4.3. Enforcement Time

After you define the policy, you decide how and where to enforce your policies. Enforcement gives your network access control policies teeth, so to speak, allowing them to have meaning and purpose on the network.

Most network access control deployments use several enforcement methods. When selecting the best method to enforce policies, take a look at each method and see what makes sense in your network. You may even choose to do no enforcement at all and just run the entire deployment in monitor mode. Whatever you decide to do, do your homework and test each option thoroughly.


4.3.1. Endpoint

Endpoint enforcement, the most basic form of enforcement, involves the endpoint client enforcing policy that the policy engine pushes. The enforcement can be network-access-based or software-based. For network-access-based enforcement on the endpoint, the endpoint client restricts or changes access for a network user based on a policy that the policy engine sends. Endpoint enforcement can use a couple of different methods, but the most common method uses a software firewall-based approach. The other method of enforcement is software based, which is limited only by your imagination. For example, the software based approach can block certain applications from running or start a virtual desktop.

Try to avoid using endpoint enforcement on its own. Malicious users can get around endpoint enforcement alone more easily than a deployment that includes another form of enforcement.


4.3.2. 802.1X

802.1X enforcement, which is becoming one of the most popular methods of enforcement, is an authentication standard that's supported on most modern switches and wireless access points. 802.1X uses the Extensible Authentication Protocol (EAP) that's defined in RFC 2284.

802.1X enforcement has some really big advantages for most networks. Because 802.1X is a Layer 2-based authentication mechanism, you can authenticate users or machines before they have an IP address and are a part of your network. 802.1X allows you to be proactive and decide who you want on your network before they actually get on your network.


4.3.2.1. Enforcement stages

For 802.1X to work, you need three components, some hardware and some software, each playing its own role in the exchange.

4.3.2.1.1. Authentication server

The authentication server is a RADIUS server. In the case of network access control, the RADIUS server is typically a part of the policy engine. The authentication server takes all the authentication requests, validates them, and then says yay or nay to the access request.

4.3.2.1.2. Authenticator

The authenticator is your switch or access point and is the simple device in the middle:

  1. The authenticator takes authentication requests that it receives from a supplicant and forwards those requests to the authentication server.

  2. After an authentication server determines that the endpoint should have access, the authentication server sends an access accept to the authenticator.

  3. When the authenticator receives the access accept, it allows the endpoint to have access to the network.

4.3.2.1.3. Supplicant

The supplicant is a piece of software that enables an endpoint to communicate over Layer 2 for 802.1X authentication. In network access control, the supplicant is typically a part of the endpoint client. The supplicant needs to support the form of EAP that your network uses. The supplicant collects all the user credentials and any other information that the authenticator needs for authentication, and then sends that information to the authenticator (the switch or access point) for authentication.

4.3.2.2. Usage

802.1X enforcement is typically used in conjunction with VLANs. VLANs are a way of separating traffic at Layer 2 into virtual networks that don't have access to one another. In the case of NAC, think of having all your valid compliant endpoints in a corporate VLAN and all your non-compliant machines in a quarantine VLAN. The endpoints in the quarantine VLAN don't have access to any of the resources in the corporate VLAN, so the quarantine VLAN has restricted access, as illustrated in Figure 4-2.

Typically, the only access available in the quarantine VLAN is the access needed to update virus signatures or any other remediation that the machine needs to become compliant. After the machine is compliant, the 802.1X authentication transaction happens again, and the endpoint is put in the corporate VLAN.

Figure 4-2. VLAN endpoint enforcement.
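The three-component exchange from Section 4.3.2.1 and the VLAN steering from Section 4.3.2.2, as one added example that is not from the book or any vendor's product. The supplicant, authenticator and RADIUS server are modelled as small Python classes; the EAP method is reduced to a single identity/secret round trip rather than a real EAP-TLS or PEAP conversation, the credentials, VLAN numbers and compliance table are constructed sample data, and the attribute names in the Access-Accept (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) are the standard RADIUS VLAN attributes from RFC 3580.

```python
"""Simulated 802.1X exchange: supplicant -> authenticator -> RADIUS server.

Constructed example: credentials, VLAN ids and the compliance table below are
sample data, and the EAP method is simplified to one identity/secret check.
"""
import hmac
from dataclasses import dataclass
from typing import Optional

CORPORATE_VLAN = "100"   # assumed VLAN id for compliant endpoints
QUARANTINE_VLAN = "999"  # assumed VLAN id that only reaches remediation servers


@dataclass
class AuthenticationServer:
    """The policy engine's RADIUS component: validates the credential and
    picks a VLAN from the endpoint's compliance state (RFC 3580 attributes)."""
    secrets: dict     # identity -> shared secret (sample data)
    compliant: dict   # identity -> bool, as reported by the posture check

    def handle_access_request(self, identity: str, secret: str) -> dict:
        expected = self.secrets.get(identity)
        # Constant-time compare; an unknown identity fails exactly like a bad secret
        if expected is None or not hmac.compare_digest(expected, secret):
            return {"code": "Access-Reject"}
        vlan = CORPORATE_VLAN if self.compliant.get(identity) else QUARANTINE_VLAN
        return {
            "code": "Access-Accept",
            "Tunnel-Type": "VLAN",             # attribute 64, value 13
            "Tunnel-Medium-Type": "IEEE-802",  # attribute 65, value 6
            "Tunnel-Private-Group-ID": vlan,   # attribute 81, the VLAN to assign
        }


@dataclass
class Authenticator:
    """The switch port: relays EAP to RADIUS and opens only on Access-Accept."""
    server: AuthenticationServer
    port_authorized: bool = False
    port_vlan: Optional[str] = None

    def forward(self, identity: str, secret: str) -> str:
        reply = self.server.handle_access_request(identity, secret)
        if reply["code"] == "Access-Accept":
            self.port_authorized = True
            self.port_vlan = reply["Tunnel-Private-Group-ID"]
        else:
            self.port_authorized = False
            self.port_vlan = None
        return reply["code"]

    def passes(self, ethertype: str) -> bool:
        """Before authorization only EAPOL frames (EtherType 0x888E) cross the port."""
        return ethertype == "0x888E" or self.port_authorized


@dataclass
class Supplicant:
    """Endpoint-side software: gathers the credential and talks EAPOL to the switch."""
    identity: str
    secret: str

    def authenticate(self, authenticator: Authenticator) -> str:
        return authenticator.forward(self.identity, self.secret)


def build_lab():
    """Constructed sample deployment: one compliant and one non-compliant user."""
    server = AuthenticationServer(
        secrets={"alice": "correct-horse", "bob": "battery-staple"},
        compliant={"alice": True, "bob": False},
    )
    return server, Authenticator(server)


def walkthrough() -> dict:
    """Runs the cases the text describes and returns the observed port states."""
    server, switch = build_lab()
    results = {}
    # 1. Compliant user with a valid credential lands in the corporate VLAN
    Supplicant("alice", "correct-horse").authenticate(switch)
    results["alice"] = (switch.port_authorized, switch.port_vlan)
    # 2. Wrong secret: the port stays closed to everything except EAPOL
    Supplicant("alice", "wrong").authenticate(switch)
    results["alice_bad"] = (switch.port_authorized,
                            switch.passes("0x0800"), switch.passes("0x888E"))
    # 3. Non-compliant endpoint is quarantined; after remediation it re-authenticates
    Supplicant("bob", "battery-staple").authenticate(switch)
    before = switch.port_vlan
    server.compliant["bob"] = True          # posture check now passes
    Supplicant("bob", "battery-staple").authenticate(switch)
    results["bob"] = (before, switch.port_vlan)
    return results


if __name__ == "__main__":
    print(walkthrough())
```

The point to take from the model is that the switch never decides anything itself: it only flips the port between the EAPOL-only state and the authorized state, and the VLAN it applies comes entirely from the policy engine's reply, which is why re-running the authentication after remediation is enough to move the endpoint from the quarantine VLAN to the corporate VLAN.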

4.3.3. Inline

Inline enforcement is a method of enforcement that enables you to distinguish endpoints by their Layer 3 IP addresses and grant each the appropriate access to protected resources on the network.

With inline enforcement, you put a device in between the user and the resources that he or she is accessing so that you can control the user's access as the traffic flows through the device.

For example, suppose two endpoints are both connected to the corporate network and have IP addresses in the same subnet, but the users are two different people with two different job functions: one is an engineer, and the other works in human resources. The engineer shouldn't see the HR database, and the HR person shouldn't see the engineer's source code server.


The most popular form of inline enforcement is the firewall. Firewalls allow administrators to define a policy based on IP addresses, specifying which IPs can reach which resources. Network administrators defined this policy statically in the past. Network access control now extends firewall policy and creates dynamic policy based on any number of attributes that the policy engine checks.

Think of inline enforcement as a firewall in front of a datacenter. In the past, a firewall had static policy based on source IP, destination IP, ports, and protocols. But if your users get their addresses from Dynamic Host Configuration Protocol (DHCP), the users' IP addresses are always changing, so you can never tie a static policy to the users directly. If you switch to an inline enforcement point (a firewall controlled by the policy engine), you can have dynamic policies created on the enforcement point when a user is authenticated and joined to the network. So, the HR person can see only the HR server, and the engineer can see only her source code.
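The dynamic, identity-driven firewall policy described in this section, as an added example that is not from the book or any firewall vendor. The policy engine side is reduced to a role table, and the enforcement point is a default-deny allow list whose rules are created when a user authenticates, rebuilt when DHCP hands that user a new address (so the old address does not keep inheriting the user's rights), and removed at logoff. The roles, server addresses and client addresses are constructed sample data, and the rule format is a generic textual rendering rather than any particular firewall's syntax.

```python
"""Identity-driven inline enforcement: the policy engine turns an authenticated
user's role into firewall rules bound to whatever IP address DHCP handed out.

Constructed example: roles, servers and addresses are sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Role -> (destination, port) pairs that role may reach (sample data)
ROLE_POLICY = {
    "engineer": [("10.0.20.10", 22), ("10.0.20.10", 443)],  # source code server
    "hr": [("10.0.30.5", 1433)],                             # HR database
}


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    port: int


@dataclass
class InlineEnforcer:
    """The firewall controlled by the policy engine: default deny, per-session rules."""
    rules: Dict[str, Set[Rule]] = field(default_factory=dict)  # user -> its rules

    def on_authenticated(self, user: str, role: str, ip: str) -> None:
        """User joined the network: derive rules from the role and the current lease."""
        src = ipaddress.IPv4Address(ip)
        self.rules[user] = {
            Rule(src, ipaddress.IPv4Address(dst), port)
            for dst, port in ROLE_POLICY.get(role, [])  # unknown role gets nothing
        }

    def on_address_change(self, user: str, role: str, new_ip: str) -> None:
        """DHCP issued a new lease. Rules keyed to the old address would now
        authorize whoever inherits it, so rebuild them for the new address."""
        self.on_authenticated(user, role, new_ip)

    def on_logoff(self, user: str) -> None:
        """Session ended: drop every rule that belonged to it."""
        self.rules.pop(user, None)

    def allows(self, src: str, dst: str, port: int) -> bool:
        """Stateless check a flow would receive at the enforcement point."""
        candidate = Rule(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), port)
        return any(candidate in ruleset for ruleset in self.rules.values())

    def render(self) -> List[str]:
        """Flat, sorted rule list for inspection; the final line is the default."""
        lines = [f"allow {r.src} -> {r.dst}:{r.port}"
                 for ruleset in self.rules.values() for r in ruleset]
        return sorted(lines) + ["deny any -> any"]


def walkthrough() -> dict:
    """Engineer and HR user on the same subnet, then a DHCP renewal and a logoff."""
    fw = InlineEnforcer()
    fw.on_authenticated("eng1", "engineer", "10.0.1.50")
    fw.on_authenticated("hr1", "hr", "10.0.1.51")
    out = {
        "eng_to_code": fw.allows("10.0.1.50", "10.0.20.10", 22),
        "eng_to_hrdb": fw.allows("10.0.1.50", "10.0.30.5", 1433),
        "hr_to_hrdb": fw.allows("10.0.1.51", "10.0.30.5", 1433),
        "hr_to_code": fw.allows("10.0.1.51", "10.0.20.10", 443),
    }
    # The engineer's lease changes; the stale address must lose its rights
    fw.on_address_change("eng1", "engineer", "10.0.1.77")
    out["old_ip_after_renew"] = fw.allows("10.0.1.50", "10.0.20.10", 22)
    out["new_ip_after_renew"] = fw.allows("10.0.1.77", "10.0.20.10", 22)
    fw.on_logoff("eng1")
    out["after_logoff"] = fw.allows("10.0.1.77", "10.0.20.10", 22)
    out["rules_left"] = fw.render()
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(key, value)
```

Two details carry the section's point. First, the rule set never contains a static "engineers' subnet" entry: it only ever contains the addresses of users who are authenticated right now, which is what makes the policy survive DHCP. Second, the address-change and logoff hooks matter as much as the authentication hook; without them the enforcement point slowly accumulates rules for addresses that have been handed to other people.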


4.3.4. IPSec

IPSec enforcement, an extension of inline enforcement, is used to create an IPSec connection from the endpoint to a virtual private network (VPN) concentrator in the network. The VPN concentrator can also be a firewall or other appliance, but its main purpose is to provide data privacy across the internal network.

You can use IPSec VPN where encryption of traffic is important, such as when your company's financial information crosses the network. If you don't want anyone else to see the traffic, then IPSec is for you.
