Controlling your network using Network Access Control

Alfonso Barreiro looks at the various methods of implementing network access control (NAC) in order to keep unauthorized and non-compliant devices off your network.

A common security concern in many organizations is that users can easily connect infected or compromised machines into the network and cause widespread damage. Network Access Control (NAC) solutions were born to address this concern and ensure the health of the machines that connect to the network.

Network Access Control is essentially a mechanism that grants access to network resources only to devices that comply with a specific security policy. That policy can cover the patching level of the system, the state of its anti-virus/anti-spyware protection and other items such as the presence of an active host firewall. This type of solution is known as "pre-admission NAC", because the security policy is enforced before the device is granted access to the network. When the policy is enforced after the user has been granted access (usually in response to user actions), it is known as "post-admission NAC".

There are many NAC solutions on the market and a lack of standards means that each solution can have its own unique approach. There are some key areas where the solutions tend to differ that could affect your design decisions, including:

Use of agents: Information on systems can be gathered by using a software agent or by using remote scanning techniques. There is some debate as to which technique provides the best results, but ultimately you need to make sure that whatever method you choose provides all the information you need to properly evaluate the system.

Inline or out-of-band solutions: Inline solutions typically consist of an appliance or server placed between the end-user systems and the network switches. This approach has the advantage of being easy to deploy and can provide some advanced capabilities. The downside is that they can be difficult to troubleshoot, especially those that manipulate network protocols in ways that normally wouldn't happen (altering ARP tables, for example). Out-of-band solutions, on the other hand, typically rely on agents that report to a central service, which then controls the network switches to perform policy enforcement. Their advantage is that they can be deployed over multiple locations with a single installation. Their disadvantage is that they may require an additional investment in compatible network switches that allow on-the-fly changes to their configuration.

System remediation: NAC solutions have to provide a way for legitimate non-compliant devices to remediate the issues that deny them access to the network. One approach is to redirect the user to a remediation portal that includes instructions or tools for updating the device. Another is to redirect the computer to a "quarantine" network that has limited access to certain sites or applications that can help in resolving the issues.
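The pre-admission policy and remediation flow described above, as an added example that is not code from the article or any NAC product: an endpoint health report is evaluated against patching, anti-virus and firewall checks, and the device is either admitted or sent to a quarantine VLAN together with the full list of items to fix. The report fields, thresholds and VLAN names are assumptions for the example.

```python
"""Added example (not from the article): a minimal pre-admission NAC posture
check. The endpoint reports its health; the policy decides whether it joins
the production VLAN or a quarantine VLAN with remediation steps.
Thresholds, VLAN names and the report format are assumptions."""
from dataclasses import dataclass, field


@dataclass
class EndpointReport:
    hostname: str
    missing_critical_patches: int
    av_running: bool
    av_signature_age_days: int
    firewall_enabled: bool


@dataclass
class Decision:
    vlan: str                                     # "production" or "quarantine"
    failures: list = field(default_factory=list)  # (check, remediation hint)


# Assumed policy thresholds.
MAX_MISSING_PATCHES = 0
MAX_SIGNATURE_AGE_DAYS = 7


def evaluate(report: EndpointReport) -> Decision:
    """Run every check and collect all failures, so the remediation portal
    can show the user the complete list instead of one item per attempt."""
    failures = []
    if report.missing_critical_patches > MAX_MISSING_PATCHES:
        failures.append(("patching", f"install {report.missing_critical_patches} critical update(s)"))
    if not report.av_running:
        failures.append(("antivirus", "start the anti-virus service"))
    elif report.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        failures.append(("antivirus", f"update signatures ({report.av_signature_age_days} days old)"))
    if not report.firewall_enabled:
        failures.append(("firewall", "enable the host firewall"))
    return Decision("production" if not failures else "quarantine", failures)


if __name__ == "__main__":
    # Constructed sample reports: one compliant laptop, one stale laptop.
    for r in (EndpointReport("lap-01", 0, True, 1, True),
              EndpointReport("lap-02", 2, True, 30, False)):
        d = evaluate(r)
        print(r.hostname, d.vlan, d.failures)
```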

The solutions can also differ on their overall philosophy based on the vendors' particular strengths or focus. Some products have a greater focus on the endpoints whereas others might be stronger on networking. This diversity can make deciding on a solution that can do the job you need and that integrates well in your environment a very challenging endeavor.

Potential benefits

Among the benefits of a NAC solution is that endpoints can be kept up to date continuously. However, it is important that the update mechanisms are either automated or very easy for an untrained user to operate. Otherwise the system will be seen as a burden or as overly intrusive, and users will resist it.

Another oft-cited benefit is the detection of an infected endpoint before it can join the network and affect other machines. This is not always the case: an infected machine can pass all the compliance tests and still be allowed on the network. Additional controls are needed, and some products provide network-level checks to detect malicious traffic such as command-and-control communications or attempts to infect other systems.

It's hard to deny that a NAC implementation can be challenging, but when used correctly, it's a very effective tool in any security-in-depth strategy.

About

I am a technology specialist with over 10 years of experience performing a variety of corporate IT functions, including desktop and server operations, application development, and database administration. My latest role is in information security, fo...

5 comments
wcb111

akamai.net is one of the names he uses. He hacks into microsoft, google, firefox, riding the name of that gigantic tech co that works as their servers, including the US gov. You'll find complaints about him on computer.net. They assume it's legit because he rides another company's name. He hides his whereabouts, but I do know he's operating out of LA. I wish I could find that fool; I would permanently erase him....

BALTHOR

I think that these live CD computer repair disks are supposed to work automatically. You put the disk in and when it's done the computer is repaired. The BIOS and firmware are just a bunch of check boxes. I did not like it that my older computers would not CD write or allow DVD usage. It's just a file here. (Note: USB pen drives are like R/W disks. They can be formatted and allow for erase and rerecording. You use the pen drive as you would use a floppy disk. You can load it up with files, erase, format, copy/paste or delete and load it up again. A USB hard drive would be the same. If I wanted to boot to a USB device the check box needs to be checked in!)

BALTHOR

It's a bunch of commands to the electronics of the computer. I see drivers as registry setting adjustments that tell the computer's electronics what to do. A driver would be the operating system's regfile copy of a good functioning card. The card's firmware set to default would be even better, but I think that nobody can get in that far. Computer repair could be an entire registry copy of a working computer exported then imported to the computer that has the problem. Some of these older "Computer Repair" disks would have a registry section. They were thinking different back then.

robo_dev

For a smaller company, it's very possible to do NAC, as changes are few and far between. One eye-opener about old-school NAC (Cisco port security) is that I watched a pen-tester defeat it in roughly thirty seconds. He printed off the config page from a printer, spoofed that MAC on a WLAN AP, and was connected in less than a minute. Some of the newer NAC solutions are smart enough to do the heuristics to identify what traffic patterns and protocols are normal for a particular MAC address.
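The behavioral heuristic the comment above mentions, as an added example (not code from the thread or from any NAC product): a per-MAC baseline records where a device is normally seen (wired port or WLAN) and which destination ports it normally uses, and flow records that deviate from that baseline are flagged for review rather than trusted on the strength of the address alone. The baseline, the flow records and the `max_new_ports` threshold are constructed for the example.

```python
"""Added example (not from the thread): flag flows whose source MAC behaves
unlike the device the address was learned from. A printer MAC that suddenly
appears on the WLAN and talks SMB/RDP is reviewed, not admitted.
Baseline profiles and flow records below are constructed sample data."""
from collections import defaultdict

# Constructed baseline: medium the device was learned on and its usual destination ports.
BASELINE = {
    "00:11:22:33:44:55": {"medium": "wired", "ports": {9100, 631, 161}},  # printer
    "66:77:88:99:aa:bb": {"medium": "wlan", "ports": {443, 80, 53}},      # laptop
}

# Constructed flow records: (source MAC, medium seen on, destination port).
FLOWS = [
    ("00:11:22:33:44:55", "wired", 9100),
    ("00:11:22:33:44:55", "wlan", 445),    # printer MAC on WLAN, SMB
    ("00:11:22:33:44:55", "wlan", 3389),   # ... and RDP
    ("66:77:88:99:aa:bb", "wlan", 443),
    ("cc:dd:ee:ff:00:11", "wired", 80),    # MAC with no baseline at all
]


def check_flows(flows, baseline=BASELINE, max_new_ports=1):
    """Return {mac: [alert, ...]} for medium mismatches, unknown devices and
    MACs that use more than max_new_ports destination ports outside their baseline."""
    alerts = defaultdict(list)
    new_ports = defaultdict(set)
    for mac, medium, port in flows:
        profile = baseline.get(mac)
        if profile is None:
            if "unknown device" not in alerts[mac]:
                alerts[mac].append("unknown device")
            continue
        if medium != profile["medium"]:
            msg = f"seen on {medium}, baseline {profile['medium']}"
            if msg not in alerts[mac]:
                alerts[mac].append(msg)
        if port not in profile["ports"]:
            new_ports[mac].add(port)
    for mac, ports in new_ports.items():
        if len(ports) > max_new_ports:
            alerts[mac].append(f"new destination ports {sorted(ports)}")
    return dict(alerts)


if __name__ == "__main__":
    for mac, reasons in check_flows(FLOWS).items():
        print(mac, reasons)
```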

Michael Kassner

What is your experience with NAC and employees that work from home or are road warriors?