10.1. Operating Modes

Operating modes are different ways that the enforcement point can behave when controlling user access. NAC solutions can operate in two modes.

10.1.1. Evaluate only

The evaluate-only mode allows you to examine endpoints, create access policies, and log data without actually changing access to network resources.

You may find this mode useful for several reasons:

  • Regulatory compliance: To meet regulatory compliance requirements, you may want only to log who has access to resources, when they log in, what software they have running on their machine, and so on. You can create an audit trail that meets several of the regulatory compliance stipulations. For example, you can log who had access to the datacenter, including the users' names and IP addresses. With some NAC solutions on the market, you can also log what traffic went to which server in the datacenter. If there's a question about a server or resource being accessed, you can refer back to the log data and identify the user, what machine he or she was using, and so on.

  • Learning your network: See how NAC would change user access to resources without actually changing that access. When you start to deploy NAC, evaluate-only mode can let you figure out which users might have problems getting on the network before you actually break their network access. Using evaluate-only mode lets you locate all the access problems that your NAC configuration may create before you flip the switch and turn it on. This process takes a lot of risk out of initial NAC deployments.


10.1.2. Enforcement

Network access control flexes its muscles when it enforces policy. To use the full potential of NAC solutions, enable policy enforcement. Enforcement allows you to make devices and users adhere to a policy that you create.

For example, you can enforce a policy that controls access to a server in a datacenter. Create a policy that says all users who work in finance have access to the finance server. With this policy in place, enforce on a device in front of the datacenter to allow access to only users who are logged in and members of finance. Then, also log the traffic to create an audit trail of users who access the server. Enforcement lets you know that only finance users have access to the finance server. You can limit the number of people who can access certain data, which drastically reduces the risk of compromise for the data that exists on the network.


When you turn on enforcement, you can go from an open access network to a closed access network, which can greatly increase the security on your network.

10.1.2.1. Open access network

Some users on a network have open access to resources, such as servers. Users can typically access Active Directory and other resources directly over IP, without anything controlling access. Nothing has to authenticate you if you want to reach the resources. For example, a Web application may feature application authentication, such as a Web page that asks for credentials to log in, but you can reach the Web server without the network authenticating you. A datacenter may have a simple firewall that does some blocking, but access to resources is open and doesn't change.

The benefit to this type of a network is that you can access it relatively simply. A user typically just needs to get an IP address to reach the network's resources. If the user experiences access problems, he or she can usually troubleshoot those problems really easily. If the user has an IP address, the problems are usually simple, such as routing, switching, or firewall rules. Nothing changes the end-user experience, such as network login screens or required credentials to get an IP address.


An open access network has several problems:


  • Weak security: In an open access network, all users typically have access to all resources. In this type of environment, you have to trust applications to protect themselves. If a user has access to a Web server that requires authentication to get access to the content, you have to trust the Web server to block access to anyone who doesn't authenticate correctly. Open access makes that server vulnerable to application attacks. If the Web server has a vulnerability, anyone on the network can exploit it and gain access to the server.

  • No user-based audit trail: In most networks today, a firewall in front of an application has some sort of logging enabled, but if an attack happens, locating the offending user or machine is very difficult. DHCP makes this problem even greater. Because users get different IP addresses every time they plug into the network, you can find it hard to correlate an IP to a user or machine.

  • Static configuration: Configuration in an open access network doesn't change when the networks and devices change. A lot of companies tried to deploy departmental firewalls to address the datacenter access problem. A departmental firewall would sit between resources, users, or business areas. These firewalls worked on the idea that if you create policies, you can limit what information or access can flow between the areas.

You most likely have departmental firewalls in your network already. If you do, make a list of where they're located. Determine whether the firewall policies are doing anything productive. After you look at the policies, ask yourself what you'd change. Do you want to control access to resources behind a particular firewall? If you do, you may want to add that firewall's location to your list of places whose network access control you want to evaluate.


10.1.2.2. Closed access network

Network access control allows you to create a closed access network. A closed access network is a network that blocks anyone from accessing anything by default. To get access to a resource, an administrator has to explicitly allow or create that access.

To illustrate the difference between open access and closed access, consider a grocery store and a military base. At the grocery store, anyone can go through the open door. At a military base, you have to show identification, and then the person at the gate decides whether you have permission to enter the base. If you receive access to the base, the gate person then tells you where you do and don't have permission to go.


A closed access network has several advantages:


  • Security: When you have closed access, you can create a network that opens up access to resources under conditions that you control. In other words, you control what users can and can't see on the network.

    You may want to create a network that allows access to a finance server only after the user provides credentials proving that he or she works in finance. You can also create rules to further protect the finance server. You can add a policy that says the user has access only when he or she has an up-to-date antivirus client on his or her machine, which further protects the finance server. You can then sleep at night knowing that only finance users that have updated antivirus have access to the finance data — nobody else. You can then layer on traffic logging to create an audit trail so that if there's a data access violation, you can identify which finance user to talk to.

  • Risk mitigation: With a closed access network, you can select what machines you want on your network. You can create rules that place potentially risky machines in one restricted, or quarantined, network. The machines that you decide are safe can get access to the corporate network. This quarantine process reduces your risk greatly because you separate your risky machines from the rest of the machines. Think of this security access method like preschool. If you know that one of the kids has lice, you don't want to put him or her with the other kids — you want to separate him or her, and get rid of the lice. When the lice are gone, he or she can then go play with the other kids.

NOTE

A closed access network adds a lot of complexity to your network. Troubleshooting problems becomes difficult when you increase the complexity of your network. Simple problems, such as a user not getting an IP address, can suddenly become a lot more difficult. You now have to start looking at other causes for the problem. For example, do the users have valid credentials? Is the software that runs on the machine up to date? Is the endpoint agent on the device configured correctly?

In a closed access network, a user typically has to authenticate before he or she can access resources. Depending on the configuration, this authentication can make the user experience more cumbersome. In other words, if a user has to provide his or her credentials again before he or she can get on the network, you're adding one more step before a user can be productive. You need to reach a delicate balance between open access and closed access.
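The following is an added example, not code from the book or from any NAC product, that ties together the ideas in 10.1.1 and 10.1.2: a closed access policy that denies by default, allows the finance server only to finance users whose antivirus is current, quarantines risky machines, and writes the same audit trail whether the engine runs in evaluate-only or enforcement mode. The user names, IP addresses, group names and the "finance-server" resource are all constructed for illustration.

```python
# Added example (not from the book): a minimal NAC policy engine showing the
# closed access model (default deny), a conditional rule (finance group plus
# up-to-date antivirus), quarantine of risky endpoints, and the evaluate-only
# versus enforcement operating modes. All names and endpoints are constructed.
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    user: str
    ip: str
    groups: frozenset
    av_up_to_date: bool

@dataclass
class PolicyEngine:
    enforce: bool = True                 # False = evaluate-only mode
    audit_log: list = field(default_factory=list)

    def decide(self, ep, resource):
        """Policy verdict for one endpoint/resource pair. Closed access:
        anything not explicitly allowed below is denied."""
        if not ep.av_up_to_date:
            return "quarantine"          # risky machine -> restricted network
        if resource == "finance-server" and "finance" in ep.groups:
            return "allow"
        return "deny"

    def check(self, ep, resource):
        """Evaluate, write an audit entry, and return what the enforcement
        point actually does in the current mode."""
        verdict = self.decide(ep, resource)
        self.audit_log.append({"user": ep.user, "ip": ep.ip, "resource": resource,
                               "verdict": verdict, "enforced": self.enforce})
        # Evaluate-only mode records the verdict but never changes access.
        return verdict if self.enforce else "allow"

# Constructed sample endpoints
ALICE = Endpoint("alice", "10.0.5.12", frozenset({"finance"}), True)
BOB = Endpoint("bob", "10.0.5.40", frozenset({"engineering"}), True)
CAROL = Endpoint("carol", "10.0.5.77", frozenset({"finance"}), False)

def run_mode(enforce):
    """Push the sample endpoints through one mode; return (actions, logged verdicts)."""
    engine = PolicyEngine(enforce=enforce)
    actions = [engine.check(ep, "finance-server") for ep in (ALICE, BOB, CAROL)]
    return actions, [entry["verdict"] for entry in engine.audit_log]
```

Running `run_mode(False)` first shows which users would lose access before you flip to `run_mode(True)`, which is exactly the deployment sequence described above.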

10.1.3. Decision making

If you're thinking about using NAC, you've likely decided that you want a closed access type of network. You need to decide how closed a network you want to create. By moving to a closed access network, you can create a network that's so closed it diminishes user productivity. You need to be very careful when you start taking away user access. You can actually go too far and make the network so restrictive that users can't get their day-to-day work done. NAC gives you great power. And as the saying goes, with great power comes great responsibility.

NOTE

The log data that network access control gives you can usually help you meet certain regulatory requirement stipulations. If your organization has to follow important regulations, make sure that you add logging to your product evaluation plans. Logging for auditing purposes has the most value when an enforcement point can actually enforce it. If you use source IP-based logging or enforcement, that enforcement isn't 100-percent reliable. Malicious attacks, such as IP spoofing, can render this data inaccurate. If you need completely reliable logging and enforcement information in case of outside inquiry or investigation, you need to leverage an enforcement technology such as IPSec enforcement.

Make a list of the types of enforcement devices that you have in your network. You can most easily make this list if you have a network diagram of your network handy. While you go through the different enforcement mechanisms that your network has, check whether you can use any of them for NAC enforcement. After you identify all the places for enforcement, you can go through the pros and cons of each type of enforcement to figure out which enforcement makes sense for your network.


NOTE

Not all enforcement mechanisms are equal. Each type of enforcement has a different function in network access control. You probably want to use a combination of at least two types of enforcement.

Technologies that NAC most commonly uses for enforcement are

  • Inline enforcement

  • Firewall enforcement

  • IPSec enforcement

  • Host-based enforcement

  • 802.1X enforcement

  • SNMP-based enforcement

  • ARP-based enforcement

When you review a NAC solution, ask the vendor what technologies they leverage for enforcement. This information can help you narrow down which solution makes sense for your network.

