13.2. IETF Standards

Key standards drive NAC implementation. This section takes an in-depth look.

13.2.1. RADIUS: Completing the circle

RADIUS is the acronym for Remote Authentication Dial-In User Service, an IETF standard originally designed for use in dial-up networks. One of the main purposes for the RADIUS standard is to provide authentication.

RADIUS is a client/server security protocol that has been (and, in some cases, continues to be) used to authenticate, authorize, and account for dialup users. But NAC vendors extended RADIUS for use in today's enterprise switching infrastructures.

Wireless networks also use RADIUS heavily, and although it wasn't initially intended to be a wireless security authentication method, it improves and strengthens the weak Wired Equivalent Privacy (WEP) encryption key standard. However, the real mettle of RADIUS is in its robust user authentication capabilities.

NOTE

In RADIUS, user authentication is based on network credentials, not on device information or other data. RADIUS centralizes the management of network credentials and authentication data. Already a widely deployed standard, RADIUS servers can either store network credentials, authentication data, and attributes themselves, or they can access external credential stores and databases, such as those based on the Lightweight Directory Access Protocol (LDAP) or Structured Query Language (SQL), as well as Microsoft Active Directory, to name just a few examples. RADIUS can use and access many other types of back-end data stores and databases.

The RADIUS standard is very useful in a NAC solution, particularly one that implements or leverages the Institute of Electrical and Electronics Engineers (IEEE) 802.1X standard for port-based network access control. As shown in Figure 13-1, the authentication server in an 802.1X network receives RADIUS messages and uses them to authenticate the user and his or her device. The authentication server makes the authentication decision (whether it can authenticate the user for access to the network) and communicates that decision to the authenticator, usually an 802.1X-capable device such as a network switch or wireless access point, which enforces the decision.

Figure 13.1. How RADIUS works.
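The following Python is an added illustration, not code from the book or from any NAC product, of the exchange just described: the authenticator (switch or access point) sends an Access-Request to the authentication server, and the server's Access-Accept or Access-Reject carries a Response Authenticator computed under the shared secret. The packet layout and MD5 construction follow RFC 2865, which the chapter does not spell out; the secret, the user name, and the fixed Request Authenticator are constructed values (a real authenticator draws the latter at random for every request).

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME = 1  # RADIUS attribute type

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS Type/Length/Value attributes."""
    out = b""
    for attr_type, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def build_access_request(ident, request_auth, user):
    """Authenticator -> server: Access-Request with a 16-byte random Request Authenticator."""
    body = encode_attrs([(USER_NAME, user.encode())])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def build_response(code, ident, request_auth, attrs, secret):
    """Server -> authenticator. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_response(resp, request_auth, secret):
    """Authenticator-side check before enforcing the decision: recompute the
    Response Authenticator. Returns the packet code, or None if malformed/forged."""
    if len(resp) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", resp[:4])
    if length != len(resp):
        return None
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(resp[4:20], expected):
        return None
    return code

def demo(secret=b"example-shared-secret", request_auth=bytes(range(16))):
    """Constructed exchange: a genuine Accept verifies; a Reject with its code flipped to Accept, or a check with the wrong secret, does not."""
    accept = build_response(ACCESS_ACCEPT, 7, request_auth, [(USER_NAME, b"alice")], secret)
    forged = bytes([ACCESS_ACCEPT]) + build_response(ACCESS_REJECT, 7, request_auth, [], secret)[1:]
    return (verify_response(accept, request_auth, secret),
            verify_response(forged, request_auth, secret),
            verify_response(accept, request_auth, b"wrong-secret"))
```

The check matters because the authenticator enforces whatever decision it believes the server made; without recomputing the authenticator it would act on a reply anyone on the path could have altered.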

13.2.2. The simplicity of SNMP

Simple Network Management Protocol (SNMP) was designed to exchange device management information between network devices, called elements, and that remains its primary use. It allows administrators to gather information from, or change settings on, a network device.

Although SNMP was originally designed for use with routers, other network elements (such as printers, switches, access points, and software) now include SNMP capabilities.

Inside SNMP

Two components make up SNMP:

  • Agent: Resides on a network element (a device). The agent gathers network element status details and communicates them to a manager on request, or when network element status meets a specific condition or threshold.

    SNMP's condition-based communications are called alerts or traps.

  • Manager: Also known as a Network Management System (NMS). The NMS is a centralized system that proactively monitors network elements, which can include polling an agent for information about the network element where it's installed, or receiving alerts or traps. You can program the NMS to take a specific action based on the results of its monitoring. Actions can include notifying an administrator by e-mail, text message, or other means so that he or she can address a current or potential issue, or take other preventative actions.

The NMS needs to be aware of the configurable information on a network element; this information is defined in a text file known as a management information base (MIB), and network management systems typically access MIBs by using SNMP. The IETF SNMP standards define the format of a MIB. If the MIB is in the appropriate format, an NMS should be able to communicate with the associated network element.


13.2.2.1. One ... two ... SNMP three

SNMP provides a very simple mechanism that allows you to monitor and configure a network device by using a centralized manager.

Although SNMP is readily available and simple to work with, it does have some limitations concerning the three versions of SNMP that you can deploy:

  • The two older versions of SNMP don't employ strong security mechanisms, which can leave them open to unauthorized access, such as snooping or eavesdropping:

    • SNMP version 1 (SNMPv1): The original version of SNMP that continues to be a standard protocol for the Internet.

    • SNMP version 2 (SNMPv2): Offers enhancements to SNMPv1, such as additional protocol operations. SNMPv2 was superseded by SNMPv3 to address several security concerns, including authentication and privacy.

  • SNMP version 3 (SNMPv3): Includes message authentication and packet encryption.

    SNMPv3 employs security mechanisms that include authentication, message integrity, and encryption. SNMPv3 delivers a more secure architecture to ensure that passwords don't travel over a network in open, clear text. SNMPv3 also provides for an optional, encrypted data stream that can protect the data between devices in an SNMP architecture.
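The weakness of the two older versions is visible on the wire: the community string that authorizes a request is an unencrypted octet string near the front of every SNMPv1 and SNMPv2c message. The following Python is an added example (not from the book) that a monitoring tool could use to parse the BER-encoded message header, report which version is in use, and flag clear-text community strings; the sample messages are constructed here, and the BER encoder is a minimal helper used only to build them.

```python
def ber_tlv(data, pos=0):
    """Read one BER TLV at pos and return (tag, value, next_pos).
    Handles short-form and long-form (1..4 byte) lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if not 0 < n <= 4:
            raise ValueError("unsupported BER length")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated TLV")
    return tag, data[pos:pos + length], pos + length

def encode(tag, value):
    """Minimal BER encoder (short-form lengths only), used to construct samples."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def inspect_snmp(msg):
    """Return (version, community): version 0 = SNMPv1, 1 = SNMPv2c, 3 = SNMPv3.
    SNMPv3 carries no community string, so community is None for it."""
    tag, body, _ = ber_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, pos = ber_tlv(body)
    if tag != 0x02:
        raise ValueError("missing version field")
    version = int.from_bytes(ver, "big")
    if version == 3:
        return version, None
    tag, community, _ = ber_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community string")
    return version, community.decode("ascii", "replace")

def audit(msg):
    """One-line finding for a monitoring tool that sees this message on the wire."""
    version, community = inspect_snmp(msg)
    if version in (0, 1):
        name = "SNMPv1" if version == 0 else "SNMPv2c"
        return f"{name}: community '{community}' sent in clear text; migrate to SNMPv3"
    return "SNMPv3: no community string; per-user authentication and privacy apply"

# Constructed sample messages (not captured traffic).
V1_PDU = encode(0xA0,  # GetRequest-PDU: request-id 1, error-status 0, error-index 0, VarBindList
    encode(0x02, b"\x01") + encode(0x02, b"\x00") + encode(0x02, b"\x00") +
    encode(0x30, encode(0x30, encode(0x06, b"\x2b\x06\x01\x02\x01\x01\x01\x00") + encode(0x05, b""))))
SAMPLE_V1 = encode(0x30, encode(0x02, b"\x00") + encode(0x04, b"public") + V1_PDU)
SAMPLE_V3 = encode(0x30, encode(0x02, b"\x03") + encode(0x30, b""))  # header only
```

Seeing version 0 or 1 with a readable community string in NAC-related management traffic is the concrete sign that the switch-to-NAC channel needs to be moved to SNMPv3 with authentication and privacy enabled.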


13.2.2.2. Managing SNMP

SNMP wasn't built to provide security. You must ensure that you correctly configure and deploy your SNMP-based NAC implementation.


When employed in a NAC solution, the SNMP standard can serve as a notification mechanism, enabling the solution to monitor the behavior and state of endpoint devices via alerts and traps on SNMP-enabled network switches. If your network has an ill-behaving endpoint device, a trap on an SNMP-enabled network switch sends an alert to the NAC solution.

The NAC solution may also direct that the endpoint device that tripped the alert be diverted to a virtual local area network (VLAN) with limited or no access to the network and other services. You can also invoke this enforcement mechanism by using SNMP if both the network switch and the VLAN are SNMP-managed. Depending on the solution and implementation, a NAC solution that leverages the SNMP standard may require you to limit network access before provisioning or granting access to overall resources. Figure 13-2 shows how SNMP accomplishes quarantine or network restriction.

Figure 13.2. How SNMP works.

13.2.3. The lowdown on DHCP

The Dynamic Host Configuration Protocol (DHCP) is built on a client-server model and automates the configuration of devices on a Transmission Control Protocol/Internet Protocol (TCP/IP) network. By using DHCP, devices can automatically obtain the configuration parameters that can enable them to operate on the TCP/IP network.

DHCP can reduce the challenges associated with device administration, provisioning, and configuration over a TCP/IP network. It also enables organizations to simply and quickly add devices to a network.


Configuration data delivered by DHCP can include

  • IP information on or about local area networks (LANs)

  • Gateway and Domain Name System (DNS) server addresses

  • TCP/IP stack configuration parameters

  • IP addresses for printers and other servers

NOTE

Originating from the Bootstrap Protocol (BOOTP, the first mode of dynamic delivery of IP addresses to network devices), the DHCP standard has two components:

  • Protocol: Defines the mechanism for delivering device-specific configuration parameters to any IP device (router, server, or other device) on a network from a DHCP server or workstation (itself also a device) that runs the application or service supplying the parameters.

  • Method: A means to automatically assign and distribute IP addresses to devices on the network.

When a DHCP application or service monitors network traffic and sees a DHCP request, it responds with an IP address. It can also provide additional configuration parameters. The DHCP server can allocate or assign ranges of available or appropriate IP addresses to devices as they join the network.

The client-server structure on which DHCP is built can automate the process of adding devices to a TCP/IP network. DHCP uses and supports three different ways to provide IP addresses to requesting devices. You can use these methods alone or together on a network:

  • Automatic allocation: The DHCP standard can assign a permanent IP address to a specific device.

  • Dynamic allocation: The DHCP standard can assign a limited-time IP address to a device; or it can assign the IP address to a specific device until the device surrenders the IP address.

  • Manual allocation: DHCP simply acts as the delivery mechanism for an IP address that an administrator or other individual in authority has manually assigned to a specific device.

NOTE

Allocated and delivered IP addresses should be unique, not duplicated.

A NAC solution based on DHCP might include a DHCP proxy device placed between the centralized DHCP server and network switches:

  • After an endpoint device connects to a switch port, the DHCP proxy device replies to the endpoint device.

  • After it sends a reply and assigns an IP address to the endpoint device, the NAC solution (which can be on the same device as the DHCP proxy device, or the solution can actually serve as the device) could take over the access process and direct the endpoint device to launch a Web browser (and login page), begin assessment of the endpoint device, or take another action.

When you use DHCP as a NAC enforcement mechanism, as shown in Figure 13-3, an endpoint device that fails an assessment check can be handed a configuration that restricts it from communicating with other devices on the network.

Figure 13.3. How DHCP works.
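The following Python is an added example, not code from the book or from any NAC product, of what the DHCP proxy described above might put in its reply: a normal lease for an endpoint that passed assessment, and a restrictive one for an endpoint that failed. The restrictive lease (a host mask, no default router, DNS pointed at the remediation portal, and a short lease so the device is re-checked soon) is one possible restriction scheme assumed here; the option encoding follows RFC 2132 and all addresses are constructed values.

```python
import ipaddress
import struct

# Option codes from RFC 2132.
SUBNET_MASK, ROUTER, DNS_SERVER, LEASE_TIME, MSG_TYPE, END, PAD = 1, 3, 6, 51, 53, 255, 0
DHCPOFFER = 2

def encode_options(options):
    """Encode (code, value) pairs as DHCP options, terminated by END."""
    out = b""
    for code, value in options:
        if len(value) > 255:
            raise ValueError("option value too long")
        out += bytes([code, len(value)]) + value
    return out + bytes([END])

def decode_options(raw):
    """Parse the options field back into {code: value}; tolerates PAD bytes."""
    opts, pos = {}, 0
    while pos < len(raw) and raw[pos] != END:
        if raw[pos] == PAD:
            pos += 1
            continue
        code, length = raw[pos], raw[pos + 1]
        opts[code] = raw[pos + 2:pos + 2 + length]
        pos += 2 + length
    return opts

def ip(addr):
    return ipaddress.IPv4Address(addr).packed

def lease_options(compliant, portal="10.99.0.1"):
    """Options a DHCP-based NAC proxy hands out (constructed addresses).
    Compliant endpoint: a normal lease. Failed assessment: a /32 mask, no router,
    DNS pointed at the remediation portal and a short lease, so the device can
    reach only the portal and is re-checked soon (assumed restriction scheme)."""
    if compliant:
        return encode_options([(MSG_TYPE, bytes([DHCPOFFER])),
                               (SUBNET_MASK, ip("255.255.255.0")), (ROUTER, ip("10.1.1.1")),
                               (DNS_SERVER, ip("10.1.1.53")), (LEASE_TIME, struct.pack("!I", 86400))])
    return encode_options([(MSG_TYPE, bytes([DHCPOFFER])),
                           (SUBNET_MASK, ip("255.255.255.255")), (DNS_SERVER, ip(portal)),
                           (LEASE_TIME, struct.pack("!I", 300))])

def is_restricted(raw_options):
    """True if a lease confines the endpoint: no default router, or a host (/32) mask."""
    opts = decode_options(raw_options)
    return ROUTER not in opts or opts.get(SUBNET_MASK) == ip("255.255.255.255")
```

An endpoint that configures a static address never asks for these options, which is why DHCP-based enforcement is usually combined with switch-level controls such as the SNMP or 802.1X mechanisms covered earlier in this section.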

13.2.4. I see IPSec

Internet Protocol Security (IPSec) is a suite of protocols and standards that enables secure communications over an Internet Protocol (IP) network by applying cryptography to IP traffic.


IPSec delivers

  • Data privacy (by using encryption)

  • Message integrity (ensuring that a message doesn't change during transmission)

  • Protection from certain attacks

IPSec also facilitates the negotiation of necessary security algorithms and security key handling processes, addressing IP network security needs.

NOTE

Although a number of NAC solutions use IPSec, IPSec itself doesn't provide the means for network access control, nor is it a method of providing NAC. However, NAC solutions do put the IPSec standard to good use.
