Tutorial: Network Access Control (NAC)
Network access control helps overburdened security groups level the playing field. Here's how to get started protecting your networks from malicious or misconfigured hosts.
July 17, 2007
No network is airtight—malware continues to get in, whether via mobile employees, guest or contractor laptops, or end users downloading dodgy content. Antivirus software at the gateway or on the desktop helps with computers under your control, but guests and unmanaged servers remain problematic. And let's face it: Sometimes attackers are just smarter than we are. Even companies following best practices get hit.
We don't mean just security best practices, either. Protecting the network from malicious hosts is, ultimately, a desktop management function. NAC is what puts teeth in your policies, providing an enforcement mechanism that helps ensure computers are properly configured. By weighing such factors as whether a user is logged in; her computer's patch level; and whether anti-malware or desktop firewall software is installed, running and current, IT can decide whether to limit access to network resources based on the host's condition. A host that doesn't comply with your defined policy could be directed to remediation servers, or put on a guest VLAN.
Remember Slammer? If a company could have determined that a host was running an unpatched version of MSDE 2000 and denied access until it was patched, Slammer would have had a much less dramatic effect.
That's the promise, but NAC is no magic bullet. The solution to the Slammer scenario is to either patch the vulnerable system when you can, or remove access to MSDE from the network. But if your NAC system doesn't check for applications like MSDE or their patch levels, it wouldn't preclude a vulnerable node from accessing the network.
General Architecture
Three basic components are found in all NAC products: the Access Requestor (AR), the Policy Decision Point (PDP) and the Policy Enforcement Point (PEP); see General NAC Framework diagram in the image gallery. Vendors have their own names for these, but we'll use the terms defined by the Trusted Computing Group Trusted Network Connect working group because they're fairly clear-cut.
FRAMEWORK SUMMARY
| | Cisco Network Access Control | Microsoft's Network Admission Protection | Trusted Computing Group, Trusted Network Connect |
|---|---|---|---|
| Host Assessment | The Cisco Trust Agent will be used for Windows pre-Longhorn and Vista, and Red Hat Enterprise 3 and 4. | Microsoft's NAP agent and 802.1X supplicant are part of Windows Longhorn and Vista. APIs are available for other vendors to create and integrate system health agents (SHAs) into the NAP framework. The vendor is responsible for how and what the SHA communicates to the NAP client. For example, self-assessment and real-time change notification are not required. | The TNC specifications deal with communication between an AR and a PDP as well as how software can communicate with the TNC AR. Another system performs the assessment. |
| Validation | Credentials and assessment data are sent to the ACS for validation. The ACS sends them along to Microsoft's Network Policy Server. The ACS selects a policy based on the response from the NPS. | The NPS integrates with external Policy Servers, such as AV and patch management systems, to assess a host's health. | TNC-developed protocols and APIs specify how components communicate. |
| Enforcement | Cisco hardware is responsible for enforcing the access policy sent by the Access Control Server. | Quarantine may be accomplished by allowing or denying a host access to a VPN or integrating with external systems. | TNC-developed protocols and APIs specify how components communicate. |
| Partner Programs | Cisco has a large partner program populated with a number of well-known product vendors. Cisco and Microsoft both claim that they will be supporting their own partner programs as well as the NAC/NAP program. Microsoft is planning on migrating its partners to the new API for Longhorn and Vista. | Microsoft has a large partner program, and unlike Cisco, also has a number of infrastructure vendors in the fold. Microsoft also appears to be a strong partner with the Trusted Network Connect working group as well as with Cisco. | The specifications are available for download. Members of the TCG can participate in the working group. Microsoft has released its Statement of Health protocol for the TNC specification. |
| Interoperability Testing | Cisco uses AppLabs, which acquired KeyLabs, for interoperability testing in the NAC program. NAC partners are expected to develop and test their products. | Microsoft has no plans for an interoperability testing program. | The TNC is planning future compliance programs, but is otherwise mum on the issue. |
Individual functions of the PDP and the PEP may be contained on one server or spread across multiple servers, depending on vendor implementation, but in general, the AR requests access, the PDP assigns a policy, and the PEP enforces the policy.
The AR is the node that is attempting to access the network and may be any device that is managed by the NAC system, including workstations, servers, printers, cameras and other IP-enabled devices. The AR may perform its own host assessment, or some other system may evaluate the host. In either case, the AR's assessment is sent to the PDP. The PDP is the brains of the operation. Based on the AR's posture and a company's defined policy, the PDP determines what access should be granted. In many cases, the NAC product management system may function as the PDP. The PDP often relies on back-end systems, including antivirus, patch management or a user directory, to help determine the host's condition. For example, an AV manager would determine whether a host's AV software and signature versions are current, and inform the PDP.
Once the PDP determines which policy to apply, it communicates the access control decision to the PEP for enforcement. The PEP could be a network device, like a switch, firewall or router; an out-of-band device that manages DHCP or ARP; or an agent on the AR itself.
NAC Cycle
When a host attempts to connect to a NAC-enabled network, there are typically three phases: pre-admission or post-admission assessment, policy selection, and policy enforcement. The criteria governing each step are based on your company's policy and your NAC system's capabilities.
Before you select a product, determine exactly what your company's goals are. For example: How far out-of-date can patches or AV signatures be before a host can no longer access the network? What is the acceptable condition for a guest host before it can have access? Do you want to base access on user ID or not?
The NAC cycle may end at the enforcement stage or continue, depending on the product and the policy.
Assessment
The NAC cycle begins and ends with assessment. Pre-admission assessment occurs before a host is granted full access to the network. Post-admission assessment, after access has been granted, enables a host to be periodically reassessed to ensure it does not begin to pose a threat. Host assessment gathers information, like a host's OS, patch levels, applications running or installed, security posture, system configuration, user login, and more, and passes it to a PDP. What information is gathered is a function of your defined policy and the NAC product's capabilities.
NAC Assessment Methods
Host assessment is a fundamental part of determining the state of a host and the kind of access it should receive. These are the common assessment methods used today. Many NAC vendors support at least two of these methods.
| Method |
|---|
| Persistent Agent |
| Dissolvable Agent |
| Remote Procedure Call |
| Vulnerability Scan |
| Passive Monitoring |
Assessments can use either a permanently installed agent, common in host-based NAC, or, more commonly, dissolvable agents, so named because they are based on Java or ActiveX and disappear after they're used. Dissolvable agents are sometimes called agentless NAC, but this method does in fact involve agents that must be downloaded and installed on the host computer.
Problem is, the security models in Windows, Mac OS X and Linux often require agents, either permanent or dissolvable, to have local administrator rights in order to run. This becomes a problem in organizations that (wisely) don't let laptops and desktops run with local administrator privileges. In some cases, agents may need administrator privileges only the first time they're installed; that may allow IT to work around this limitation.
But what if you can't place an agent on a system? In that case, agentless assessments are conducted through remote scanning methods, such as running a vulnerability scan, or by using RPC (remote procedure call) or WMI (Windows Management Instrumentation) to query a host. Alternatively, passive scanning, using intrusion detection and network anomaly detection, looks for malicious hosts based on actual traffic. An assessment could even be defined as forcing a user into signing off on an Acceptable Use Policy before being granted access to the network.
Post-connection reassessments occur after the host is granted access. These are overlooked at your peril because a host's condition can change while connected. A worm might be activated, or a malicious user could start attacking. Post-connect assessments can be initiated automatically after a set time period; by an administrator as needed; or based on a change in the host, such as a desktop firewall or AV being disabled. New assessments are compared with the current policy, and defined actions are taken.
An interesting twist to post-connect assessments is products that use passive network monitoring, either within the NAC system or by integrating with an existing intrusion detection or network anomaly detection system, to alert on malicious activity. These external monitors alert on network traffic and can detect problems missed by host-based assessments.
Policy Selection
Robust policy definition is critical to a successful NAC deployment. Defining rules that are flexible enough not to unduly burden end users yet strict enough to protect the network will take planning and testing. A binary policy, such as, "Comply with the current policy or be denied access," sounds good on paper, but often fails in the real world. A laptop that has been offline, say while a user went on vacation, may not be up-to-date on its AV signature, but that doesn't mean it's infected. Do you really want to cut an employee off, or would it be better to get the laptop current in the background while the user continues to work?
Fortunately, NAC policy engines aid in policy creation. Finding an engine that fits your needs in terms of ease of use and granularity is especially vital as NAC vendors add more features to their products, and policy interfaces reflect this growing number of options. Like any management UI for a complex system, features like grouping, the ability to build custom objects and easily readable rule sets are important.
How external systems are integrated is equally crucial. For example, if your NAC system uses Active Directory for user authentication, the management system should be able to synchronize objects like users and groups from within AD, rather than having to recreate them. In a similar fashion, antivirus products, managed firewalls and patch management systems should also feed the management UI seamlessly.
A word on politics: It's dicey business for IT to make policy decisions dealing with upper management. But resist the temptation to treat executives differently. The CFO's laptop is no less vulnerable to attack than that of a field representative. Educating about sound practices and, where applicable, pointing to regulatory compliance implications can help here.
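The graduated policy argued for above (remediate a stale-but-healthy laptop in the background instead of denying it, quarantine only when posture is actually unsafe, and re-run the decision after admission when something on the host changes), as an added Python example that is not part of the original article: a toy PDP that maps an Access Requestor's reported posture to one of the enforcement methods the article names. The `Posture` fields, the day thresholds and the sample hosts are constructed assumptions, not values from any vendor's product.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed thresholds (assumptions, not from the article): how stale AV
# signatures and patches may be before the PDP changes the host's access.
AV_REMEDIATE_DAYS = 7      # older: keep working, push an update in the background
AV_QUARANTINE_DAYS = 30    # older: walled garden until updated
PATCH_QUARANTINE_DAYS = 45


@dataclass
class Posture:
    """What an agent or remote scan reports about an Access Requestor (AR).
    None means the value could not be collected; it is treated as stale."""
    user_logged_in: bool = False
    av_running: bool = False
    firewall_running: bool = False
    av_signature_age_days: Optional[int] = None
    patch_age_days: Optional[int] = None


def _age(days: Optional[int]) -> int:
    # An unreadable age is the worst case: it must never pass as "fresh".
    return days if days is not None else 10**6


def decide(p: Posture) -> Tuple[str, str]:
    """Toy PDP: map a posture to (policy, enforcement method from the article)."""
    if not p.user_logged_in:
        return ("guest", "VLAN steering: guest VLAN")
    if not p.av_running or not p.firewall_running:
        return ("quarantine", "walled garden: remediation servers only")
    if (_age(p.av_signature_age_days) > AV_QUARANTINE_DAYS
            or _age(p.patch_age_days) > PATCH_QUARANTINE_DAYS):
        return ("quarantine", "walled garden: remediation servers only")
    if _age(p.av_signature_age_days) > AV_REMEDIATE_DAYS:
        # The vacation laptop: stale but not unsafe, so update it while the user works.
        return ("remediate-in-background", "full access; push AV signature update")
    return ("compliant", "full access")


def reassess(current_policy: str, p: Posture) -> Optional[Tuple[str, str]]:
    """Post-admission check: return a new decision only when the policy changes,
    e.g. a desktop firewall was disabled while the host was connected."""
    policy, enforcement = decide(p)
    return None if policy == current_policy else (policy, enforcement)


if __name__ == "__main__":
    vacation_laptop = Posture(True, True, True, av_signature_age_days=14, patch_age_days=10)
    print(decide(vacation_laptop))
    print(reassess("compliant", Posture(True, True, False, 1, 1)))
```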
Enforcement
Enforcement is the action defined in a policy in response to a host's state. It can range from doing nothing to logging an event to kicking a computer off the network. Typical access-control enforcements use 802.1X, DHCP and ARP management, DNS redirection to a walled garden, system updating, and rate shaping to alter traffic or a user's network access. Refer to the enforcement chart (below) for a rundown of methods.
NAC Enforcement Methods
Enforcement methods are the actions that are applied to computers. In many cases, enforcement is automated. Many vendors support multiple enforcement methods simultaneously, so you can select the best for each situation.
| Method |
|---|
| 802.1X |
| VLAN Steering |
| Host Enforcement |
| DHCP Management |
| ARP Management |
| Wildcard DNS |
| Walled Garden |
| Inline Block |
| TCP Resets/ICMP Messages |
| Patch, Update, Configure Change |
The thornier side of enforcement is dealing with exceptions. Hosts that can't be assessed using any of the defined methods still need enforcement of some kind. Think about all the devices on your network that you can't install software on—from printers to Web cameras to VoIP phones to application appliances. Typically, the only enforcement method is white-listing these devices' MAC addresses. However, because MAC addresses are easily spoofed, implement MAC-based security features in your access switches to prevent, or at least reduce the likelihood of, these attacks.
Deployment Styles
There are four basic ways NAC systems integrate into the network, each with benefits and drawbacks. Many NAC products provide for more than one deployment model.
>> In-line NAC puts an appliance as a bump in the wire, usually between the access switch and the distribution switch. When deciding where to place the device, remember that the farther you get from the hosts, the more potential targets are available to an attacker.
An in-line NAC product can block traffic, like a network firewall, but its ACL is tailored to individual hosts. Other enforcement methods, like VLAN steering, are also available. The benefit of in-line NAC is that if no other enforcement method is available, in-line blocking is still an option. The downsides are that you're adding another potential failure point (determine if the device fails open or shut), and you'll need one device for each enforcement point.
In Band (diagram)
>> Out-of-band NAC is more commonly used than in-band and covers products that are PDPs but use other methods, like 802.1X, DHCP and ARP management, or VLAN steering, to enforce policy. As hosts come online, the NAC product intervenes and performs some kind of assessment, then grants access where appropriate. The benefit of out-of-band NAC is that there's little impact on network performance, and fewer devices are needed. The effectiveness of out-of-band NAC depends on the discovery and enforcement mechanisms. DHCP control, for example, is easily bypassed if a host has a static IP address.
Out of Band (diagram)
>> Switch-based NAC is similar to in-band NAC, but rather than having enforcement between the access and distribution switch, enforcement occurs on the switch itself. What differentiates switch-based NAC from simply using 802.1X to control a port? Switch-based NAC offerings don't require 802.1X to communicate with the access requestor.
Once a host requests access, it's assessed using an agent or agentless scan, and then the PDP sets policy on the switch port. Switch-based NAC products also offer internal intrusion detection and anomaly detection on a per-port basis, so there's no need to integrate an external system. Like in-band NAC, switch-based NAC can also apply access controls to network application ports and by traffic type. Ideally, NAC should be enforced at port level for the finest control, so if you're planning on upgrading your switches, investigate advanced switch features.
Secure Switch (diagram)
>> Host-based NAC relies on an installed host agent to assess and enforce access policy. Installed agents are centrally managed, and the access policy follows the host even when it's off-network. Unlike network-based enforcement mechanisms, host-based NAC can control not only what traffic passes to and from the network, but also which applications can use the network. For example, there's no reason why a workstation should have a program attached to the mail port. Fine-grained control of the host agent and limited interaction with the user are compelling reasons for host-based NAC. Of course, there is another software agent that has to be managed, and guest and contractor access is often not well supported. In addition, non-Windows hosts may not be supported.
Out of Band (diagram)
Got That?
We've covered a lot of ground in this tutorial, and with forty-plus vendors in the NAC space (at last count) there's bound to be an excess of hype and hyperbole. Fundamentally, however, there are only so many ways to assess a host, and so many ways to enforce a policy. We will continue to expand this tutorial by diving deeper into the technology, testing products and challenging vendors.
Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs and former editor in chief of Secure Enterprise. Prior to joining this magazine, Mike worked as an independent consultant in central New York. Write to him at [email protected].