Network Access Control (NAC)
by Naveen Sharma - CISSP - Monday, 26 November 2007.
In the agent-based approach, an agent application is pre-installed, or the NAC prompts the user to install the agent at first logon to the network. Agents not only assist in determining the posture of the endpoint, but can also enforce access control on the end user machine through its built-in firewall and report back to the NAC server. One disadvantage of the agent-based approach is that it assumes the agent will be pre-installed or installed at the first attempt to access the network, which is a potential source of risk.

In the scanning method, the NAC scans the end machine and, based on the scan result, determines the posture for the next step: identity and access to network resources. Depending on the product, this approach may or may not test the endpoint's patch levels, anti-virus definition file status, or file/registry values. Another issue is the time required to scan an endpoint, which may be exacerbated at peak endpoint activity by simultaneous endpoint scans. With the ActiveX or browser plug-in technology, the plug-in is downloaded onto the endpoint to determine its posture and report its compliance status. Its advantage is comparatively low memory and CPU overhead.

Enforcement Points

Enforcement is the pivotal element of the whole NAC architecture, as all access decisions are implemented here. NAC offerings from vendors tend to favour their own product lines: for example, some traditional network companies implement access control on their own layer 2/3 switches (which may be a difficulty for users who have switches of a different brand). Here are the enforcement options currently available in the market:
  • Inline: includes firewalls, layer 2/3 switches and purpose-built appliances.
  • 802.1X: IEEE standard for port-based access control.
  • DHCP: IP assignment restrictions.
Inline enforcement options include firewalls, layer 2/3 switches or purpose-built dedicated inline appliances. Some vendors' NAC solutions support other vendors' firewalls and switches as enforcement points, which is welcome news for users with a multi-vendor networking infrastructure.

Considerations for inline devices are:
  • Bandwidth requirements: the device must support the current traffic and provide future scalability, or else it will become the choke point.
  • High availability: redundancy is expected in case the primary inline device fails (and the time associated with fail over matters).
  • The degree of separation provided between the endpoints and the business-critical systems inside the network.
  • Reporting from the enforcement device: for both compliant and non-compliant endpoints.
802.1X, the IEEE standard for port-based network access control, is built on the Extensible Authentication Protocol (EAP). New-generation layer 2/3 switches can segregate specific IPs onto a separate VLAN and impose access control lists on the VLAN traffic.
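The two halves described above, posture determination (agent, scan or plug-in) and enforcement by placing the port in a VLAN, meet in the NAC server's policy decision. The following is an added example, not code from the article or any vendor: the posture fields, the policy thresholds and the VLAN ids are assumptions, and the RADIUS attributes are the RFC 3580 ones an 802.1X switch reads to assign a VLAN.

```python
"""Posture-to-enforcement decision for a NAC server (added example).

Thresholds and VLAN ids below are assumed policy, not taken from the article.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_AV_DEFINITION_AGE_DAYS = 7  # assumed policy threshold
VLANS = {"production": 100, "remediation": 200, "quarantine": 999}  # assumed ids


@dataclass
class Posture:
    """Endpoint posture as reported by an agent, scan or plug-in (None = not reported)."""
    av_definition_age_days: Optional[int] = None
    missing_critical_patches: Optional[int] = None
    host_firewall_enabled: Optional[bool] = None


@dataclass
class Decision:
    vlan_name: str
    reasons: List[str] = field(default_factory=list)


def evaluate_posture(p: Posture) -> Decision:
    """Map a posture report to an enforcement VLAN.

    An endpoint with no report at all (agent never installed, scan did not
    complete) is isolated rather than trusted, which closes the gap the
    agent-based approach otherwise leaves open.
    """
    if all(v is None for v in (p.av_definition_age_days, p.missing_critical_patches,
                               p.host_firewall_enabled)):
        return Decision("quarantine", ["no posture report (agent absent or scan incomplete)"])
    reasons = []
    if p.av_definition_age_days is None or p.av_definition_age_days > MAX_AV_DEFINITION_AGE_DAYS:
        reasons.append("anti-virus definitions stale or unknown")
    if p.missing_critical_patches:
        reasons.append(f"{p.missing_critical_patches} critical patch(es) missing")
    if p.host_firewall_enabled is False:
        reasons.append("host firewall disabled")
    return Decision("remediation" if reasons else "production", reasons)


def radius_vlan_attributes(decision: Decision) -> dict:
    """RADIUS attributes (RFC 3580) that tell an 802.1X switch which VLAN to assign."""
    return {
        "Tunnel-Type": 13,  # VLAN
        "Tunnel-Medium-Type": 6,  # IEEE-802
        "Tunnel-Private-Group-ID": str(VLANS[decision.vlan_name]),
    }
```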
