- How do I stop unauthorized users and endpoints from accessing resources on my network, whether through wired or wireless means?
- How do I validate the user's and the endpoint's health status? For example, assess the level of operating system patches installed and the status of malware detection engines and definitions.
- How do I remediate endpoints and users that fail the above checks, and present a layered "defense in depth" in which security technologies operate in a co-operative environment?
NAC, or an endpoint security solution, can answer all of the above questions (and more) if it is designed and configured properly. This article presents the NAC architecture with the details of its major components and their functionality, along with considerations for implementing it in real production environments.
Vendors have promoted NAC solutions that leverage their own product offerings. For example, Cisco's NAC uses Cisco PIX firewalls, ASA appliances, routers and switches to perform NAC functions. On the other hand, Microsoft, being the dominant provider of operating systems, offers NAC under the name NAP (Network Access Protection), built on its product line of Windows Server, Windows XP and, more recently, Windows Vista. I will use the terms NAC and endpoint security interchangeably for the reader's convenience.
NAC solutions provide the following:
- Determine the security posture of clients.
- Grant access to various parts of the network, depending upon the outcome of the first step.
- Remediate compliance failures, and distribute policy to endpoints.
The previous figure shows a high-level NAC architecture in which end users access enterprise resources over wireless, VPN and LAN. We have the option of enforcing the policies at the firewall, or at another access device such as a Layer 2/3 switch or a DHCP server.
The fundamental components of a NAC solution are:
1. Endpoint assessment
2. Enforcement points
3. Policy and remediation services
A vendor's offering may comprise any combination of the above NAC components. Understanding these components will allow the reader to differentiate vendor offerings from one another in a pragmatic manner.
First, there must be a mechanism to determine the security posture of the endpoint machine before any identity and access management decision is taken. The endpoint assessment technologies currently available include:
- Agent-less: nothing is downloaded to or installed on the endpoint host.
- Agent: an application is pre-installed, or downloaded at the first connection.
- ActiveX or browser plug-in: downloaded to the endpoint when a connection is attempted.
- Scanner: performs an IP-based vulnerability scan to determine the installed patches, running services, etc. on the endpoint.
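To make the three NAC steps above concrete (assess posture, grant a matching access tier, remediate), here is an added example of a minimal policy engine; it is not code from the article or from any vendor. It assumes a posture report with the patch level and malware-engine fields the article names, a policy with a minimum patch level and a maximum definition age, and a switch as the enforcement point that assigns a full-access or quarantine VLAN (all field names, VLAN numbers and sample hosts are constructed for the example).

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed posture report as an agent or scanner might return it (field names are assumptions).
@dataclass
class Posture:
    host: str
    authenticated: bool         # user/endpoint identity check (e.g. 802.1X) passed
    os_patch_level: int         # patch baseline applied on the endpoint
    av_engine_running: bool
    av_definitions_date: date

@dataclass
class Policy:
    min_patch_level: int
    max_definition_age_days: int
    full_vlan: int              # VLAN for compliant endpoints
    quarantine_vlan: int        # VLAN that reaches only the remediation servers

@dataclass
class Decision:
    access: str                 # "full", "quarantine" or "deny"
    vlan: int                   # enforcement action at the switch; 0 = port stays unauthorized
    remediation: list = field(default_factory=list)

def assess(p: Posture, policy: Policy, today: date) -> Decision:
    """Determine posture, grant the matching access tier, and list remediation steps."""
    if not p.authenticated:
        return Decision("deny", 0)          # unauthorized user/endpoint: no network access at all
    todo = []
    if p.os_patch_level < policy.min_patch_level:
        todo.append(f"apply OS patches up to level {policy.min_patch_level}")
    if not p.av_engine_running:
        todo.append("start the malware detection engine")
    age = (today - p.av_definitions_date).days
    if age > policy.max_definition_age_days:
        todo.append(f"update malware definitions ({age} days old, limit {policy.max_definition_age_days})")
    if todo:                                # non-compliant: restricted access plus remediation
        return Decision("quarantine", policy.quarantine_vlan, todo)
    return Decision("full", policy.full_vlan)

# Constructed sample data: a compliant host, a stale host and an unauthenticated host.
TODAY = date(2024, 6, 1)
SAMPLE_POLICY = Policy(min_patch_level=5, max_definition_age_days=7, full_vlan=10, quarantine_vlan=999)
SAMPLE_REPORTS = [
    Posture("ws01", True, 5, True, date(2024, 5, 30)),
    Posture("ws02", True, 4, True, date(2024, 5, 1)),
    Posture("guest7", False, 5, True, date(2024, 5, 30)),
]
```

Running `assess` over `SAMPLE_REPORTS` places ws01 on VLAN 10, sends ws02 to the quarantine VLAN with two remediation items, and leaves guest7's port unauthorized.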