As was discussed in Chapter 2 and replicated in the previous chapters, all NAC/NAP solutions consist of the same basic elements. Not all NAC/NAP solutions will contain all of the elements, and some vendors will be better at some elements than others. This section analyzes the following NAC components as they relate directly to Fiberlink Mobile NAC:
A policy-related component to configure and set the policy on what specific security criteria will be analyzed on the device
A technology to communicate the security state of the device to other facets of the NAC/NAP solution
A mechanism that receives the security posture of the device and performs an action based upon those results
A policy-related component to configure and set the policy regarding what action will take place
A remediation technology whose purpose is to bring the device back into compliance
The analysis of the device is done by the Extend360 (e360) Agent. Mobile NAC differs from LAN-based NAC in that the analysis takes place any time the machine is powered on, regardless of its location. As such, the solution is completely client-based. The e360 Agent consists of the following components:
The Service Component is literally a service that is running in Windows. It runs under the context of Local System, so that any of the necessary NAC functions can occur without being concerned about whether or not the user logged in to the system has administrative rights. This is particularly important when it comes to remediation.
The GUI is available in two different incarnations, depending upon the needs of the company using the solution. The GUI is not responsible for any NAC functionality, but rather provides the user with an interface to the solution. All NAC functionality takes place even if the GUI interface isn't being utilized by the end user. Additionally, all NAC functions take place regardless of whether the user is connected to the Internet or VPN'd into the corporate network. Following are the two GUI choices:
Security Client — This client interface provides the end user with basic information as to the security posture of the device.
Connectivity and Security Client — This client interface shows all the information from the Security Client and also includes functionality to facilitate and control connectivity based upon the security posture of the device.
Most companies actually utilize the Connectivity and Security Client. This is because the capability to control and report on mobile connectivity is of value to enterprises. In addition, the actual connectivity itself can be provided as an optional component of the solution. For example, a user could go to a T-Mobile hotspot and connect with the e360 client. The company itself would then be billed for the connection and realize a cost savings. This savings can then be used to help fund the security solution. For static desktop systems, the Security Client would make sense. Figure 8-1 and Figure 8-2 show examples of the two different interface options.
The Mobile NAC policies are set via the Enterprise Management Center (EMC) and optionally in the initial agent installed to reflect the default policies on the server. The EMC infrastructure resides within the redundant Fiberlink NOC. To an administrator, the EMC appears to be one server that is accessible via a web browser. The EMC actually consists of many different servers that perform many different functions. The key point to understand is that none of this infrastructure needs to reside on the customer premises.
For a Mobile NAC solution to be able to work on devices as they are mobile, it is important that the proper topology be used. Specifically, the policy and other servers must be able to communicate and work with the mobile device any time the device is connected to the Internet. The way to accomplish this is to put the Mobile NAC infrastructure in a position where the servers are directly connected to the Internet, which is exactly how this solution is designed.
Timely updates to NAC policies are critical for any NAC solution. With a LAN-based solution, a policy update can be made on a server, and that server is referenced for policies when devices attempt connectivity. There really shouldn't be a significant delay between the time a policy is changed and the time the policy takes effect. With Mobile NAC, the policies themselves must reside locally on each device. The policies, being local, negate the need for the mobile device to talk to a server for NAC functions to take place. This is critical to understand.
For example, if a company wanted a policy that would prohibit public Wi-Fi hotspot access if the security posture of the device is deficient, the NAC solution must know this policy before a connection was even attempted. If the device needs to talk to a server to receive this policy, the Wi-Fi connection must be established for this policy communication to take place, which doesn't make a whole lot of sense.
With this solution, policy updates automatically occur at regular intervals. Any time a connection to the Internet is available, the policies can be automatically retrieved from the policy servers and loaded into the agent on the mobile device. The end user does not need to facilitate this connection, nor does the device need to be on the corporate LAN or VPN'd into the corporate network.
Policy configuration is unique with this solution, because it is offered in a software-as-a-service model. While companies are able to dictate exactly what policies are to be put into place and can move users between policies, the actual keypunching to create the policies is done by specially trained Fiberlink personnel. This lessens the learning curve and helps facilitate a timely deployment of the solution, while still providing companies with complete control of their own policies.
The Mobile NAC solution allows for robust monitoring of the security posture of the device. Common policies include monitoring the following:
Antivirus application running
Antivirus definitions up to date
Antispyware application running
Antispyware definitions up to date
Personal firewall running
Encryption application running
Existence of custom files
Other custom actions
NOTE
Integration with third-party security applications does not require the use of vendor-specific Posture Plugins (PPs).
Policies exist for monitoring practically all leading security software solutions. In addition, the concept of optionality is available. This is extremely helpful for companies with many different security applications in place. Rather than creating policies for each type of antivirus application that exists in an environment, an optionality policy can be put into place that looks for any major antivirus application to be running. If some users were running Symantec and some were running McAfee, this one optionality policy would cover all of these users.
Policies for Fiberlink Mobile NAC can also be granular down to an end user. While many companies do enforce policies at a group level, the granularity of doing so at a user level has value. For example, a sales guy who turns off his personal firewall should be considered noncompliant. At the same time, the system administrator may need to disable his personal firewall to run some network tests, so he shouldn't be considered noncompliant if he does so.
As has been discussed, the topology for Mobile NAC must be and is different from the topology for LAN-based NAC. Because of these differences, the communication paths are also completely different. The agent itself performs the quarantining and remediation functionality, so it doesn't require communication to other components to perform these functions. It does, however, need to receive policy changes. Also, it needs to continually report in regarding its current security state and communicate any NAC events that may have taken place. These events may have taken place while the device did not have Internet connectivity. In that scenario, the events are cached locally and communicated the next time Internet connectivity is available. Figure 8-3 illustrates the communication flow protocols used. Specifically, SSL encryption is used to secure agent/server communication.
NOTE
Initial Mobile NAC policies are seeded into the application and exist upon installation of the e360 software.
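The policy model described above (locally seeded policies, "optionality" checks satisfied by any one of several products, per-user exemptions, and NAC events cached while offline and reported when connectivity returns) is illustrated by the following added example. It is not Fiberlink code; the product names, user names and check names are constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Check:
    """One policy check. `any_of` lists the products or facts that satisfy it
    (optionality: any single one is enough); `exempt_users` are waived."""
    name: str
    any_of: tuple
    exempt_users: frozenset = frozenset()

# Constructed sample policy, seeded locally so no server contact is needed
# at evaluation time. Product names are illustrative only.
LOCAL_POLICY = (
    Check("antivirus_running", ("Symantec AV", "McAfee VirusScan")),
    Check("av_definitions_current", ("av_defs_current",)),
    Check("personal_firewall_running", ("Windows Firewall", "ZoneAlarm"),
          exempt_users=frozenset({"sysadmin"})),
    Check("encryption_running", ("PGP Desktop",)),
)

def evaluate(policy, user, running, facts):
    """Return (compliant, deficiencies) for one device snapshot.
    `running` is the set of running product names, `facts` the set of
    true device facts such as 'av_defs_current'."""
    present = set(running) | set(facts)
    deficiencies = [chk.name for chk in policy
                    if user not in chk.exempt_users
                    and not any(item in present for item in chk.any_of)]
    return (not deficiencies, deficiencies)

class Agent:
    """Tracks compliance state and caches NAC events until the device is
    online, then reports them in the order they occurred."""
    def __init__(self, policy, user):
        self.policy, self.user = policy, user
        self.compliant = True
        self.cached_events = []   # held locally while offline
        self.sent_events = []     # stands in for the reporting server

    def scan(self, running, facts, online):
        compliant, deficiencies = evaluate(self.policy, self.user, running, facts)
        if compliant != self.compliant:      # state change -> NAC event
            event = ("COMPLIANT" if compliant
                     else "OUT_OF_COMPLIANCE:" + ",".join(deficiencies))
            self.cached_events.append(event)
            self.compliant = compliant
        if online:
            self.flush()
        return compliant

    def flush(self):
        """Deliver cached events now that Internet connectivity exists."""
        self.sent_events.extend(self.cached_events)
        self.cached_events.clear()
```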
A big part of communication with Mobile NAC has to do with communication to the end user. Unlike situations where the user is at the corporate office, mobile users are often in positions where they must fend for themselves. Consequently, it is important for mobile users to accurately understand their current security postures and whether they are under any type of restrictions. When users' machines become noncompliant, there are multiple means by which the users are notified:
A bubble appears in their system trays.
A Device Out of Compliance message is shown in the Messages portion of the GUI interface.
Figure 8-4 shows a device that has become noncompliant because the Symantec antivirus application is no longer running. Note the three different areas where the end user is notified of the compliance change. In addition to these messages, more detailed information can be provided to the end user if he or she clicks the system tray bubble or the noted security deficiency in the client. The more detailed information for this deficiency is shown in Figure 8-5.
When the device becomes out of compliance, it is routinely monitored to see when the device is back in compliance. As will be discussed later in this chapter in the section "Remediating the Security Deficiency," many deficiencies can be automatically fixed. When the state changes back to compliant, end users also must be notified that they are back in compliance, and that any restrictions have been lifted. This communication takes place in exactly the same manner as when the device became noncompliant. This communication is illustrated in Figure 8-6.
With Cisco Clean Access, restrictions were enforced on an appliance. With the Cisco NAC Framework, the enforcement took place on an NAD (such as a router or switch). Because of the nature of Mobile NAC, enforcement at these points is insufficient. A user who is mobile wouldn't be affected by a restriction on these devices; the device wouldn't even be in communication with these devices. Consequently, the enforcement capabilities and remediation capabilities must take place on the endpoint itself.
With Fiberlink Mobile NAC, there are two key areas where restriction can take place:
Just as with the LAN-based NAC solutions, there is Layer 3 quarantining and restriction that can take place with Fiberlink Mobile NAC. With LAN-based NAC, the idea is to restrict a noncompliant device from accessing parts of the network other than those that would specifically work to remediate the endpoint. Mobile NAC does virtually the same thing, although this enforcement takes place on the endpoint itself. The Layer 3 restriction can be thought of as an outbound Access Control List (ACL) that controls where the device can go. Rather than just limiting or restricting LAN access when the user is attempting LAN access, this method can restrict access to any Internet location. This restriction reduces the device's exposure to the possibility of additional Internet-based threats.
When the device status is Out-of-Compliance, all outbound access can be blocked. To allow access to remediation servers and places that are deemed acceptable to an organization, exceptions can be put into place to allow that connectivity. Figure 8-7 illustrates Layer 3 restriction.
In addition to Layer 3 restriction, Layer 7 restriction can also take place. This restriction would prohibit specified applications from being used when in a noncompliant state. If a critical Internet Explorer patch is missing, then it would be beneficial to restrict the use of Internet Explorer until that patch is received. Layer 7 restriction works even when network connectivity isn't present. So, if a user is on an airplane and disables the antivirus application, Microsoft Word and other applications can be prohibited from running. Figure 8-8 shows Layer 7 restriction.
An interesting feature of Fiberlink Mobile NAC is Restricted Application Protection (RAP). RAP works very similarly to Layer 7 restriction, though it prevents applications from ever running on the machine. Applications such as instant messaging and peer-to-peer applications can pose significant security threats to the enterprise. Being able to prohibit these applications from running is an important security feature.
Another method of restriction is stopping the device from making a network connection when noncompliant. As was covered earlier in this book, public Wi-Fi hotspots can pose significant security challenges. These challenges are amplified for devices whose security posture is deficient. Because of these challenges, it can be beneficial to prohibit public Wi-Fi connections when a device is out of compliance. The same is true for 3G connections. There is benefit to stopping a vulnerable machine whose security posture is below standards from establishing EvDO, CDMA, and similar connections while in the noncompliant state. Controlling this type of functionality is a key benefit of the Fiberlink Connectivity and Security Client. Figure 8-9 illustrates how this restriction takes place.
Again, the key difference to note regarding Mobile NAC and LAN-based NAC is that these restrictions take place as the device is mobile. It does not have to pass through a LAN-based appliance or networking hardware to have restrictions take place.
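The endpoint-side enforcement just described (Layer 3 default-deny outbound with exceptions for remediation servers, Layer 7 application restriction while noncompliant, RAP blacklisting regardless of state, and refusing public Wi-Fi or 3G connections while noncompliant) is modelled in the following added example. It is not Fiberlink code; the exception networks (documentation ranges), executable names and connection-type labels are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Layer 3: while out of compliance, outbound access is denied by default and
# only the listed exceptions (remediation and policy servers; constructed
# documentation-range addresses here) remain reachable.
L3_EXCEPTIONS = (ipaddress.ip_network("203.0.113.0/24"),
                 ipaddress.ip_network("198.51.100.10/32"))
# Layer 7: applications blocked only while the device is noncompliant.
L7_RESTRICTED = frozenset({"iexplore.exe", "winword.exe"})
# RAP: applications that may never run, whatever the compliance state.
RAP_BLACKLIST = frozenset({"bitlord.exe"})
# Connection types the Connectivity and Security Client refuses to
# establish while the device is noncompliant.
RESTRICTED_CONNECTIONS = frozenset({"public_wifi", "3g"})

@dataclass(frozen=True)
class Request:
    kind: str      # "outbound", "launch" or "connect"
    target: str    # destination IP, executable name or connection type

def enforce(compliant, req):
    """Return (allowed, reason) for one request, decided on the endpoint
    itself; the launch check needs no network connectivity at all."""
    if req.kind == "launch":
        exe = req.target.lower()
        if exe in RAP_BLACKLIST:
            return False, "RAP: application is blacklisted"
        if not compliant and exe in L7_RESTRICTED:
            return False, "Layer 7: restricted while out of compliance"
        return True, "allowed"
    if compliant:
        return True, "device compliant"
    if req.kind == "outbound":
        ip = ipaddress.ip_address(req.target)
        if any(ip in net for net in L3_EXCEPTIONS):
            return True, "Layer 3: exception for remediation/policy server"
        return False, "Layer 3: outbound blocked while out of compliance"
    if req.kind == "connect":
        if req.target in RESTRICTED_CONNECTIONS:
            return False, "connection type blocked while out of compliance"
        return True, "allowed"
    raise ValueError("unknown request kind: " + req.kind)

def apply_policy(compliant, requests):
    """Evaluate a batch of requests; returns (target, allowed, reason) tuples."""
    return [(r.target,) + enforce(compliant, r) for r in requests]
```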
The goal of any NAC solution should not be simply to block out users. The goal is to have users be productive and to be secure while being so. One of the strongest attributes of Fiberlink Mobile NAC is the capability to remediate without connectivity back to the LAN. Essentially, that is anywhere the mobile device is located at the moment it requires remediation.
Remediating a system whose security posture is deficient can require a number of different steps. While pushing a missing patch is important, it's not the only form of remediation. Following are important forms of remediation within Fiberlink Mobile NAC:
Automatically pushing any missing Microsoft patches and hotfixes
Automatically making configuration changes to address SANS Top Internet Security Vulnerabilities
Automatically restarting security applications
Automatically killing any unwanted applications
Automatically pushing custom patches or custom application updates
There are three critical points to understand about Fiberlink's Mobile NAC solution:
Remediation is automatic and does not require any interaction from the end user.
The aforementioned forms of remediation are included as part of the Mobile NAC solution and do not require any customer premise equipment to perform the functionality.
Fiberlink Mobile NAC remediation does not require the end user to have administrative rights on the system for deficiencies to become resolved.
The automated remediation has distinct security and usability advantages. First, it puts the process of pushing patches and addressing security deficiencies in the hands of IT and security, as opposed to the end user. By configuring the appropriate policies, deficiencies are automatically addressed and fixed. Rather than providing the end user with a link to install software or redirecting the user to a web site for information on fixing the problem, the deficiency is just simply fixed.
Virtually all companies have a patching technology in place to patch desktops and other LAN-based devices. In most enterprise deployments, these patching technologies will neither patch machines as they are mobile nor automatically restart disabled security applications. Fiberlink Mobile NAC does not necessarily act as a replacement to these existing services. Rather, it acts as a complement and supplement. Mobile NAC has been successfully deployed without compatibility issues in environments containing virtually all leading patch-management solutions.
Pushing patches to mobile devices has distinct challenges from LAN-based patching systems. Mobile users are often online for brief periods of time, and during that time, they are usually trying to be as productive as possible. If this productivity is affected by a large patch being pushed, then end users will undoubtedly complain. Mobile NAC offers the following features to address this concern:
Updates are resumable — If 32 percent of a patch gets downloaded, the remainder of the update will begin exactly where it left off the next time Internet connectivity is available.
Updates can have minimum bandwidth requirements — While a critical patch may be pushed regardless of connection speed, it may be desirable to have lower severity patches only pushed when the connection speed is at a minimum requirement (such as 128kbps).
Bandwidth throttling — This functionality acts as a Quality of Service (QoS) component, managing bandwidth to ensure end-user experience is minimally affected as updates are downloaded.
By default, Fiberlink's solution does not push any patches or updates. This is because most companies have their own timelines to test patches, and companies don't always want to push out every patch. Once companies have made a decision that a patch or update should be pushed, the solution is updated and will begin pushing the patch and update any time Internet connectivity is available.
Some Mobile NAC remediation functions are dependent upon Internet connectivity, while others are not. To receive a Microsoft patch or antivirus update, clearly the device must be able to communicate with another device to receive that data. For applications to be restarted and other nonupdate information pushed, Internet connectivity is not required.
NOTE
Automatically restarting security applications without reliance on Internet connectivity is important, as many of these applications (such as antivirus and personal firewall) provide security value at times when Internet connectivity is not established.
The reporting for Fiberlink's Mobile NAC solution is centrally located and accessible via the EMC, which is accessible via a web browser with Internet connectivity. This reporting functionality is included as part of the Mobile NAC solution and does not require any customer premise equipment. The reporting system provides detailed information such as the following:
Managerial-level reporting on the overall security state of the entire mobile workforce
Detailed security and asset management information on specific devices/users
Information on what a system contains (installed software, version of Internet Explorer, and so on)
Active hardware devices, such as network adapters, USB drives, and so on
Information on what a system is missing (critical Microsoft patches, outdated antivirus definitions, and so on)
How machines are connecting to the Internet (WLAN, public Wi-Fi Hotspots, 3G, dial-up, and so on)
Information on other security products
The EMC allows varying, role-based access to different aspects of reporting. For example, an administrator can create login accounts for other users who need access to the reporting system, while controlling the type of access they receive based upon the roles. Sample roles within EMC include the following:
Security manager
Portal administrator
Master administrator
IT administrator
Help desk engineer
Finance manager
Figure 8-10 shows the EMC login page.
For many companies, compliance is mandated by federal regulations, state regulations, and at the very least, internal compliance standards. Having a high-level, managerial report on the current state of devices has significant value in this regard. Managerial-level reporting is available for such items as how many systems are missing critical patches, how many systems are noncompliant, how many machines have received specific patches, and so on. Figure 8-11 shows an example of managerial-level information.
Being able to obtain detailed, real-time reporting information on particular systems can be invaluable. This information can be considered "what is on a machine." Detailed information can be obtained that includes (but is not limited to) the following:
The operating system and service pack level
All installed applications
All running applications
All running services
Version of all applications, including Internet Explorer
BIOS version
Detailed information on all installed hardware
One of the biggest threats to protecting enterprise data is peer-to-peer applications. Most companies I speak with do not want these applications installed. Fiberlink Mobile NAC offers a very useful report that can show exactly what software is installed across an entire user population. This can be used to identify unwanted applications, which can then be uninstalled or added to the aforementioned Restricted Application Protection blacklisting (which would prohibit them from running). Figure 8-12 shows an example report where the peer-to-peer application BitLord has been identified on a system.
In addition to showing what's on a machine, the report can show "what's not on a machine." This information lists deficiencies on the device. This is critical, because knowing what is missing is the first step in getting the proper security patches and updates into place. Figure 8-13 shows deficiencies on a specific machine that have been exported to an .xls file.
The Fiberlink Mobile NAC reporting data was specifically designed to be as close to real-time as possible. When a mobile device receives an IP address, the agent attempts connectivity with the reporting system. From that point forward, the agent will heartbeat in approximately every 5–10 minutes (this timeframe is configurable), or when a status change occurs.