Network Access Control (NAC)
by Naveen Sharma - CISSP - Monday, 26 November 2007.
In the agent-based approach an agent application is pre-installed, or NAC prompts for the installation of an agent at the user's first logon to the network. Agents not only assist in determining the posture of the endpoint, but can also perform access control on the end-user machine with the built-in firewall and report to the NAC server. One disadvantage of the agent-based approach is that it rests on the assumption that the agent will be pre-installed or will be installed at the first attempt to access the network, which can be a potential source of risk.

In the scanning method the NAC scans the end machine and, based on the scan result, the posture is determined for the next step of identity and access to network resources. This approach may or may not test the endpoint's patch levels, anti-virus definition file status, or file/registry values. Another issue is the time required to scan an endpoint, which may be exacerbated at peak endpoint activity due to simultaneous endpoint scans. With the ActiveX or browser plug-in technology, the plug-in is downloaded to the endpoint for posture determination and to report the compliance status of the endpoint. The advantage of this is comparatively lower memory and CPU overhead.

Enforcement Points

Enforcement is the pivotal element of the whole NAC architecture, as all the access decisions are implemented here. NAC offerings from vendors tend to favour their own product lines: for example, some traditional network companies implement access control on their layer 2/3 switches (which may be a difficulty for users who have switches from a different brand). Here are the possible enforcement options currently available in the market:
  • Inline: includes firewalls, layer 2/3 switches and purpose built appliances.
  • 802.1X: IEEE standard for port based access control.
  • DHCP: IP assignment restrictions.
Inline enforcement options include firewalls, layer 2/3 switches or purpose-built dedicated inline appliances. Some vendors' NAC solutions offer support for other vendors' firewalls and switches for enforcement, which is welcome news for users who have a multi-vendor networking infrastructure.

Considerations for inline devices are:
  • Bandwidth requirements: must support the traffic and provide future scalability, or else the inline device will become the choke point.
  • High availability: redundancy is expected, in case the primary inline device fails (and the time associated with fail over).
  • The degree of separation provided between the endpoints and the business critical systems inside the network.
  • Reporting from the enforcement device: for both compliant and non-compliant endpoints.
802.1X, or port-based network access control, is an IEEE standard built on the Extensible Authentication Protocol (EAP). New-generation layer 2/3 switches offer the possibility of segregating specific IPs onto a separate VLAN and imposing various access control lists on the VLAN traffic.
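To make the posture-to-enforcement flow described above concrete, here is an added example (not code from the article or from any vendor's NAC product) of the decision logic a NAC server applies once an agent, scanner or plug-in has reported an endpoint's state. The policy values, registry key, file path, host names and VLAN ids are all constructed for this illustration. It checks the three things the article lists (patch level, anti-virus definition age, file/registry values), collects every failed check rather than stopping at the first, and maps the result to the VLAN the switch should place the port in.

```python
"""Posture evaluation and enforcement decision for a NAC server.

Added illustration, not code from the original article or any vendor
product. The endpoint reports, policy values, registry key, file path
and VLAN ids below are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed policy: what a "healthy" endpoint must look like.
POLICY = {
    "min_patch_level": 20,            # hypothetical cumulative patch number
    "max_av_definition_age_days": 7,  # AV signatures older than this fail
    "required_registry": {            # hypothetical key -> expected value
        r"HKLM\SOFTWARE\Corp\DiskEncryption": "enabled",
    },
    "required_files": {"/etc/corp/agent.conf"},  # hypothetical path
}

# Constructed enforcement mapping: compliance state -> VLAN id the switch
# assigns to the port (production vs. remediation/quarantine).
PRODUCTION_VLAN = 100
REMEDIATION_VLAN = 999


@dataclass
class EndpointReport:
    """What an agent, scanner or browser plug-in reports to the NAC server."""
    host: str
    patch_level: int
    av_definition_date: date
    registry: dict = field(default_factory=dict)
    files_present: set = field(default_factory=set)


def evaluate_posture(report: EndpointReport, policy: dict = POLICY,
                     today: Optional[date] = None) -> list:
    """Return the list of failed checks; an empty list means compliant."""
    today = today or date.today()
    failures = []
    if report.patch_level < policy["min_patch_level"]:
        failures.append(
            f"patch level {report.patch_level} < {policy['min_patch_level']}")
    age = (today - report.av_definition_date).days
    if age > policy["max_av_definition_age_days"]:
        failures.append(f"AV definitions {age} days old")
    for key, expected in policy["required_registry"].items():
        if report.registry.get(key) != expected:
            failures.append(f"registry {key} != {expected!r}")
    for path in sorted(policy["required_files"] - report.files_present):
        failures.append(f"missing file {path}")
    return failures


def enforcement_decision(report: EndpointReport, policy: dict = POLICY,
                         today: Optional[date] = None) -> dict:
    """Map the posture result to the VLAN the enforcement point should apply."""
    failures = evaluate_posture(report, policy, today)
    compliant = not failures
    return {
        "host": report.host,
        "compliant": compliant,
        "vlan": PRODUCTION_VLAN if compliant else REMEDIATION_VLAN,
        "failures": failures,
    }


# Constructed sample reports: one healthy endpoint, one that fails every check.
TODAY = date(2007, 11, 26)
HEALTHY = EndpointReport("ws-01", 22, TODAY - timedelta(days=2),
                         {r"HKLM\SOFTWARE\Corp\DiskEncryption": "enabled"},
                         {"/etc/corp/agent.conf"})
STALE = EndpointReport("ws-02", 18, TODAY - timedelta(days=30))

if __name__ == "__main__":
    for r in (HEALTHY, STALE):
        print(enforcement_decision(r, today=TODAY))
```

Returning the full failure list rather than a bare pass/fail is what lets the enforcement device report on non-compliant endpoints (one of the inline-device considerations above) and what a remediation VLAN's help page would show the user.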

Copyright 1998-2014 by Help Net Security.