Knowing What You Need

Yesterday, I spent about four hours yesterday configuring a Cisco Aironet 1240AG access point, a Cisco 3750 switch, and an HP Procurve switch to authenticate hosts using 802.1X against a Windows 2003 Enterprise Server AD deployment. During the deployment I was reading the docs for the switches (yeah, yeah, shocking), and noted that the 802.1X configurations could be set with default actions like putting the port into a default VLAN, if an 802.1X authentication failed or there was no supplicant on the host (there are some other features I will dive into at a later date). So I have to wonder, if you can run 802.1X and you simply want to keep outsiders on a guest VLAN with limited resources, do you really need a NAC system? I was sitting down to read some news and check email when Dan Clark from Lockdown Networks IM'd me. We chat about amplifiers, coffee, geek stuff. While we were talking, I asked him the question I posed above and he pointed out some obvious issues with my simple scenario like the access decision is rarely a binary one, not all organizations have 802.1X capabilities everywhere, and sometimes organizations want to intercede in a session perhaps to force a user to accept a EULA. These are all good points and if your goal is a more complex policy decision than employee/guest, a NAC system maybe in your future. But if you needs are simple, look to what you already have.

The Desktop ProblemI have read the NAC materials from vendors, gotten the vendor briefings, taken the products for a test. I get it. In very simple terms we can lump computers into two groups-those that are managed like corporate owned computers and computers that are unmanaged that are brought in by guests and contractors. Managed computers should be under IT's control and as such, with proper desktop management practices should be able to keep them up to date and patched. If that is the case, then the risk of infection is vastly reduced. If you follow the practice of least user privilege-taking users out of the local Administrators group, for example-will also go a long way to blocking the most egregious issues.

There is a whole industry dedicated to desktop management covering topics as diverse as asset management, patch management, application management, rights management, data management, configuration management, and back-up management. If your laptops are properly managed, then the chances of getting infected while off-site should be pretty low and with desktop management practices in place, you get all the benefits of managed systems.

A NAC solution in this case can be used as a check in a check and balance system. For example, the patch management product says all hosts have a certain patch, but this particular host reports the patch doesn't exist, so let's take some action like starting an update or notifying desktop support. There are lots of interesting things you can do.

The Guest ProblemGuests pose a unique problem depending on the level of access they need. A simple policy might state that guests can only access the Internet. By putting unauthenticated computers on specific VLAN, they will be segregated from the corporate LAN. But contractors, consultants, system engineers, and others often need access to corporate resources and will come equipped with their own hardware. Simply telling them they can't use their equipment may not be possible or even desirable.Knowing what software a guest computer is running or the computers configuration really doesn't tell you anything meaningful or even useful. If a consultant's laptop is running Windows XP Service Pack 1, their IT department may have a very good reason for doing so. Perhaps some critical application won't work with Service Pack 2. Better yet, if the consultants company uses an anti-virus application that is different from yours, how do you know 1) that is acceptable and 2) that it even works? You don't unless you research all anti-virus packages. These are just two examples of potential ambiguities that can't be easily resolved.

Perhaps the practical response is to use the NAC system to restrict access to specific resources-much like an in-line firewall might do-and monitor their activity via the NAC system or an external product like an IDS or network anomaly detection engine.

Unmanaged Corporate ResourcesIf you have deployed an appliance like an IDS, firewall, IP PBX, network camera, printer, DNS appliance, etc on your network, you have an unmanaged computer to deal with. In most cases, you don't have the ability to patch or install software on those systems and more to the point, doing so violates any warranties or service contracts. Several years ago we have a network connected camera broken into and was scanning for other hosts to infect. The spate of vulnerabilities in the early years of Windows affected any appliances that also ran Windows 2000 as the base OS.

In many cases, the only solutions are to white list the host taking it out of the NAC system, lock down access to just the services that are needed using an external firewall or something similar, and monitor activity using an IDS/IPS or network anomaly detection system.

Using what you already haveWhile I am not necessarily a fan of the "layered security" model where multiple security technologies are deployed in the hopes that overlapping features will keep the worst out, you can use your existing infrastructure to mitigate many of the risks before going the NAC route.VLAN's, routing, and network firewalls are good ways to restrict access to servers and can provide much of the functionality of a NAC. Placing IDS/IPS, network anomaly detection, and network monitoring at the choke points can serve to monitor any activity to and from the restricted VLAN. You may have to do a little re-architecting.

Modern switches from Cisco, Enterasys, Extreme, Foundry, and HP, to name a few, have been adding advanced features to their access switches that perform functions like track DHCP leases, can lock MAC addresses to port dynamically, apply ACL on a per MAC basis, quell broadcast storms, and ARP spoofing.

Basic 802.1X in a Windows environment using passwords for wired and wireless access is pretty simple and straight forward. You can even steer users into specific VLAN's based on their credentials or set-up a default VLAN for unauthenticated users.

Exploring existing options will not only help you determine what you requirements are, but pilot projects will help define your requirements before you embark on a NAC deployment.