What is NAC?
NAC, the abbreviation of Network Access Control or Network Admission Control, is a method of bolstering the security of a proprietary network by restricting the availability of network resources to endpoint devices that comply with a defined security policy. Of course, this definition does not summarize NAC very well, which has resulted in many misunderstandings. Some view NAC as simple registration and authorization of network-connected end systems, while others treat NAC as a solution to protect the network environment from viruses and worms; still others view NAC as a gatekeeper function that controls how end systems and guest systems which are not compliant with corporate computing guidelines can access the network. In fact, a well-architected NAC solution is all of these things. Network Access Control is the integration of several technologies to provide a solution that proactively and reactively controls end system communication on the network. A well-architected NAC solution will leverage a number of important functions, including end system detection, authentication, assessment, authorization, and remediation. This makes it easier for IT organizations to deploy NAC quickly and, more importantly, to deploy it in phases that best align with business needs.
Functions of NAC
There are a number of individual functions that make up a comprehensive NAC solution. A well-architected solution should integrate a highly advanced, policy-enabled network infrastructure with advanced security applications and centralized management to deliver all of the required functions for pre- and post-connect secure network access. The following walks step by step through the functions that follow the detection and identification of new devices connecting to the network.
1. Authenticate - Authentication of users and/or devices. A traditional network access server (NAS) is a server that performs authentication and authorization functions for potential users by verifying logon information. In addition to these functions, NAC restricts the data that each particular user can access, as well as implementing anti-threat applications such as firewalls, antivirus software and spyware-detection programs. NAC also regulates and restricts the things individual subscribers can do once they are connected.
2. Assess - Assessment of end systems regarding their compliance and/or vulnerabilities. The access-control policy in NAC can range from simple, such as a go/no-go decision on network access or a choice of virtual LANs, to as complex as a set of per-user firewall rules defining which parts of the network are accessible. Besides, the assessment function goes beyond the switch port and tries to assess the end system itself. Assessments, or health checks, can be separated into two methods: Agent-less (Network Based - a network scanner scans the end system remotely over the network; Applet Based - a Java applet is used to launch assessment functions on the end system from the web browser) or Agent-based (Thin Agent - a temporary agent which can be loaded and unloaded on the end system using various vendor-specific techniques; Fat Agent - a persistent suite of assessment software with firewall and host intrusion detection established on the end system).
3. Authorize - Authorization to use the network based on the results of the authentication and the assessment. The authorization process applies all the rules planned during the preparation phase of a NAC deployment. Additionally, the choice of authorization enforcement options also depends on the required level of security as well as the design of the infrastructure itself. It is important to know whether more than one end system needs to share ports, or whether devices, users, ports, or individual traffic flows need to be considered.
4. Monitor - Monitoring of users and devices once they are connected to the network. The NAC solution should include a wide variety of configuration options to meet the requirements of the network. The chosen NAC solution should be flexible but template-based, to keep administrative effort to a minimum and simplify troubleshooting.
5. Contain - Quarantine of problem end systems and/or users to prevent them from negatively impacting the overall network environment.
6. Remediate - Remediation of problems with the end system and/or user. Remediation is the process of helping end systems reach the required level of compliance and then lifting the restrictions on their network access. To minimize manual remediation, problems with end systems and user actions should be solved automatically or by the user rather than forcing the involvement of the IT helpdesk.
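To make the six functions concrete, here is an added example of a toy NAC policy engine that is not from the original article or the Enterasys guide it cites. It walks one end system through authenticate, assess, authorize, monitor, contain and remediate: the NAS-style logon check decides user versus guest versus rejected, the health check is compared against a required posture, the authorization result is a go/no-go decision or a VLAN choice (production, guest, quarantine), a post-connect posture change is re-evaluated so that drift moves the system into the quarantine VLAN, and remediation returns user-actionable instructions for each failed check. The endpoints, posture results, VLAN names, required-posture policy and remediation text are all constructed for the example.

```python
# Added example (not from the original article): a toy NAC policy engine that
# walks an endpoint through the six NAC functions. All endpoints, posture
# results, VLAN names and policy values below are constructed.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Decision(str, Enum):
    """Authorization outcomes: a go/no-go decision or a choice of VLAN."""
    PRODUCTION = "vlan-production"
    GUEST = "vlan-guest"
    QUARANTINE = "vlan-quarantine"
    DENY = "deny"


@dataclass
class Endpoint:
    mac: str
    user: Optional[str]                 # None = no logon attempted (guest / unmanaged device)
    credential_ok: bool                 # result of the NAS verifying the logon information
    posture: Dict[str, bool] = field(default_factory=dict)  # health-check results (agent-less or agent-based)


# Constructed compliance policy: what a healthy end system must report.
REQUIRED_POSTURE: Dict[str, bool] = {
    "antivirus_running": True,
    "firewall_enabled": True,
    "os_patch_level_ok": True,
}

# Constructed remediation guidance, keyed by the failed check.
REMEDIATION_STEPS: Dict[str, str] = {
    "antivirus_running": "Start the endpoint antivirus service and update signatures.",
    "firewall_enabled": "Enable the host firewall.",
    "os_patch_level_ok": "Install pending OS security updates and reboot.",
}


def authenticate(ep: Endpoint) -> str:
    """Step 1 (Authenticate): classify the connecting end system as user, guest or failed."""
    if ep.user is None:
        return "guest"
    return "user" if ep.credential_ok else "failed"


def assess(posture: Dict[str, bool]) -> List[str]:
    """Step 2 (Assess): return the policy checks the end system fails, sorted for stable output."""
    return sorted(k for k, v in REQUIRED_POSTURE.items() if posture.get(k) != v)


def authorize(ep: Endpoint) -> Tuple[Decision, List[str]]:
    """Step 3 (Authorize): combine authentication and assessment into a VLAN decision."""
    auth = authenticate(ep)
    if auth == "failed":
        return Decision.DENY, []
    if auth == "guest":
        # Guests never reach production, whatever their posture reports.
        return Decision.GUEST, []
    failures = assess(ep.posture)
    if failures:
        # Step 5 (Contain): a non-compliant authenticated system lands in the quarantine VLAN.
        return Decision.QUARANTINE, failures
    return Decision.PRODUCTION, []


def monitor(ep: Endpoint, posture_update: Dict[str, bool]) -> Tuple[Decision, List[str]]:
    """Step 4 (Monitor): re-evaluate on a post-connect posture change; drift triggers containment."""
    ep.posture.update(posture_update)
    return authorize(ep)


def remediate(ep: Endpoint) -> List[str]:
    """Step 6 (Remediate): user-actionable instructions for every failed check."""
    return [REMEDIATION_STEPS[check] for check in assess(ep.posture)]


if __name__ == "__main__":
    laptop = Endpoint("00:11:22:33:44:55", "alice", True,
                      {"antivirus_running": True, "firewall_enabled": True, "os_patch_level_ok": True})
    print(authorize(laptop))                              # compliant user -> production VLAN
    print(monitor(laptop, {"antivirus_running": False}))  # antivirus stops -> quarantine VLAN
    print(remediate(laptop))                              # what the user must fix to get out
```

The ordering matters: authentication failure denies access before any posture data is trusted, guests are segregated regardless of posture, and only an authenticated, compliant system reaches production. Re-running `authorize` from `monitor` is what turns a one-time admission check into continuous post-connect enforcement.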
When embarking on a project to implement NAC, there are a few major business benefits you can achieve, because the fundamental elements of a NAC project determine who is allowed to connect to the network, how they are allowed to communicate, what they are allowed to connect to, and where they should get access.
Some material is drawn from:
www.enterasys.com/company/literature/enterasys-nac-guide.pdf