Network Admission Control (NAC) is a popular network
security topic these days. While so many people have heard the term, there are
many who don’t fully understand what NAC does and how it can really improve
your network security.

What is NAC?

NAC
is a method of granting network access based on a device's compliance with a set
of standards that the implementation or security team defines. It can be applied
to devices from desktops to handheld PDAs. Rather than permitting or denying
traffic by address and port alone, as a firewall does, NAC brings the identity of
the user and the health of the device into the access decision. There are a
variety of solutions to choose from and a variety of reasons for implementing
one. This article gives a brief overview of NAC and shows how a NAC solution can
help improve your network security. As with most solutions, proper planning is
crucial to success.

What are the components of a NAC solution?

There are three main components to a NAC solution:

  • End user device
  • Authentication system
  • Policy server

Of course, the number of components varies with the solution you choose. The
end user device typically has an agent installed. If you are a guest needing
access to an organization's network, you simply attempt to log on and are
redirected to a Web page that lets you download and install an agent. Once your
machine has been brought up to the minimum requirements, you are allowed onto the
network. The dialogue between the NAC agent on the end user device and the policy
server is the key to the whole solution. Figure A shows a snapshot of the
communication flow of Cisco's Network Admission Control Appliance.

Figure A

This graphic is courtesy of Chesapeake NetCraftsmen.

This scenario depicts an appliance that supports both in-band and out-of-band
deployment. In in-band mode the appliance sits inline between you and the
resources you need, so there is no way around it, and the security standards are
enforced no matter where in the network you attempt to log in. In out-of-band
mode the appliance instead directs the switch to move your port to the
appropriate VLAN once you have been assessed, so admitted traffic no longer
passes through the appliance and enforcement rests on the switch port
configuration.

How does NAC improve network security?

There are several ways that a NAC solution can help improve
network security and overall efficiency of your organization. In fact, with NAC
you may even get more efficiency than you will security.

Force compliance

Network and Windows admins spend a
lot of time figuring out how to force end user devices into compliance with the
required Windows patches, anti-virus updates, and firewall settings. Various
methods have been used over the years to keep virus definition files up to date,
to ensure that virus scans have been run, and to confirm that the latest set of
patches has been applied. All of these efforts have improved network security,
but there is always a manual step that can compromise the process. For example,
one can automate the updating of virus definition files, but the end user can
still cancel virus scans or disable the agent. A NAC solution checks these
conditions before granting access, so a device that has fallen out of compliance
does not reach the network until it is fixed, and it can enforce much more than
AV updates.

Quarantine

Besides efficient ways of forcing compliance on your users,
a NAC solution can detect and quarantine an "unsavory" device. If you have
ever fought a worm by manually manipulating access control lists, you understand
the value of being able to move a device to a predetermined quarantine VLAN,
containing the worm before it spreads to other areas of your network. Again,
this is done from a centralized point.

Efficiency is gained from more than centralization: your expensive security and
network teams are no longer tied up battling worms and viruses the old-fashioned
manual way. Not only does a NAC solution detect and quarantine, it also pushes
the appropriate virus definition files and patches to bring the device up to the
minimum security standard before allowing it onto your network, so an infected
or out-of-date device has far less opportunity to reach your resources. Based on
who you are, as reported by your agent after authentication, you are given
access only to what you need, provided the solution is designed properly.
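To make the agent-to-policy-server flow and the quarantine decision concrete, here is an added example of the kind of decision logic a policy server applies to a posture report. It is my illustration, not code from the original article or from Cisco's product; the report fields, the thresholds, the role names and the VLAN numbers are all hypothetical, and the sample reports are constructed. It covers the three outcomes the text describes: isolate an infected device, send a non-compliant device to a remediation VLAN until it is brought up to standard, and give a compliant device only the access its identity warrants.

```python
"""Toy NAC policy-server decision logic.

Added example, not code from the original article or from Cisco. The agent
report fields, the thresholds, the role names and the VLAN numbers are all
hypothetical; a real product has its own posture checks and policy language.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Hypothetical minimum standard the security team has defined.
MIN_PATCH_LEVEL = 42          # fictitious monotonically increasing patch baseline
MAX_AV_DEF_AGE_DAYS = 7       # virus definitions older than this are stale

# Hypothetical VLAN plan. Unknown roles fall back to the guest VLAN (least privilege).
VLAN = {
    "quarantine": 999,   # isolated: infected devices, no remediation resources
    "remediation": 998,  # reaches only patch and AV update servers
    "guest": 200,        # Internet only
    "employee": 10,
    "contractor": 20,
}


@dataclass(frozen=True)
class Posture:
    """What the end user agent reports to the policy server (constructed fields)."""
    user_role: str             # role learned at authentication
    os_patch_level: int
    av_definitions: date       # date of the installed virus definition file
    av_agent_running: bool     # False if the user disabled or killed the AV agent
    host_firewall_enabled: bool
    infected: bool             # result of the agent's own scan


def evaluate(p: Posture, today: date) -> tuple[str, int, list[str]]:
    """Return (decision, vlan, reasons).

    decision is 'quarantine' (isolate, no remediation), 'remediate' (move to the
    remediation VLAN until compliant) or 'allow' (role-based VLAN).
    """
    # An active infection is isolated first; it must not sit on the remediation
    # VLAN alongside other hosts that are merely out of date.
    if p.infected:
        return "quarantine", VLAN["quarantine"], ["agent reports active infection"]

    failures: list[str] = []
    if p.os_patch_level < MIN_PATCH_LEVEL:
        failures.append(f"patch level {p.os_patch_level} < {MIN_PATCH_LEVEL}")
    if not p.av_agent_running:
        # A disabled agent is a failure in itself: its definition date cannot be trusted.
        failures.append("AV agent not running")
    elif (today - p.av_definitions).days > MAX_AV_DEF_AGE_DAYS:
        failures.append(f"AV definitions {(today - p.av_definitions).days} days old")
    if not p.host_firewall_enabled:
        failures.append("host firewall disabled")

    if failures:
        return "remediate", VLAN["remediation"], failures

    # Compliant: access is scoped by identity, falling back to guest for unknown roles.
    return "allow", VLAN.get(p.user_role, VLAN["guest"]), []


# Constructed sample reports (not real data).
TODAY = date(2024, 6, 1)
SAMPLE_REPORTS = {
    "compliant_employee": Posture("employee", 45, date(2024, 5, 30), True, True, False),
    "stale_av_contractor": Posture("contractor", 45, date(2024, 5, 1), True, True, False),
    "agent_disabled": Posture("employee", 45, date(2024, 5, 31), False, True, False),
    "infected_host": Posture("employee", 45, date(2024, 5, 31), True, True, True),
    "unknown_role_guest": Posture("visitor", 45, date(2024, 5, 31), True, True, False),
}


def run_samples() -> dict[str, tuple[str, int, list[str]]]:
    """Evaluate every constructed report against the policy."""
    return {name: evaluate(p, TODAY) for name, p in SAMPLE_REPORTS.items()}


if __name__ == "__main__":
    for name, (decision, vlan, reasons) in run_samples().items():
        print(f"{name:22} -> {decision:10} VLAN {vlan:4} {'; '.join(reasons)}")
```

Two design choices are worth noting. A stopped AV agent is treated as a failure on its own rather than trusting whatever definition date it last reported, which is exactly the gap the text describes when a user disables the agent. And an unrecognized role lands on the guest VLAN rather than failing open, so a mistake in the identity mapping costs convenience, not exposure.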

Provide guest access

Vendor and guest access is something a lot of companies
struggle with, and it became a bigger issue with wireless. Solutions to the
problem range from loaner computers, isolated guest access VLANs, and Web-based
presentations (so visitors can present from anyone's PC), to the guest simply
having no network access while at your site. With NAC, there is no struggle to
get guests what they need; they simply have to become compliant. Before, the
process was completely manual, often requiring several hours of work before a
device was allowed on the network. All of this was done to avoid the obvious
risk, but what about the less obvious risks?

Risk avoidance

Risk avoidance is definitely an improvement when it can be
achieved. Obviously, preventing the spread of a worm is risk avoidance, but
what about risky daily practices? Voice over IP put great pressure on security
teams trying to meet the demands of their users while protecting them. A
typo in a firewall policy can bring an entire organization's phone system down.
Once your access policies are enforced by your NAC solution rather than by ad
hoc firewall changes, your firewall administrators have one less thing to worry
about.

Things to consider before purchasing a NAC solution

Not knowing everything you need to know will always be an
issue for organizations considering any solution. Sales people love to take
advantage of this. Don’t be a victim of the latest hyped solution; there are a
few things to consider before investing in a NAC solution.

A NAC solution assumes you have a fairly advanced set of
policies defined, such as authentication, security, and network access, to name
a few. Professional services can always be helpful if in the budget.

If you are thinking about tying authentication to your NAC
solution, be sure you understand the limitations of your authentication
infrastructure. For example, LDAP or NIS on a UNIX server may not be integrated
at all with the Active Directory domain that serves your desktops and Microsoft
servers. Your sales team and internal technical teams need to get together to
discuss the impact of these limitations. Regarding authentication in general,
your authentication policy must be consistent across all segments of the network
you are trying to protect, and it should be written down and your organization
trained on it (for example, ID expiration, cross-platform functionality, and
access rights already defined by the authentication mechanism).

Security policies are a never-ending battle: a thankless, politically charged
exercise aimed at protecting the organization without compromising
business-critical processes. Security policies need to be well defined as much
to avoid headaches during implementation as to ensure the solution functions
correctly. One thing to address before you implement a NAC solution is the
interaction between the NAC appliance and your firewalls: what happens when a
firewall blocks access that the NAC policy server has granted? Well-defined
security policies that the technical teams are aware of avoid having to sort out
these conflicts after deployment.

Network access policies have a lot to do with how your
network is designed. As business grows, poorly designed networks have trouble
adhering to network access policies. Conversely, poor policies and procedures
for dealing with growth create a poorly implemented network. Either way, a
detailed, up-to-date network diagram is mandatory in order to implement a NAC
solution properly. While this may seem obvious, never overestimate a sales
team's due diligence. Keep in mind that most sales teams want to sell you a
product and move as quickly as possible to the next customer. Purchasing
professional services is an excellent way of keeping their interest; also, the
engineer assigned to your account will likely have a lot of practical,
field-based knowledge that can save you a lot of time. If not, request someone
who does.

Secure your network with NAC

Overall, a NAC solution can greatly improve the security of
your network. Never underestimate the amount of planning it takes to
implement such a solution. Not only do you need a knowledgeable network
resource, but also the cooperation of your Windows, security, desktop, and
corporate policy teams.

Implementing NAC is not as simple as dropping an appliance
in-band: authentication must be standardized, minimum desktop standards must be
set, and the back-end firewall rules and network devices must permit the access
that the policy server is attempting to grant. These are things that all
organizations struggle with. If your organization has not finalized them, then,
at the very least, they need to be put into the NAC project plan. A NAC solution
can help you become more efficient by keeping end-user devices compliant,
supplying a safe, easy way for guests to access your network, and giving you an
audit trail of user access on your network. It can also reduce risky
administrative firefighting by keeping worms and viruses from spreading
throughout your network.