
Controlling who can Access the Corporate Network

What is Network Access Control

Network Access Control provides the ability to control who can access the network. Networks have become complex, with users having the option to connect to the network using wired, wireless and VPN technology. This also means it is difficult to know who is connected to our network and what they are doing, along with many other unanswered questions that need to be managed.

Endpoint NAC gives us the ability to answer the following questions:

Who is connected to the network?
How is the end user connected - VPN, wired or wireless?
Is it a personal or corporate device?
What operating system is running on the device?
Are the updates and patches for the operating system and applications up to date?
Does it have anti-virus / anti-spyware software, and is it up to date?
Does it have host intrusion prevention software, and is it up to date?
Does it have a firewall?
What programs are running on the device?
What does the device have access to, and is the user permitted this level of access?

How NAC is deployed and how it works

You would have a central NAC manager installed on a server to manage your policies and systems.

You would have enforcers that check systems and enforce restrictions on those that do not meet the requirements.

Enforcers can come in different forms depending on what is right for your environment and exactly what you are trying to achieve.

Flavours of NAC enforcers

NAC enforcers can come in the form of a DHCP enforcer, an inline gateway enforcer, an 802.1x enforcer, a Microsoft NAP enforcer, and self-enforcement via agent clients installed on the client systems themselves.

DHCP enforcer – A plug-in installed on the DHCP server, or an appliance placed in front of the DHCP server. If a client does not meet the policy requirements it will not be able to receive a DHCP address from the DHCP server, or it may be assigned a restricted IP address in the guest VLAN, for example.

Gateway enforcer – Usually an inline physical appliance. Used when a client is attempting to access the network from the outside world, such as via VPN.

LAN enforcement using 802.1x – Switches are required to support 802.1x to use this type of enforcement. Optionally, RADIUS can also be set up for client authentication. A VLAN assignment can be handed to the switch depending on whether the client has met the policy requirements. If RADIUS is used for authentication then certain VLANs can be assigned depending on who the client is. For example, users in the HR group may be entitled to access the HR VLAN as well as the corporate VLAN, whereas standard employees can only access the corporate VLAN. It can also be more granular: if the user is from the HR group but does not meet the policy requirements, for instance because the anti-virus signatures are not up to date, you may give it access to the corporate network only and not the HR network.
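The following is an added example, not code from the page or from any NAC product, that models the flow the posture checklist above and the 802.1x section describe: the checklist is evaluated against one endpoint, the policy decides which VLAN the port should land in (HR VLAN, corporate VLAN only, or quarantine), and the decision is expressed as the RFC 3580 RADIUS attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) a RADIUS server returns to an 802.1x switch. The Posture fields, the policy thresholds and the VLAN numbers are constructed assumptions for illustration.

```python
"""Added example: vendor-neutral model of a NAC posture check and VLAN decision.
Posture fields, thresholds and VLAN numbers are constructed, not from any product."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed VLAN numbering (assumption; any real network differs).
VLAN_CORPORATE = 10
VLAN_HR = 20
VLAN_QUARANTINE = 99

# RFC 3580 values a RADIUS server returns so an 802.1x switch places the port
# in a VLAN: Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

# Failures that mean the device should only ever reach the quarantine VLAN.
SEVERE = {"personal_device", "av_missing", "firewall_disabled", "os_patches_stale"}


@dataclass
class Posture:
    """What the NAC agent or enforcer learned about one endpoint (constructed fields)."""
    user: str
    groups: list[str]
    corporate_device: bool
    os_patch_date: date
    av_installed: bool
    av_signature_date: date | None
    firewall_enabled: bool


@dataclass
class Policy:
    """Thresholds configured on the central NAC manager (constructed defaults)."""
    max_patch_age_days: int = 30
    max_av_signature_age_days: int = 7
    require_firewall: bool = True


def posture_failures(p: Posture, policy: Policy, today: date) -> list[str]:
    """Run the checklist against one endpoint and return the names of failed checks."""
    failures: list[str] = []
    if not p.corporate_device:
        failures.append("personal_device")
    if (today - p.os_patch_date).days > policy.max_patch_age_days:
        failures.append("os_patches_stale")
    if not p.av_installed:
        failures.append("av_missing")
    elif p.av_signature_date is None or \
            (today - p.av_signature_date).days > policy.max_av_signature_age_days:
        failures.append("av_signatures_stale")
    if policy.require_firewall and not p.firewall_enabled:
        failures.append("firewall_disabled")
    return failures


def decide_vlan(p: Posture, policy: Policy, today: date) -> tuple[int, list[str]]:
    """Policy decision: the VLAN the switch port should be placed in, plus the reasons.

    severe failure             -> quarantine VLAN (remediation portal only)
    minor failure (stale AV)   -> corporate VLAN only, group VLAN withheld
    compliant                  -> the VLAN the user's group entitles them to
    """
    failures = posture_failures(p, policy, today)
    if any(f in SEVERE for f in failures):
        return VLAN_QUARANTINE, failures
    if failures:
        return VLAN_CORPORATE, failures
    if "HR" in p.groups:
        return VLAN_HR, failures
    return VLAN_CORPORATE, failures


def radius_vlan_attributes(vlan: int) -> dict[str, int | str]:
    """Attributes in the Access-Accept that carry the VLAN to the switch (RFC 3580)."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-ID": str(vlan),
    }


def evaluate(p: Posture, policy: Policy | None = None, today: date | None = None) -> dict:
    """Return the decision, the failed checks and the RADIUS attributes to send."""
    policy = policy or Policy()
    today = today or date.today()
    vlan, failures = decide_vlan(p, policy, today)
    return {"user": p.user, "vlan": vlan, "failures": failures,
            "radius": radius_vlan_attributes(vlan)}


if __name__ == "__main__":
    today = date(2024, 3, 1)  # fixed date so the constructed samples are reproducible
    hr_ok = Posture("alice", ["HR"], True, date(2024, 2, 20), True, date(2024, 2, 28), True)
    hr_stale_av = Posture("bob", ["HR"], True, date(2024, 2, 20), True, date(2024, 1, 1), True)
    no_firewall = Posture("carol", ["Staff"], True, date(2024, 2, 20), True, date(2024, 2, 28), False)
    for endpoint in (hr_ok, hr_stale_av, no_firewall):
        print(evaluate(endpoint, today=today))
```

The constructed sample run shows the three outcomes from the text: a compliant HR user lands in the HR VLAN, an HR user with stale anti-virus signatures is held to the corporate VLAN, and a device with its firewall off goes to quarantine. In a real deployment the thresholds and the severe/minor split are policy choices made on the NAC manager, and the returned attributes would be emitted by the RADIUS server rather than built by hand.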

Microsoft NAP – Ability to integrate with Microsoft Network Access Protection (NAP) for enforcement.

Self-enforcement – Using the client agent, a client can be quarantined if it does not meet the policy requirements defined on the management system. For example, the client has to be running a certain application; otherwise the client is quarantined and given access only to a portal from which it can download the required application.

For further reading, there are some excellent ebooks available for download from eBooks.com.