Network Access Control (NAC)
The three cardinal questions for security compliance, which every network administrator and owner endeavour to answer are:
- How do I stop unauthorized users and endpoints from accessing resources on my network, whether through wired or wireless means?
- How do I validate the user’s and endpoint’s health status? For example: assess the level of operating system patches installed and the status of malware detection engines and definitions.
- How do I remediate the endpoints and users if they fail the above, and present a layered “defense in depth” with security technologies in a co-operative environment?
Often these questions remain unanswered, and the results are visible in the news and reports.
NAC or the end point security solution can provide the answer to all the above questions – and more – if designed and configured properly. This article presents the NAC architecture with the details of major components and their functionality, along with considerations in implementation in real production environments.
Vendors have promoted NAC solutions leveraging their own product offerings. For example Cisco’s NAC uses the Cisco PIX firewall, ASA Appliances, Routers and Switches to perform NAC functions. On the other hand Microsoft, being the dominant provider of operating systems, has offered NAC (by the name of NAP, or Network Access Protection) built on the product line offerings such as Windows server, Windows XP and recently Microsoft Vista. I will use the terms NAC and endpoint security interchangeably for the ease of the reader.
NAC solutions provide the following:
- Determine the security posture of clients.
- Grants access to various parts of the network, depending upon the outcome of first step.
- Remediate compliance failures, and distributes policy to endpoints.
For example, if a policy says to deny access to endpoints whose patch level is older than 30 days, then NAC will restrict the access of those clients which are non compliant for this policy, and optionally a remediation process will be invoked to make that client compliant by downloading and installing required patches. The three keywords in the NAC process are: Identify, Assess and Remediate.
The previous figure shows a high level NAC architecture where the end users access enterprise resources by wireless, VPN and LAN. We have the option of enforcing the policies at the firewall, or at other access device such as a Layer2/3 switch or DHCP server.
The fundamental components of a NAC solution are:
2. Enforcement points
3. Policy and remediation services
The vendor offerings may comprise of a combination of the above components of NAC. Understanding of these components will allow the reader to differentiate vendor offering from one another in a pragmatic manner.
First, there must be a mechanism to determine the security posture of the endpoint machine before taking any decision for identity and access management. The endpoint assessment technologies currently available include:
- Agent-less: nothing is downloaded or installed on the endpoint host.
- Agent: An application is pre-installed or downloaded at the first connection.
- ActiveX or browser plug-in: this is downloaded to the endpoint when connection is attempted.
- Scanner: performs an IP based vulnerability scan to determine the installed patches, services etc on the endpoint.
The agent-less approach uses an end point’s administrative account to connect (via Windows RPC) to central user management systems for all the end points. The administrative overhead is considerable, adding to the cost of this approach.
In the agent base approach an agent application is pre-installed or NAC prompts for the installation of agent at the first logon of the user to the network. Agents not only assist in determining the posture of the endpoint, but can also do access control and reporting to the NAC server on the end user machine, with the inbuilt firewall. One of the disadvantages of agent based approach is that it works on the assumption that the agent will be pre-installed or will be installed at the first attempt of access to the network, which can be potential source of risk.
In the scanning method the NAC scans the end machine and, based on the scan result, the posture is determined for the next step of identity and access to network resources. This approach may or may not test the endpoint’s patch levels, Anti-virus definition files status, or file/registry value. Another issue is that of the time required to scan an endpoint, which may be exacerbated at peak endpoint activity due to simultaneous endpoint scans. With the ActiveX or browser plug-in technology, the plug-in is downloaded on the end point for posture determination and to report the compliance status of the end point. The advantages of this are comparatively less memory and CPU overhead.
Enforcement is the pivotal element of the whole NAC architecture, as all the access decisions are implemented here. NAC offerings from vendors tend to favour their own product lines: for example some traditional network companies implement access control on their layer2/3 switch (which may be a difficulty for users who have different brand switches). Here are the possible enforcement options currently available in the market:
- Inline: includes firewalls, layer 2/3 switches and purpose built appliances.
- 802.1X: IEEE standard for port based access control.
- DHCP: IP assignment restrictions.
Inline based enforcement options include firewalls, layer2/3 switches or purpose built dedicated inline appliances. Some vendor’s NAC solutions offer support for other vendor’s firewalls and switches for enforcement, which is welcome news for users who have a multi-vendor networking infrastructure.
Considerations for inline devices are:
- Bandwidth requirements: must support the traffic and provide future scalability, or else the inline device will become the choke point.
- High availability: redundancy is expected, in case the primary inline device fails (and the time associated with fail over).
- The degree of separation provided between the endpoints and the business critical systems inside the network.
- Reporting from the enforcement device: for both compliant and non complaint endpoints.
802.1X or port based network access control is a protocol based on Extensible Access Protocol (EAP), an IEEE standard. New generation layer 2/3 switches offer the possibility of segregating specific IP’s onto a separate VLAN, and imposing various access control lists on the VLAN traffic.
802.1X has three major components: the Supplicant, which is the person or endpoint attempting access, the Authenticator, which is the device that the Supplicant is attempting to connect to, and the Authentication server, which holds credentials. The process of gaining access is:
- The end user machine connects to the Authenticator, which can be a WLAN access point or a LAN switch.
- The Authenticator sets the port to “unauthorized’, which will only permit 802.1X traffic, and requests authentication data from the endpoint. The endpoint returns it’s authentication data to the Authenticator.
- The Authenticator knows the Authentication server, and forward to the request to authentication server (typically a RADIUS server). The radius server returns a pass/fail.
- Once the authentication is successful, the Authenticator opens the port for the supplicant to join the network.
DHCP based access restriction works on the premise that the endpoint user will play by the rules of the game. Purely DHCP based restriction may not prove to be effective as it is possible to bypass. DHCP assigns quarantined or unknown end points to an IP address that is restricted by ACL’s on switches/routers. Some of the considerations for the DHCP method of enforcement are:
- Is this secure enough for the environment? Requires a risk analysis for the given environment.
- Is the existing environment’s architecture suitable for this enforcement? Possibilities here include placing a NAC server inline with DHCP.
- Does it require a significant additional outlay for the equipment?
Policy and remediation service
Policy and remediation services are the last part of NAC picture, though the endpoint assessment is done against the policy set by administrator at the very start of NAC process. Once the assessment is carried out on the endpoint, and matched against the policy for compliance, the decision to restrict or allow the endpoint is taken. If the endpoint is restricted due to a failure to comply with one or more policies, the endpoint is quarantined.
The next logical step is to seek to remediate the endpoint. The task of a remediation service is to make the endpoint compliant to the policy, thus restoring the access to join the network for services in a healthy state. The remediation process may be single or multiple steps. For example, if an endpoint does not have current Anti-virus definition and lacks critical Microsoft patches, then the remediation process directs the endpoint to the current Anti-virus definition and required Microsoft patches (either from Microsoft itself or on the internal patch distribution server or process).
The endpoint security posture should also be regularly re-tested, so as to remain proactive. The results of this continuous monitoring of the endpoint posture and status of compliance must be reported promptly. Another final point to consider here is the execution and delivery of policy, either to the endpoint or enforcement point. The frequency and protocol for delivery are equally important in this whole NAC framework. Needless to say the policy has to be regularly backed-up, and the facility to restore from backed-up policies should be regularly tested. Considerations for the remediation and policy service are:
- Placement and capacity of remediation servers, for example the patch distribution mechanism etc.
- Will remediation be self-service, or will be performed by help desk?
- How does the remediation server obtain the third-party details such as the Anti-virus and other malware definition currency, MS patches levels etc.
- What mechanism is in place for communication between the remediation servers and the policy server?