Network Admission Control (NAC) is a popular network security topic these days. While so many people have heard the term, there are many who don't fully understand what NAC does and how it can really improve your network security.
What is NAC?
NAC is a method of allowing access to one's network by means of compliance to a set of standards that the implementation or security team helps to create. It can be used on devices from desktops to handheld PDAs. Rather than blindly restricting access, as in the case of a firewall, NAC attempts to incorporate intelligence into network access. There are a variety of solutions to choose from and a variety of reasons for implementing a NAC solution. This article will give a brief overview of NAC and show you how a NAC solution can help improve your network security. It is very important to remember that, as with most solutions, proper planning is crucial to success.
What are the components of a NAC solution?
There are three main components to a NAC solution:
- End user device
- Authentication system
- Policy server
Of course, the number of components can vary, depending on the solution you choose. The end user device will typically have an agent installed. If you are a guest needing access to an organization's network, simply attempt to log on; you'll get a Web page that allows you to download and install an agent. Once your machine is brought up-to-date with the minimum requirements, you will be allowed onto the network. The NAC agent on the end user device talking to the policy server is the key to the whole solution. Figure A shows a snapshot of the communication flow of Cisco's Network Admission Control Appliance.
This scenario depicts an in-band and out-of-band appliance server. This method ensures maximum enforcement of the security standards, no matter where in the network you're attempting to log in. This is because the appliance is inline between you and the resources you need; there's no way around it.
How does NAC improve network security?
There are several ways that a NAC solution can help improve network security and overall efficiency of your organization. In fact, with NAC you may even get more efficiency than you will security.
Network and Windows admins spend a lot of time trying to figure out how to force the end user's device into compliance with the necessary Windows patches, anti-virus updates, and firewall settings. Various methods have been used over the years to keep virus definition files up-to-date, ensuring virus scans have been run, and that the latest set of patches has been applied. All of these efforts have improved network security, but there is always something manual that can compromise the process. For example, one can automate the updating of virus definition files; however, the end user can cancel virus scans or disable their agent. A NAC solution can ensure compliance with AV updates and do much more.
Besides efficient ways of forcing compliance on your users, a NAC solution can detect and quarantine an "unsavory" device. If you've ever fought a worm manually manipulating access control lists, you understand the importance of this solution's ability to quarantine a device to a predetermined VLAN, thereby containing the spread of the worm to other areas of your network. Again, this is done from a centralized point.
Efficiency is not only gained from centralization; your expensive security and network teams are not tied up battling worms and viruses the old-fashioned manual way. Not only will a NAC solution detect and quarantine, as we learned above, but it will update the device with the appropriate virus definition files and patches to bring the device up to the minimum security standard before allowing it access to your network; viruses and worms never have a chance to gain access to your resources. Based on who you are as reported by your agent, you will have access to only what you need, if your solution is designed properly.
Provide guest access
Vendor and guest access is something a lot of companies struggle with. This became a bigger issue with wireless. Solutions to the problem range from loaner computers, isolated guest access VLANs, Web-based presentations (so they can present using anyone's PC), to the guest simply not having network access while at your site. With NAC, there is no struggle to get the guest what they need; they simply have to become compliant. Before, the process was completely manual, often requiring several hours of work before the device would have been allowed on the network. All of this was in an attempt to avoid the obvious risk, but what about the less obvious risks?
Risk avoidance is definitely an improvement when it can be achieved. Obviously, preventing the spread of a worm is risk avoidance, but what about risky daily practices? Voice over IP brought great pressure to security teams attempting to meet the demands of their users while protecting them. A typo in a firewall policy can bring an entire organization's phone system down. Once your access policies are tied to your NAC solution, your firewall administrators have one less thing to worry about.
Things to consider before purchasing a NAC solution
Not knowing everything you need to know will always be an issue for organizations considering any solution. Sales people love to take advantage of this. Don't be a victim of the latest hyped solution; there are a few things to consider before investing in a NAC solution.
A NAC solution assumes you have a fairly advanced set of policies defined, such as authentication, security, and network access, to name a few. Professional services can always be helpful if in the budget.
If you are thinking about tying authentication to your NAC solution, be sure you understand the limitations of your authentication solution. For example, LDAP or NIS on a UNIX server may have nothing to do with your Active Directory solution for your desktops and Microsoft servers. Your sales team and internal technical teams need to get together to discuss the impact of these limitations. Regarding authentication in general, it is important that your authentication policy is consistent across all segments of the network you are trying to protect. It is important that you have written documentation on which your organization has been trained (i.e., ID expiration, cross-platform functionality, or access already defined by the authentication mechanism).
Security policies are a never-ending battle. It is a thankless, politically-charged exercise aimed at protecting the organization. The trick is to do this without compromising business-critical processes. The reason security policies need to be well-defined is as much to alleviate headaches during implementation as it is to ensure the solution functions correctly. Something to address before you implement a NAC solution is the interaction of a NAC appliance and a firewall: What happens when access is blocked by a firewall that the NAC thinks should be available? Having well-defined security policies that the technical teams are aware of will avoid having to deal with these issues on the backend.
Network access policies have a lot to do with how your network is designed. As business grows, poorly designed networks have trouble adhering to network access policies.
Conversely, having poor policies and procedures dealing with growth creates a poorly implemented network. Either way, a detailed, up-to-date network diagram will be mandatory in order to implement a NAC solution properly. While this may seem obvious, never overestimate a sales team's due diligence. Keep in mind that most sales teams will want to sell you a product and move as quickly as possible to the next customer. Purchasing professional services is an excellent way of keeping their interest; also, the engineer assigned to your account will likely have a lot of practical, field-based knowledge that can save you a lot of time. If not, request someone who does.
Secure your network with NAC
Overall, a NAC solution can greatly improve the security of your network. One should never underestimate the amount of planning it takes to implement such a solution. Not only do you need a knowledgeable network resource, but also the cooperation of your Windows, security, desktop, and corporate policy creation teams.
Implementing NAC is not as simple as dropping an appliance in-band: authentication must be standardized, minimum desktop standards need to be set, and the back end firewall rules and network devices must comply with your solution to allow the access that the policy server is attempting to grant. These are things that all organizations struggle with. If your organization hasn't finalized these things, then, at the very least, they need to be put into the NAC project plan. A NAC solution can help you become more efficient by keeping end-user devices compliant, supplying a safe, easy way for guests to have access to your network, and giving you an audit trail of user access in your network. It can also help minimize risky administrative tasks by not allowing worms and viruses to spread throughout your network.