Tutorial: Network Access Control (NAC): Page 7 of 11

Enforcement is the action defined in a policy in response to a host's state. It can range from doing nothing to logging an event to kicking a computer off the network. Typical access-control enforcements use 802.1X, DHCP and ARP management, DNS redirection to a walled garden, system updating, and rate shaping to alter traffic or a user's network access. Refer to the enforcement chart (below) for a rundown of methods.

NAC Enforcement Methods

Enforcement methods are the actions that are applied to computers. In many cases, enforcement is automated. Many vendors support multiple enforcement methods simultaneously, so you can select the best one for each situation.

Method: 802.1X
How it works: This is a Layer 2 protocol, meaning authorization occurs before IP addresses are handed out. Ports begin in an unauthorized state. A client, called a supplicant, sends credentials to the switch. The switch forwards the credentials to a server via RADIUS. Upon successful authentication, the switch port is enabled.
Benefits: Authentication and authorization occur before a host even accesses the network. Multiple authentication schemes are supported, and 802.1X is designed to be extensible as new technology arrives.
Drawbacks: All hosts need to have supplicants properly configured, and users, or computers, need to have accounts. Many switches put a port into one state or the other, so if there are multiple hosts on a port, they are all treated the same.

Method: VLAN Steering
How it works: VLANs segment networks into logical zones, and steering moves hosts onto particular VLANs. Steering happens by leveraging a switch's native VLAN management system or through other protocols, like SNMP.
Benefits: VLANs are well understood, and many companies use them already. Virtually any port can be in any VLAN, so mobility is easily accomplished.
Drawbacks: A VLAN architecture can be complex, and dynamic VLAN assignment may make troubleshooting difficult. Some switches have been vulnerable to attacks that rendered VLANs unstable.

Method: Host Enforcement
How it works: Arguably, this was the original NAC system, where assessment and host enforcement through a host firewall allows or denies access to network traffic.
Benefits: It is possible not only to control access of traffic from the network to the host, but also to control which applications on the host can access network ports. Unless a host is a mail server, there is no reason for an application to take over the mail port. Also, enforcement follows the host, even while off the network, so a host can be protected according to your company policy while attached to remote networks.
Drawbacks: Host software has to be managed, and troubleshooting a remote user who is having connection issues can be difficult.

Method: DHCP Management
How it works: DHCP hands out IP address assignments to hosts. A DHCP management setup intercepts DHCP requests and assigns IP addresses instead. Thus, NAC enforcement occurs at the IP layer based on subnet and IP assignment.
Benefits: Easy to install and configure. Because DHCP is well supported, it will work with any host that uses DHCP to request an IP address.
Drawbacks: DHCP management is easily defeated by a host that statically assigns its own IP address.

Method: ARP Management
How it works: Also called "ARP spoofing" or "man-in-the-middle." The Address Resolution Protocol is used to tell other hosts which IP addresses are assigned to a MAC address. These assignments are held in an ARP table on each host and updated periodically. This method manages a host's ARP table by dynamically sending ARP messages with different IP-to-MAC mappings.
Benefits: ARP is used by any IP host and will always work without any configuration changes to hosts.
Drawbacks: Similar to DHCP management, statically assigning an ARP table entry defeats this method. In addition, new security functions in switches designed to prevent malicious ARP spoofing may make this method unusable.

Method: Wildcard DNS
How it works: ARP maps IP addresses to MAC addresses. Similarly, DNS maps host names to IP addresses. Wildcard DNS will respond to any DNS query with an IP address, effectively redirecting hosts to a specific server.
Benefits: Like DHCP and ARP management, this method works with any host that uses DNS. Often, the user ends up at a Web page, where he has to authenticate or accept an agreement.
Drawbacks: Relies on the fact that users will eventually use a Web browser and thus be redirected to a Web page. Like DHCP and ARP management, if a host never uses DNS, then this method fails. Also, computers can have static host entries.

Method: Walled Garden
How it works: A walled garden forces a user onto a private network, where they can access limited resources, like a Web page to accept an agreement, update systems, and perform other functions. Once a host has passed, it can be allowed onto another network.
Benefits: If a host is denied access to the network, how can it get updated? A walled garden is often used in conjunction with another enforcement method.
Drawbacks: You have to maintain update servers and other equipment within the walled garden.

Method: Inline Block
How it works: Inline blocking is similar to a network firewall except that the access control is on a per-host basis and dynamically assigned. In addition, inline systems can monitor network traffic and take action on malicious activity.
Benefits: Inline blocking is generally fairly fine-grained because ports and, in some cases, even traffic payload can be controlled. Other methods are primarily only host-based.
Drawbacks: Inline blocking is often between switching layers, and that means a malicious host may be able to attack other hosts that are reachable without passing through the inline device. Inline devices have to be deployed at each choke point.

Method: TCP Resets/ICMP Messages
How it works: The NAC system kills TCP connections by sending TCP resets to both the client and the server. Once the host receives a TCP reset, the TCP connection is closed. Non-TCP protocols are managed using ICMP messages.
Benefits: Similar to other passive methods, TCP resets work with any TCP-enabled computer and will pass through any firewall or security gateway.
Drawbacks: Non-TCP protocols use ICMP messages, but there is no guarantee that either host will honor ICMP messages. Non-TCP protocols are difficult to support. Single-packet attacks that use UDP, like SQL Slammer, will pass right through.

Method: Patch, Update, Configuration Change
How it works: Also used in conjunction with other enforcement methods, patching a host either automatically or manually can bring it into compliance and prepare it for a reassessment.
Benefits: For company-owned computers, this is a good measure to ensure hosts are updated and properly configured.
Drawbacks: You can't always force external users, like contractors, to update their computers or install software. In addition, forcing an update prior to network access may impact productivity.
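The policy step that the chart describes, as an added example that is not code from the tutorial or from any NAC vendor: a host's assessed state is mapped to one enforcement action, unassessable devices are handled by a MAC whitelist, and a port-level helper shows the 802.1X drawback that every host behind a single-state port shares the port's verdict. The state names, actions and sample MAC addresses are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class HostState(Enum):
    COMPLIANT = "compliant"        # assessment passed
    NONCOMPLIANT = "noncompliant"  # e.g. patches missing
    UNASSESSABLE = "unassessable"  # no agent or supplicant possible (printer, VoIP phone)
    MALICIOUS = "malicious"        # inline device observed attack traffic


class Action(Enum):
    # Value is the restrictiveness rank used by port_action().
    ALLOW = 0       # do nothing
    QUARANTINE = 1  # walled garden only: accept agreement, self-update
    REMEDIATE = 2   # walled garden plus a forced patch, then reassess
    BLOCK = 3       # kick the host off the network


@dataclass(frozen=True)
class Host:
    mac: str
    state: HostState
    corporate_owned: bool  # external users (contractors) can't be forced to patch


# Constructed sample whitelist; real entries come from the asset inventory.
MAC_WHITELIST = {"aa:bb:cc:dd:ee:01"}


def decide(host: Host) -> Action:
    """Enforcement action for a single host according to policy."""
    if host.state is HostState.MALICIOUS:
        return Action.BLOCK
    if host.state is HostState.UNASSESSABLE:
        # Only exception path available for agentless devices: MAC whitelist.
        return Action.ALLOW if host.mac.lower() in MAC_WHITELIST else Action.BLOCK
    if host.state is HostState.NONCOMPLIANT:
        # Company hosts get patched inside the walled garden; others are only quarantined.
        return Action.REMEDIATE if host.corporate_owned else Action.QUARANTINE
    return Action.ALLOW


def port_action(hosts_on_port: list[Host]) -> Action:
    """Effective action for an 802.1X port on a switch that holds the whole port
    in one state: the strictest verdict applies to every host behind it."""
    return max((decide(h) for h in hosts_on_port), key=lambda a: a.value)
```

A compliant laptop sharing a port with a non-compliant contractor machine (via a hub or unmanaged switch) is quarantined along with it, which is why per-host methods are often combined with port-based ones.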

The thornier side of enforcement is dealing with exceptions. Hosts that can't be assessed using any of the defined methods still need enforcement of some kind. Think about all the devices on your network that you can't install software on—from printers to Web cameras to VoIP phones to application appliances. Typically, the only enforcement method is white-listing these devices' MAC addresses. However, because MAC addresses are easily spoofed, implement MAC-based security features in your access switches to prevent, or at least reduce the likelihood of, these attacks.
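Two of the bypasses noted above (a host that statically assigns its own IP address to sidestep DHCP management, and a spoofed whitelisted MAC address) leave traces that can be checked from a defender's side. The following added example, not code from the tutorial, reconciles the NAC DHCP lease table with what the access switches report and flags both conditions; the lease and sighting records are constructed sample data, and in practice they would be pulled from the DHCP server and the switches' MAC and ARP tables.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    """One (switch, port, MAC, IP) entry taken from a single snapshot of the
    access layer. Compare entries from the same snapshot only; a MAC that moved
    ports between snapshots is not a spoofing indicator."""
    switch: str
    port: str
    mac: str
    ip: str


# Constructed sample data: MAC -> IP handed out by the NAC DHCP service.
LEASES = {
    "00:11:22:33:44:55": "10.0.10.20",
    "aa:bb:cc:dd:ee:01": "10.0.10.21",
}
# Constructed whitelist of agentless devices (here: one printer).
WHITELIST = {"aa:bb:cc:dd:ee:01"}

SIGHTINGS = [
    Sighting("sw1", "Gi1/0/1", "00:11:22:33:44:55", "10.0.10.20"),  # leased, normal
    Sighting("sw1", "Gi1/0/2", "de:ad:be:ef:00:01", "10.0.10.99"),  # no lease: static IP
    Sighting("sw1", "Gi1/0/7", "aa:bb:cc:dd:ee:01", "10.0.10.21"),  # the printer
    Sighting("sw2", "Gi1/0/3", "aa:bb:cc:dd:ee:01", "10.0.10.21"),  # same MAC, second port
]


def find_static_ip_hosts(sightings, leases):
    """MACs using an IP the DHCP service never assigned to them: these hosts
    bypassed DHCP-based enforcement and need another enforcement method."""
    return sorted({s.mac for s in sightings if leases.get(s.mac) != s.ip})


def find_whitelist_anomalies(sightings, whitelist):
    """Whitelisted MACs seen on more than one switch port in the same snapshot,
    a sign that the MAC was copied onto another device."""
    ports = defaultdict(set)
    for s in sightings:
        if s.mac in whitelist:
            ports[s.mac].add((s.switch, s.port))
    return {mac: sorted(p) for mac, p in ports.items() if len(p) > 1}


if __name__ == "__main__":
    print("static IP hosts:", find_static_ip_hosts(SIGHTINGS, LEASES))
    print("whitelist anomalies:", find_whitelist_anomalies(SIGHTINGS, WHITELIST))
```

Port-security features on the access switch (a per-port MAC limit, DHCP snooping with IP source guard) stop these cases at the port; this check is the audit that tells you when they are missing or misconfigured.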