Network Admission Control: An In-depth Review
Although network admission control could be deployed as a universal solution for an entire enterprise, few companies will start with such an ambitious undertaking. Instead they will identify high-priority user communities and usage contexts, define suitable access policies and then roll out NAC in a limited and well-controlled manner.
Likely early implementation scenarios include:
- extending the capabilities of VPNs that support mobile users, telecommuters and business partners
- wireless LANs and "guest access" LANs
- shared and kiosk computers
- PCs that connect to mission-critical application servers
In addition, some companies will initially deploy NAC on a broader scale but limit its operation to monitoring user policy compliance rather than controlling network access. Their primary goal is to learn how well users comply with existing policies before they enforce, and possibly tighten, them. This knowledge can shape pre- and post-deployment education programs and help security personnel set their enforcement priorities.
Functional View of Network Admission Control
- Define endpoint security policies
- Configure policy rules
- Check endpoints for compliance
- Enable either restricted or unrestricted privileges, or quarantine endpoint
- Help users remediate compliance problems
- Monitor endpoint compliance post-admission
- Continuously log user compliance data and generate alerts and reports
- Identify and block malicious traffic if this capability is provided
Types of Security Compliance Checks On Endpoints
The following list covers the types of checks available across the range of NAC products. Because NAC products vary a great deal in their trust-assessment capabilities, examine closely what each vendor actually provides. Solutions generally check endpoints for compliance with security policies BEFORE user authentication, but this is not always the case.
- Version, service pack, patches for operating system and browser
- Operating system configuration and browser settings
- Version and configuration of personal firewalls
- Version and signature files for antivirus and anti-spyware software
- Application white, gray and black lists (permitted, monitored and prohibited software)
- Version, service pack, patches for specific client applications
- Whether personal security software is running, checked before and after authentication
- MAC address, IP address (i.e., where the device is located) and digital certificate
- Presence of specific removable media storage devices
- Results of vulnerability scans and scans for malicious code
You also need to examine which individual software products the NAC product can check "out of the box". Fortunately most NAC products let you add your own definitions, but in a large heterogeneous IT environment you will want to minimize this workload by selecting a vendor that maintains the definitions for you.
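As an added illustration (not code from the article or from any NAC product) of how the functional steps listed earlier and these check types combine into one policy decision, the following Python script evaluates a constructed posture report against a small rule set and returns one of the three outcomes the functional view names: unrestricted access ("admit"), restricted access or quarantine, together with the remediation the user would be offered. The report layout, the policy fields, the rule names and every sample value are assumptions made for the example.

```python
"""Evaluate an endpoint posture report against NAC policy rules.

Added example, not code from the original article or from any NAC
product. The posture-report layout, the policy fields, the rule names
and the sample values are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Constructed posture report of the kind a NAC client, browser agent or
# remote scanner would submit to the enforcer (invented sample data).
SAMPLE_POSTURE = {
    "os": {"name": "Windows", "version": "10.0.19045",
           "installed_patches": {"KB5034763"}},
    "antivirus": {"running": True, "signature_date": "2024-02-01"},
    "firewall": {"enabled": False},
    "applications": {"ssh-client": "8.9", "p2p-share": "4.1"},
    "removable_media": ["usb-mass-storage"],
}
SAMPLE_TODAY = date(2024, 3, 1)   # fixed so the example is reproducible


@dataclass(frozen=True)
class Policy:
    """Rules an administrator configures on the NAC policy manager."""
    min_os_version: str
    required_patches: frozenset
    max_signature_age_days: int
    firewall_required: bool
    blacklisted_apps: frozenset
    block_removable_media: bool


SAMPLE_POLICY = Policy(
    min_os_version="10.0.19044",
    required_patches=frozenset({"KB5034763", "KB5034441"}),
    max_signature_age_days=7,
    firewall_required=True,
    blacklisted_apps=frozenset({"p2p-share"}),
    block_removable_media=True,
)

# Outcomes in increasing severity; the worst failing rule decides.
LEVELS = ("admit", "restrict", "quarantine")


def version_tuple(version):
    """'10.0.19045' -> (10, 0, 19045) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def check(posture, policy, today):
    """Return (rule, level, remediation) for every rule the endpoint fails."""
    failures = []
    os_info = posture["os"]
    if version_tuple(os_info["version"]) < version_tuple(policy.min_os_version):
        failures.append(("os-version", "quarantine", "upgrade the operating system"))
    missing = policy.required_patches - os_info["installed_patches"]
    if missing:
        failures.append(("os-patches", "quarantine",
                         "install " + ", ".join(sorted(missing))))
    av = posture["antivirus"]
    if not av["running"]:
        failures.append(("antivirus", "quarantine", "start the antivirus service"))
    else:
        age = (today - date.fromisoformat(av["signature_date"])).days
        if age > policy.max_signature_age_days:
            failures.append(("antivirus-signatures", "quarantine",
                             f"update signatures ({age} days old)"))
    if policy.firewall_required and not posture["firewall"]["enabled"]:
        failures.append(("firewall", "restrict", "enable the personal firewall"))
    banned = policy.blacklisted_apps & set(posture["applications"])
    if banned:
        failures.append(("blacklisted-app", "quarantine",
                         "remove " + ", ".join(sorted(banned))))
    if policy.block_removable_media and posture["removable_media"]:
        failures.append(("removable-media", "restrict", "disconnect removable storage"))
    return failures


def decide(posture, policy, today):
    """Map the failures to admit / restrict / quarantine plus the fix list."""
    failures = check(posture, policy, today)
    level = max((f[1] for f in failures), key=LEVELS.index, default="admit")
    return level, failures


if __name__ == "__main__":
    level, failures = decide(SAMPLE_POSTURE, SAMPLE_POLICY, SAMPLE_TODAY)
    print("decision:", level)
    for rule, rule_level, fix in failures:
        print(f"  {rule}: {rule_level} -> {fix}")
```

The sample report fails on a missing patch, stale antivirus signatures, a disabled firewall, a blacklisted application and attached removable storage; the two "restrict" findings would on their own leave the device on a restricted network, but the "quarantine" findings dominate and the remediation list is what a quarantine portal would show the user. Note that a passing report only proves the controls are present and current, not that the host is clean.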
Does Network Admission Control Prevent Infected Computers From Spreading Malware?
Unfortunately the correct answer is no, but no single security product provides 100% protection against all such attacks. Network admission control DOES deliver significant value, because it checks whether computers comply with an organization's security policies, and properly configured computers running the latest security releases are a key element of any security scheme. It is still possible, however, for an infected device to be assessed as compliant and granted access to the network: a posture check confirms that the required controls are installed and current, not that the host is clean. How well infections are contained therefore ultimately depends on the effectiveness of endpoint or network-based infection detection and blocking; a well-protected computer is a plus, not a guarantee.
If the network admission control solution includes network intrusion prevention, this adds another important layer of security. And if it can identify the specific source(s) of malicious traffic, the disruption caused by "false positive" assessments can be narrowly limited to those endpoints. A proper risk assessment should drive how these various security technologies are combined.
Handling Non-compliant Endpoints
When a user device is assessed as non-compliant it is denied access to the production network. Instead a connection is established, sometimes automatically, to a remediation server on a quarantine network, where the user is either offered ways to correct the identified compliance problem(s) or the remediation is automated. Either way the endpoint is then reassessed.
A few NAC solutions also proactively scan and remediate LAN-connected devices whenever a security policy is updated on the NAC central policy server, performing these services even when users are not logged on to their devices. That is powerful: it can eliminate many compliance failures that would otherwise occur when a user attempts to access a network resource.
User Authentication
Network admission control implementations usually rely on existing user directories (e.g., Active Directory, LDAP) for user and user-group data and on RADIUS or third-party authentication servers (e.g., RSA SecurID) for authentication services. After network access is enabled, additional user authentication may be required for access to specific applications, and some vendors support seamless integration with single sign-on services.
In principle any type of user authentication can be supported.
Some network admission control solutions support Microsoft's integrated Windows single sign-on authentication; others require the use of a vendor-provided authentication portal.
Most network admission control products also support 802.1X port-based authentication, typically by acting as an authentication proxy (in practice a RADIUS proxy) between the network entry point and the authentication server. That is, the NAC controller sees the entire 802.1X user authentication exchange and then performs its compliance checking and enforcement. If the device fails, an inline NAC controller blocks access; if an out-of-band controller is used, it can require the switch to block the MAC address of the device.
User Authorization
Basic network admission control lets users reach the network segments for which they have been granted privileges. Once their device is deemed compliant and the user has been authenticated, resource-level user authorization can be performed by a separate SSL VPN gateway (for remote users), by ACLs or VLANs on network equipment, or by individual applications.
Advanced network admission control enables organizations to implement user-based access control policies that limit which network resources individuals can use and which tasks (e.g., file downloads) they are permitted to perform.
Primary Components of a Network Admission Control Solution
The following components are found in a comprehensive network admission control solution. Clearly, most organizations will start out with something more modest.
- A NAC security policy manager enables a security administrator to define and configure endpoint security policies, update NAC clients, retrieve user and user-group information from user directories, logically link this data to specific "security policy zones" and define which physical networks or VLANs an individual user can access.
- NAC-enabled network systems (e.g., LAN switches) and inline NAC enforcers serve as the primary NAC enforcement points. These systems permit, deny or redirect user traffic under the direction of the NAC security policy manager.
- The NAC enforcer is the component that actually makes access control decisions. It examines compliance data, compares the data to the appropriate security policies and then directs the NAC enforcement points to implement its decisions. The enforcer is either packaged with an out-of-band security policy manager or deployed as a separate inline system.
- An endpoint scanner collects compliance data and reports it to the NAC enforcer. In many implementations the host check is performed by NAC client software on a managed endpoint; in others the scan is performed by a downloadable browser plug-in. If an unmanaged device will not accept either a NAC client or a browser plug-in, it can be denied access or checked with a remote vulnerability scanner (e.g., Nessus). Note that the type of host-checking implementation determines the scope and depth of possible compliance checks AND whether the checks can be repeated once a device has been admitted. In some implementations (e.g., Cisco NAC Framework with Cisco Secure Access Control Server) the NAC enforcer passes the compliance data to a posture validation server (PVS), which determines whether the latest individual security software is installed; the PVS returns its assessment to the NAC enforcer, where the policy decision is made.
- NAC clients often include endpoint security software that either complements or competes with personal security products from other vendors. This can include protected workspaces for unmanaged devices and a wide variety of security capabilities for managed ones: advanced personal firewalls, signature-based file scanning for malicious code removal, behavioral analysis that blocks malware processes from running, network scanning to identify and close network vulnerabilities, peripheral device control that prevents the movement of data between endpoints and portable storage or wireless devices, and operating system intrusion protection (e.g., buffer overflow protection, registry and file access control, process execution control).
- Remediation servers enable enterprises to automate updates of endpoint software - operating systems, browsers, applications, personal security software, and NAC clients including host checking configurations.
- Quarantine and restricted networks are used for devices that either must access remediation servers or are granted access only to limited production resources.
How Network Admission Control Architectures Differ
There are several architectural approaches to network admission control. They differ primarily in where network admission is enforced and in how admission is controlled, i.e., by MAC and IP addresses, ports or ACLs.
The enforcement points can be
- embedded in the existing network infrastructure (L2 and L3 LAN switches, wireless access points),
- built into network firewalls or proxies (e.g., SSL VPN gateways),
- provided by inline NAC appliances usually located at the edge of the network,
- provided by out-of-band NAC appliances located at the edge, distribution layer or core of the network,
- and provided by NAC client software.
The actual granting and denying of admission privileges can be controlled in a number of ways. A brief analysis of the tradeoffs between these approaches is presented by David Greenstein, Chief Architect of Stillsecure and Ofir Arkin, CTO of Insightix.
In summary:

| NAC Admission Control Method | Special Client Software* | Compatible | Enforcement Points | Pre-Admission Enforcement | Quarantine Enforcement | Admission Enablement |
|---|---|---|---|---|---|---|
| 802.1X | Yes | Yes | Switches | 802.1X proxy | None or VLANs | Authenticated MAC address |
| DHCP Proxy | Yes | No | Routers | Non-routable IP address | Subnet (non-routable IP address) | Routable IP address |
| Authenticated DHCP | No | No | Routers | Non-routable IP address | Subnet (non-routable IP address) | Authenticated, routable IP address |
| Inline Blocking | No | No | NAC appliance | Packet filtering | Subnet or VLAN | Authenticated IP or MAC address |
| Out-of-band Appliance w/Traffic Filtering | No | No | Switches & routers | Packet filtering | Subnet or VLAN | Authenticated IP or MAC address |
| Out-of-band Appliance w/ARP Poisoning | No | No | User device | ARP tables | ARP tables | IP or MAC address |
| Client-based | Yes | No | User device | Client software | Client software | IP or MAC address |

Note: Some LAN switches support port-level access control lists (ACLs), so user privileges can be controlled with more granularity than VLANs alone.
- An 802.1X-based NAC requires 802.1X-capable software on the user device (the supplicant) and on the edge LAN switches and wireless access points (the authenticators). With this technology the 802.1X authenticator on the switch (the "802.1X proxy" in the table) initially allows only authentication-related and compliance-related traffic to pass between the device and the production network. Once the user is authenticated and a posture check has been performed, the NAC server places the device in either a production or a quarantine VLAN, identifying it by its MAC or IP address.
- A DHCP proxy-based NAC requires identity-based DHCP proxy software on both the client and the DHCP server. With this technology a user device receives a temporary IP address during the host-checking phase and a production IP address once compliance has been verified. LAN switch ACLs are pre-configured to allow only traffic from devices with predefined production network IP addresses.
- An authenticated DHCP-based NAC requires an authentication portal. When the user device requests an IP address it is automatically assigned a temporary one. Once the user has authenticated AND the device has passed host checks, its MAC address is registered with the DHCP server and bound to a production network IP address. Once authorized, the user can access any network segment or individual resource permitted by the LAN switch, router and firewall ACLs. This architecture is intended to block IP spoofing, but it does so only if those ACLs admit production addresses solely for the MAC addresses the DHCP server has bound to them; with either DHCP-based method, a device that assigns itself a static production address bypasses enforcement that keys on the DHCP lease alone.
- An inline NAC uses an inline NAC controller/control appliance that acts as a MAC bridge/firewall. Like an 802.1X LAN switch it requires user authentication before other data traffic is permitted to pass through the control point, and once a posture check has been performed the inline NAC appliance connects the user device to either a production or a quarantine VLAN.
- An out-of-band NAC passively listens to the data traffic flowing through a switch port and enforces its decisions through the switch itself (for example by moving the port to another VLAN or having the switch block the device's MAC address). Otherwise its enforcement operation is similar to that of an inline appliance.
- With ARP poisoning a NAC controller rewrites a device's ARP table by sending forged ARP replies, so that the device's traffic is steered to the controller and the device is denied network access until posture checking has been performed. Once tested, the device can be assigned a quarantine or production IP address. Because this relies on the endpoint accepting unsolicited ARP replies, a device with a static ARP entry for its gateway is not controlled by it.
- IPsec health certificates are used only in Microsoft's Network Access Protection (NAP) solution. You can visit the Microsoft site to learn about this technology.
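As an added example (not code from the article or from any NAC vendor), the following Python script shows the enforcement message behind the 802.1X, inline and out-of-band VLAN entries above: the RADIUS Access-Accept that a NAC server, or the RADIUS proxy it places between switch and authentication server, returns to the switch to put the authenticated device in a production or quarantine VLAN (tunnel attributes from RFC 2868 and RFC 3580 carried on an RFC 2865 packet), or an Access-Reject when no access is granted. The shared secret, request authenticator, VLAN numbers and posture-result names are invented for the example; a real deployment takes them from the switch configuration and the posture engine.

```python
"""Build and verify the RADIUS reply that assigns an 802.1X supplicant to a
production or quarantine VLAN.

Added example, not code from the article or from any NAC vendor. Packet
layout follows RFC 2865; the VLAN assignment uses the tunnel attributes of
RFC 2868 as applied to IEEE 802 by RFC 3580. The shared secret, request
authenticator, VLAN numbers and posture-result names are invented.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13       # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE802 = 6   # RFC 2868 section 3.2
TAG = 1                     # tag byte that groups the three tunnel attributes

# Assumed VLAN plan: posture result -> VLAN ID the switch should apply.
VLANS = {"admit": "100", "quarantine": "999"}


def _attr(attr_type, value):
    """Encode one attribute as type(1) length(1) value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vlan_attributes(vlan_id):
    """The three attributes a switch needs to move the port into a VLAN."""
    return (_attr(TUNNEL_TYPE, bytes([TAG]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _attr(TUNNEL_MEDIUM_TYPE, bytes([TAG]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([TAG]) + vlan_id.encode()))


def build_response(posture_result, identifier, request_auth, secret):
    """Encode the reply to an Access-Request for a given posture decision.

    'admit' and 'quarantine' produce an Access-Accept carrying the matching
    VLAN; any other result produces an Access-Reject, so the port stays
    unauthorized and the switch forwards nothing from the device.
    """
    vlan = VLANS.get(posture_result)
    code = ACCESS_ACCEPT if vlan else ACCESS_REJECT
    attrs = vlan_attributes(vlan) if vlan else b""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def parse_attributes(packet):
    """Decode the attribute list into {type: raw value}."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def assigned_vlan(packet):
    """Return the VLAN ID string the reply carries, or None for no assignment."""
    value = parse_attributes(packet).get(TUNNEL_PRIVATE_GROUP_ID)
    if value is None:
        return None
    if value and value[0] <= 0x1F:   # RFC 2868: a leading byte <= 0x1F is a tag
        value = value[1:]
    return value.decode()


def verify_response(packet, request_auth, secret):
    """Check the Response Authenticator as the switch (NAS) does before acting."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


if __name__ == "__main__":
    request_auth = bytes(range(16))    # constructed; a real NAS picks it at random
    secret = b"example-shared-secret"  # constructed
    for result in ("admit", "quarantine", "failed-no-quarantine"):
        reply = build_response(result, 42, request_auth, secret)
        print(f"{result}: code={reply[0]} vlan={assigned_vlan(reply)} "
              f"authentic={verify_response(reply, request_auth, secret)}")
```

The switch only acts on a reply whose Response Authenticator verifies under the shared secret it holds for that RADIUS server, which is why an out-of-band controller inserted as a RADIUS proxy must be configured on the switch as the server; verify_response performs the same check, and the tampered-attribute case in the test shows that changing the VLAN string after signing fails it. The Tunnel-Private-Group-ID value is matched against VLAN IDs or names on the switch, so the quarantine VLAN has to exist on every edge switch that will use it.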
Network Admission Control Client Software
Network admission control solutions require either an installed NAC client, a "clientless" ActiveX or Java agent, or an agentless network-based scan to check endpoint compliance. (Note: for a good summary of the general advantages and drawbacks of the different endpoint scanning methods, see the exhibit titled Assessment Strategies in Mike Fratto's article Network Access Control on the Network Computing web site.)
- The installed client supports BOTH pre-and post authentication assessment and enforcement.
- In contrast, the agent method offers identical assessment and enforcement capabilities BUT ONLY at the time of initial connection. On the plus side, the agent works with unmanaged devices if they permit agent downloads.
- The agentless scan requires that a central server access the RPC-based functions, registry and/or file-sharing capabilities of the endpoint. This approach requires administrator credentials for the endpoints and can create new security concerns (e.g., the device must be configured to accept inbound RPC connections, and the scanner's administrative credentials become a high-value target).
Additional Information on NAC
1. What security problems do organizations expect NAC to solve?
2. What different types of NAC solutions are available today?
3. Network Admission Control: An In-depth Review
4. Network Admission Control Best Practices
5. NAC Facts, Opinions and Misunderstandings
6. NAC Product Selection Guide (20 vendors)
7. Portal Blog
8. Interop iLabs NAC Resources
