10.2. Endpoint/Software Enforcement

Endpoint enforcement involves software on a connecting client that enforces policies. This kind of enforcement is similar to putting firewall software on an endpoint. In the firewall software, you can control what the endpoint can communicate with by matching on source IP, destination IP, ports, and protocol type. That type of functionality is the most basic form of endpoint enforcement. In the case of NAC, the policy engine controls the policies, instead of those policies being statically configured on the endpoint.

You can use endpoint enforcement for not only network enforcement, but also endless types of policies (including which software can be run).

Never use endpoint enforcement on its own in a NAC deployment. Because of the nature of an endpoint, if it's compromised and contains malicious code, you can't trust the software on the endpoint to do its job. In other words, if you're using endpoint enforcement to control what servers or IPs the endpoint can reach, you put all your eggs in one basket. If the endpoint is compromised, malicious users can circumvent the software to reach the network. Always use endpoint enforcement in conjunction with another form of enforcement, such as 802.1X- or firewall-based enforcement. This extra enforcement adds an external check and balance so that if the endpoint becomes compromised, the firewall, in all likelihood, won't be compromised at the same time. Also, if the user terminates the endpoint agent, the endpoint may be left with no endpoint enforcement at all in that state.

NAC can use two distinct types of endpoint or software enforcement: host-based and server-based.

10.2.1. Host-based

NAC host-based enforcement is a software-based approach that has its functionality bundled in the endpoint agent.

The functionality available in host-based enforcement differs greatly from vendor to vendor.

10.2.1.1. Network policy enforcement

Network policy enforcement is the most common of the policies that administrators use in conjunction with NAC. Network policy enforcement dictates what the endpoint can communicate with on the network, usually based on the five-tuple concept:

  • Source IP

  • Source port

  • Destination IP

  • Destination port

  • Protocol

The simplest example is a policy that says a user can't reach the Exchange server if he or she doesn't have an up-to-date antivirus program installed and running. The endpoint agent blocks any traffic that tries to reach that server by filtering packets on the network interface of the endpoint.
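The following is an added example, not code from the book or from any NAC vendor: a minimal model of the agent-side filter described above, where the policy engine's rule set depends on the endpoint's antivirus posture and each packet is matched against the five-tuple. The server addresses and the posture fields are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample addresses; in a real deployment these come from the policy engine.
EXCHANGE_SERVER = "10.0.0.25/32"
REMEDIATION_SERVER = "10.0.0.50/32"
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Flow:
    """One packet's five-tuple as seen on the endpoint's network interface."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src_net: str = ANY
    dst_net: str = ANY
    dst_port: Optional[int] = None   # None matches any destination port
    proto: Optional[str] = None      # None matches any protocol

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src_ip) in ip_network(self.src_net)
                and ip_address(flow.dst_ip) in ip_network(self.dst_net)
                and (self.dst_port is None or self.dst_port == flow.dst_port)
                and (self.proto is None or self.proto == flow.proto))

def rules_for_posture(av_installed: bool, av_running: bool, av_current: bool) -> List[Rule]:
    """Rule set the policy engine hands the agent for this posture; first match wins."""
    compliant = av_installed and av_running and av_current
    rules = [Rule("allow", dst_net=REMEDIATION_SERVER, dst_port=443, proto="tcp")]
    if not compliant:
        # Non-compliant endpoints lose all access to the mail server, any port/protocol.
        rules.append(Rule("deny", dst_net=EXCHANGE_SERVER))
    rules.append(Rule("allow"))  # everything else is permitted by this sample policy
    return rules

def decide(flow: Flow, rules: List[Rule]) -> str:
    """Return the action for a packet: the first matching rule, else default deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"
```

Because the decision runs on the endpoint, a compromised or stopped agent can simply skip `decide`, which is why the same policy must also be enforced by a network device.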

Don't use host-based enforcement as your only form of enforcement. If the machine is compromised, you could have malicious software on that machine that may be able to bypass the agent on the endpoint. This is not such a big deal if there is a network-based enforcement point also enforcing the policy; it will still block the traffic.

10.2.1.2. Software or application enforcement

One of the biggest benefits of having an agent on the endpoint is that the agent can control what software the endpoint runs. By using NAC, you can create policies that prevent a user from running instant messaging software on the endpoint. The endpoint agent can monitor whether the user attempts to run the instant messaging software, and it can block the software or terminate the application. Therefore, you have the power to actually control what applications run on an endpoint that's connected to your network.

10.2.1.3. Virtual environments

A virtual environment is a temporary workspace on top of the existing desktop. A virtual environment protects the user, and his or her data, when he or she connects to the network.

NOTE

Virtual environments are the least popular type of enforcement technology.

10.2.2. Server-based

Server-based enforcement deals with policies on an agent that's running on a server. This agent controls which users have access to a particular application or the server itself.

If possible, take server enforcement off the server, because enforcement can add additional strain or load to the server. But keep application authentication on the server for NAC because of audit trails. In some cases, you can tie your network access control into your application authentication infrastructure, which can give the applications on the server Single Sign-On (SSO) functionality.
