14.2. Extending NAC Enforcement

Because NAC has matured in the marketplace, and new APIs and standards have become available, you can choose from an expanding number of possible enforcement models.

The following sections discuss some of the many potential policy enforcement points that you can use in a NAC environment containing some of today's leading NAC solutions. You can't use all these points with all NAC solutions, nor do all enforcement-point vendors support the standards and APIs necessary to accomplish such a goal. But we introduce you to the possibilities before you proceed with a NAC deployment so that you can determine whether your organization's network and security goals, as set forth in your security policy, require a solution integrated with other security devices.

Some of these enforcement points come in different form factors. Multi-function network and security devices have become very popular in recent years — in many cases, encompassing all the enforcement models discussed in the following sections.

NOTE

The descriptions in the following sections describe logical enforcement modules, rather than fully separate standalone devices and appliances.

14.2.1. Firewall enforcement

Your organization has, in all likelihood, already deployed many firewalls at various points throughout your network, such as

  • The ingress and egress points to the network

  • In front of datacenters

  • Separating locations and departments

Because of their strategic placement, firewalls make logical sense as a point in which you can extend NAC enforcement.

In fact, some NAC solutions already use firewalls as enforcement points, as we describe in detail in Chapter 10. For other NAC solutions, however, extension of NAC to firewalls requires integration through available APIs and standards.

Firewalls also offer good NAC enforcement points because of the types of policies that the organization can potentially enact on a per-user or per-role basis. For example, a firewall placed in front of a corporate datacenter and integrated with a NAC solution can allow an organization to define very granular per-role policies for each group of users on the network. The organization might allow all employees access to features such as e-mail servers and certain file shares, but it can utilize firewall policies to allow only finance users to access sensitive financial data and applications.

This concept, increasingly referred to as identity-aware firewalling, is growing in popularity among organizations in all lines of business — including not only those that must meet the needs of compliance mandates such as Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA), but also any organization that wants to segment its network by function and allow each user access to only the information that he or she needs to do his or her job. From a compliance perspective, the firewall now has visibility into the user, allowing organizations not only to enforce granular access control, but also to prove for audits and other reporting requirements that the organization has in fact enforced these policies.

In today's mobile world, users coming from multiple locations and multiple devices might show up anywhere on a corporate network at any particular point in time. As a result, some of the statically defined source and destination IP-address–based firewall policies are no longer relevant. By NAC-enabling firewall policies, you no longer have to rely on static firewall policies, allowing the firewall to essentially follow the user while he or she moves from one location and device to another. This strategy is much more aligned with the spirit of how and why these policies were first put together. No longer do firewall security policies apply to users only when they physically plug into Ethernet ports by their office desks. The firewall now enforces its policy on a per-user or per-group basis.
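The following is an added illustration, not code from the book or from any NAC vendor, of the contrast drawn above: a firewall that decides on the NAC-reported role of whoever currently holds an address, next to a legacy rule keyed on a static source IP. The rule format, the `NacSession` binding the NAC solution pushes to the firewall, and the addresses and users are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class NacSession:
    """Binding the NAC solution pushes to the firewall: who holds which address."""
    user: str
    role: str
    ip: str

# Hypothetical rule format (role, destination); not a vendor syntax. Default deny.
ROLE_RULES = {("finance", "finance-db"), ("employee", "mail"), ("finance", "mail")}
# Legacy static rule written when alice sat at 10.1.1.5 (constructed address).
STATIC_RULES = {("10.1.1.5", "finance-db")}

@dataclass
class IdentityAwareFirewall:
    sessions: dict = field(default_factory=dict)   # ip -> NacSession
    audit_log: list = field(default_factory=list)  # (user, ip, dst, verdict)

    def bind(self, session: NacSession) -> None:
        # Called by NAC on authentication; the user's earlier binding is dropped
        # so the policy follows the user rather than the old address.
        self.sessions = {ip: s for ip, s in self.sessions.items()
                         if s.user != session.user}
        self.sessions[session.ip] = session

    def decide(self, src_ip: str, dst: str) -> str:
        s = self.sessions.get(src_ip)
        verdict = "allow" if s and (s.role, dst) in ROLE_RULES else "deny"
        # Audit record carries the user, which is what a compliance review needs.
        self.audit_log.append((s.user if s else "unknown", src_ip, dst, verdict))
        return verdict

def decide_static(src_ip: str, dst: str) -> str:
    return "allow" if (src_ip, dst) in STATIC_RULES else "deny"

def roaming_scenario() -> dict:
    """Alice (finance) moves from her wired desk to wireless; Bob (employee)
    later receives her old address from DHCP."""
    fw = IdentityAwareFirewall()
    fw.bind(NacSession("alice", "finance", "10.1.1.5"))
    fw.bind(NacSession("alice", "finance", "10.2.2.7"))   # roamed
    fw.bind(NacSession("bob", "employee", "10.1.1.5"))    # inherits old address
    return {
        "static_alice_roamed": decide_static("10.2.2.7", "finance-db"),  # deny
        "static_bob_old_ip": decide_static("10.1.1.5", "finance-db"),    # allow (stale rule)
        "nac_alice_roamed": fw.decide("10.2.2.7", "finance-db"),         # allow
        "nac_bob_old_ip": fw.decide("10.1.1.5", "finance-db"),           # deny
        "nac_bob_mail": fw.decide("10.1.1.5", "mail"),                   # allow
        "audit": fw.audit_log,
    }
```

The stale static rule both locks Alice out at her new address and admits Bob at her old one; the identity-aware rules do neither, and the audit log names the user behind each decision.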

14.2.2. IDP/IPS enforcement

You can use intrusion detection and prevention (IDP) or intrusion prevention system (IPS) devices as mechanisms to monitor end-user behavior on corporate networks, providing a feedback loop by which your NAC solution can change access control decisions based on end-user behavior.

These same systems have excellent visibility into all traffic that passes through them. In many cases, organizations have deployed IDP/IPS so that they can determine not only whether certain traffic is malicious, but also what application is involved in that traffic. These systems can restrict access to certain types of applications based on this technology. For example, an organization might not want users utilizing peer-to-peer applications on its network or non-approved instant-messaging applications, so well-positioned IDP/IPS systems can help accomplish this application-level control by dropping any traffic that's not in compliance with these policies.

By extending this type of system to NAC, these policies can now become role-based. For example, certain groups of users might have a legitimate reason to use certain peer-to-peer applications. By extending NAC to IDP/IPS, you can allow those specific users to use these applications but fully restrict other users. Because end users bring so many of their own devices onto corporate networks, this type of policy enforcement can block unwanted applications on those devices — the same applications that you can prevent users from installing when they access the network from managed laptops and PCs.

Integration makes the NAC policies you now employ much more granular — at the application layer, rather than at the network layer — affording you a level of control that you can't get otherwise in many standard NAC solutions.

Table 14-1 lists only a few of the policies that you might put into place across your organization. In fact, if you have an IDP/IPS solution that has these capabilities, you might already have rolled out these kinds of policies. But when you include NAC with your IDP/IPS policies, you can alter or change the types of policies based on the specific user or user group, instead of setting the policies based on source and destination IP address. This type of policy applies well in situations in which you have mobile users in different roles across the organization.

Table 14.1. A Sample IDP/IPS Integration Policy

  Role         Application         Destination   Application Command   Action
  -----------  ------------------  ------------  --------------------  ---------
  Employees    P2P                 Any           Any                   Drop, Log
  Employees    FTP                 External      FTP put file          Drop, Log
  Contractors  Instant messaging   Any           Any                   Drop, Log
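As an added example (not from the book or any IDP/IPS product), the rows of Table 14-1 evaluated as a first-match policy over application-aware flow events. The `FlowEvent` shape, the "Any" wildcard handling, the permit-by-default for unmatched flows, and the sample traffic are all constructed here; the role on each event is taken to be what the NAC solution reports for the flow's source.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowEvent:
    """One flow as an application-aware IDP/IPS sees it, plus the NAC-reported
    role of its source (constructed sample data, hypothetical field set)."""
    role: str
    application: str
    destination: str   # "Internal" or "External"
    command: str       # application-layer command, e.g. "put file"

# Rows of Table 14-1; "Any" is a wildcard. "Drop, Log" drops the flow and logs it.
POLICY = [
    # role          application          destination  command     action
    ("Employees",   "P2P",               "Any",       "Any",      ("drop", "log")),
    ("Employees",   "FTP",               "External",  "put file", ("drop", "log")),
    ("Contractors", "Instant messaging", "Any",       "Any",      ("drop", "log")),
]

def _matches(pattern: str, value: str) -> bool:
    return pattern == "Any" or pattern.lower() == value.lower()

def evaluate(event: FlowEvent, policy=POLICY):
    """Return (action, matched_row_index). First matching row wins; a flow that
    matches no row is permitted, since the table lists only restrictions."""
    for i, (role, app, dst, cmd, action) in enumerate(policy):
        if (role == event.role and _matches(app, event.application)
                and _matches(dst, event.destination) and _matches(cmd, event.command)):
            return action, i
    return ("permit",), None

def apply_policy(events, policy=POLICY):
    """Run a batch of flows through the policy; returns verdicts and log lines."""
    verdicts, log = [], []
    for e in events:
        action, row = evaluate(e, policy)
        verdicts.append(action[0])
        if "log" in action:
            log.append(f"{action[0].upper()} role={e.role} app={e.application} "
                       f"dst={e.destination} cmd={e.command} rule={row}")
    return verdicts, log

SAMPLE_FLOWS = [  # constructed sample traffic
    FlowEvent("Employees", "FTP", "External", "put file"),            # drop (row 1)
    FlowEvent("Employees", "FTP", "External", "get file"),            # permit
    FlowEvent("Employees", "FTP", "Internal", "put file"),            # permit
    FlowEvent("Contractors", "Instant messaging", "External", "login"),  # drop (row 2)
    FlowEvent("Employees", "Instant messaging", "External", "login"),    # permit
    FlowEvent("Employees", "P2P", "External", "handshake"),           # drop (row 0)
]
```

Note that the same instant-messaging login is dropped for a contractor and permitted for an employee: the decision hinges on the NAC role, not on the source address.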

14.2.3. Network antivirus enforcement

You may want to deploy NAC to ensure that the computers attached to corporate networks are running up-to-date antivirus applications. The goal is to do everything possible to minimize the potential for a virus outbreak on the corporate network. Although not 100 percent effective, antivirus software is extremely popular and has helped to stem the spread of viruses in recent years.

When you roll out NAC for endpoint integrity inspection and remediation, you need to decide what to do in the event that an end user's machine is out of compliance with antivirus policies and your NAC solution can't remediate it. The end user might be a guest or contractor who has no antivirus software installed on his or her laptop. In this case, remediation doesn't work unless it involves fully installing antivirus software on that end user's machine — an unlikely prospect in most scenarios. For example, the end user might not have the appropriate privileges to install new software on the machine, or your organization might not want to pay for licenses for these types of users.

Luckily, you can find network antivirus systems that you can use to help alleviate this issue, provided that you can integrate the antivirus system in question to extend your NAC solution. When performing this type of integration, you want to force all traffic from non-compliant systems through the antivirus gateway on the network. On the corporate network, you can use a configuration that includes switches, firewalls, and other network elements.

Thus, the antivirus gateway inspects all the user's traffic, so your organization doesn't have to face the always difficult decision of whether to actively quarantine or restrict access to users who aren't in compliance with the stated endpoint security policies.

NOTE

Maintain productivity without sacrificing security. If you can find a NAC solution that allows you to perform this antivirus integration, you can provide full access to required applications and data while maintaining the best possible security.

14.2.4. URL/Web-filtering enforcement

URL/Web filtering is a popular type of technology that restricts access to certain types of Web content and to specific sites. Often, these systems monitor all outbound Web traffic and consult categorization lists provided by the vendor to restrict users from browsing to Web sites that serve forbidden content. Restricting access to pornographic material on a business network is an often-cited example.

These systems have the potential to one day become a key part of the NAC solution. Now, instead of having simple blanket policies for URL/Web policing, the organization can roll out user and role-based policies that are more specific to each user's particular role or job function.

For example, your company might want to restrict access to employment Web sites to prevent employees from looking for other jobs while at work, as shown in one of the blocking policies in Figure 14-4. At the same time, you might have in-house recruiters or human resources professionals who require access to these sites as part of their jobs. By leveraging group membership records in the corporate LDAP directory, you can ensure that the people who require access to these sites have the appropriate level of access and the majority of your users are restricted. Of course, if a large number of your users are attempting to access employment sites while on the job, you probably have some bigger issues to worry about than simply restricting access!

Figure 14.4. A URL/Web policy.

14.2.5. VPN enforcement

NAC shares many concepts and policy types with SSL VPNs.

A VPN solution — whether it's an SSL VPN, an IPSec VPN, or some other type of VPN — allows access to the corporate network, even though the user isn't physically located on the corporate network itself. Many organizations want to employ the same NAC policies for remote users that they employ for local users.

For example, if the NAC policy states that every user on the local network must authenticate with a one-time password from a machine that runs an up-to-date antivirus application, that policy really makes sense only if you can apply it globally. By allowing remote-access users to bypass these policies, the organization opens security holes and exposes itself to the exact threats that it wants to mitigate by designing these policies in the first place.

By integrating a VPN solution with NAC, you can extend your NAC deployment to ensure that it enforces the NAC policies for every user on the network, regardless of the user's physical location. This type of integration might take a number of forms, but in a generic case, you could use some of the same APIs and standards mentioned in the section "Learning from your Network," earlier in this chapter. For example, a couple of leading NAC solutions include native abilities to set and enforce IPSec VPN policies for both remote and local users.

This global enforcement of access control enables you to centrally manage all your access-control policies, ensuring that you consistently enforce every policy.

14.2.6. Application enforcement

No NAC vendor has announced or released a solution for integration of applications, but vendors will eventually create these types of NAC extensions allowing seamless integration of network policies (via NAC) and application policies (via the applications themselves).

NOTE

Although most applications do (and will continue to) have authentication, NAC can provide additional information to each application so that the application can increase security and provide a better overall solution.

For example, if an IDP/IPS system senses an attack on the network and the NAC system detects that attack, NAC can provide that information to the application so that the application can determine whether the end user should have continued access to the application. Or, if the end user is allowed onto the network with restricted access because of a non-compliant endpoint machine, he or she might still need to gain access to certain applications. The application, however, can respond to this information by offering a more granular, intra-application control over that end user, such as by restricting certain functions within the application itself. The application might provide read-only access, rather than read/write access, for example.
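The following added example (constructed for this section; no vendor has shipped such an integration, as the section itself notes) shows how an application could consume NAC-supplied session information: it keeps its own authorization table, and the NAC attributes only reduce what that table grants, dropping a read/write user to read-only on a non-compliant endpoint or cutting off access once an IDP/IPS attack report arrives. The `NacContext` attribute set and the users are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum

class Access(Enum):
    NONE = "none"
    READ_ONLY = "read-only"
    READ_WRITE = "read/write"

@dataclass
class NacContext:
    """Attributes a NAC solution could hand an application for one session
    (hypothetical attribute set constructed for this example)."""
    user: str
    endpoint_compliant: bool
    attack_detected: bool = False   # set when IDP/IPS reports an attack from this host

# The application's own authorization table (constructed): user -> base access.
APP_ACL = {"alice": Access.READ_WRITE, "bob": Access.READ_WRITE,
           "carol": Access.READ_ONLY}

def effective_access(ctx: NacContext, app_acl=APP_ACL) -> Access:
    """Combine the application's own decision with the NAC context.
    The application still authenticates and authorizes the user itself; NAC
    information can only narrow that decision, never widen it."""
    base = app_acl.get(ctx.user, Access.NONE)
    if base is Access.NONE:
        return Access.NONE
    if ctx.attack_detected:
        return Access.NONE                       # withdraw continued access
    if not ctx.endpoint_compliant and base is Access.READ_WRITE:
        return Access.READ_ONLY                  # restricted endpoint -> read-only
    return base

def handle_request(ctx: NacContext, operation: str) -> bool:
    """Per-request check inside the application; operation is 'read' or 'write'."""
    access = effective_access(ctx)
    if access is Access.NONE:
        return False
    return operation == "read" or access is Access.READ_WRITE
```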
