Controlling who can access your network
What is Endpoint NAC (Network Access Control)?
Endpoint NAC gives us the ability to control who can access our network. Networks have become complex beasts with the addition of VLANs, wireless, VPNs, remote users, MPLS networks and so on. This also makes it difficult to know who is connected to our network and what they are doing, along with many other unanswered questions.
Endpoint NAC gives us the ability to answer the following questions:
Who is connected to the network?
How are they connected - VPN, wireless, plugged into a switch?
What do they have access to?
What programs are they running on their system?
Is it a personal laptop or corporate?
What operating system is running on the laptop?
Are the updates and patches for the operating system and applications up to date?
Does it have anti-virus / anti-spyware software?
Does it have any host intrusion prevention software?
Does it have a firewall?
Given who the user is and the state of their system, are they allowed the level of access they currently have?
How NAC is deployed and how it works
You would have a central NAC manager installed on a server to manage your policies and systems.
You would have enforcers that check and enforce restrictions on systems that do not meet requirements.
Enforcers can come in different forms depending on what is right for your environment and exactly what you are trying to achieve.
Flavours of NAC enforcers
NAC enforcers can come in the form of a DHCP enforcer, an inline gateway enforcer, an 802.1X enforcer, a Microsoft NAP enforcer, or self-enforcement via agent clients installed on the client systems themselves.
DHCP enforcer – A plug-in installed on the DHCP server, or an appliance in front of it. If a client does not meet the policy requirements it either receives no DHCP lease at all, or it is handed a limited address, for example one on the guest VLAN. Note that this only controls hosts that ask for a lease: a host configured with a static IP address on the right subnet never talks to the enforcer, so DHCP enforcement on its own is easy to bypass and is best treated as a first step rather than a security boundary.
Gateway enforcer – Usually an inline physical appliance. Used when a client is attempting to reach the network from the outside world, for example over a VPN.
LAN enforcement using 802.1X – The switches must support 802.1X. The switch acts as the authenticator and relays the client's EAP credentials to a RADIUS server, which decides whether the port is allowed onto the network and which VLAN it is placed in; the VLAN is handed back to the switch as attributes in the RADIUS Access-Accept. Because the RADIUS server knows who the client is, VLANs can be assigned by identity. For example, users in the HR group may be entitled to the HR VLAN and the corporate VLAN, while standard employees can only access the corporate VLAN. It can also be more granular: if the user is in the HR group but the system does not meet policy requirements, for example the anti-virus signatures are not up to date, you may give it access to the corporate network only and not the HR network.
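The HR example above, carried through as an added example that is not part of the original page: a posture-aware VLAN decision for an authenticated user, and the three RFC 2868 tagged attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) a RADIUS server returns in its Access-Accept so that the switch moves the port to that VLAN. The group names, VLAN numbers and posture rules are assumptions made for the example; the attribute numbers and enumerated values are the ones RFC 2868 defines.

```python
"""Posture-aware VLAN assignment for 802.1X enforcement.

Added example, not the page's own code. The group names, VLAN numbers and the
posture rules are hypothetical; the attribute numbers and enumerated values are
those defined in RFC 2868 for dynamic VLAN assignment.
"""
from dataclasses import dataclass

# RFC 2868 tagged attributes a switch expects in an Access-Accept for VLAN assignment
TUNNEL_TYPE = 64              # Tunnel-Type, value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # Tunnel-Medium-Type, value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # Tunnel-Private-Group-ID, the VLAN ID as a string
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Hypothetical VLAN plan and group entitlements; PRIVILEGE lists VLANs least privileged first
VLANS = {"corporate": 10, "hr": 20, "quarantine": 99}
GROUP_VLANS = {"hr": {"hr", "corporate"}, "staff": {"corporate"}}
PRIVILEGE = ["corporate", "hr"]


@dataclass(frozen=True)
class Posture:
    """Health state of the endpoint as reported by the agent or assessed at the switch."""
    antivirus_installed: bool
    signatures_current: bool
    firewall_enabled: bool
    patches_current: bool

    def hard_failures(self) -> list[str]:
        """Failures that keep the host off every production VLAN (hypothetical policy)."""
        reasons = []
        if not self.antivirus_installed:
            reasons.append("no anti-virus installed")
        if not self.firewall_enabled:
            reasons.append("host firewall disabled")
        return reasons

    def soft_failures(self) -> list[str]:
        """Failures that cost the host its privileged VLANs but not basic access."""
        reasons = []
        if not self.signatures_current:
            reasons.append("anti-virus signatures out of date")
        if not self.patches_current:
            reasons.append("operating system patches missing")
        return reasons


def decide_vlan(groups: set[str], posture: Posture) -> tuple[str, list[str]]:
    """Choose a VLAN for an authenticated user from group membership and posture.

    Returns (vlan_name, reasons). Anything unexpected lands in quarantine: fail closed.
    """
    hard = posture.hard_failures()
    if hard:
        return "quarantine", hard
    entitled = sorted({v for g in groups for v in GROUP_VLANS.get(g, ())},
                      key=PRIVILEGE.index)
    if not entitled:
        return "quarantine", ["no VLAN entitlement for groups %s" % sorted(groups)]
    soft = posture.soft_failures()
    if soft:
        return entitled[0], soft    # least privileged VLAN the user is entitled to
    return entitled[-1], []         # fully compliant: most privileged VLAN


def tagged_attribute(attr_type: int, tag: int, value: bytes) -> bytes:
    """Encode one RFC 2868 tagged attribute: Type, Length, Tag, Value."""
    if not 1 <= tag <= 31:
        raise ValueError("tag must be 1..31")
    body = bytes([tag]) + value
    if len(body) + 2 > 255:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(body) + 2]) + body


def vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """The three attributes that move the port to vlan_id; all three carry the same tag."""
    return (
        tagged_attribute(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + tagged_attribute(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + tagged_attribute(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode("ascii"))
    )


def parse_attributes(blob: bytes) -> list[tuple[int, int, bytes]]:
    """Decode tagged attributes back to (type, tag, value) so a reply can be checked."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % i)
        attr_type, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((attr_type, blob[i + 2], bytes(blob[i + 3:i + length])))
        i += length
    return out


def access_accept_attributes(groups: set[str], posture: Posture) -> tuple[str, bytes]:
    """What the RADIUS server puts in its Access-Accept for this user and host."""
    vlan, _reasons = decide_vlan(groups, posture)
    return vlan, vlan_attributes(VLANS[vlan])


if __name__ == "__main__":
    healthy = Posture(True, True, True, True)
    stale_av = Posture(True, False, True, True)   # signatures out of date
    for label, groups, posture in [("hr, compliant", {"hr"}, healthy),
                                   ("hr, stale signatures", {"hr"}, stale_av),
                                   ("staff, compliant", {"staff"}, healthy)]:
        vlan, attrs = access_accept_attributes(groups, posture)
        print("%-22s -> VLAN %s (%d): %s" % (label, vlan, VLANS[vlan], attrs.hex()))
```

The decision fails closed: a user whose groups carry no entitlement, or a host missing anti-virus or a firewall entirely, gets the quarantine VLAN rather than a default of "corporate". The HR user with stale signatures drops to the least privileged VLAN they are entitled to, which is the behaviour the paragraph describes. Whether the switch honours Tunnel-Private-Group-ID as a numeric VLAN ID or a VLAN name depends on the switch; check its documentation before relying on one form.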
Microsoft NAP – Integration with Microsoft Network Access Protection for enforcement. NAP was deprecated in Windows Server 2012 R2 and is not shipped in later Windows Server releases, so do not build a new deployment around it.
Self-enforcement – Using the client agent, a client can be quarantined if it does not meet the policy requirements defined on the management system. For example, the client must be running a certain application; if it is not, the client is quarantined and given access only to a remediation portal from which it can download the required application. The caveat is that the agent runs on the very machine it is judging: a user with local administrator rights can stop or tamper with it, so self-enforcement is only as trustworthy as the client and is best combined with one of the network-side enforcers above.