Enforcement is the pivotal element of the whole NAC architecture, as all the access decisions are implemented here. NAC offerings from vendors tend to favour their own product lines: for example some traditional network companies implement access control on their layer2/3 switch (which may be a difficulty for users who have different brand switches). Here are the possible enforcement options currently available in the market:
- Inline: includes firewalls, layer 2/3 switches and purpose built appliances.
- 802.1X: IEEE standard for port based access control.
- DHCP: IP assignment restrictions.
Considerations for inline devices are:
- Bandwidth requirements: must support the traffic and provide future scalability, or else the inline device will become the choke point.
- High availability: redundancy is expected, in case the primary inline device fails (and the time associated with fail over).
- The degree of separation provided between the endpoints and the business critical systems inside the network.
- Reporting from the enforcement device: for both compliant and non complaint endpoints.
802.1X has three major components: the Supplicant, which is the person or endpoint attempting access, the Authenticator, which is the device that the Supplicant is attempting to connect to, and the Authentication server, which holds credentials. The process of gaining access is:
- The end user machine connects to the Authenticator, which can be a WLAN access point or a LAN switch.
- The Authenticator sets the port to Ďunauthorizedí, which will only permit 802.1X traffic, and requests authentication data from the endpoint. The endpoint returns itís authentication data to the Authenticator.
- The Authenticator knows the Authentication server, and forward to the request to authentication server (typically a RADIUS server). The radius server returns a pass/fail.
- Once the authentication is successful, the Authenticator opens the port for the supplicant to join the network.
- Is this secure enough for the environment? Requires a risk analysis for the given environment.
- Is the existing environmentís architecture suitable for this enforcement? Possibilities here include placing a NAC server inline with DHCP.
- Does it require a significant additional outlay for the equipment?
Policy and remediation services are the last part of NAC picture, though the endpoint assessment is done against the policy set by administrator at the very start of NAC process. Once the assessment is carried out on the endpoint, and matched against the policy for compliance, the decision to restrict or allow the endpoint is taken. If the endpoint is restricted due to a failure to comply with one or more policies, the endpoint is quarantined.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.