What You Should Know About Network Admission & Access Control
This area of the portal provides a brief summary of the fundamental things we feel you should know about NAC solutions in general. In other areas of Secure Access Central we address vendor- and product-specific topics.
1. When will NAC become widely adopted in the enterprise?
Network admission and access control (NAC) are now two of the most talked about subjects in network security. Both established security vendors and a growing number of small companies are filling the media with promises, initiatives, architectures and first-generation products all designed to attract the attention and spending of early technology adopters. Many enterprises are "putting their toes" into the water with testbeds and small scale deployments. And a few have made major commitments, usually in the more basic types of NAC.
While such strong attention to an emerging technology usually (and deservedly) produces substantial skepticism, we are confident that enterprises will readily appreciate the high value of NAC and embrace it over the next 2-3 years. However, how to proceed and when will remain persistent key issues for individual organizations. There are many approaches to NAC and the tradeoffs are significant. So debates will linger and forecasting winners and losers - in terms of NAC architectures and vendors - will remain a popular pastime. It is important to remember that we have only seen the "tip of the iceberg" in terms of innovation, and that the collective industry experience remains small. We expect both will advance rapidly, steering products and implementations in the "right direction".
Infonetics Research estimates that worldwide annual sales of NAC enforcement systems will reach almost $3 billion by the start of 2009. While sales forecasts for complex IT and security solutions like NAC often tend to be most rosy when markets are still quite immature, we nevertheless believe that NAC sales will likely reach at least $2B in this timeframe. As a comparison, it is noteworthy that annual sales of antivirus software reached $4B in 2006 and SSL VPN gateways about $200M. One problem will remain: what software, hardware and appliances should be included in any tally of NAC-related sales. This will become clear only as the market matures.
[Figure omitted. Source: Infonetics Research June 2006]
2. What are the primary reasons for your organization to employ a NAC solution?
3. What security functions can NAC solutions provide?
The lack of a widely-accepted industry definition for NAC has led to much debate and confusion about the value, costs and issues associated with implementing a NAC solution. Unfortunately this situation will not change during 2007.
To deal with this problem Secure Access Central employs two reference models for NAC solutions: network admission control and network access control.
"Network admission control" deals with controlling what network or network segments an authenticated user can access based on their identity and the security posture of their device. This solution is designed to prevent authorized network users from unknowingly and unintentionally allowing their computers to infect other client devices and servers on a private network without introducing an unacceptable burden on both users and the IT organization.
All network admission control solutions include several primary functions:
- authenticate users (and often their devices),
- check the trustworthiness of computers by confirming compliance with pre-configured security policies - before and after they are on the network,
- and enforce policy-based user privileges - either at the endpoint or at specific points within the network infrastructure. Out-of-policy assessments can trigger a range of responses including the complete denial of access, restricted access, full user access privileges accompanied by messages to the user, and the redirection of non-compliant devices to remediation services on a quarantine network.
Some vendors offer additional security functions in their products. These include:
- threat detection and prevention in the form of a network intrusion protection system (IPS). Since even compliant devices can be infected by zero-hour attacks, all network traffic is continuously scanned for malware activity.
- discover and monitor all endpoint and networking devices; detect and block rogue devices employed by unauthorized network users.

| Network Admission Control | Question answered | Function |
| --- | --- | --- |
| = | Who are you? | User Authentication |
| + | How trustworthy is your device? | Endpoint Security Policy Compliance (Note 1) |
| + | Do you want to make your device compliant? | Remediation Services (Note 2) |
| + | Is your device a source of malicious traffic? | Network IPS (Note 3) |
| + | What devices are on the network? Rogue? | Universal Device Discovery |

Note 1: detection & enforcement including quarantine
Note 2: generally NOT provided by network admission vendors
Note 3: included in some products
"Network access control" deals with controlling what resources individual users can access once they are admitted to the network. These resources can be subnets, VLANs and individual applications, file servers and databases.
The capabilities of network access control solutions vary more dramatically. The most robust ones now offer some of the following additional security functions:
- implement resource access control, i.e., assign and enforce user resource access privileges based on user identity, roles, and situational attributes.
- monitor and store identity-based usage data; generate security alerts and management reports. Usage data can include user name, MAC address, device IP address, network location, the identity of accessed resources, time stamping of connections, and compliance check-related activities.

| Network Access Control | Question answered | Function |
| --- | --- | --- |
| = | Who are you? | User Authentication |
| + | How trustworthy is your device? | Endpoint Security Policy Compliance (Note 1) |
| + | Do you want to make your device compliant? | Remediation Services (Note 2) |
| + | What network resources can you use? | Resource Access Control |

Note 1: detection & enforcement including quarantine
Note 2: generally NOT provided by network admission vendors
4. Where to Use Network Admission Control?
Although network admission control could be deployed as a universal solution for an entire enterprise, few companies will start with such an ambitious undertaking but will instead identify high priority user communities and usage contexts, define suitable access policies and then roll out NAC in a limited and well-controlled manner.
Likely early implementation scenarios include:
- extending the capabilities of VPNs that support mobile users, telecommuters and business partners
- wireless LANs and "guest access" LANs
- shared and kiosk computers
- PCs that connect to mission critical application servers
In addition, some companies will initially deploy NAC on a broader scale but limit its operation to monitoring user policy compliance rather than controlling network access. Their primary goal will be to acquire valuable knowledge about how well users are complying with existing policies before they enforce and possibly tighten them. This knowledge can shape pre- and post-deployment education programs and help security personnel set their enforcement policy priorities.
5. What are the primary components of a Network Admission Control solution?
The following components are found in a comprehensive network admission control solution. Clearly, most organizations will start out with something more modest.
- A NAC security policy manager enables a security administrator to define and configure endpoint security policies, update NAC clients, retrieve user and user group info from user directories and logically link this data to specific "security policy zones", and define what physical networks or VLANs an individual user can access.
- NAC-enabled network systems (e.g. LAN switches) and inline NAC enforcers serve as the primary NAC enforcement points. These systems permit, deny or redirect user traffic under the direction of the NAC security policy manager.
- The NAC enforcer is the component that actually makes access control decisions. It examines compliance data, compares the data to the appropriate security policies and then directs the NAC enforcement control points to implement its decisions. The enforcement controller is either packaged with an out-of-band security policy manager or deployed as a separate inline system.
- An endpoint scanner collects compliance data and reports it to the NAC enforcer. In many implementations host checking is performed by NAC client software on a managed endpoint. In others the scan is performed by a downloadable browser plug-in. If an unmanaged device will not accept either a NAC client or a browser plug-in it can either be denied access or checked with a remote vulnerability scanner (e.g., Nessus). Note that the type of host checking implementation determines the scope and depth of possible compliance checks AND whether or not the checks can be repeated once a device has been initially admitted. In some implementations (e.g., Cisco NAC Framework with Cisco Secure Access Control Server) the NAC enforcer passes the compliance data to a posture validation server (PVS) which determines whether the latest individual security software is installed. The PVS returns its assessment to the NAC enforcer, where policy decisions are made.
- NAC-clients often include endpoint security software which either complements or competes with personal security products from other vendors. These can include protected workspaces for unmanaged devices and a wide variety of security capabilities for managed ones - advanced personal firewalls, signature-based file scanning for malicious code removal, behavioral analysis that blocks malware processes from running, net scanning to identify and close network vulnerabilities, peripheral device control that prevents the movement of data between endpoints and portable storage and wireless devices, and operating system intrusion protection (e.g., buffer overflows, registry and file access control, process execution control).
- Remediation servers enable enterprises to automate updates of endpoint software - operating systems, browsers, applications, personal security software, and NAC clients including host checking configurations.
- Quarantine and restricted networks are used for devices that either must access remediation servers or are granted access only to limited production resources.
6. How do Network Admission Control Architectures differ?
There are several architectural approaches to network admission control. They differ primarily in terms of where network admission is enforced and how admission is controlled, i.e., by MAC and IP addresses, ports, or ACLs.
The enforcement points can be
- embedded in the existing network infrastructure (L2 and L3 LAN switches, wireless access points),
- built into network firewalls or proxies (e.g., SSL VPN gateways),
- provided by inline NAC appliances that are located at the edge of the network,
- provided by out-of-band NAC appliances that are located at the edge of the network,
- and provided by NAC client software.
The actual granting and denying of admission privileges can be controlled in a number of ways. A brief analysis of the tradeoffs between these approaches is presented by David Greenstein, Chief Architect of Stillsecure and Ofir Arkin, CTO of Insightix.
In summary:

| NAC Admission Control | Special Client Software* | Compatible | Enforcement Points | Pre-Admission Enforcement | Quarantine Enforcement | Admission Enablement |
| --- | --- | --- | --- | --- | --- | --- |
| 802.1x | Yes | Yes | Switches | 802.1x proxy | None or VLANs | Authenticated MAC address |
| DHCP Proxy | Yes | No | Routers | Non-routable IP address | Subnet (non-routable IP address) | Routable IP address |
| Authenticated DHCP | No | No | Routers | Non-routable IP address | Subnet (non-routable IP address) | Authenticated, routable IP address |
| Inline NAC Appliance | No | No | Appliances | Packet filtering | Subnet or VLAN | Authenticated IP or MAC address |
| Out-of-band Appliance | No | No | Switches & Routers | Packet filtering | Subnet or VLAN | Authenticated IP or MAC address |
| ARP Poisoning | No | No | User Device | ARP tables | ARP tables | IP or MAC address |
| Client Software | Yes | No | User Device | Client software | Client software | IP or MAC address |

Note: Some LAN switches include port-level access control lists (ACLs) so user privileges can be controlled with more granularity than simply VLANs.
- An 802.1x-based NAC requires 802.1x-compatible software on both the user device and edge LAN switches and wireless access points. With this technology the 802.1x proxy on the switch initially allows only authentication-related and compliance-related traffic to pass between the device and the production network. Once the user is authenticated and a posture check has been performed, the NAC server connects a device to either a production or quarantine VLAN using either MAC or IP addresses.
- A DHCP Proxy-based NAC requires identity-based DHCP proxy software on both the client and the DHCP server. With this technology a user device receives a temporary IP address during the host-checking phase and a production IP address once compliance has been verified. LAN switch ACLs are pre-configured to allow only traffic from devices with predefined production network IP addresses.
- An authenticated DHCP-based NAC requires an authentication portal. When the user device requests an IP address it is automatically assigned a temporary one. Once the user authenticates himself AND the device has passed host checks, a MAC address is registered with the DHCP server and bound to a production network IP address. Once authorized the user can access any network segment or individual resource that is permitted by LAN switch, router and firewall ACLs. This architecture blocks IP spoofing.
- An inline NAC uses an inline NAC controller/control appliance that acts as a MAC bridge/firewall. Like an 802.1x LAN switch it requires user authentication before other data traffic is permitted to pass through the control point. And once a posture check has been performed, the inline NAC appliance connects the user device to either a production or quarantine VLAN.
- An out-of-band NAC passively listens to and controls data traffic flowing through a switch port. Otherwise its enforcement operation is similar to an inline appliance.
- With ARP Poisoning a NAC controller resets a device's ARP tables so that it is denied network access until posture checking has been performed. Once tested the device can be assigned a quarantine or production IP address.
- IPSec Health Certificates are used only in the Microsoft NAP solution. You can visit the Microsoft site to learn about this technology.
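The authenticated DHCP architecture described in the list above, as an added worked example in Python. This is not code from Secure Access Central or from any NAC product; it models the page's description only: an unknown device is leased a temporary, non-routable address, the device MAC is bound to a production address once the user has authenticated AND the host checks have passed, and the switch and router ACLs admit only traffic whose source address matches a registered binding (which is what "blocks IP spoofing" means here). The address pools, the remediation server address, the MAC addresses and all class and method names are constructed for the example.

```python
"""Model of the authenticated-DHCP admission flow (added example, not vendor code)."""
import ipaddress
from typing import Dict, Optional

# Constructed pools. The quarantine range is "non-routable" in this model because
# the ACL below only lets it reach the remediation server.
QUARANTINE_NET = ipaddress.ip_network("192.0.2.0/24")
PRODUCTION_NET = ipaddress.ip_network("10.10.0.0/24")
REMEDIATION_SERVER = ipaddress.ip_address("192.0.2.254")   # constructed


class AuthenticatedDhcpServer:
    """DHCP server plus the ACL view an enforcement point would hold (constructed name)."""

    def __init__(self) -> None:
        self._quarantine_leases: Dict[str, ipaddress.IPv4Address] = {}
        self._production_bindings: Dict[str, ipaddress.IPv4Address] = {}
        self._quarantine_pool = QUARANTINE_NET.hosts()
        self._production_pool = PRODUCTION_NET.hosts()

    def request_address(self, mac: str) -> ipaddress.IPv4Address:
        """DHCP request: a registered MAC gets its production address, anything
        else a (sticky) temporary address on the quarantine subnet."""
        if mac in self._production_bindings:
            return self._production_bindings[mac]
        if mac not in self._quarantine_leases:
            self._quarantine_leases[mac] = next(self._quarantine_pool)
        return self._quarantine_leases[mac]

    def register(self, mac: str, user_authenticated: bool,
                 posture_ok: bool) -> Optional[ipaddress.IPv4Address]:
        """Bind the MAC to a production address only when BOTH gates have passed.
        Returns the binding, or None if the device stays in quarantine."""
        if not (user_authenticated and posture_ok):
            return None
        if mac not in self._production_bindings:
            self._production_bindings[mac] = next(self._production_pool)
            self._quarantine_leases.pop(mac, None)
        return self._production_bindings[mac]

    def revoke(self, mac: str) -> None:
        """Drop a binding, e.g. after a failed post-admission reassessment."""
        self._production_bindings.pop(mac, None)

    def acl_permits(self, src_mac: str, src_ip, dst_ip) -> bool:
        """ACL decision for one packet. Production sources are permitted only if the
        source IP is the address bound to that MAC, so a quarantined device that
        hand-configures a production address is still dropped. Quarantine sources
        may reach the remediation server only."""
        src_ip = ipaddress.ip_address(src_ip)
        dst_ip = ipaddress.ip_address(dst_ip)
        if src_ip in PRODUCTION_NET:
            return self._production_bindings.get(src_mac) == src_ip
        if src_ip in QUARANTINE_NET:
            return dst_ip == REMEDIATION_SERVER
        return False


def walk_through() -> dict:
    """Run the admission flow for two constructed devices; returns the observed results."""
    server = AuthenticatedDhcpServer()
    good, rogue = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"   # constructed MACs
    file_server = ipaddress.ip_address("10.10.0.50")          # constructed production host
    results = {}

    first = server.request_address(good)                     # temporary quarantine address
    results["first_lease_in_quarantine"] = first in QUARANTINE_NET
    results["quarantine_can_reach_remediation"] = server.acl_permits(good, first, REMEDIATION_SERVER)
    results["quarantine_cannot_reach_file_server"] = not server.acl_permits(good, first, file_server)

    results["stays_quarantined_after_failed_posture"] = server.register(good, True, False) is None
    prod = server.register(good, True, True)                 # both gates passed: bound
    results["production_after_registration"] = (prod in PRODUCTION_NET
                                                and server.request_address(good) == prod)
    results["production_reaches_file_server"] = server.acl_permits(good, prod, file_server)
    # The rogue device never registered; using the good device's production IP is dropped.
    results["spoofed_production_ip_blocked"] = not server.acl_permits(rogue, prod, file_server)

    server.revoke(good)                                      # e.g. later reassessment failed
    results["revoked_binding_blocked"] = not server.acl_permits(good, prod, file_server)
    return results


if __name__ == "__main__":
    for check, ok in walk_through().items():
        print(f"{check}: {ok}")
```

The model keeps the DHCP lease state and the ACL decision in one object only for brevity; in a real deployment the binding table lives on the DHCP/NAC server and is pushed to the switch or router ACLs, which is why the page lists "Routers" as the enforcement point for this architecture.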
7. What types of security compliance checks can be performed on endpoints?
NAC solutions generally check endpoints for compliance with security policies BEFORE user authentication. The following is a list of the types of checks that are available across the universe of NAC products. Since NAC products vary a great deal in their trust assessment capabilities it is important to closely examine the capabilities provided by individual vendors.
- Version, service pack, patches for operating system and browser
- Operating system configuration and browser settings
- Version and configuration of personal firewalls
- Version and signature files for antivirus and anti-spyware software
- Application white, gray and black lists
- Version, service pack, patches for specific client applications
- Personal security software operation - before and after authentication
- MAC and IP address (where the device is located), and digital certificate
- Existence of specific removable media storage devices
- Results of vulnerability scans for malicious code
You also need to examine which individual software products can be checked by the NAC "out-of-the-box". Fortunately most NAC products enable you to add your own definitions but if you are in a large heterogeneous IT environment you will likely want to minimize this workload by selecting a vendor that does it for you.
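The admission decision the page describes in section 3 (complete denial, restricted access, full access accompanied by a message to the user, or redirection to remediation on a quarantine network), made by the NAC enforcer of section 5 on the kinds of compliance data listed in this section, as an added worked example in Python. This is not code from Secure Access Central or from any NAC product; the policy thresholds, the severity classes (a convention for the example, not something the page defines), the VLAN names and the endpoint reports are all constructed.

```python
"""Posture evaluation and admission decision for a NAC enforcer (added example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Constructed policy: minimum OS patch level, maximum antivirus signature age,
# required personal-firewall state and an application blacklist.
POLICY = {
    "min_os_patch_level": 3,
    "max_av_signature_age_days": 7,
    "firewall_required": True,
    "blacklisted_apps": {"p2pshare.exe", "remoteadmin-free.exe"},
}


@dataclass
class EndpointReport:
    """Compliance data as reported by a NAC client, browser plug-in or agentless scan."""
    mac: str
    os_patch_level: int
    av_signature_date: date
    firewall_enabled: bool
    running_apps: Set[str] = field(default_factory=set)


@dataclass
class Decision:
    action: str            # "deny", "restricted", "quarantine" or "full"
    vlan: str              # where the enforcement point should place the device
    messages: List[str]    # findings to show the user and to log


def evaluate_posture(report: EndpointReport, policy: dict, today: date) -> List[Tuple[str, str]]:
    """Compare one endpoint report with the policy; return (severity, finding) pairs.
    Severity convention (constructed): "critical" findings need remediation before
    admission, "warn" findings are reported only, "malicious" findings mean denial."""
    findings = []
    if report.os_patch_level < policy["min_os_patch_level"]:
        findings.append(("critical", f"OS patch level {report.os_patch_level} below required "
                                     f"{policy['min_os_patch_level']}"))
    age_days = (today - report.av_signature_date).days
    if age_days > policy["max_av_signature_age_days"]:
        findings.append(("warn", f"antivirus signatures are {age_days} days old"))
    if policy["firewall_required"] and not report.firewall_enabled:
        findings.append(("critical", "personal firewall is disabled"))
    blocked = report.running_apps & policy["blacklisted_apps"]
    if blocked:
        findings.append(("malicious", "blacklisted application(s) running: " + ", ".join(sorted(blocked))))
    return findings


def admission_decision(user_authenticated: bool, report: Optional[EndpointReport],
                       policy: dict, today: date) -> Decision:
    """Map the authentication result and posture findings onto one enforcement response."""
    if not user_authenticated:
        return Decision("deny", "none", ["user authentication failed"])
    if report is None:
        # Unmanaged device that accepted neither a client nor a plug-in: posture is
        # unknown, so it gets restricted access only (denial is the other option).
        return Decision("restricted", "VLAN-RESTRICTED", ["no compliance data available"])
    findings = evaluate_posture(report, policy, today)
    severities = {sev for sev, _ in findings}
    messages = [text for _, text in findings]
    if "malicious" in severities:
        return Decision("deny", "none", messages)            # possible malware source
    if "critical" in severities:
        return Decision("quarantine", "VLAN-REMEDIATE", messages)   # fixable: remediate, then reassess
    return Decision("full", "VLAN-PROD", messages)           # compliant, warnings shown to the user


def run_samples() -> dict:
    """Evaluate a few constructed endpoints; returns {label: Decision}."""
    today = date(2007, 3, 1)
    fresh, stale = date(2007, 2, 27), date(2007, 1, 1)      # 2 and 59 days old
    samples = {
        "compliant": (True, EndpointReport("00:11:22:33:44:01", 3, fresh, True)),
        "not_authenticated": (False, EndpointReport("00:11:22:33:44:02", 3, fresh, True)),
        "stale_signatures": (True, EndpointReport("00:11:22:33:44:03", 3, stale, True)),
        "unpatched_no_firewall": (True, EndpointReport("00:11:22:33:44:04", 2, fresh, False)),
        "blacklisted_app": (True, EndpointReport("00:11:22:33:44:05", 3, fresh, True,
                                                 {"p2pshare.exe", "notepad.exe"})),
        "unmanaged_no_report": (True, None),
    }
    return {label: admission_decision(auth, rep, POLICY, today) for label, (auth, rep) in samples.items()}


if __name__ == "__main__":
    for label, decision in run_samples().items():
        print(f"{label}: {decision.action} -> {decision.vlan} {decision.messages}")
```

A device sent to VLAN-REMEDIATE would be re-evaluated with the same `admission_decision` call after remediation, which is the reassessment loop of section 12; the "warn" class shows how a product can admit a device while still telling the user what to fix.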
8. Does NAC prevent infected computers from spreading malware on private networks?
Unfortunately the correct answer is no, but no single security product ever provides 100% protection against all such attacks. However, NAC DOES deliver significant value as it checks to see if computers are compliant with an organization's security policies. Properly configured computers updated with the latest security releases are a key element in a security scheme. But it's still possible for an infected device to be assessed as compliant and granted access to the network. That is, the effectiveness of either endpoint or network-based infection-detection and blocking security ultimately determines how well infections are contained. If the computer is well-protected, that's a plus. If network intrusion protection is used, that adds another security layer. A proper risk assessment can lead to the optimal usage of these various security technologies.
9. How are users authenticated?
NAC implementations usually rely on existing user directories (e.g., Active Directory, LDAP, RADIUS) for user and user group data and on third party authentication servers (e.g., SecurID) for authentication services. After network access is enabled, additional user authentication may be required for access to specific applications. And some vendors support seamless integration with single sign-on services.
All types of user authentication can be supported.
Some NAC solutions support Microsoft's integrated Windows single sign-on authentication; others require the use of a vendor-provided, authentication portal.
Most NAC products also support 802.1x port-based authentication (authentication proxies at network entry points). That is, the NAC controller monitors the entire 802.1x user authentication process and then performs its compliance checking and enforcement. If the device fails, an inline NAC controller will block access; if an out-of-band controller is used, it can require the switch to block the MAC address of the device.
10. What types of authorization are supported?
A basic NAC solution controls user access to the entire private network. That is, once a user device has been deemed compliant and the user has been authenticated at the network level, resource-level user authorization is performed by either a secure access gateway (for remote users), ACLs on network equipment, or individual applications.
More advanced NAC solutions enable organizations to implement user-based access control policies which limit what network resources individuals can use and what tasks (e.g., file downloads) they are permitted to perform.
11. What NAC client software is required?
NAC solutions require either an installed NAC client, a "clientless" NAC ActiveX or Java agent, or an agentless network-based scan for checking endpoint compliance. (Note: for a good summary of the general advantages and drawbacks of different endpoint scanning methods, view the exhibit titled Assessment Strategies in Mike Fratto's article Network Access Control on the Network Computing web site.)
- The installed client supports BOTH pre- and post-authentication assessment and enforcement.
- In contrast, the agent method offers identical assessment and enforcement capabilities BUT ONLY at the time of initial connection. On the plus side, the agent does work with unmanaged devices if they permit agent downloads.
- The agentless scan requires that a central server access the RPC-based functions, registry, and/or file sharing capabilities of the endpoint. This approach requires administrator access to endpoints and can create new security concerns (e.g., device must be configured to accept inbound RPC messages).
12. How are non-compliant devices handled?
When a user device is assessed as non-compliant it is denied access to the production network. Instead, a connection is established - usually automatically - to a remediation server on a quarantine network. There the user is either offered ways to correct the identified compliance problem(s) or the remediation is automated. Either way the endpoint is then reassessed. (A few NAC solutions will also proactively scan and remediate LAN-connected devices whenever a security policy has been updated on the NAC central policy server, performing these services even when users are not logged onto their devices - that's powerful. It can completely eliminate many compliance failures that would otherwise occur when a user attempts to access a network resource.)