Tutorial: Network Access Control (NAC)


No network is airtight—malware continues to get in, whether via mobile employees, guest or contractor laptops, or end users downloading dodgy content. Antivirus software at the gateway or on the desktop helps with computers under your control, but guests and unmanaged servers remain problematic. And let's face it: Sometimes attackers are just smarter than we are. Even companies following best practices get hit.

We don't mean just security best practices, either. Protecting the network from malicious hosts is, ultimately, a desktop management function. NAC is what puts teeth in your policies, providing an enforcement mechanism that helps ensure computers are properly configured. By weighing such factors as whether a user is logged in, her computer's patch level, and whether anti-malware or desktop firewall software is installed, running and current, IT can decide whether to limit a host's access to network resources based on its condition. A host that doesn't comply with your defined policy could be directed to remediation servers, or put on a guest VLAN.

Remember Slammer? If a company could have determined that a host was running an unpatched version of MSDE 2000 and denied access until it was patched, Slammer would have had a much less dramatic effect.

That's the promise, but NAC is no magic bullet. The solution to the Slammer scenario is to either patch the vulnerable system when you can, or remove access to MSDE from the network. But if your NAC system doesn't check for applications like MSDE or their patch levels, it wouldn't preclude a vulnerable node from accessing the network.



General Architecture

Three basic components are found in all NAC products: the Access Requestor (AR), the Policy Decision Point (PDP) and the Policy Enforcement Point (PEP); see General NAC Framework diagram in the image gallery. Vendors have their own names for these, but we'll use the terms defined by the Trusted Computing Group Trusted Network Connect working group because they're fairly clear-cut.



FRAMEWORK SUMMARY
Columns: Cisco Network Access Control | Microsoft's Network Admission Protection | Trusted Computing Group, Trusted Network Connect

Host Assessment
  Cisco NAC: The Cisco Trust Agent will be used for Windows pre-Longhorn and Vista, and Red Hat Enterprise 3 and 4.
  Microsoft NAP: Microsoft's NAP agent and 802.1X supplicant are part of Windows Longhorn and Vista. APIs are available for other vendors to create and integrate system health agents (SHAs) into the NAP framework. The vendor is responsible for how and what the SHA communicates to the NAP client. For example, self-assessment and real-time change notification are not required.
  TCG TNC: The TNC specifications deal with communication between an AR and a PDP as well as how software can communicate with the TNC AR. Another system performs the assessment.

Validation
  Cisco NAC: Credentials and assessment data are sent to the ACS for validation. The ACS sends them along to Microsoft's Network Policy Server. The ACS selects a policy based on the response from the NPS.
  Microsoft NAP: The NPS integrates with external Policy Servers, such as AV and patch management systems, to assess a host's health.
  TCG TNC: TNC-developed protocols and API specify how components communicate.

Enforcement
  Cisco NAC: Cisco hardware is responsible for enforcing the access policy sent by the Access Control Server.
  Microsoft NAP: Quarantine may be accomplished by allowing or denying a host access to a VPN or integrating with external systems.
  TCG TNC: TNC-developed protocols and API specify how components communicate.

Partner Programs
  Cisco NAC: Cisco has a large partner program populated with a number of well-known product vendors. Cisco and Microsoft both claim that they will be supporting their own partner programs as well as the NAC/NAP program.
  Microsoft NAP: Microsoft is planning on migrating its partners to the new API for Longhorn and Vista. Microsoft has a large partner program, and unlike Cisco, also has a number of infrastructure vendors in the fold. Microsoft also appears to be a strong partner with the Trusted Network Connect working group as well as with Cisco.
  TCG TNC: The specifications are available for download. Members of the TCG can participate in the working group. Microsoft has released its Statement of Health protocol for the TNC specification.

Interoperability Testing
  Cisco NAC: Cisco uses AppLabs, which acquired KeyLabs, for interoperability testing in the NAC program. NAC partners are expected to develop and test their products.
  Microsoft NAP: Microsoft has no plans for an interoperability testing program.
  TCG TNC: The TNC is planning future compliance programs, but is otherwise mum on the issue.

Individual functions of the PDP and the PEP may be contained on one server or spread across multiple servers, depending on vendor implementation, but in general, the AR requests access, the PDP assigns a policy, and the PEP enforces the policy.

The AR is the node that is attempting to access the network and may be any device that is managed by the NAC system, including workstations, servers, printers, cameras and other IP-enabled devices. The AR may perform its own host assessment, or some other system may evaluate the host. In either case, the AR's assessment is sent to the PDP.

The PDP is the brains of the operation. Based on the AR's posture and a company's defined policy, the PDP determines what access should be granted. In many cases, the NAC product management system may function as the PDP. The PDP often relies on back-end systems, including antivirus, patch management or a user directory, to help determine the host's condition. For example, an AV manager would determine whether a host's AV software and signature versions are current, and inform the PDP.

Once the PDP determines which policy to apply, it communicates the access control decision to the PEP for enforcement. The PEP could be a network device, like a switch, firewall or router; an out-of-band device that manages DHCP or ARP; or an agent on the AR itself.

NAC Cycle

When a host attempts to connect to a NAC-enabled network, there are typically three phases: pre-admission or post-admission assessment, policy selection, and policy enforcement. The criteria governing each step are based on your company's policy and your NAC system's capabilities.

Before you select a product, determine exactly what your company's goals are. For example: how far out-of-date can patches or AV signatures be before a host can no longer access the network? What is the acceptable condition for a guest host before it can have access? Do you want to base access on user ID or not?







The NAC cycle may end at the enforcement stage or continue, depending on the product and the policy.
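To make the policy-selection step concrete, here is an added example (not code from the article or from any NAC vendor) of a simplified PDP that turns a reported host posture into an enforcement decision for the PEP, using the factors the article lists: logged-in user, patch age, anti-malware and firewall state, and managed versus guest host. The Posture fields, thresholds and the "MSDE 2000" application check are constructed for this example; the last one illustrates the Slammer point, since an application the policy does not list is never evaluated.

```python
from dataclasses import dataclass, field

# Hypothetical host posture as reported by an Access Requestor (AR) or by an
# external assessment system. Field names are this example's own invention.
@dataclass
class Posture:
    user_logged_in: bool
    managed: bool                      # corporate-managed vs. guest/contractor host
    days_since_patch: int
    av_installed: bool
    av_running: bool
    av_signature_age_days: int
    firewall_running: bool
    app_patch_levels: dict = field(default_factory=dict)  # e.g. {"MSDE 2000": "SP3"}

# Thresholds the PDP holds; the values are constructed, not vendor defaults.
POLICY = {
    "max_patch_age_days": 30,
    "max_av_signature_age_days": 7,
    # Application checks the PDP actually performs. An application missing from
    # this map is never evaluated, so a vulnerable install would still be admitted.
    "required_app_levels": {"MSDE 2000": "SP3"},
}

def decide(p: Posture, policy=POLICY) -> tuple[str, list[str]]:
    """Return (decision, reasons) for the PEP: FULL, REMEDIATION or GUEST_VLAN."""
    # Guest or unauthenticated hosts go to the guest VLAN before any health check.
    if not p.managed:
        return "GUEST_VLAN", ["unmanaged host"]
    if not p.user_logged_in:
        return "GUEST_VLAN", ["no authenticated user"]
    failures = []
    if p.days_since_patch > policy["max_patch_age_days"]:
        failures.append("patches out of date")
    if not (p.av_installed and p.av_running):
        failures.append("anti-malware not installed or running")
    elif p.av_signature_age_days > policy["max_av_signature_age_days"]:
        failures.append("AV signatures stale")
    if not p.firewall_running:
        failures.append("desktop firewall not running")
    for app, required in policy["required_app_levels"].items():
        if p.app_patch_levels.get(app, "unknown") != required:
            failures.append(f"{app} not at {required}")
    # Any failed check sends the host to remediation; otherwise grant full access.
    return ("REMEDIATION", failures) if failures else ("FULL", [])
```

Dropping "MSDE 2000" from required_app_levels makes decide() admit the same unpatched host with FULL access, which is exactly the gap the article warns about.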


Assessment
