Access and Admission Control

Network access control (NAC) is a technology used to control which clients are granted access to a network, based on the state of the client itself rather than only on the user's credentials. This is especially important when remote access solutions allow external clients into the private network. However, NAC is also used to control infected or unhealthy clients that are already inside the network.

The overall goal of NAC is to inspect clients regularly to ensure they meet specific health requirements. Health is defined by criteria such as having up-to-date antivirus software installed and running, having a host-based firewall enabled, and keeping the operating system up to date. These elements are defined in a health policy specified by administrators. When a client is found to be unhealthy, it can be quarantined so that its access to other network computers is limited. Quarantining the unhealthy computers provides protection for the healthy clients on the network. A quarantined network would also include resources that clients can use to improve their health, such as updates for the antivirus software or operating system.

When computers are completely controlled within an organization, administrators have several different tools and methods they can use to ensure that the systems are secure. They can automate the deployment of antivirus software and updates to the clients, automate the deployment of operating system updates, control what software is installed and running on the systems, and even control what the user can do on the system, such as what software the user can install.

However, remote access users may use a home computer over a VPN connection to access the private network. Because it is a home computer, the organization's administrators don't have direct control over it. The significant risk is malware: if an infected home computer connects to the internal network, it can easily infect other computers on that network.

Figure 4-9 shows the overall process of how a NAC solution works. When a remote access user connects via either dial-up or VPN, the remote access server coordinates with the NAC server to determine the health policy for the organization. The client is inspected to determine whether it meets the criteria of the health policy; if so, the client is granted access to the network. If the client is not healthy, access is restricted to the quarantined network only.

Figure 4-9 Using network access control

Although NAC is often used for remote clients, it can also be used for internal clients. This helps prevent unhealthy systems from staying operational on the internal network. As an example, many automated methods exist to deploy operating system updates to clients. However, there are multiple reasons that a critical update may not be installed on a system, such as if the system is powered off while a user is on an extended vacation, business trip, or leave of absence. When the user turns the computer back on and tries to access the network, NAC checks its health and quarantines it if it is not healthy.
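The health check and quarantine decision described above can be expressed as a small policy engine. The following is an added example, not the book's code; the posture fields, policy thresholds, host names and remediation-server addresses are assumptions chosen for illustration.

```python
"""Health-policy evaluation modelled on the NAC flow described above.
Added example; not the book's code. Posture fields, thresholds and network
names are assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Posture:
    """What the NAC agent reports about one client (assumed fields)."""
    host: str
    av_running: bool
    av_signature_date: datetime
    host_firewall_enabled: bool
    missing_critical_patches: int


@dataclass
class HealthPolicy:
    """Administrator-defined health criteria (assumed thresholds)."""
    max_signature_age: timedelta = timedelta(days=7)
    require_firewall: bool = True
    max_missing_critical: int = 0


# Remediation resources reachable from the quarantine network only
# (hypothetical names).
QUARANTINE_ALLOWED = {"av-updates.corp.example", "patch.corp.example"}


@dataclass
class Decision:
    host: str
    healthy: bool
    network: str                 # "production" or "quarantine"
    remediation: list = field(default_factory=list)
    allowed_destinations: set = field(default_factory=set)


def evaluate(posture: Posture, policy: HealthPolicy, now: datetime) -> Decision:
    """Return grant/quarantine plus the list of fixes the client needs."""
    failures = []
    if not posture.av_running:
        failures.append("start the antivirus service")
    if now - posture.av_signature_date > policy.max_signature_age:
        failures.append("update antivirus signatures")
    if policy.require_firewall and not posture.host_firewall_enabled:
        failures.append("enable the host-based firewall")
    if posture.missing_critical_patches > policy.max_missing_critical:
        failures.append(
            f"install {posture.missing_critical_patches} critical OS update(s)")
    if not failures:
        return Decision(posture.host, True, "production", [], {"*"})
    # Unhealthy: restrict to the quarantine network and its update servers.
    return Decision(posture.host, False, "quarantine", failures,
                    set(QUARANTINE_ALLOWED))


# Constructed sample posture reports for two hypothetical clients.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE_REPORTS = [
    Posture("laptop-01", True, NOW - timedelta(days=1), True, 0),
    # Home PC connecting over VPN after a month powered off.
    Posture("home-pc-07", True, NOW - timedelta(days=30), False, 3),
]


def run_policy(reports=None, policy=None, now=NOW):
    reports = SAMPLE_REPORTS if reports is None else reports
    policy = HealthPolicy() if policy is None else policy
    return [evaluate(p, policy, now) for p in reports]


def remediate(posture: Posture, now: datetime) -> Posture:
    """Simulate the client using the quarantine resources; re-check afterwards."""
    return Posture(posture.host, True, now, True, 0)


if __name__ == "__main__":
    for d in run_policy():
        print(d.host, d.network, "; ".join(d.remediation) or "ok")
```

The decision carries the remediation list and the set of destinations the quarantine network permits, which is what lets an unhealthy client fix itself and then pass a re-check; in a real deployment the remote access server or switch enforces the network assignment, and the agent's posture report must itself be authenticated, since a client that can lie about its state defeats the policy.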

Chapter Review

Telecommunications is the transmission of any type of signals for communicating. Many people communicate over the Internet; common Internet access methods include PSTN, ISDN, DSL, cable, satellite, and wireless. VoIP is used to transfer multimedia and voice communications over IP networks, including the Internet. SRTP provides confidentiality, authentication, and replay protection for VoIP signals. Many organizations use their own private phone systems, or PBXs, which should be protected. It’s common to protect the systems with physical security by locking them in secure server rooms. Logical protections, such as protecting the administrator password, restricting call forwarding, and restricting long distance calling, provide another layer of protection for phone systems.

Firewalls are an important element in protecting a network and individual computers. Packet filtering firewalls can filter traffic based on IP addresses, ports, and protocols identified by the protocol ID in the IP header. Stateful inspection firewalls track active TCP and UDP sessions and can open and close firewall ports dynamically based on the needs of those connections. An application firewall inspects the commands used by specific protocols, such as HTTP, FTP, and SMTP, and can block those that are malformed or potentially malicious.
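To make the difference between packet filtering and stateful inspection concrete, here is an added example (not the book's code) that runs constructed traffic through both: a stateless filter that matches only on addresses, ports and protocol ID, and a stateful filter that records the 5-tuple of an allowed outbound TCP/UDP packet so the reply is admitted without a static rule. The rules, addresses and state-table layout are assumptions for illustration.

```python
"""Packet-filtering vs stateful inspection, as an added example (not the
book's code). Rules, addresses and the 5-tuple state table are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# IP protocol IDs referenced in the text: a packet filter matches on these,
# not on ports, for protocols that carry no port field.
ICMP, IGMP, TCP, UDP, ESP, AH = 1, 2, 6, 17, 50, 51


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # ICMP, ESP and AH carry no ports
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: Optional[int] = None
    src: Optional[str] = None     # address or CIDR
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


class PacketFilter:
    """Stateless: each packet is judged on its headers alone; first matching
    rule wins, default deny."""
    def __init__(self, rules):
        self.rules = list(rules)

    def check(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"


class StatefulFilter(PacketFilter):
    """Adds a state table: an allowed outbound TCP/UDP packet records its
    5-tuple, and the reply (reversed 5-tuple) is admitted without a static
    rule, i.e. the return port is opened dynamically."""
    def __init__(self, rules):
        super().__init__(rules)
        self.table = set()

    def check(self, p: Packet) -> str:
        if (p.dst, p.src, p.proto, p.dport, p.sport) in self.table:
            return "allow"                      # reply to a tracked session
        action = super().check(p)
        if action == "allow" and p.proto in (TCP, UDP):
            self.table.add((p.src, p.dst, p.proto, p.sport, p.dport))
        return action


def demo():
    """Constructed traffic run through both filter types."""
    rules = [
        Rule("deny", proto=ICMP),                                # block ping
        Rule("allow", proto=ESP, src="198.51.100.7"),            # IPsec peer, protocol ID 50
        Rule("allow", proto=TCP, src="10.0.0.0/8", dport=443),   # outbound HTTPS
    ]
    traffic = {
        "out_https": Packet("10.0.0.5", "203.0.113.10", TCP, 50000, 443),
        "https_reply": Packet("203.0.113.10", "10.0.0.5", TCP, 443, 50000),
        "inbound_ping": Packet("198.51.100.7", "10.0.0.5", ICMP),
        "esp_from_peer": Packet("198.51.100.7", "10.0.0.1", ESP),
    }
    results = {}
    for name, fw in (("stateless", PacketFilter(rules)),
                     ("stateful", StatefulFilter(rules))):
        results[name] = {k: fw.check(pkt) for k, pkt in traffic.items()}
    return results


if __name__ == "__main__":
    for fw_type, verdicts in demo().items():
        print(fw_type, verdicts)
```

The stateless filter denies the HTTPS reply because no rule admits inbound traffic from the web server, so a real packet filter would need a permanent rule opening every high port to get replies through; the stateful filter admits only the reply that matches a session it saw start. Neither type looks inside the payload, which is why potentially malicious FTP or HTTP commands need an application firewall.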

A DMZ is commonly created with two firewalls from separate vendors to achieve defense diversity. This is in line with an overall defense-in-depth strategy. Even if a vulnerability appears in one firewall, it’s unlikely it will appear in both firewalls at the same time. Additionally, to succeed in penetrating an internal network that employs defense diversity, an attacker must have in-depth knowledge about firewalls from two vendors.

Firewalls can be network-based or host-based. A network-based firewall protects traffic going into or out of an overall network, while a host-based firewall protects traffic for individual systems. Network-based firewalls are typically hardware-based, while host-based firewalls typically run as an additional software component on a server or desktop system. Using both network-based and host-based systems is part of an overall defense-in-depth strategy.

Proxy servers can provide both performance gains and web-based filtering for a network. Retrieved web pages are cached on the proxy server, which serves subsequent requests from cache instead of using Internet bandwidth to retrieve the web page from the Internet again. Website filtering allows a proxy to block a user's access to specific website locations. Many proxy servers also perform network address translation (NAT), translating between private and public IP addresses.

Many organizations provide access to their internal network through a dial-up or VPN remote access solution. A VPN provides access to the private network over a public network such as the Internet. VPNs use a tunneling protocol to encapsulate the protocols needed on the internal network within the protocols needed to transfer the data over the public network. Tunneling protocols include SSH, L2F, PPTP, L2TP, IPsec, and SSL. SSL VPNs are becoming more popular because users often need only a web browser to connect. Authentication protocols used for remote access include PAP, CHAP, MS-CHAPv2, and EAP; RADIUS and TACACS+ are the centralized services that provide authentication, authorization, and accounting (AAA) for those connections.
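The challenge/response mechanism that CHAP introduced over PAP, and that MS-CHAPv2 builds on, is easy to see with both sides of the exchange written out. The following is an added example, not the book's code; it follows RFC 1994 (response = MD5 of identifier, secret and challenge), and the usernames, secrets and in-memory secret store are assumptions for illustration.

```python
"""CHAP challenge/response exchange (RFC 1994) as an added example; not the
book's code. Usernames, secrets and the in-memory store are assumptions."""
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: Response = MD5(Identifier || Secret || Challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapServer:
    """Remote access server side. It must hold the shared secret in a form
    it can recompute the hash from, i.e. effectively in plaintext."""
    def __init__(self, secrets_db):
        self.secrets = dict(secrets_db)
        self.pending = {}          # identifier -> outstanding challenge
        self.ident = 0

    def challenge(self):
        self.ident = (self.ident + 1) % 256
        chal = os.urandom(16)      # the nonce: fresh and unpredictable
        self.pending[self.ident] = chal
        return self.ident, chal

    def verify(self, ident, username, response) -> bool:
        chal = self.pending.pop(ident, None)   # each challenge is single-use
        secret = self.secrets.get(username)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, chal), response)


class ChapClient:
    def __init__(self, username, secret):
        self.username, self.secret = username, secret

    def respond(self, ident, chal):
        # The secret itself never crosses the link, only the hash.
        return self.username, chap_response(ident, self.secret, chal)


def run_exchange():
    server = ChapServer({"alice": b"correct horse battery"})
    alice = ChapClient("alice", b"correct horse battery")
    mallory = ChapClient("alice", b"guess")       # wrong secret

    ident, chal = server.challenge()
    user, resp = alice.respond(ident, chal)
    ok = server.verify(ident, user, resp)

    # An eavesdropper replays the captured response: the challenge is spent.
    replayed = server.verify(ident, user, resp)

    # Wrong secret against a fresh challenge.
    ident2, chal2 = server.challenge()
    bad = server.verify(ident2, *mallory.respond(ident2, chal2))

    # A captured response against a later challenge does not match either.
    ident3, _ = server.challenge()
    stale = server.verify(ident3, user, resp)
    return {"valid": ok, "replay": replayed, "wrong_secret": bad, "stale": stale}


if __name__ == "__main__":
    print(run_exchange())
```

Two caveats a practitioner would add: the server must store the secret recoverably, and anyone who captures a challenge and response can run an offline dictionary attack against it, so CHAP-family methods are only as strong as the secret. MS-CHAPv2 adds a server-to-client response (mutual authentication) on the same pattern; certificate-based EAP methods are what remove the dictionary-attack exposure.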

NAC helps protect internal networks by differentiating between healthy and unhealthy systems and restricting access of unhealthy systems to quarantined networks. This is very useful with remote access because remote clients aren’t directly controlled by the organization and can have varying levels of security applied. NAC can also be used within the organization to ensure that unhealthy clients are isolated from healthy clients.

Questions

1. Which of the following can provide security for VoIP?

A. RADIUS

B. TACACS

C. PSTN

D. SRTP

2. Your organization has a private phone system. Of the following, what is the best choice to control call forwarding?

A. Ensure that the administrator password is kept private and changed often.

B. Restrict phone numbers that can be used with call forwarding.

C. Restrict long distance calling.

D. Protect the phone system with physical security.

3. A packet filtering firewall can block ICMP traffic, such as ping requests. How does a packet filtering firewall identify ICMP traffic?

A. Based on the protocol ID having a value of 1

B. Based on the protocol ID having a value of 2

C. Based on the port of 50

D. Based on the port of 51

4. Which of the following choices provides the best protection against potentially malicious FTP commands?

A. Defense diversity

B. Packet filtering firewall

C. Stateful inspection firewall

D. Application firewall

5. How can you provide defense diversity with a DMZ?

A. Use a single firewall.

B. Use two firewalls from the same vendor.

C. Use two firewalls from different vendors.

D. Ensure that only trusted partners are allowed access.

6. It’s common to enable or install a firewall on a server to protect the server. What type of firewall is this?

A. Network-based

B. Hardware-based

C. Packet filtering

D. Host-based

7. Of the following choices, what represents the primary benefits provided by a proxy server?

A. Caching and filtering

B. Authentication and caching

C. Authentication, authorization, and accounting

D. Stateful inspection

8. Of the following choices, what is not used for VPNs?

A. L2TP

B. PPTP

C. SSLTP

D. SSL

9. What port does PPTP typically use?

A. 143

B. 443

C. 1701

D. 1723

10. What port does an SSL VPN typically use?

A. 80

B. 88

C. 143

D. 443

11. How would users typically access an SSL VPN?

A. With a web browser

B. With a dedicated application

C. With broadband access but never DSL access

D. With an IMAP application

12. Of the following choices, what indicates the primary improvement that MS-CHAPv2 included over previous protocols?

A. Support for biometrics

B. Use of certificates

C. Mutual authentication

D. Use of a nonce

13. Which of the following identifies the correct representation of RADIUS?

A. Remote Access Dial-in User System.

B. Remote Authentication Dial-in User Service

C. Roaming Access Dial-in User Service

D. Remote Authentication Dialing User System

14. What port does a TACACS+ typically use?

A. 25

B. 49

C. 53

D. 443

15. What can be used to examine the health of a client prior to allowing network access and restricting access of unhealthy clients to a quarantined network?

A. RADIUS

B. TACACS+

C. NAC

D. SRTP

Answers

1. D. The Secure Real-time Transport Protocol (SRTP) provides confidentiality, authentication, and replay protection for Voice over IP (VoIP) transmissions. Remote Authentication Dial-in User Service (RADIUS) and Terminal Access Controller Access Control System (TACACS) are used to provide authentication, authorization, and accounting (AAA) for remote access. The public switched telephone network (PSTN) is one of the methods used for Internet access.

2. B. The primary way to control call forwarding is to restrict numbers that can be used for call forwarding. Protecting the administrator password and changing it often protects the overall system, but doesn’t directly address call forwarding. Restricting long distance calling is also important, but it doesn’t address call forwarding. Although physical security of the phone system is valuable, it won’t control call forwarding.

3. A. Packet filtering firewalls can filter traffic based on IP addresses, ports, and protocol IDs, and a protocol ID of 1 identifies ICMP traffic. IGMP uses a protocol ID of 2. IPsec is not identified by ports. IPsec AH has a protocol ID of 51, and IPsec ESP has a protocol ID of 50.

4. D. An application firewall (also called an application proxy or an application gateway firewall) can inspect commands used by individual protocols such as FTP and block potentially malicious commands. A packet filtering firewall can only inspect individual packets for IP addresses, ports, and protocol IDs. A stateful inspection firewall can track the activity within TCP and UDP sessions, but can’t interpret commands.

5. C. You can provide defense diversity with a DMZ by using two firewalls from different vendors; if a vulnerability appears in one, it’s unlikely that a vulnerability will exist in the second firewall at the same time (unless the second is from the same vendor). A single firewall doesn’t provide any diversity. An extranet (not a DMZ) would allow access only to trusted partners.

6. D. A host-based firewall is installed or enabled on individual systems such as desktop computers or servers and provides protection for that host. Network-based firewalls protect the network rather than individual systems. Packet filtering describes a method used by a firewall, and both network-based and host-based firewalls can filter packets.

7. A. A proxy server can cache web pages that are retrieved from the Internet. It can also block users from accessing restricted websites by filtering the web page requests. A proxy server does not provide authentication directly, although some proxy servers can be tied into an authentication system. A proxy server does not normally perform firewall functions.

8. C. There is no such thing as SSLTP that is used for virtual private networks (VPNs). However, the other choices (L2TP, PPTP, and SSL) are used for VPNs.

9. D. The Point-to-Point Tunneling Protocol (PPTP) uses TCP port 1723. IMAPv4 uses port 143, SSL/HTTPS uses port 443, and L2TP uses port 1701.

10. D. A Secure Sockets Layer (SSL) VPN typically uses port 443, the same port as HTTPS. HTTP uses port 80. Kerberos uses port 88. IMAP4 uses port 143.

11. A. Users typically access a Secure Sockets Layer (SSL) VPN using a web browser instead of a dedicated application. An SSL VPN is not dependent on a specific type of Internet connection (such as broadband or DSL). Internet Message Access Protocol (IMAP) is used with e-mail, not VPNs.

12. C. MS-CHAPv2 uses mutual authentication, where the client authenticates to the server and the server authenticates to the client. It does not support biometrics. MS-CHAPv2 can be used with EAP to support certificates, but it cannot do so on its own. A nonce (a number used once, the challenge) was already part of CHAP, so it is not an improvement specific to MS-CHAPv2.

13. B. RADIUS is an acronym for Remote Authentication Dial-in User Service. The other choices are not valid.

14. B. Terminal Access Controller Access Control System (TACACS) and TACACS+ both use TCP port 49. SMTP uses port 25, DNS uses port 53, and HTTPS uses port 443.

15. C. A network access control (NAC) system can check a system’s health based on a predefined health policy and restrict the access of unhealthy clients to a quarantined network. RADIUS and TACACS are used to provide authentication, authorization, and accounting (AAA) for remote access. SRTP provides confidentiality, authentication, and replay protection for VoIP transmissions.
