Wednesday, August 15, 2012

Tutorial of Definition and Functions of Cisco Network Access Control (NAC)


What is NAC?
NAC, an abbreviation of Network Access Control or Network Admission Control, is a method of bolstering the security of a proprietary network by restricting the availability of network resources to endpoint devices that comply with a defined security policy. Of course, this definition may not summarize NAC very well, which has resulted in many misunderstandings. Some view NAC as simple registration and authorization of network-connected end systems, while others treat NAC as a solution to protect the network environment from viruses and worms; still others view NAC as a gatekeeper function that controls how end systems and guest systems that are not compliant with corporate computing guidelines can access the network. In fact, a well-architected NAC solution is all of these things. Network Access Control is the integration of several technologies into a solution that proactively and reactively controls end-system communication on the network. A well-architected NAC solution leverages a number of important functions, including end-system detection, authentication, assessment, authorization, and remediation. This makes it easier for IT organizations to deploy NAC quickly and, more importantly, to deploy it in phases that best align with business needs.
Functions of NAC
There are a number of individual functions that make up a comprehensive NAC solution. A well-architected solution should integrate a highly advanced, policy-enabled network infrastructure with advanced security applications and centralized management to deliver all of the required functions for pre-connect and post-connect secure network access. Now, let's go through the details step by step, starting from the detection and identification of new devices connecting to the network.
 
1. Authenticate - Authentication of users and/or devices. A traditional network access server (NAS) is a server that performs authentication and authorization functions for potential users by verifying logon information. In addition to these functions, NAC restricts the data that each particular user can access, and can enforce anti-threat applications such as firewalls, antivirus software and spyware-detection programs. NAC also regulates and restricts what individual subscribers can do once they are connected.
2. Assess - Assessment of end systems regarding their compliance and/or vulnerabilities. The access-control policy in NAC can range from simple, such as a go/no-go decision on network access or a choice of virtual LANs, to as complex as a set of per-user firewall rules defining which parts of the network are accessible. Besides, the assessment function goes beyond the switch port and tries to assess the end system itself. Assessments, or health checks, fall into two groups: agent-less (network-based: a network scanner scans the end system remotely over the network; applet-based: a Java applet launched from the web browser runs the assessment functions on the end system) and agent-based (thin agent: a temporary agent that can be loaded onto and unloaded from the end system using various vendor-specific techniques; fat agent: a persistent suite of assessment software with firewall and host intrusion detection installed on the end system).
3. Authorize - Authorization to use the network based on the results of the authentication and the assessment. The authorization process applies all the rules planned during the preparation phase of a NAC deployment. The choice of authorization enforcement options also depends on the required level of security as well as the design of the infrastructure itself. It is important to know whether more than one end system needs to share a port, and whether devices, users, ports, or individual traffic flows need to be considered.
4. Monitor - Monitoring users and devices once they are connected to the network. The NAC solution should include a wide variety of configuration options to meet the requirements of the network. The chosen NAC solution should work flexibly but be template-based, to keep administrative effort to a minimum and simplify troubleshooting.
5. Contain - Quarantine problem end systems and/or users to prevent them from negatively impacting the overall network environment.
6. Remediate - Remediation of problems with the end system and/or user. Remediation is the process of helping end systems reach the required level of compliance and then lifting the restrictions on their network access. To minimize manual remediation, problems with end systems and user actions should be solved automatically or by the user rather than forcing the involvement of the IT helpdesk.
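To make the six functions concrete, here is an added example in Python that models the decision flow as a small policy engine. It is not code from this post, from the Enterasys guide it draws on, or from any Cisco product; the VLAN numbers, the credential store, the posture checks and the patch-level threshold are all constructed assumptions. Authenticate and assess feed an authorize step that picks a VLAN; a failing assessment leads to containment (quarantine VLAN) together with the remediation list; monitor re-runs the assessment after connection so that a host that drifts out of compliance is contained rather than left on the production network.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed VLAN plan (assumption): production, quarantine and guest.
VLAN_PROD = 100
VLAN_QUARANTINE = 900
VLAN_GUEST = 200

# Constructed credential store (assumption). A real deployment authenticates
# against RADIUS/AD; a dict is used only to keep the example self-contained.
CREDENTIALS = {"alice": "correct-horse", "bob": "battery-staple"}

# Posture requirements every end system must meet for production access.
REQUIRED_POSTURE = {"antivirus_running": True, "firewall_enabled": True}
MIN_PATCH_LEVEL = 42  # constructed minimum OS patch level (assumption)


@dataclass
class Endpoint:
    mac: str
    user: Optional[str]        # None when no user credentials were presented
    password: Optional[str]
    posture: Dict[str, bool]   # what the assessment agent or scanner reported
    patch_level: int


@dataclass
class Decision:
    vlan: int
    reason: str
    remediation: List[str] = field(default_factory=list)


def authenticate(ep: Endpoint) -> bool:
    """Step 1, Authenticate: verify the presented logon information."""
    return ep.user is not None and CREDENTIALS.get(ep.user) == ep.password


def assess(ep: Endpoint) -> List[str]:
    """Step 2, Assess: return the list of compliance failures (empty = compliant)."""
    failures = []
    for key, required in REQUIRED_POSTURE.items():
        if ep.posture.get(key) != required:
            failures.append(f"{key} must be {required}")
    if ep.patch_level < MIN_PATCH_LEVEL:
        failures.append(f"patch level {ep.patch_level} is below minimum {MIN_PATCH_LEVEL}")
    return failures


def authorize(ep: Endpoint) -> Decision:
    """Step 3, Authorize: combine authentication and assessment into a VLAN choice."""
    if not authenticate(ep):
        return Decision(VLAN_GUEST, "authentication failed: guest access only")
    failures = assess(ep)
    if failures:
        # Step 5, Contain: non-compliant hosts go to the quarantine VLAN and are
        # handed the list of fixes (step 6, Remediate) needed to get out of it.
        return Decision(VLAN_QUARANTINE, "non-compliant endpoint quarantined", failures)
    return Decision(VLAN_PROD, "authenticated and compliant")


def monitor(ep: Endpoint, current: Decision) -> Decision:
    """Step 4, Monitor: re-assess a connected host; drifting out of compliance
    after connection moves it from production to quarantine."""
    if current.vlan == VLAN_PROD:
        failures = assess(ep)
        if failures:
            return Decision(VLAN_QUARANTINE, "post-connect drift: endpoint quarantined", failures)
    return current


if __name__ == "__main__":
    laptop = Endpoint("00:11:22:33:44:55", "alice", "correct-horse",
                      {"antivirus_running": True, "firewall_enabled": True}, 50)
    first = authorize(laptop)
    print(first)
    laptop.posture["firewall_enabled"] = False      # user switches the firewall off
    print(monitor(laptop, first))
```

The point of keeping `assess` separate from `authorize` and `monitor` is that the same health check runs both pre-connect and post-connect, which is what lets a phased deployment start with monitoring only and add enforcement later without changing the checks.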
When embarking on a project to implement NAC, there are a few major business benefits you can achieve, because the fundamental elements of a NAC project determine who is allowed to connect to the network, how they are allowed to communicate, what they are allowed to connect to, and where they should get access.
Some material is referenced from:
www.enterasys.com/company/literature/enterasys-nac-guide.pdf

Friday, August 10, 2012

Tutorial of Creating No-Router Wireless Network with Wi-Fi or ad-hoc Network

Cooperation between people is becoming stronger and stronger in this Internet age, and so is the sharing of materials. Imagine that you want to share your Internet connection with the other notebooks or desktops in your room, with all your friends or colleagues, but first have to set up a series of connections through routers or access points. Doing without the router is the trend, but how to create a wireless network without a router is a problem. There are two ways you can choose from: Virtual Wi-Fi or an ad-hoc network.

First, let's make clear what the difference is between Virtual Wi-Fi and an ad-hoc network.
1. Generally, to set up ad-hoc networking, your main computer needs to have an Ethernet-based Internet connection as well as a wireless (WLAN) network adapter. In the case of Virtual Wi-Fi, however, the Ethernet card is optional, so you can turn a laptop into a hotspot even if the laptop itself is connected to a wireless network rather than to an Ethernet cable.
2. Computers and other wireless devices in ad-hoc networks must be within 30 feet of each other, but there is no such restriction in the case of Virtual Wi-Fi networks.
3. Ad-hoc wireless networking is available on Windows XP, Vista and Windows 7, while Virtual Wi-Fi, which is much easier to set up, is available on Windows 7 or Windows Server 2008.

Second, let's share the advantages and disadvantages of a no-router wireless network.
Advantages:
1. It is easy to set up, with no additional software needed.
2. It is free: no hub, router or service to purchase.
3. Nowadays a Wi-Fi (wireless) card is included by default when you buy a computer, especially a laptop.
4. It has strong portability and mobility.
Disadvantages:
1. The computer that is connected to the Internet (the gateway) must always be turned on, unlike with a router, where you can turn off any computer in the network.
2. Wireless communication quality and data security are not as good as with Bluetooth.
3. Its distance and range are limited.

Third, let's come to the steps of creating a no-router wireless network.
1. Choose a computer to act as the router; it must stay running for any other computers or devices to connect to the network.
2. In the Control Panel, click "Network and Sharing Center", then select "Set up a connection or network".
3. Choose "Set up a wireless ad hoc (computer-to-computer) network" and click it. If the box is grayed out, press "Advanced" in the "Wireless Networks" tab and choose "Computer-to-computer (ad hoc) network".
4. Type a name for the network and choose whether or not to use a wireless network key.
5. Always set the security type to "WPA2-Personal". Note that this security type is preferred over the others since it provides genuine wireless network security.
6. Make sure you select the "Save this network" option; otherwise the ad hoc network will be removed once no other computers or devices are connected to it.
(You can also choose "WEP" as the network's security type: give a preferred network name and choose "WEP" as the "Security type". The next step deals with providing a security key for the network being built.)
7. Enable ICS (Internet Connection Sharing) on the router computer, which allows you to share your Internet connection: right-click your Internet connection and choose "Advanced". Check the "Allow other network users to connect through this computer's Internet connection" box, choose "Wireless Network Connection" and press "OK".
8. From the other computers, select the shared network to connect to: right-click the wireless networks icon in the notification tray, press "View Available Networks", select the appropriate network name and press "Connect".

Additionally, if you are on Windows 7, you can instantly turn your computer into a personal Wi-Fi hotspot without having to configure anything. All you need is the free software called Virtual Router, and the computer connected to the Internet must be running Windows 7.

Reference link:
www.techtipsgeek.com/create-wireless-home-network-router-windows-7vista/5182/

Monday, August 6, 2012

The Most Popular Questions and Answers for Firewalls?


Normally, there are a few questions about firewalls that are very important but that many people may not know the answers to. Now, I'd like to share some popular questions and their answers, step by step, to help those confused users.
What is a firewall?
What is the difference between a firewall and a distributed firewall?
How do you get past the firewall if needed?
What are the basic functions of firewalls?
How to configure firewalls?
1. What is a firewall?
A firewall is a system or group of systems (router, proxy, or gateway) that implements a set of security rules to enforce access control between two networks, protecting the "inside" network from the "outside" network. Its primary objective is to control the incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on a predetermined rule set. A network's firewall builds a bridge between an internal network that is assumed to be secure and trusted, and another network, usually an external (inter)network such as the Internet, that is not assumed to be secure and trusted.
It is worth noting that a firewall must have at least two network interfaces: one for the network it is intended to protect, and one for the network it is exposed to. A firewall sits at the junction point or gateway between the two networks, usually a private network and a public network such as the Internet.

2. What is the difference between a firewall and a distributed firewall?
This question becomes clear once we know what a distributed firewall is. Generally speaking, distributed firewalls are host-resident security software applications that protect the enterprise network's servers and end-user machines against unwanted intrusion. They offer the advantage of filtering traffic from both the Internet and the internal network, which enables them to prevent attacks that originate from either. This is important because the most costly and destructive attacks still originate from within the organization. They are like personal firewalls except that they offer several important advantages such as central management, logging, and in some cases access-control granularity. These features are necessary to implement corporate security policies in larger enterprises: policies can be defined and pushed out on an enterprise-wide basis.
A distributed firewall has a few advantages:
1) The most obvious is that there is no longer a single chokepoint. Thus, throughput is no longer limited by the speed of the firewall; in many cases, however, that redundancy is purchased only at the expense of an elaborate (and possibly insecure) firewall-to-firewall protocol.
2) With a distributed firewall, all machines have some rule concerning port 25. The mail gateway permits anyone to connect to that port; other internal machines, however, permit contact only from the mail gateway, as identified by its certificate. Note how much stronger this protection is: even a subverted internal host cannot exploit possible mailer bugs on the protected machines.
3) A more subtle one: today's firewalls don't have certain knowledge of what a host intends. A distributed firewall, running on the sending host, does know. Relying on the host to make the appropriate decision is therefore more secure.
4) The advantage is clearer with protocols such as FTP. Today's firewalls, even the stateful packet filters, generally use an application-level gateway to handle such commands. With a distributed firewall, the host itself knows when it is listening for a particular data connection, and can reject random probes.
5) The most important advantage, though, is that distributed firewalls can protect hosts that are not within a topological boundary. With a conventional firewall, a remote host that reaches the protected network through a tunnel has no protection whatsoever when the tunnel is not set up. By contrast, a distributed firewall protects the machine all of the time, regardless of whether or not a tunnel is set up. Corporate packets, authenticated by IPsec, are granted more privileges; packets from random Internet hosts can be rejected. And no triangle routing is needed.
3. How do you get past the firewall if needed?
If you need to bypass a firewall in order to allow access for certain peer-to-peer networking or gaming software, you will need to allow those sites and the ports they are accessed through in the firewall software itself. Depending on the program in use, look in its options or preferences for instructions on how to allow those sites and ports.
A firewall shouldn't block MySpace; that's just port 80. You are probably dealing with some sort of software on the proxy (or, less likely, the router) that is blocking the site. There are many sites on the web that let you get around these:
http://www.freeproxy.ru/en/free_proxy/cgi-proxy.htm… is a site with a list of free sites that can do that.
4. What are the basic functions of firewalls?
Firewalls primarily provide access control for connections between networks. Usually this is the connection between a corporate network and the Internet. For security purposes, we classify networks as follows:
1) Trusted: this is usually the corporate LAN. It is assumed that all PCs and servers in the LAN are under your administrative control. If users are able to change their IP address and install software at will.
2) Untrusted: the public Internet, on the firewall's WAN interface.
3) Partially trusted: the firewall's DMZ interface. These are machines under our control but freely accessible from the Internet. They are not fully trusted because it is assumed that, being accessible, they will be compromised or hacked at some time.
The LAN is allowed to access the WAN and the DMZ; the DMZ is allowed to access the WAN on certain ports for certain services, determined according to your security policies. Services not explicitly allowed are blocked. The WAN, in turn, is allowed to access the DMZ on certain ports for certain services. (For example, a mail server in the DMZ may be allowed to access a few DNS servers on port 53 only; it would also be allowed outgoing access to any SMTP server on port 25. Incoming access would be on POP3, port 110.)
A setup as described above provides:
1) Excellent security against external threats
2) Control over the connections that LAN PCs are allowed to make out to the WAN
3) Proper utilization of expensive bandwidth
4) Full-speed access to internal and external resources
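The two models this post contrasts, the zone-based chokepoint policy just described (LAN, DMZ and WAN with default deny, including the DMZ mail-server example) and the distributed-firewall port 25 rule from answer 2, are shown side by side in this added Python example. It is not code from the post or from any firewall vendor; the address ranges (IETF documentation networks), the mail-server and resolver addresses, and the gateway's certificate subject are constructed assumptions. The perimeter decision depends on which interface a packet arrives on and its port; the host decision depends on the authenticated identity of the peer, which is exactly why a subverted internal host gains nothing under the distributed rule.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

# Constructed address plan (assumption): documentation ranges only.
ZONES = {
    "LAN": ip_network("10.0.0.0/24"),
    "DMZ": ip_network("192.0.2.0/24"),
}
MAIL_DMZ = "192.0.2.25"                              # constructed DMZ mail server
DNS_SERVERS = {"198.51.100.53", "198.51.100.54"}     # constructed "few DNS servers"


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


def zone_of(addr: str) -> str:
    """Classify an address as LAN (trusted), DMZ (partially trusted) or WAN (untrusted)."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"


# Perimeter policy: (source zone, destination zone, predicate). First match wins;
# a flow that matches nothing is dropped, i.e. services not explicitly allowed are blocked.
PERIMETER_RULES = [
    ("LAN", "WAN", lambda f: True),
    ("LAN", "DMZ", lambda f: True),
    # The DMZ mail server may query only the listed resolvers, on port 53 ...
    ("DMZ", "WAN", lambda f: f.src == MAIL_DMZ and f.dport == 53 and f.dst in DNS_SERVERS),
    # ... and may deliver outbound mail to any SMTP server on port 25.
    ("DMZ", "WAN", lambda f: f.src == MAIL_DMZ and f.dport == 25),
    # Inbound from the Internet reaches only the mail server's POP3 port.
    ("WAN", "DMZ", lambda f: f.dst == MAIL_DMZ and f.dport == 110),
]


def perimeter_allows(flow: Flow) -> bool:
    """Decision taken at the single chokepoint, based on zone (interface) and port."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    return any(src_zone == s and dst_zone == d and pred(flow)
               for s, d, pred in PERIMETER_RULES)


# Distributed-firewall rule for port 25. Each host applies it locally, and the peer
# is identified by the subject of the certificate that authenticated the connection
# (for example through IPsec), not by its source address. Constructed identity.
MAIL_GATEWAY_ID = "CN=mailgw.example.test"


def host_allows(my_role: str, peer_identity: Optional[str], dport: int) -> bool:
    """Decision taken on the receiving host itself."""
    if dport != 25:
        return False                    # this toy host policy covers only the mail port
    if my_role == "mail-gateway":
        return True                     # the gateway accepts SMTP from anyone
    # Every other internal machine accepts SMTP only from the authenticated gateway,
    # so even a subverted internal host cannot reach their mailers.
    return peer_identity == MAIL_GATEWAY_ID


if __name__ == "__main__":
    for f in [Flow("10.0.0.5", "203.0.113.7", 443),
              Flow("192.0.2.25", "198.51.100.99", 53),
              Flow("203.0.113.7", "192.0.2.25", 25)]:
        print(f, zone_of(f.src), "->", zone_of(f.dst), perimeter_allows(f))
    print(host_allows("workstation", "CN=laptop7.example.test", 25))
```

Note that the perimeter rules never mention a DMZ-to-LAN rule, so a compromised DMZ host cannot open connections inward; that is the "partially trusted" assumption from the classification above, expressed as default deny.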
As for "How to configure firewalls?", please read: http://goodrouterswitch.blogspot.com/2012/07/basic-steps-of-configurating-cisco-asa.html
More information on the average price of Cisco firewalls: http://www.router-switch.com/cisco-asa-5500-series-firewalls-documents-pdc-10.html

Wednesday, August 1, 2012

What is Access Point and How to Configure Wireless Access Point?


An access point acts as a central transmitter and receiver of WLAN radio signals, sending signals to and receiving them from any number of other local wireless devices. It differs from a wireless router in that it does not have a firewall and is therefore not appropriate for protecting your local network against threats from the Internet. Though a basic wireless setup may have no access point at all, just a router (or a modem) and an adapter, an access point plays a very important role in the whole network: it extends the coverage of your network when placed in a "dead spot", a place that is distant from the router, perhaps in a different room or on a different floor.
Generally speaking, there are two types of wireless access points: intelligent (thick) and thin. A thick wireless access point has everything it needs to handle wireless clients (it can operate stand-alone, does not need a controller, can be managed directly, and bridges traffic straight into its network port). A thin wireless access point is basically a radio and antenna controlled by a wireless switch. If you deploy several thick wireless access points, they need to be configured individually; with thin wireless access points the entire configuration takes place at the switch, saving you time and money.
Access points used in home or small business networks are generally small, dedicated hardware devices featuring a built-in network adapter, antenna, and radio transmitter, and they support the Wi-Fi wireless communication standards.

Now, let's share the steps for configuring an access point.
Overall, there are three stages to complete: checking the wireless MAC address of an access point, setting up Access Point Client mode on the WAP54G, and changing the LAN IP address of the access point client. But how do you carry out these steps one by one?
1. Connect an Ethernet cable from the wireless access point into the "Uplink" or "Internet" port of the router.
2. Type "192.168.1.1", "192.168.0.1" and/or "192.168.2.1" to open the administrator portal of your wireless access point. (Some access points will automatically open the management page for you. If not, the exact IP address is provided in the instructions.)
3. Enter your login and password. (Many routers have a default password listed in the instructions; it is highly recommended that you change this default login and password.)
4. Turn on wireless connectivity, which is typically off by default, to enable wireless access.
5. Create an SSID (Service Set Identifier). This is the name your wireless access point will broadcast. (It is also recommended that you change the default SSID to something you recognize.)
6. Select the type of encryption you want. You can choose WEP, WPA, and/or WPA2. Assign a strong password for security purposes and apply your new configuration.
7. Open a laptop computer and the wireless connection manager in its system tray. You will see your SSID being broadcast. Choose your SSID, type your password, and browse the Internet.
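Steps 5 and 6 above (change the default SSID, pick WPA2 and a strong password) and step 5 of the ad-hoc post (use WPA2-Personal) are connected by how WPA2-Personal actually turns the password into a key, so here is an added Python example of that derivation. It is not code from this post, from the eHow article it references, or from any access point's firmware. Per IEEE 802.11i the 256-bit Pairwise Master Key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, and the passphrase must be 8 to 63 printable ASCII characters; the 20-character minimum is a constructed local policy, not part of the standard. Because the SSID is the salt, the same passphrase gives a different key on every differently named network, which is why a unique SSID and a long passphrase belong together. The "password"/"IEEE" pair is the standard's published test vector.

```python
import hashlib
from typing import List

WPA_PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i
PMK_LENGTH = 32                # 256-bit Pairwise Master Key
POLICY_MIN_LENGTH = 20         # constructed local policy threshold (assumption)


def standard_violations(passphrase: str) -> List[str]:
    """Constraints imposed by 802.11i itself: 8..63 printable ASCII characters."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("only printable ASCII characters are allowed")
    return problems


def passphrase_problems(passphrase: str) -> List[str]:
    """Standard violations plus the local strength policy (empty list = acceptable)."""
    problems = standard_violations(passphrase)
    if len(passphrase) < POLICY_MIN_LENGTH:
        problems.append(f"shorter than the {POLICY_MIN_LENGTH}-character local policy minimum")
    return problems


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt = SSID, 4096 iterations, 32 bytes).

    This is what the access point and every client compute from the configured
    password; it never travels over the air."""
    violations = standard_violations(passphrase)
    if violations:
        raise ValueError("; ".join(violations))
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), WPA_PBKDF2_ITERATIONS, PMK_LENGTH)


def ssid_acts_as_salt(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PMKs under two SSIDs."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    # Constructed values for illustration.
    print(derive_pmk("correct horse battery staple", "MyHomeNet").hex())
    print(passphrase_problems("password"))
    print(ssid_acts_as_salt("correct horse battery staple", "linksys", "MyHomeNet"))
```

The derivation only protects against offline guessing in proportion to the passphrase's length and unpredictability; 4096 iterations of SHA-1 are cheap on modern hardware, so the policy check, not the algorithm, is what makes the configured password "strong" in the sense step 6 intends.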

Now you have successfully configured a wireless access point. Though every new device has its own instructions to follow, with these concise tips you will understand and configure the access point more easily. This article references:
www.ehow.com/how_6002540_configure-wireless-access-points.html