Extending NAC enforcement to network security devices

NAC enforcement tools can be extended to network security and management devices -- and in return user and machine identity can be integrated into firewalling, VPN, application access, intrusion prevention and detection and anti-virus control.

'Network Access Control for Dummies' book cover

It's now possible to extend Network Access Control (NAC) enforcement tools to a number of network security devices and network management tools. Extending NAC policy enforcement to these devices strengthens access control, while also allowing user and machine identity to be used as part of each of the security and management tools.

Integrating user and machine identity into security and management points means the ability to create identity-aware firewall enforcement, use identity detection and prevention (IDP) or intrusion prevention system (IPS) monitoring for access control, apply corporate anti-virus tools to devices accessing the network, and enforce NAC policies for remote users.

In the second portion of "Extending NAC," Chapter 14 of the book Network Access Control for Dummies, learn the options available once NAC policy enforcement is extended to network security and management tools. In part one of "Extending NAC," Integrating NAC with network security tools, we learned the basics of how to extend NAC to network security and management devices.

  Extending NAC: Chapter 14 of Network Access Control for Dummies  

Because NAC has matured in the marketplace, and new APIs and standards have become available, you can choose from an expanding number of possible enforcement models.

Read all of "Extending NAC" from NAC for Dummies
Part 1: Integrating NAC with network security tools

Part 3: NAC integration at the endpoint

The following sections discuss some of the many potential policy enforcement points that you can use in a NAC environment containing some of today's leading NAC solutions. You can't use all these points with all NAC solutions, nor do all enforcement-point vendors support the standards and APIs necessary to accomplish such a goal. But we introduce you to the possibilities before you proceed with a NAC deployment so that you can determine whether your organization's network and security goals, as set forth in your security policy, require a solution integrated with other security devices.

Some of these enforcement points come in different form factors. Multi-function network and security devices have become very popular in recent years -- in many cases, encompassing all the enforcement models discussed in the following sections.

Remember! The descriptions in the following sections describe logical enforcement modules, rather than fully separate standalone devices and appliances.

Integrating NAC with network security tools NAC integration at the endpoint

Firewall enforcement

Your organization has, in all likelihood, already deployed many firewalls at various points throughout your network, such as

  • The ingress and egress points to the network
  • In front of datacenters
  • Separating locations and departments

Because of their strategic placement, firewalls make logical sense as a point in which you can extend NAC enforcement.

Tip! In fact, some NAC solutions already use firewalls as enforcement points, as we describe in detail in Chapter 10. For other NAC solutions, however, extension of NAC to firewalls requires integration through available APIs and standards.

Firewalls also offer good NAC enforcement points because of the types of policies that the organization can potentially enact on a per-user or per-role basis. For example, a firewall placed in front of a corporate datacenter and integrated with a NAC solutions can allow an organization to define very granular per-role policies for each group of users on the network. The organization might allow all employees access to features such as e-mail servers and certain file shares, but it can utilize firewall policies to allow only finance users to access sensitive financial data and applications.

This concept, increasingly referred to as identity-aware firewalling, is growing in popularity among organizations in all lines of business -- including not only those that must meet the needs of compliance mandates such as Sarbanes-Oxley (SOX) and The Health Insurance Portability and Accountability Act (HIPAA), but also any organization that wants to segment their network by function and allow each user access to only the information that he or she needs to do his or her job. From a compliance perspective, the firewall now has visibility into the user, allowing organizations to not only enforce granular access control, but also to prove for audits and other reporting requirements that the organization has in fact enforced these policies.

In today's mobile world, users coming from multiple locations and multiple devices might show up anywhere on a corporate network at any particular point in time. As a result, some of the statically defined source and destination IP-address -- based firewall policies are no longer relevant. By NAC-enabling firewall policies, you no longer have to rely on static firewall policies, allowing the firewall to essentially follow the user while he or she moves from one location and device to another. This strategy is much more aligned with the spirit of how and why these policies were first put together. No longer do firewall security policies apply to users only when they physically plug into Ethernet ports by their office desks. The firewall now enforces its policy on a per-user or per-group basis.

IDP/IPS enforcement

You can use intrusion detection and prevention (IDP) or intrusion prevention system (IPS) devices as mechanisms to monitor end-user behavior on corporate networks, providing a feedback loop by which your NAC solution can change access control decisions based on end-user behavior.

These same systems have excellent visibility into all traffic that passes through them. In many cases, organizations have deployed IDP/IPS so that they can determine not only whether certain traffic is malicious, but also what application is involved in that traffic. These systems can restrict access to certain types of applications based on this technology. For example, an organization might not want users utilizing peer-to-peer applications on their network or non-approved instant-messaging applications, so well-positioned IDP/IPS systems can help accomplish this application level control by dropping any traffic that's not in compliance with these policies.

By extending this type of system to NAC, these policies can now become role-based. For example, certain groups of users might have a legitimate reason to use certain peer-to-peer applications. By extending NAC to IDP/IPS, you can allow those specific users to use these applications but fully restrict other users. Because end users bring so many of their own devices onto corporate networks, this type of policy enforcement can prevent access of unwanted applications -- the same applications that you can restrict users from installing when they access the network from managed laptops and PCs.

Integration makes the NAC policies you now employ much more granular -- at the application layer, rather than at the network layer -- affording you a level of control that you can't get otherwise in many standard NAC solutions.

Table 14-1 lists only a few of the policies that you might put into place across your organization. In fact, if you have an IDP/IPS solution that has these capabilities, you might already have rolled out these kinds of policies. But when you include NAC with your IDP/IPS policies, you can alter or change the types of policies based on the specific user or user group, instead of setting the policies based on source and destination IP address. This type of policy applies well in situations in which you have mobile users in different roles across the organization.

Table 14-1 A Sample IDP/IPS Integration Policy

Role

Application

Destination

Application Command

Action

Employees

P2P

Any

Any

Drop
Log

Employees

FTP

External

FTP put file

Drop
Log

Contractors

Instant messaging

Any

Any

Drop
Log

Network antivirus enforcement

You may want to deploy NAC to ensure that the computers attached to corporate networks are running up-to-date antivirus applications. The goal is to do everything possible to minimize the potential for a virus outbreak on the corporate network. Although not 100 percent effective, antivirus software is extremely popular and has helped to stem the spread of viruses in recent years.

When you roll out NAC for endpoint integrity inspection and remediation, you need to decide what to do in the event that an end user's machine is out of compliance with antivirus policies and your NAC solution can't remediate it. The end user might be a guest or contractor who has no antivirus software installed on his or her laptop. In this case, remediation doesn't work unless it involves fully installing antivirus software on that end user's machine -- an unlikely prospect in most scenarios. For example, the end user might not have the appropriate privileges to install new software on the machine, or your organization might not want to pay for licenses for these types of users.

Luckily, you can find network antivirus systems that you can use to help alleviate this issue, provided that you can integrate the antivirus system in question to extend your NAC solution. When performing this type of integration, you want to force all traffic from non-compliant systems through the antivirus gateway on the network. On the corporate network, you can use a configuration that includes switches, firewalls, and other network elements.

Thus, the antivirus gateway inspects all the user's traffic, so your organization doesn't have to face the always difficult decision of whether to actively quarantine or restrict access to users who aren't in compliance with the stated endpoint security policies.

Remember! Maintain productivity without sacrificing security. If you can find a NAC solution that allows you to perform this antivirus integration, you can provide full access to required applications and data while maintaining the best possible security.

URL/Web-filtering enforcement

URL/Web filtering is a popular type of technology that restricts access to certain types of Web content and to specific sites. Often, these systems monitor all outbound Web traffic and consult categorization lists provided by the vendor to restrict users from browsing to Web sites that serve forbidden content. Restricting access to pornographic material on a business network is an often-cited example.

These systems have the potential to one day become a key part of the NAC solution. Now, instead of having simple blanket policies for URL/Web policing, the organization can roll out user and role-based policies that are more specific to each user's particular role or job function.

For example, your company might want to restrict access to employment Web sites to prevent employees from looking for other jobs while at work, as shown in one of the blocking policies in Figure 14-4. At the same time, you might have in-house recruiters or human resources professionals who require access to these sites as part of their jobs. By leveraging group membership records in the corporate LDAP directory, you can ensure that the people who require access to these sites have the appropriate level of access and the majority of your users are restricted. Of course, if a large number of your users are attempting to access employment sites while on the job, you probably have some bigger issues to worry about than simply restricting access!

VPN enforcement

NAC shares many common types of concepts and policies with SSL VPNs.

A VPN solution -- whether it's an SSL VPN, an IPSec VPN, or some other type of VPN -- allows access to the corporate network, even though the user isn't physically located on the corporate network itself. Many organizations want to employ the same NAC policies for remote users that they employ for local users.

For example, if the NAC policy states that every user on the local network must authenticate with a one-time password from a machine that runs an up-to-date antivirus application, that policy really makes sense only if you can apply it globally. By allowing remote-access users to bypass these policies, the organization opens security holes and exposes itself to the exact threats that it wants to mitigate by designing these policies in the first place.

By integrating a VPN solution with NAC, you can extend your NAC deployment to ensure that it enforces the NAC policies for every user on the network, regardless of the user's physical location. This type of integration might take a number of forms, but in a generic case, you could use some of the same APIs and standards mentioned in the section "Learning from your Network," earlier in this chapter. For example, a couple of leading NAC solutions include native abilities to set and enforce IPSec VPN policies for both remote and local users.

This global enforcement of access control enables you to centrally manage all your access-control policies, ensuring that you consistently enforce every policy.

Application enforcement

No NAC vendor has announced or released a solution for integration of applications, but vendors will eventually create these types of NAC extensions allowing seamless integration of network policies (via NAC) and application policies (via the applications themselves).

Remember! Although most applications do (and will continue to) have authentication, NAC can provide additional information to each application so that the application can increase security and provide a better overall solution.

For example, if an IDP/IPS system senses an attack on the network and the NAC system detects that attack, NAC can provide that information to the application so that the application can determine whether the end user should have continued access to the application. Or, if the end user is allowed onto the network with restricted access because of a non-compliant endpoint machine, he or she might still need to gain access to certain applications. The application, however, can respond to this information by offering a more granular, intra-application control over that end user, such as by restricting certain functions within the application itself. The application might provide read-only access, rather than read/write access, for example.

In the next part of the chapter, read about NAC integrationat the endpoint.

About Network Access Control For Dummies:

Network access control is how you manage network security when your employees, partners, and guests need to access your network using laptops and mobile devices. Network Access Control For Dummies is where you learn how NAC works, how to implement a program, and how to take real-world challenges in stride.

You'll learn how to deploy and maintain NAC in your environment, identify and apply NAC standards, and extend NAC for greater network security. Along the way you'll become familiar with what NAC is (and what it isn't) as well as the key business drivers for deploying NAC.

  • Learn the steps of assessing, evaluating, remediating, enforcing, and monitoring your program
  • Understand the essential functions of Authentication, Authorization, and Accounting
  • Decide on the best NAC approach for your organization and which NAC policies are appropriate
  • Discover how to set policies that are enforceable and reasonable enough to be followed, yet still effective
  • Become familiar with the architectures and standards essential to NAC
  • Involve and motivate everyone in the organization whose support is critical to a successful implementation

Network Access Control For Dummies shows you the steps for planning your implementation, who should be involved, where enforcement should occur, and much more. When you flip the switch, you'll know what to expect.

This was first published in September 2009

Dig deeper on Network Access Control

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSDN

SearchEnterpriseWAN

SearchUnifiedCommunications

SearchMobileComputing

SearchDataCenter

SearchITChannel

Close