systems provide a more centralized and secure way to authenticate users as well as assignment of user and group level network access privileges. When the NAC solution authenticates a user to the network it should have a mechanism to take advantage of the IDM authentication mechanism. For 802.1x NAC implementations, this is a feature of the 802.1x supplicant which must support your IDM vendor’s authentication scheme. It must also respond to a switch’s 802.1x authentication challenge with the appropriate IDM certificate or credentials.
After a user’s authentication and health have been verified, the IDM and NAC solution should coordinate to assign the appropriate access rights or VLAN placement for the user. For 802.1x NAC implementations this occurs during the RADIUS response, in which the IDM and NAC must coordinate their RADIUS attributes to assign the appropriate ACLs, QoS, bandwidth and VLAN for the user.
Once an endpoint is placed in quarantine due to health issues you’ll want to get them out of quarantine as quickly as possible (and hopefully without a support call). There are several remediation strategies, each useful for different situations. A good NAC solution should support at least two of these remediation techniques so you have 100 percent coverage across different types of users.
- Self-remediation: This functionality alerts a user via a popup or redirects a user’s browser to a web page that instructs the user how to fix their system. This is most useful for unmanaged endpoints for which you cannot install software or patches, or for issues that patch management solutions can not handle.
- Auto or built-in remediation: Some NAC tools provide a mechanism to download and run a script or executable to automate a simple fix on an endpoint. This is also useful for unmanaged endpoints for which you cannot install a patch management client.
- Third-party remediation: If you already have a patch management system in place you’ll want your NAC solution to use it to patch issues as soon as an endpoint is quarantined. Once patching is completed, the NAC solution should revalidate the health of the endpoint so it can be granted access to the network. A seamless integration with a patch management solution includes the ability to launch a patch as well as the ability to synchronize the patch manager policy with the NAC policy.
With all of these security tools and integrations you’re probably wondering if there is one vendor that does it all. The answer is “no” at this point in time. However, NAC vendors are expanding their functionality and embedding these technologies quickly. Never-the-less, if you have a large investment in these other security technologies it will be important for a NAC solution to integrate with them seamlessly.
Dave Greenstein is the Chief Architect at StillSecure where he is responsible for the technical vision of the StillSecure product suite, including their NAC solution, Safe Access. Dave has more than 10 years of experience in the Web analytics and network security industries.