3.2. Taking Inventory

Your users and machines go through the first phase of the NAC lifecycle — assessment — when they attempt to join your network and access network resources, as shown in Figure 3-2.

Typically, this step involves two primary sets of policies:

  • User or machine identity

  • Machine security posture

In some instances, you might also want to include other environmental factors related to your policy.

Figure 3-2. The basic steps of NAC implementation.

3.2.1. User and machine identity

Knowing who's on your network is a key advantage of deploying NAC.

In today's environment, mobile users, authorized third parties, and users on non-standard corporate devices make it more and more difficult to figure out exactly who's accessing your corporate resources. NAC allows you to

  • Determine who's using which machine

  • Tie that information to specific policies for that user's access

When a user first comes onto the corporate network, the NAC system authenticates him or her.

NOTE

Authentication can take many forms — ranging from a statically defined user name and password, to more complex forms such as biometric identification and X.509 digital certificates. Regardless of the credentials used, the goal of authentication is to prove beyond reasonable doubt that people coming onto your network are who they say they are.

The same authentication holds true for machines, too:

  • In some cases, organizations simply want to determine whether a particular machine is a trusted asset, and then make the access control decision based solely on that information.

  • In other cases, that machine might be an unmanned machine on the network. For example, an employee might have logged off of his or her machine and gone home for the evening, leaving the machine running. IT can take this opportunity to patch that particular machine without having to interact with the end user. In these cases, NAC authenticates, assesses, and patches the machine, making it ready to go — fully compliant — when the user returns to work in the morning.

A NAC-enabled system can prompt a user for authentication in many ways:

  • If the user is an employee using a company-owned asset, that asset may have a NAC software agent installed as part of your standard corporate image.

  • If the user is a guest or partner, coming to your network for a short duration with no need for a permanently installed agent, his or her machine's Web browser may act as the agent, redirecting the user to a captive portal for authentication.

When the user comes onto the network (through some method or another), NAC determines who that user is and feeds the info into the next step of the lifecycle — evaluation (which we talk about in the section "Putting the Pieces Together," later in this chapter).

Chapter 8 covers identity in much more detail.


3.2.2. Clean machines

In the assessment phase, NAC takes note of the security posture of the machines attempting to join the network to ensure that you don't inadvertently allow insecure, improperly patched machines onto the network. The risks of allowing just anything onto the network are staggering: spyware, malware, viruses, remote exploits, and more could break out on your network. NAC therefore needs to gauge the risks associated with allowing unmanaged devices on the network and then take appropriate action.

Chapter 9 covers endpoint assessment at a much more detailed level.


3.2.3. How's the weather?

The assessment process also involves determining other environmental factors such as location or access time.

Environmental factors can include any number of additional pieces of information, other than identity and machine integrity, that you might use as part of your policy decision:

  • Location might be one factor that plays a part in your decision about whether to allow a user on the network.

    For example, you might restrict guest access solely to certain areas of the corporate network — such as conference rooms and public areas. If a guest machine suddenly shows up in a restricted area, NAC provides you with the ability to deny access.

  • You might employ time-of-day or day-of-week restrictions for certain users. For example, you might want to ensure that certain employees or other users access corporate data only during business hours. When such an employee tries to access sensitive corporate data from home on the weekend, you can have a policy in place that automatically denies access.
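To make the three assessment inputs concrete, here is an added example (not code from the book or from any NAC product) that models the policy sets described in this section: user identity (3.2.1), machine posture (3.2.2), and environmental factors such as location and time of day (3.2.3). The baseline values, location names, business-hours window, and sample endpoints are all constructed for illustration; a real NAC deployment would take them from its policy server and from the agent or captive-portal report.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed posture baseline (hypothetical values, not taken from any real product).
POSTURE_BASELINE = {
    "min_patch_level": 42,            # lowest patch bundle the endpoint may report
    "max_av_signature_age_days": 7,   # antivirus signatures older than this fail
    "firewall_required": True,
}

# Constructed environmental policy: guests only in public areas,
# and business hours defined as 08:00-18:00, Monday to Friday.
GUEST_ALLOWED_LOCATIONS = {"conference-room", "lobby"}
BUSINESS_HOURS = (8, 18)


@dataclass
class Endpoint:
    """What the assessment phase learned about one connecting device."""
    user: str
    role: str                   # "employee" or "guest"
    authenticated: bool         # outcome of the identity check (agent or captive portal)
    patch_level: int
    av_signature_date: datetime
    firewall_enabled: bool
    location: str               # where the device was seen joining the network
    business_hours_only: bool = False


@dataclass
class Decision:
    verdict: str                # "allow", "quarantine" or "deny"
    reasons: list = field(default_factory=list)


def check_posture(ep: Endpoint, now: datetime, baseline=POSTURE_BASELINE) -> list:
    """Return the list of posture failures; an empty list means compliant."""
    failures = []
    if ep.patch_level < baseline["min_patch_level"]:
        failures.append(f"patch level {ep.patch_level} below required {baseline['min_patch_level']}")
    if now - ep.av_signature_date > timedelta(days=baseline["max_av_signature_age_days"]):
        failures.append("antivirus signatures out of date")
    if baseline["firewall_required"] and not ep.firewall_enabled:
        failures.append("host firewall disabled")
    return failures


def check_environment(ep: Endpoint, now: datetime) -> list:
    """Return environmental policy violations (location, time of day)."""
    failures = []
    if ep.role == "guest" and ep.location not in GUEST_ALLOWED_LOCATIONS:
        failures.append(f"guest device seen in restricted location '{ep.location}'")
    in_hours = now.weekday() < 5 and BUSINESS_HOURS[0] <= now.hour < BUSINESS_HOURS[1]
    if ep.business_hours_only and not in_hours:
        failures.append("access attempted outside business hours")
    return failures


def assess(ep: Endpoint, now: datetime) -> Decision:
    """Combine identity, environment and posture into one access decision."""
    # Identity first: without a trusted identity nothing else is evaluated.
    if not ep.authenticated:
        return Decision("deny", ["authentication failed"])
    # Environmental violations are hard denials: the device should not be here, now.
    env_failures = check_environment(ep, now)
    if env_failures:
        return Decision("deny", env_failures)
    # Posture failures send the device to remediation rather than denying outright,
    # so it can be patched and re-assessed (the "unmanned machine" case above).
    posture_failures = check_posture(ep, now)
    if posture_failures:
        return Decision("quarantine", posture_failures)
    return Decision("allow")


# Constructed sample endpoints; 2024-03-12 is a Tuesday, 2024-03-16 a Saturday.
TUESDAY_MORNING = datetime(2024, 3, 12, 10, 30)
SATURDAY_NIGHT = datetime(2024, 3, 16, 21, 0)

SAMPLE_ENDPOINTS = {
    "clean_employee": Endpoint("alice", "employee", True, 45,
                               TUESDAY_MORNING - timedelta(days=1), True, "office"),
    "stale_av_employee": Endpoint("bob", "employee", True, 45,
                                  TUESDAY_MORNING - timedelta(days=30), True, "office"),
    "guest_in_lab": Endpoint("visitor", "guest", True, 45,
                             TUESDAY_MORNING - timedelta(days=1), True, "lab"),
    "unauthenticated": Endpoint("unknown", "employee", False, 45,
                                TUESDAY_MORNING - timedelta(days=1), True, "office"),
    "weekend_restricted": Endpoint("carol", "employee", True, 45,
                                   SATURDAY_NIGHT - timedelta(days=1), True, "home",
                                   business_hours_only=True),
}


def run_samples() -> dict:
    """Assess every sample endpoint and return {name: verdict}."""
    results = {}
    for name, ep in SAMPLE_ENDPOINTS.items():
        now = SATURDAY_NIGHT if name == "weekend_restricted" else TUESDAY_MORNING
        results[name] = assess(ep, now).verdict
    return results


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20s} -> {verdict}")
```

The ordering in `assess` is the design choice worth noticing: an environmental violation (a guest device in a restricted area, or a restricted user connecting on the weekend) is a denial, while a posture failure on an otherwise legitimate device leads to quarantine so the machine can be remediated and re-assessed rather than simply kept off the network.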
