1.1. NAC's Evolving Description

So, what's this network access control thing that you've been hearing and reading about?

First, NAC isn't the cure-all for whatever security or access control issues and challenges confront an organization and their network. But the right NAC solution, deployed appropriately, can deliver significant protection for

  • Your network, its applications, and sensitive data

  • Your users and their endpoint devices

The right NAC solution for your organization can protect against many (if not most) dangerous malware, nefarious hackers, and any malcontent users that the fast-paced, always connected, always on(line) networked world can throw at you.

So, NAC controls access to a network. Unfortunately, that simple definition and description is only partially right.

Many pundits, experts, and vendors find defining, or (more correctly) describing, NAC very difficult and elusive. You can find almost as many different descriptions of and meanings for NAC as organizations that have or want to deploy NAC, or vendors who produce or produced a NAC solution. But one of those definitions fits your network's needs exactly — you just need to figure out which definition works for you.

To really understand how NAC works, consider this common — albeit painful, for some — metaphor to describe network access control: the airport!

The steps involved in operating network access control are, in many ways, similar to what happens when you go to an airport to board a plane for a trip:

  1. You first stop at the ticket counter or self-service kiosk, where you need your confirmation number or a government-approved ID (such as your driver's license or your passport) so that the airline can authenticate your identity and confirm your reservation. You need to confirm who you are and that you're authorized to travel to your destination. A NAC solution does the same basic verification: It authenticates the user or device, and then checks the user's or device's authorization level to see whether that user or device has authorization to access the network. If your ID is valid, you have a confirmed reservation, and your name matches the name on the reservation, you receive a boarding pass, which means that you're authorized to travel on that flight. Similarly, NAC solutions match the user or device ID — such as a login user name and password, two-factor authentication (which might include a token), or a smart card — to the authentication database or data store on the network to authenticate the user. If the NAC solution authenticates the user or device, that user or device receives the appropriate keys and credentials to access the network. If NAC doesn't authenticate, the user or device isn't allowed onto the network.

  2. After the ticket counter, you have to go through a security checkpoint, including an x-ray machine and metal detector, before you're allowed into the secure area of the terminal gates. This is comparable to a NAC solution's endpoint integrity assessment or host check. In the same way that airport security checks you and your carry-ons for forbidden and dangerous items, NAC checks your endpoint device for any dangerous malware and potential vulnerabilities that hackers and other miscreants could exploit. If you or your baggage set off the metal detector at the airport, security may conduct a further search by hand or wand, if necessary. That extra search is like NAC's host checking of an endpoint device. If a NAC solution detects something amiss in the malware protection of your device, or detects an infection, it may instruct the network to quarantine your device until it can assess and address the anomaly or cure the infection. Then, the NAC solution's host checking can reassess your device before it allows or instructs an enforcement point to allow that device network access. Also, at the airport security checkpoint, security rechecks your ID and boarding pass, which is similar to a NAC solution rechecking authentication while it assesses (and, if needed, reassesses) your device's security state and integrity.

  3. After you reach the secure zone at the airport, security can recheck you and your baggage for various reasons, including random security checks, if you're behaving strangely, or if you leave your suitcase unattended. Well, NAC solutions operate in the same way. Even after network admission — which is comparable to being allowed into the secure area — NAC can still conduct random assessment checks on you and your device to determine whether you still meet the organization's requirements to be on their network; or the NAC solution can recheck and reassess you or your device if it uncovers a state change in the security of your device while you're on the network. And, just like at the airport, if everything checks out okay, you and your device can remain in the secure area — or on the network. If the check finds something suspicious, then security (or NAC) may eject you from the secure zone (or deny you access to the network), subject to re-examination.

  4. If an authority figure at the airport — a police officer, security agent or guard, or airline employee — feels that you're acting strangely or inappropriately, he or she may stop you and request your ID. He or she can even eject you from the secure zone or request a recheck on you and your carry-on luggage. On a NAC-equipped network, some NAC solutions can interoperate with existing network components, such as intrusion prevention systems (IPSs), intrusion detection systems (IDSs), unified threat management (UTM)-enabled firewalls, or other network security components. And, if these devices deem that you or your device are exhibiting anomalous or bad behavior, they can signal the NAC solution. NAC can force you and your device into quarantine until you or your device stop the behavior, it addresses and solves the issue automatically (using automated remediation), or it is cured manually. NAC can also force you off the network in mid-session, not allowing you back onto the network until it clears you and your device.

  5. The last step in your airport sojourn is the final check by an airline representative at the gate leading to the aircraft. The gate attendant checks your boarding pass and, in some cases, rechecks your ID to make sure that you're who you say you are (authentication), that you have a boarding pass (credentials), that your boarding pass matches the flight number and destination (authorization), and that your name on your ID matches the name on your boarding pass. This process is a lot like application access control on a network. Some NAC solutions can deliver application access control, in which a NAC solution can recertify a user and device before that user and device can gain access to specific applications and servers, ensuring that only the properly authorized users can access certain specific, sensitive applications and data. For example, an air traveler named Adam may be authorized to take a particular flight to New York, but another flyer, Eve, has a boarding pass for a different flight number, so she can't board that particular flight to New York. A NAC solution delivers application access control in a similar way — only the correct users can access the applications and data.

1.1.1. What NAC is and what it does

Vendors, industry experts, and you may have difficulty in coming up with a common definition and description for NAC because a NAC solution has so many different components. Organizations have a tendency to focus on what problems NAC solves for them or why they want to deploy NAC. And the concept of network access control can include many different pieces of a network environment, or touch many different network entities or organizational departments.

When you factor in a network user's, vendor's, organization's, or individual's perspective when describing NAC — not to mention emotions, deployment, needs, and many other aspects — arriving at a commonly accepted definition or description for NAC becomes a jumble.

When you compare the components of NAC in the following sections, you might create a definition of what NAC is by what it does.

1.1.1.1. Endpoint integrity

One of the common core functions of a NAC solution involves running an endpoint integrity or assessment check, checking an endpoint device to ensure that the endpoint meets a baseline of security and access control policies.

1.1.1.2. Policies

Policies are at the core of nearly every NAC solution. An organization can predefine their security and access control policies, or an organization can customize and define the policies they want to use. These policies usually focus on the actions and state of endpoint security products and software, such as antivirus, anti-spyware, anti-spam, or other anti-malware offerings; personal firewalls; host-based intrusion prevention systems (IPSs); specific operating-system and application patches and patch management; and other security-related offerings. Some NAC solutions can probe how vulnerable an endpoint device may be to attack or hack.

1.1.1.3. Assessment checks

The depth and breadth of integrity and assessment checks vary from NAC solution to NAC solution:

  • Some NAC solutions simply check whether an endpoint device has loaded a specific product, or a certain set of security products or offerings. NAC may also check whether the device has turned on that product.

  • Other NAC offerings probe much deeper, checking for the product and version name, the last scan time, when the device last updated the security product, whether the user has turned off real-time monitoring or protection, and so on.

Some NAC solutions check the security products of one or two vendors; other solutions check an assortment of vendor offerings and versions.

1.1.1.4. Extended assessment checks

A number of NAC solutions have extended endpoint device integrity and assessment checks that include operating system checks; checks for machine certificate values, specific applications, files, processes, port usage, registry entries, Media Access Control (MAC) addresses, and Internet Protocol (IP) addresses; and other similar checks.

Other NAC solutions enable an organization to define and customize their own endpoint device checks that they want to include in their endpoint integrity and assessment check. Some solutions give you the ability to define an assessment check based on a specific industry or open standard. Others allow you to create your own specific endpoint assessment checks and write policies based on those checks.

1.1.1.5. Pre- and post-admission checks

The timing of an endpoint check can define a NAC solution, differentiating it from other solutions. Most NAC solutions check the integrity of an endpoint device and assess endpoint security before the endpoint device can connect to a network. This kind of check is usually called a pre-admission host or client check. However, some NAC solutions may perform these same checks periodically after an endpoint device gains admission to a network; these checks are called post-admission host or client checks. When using post-admission checks, some NAC solutions enable you to adjust or set the time for your endpoint-device integrity and assessment checks.

NOTE

Some experts, vendors, organizations, and users define and describe NAC as the act of checking and assessing endpoint device integrity.
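As an added example (not from the book), here is a small Python host-check evaluator that shows the difference between the shallow and deep assessment checks described above, run both pre-admission and post-admission, as in steps 1 and 2 of the airport walk-through; the product fields, thresholds, and endpoint state are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

NOW = datetime(2024, 6, 1, 9, 0)  # constructed "current time" so the run is deterministic


@dataclass
class Endpoint:
    """What the NAC agent or scan reports about a device (constructed fields)."""
    name: str
    antivirus: Optional[dict] = None   # e.g. {"version": (12, 3), "enabled": True, ...}
    firewall_enabled: bool = False
    os_patch_level: int = 0            # constructed YYYYMM-style integer


def make_policy(depth):
    """Build a list of (check name, predicate). A 'shallow' policy only tests presence
    and on/off state; a 'deep' policy also inspects version, scan age, real-time
    protection and OS patch level, as the deeper NAC offerings do."""
    av = lambda ep: ep.antivirus or {}
    checks = [
        ("antivirus installed", lambda ep: ep.antivirus is not None),
        ("antivirus enabled", lambda ep: av(ep).get("enabled", False)),
        ("personal firewall enabled", lambda ep: ep.firewall_enabled),
    ]
    if depth == "deep":
        checks += [
            ("antivirus version >= 12.0", lambda ep: av(ep).get("version", (0,)) >= (12, 0)),
            ("antivirus scan within 7 days",
             lambda ep: NOW - av(ep).get("last_scan", datetime.min) <= timedelta(days=7)),
            ("real-time protection on", lambda ep: av(ep).get("realtime", False)),
            ("OS patch level >= 2024-03", lambda ep: ep.os_patch_level >= 202403),
        ]
    return checks


def assess(endpoint, policy):
    """Run every check. Any failure means quarantine (so the device can be
    remediated and re-assessed); the failed names tell remediation what to fix."""
    failed = [name for name, ok in policy if not ok(endpoint)]
    return ("admit" if not failed else "quarantine"), failed


def demo():
    """Pre-admission deep check passes; later the user switches real-time protection
    off. A shallow post-admission recheck misses that, a deep one quarantines."""
    laptop = Endpoint("laptop-01", firewall_enabled=True, os_patch_level=202405,
                      antivirus={"version": (12, 3), "enabled": True, "realtime": True,
                                 "last_scan": NOW - timedelta(days=2)})
    shallow, deep = make_policy("shallow"), make_policy("deep")
    pre = assess(laptop, deep)
    laptop.antivirus["realtime"] = False
    return pre, assess(laptop, shallow), assess(laptop, deep)
```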

1.1.2. AAA

The acronym AAA, which stands for authentication, authorization, and accounting, is a common term in computer networking.

To authenticate a user or device, a AAA server ensures that the user or device is who he, she, or it says it is; in other words, the network asks, "Who are you?" The user or device has to prove identity.

NOTE

Users and their devices can be authenticated in many ways, such as

  • User name and password

  • Two-factor authentication

  • Smart cards

  • Tokens

  • Certificates

  • Hardware-based authentication, such as the Trusted Platform Module (TPM), which the Trusted Computing Group (TCG) specified and standardized

The act of authentication is a must in today's networked world. Wherever you go, whatever network you attempt to access, that network needs to authenticate you. The network needs to know who you are before it grants you any level or form of network access. So, identity plays a vital role in yet another potential definition of NAC because NAC must keep track of differentiated access for different users.

In many NAC solutions, where and how a user accesses a network and its resources is dictated by that user's identity. In some solutions, NAC can also associate the user's identity with a specific role. That role determines what kind of access the user has to the network and its resources. For example, with some NAC solutions you can give guest users who attempt to connect to a network a different type of access than employees who access the same network. So, although an employee who accesses the network may have access to specific areas of and resources on that network, the guest user may receive access only to the Internet, not to any other region or resource on the network.

Some experts, vendors, and others define NAC by how NAC apportions access. But, access apportionment is only part of the definition of NAC because NAC encompasses so much more.

1.1.3. Control freak

Control is a vital part of network access control. Controlling admission to a network and controlling access while a user is on the network require similar but different capabilities. For instance, controlling admission to a network may be based on authentication, while controlling application access can be based on identity, authorization, and user roles. The ability to control the access of a user while he or she is on the network is a primary component of NAC — and, typically, a defining factor. Some NAC solutions can save you NAC deployment time and cost by allowing you to leverage existing access policies, working with appliances already deployed on the network (such as switches, wireless access points, firewalls, routers, and other equipment deployed as enforcement points within the network), or deploying new appliances to serve as enforcement points within the network environment. The enforcement points enforce the access control policies applied to users and devices, both pre- and post-admission to the network.

1.1.4. Evolving on the job

NAC needs to do more than just control network access. While threats evolve, NAC needs to adapt and evolve to protect against them.

For example, NAC solutions need to address application access control. Application access control is the ability of an organization to define policies that enable certain network users, and not others, to access specific, protected applications on their network. In effect, you can segment your network by using NAC.

You can base such access policies on user or device identity. Some NAC solutions can grant a specific user access to specific applications on a network based on that user's identity. Other NAC solutions determine where a user can go on a network, what applications that user may have access to, and how he or she can access protected resources based on a user's role. By identity-enabling application access, you can ensure that only the appropriate, approved users can access sensitive, critical applications and data on your network.

You can accomplish application access control by defining and enforcing access policies on the network that a NAC solution distributes, which routers and firewalls enforce to protect the vital network applications and resources. NAC solutions have made a huge evolution by addressing application access, and this evolution now enables organizations to best address regulatory compliance, for example.
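As an added example (not from the book, and not any vendor's product), the Python below shows identity- and role-based application access control as just described: a role policy is compiled into the ordered allow/deny rules a NAC solution would push to a router or firewall, and each request recertifies the session before the rules are evaluated. The roles, applications, and addresses are constructed.

```python
from ipaddress import ip_address, ip_network

CORPORATE = ip_network("10.0.0.0/8")          # constructed internal address space
APPS = {                                      # constructed protected applications
    "payroll":  (ip_network("10.10.1.0/24"), 443),
    "intranet": (ip_network("10.10.2.0/24"), 80),
    "internet": (None, None),                 # anything outside CORPORATE
}
ROLE_POLICY = {                               # role -> applications it may reach
    "guest":    ["internet"],
    "employee": ["intranet", "internet"],
    "finance":  ["payroll", "intranet", "internet"],
}

def compile_rules(role):
    """Turn a role policy into the ordered rule list the NAC solution would push to
    a router or firewall: one allow per permitted application, then an explicit deny."""
    rules = [("allow", app) + APPS[app] for app in ROLE_POLICY[role]]
    rules.append(("deny", "*", None, None))
    return rules

def permit(session, dst_ip, dst_port):
    """Recertify the session (quarantined or ejected users get nothing, whatever
    their role), then evaluate the role's rules first-match. Returns (allowed, why)."""
    if session["state"] != "admitted":
        return False, "session not admitted"
    dst = ip_address(dst_ip)
    for action, app, net, port in compile_rules(session["role"]):
        if app == "internet":
            matched = dst not in CORPORATE
        elif app == "*":
            matched = True
        else:
            matched = dst in net and port == dst_port
        if matched:
            return action == "allow", app
    return False, "*"   # not reached: the final deny rule always matches

def demo():
    """Same network, four sessions: what each may reach is set by identity/role and
    session state, not by where the device is plugged in."""
    guest = {"user": "visitor", "role": "guest", "state": "admitted"}
    employee = {"user": "bob", "role": "employee", "state": "admitted"}
    finance = {"user": "carol", "role": "finance", "state": "admitted"}
    quarantined = {"user": "dave", "role": "finance", "state": "quarantined"}
    return (permit(guest, "203.0.113.10", 443),       # guest gets the Internet only
            permit(guest, "10.10.2.5", 80),           # ...not the intranet
            permit(employee, "10.10.1.7", 443),       # payroll is segmented off
            permit(finance, "10.10.1.7", 443),        # finance role may reach payroll
            permit(quarantined, "10.10.1.7", 443))    # role alone isn't enough
```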

NAC solutions also evolve by increasing visibility into, and monitoring of, user access. This extended user (and usage) monitoring and visibility can occur both when a user is attempting to gain network access and while he or she is on the network. Moreover, NAC solutions that include the ability to track users and their usage by user identity (such as user name) or by a user's role on the network are evolving faster than others. NAC solutions can address many situations (including regulatory compliance) if they can track users (particularly by user name or role, rather than simply by IP address), where those users go on the network, and what they use on the network. NAC that can track users by identity can also help address the growing scourge of insider threats by increasing the network visibility and monitoring into users already on the network, so organizations can more easily track users, and what those users are doing, throughout the network.

Your NAC solution needs to continue to evolve and expand its interoperation with other new or existing network security and infrastructure products, such as firewalls, intrusion prevention and detection systems (IPSs/IDSs), secure routers, security information and event management (SIEM) products, and so forth. Some NAC solutions can already interact with these devices, using the devices as access and security policy enforcement points to which the NAC solution pushes access control and security policies. But be sure your NAC definition includes that ability to evolve and expand.

NOTE

NAC solutions can interact with IPS/IDS appliances, SIEM products, or other products that provide network behavior analysis (NBA) or deliver network behavior anomaly detection (NBAD). By using these products to locate, monitor, or address endpoint devices' irregular behavior on a network, you can mitigate threats based on signature and policy, as well as network behavior. But, when these systems and appliances can communicate with a NAC solution (and vice versa), NAC can then tie anomalous behavior to specific access and security policies. Therefore, if a NAC solution that interacts with IPS/IDS, SIEM, or products that offer NBA or NBAD uncovers anomalous endpoint behavior, the NAC solution can propagate policies that address this situation to network enforcement points, and those enforcement points, acting on the policies created by and distributed to them by the NAC solution, can shut down the appropriate port, disabling user traffic through that port.

NOTE

If the NAC solution leverages user name or role, rather than IP address, thus correlating the user name or role to the user's endpoint device and monitoring the user's or device's path throughout the network, you can invoke access control and security policies specific to the user or device that's spewing the anomalous behavior through network enforcement points. You have many options open for how to handle a device that's acting anomalously. You can quarantine and remediate it; simply log its actions; or eject the device from the network (even in mid-session), forcing the user to manually remediate their device and reconnect to the network. By interacting and interoperating with additional network and security devices, and by using and referencing user and device identity and role (as opposed to an IP address), a NAC solution can better address insider threats, be more selective in how it handles certain behavior types, and be generally more effective for its organization.
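As an added example (not from the book), the Python below models the interaction the two notes above and steps 3 and 4 of the airport walk-through describe: an IDS/SIEM alert carrying only a source IP is resolved to the NAC session (keyed by device and identity) that currently holds that address, the response is chosen per role and severity (log, quarantine, or eject), and the action is pushed to the switch port serving that one device. Roles, addresses, alerts, and the response policy are constructed.

```python
from dataclasses import dataclass

@dataclass
class Session:  # identity and role are the key; the IP is just the current lease
    user: str
    role: str
    mac: str
    ip: str
    switch: str
    port: int
    state: str = "admitted"

# Constructed response policy: what the NAC solution does, per role and alert
# severity, when an interoperating IPS/IDS/SIEM flags the device's behavior.
RESPONSE_POLICY = {
    "employee": {"low": "log", "medium": "quarantine", "high": "eject"},
    "guest":    {"low": "quarantine", "medium": "eject", "high": "eject"},
}

class EnforcementPoint:
    """Stand-in for a switch the NAC solution pushes port-level policy to."""
    def __init__(self, name):
        self.name, self.actions = name, []

    def apply(self, port, action):
        self.actions.append((port, action))

class NacController:
    def __init__(self, switches):
        self.sessions = {}        # keyed by MAC/identity, never by IP
        self.switches = switches

    def admit(self, session):
        self.sessions[session.mac] = session

    def correlate(self, alert):
        """Resolve the alert's source IP to the live session that currently holds it;
        an IP with no live session behind it is not something the NAC can act on."""
        return next((s for s in self.sessions.values() if s.ip == alert["src_ip"]), None)

    def handle_alert(self, alert):
        session = self.correlate(alert)
        if session is None:
            return "ignore", None     # nothing to enforce against; leave it to the analysts
        action = RESPONSE_POLICY[session.role][alert["severity"]]
        if action == "quarantine":
            session.state = "quarantined"
        elif action == "eject":
            session.state = "ejected"
            del self.sessions[session.mac]   # must re-authenticate and pass posture again
        if action != "log":
            self.switches[session.switch].apply(session.port, action)
        return action, session.user

def demo():
    """Two devices, same severity: the role decides the response, on each device's own port."""
    switches = {"sw1": EnforcementPoint("sw1")}
    nac = NacController(switches)
    nac.admit(Session("alice", "employee", "aa:bb:cc:00:00:01", "10.0.5.20", "sw1", 7))
    nac.admit(Session("guest-42", "guest", "aa:bb:cc:00:00:02", "10.0.9.31", "sw1", 12))
    r1 = nac.handle_alert({"src_ip": "10.0.5.20", "severity": "medium"})
    r2 = nac.handle_alert({"src_ip": "10.0.9.31", "severity": "medium"})
    r3 = nac.handle_alert({"src_ip": "10.0.9.31", "severity": "high"})  # session already gone
    return r1, r2, r3, switches["sw1"].actions
```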

1.1.5. The last word

Although you can find plenty of different types of NAC solutions available that may help define NAC, here's the reality: You may find defining and describing NAC difficult because NAC is a moving target.

How you define and describe NAC can depend on your perspective, the point of view of the user or organization deploying NAC, the issues that you want to address, and the features and functions that you or your organization want to implement. You can also define and describe NAC based on the vendor and the type of solution that the user or organization selects.

No one may ever come up with a single definitive definition or easy description for NAC. Think of NAC as what an organization wants or needs it to be. However, any NAC solution needs to be open and flexible, making it able to evolve so that it can meet ever-changing access control requirements and organizational infrastructure.

Throughout this book, we try to describe and define NAC, but you can draw only one conclusion — whatever your definition of NAC, you need to continue to extend it and allow it to evolve so that it can address the needs of a growing, shifting market and a constant, looming threat landscape.
