Power Of Four
In the most current offerings, NAC happens in four phases: assessment, validation, decision and enforcement.
» ASSESS: If IT assets remained static, a host of ills would be eradicated. Dream on. Devices change state constantly during use, so if a NAC product performs only a single pre-admission assessment, as in Nortel's Secure Network Access and StillSecure's SafeAccess, the system can't detect changes on the host and, quite frankly, the value of the product plummets. Access control cannot be fire and forget. Assessments and reassessments, continuous or periodic, are critical (see "Assessment Strategies" left).
Posture assessment updates are triggered using a variety of mechanisms. These can be simple--802.1X re-authentication, a scheduled reassessment or passive monitoring--or complex, like triggering an assessment based on host activity. We surveyed NAC vendors about their reassessment strategies; most claim to continuously reassess hosts (see "Good Posture?" right).
Don't take that to mean real-time assessment. Vendors often use "continuous assessment" and "periodic assessment" interchangeably; what is sold as continuous assessment is in practice a periodic one, repeated at a fixed interval, and a change on the host between two runs goes unnoticed until the next one.
ConSentry, Enterasys, Extreme Networks and Nevis Networks use passive monitoring--IDS, behavior analysis or both--to determine when a host needs a reassessment based on its behavior. Triggering an IDS signature, or worm activity that leaves a distinct network footprint, such as scanning off-net or sending lots of e-mail, may cause the NAC system to reassess that host.
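To make the distinction between scheduled, event-driven and behavior-driven reassessment concrete, here is a small Python model of a policy server's trigger logic. It is an added example, not code from this article or from any vendor named in it; the event format, the thresholds, the window size and the addresses in the sample traffic are all assumptions constructed for the illustration.

```python
"""Reassessment triggers for a NAC policy server (added example, not a vendor's code).

Three strategies from the text are modelled:
  periodic   - a scheduled interval, which is what "continuous assessment" usually means
  event      - an 802.1X re-authentication forces a fresh posture check
  behavioral - passive monitoring: an IDS hit, off-net scanning or an outbound SMTP burst
Event format, thresholds and window sizes are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

REASSESS_INTERVAL = 3600   # seconds between scheduled reassessments (assumed)
WINDOW = 60                # seconds over which behavioural counters are kept (assumed)
SCAN_THRESHOLD = 20        # distinct off-net destinations in WINDOW => scanning (assumed)
SMTP_THRESHOLD = 50        # outbound SMTP connections in WINDOW => mass mailer (assumed)


@dataclass
class HostState:
    last_assessed: float = 0.0
    offnet_dsts: dict = field(default_factory=dict)  # destination -> last-seen timestamp
    smtp_ts: list = field(default_factory=list)      # timestamps of outbound port-25 flows


class ReassessmentTrigger:
    def __init__(self, interval=REASSESS_INTERVAL):
        self.interval = interval
        self.hosts = defaultdict(HostState)

    def record_assessment(self, host, now):
        """Called after a posture check completes: resets the clock and the counters."""
        st = self.hosts[host]
        st.last_assessed = now
        st.offnet_dsts.clear()
        st.smtp_ts.clear()

    def periodic_due(self, host, now):
        """Scheduled reassessment: true once the interval since the last check has elapsed."""
        return now - self.hosts[host].last_assessed >= self.interval

    def on_event(self, ev):
        """Return a reason string if this event should force a reassessment, else None."""
        st = self.hosts[ev["host"]]
        now = ev["ts"]
        if ev["type"] == "dot1x_reauth":
            return "802.1X re-authentication"
        if ev["type"] == "ids_alert":
            return "IDS signature: " + ev["sig"]
        if ev["type"] == "flow":
            if ev["offnet"]:
                st.offnet_dsts[ev["dst"]] = now
                for dst in [d for d, t in st.offnet_dsts.items() if now - t > WINDOW]:
                    del st.offnet_dsts[dst]                      # expire old destinations
                if len(st.offnet_dsts) >= SCAN_THRESHOLD:
                    return "off-net scanning (%d hosts in %ds)" % (len(st.offnet_dsts), WINDOW)
            if ev["dport"] == 25:
                st.smtp_ts = [t for t in st.smtp_ts if now - t <= WINDOW] + [now]
                if len(st.smtp_ts) >= SMTP_THRESHOLD:
                    return "outbound SMTP burst (%d in %ds)" % (len(st.smtp_ts), WINDOW)
        return None


def run(events, admitted, trigger=None):
    """Feed events through the trigger; return (host, ts, reason) for every forced reassessment."""
    trig = trigger or ReassessmentTrigger()
    for host, ts in admitted.items():
        trig.record_assessment(host, ts)        # the initial pre-admission assessment
    fired = []
    for ev in events:
        reason = trig.on_event(ev)
        if reason is None and trig.periodic_due(ev["host"], ev["ts"]):
            reason = "scheduled interval elapsed"
        if reason:
            fired.append((ev["host"], ev["ts"], reason))
            trig.record_assessment(ev["host"], ev["ts"])
    return fired


# Constructed sample traffic: one host sweeping 25 Internet addresses on TCP/445,
# a second host re-authenticating, and a third host that simply ages past the interval.
ADMITTED = {"10.1.1.5": 0, "10.1.1.6": 0, "10.1.1.7": 0}
SAMPLE_EVENTS = (
    [{"type": "flow", "host": "10.1.1.5", "ts": 100 + i, "dst": "198.51.100.%d" % (i + 1),
      "dport": 445, "offnet": True} for i in range(25)]
    + [{"type": "dot1x_reauth", "host": "10.1.1.6", "ts": 200}]
    + [{"type": "flow", "host": "10.1.1.7", "ts": 300, "dst": "10.1.1.1", "dport": 25, "offnet": False},
       {"type": "flow", "host": "10.1.1.7", "ts": 3700, "dst": "10.1.1.1", "dport": 80, "offnet": False}]
)

if __name__ == "__main__":
    for host, ts, reason in run(SAMPLE_EVENTS, ADMITTED):
        print("t=%-5d %-10s reassess: %s" % (ts, host, reason))
```

Note what the scheduled path does not catch: the scanning host is flagged 19 seconds into its sweep by the behavioral counter, while a purely "continuous" (hourly) schedule would not have looked at it again until t=3600. The counters are reset after each reassessment so that a host is not flagged twice for the same burst.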
Assessment is easy to say, difficult to do. Nearly all assessment strategies, except for external scanning and passive monitoring, require authenticated access to the computer--sometimes with local Administrator privileges--just to run a persistent or dissolvable agent. Even remote procedure calls require credentials. This is especially problematic for unmanaged computers and guest access, where installing or running mobile code is often not feasible. Granted, many organizations give their mobile users elevated privileges, but the coming User Account Control in Vista may change that, since running day to day without Administrator rights will be easier.
» VALIDATE: Validation is a two-part process: posture information is gathered, then checked against policy. How data is gathered depends on the NAC product and the integration points between products. For example, vendors like Symantec or BigFix that integrate with Cisco's NAC or Microsoft NAP write to those APIs to report on their applications' conditions. Many other vendors, including CA, Sophos and Symantec, have done custom integration or use SDKs from OPSWAT, a provider of system integration development tools for endpoint security applications and a Cisco NAC, Microsoft NAP and TCG member. Assessments are passed to the policy server using standardized transports, such as 802.1X carrying an EAP method (EAP-TLS, for example), or using a proprietary protocol. Remember, if your NAC system uses 802.1X as a transport, your hosts need supplicants, and the access switch must support 802.1X as well.
The Policy Server validates a host's condition based on a defined policy by leveraging other repositories on the network. For example, if all Windows OSs must have all patches installed, the Policy Server would take the host assessment and compare it against a list of required installed patches--discrepancies set a host into remediation mode, where it's quarantined until it gets a proper patch profile. The resulting patch process may be made more or less transparent.
» DECIDE: Once the host assessment is validated, the host's access permission is determined. This process is the heart of NAC.
Hosts that match all defined policies are granted the access assigned to them. But what about hosts that fail to match one or more conditions?
This is where your organizational policy comes in. A policy that states "any host that fails any check will be remediated before accessing the network" simply won't work in most cases because, like it or not, users' computers are much more varied than we like to admit. If applying a patch will disable VPN software--as happened with Windows XP SP2--forget enforcing an all-or-nothing policy. Likewise, if a quarantined computer can't reach a patch server from the remediation network, it can never come into compliance and never gets onto the network, so the quarantine must admit exactly the traffic remediation needs and no more.
Clearly, the exceptions, not the norm, are the pain points in a NAC deployment. A NAC system must allow many validation policies that can be applied to specific systems or users, so the wider the criteria the NAC system can use to assess and validate a host's condition, the better.
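The validation and decision steps above, written out as an added Python example (not the article's code and not any vendor's policy engine): a posture report is checked against the most specific policy that applies to the host, and a check the organization has chosen not to enforce, such as a patch known to break the VPN client, is reported but does not put the host into remediation. Patch identifiers, group names, dates and the age thresholds are all constructed for the example.

```python
"""Posture validation and access decision for a NAC policy server (added example).

Policy selection is most-specific-wins: a per-host policy beats a per-group policy,
which beats the default. Patch IDs, groups, dates and thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Policy:
    name: str
    required_patches: frozenset
    max_av_age_days: int
    # Patches known to break something (the article's XP SP2 / VPN case) are
    # reported as missing but not enforced until the conflict is resolved.
    not_enforced: frozenset = frozenset()


@dataclass
class Decision:
    host: str
    policy: str
    access: str       # "full" or "remediate"
    failures: list


def validate(report, policy, today):
    """Compare a host's posture report with a policy; return the list of enforced failures."""
    failures = []
    missing = policy.required_patches - set(report["patches"])
    enforced = missing - policy.not_enforced
    if enforced:
        failures.append("missing patches: " + ", ".join(sorted(enforced)))
    age = (today - report["av_sig_date"]).days
    if age > policy.max_av_age_days:
        failures.append("AV signatures %d days old (max %d)" % (age, policy.max_av_age_days))
    return failures


def select_policy(report, policies):
    """Most specific policy wins: host, then user group, then the default."""
    for key in (("host", report["host"]), ("group", report["group"]), ("default", None)):
        if key in policies:
            return policies[key]
    raise KeyError("no default policy defined")


def decide(report, policies, today):
    policy = select_policy(report, policies)
    failures = validate(report, policy, today)
    return Decision(report["host"], policy.name, "full" if not failures else "remediate", failures)


# Constructed policies: KB-C stands in for a patch that disables the VPN client,
# contractors get a narrower check set, and one build server has its own policy.
POLICIES = {
    ("default", None): Policy("corp-default", frozenset({"KB-A", "KB-B", "KB-C"}), 7,
                              not_enforced=frozenset({"KB-C"})),
    ("group", "contractors"): Policy("contractor", frozenset({"KB-A"}), 14),
    ("host", "build-srv-01"): Policy("build-server", frozenset(), 30),
}

# Constructed posture reports as the agent or scanner would hand them to the policy server.
REPORTS = [
    {"host": "lt-0101", "group": "employees", "patches": {"KB-A", "KB-B", "KB-C"}, "av_sig_date": date(2006, 10, 10)},
    {"host": "lt-0102", "group": "employees", "patches": {"KB-A", "KB-B"}, "av_sig_date": date(2006, 10, 11)},
    {"host": "lt-0201", "group": "contractors", "patches": {"KB-B"}, "av_sig_date": date(2006, 10, 1)},
    {"host": "lt-0103", "group": "employees", "patches": {"KB-A", "KB-B", "KB-C"}, "av_sig_date": date(2006, 9, 20)},
    {"host": "build-srv-01", "group": "employees", "patches": set(), "av_sig_date": date(2006, 10, 1)},
]
TODAY = date(2006, 10, 12)


def run(reports=REPORTS, policies=POLICIES, today=TODAY):
    return [decide(r, policies, today) for r in reports]


if __name__ == "__main__":
    for d in run():
        print("%-13s %-13s %-9s %s" % (d.host, d.policy, d.access, "; ".join(d.failures) or "-"))
```

lt-0102 is missing KB-C but still gets full access because the default policy lists that patch as not enforced; lt-0201 is remediated under the narrower contractor policy, and lt-0103 goes into remediation purely for stale antivirus signatures. The breadth of the decision comes from the number of distinct policies the engine can hold and the attributes it can key them on, which is the point of the preceding paragraph.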
» ENFORCE: If the decision process is the heart of NAC, enforcement is the soul.
Types of enforcement vary widely by NAC vendor and often depend on the network infrastructure already in place. If your switches don't support 802.1X, for example, you may be out of luck.
The most versatile NAC offerings, such as those from ConSentry and Nevis Networks, provide a variety of in-band and out-of-band enforcement methods that not only allow you to tailor enforcement for specific network segments, but provide a migration path.
Remote users connecting over dial-up or VPN links should be handled using the same NAC policies as any other hosts. IPsec VPN and SSL VPN gateway vendors, including Cisco, Juniper and Nortel, have supported host assessment and access control for many years. Consider using RADIUS as the transport channel. Assessment attributes can be sent to the RADIUS server and attributes returned to the gateway defining an access policy.
Make no mistake: Any enforcement mechanism means significant changes to your infrastructure. Inline appliances are no exception. The closer enforcement is to the host, the tighter the access control (see "Attack Surface" diagram, nwc.com/2006/1012). When enforcement happens on an access-switch port--a method supported by 802.1X, VLAN steering, port ACLs or a NAC-enabled switch appliance--infected hosts have limited access to network components. When enforcement occurs closer to the core, at the distribution layer or further in, more hosts are available to an infected system.
Choosing an enforcement point for each part of the network isn't as difficult as you might think. When port-based control is not an option, work out how many hosts a malicious computer would be able to reach from behind that enforcement point. Decision factors include the likelihood that an unknown host will connect to the network, and your managerial control over legitimate mobile computers. Enforcement for ports in public locations like conference rooms and wireless access points will naturally be far different from that for internal ports.
» EXCEPTION HANDLING: If the 80/20 rule applies anywhere, it's NAC: VoIP phones, printers, network cameras, Solaris and Linux servers and desktops ... some network gear simply won't have NAC agents or 802.1X supplicants installed. These exceptions are typically handled by whitelisting the MAC address. A MAC address is trivially spoofed, so treat a whitelist entry as identification rather than authentication: tie it to the switch port or VLAN where the device actually lives, and give it only the access that device type needs.
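The RADIUS transport suggested for VPN gateways and the access-switch enforcement described above (VLAN steering, port ACLs, 802.1X re-authentication) meet in the reply attributes the policy server returns. The following Python is an added example, not the article's code and not any vendor's implementation: it encodes the standard attributes a switch or gateway uses to put a session in a VLAN (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID, RFC 2868 as profiled by RFC 3580), attach a named filter (Filter-Id, RFC 2865) and force periodic 802.1X re-authentication (Session-Timeout with Termination-Action set to RADIUS-Request). The VLAN numbers, ACL name and re-authentication intervals are assumptions. It covers only the attribute payload; a real Access-Accept also needs the packet header and the Response Authenticator computed with the shared secret, which are outside the example.

```python
"""Encode NAC enforcement decisions as RADIUS reply attributes (added example).

Attribute numbers and enumerated values are from RFC 2865 / RFC 2868 / RFC 3580;
VLAN IDs, the ACL name and the re-auth intervals are assumptions for this example.
"""
import struct

FILTER_ID = 11                  # RFC 2865: name of a filter list on the NAS
SESSION_TIMEOUT = 27            # RFC 2865: seconds before the NAS ends/renews the session
TERMINATION_ACTION = 29         # RFC 2865: what to do when Session-Timeout expires
TUNNEL_TYPE = 64                # RFC 2868
TUNNEL_MEDIUM_TYPE = 65         # RFC 2868
TUNNEL_PRIVATE_GROUP_ID = 81    # RFC 2868
TUNNEL_TYPE_VLAN = 13           # RFC 3580
TUNNEL_MEDIUM_IEEE802 = 6       # RFC 3580
TERM_ACTION_RADIUS_REQUEST = 1  # re-authenticate instead of just dropping the session


def attr(atype, value):
    """One RADIUS attribute: Type, Length (including the two header bytes), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(value, tag=0):
    """RFC 2868 tagged integer: one tag byte (0 = unused) followed by a 3-byte integer."""
    return bytes([tag]) + value.to_bytes(3, "big")


def tagged_string(s, tag=0):
    return bytes([tag]) + s.encode()


def vlan_steering(vlan_id, reauth_seconds=None, acl=None):
    """Attributes an 802.1X-capable switch needs to put the port in `vlan_id` (RFC 3580)."""
    attrs = [attr(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN)),
             attr(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE802)),
             attr(TUNNEL_PRIVATE_GROUP_ID, tagged_string(str(vlan_id)))]
    if acl:
        attrs.append(attr(FILTER_ID, acl.encode()))          # port ACL applied by name
    if reauth_seconds:
        attrs.append(attr(SESSION_TIMEOUT, struct.pack("!I", reauth_seconds)))
        attrs.append(attr(TERMINATION_ACTION, struct.pack("!I", TERM_ACTION_RADIUS_REQUEST)))
    return b"".join(attrs)


def enforcement_for(decision):
    """Map a NAC decision to reply attributes. VLANs, ACL name and intervals are assumed."""
    if decision == "full":          # production VLAN, hourly 802.1X re-auth drives reassessment
        return vlan_steering(100, reauth_seconds=3600)
    if decision == "remediate":     # quarantine VLAN, ACL limits it to patch servers, re-auth often
        return vlan_steering(900, reauth_seconds=300, acl="quarantine-patch-only")
    if decision == "exception":     # MAC-whitelisted phone/printer: pinned to its device VLAN only
        return vlan_steering(200)
    raise ValueError("unknown decision %r" % decision)


def decode(blob):
    """Parse a run of attributes back into (type, value) pairs, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, ln = blob[i], blob[i + 1]
        if ln < 2 or i + ln > len(blob):
            raise ValueError("malformed attribute length")
        out.append((t, blob[i + 2:i + ln]))
        i += ln
    return out


def describe(blob):
    """Human-readable view of what the NAS would enforce from these attributes."""
    d = {}
    for t, v in decode(blob):
        if t == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte above 0x1F is not a tag but part of the string
            d["vlan"] = (v[1:] if v[0] <= 0x1F else v).decode()
        elif t == TUNNEL_TYPE:
            d["tunnel_type"] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_MEDIUM_TYPE:
            d["medium"] = int.from_bytes(v[1:], "big")
        elif t == FILTER_ID:
            d["acl"] = v.decode()
        elif t == SESSION_TIMEOUT:
            d["reauth"] = struct.unpack("!I", v)[0]
        elif t == TERMINATION_ACTION:
            d["term_action"] = struct.unpack("!I", v)[0]
    return d


if __name__ == "__main__":
    for decision in ("full", "remediate", "exception"):
        print("%-10s %s" % (decision, describe(enforcement_for(decision))))
```

Two details matter in practice. The Session-Timeout/Termination-Action pair is what turns an 802.1X port into a periodic reassessment trigger without any agent-side scheduling, and the whitelisted-device case deliberately carries no ACL and no re-authentication because a MAC-only device cannot re-authenticate; its protection is the pinned VLAN. The switch must honour these attributes for them to mean anything, which is the infrastructure dependency the text warns about.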
Plan ahead for guests who need more network access than the standard guest policy allows. At $250 per billable hour, you don't want a contract developer hired on a per-project basis idling while IT scrambles to provide access to a subset of development servers.
Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs and former editor in chief of Secure Enterprise. Prior to joining this magazine, Mike worked as an independent consultant in central New York. Write to him at [email protected].