Tutorial: Network Access Control (NAC)

No network is airtight—malware continues to get in, whether via mobile employees, guest or contractor laptops, or end users downloading dodgy content. Antivirus software at the gateway or on the desktop helps with computers under your control, but guests and unmanaged servers remain problematic. And let's face it: Sometimes attackers are just smarter than we are. Even companies following best practices get hit.

We don't just mean just security best practices, either. Protecting the network from malicious hosts is, ultimately, a desktop management function. NAC is what puts teeth in your policies, providing an enforcement mechanism that helps ensure computers are properly configured. By weighing such factors as whether a user is logged in; her computer's patch level; and if anti-malware or desktop firewall software is installed, running and current, IT can decide whether to limit access to network resources based on condition. A host that doesn't comply with your defined policy could be directed to remediation servers, or put on a guest VLAN.

NETWORK ACCESS CONTROL
Immersion Center

NEWS | REVIEWS | BLOGS | FORUMS TUTORIALS | STRATEGY | MORE

Remember Slammer? If a company could have determined that a host was running an unpatched version of MSDE 2000 and denied access until it was patched, Slammer would have had a much less dramatic effect.

That's the promise, but NAC is no magic bullet. The solution to the Slammer scenario is to either patch the vulnerable system when you can, or remove access to MSDE from the network. But if your NAC system doesn't check for applications like MSDE or their patch levels, it wouldn't preclude a vulnerable node from accessing the network.General Architecture

Three basic components are found in all NAC products: the Access Requestor (AR), the Policy Decision Point (PDP) and the Policy Enforcement Point (PEP); see General NAC Framework diagram in the image gallery. Vendors have their own names for these, but we'll use the terms defined by the Trusted Computing Group Trusted Network Connect working group because they're fairly clear-cut.

Individual functions of the PDP and the PEP may be contained on one server or spread across multiple servers, depending on vendor implementation, but in general, the AR requests access, the PDP assigns a policy, and the PEP enforces the policy.

The AR is the node that is attempting to access the network and may be any device that is managed by the NAC system, including workstations, servers, printers, cameras and other IP-enabled devices. The AR may perform its own host assessment, or some other system may evaluate the host. In either case, the AR's assessment is sent to the PDP. The PDP is the brains of the operation. Based on the AR's posture and a company's defined policy, the PDP determines what access should be granted. In many cases, the NAC product management system may function as the PDP. The PDP often relies on back-end systems, including antivirus, patch management or a user directory, to help determine the host's condition. For example, an AV manager would determine whether a host's AV software and signature versions are current, and inform the PDP.Once the PDP determines which policy to apply, it communicates the access control decision to the PEP for enforcement. The PEP could be a network device, like a switch, firewall or router; an out-of-band device that manages DHCP or ARP; or an agent on the AR itself.

NAC Cycle

When a host attempts to connect to a NAC-enabled network, there are typically three phases: pre-admission or post-admission assessment, policy selection, and policy enforcement. The criteria governing each step are based on your company's policy and your NAC system's capabilities.

Before you select a product, determine exactly what your company's goals are. For example, How far out-of-date can patches or AV signatures be before a host can no longer access the network? What is the acceptable condition for a guest host before it can have access? Do you want to base access on user ID or not?

Assessment

The NAC cycle begins and ends with assessment. Pre-admission assessment occurs before a host is granted full access to the network. Post-admission assessment, after access has been granted, enables a host to be periodically reassessed to ensure it does not begin to pose a threat. Host assessment gathers information, like a host's OS, patch levels, applications running or installed, security posture, system configuration, user login, and more, and passes it to a PDP. What information is gathered is a function of your defined policy and the NAC product's capabilities.

Assessments can use either a permanently installed agent, common in host based NAC, or more likely dissolvable agents, so named because they are based on Java or ActiveX and disappear after they're used. Dissolvable agents are sometimes called agentless NAC, but this method does in fact involve agents that must be downloaded and installed on the host computer.Problem is, the security models in Windows, Mac OS X and Linux often require agents, either permanent or dissolvable, to have local administrator rights in order to run. This becomes a problem in organizations that (wisely) don't let laptops and desktops run with local administrator privileges. In some cases, agents may need administrator privileges only the first time they're installed; that may allow IT to work around this limitation.

But what if you can't place an agent on a system? In that case, agentless assessments are conducted through remote scanning methods, such as running a vulnerability scan, or by using RPC (remote procedure call) or WMI (Windows Management Instrumentation) to query a host. Alternatively, passive scanning, using intrusion detection and network anomaly detection, looks for malicious hosts based on actual traffic. An assessment could even be defined as forcing a user into signing off on an Acceptable Use Policy before being granted access to the network.

Post-connection reassessments occur after the host is granted access. These are overlooked at your peril because a host's condition can change while connected. A worm might be activated, or a malicious user could start attacking. Post-connect assessments can be initiated automatically after set a time period; by an administrator as needed; or based on a change in the host, such as a desktop firewall or AV being disabled. New assessments are compared with the current policy, and defined actions are taken.An interesting twist to post-connect assessments are products that use passive network monitoring, either within the NAC system or by integrating with an existing intrusion detection or network anomaly detection system, to alert on malicious activity. These external monitors alert on network traffic and can detect problems missed by host-based assessments.

Policy Selection

Robust policy definition is critical to a successful NAC deployment. Defining rules that are flexible enough not to unduly burden end users yet strict enough to protect the network will take planning and testing. A binary policy, such as, "Comply with the current policy or be denied access," sounds good on paper, but often fails in the real world. A laptop that has been offline, say while a user went on vacation, may not be up-to-date on its AV signature, but that doesn't mean it's infected. Do you really want to cut an employee off, or would it be better to get the laptop current in the background while the user continues to work?Fortunately, NAC policy engines aid in policy creation. Finding an engine that fits your needs in terms of ease of use and granularity is especially vital as NAC vendors add more features to their products, and policy interfaces reflect this growing number of options. Like any management UI for a complex system, features like grouping, the ability to build custom objects and easily readable rule sets are important.

How external systems are integrated is equally crucial. For example, if your NAC system uses Active Directory for user authentication, the management system should be able to synchronize objects like users and groups from within AD, rather than having to recreate them. In a similar fashion, antivirus products, managed firewalls and patch management systems should also feed the management UI seamlessly.

A word on politics: It's dicey business for IT to make policy decisions dealing with upper management. But resist the temptation to treat executives differently. The CFO's laptop is no less vulnerable to attack than that of a field representative. Educating about sound practices and, where applicable, pointing to regulatory compliance implications can help here.

EnforcementEnforcement is the action defined in a policy in response to a host's state. It can range from doing nothing to logging an event to kicking a computer off the network. Typical access-control enforcements use 802.1X, DHCP and ARP management, DNS redirection to a walled garden, system updating, and rate shaping to alter traffic or a user's network access. Refer to the enforcement chart (below) for a rundown of methods.

The thornier side of enforcement is dealing with exceptions. Hosts that can't be assessed using any of the defined methods still need enforcement of some kind. Think about all the devices on your network that you can't install software on—from printers to Web cameras to VoIP phones to application appliances. Typically, the only enforcement method is white-listing these devices' MAC addresses. However, because MAC addresses are easily spoofed, implement MAC-based security features in your access switches to prevent, or at least reduce the likelihood of, these attacks.Deployment Styles

There are four basic ways NAC systems integrate into the network, each with benefits and drawbacks. Many NAC products provide for more than one deployment model.