Network access control is a relatively new security technology. But what have we learned about NAC in the past few years? What are the best ways to use it today?
NAC was originally conceived and introduced as a perimeter defense mechanism to stop the spread of worms and other infections. It can check the health of all devices that attempt to access an enterprise network, and it can quarantine and repair infected or vulnerable devices before releasing them onto the main network.
This approach has worked well for many organizations, but it has drawbacks and fails to utilize the full potential of NAC. Let’s look at some lessons I have learned from hundreds of NAC deployments.
Trying to fix all the devices on your company’s network and keep them healthy is daunting. Critical users and devices have become more mobile, spending a lot of time off the enterprise network. For many organizations, the traditional NAC model (perimeter health checks) is not a top priority.
Instead, savvy security teams focus resources on their most critical assets: customer data, financial systems and intellectual property. Protect these assets well and everything else will follow. Placing a NAC enforcement point in front of critical assets will give your company much tighter control over access, especially in light of the growing capabilities of NAC.
Modern NAC systems consider many factors other than health in deciding what access should be granted. Who is the user? What is his or her job? How is he or she connecting to the network (through wired, wireless or remote access)? From what location? At what time of day? What device is he or she using? For what is that device being used?
Gathering all this information lets you create and enforce much more useful access control policies. Instead of traditional firewall rules such as “IP address A can access IP address B,” you can create policies such as “users in the procurement group can access the acquisition server, but only when using a healthy PC in the procurement office and only during business hours.”
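The policy quoted above can be expressed directly as data and evaluated by a small default-deny engine. The following is an added example, not code from the article or from any NAC product: the Rule and AccessRequest structures, the group, host and location names, and the sample requests are all constructed here. It goes slightly beyond the text by reporting which conditions a request failed, so the same decision can drive a warning or an audit entry as well as a block.

```python
"""Context-aware NAC policy evaluation (added example, not code from the article).

Encodes the rule quoted in the text: users in the procurement group may reach the
acquisition server, but only from a healthy PC in the procurement office and only
during business hours. The Rule/AccessRequest structures, group and host names and
the sample requests are constructed for this example; the decision is default-deny
and reports which conditions failed, so the engine can warn or log rather than
silently block.
"""
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class AccessRequest:
    """Everything a modern NAC enforcement point knows about one connection attempt."""
    user: str
    groups: frozenset
    resource: str
    device_healthy: bool
    device_type: str        # "pc", "phone", "printer", ...
    location: str           # "procurement-office", "vpn", "guest-wifi", ...
    access_method: str      # "wired", "wireless" or "remote"
    local_time: time


@dataclass(frozen=True)
class Rule:
    """One allow rule; an empty set means 'any value' for that condition."""
    name: str
    resource: str
    group: str
    require_healthy: bool = True
    device_types: frozenset = frozenset({"pc"})
    locations: frozenset = frozenset()
    access_methods: frozenset = frozenset()
    hours: tuple = (time(8, 0), time(18, 0))   # None means any time of day

    def applies_to(self, req):
        """A rule is a candidate when resource and group match; the rest are conditions."""
        return req.resource == self.resource and self.group in req.groups

    def unmet_conditions(self, req):
        """Return the conditions the request fails (an empty list means the rule matches)."""
        failed = []
        if self.require_healthy and not req.device_healthy:
            failed.append("device not healthy")
        if req.device_type not in self.device_types:
            failed.append(f"device type {req.device_type!r} not permitted")
        if self.locations and req.location not in self.locations:
            failed.append(f"location {req.location!r} not permitted")
        if self.access_methods and req.access_method not in self.access_methods:
            failed.append(f"access method {req.access_method!r} not permitted")
        if self.hours is not None:
            start, end = self.hours
            if not start <= req.local_time < end:
                failed.append("outside business hours")
        return failed


def evaluate(rules, req):
    """Default-deny evaluation.

    Returns ("allow", rule_name) for the first rule whose conditions all hold, otherwise
    ("deny", reasons) listing why each candidate rule failed, or a single
    "no rule grants access" entry when no rule covers this user/resource pair.
    """
    reasons = []
    for rule in rules:
        if not rule.applies_to(req):
            continue
        failed = rule.unmet_conditions(req)
        if not failed:
            return ("allow", rule.name)
        reasons.extend(f"{rule.name}: {f}" for f in failed)
    return ("deny", reasons or ["no rule grants access"])


# Constructed policy: the article's procurement example expressed as a Rule.
POLICY = [
    Rule(name="procurement-to-acquisition", resource="acquisition-server",
         group="procurement", locations=frozenset({"procurement-office"})),
]

# Constructed requests covering the allowed case and several ways it can fail.
IN_OFFICE = AccessRequest("alice", frozenset({"procurement"}), "acquisition-server",
                          True, "pc", "procurement-office", "wired", time(10, 30))
AFTER_HOURS = AccessRequest("alice", frozenset({"procurement"}), "acquisition-server",
                            True, "pc", "procurement-office", "wired", time(21, 5))
FROM_VPN_UNHEALTHY = AccessRequest("alice", frozenset({"procurement"}), "acquisition-server",
                                   False, "pc", "vpn", "remote", time(10, 30))
WRONG_GROUP = AccessRequest("bob", frozenset({"sales"}), "acquisition-server",
                            True, "pc", "procurement-office", "wired", time(10, 30))

if __name__ == "__main__":
    for req in (IN_OFFICE, AFTER_HOURS, FROM_VPN_UNHEALTHY, WRONG_GROUP):
        print(req.user, req.location, req.local_time, "->", evaluate(POLICY, req))
```

Because the engine returns the failed conditions rather than a bare deny, the enforcement point can choose a proportionate response: an after-hours request from an otherwise compliant device might be logged and warned, while an unhealthy device from an unknown location is quarantined.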
To factor in identity, an organization’s NAC system must be integrated with its identity management system. To examine behavior, it must also be integrated with the organization’s intrusion detection system (IDS). Some products don’t provide for such integration, and some manufacturers integrate only with their own products to lock an organization into their product line.
To enable interoperability, look for products that support open standards, such as Remote Authentication Dial In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP) and Trusted Network Connect (TNC, a family of NAC standards from the Trusted Computing Group). Requiring your NAC system to support the TNC standards ensures that it can support and operate with a variety of clients, servers, health-check tools and enforcement mechanisms.
The newest such standard, IF-MAP, offers the broadest form of security integration. Your NAC system can use the standard IF-MAP protocol to store information about who and what is on the network in a distributed database called a Metadata Access Point (MAP). Sensors — monitoring systems such as IDS and data leakage prevention (DLP) programs — use IF-MAP to report questionable behavior to the MAP, which alerts the NAC system so that it can take appropriate enforcement action.
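The exchange described above, in which the NAC system publishes what it knows about an endpoint, sensors publish what they observe, and the NAC system is notified and acts, can be sketched in a few dozen lines. The following is an added example, not code from the article, from the TNC specifications or from any product: it is an in-memory stand-in for the IF-MAP publish/search/subscribe model, not an implementation of the IF-MAP wire protocol, and the identifier strings, metadata types, event names and significance ranking are constructed for the example. It also illustrates the point made further down that an endpoint's own health claim is not the last word: the endpoint below reports itself healthy and is still quarantined on sensor evidence.

```python
"""Sensor-to-NAC integration through a metadata access point (added example, not code
from the article).

A simplified, in-memory stand-in for the IF-MAP publish/search/subscribe model: the
NAC system publishes what it knows about each connecting endpoint, sensors such as an
IDS or a DLP system publish "event" metadata about the same identifier, and the NAC
system, having subscribed to that identifier, is notified and decides on enforcement.
Classes, identifier strings, event names and the significance ranking are constructed
for this example; nothing here speaks the real IF-MAP protocol.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Metadata:
    kind: str          # e.g. "authenticated-as", "device-health", "event"
    attributes: dict   # free-form attributes supplied by the publisher
    publisher: str     # which system published it


class MetadataAccessPoint:
    """Toy MAP: metadata attached to identifiers (here, endpoint IP addresses),
    searchable by any party and pushed to subscribers as it changes."""

    def __init__(self):
        self._store = defaultdict(list)        # identifier -> [Metadata]
        self._subscribers = defaultdict(list)  # identifier -> [callback(identifier, metadata)]

    def publish(self, identifier, metadata):
        self._store[identifier].append(metadata)
        for callback in list(self._subscribers[identifier]):
            callback(identifier, metadata)

    def search(self, identifier, kind=None):
        return [m for m in self._store[identifier] if kind is None or m.kind == kind]

    def subscribe(self, identifier, callback):
        self._subscribers[identifier].append(callback)


# Constructed ranking of how serious a sensor event is, and the action it triggers.
SIGNIFICANCE_RANK = {"informational": 0, "important": 1, "critical": 2}
ACTION_FOR_RANK = {1: "restrict", 2: "quarantine"}
ACTION_RANK = {"allow": 0, "restrict": 1, "quarantine": 2}


class NacSystem:
    """Publishes endpoint facts, subscribes to sensor events, records enforcement."""

    def __init__(self, map_server):
        self.map = map_server
        self.enforcement = {}   # identifier -> "allow" | "restrict" | "quarantine"
        self.actions = []       # audit trail of (identifier, action, reason)

    def endpoint_connected(self, ip, user, claims_healthy):
        """Admit an endpoint on its initial health claim, then keep watching it."""
        self.map.publish(ip, Metadata("authenticated-as", {"user": user}, "nac"))
        self.map.publish(ip, Metadata("device-health", {"healthy": claims_healthy}, "nac"))
        self._apply(ip, "allow" if claims_healthy else "quarantine", "initial health check")
        self.map.subscribe(ip, self.on_metadata)

    def on_metadata(self, ip, metadata):
        """Notification from the MAP: escalate enforcement on sensor events, never relax it."""
        if metadata.kind != "event" or metadata.publisher == "nac":
            return
        rank = SIGNIFICANCE_RANK.get(metadata.attributes.get("significance"), 0)
        action = ACTION_FOR_RANK.get(rank)
        if action is not None:
            self._apply(ip, action, f"{metadata.publisher}: {metadata.attributes.get('name')}")

    def _apply(self, ip, action, reason):
        current = self.enforcement.get(ip, "allow")
        if ACTION_RANK[action] >= ACTION_RANK[current]:
            self.enforcement[ip] = action
        self.actions.append((ip, self.enforcement[ip], reason))


class Sensor:
    """Any monitoring system (IDS, DLP, ...) that reports what it sees to the MAP."""

    def __init__(self, name, map_server):
        self.name, self.map = name, map_server

    def report(self, ip, event_name, significance):
        self.map.publish(ip, Metadata("event", {"name": event_name,
                                                "significance": significance}, self.name))


def demo():
    """Constructed scenario: two endpoints, an IDS and a DLP sensor."""
    mp = MetadataAccessPoint()
    nac = NacSystem(mp)
    ids, dlp = Sensor("ids", mp), Sensor("dlp", mp)
    nac.endpoint_connected("10.0.0.5", "bob", claims_healthy=True)
    nac.endpoint_connected("10.0.0.9", "carol", claims_healthy=True)
    ids.report("10.0.0.5", "port-scan", "important")                 # -> restrict
    dlp.report("10.0.0.5", "bulk-transfer-of-tagged-files", "critical")  # -> quarantine
    ids.report("10.0.0.9", "new-host-seen", "informational")        # -> stays allowed
    return nac


if __name__ == "__main__":
    nac = demo()
    for ip, state in nac.enforcement.items():
        print(ip, state, nac.map.search(ip, kind="event"))
```

Two design points carry over to real deployments: the NAC system only escalates on sensor evidence (a later, milder event never lifts a quarantine by itself), and every decision is appended to an audit trail with the reason and the reporting sensor, which is exactly the record set the logging section below calls a gold mine.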
Some NAC systems let a company keep records of who did what and when. These records are gold mines. Generate reports to learn what behavior is normal or abnormal among your users, and track compliance with corporate policies, whether for audits or to investigate specific problems. Good logging and reporting are essential for NAC.
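The reports this paragraph recommends are simple to produce once the records are in a parseable form. The following is an added example, not code from the article or from any NAC product; the records, their key=value format and the business-hours assumption are constructed here, and only the parsing step would change for a real system's export. It builds a per-user profile of when and how people connect, flags users whose after-hours share is well above the population's, and tallies denied attempts by reason for compliance review.

```python
"""Reports over NAC access records (added example, not code from the article).

The records below are constructed in a simple key=value format; a real NAC system's
export will differ, and only parse_records() would change. The functions build a
per-user profile of when and how people connect, flag users whose after-hours share
is far above the population's, and tally denied attempts by reason.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records: timestamp, then who/what/how and the NAC decision.
SAMPLE_RECORDS = """\
2009-03-09T08:55:10 user=alice device=pc-17 method=wired location=hq result=allow
2009-03-09T09:02:41 user=bob device=pc-22 method=wired location=hq result=allow
2009-03-09T13:15:03 user=carol device=laptop-08 method=wireless location=hq result=allow
2009-03-09T23:47:19 user=bob device=laptop-31 method=remote location=vpn result=allow
2009-03-10T02:12:55 user=bob device=laptop-31 method=remote location=vpn result=allow
2009-03-10T09:10:00 user=alice device=pc-17 method=wired location=hq result=allow
2009-03-10T09:30:27 user=dave device=laptop-44 method=wireless location=hq result=deny reason=unhealthy
2009-03-10T09:35:02 user=dave device=laptop-44 method=wireless location=hq result=deny reason=unhealthy
2009-03-10T10:01:44 user=dave device=laptop-44 method=wireless location=hq result=allow
"""

BUSINESS_HOURS = (8, 18)   # assumed for this example; weekdays only


def parse_records(text):
    """Parse one record per line into dicts; the first token is an ISO 8601 timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        record = {"time": datetime.fromisoformat(stamp)}
        for field in fields:
            key, _, value = field.partition("=")
            record[key] = value
        records.append(record)
    return records


def in_business_hours(moment):
    start, end = BUSINESS_HOURS
    return moment.weekday() < 5 and start <= moment.hour < end


def access_profile(records):
    """Per user: successful connections inside/outside business hours and by method."""
    profile = defaultdict(lambda: {"in_hours": 0, "after_hours": 0, "methods": Counter()})
    for r in records:
        if r.get("result") != "allow":
            continue
        entry = profile[r["user"]]
        entry["in_hours" if in_business_hours(r["time"]) else "after_hours"] += 1
        entry["methods"][r["method"]] += 1
    return dict(profile)


def abnormal_users(profile, factor=2.0):
    """Users whose after-hours share of connections exceeds `factor` times the population's."""
    total = sum(p["in_hours"] + p["after_hours"] for p in profile.values())
    after = sum(p["after_hours"] for p in profile.values())
    if total == 0:
        return []
    population_share = after / total
    flagged = []
    for user, p in profile.items():
        n = p["in_hours"] + p["after_hours"]
        if n and p["after_hours"] / n > factor * population_share:
            flagged.append(user)
    return sorted(flagged)


def compliance_report(records):
    """Denied attempts per user, broken down by the reason the NAC system recorded."""
    report = defaultdict(Counter)
    for r in records:
        if r.get("result") == "deny":
            report[r["user"]][r.get("reason", "unspecified")] += 1
    return dict(report)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    prof = access_profile(recs)
    for user, p in sorted(prof.items()):
        print(user, p["in_hours"], "in-hours,", p["after_hours"], "after-hours,", dict(p["methods"]))
    print("abnormal:", abnormal_users(prof))
    print("denied:", {u: dict(c) for u, c in compliance_report(recs).items()})
```

The "abnormal" test compares each user to the population rather than to a fixed threshold, so a company where night-shift access is routine does not flood the report; the compliance tally shows repeat health-check failures, which is the kind of specific problem an audit follows up on.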
Embedded devices such as phones and printers are rarely secure and can be quite sensitive to disruptive network traffic. Configure your NAC system to identify these devices and quarantine them in a safe place. Make sure that your NAC system includes this capability; surprisingly, some don’t.
Hackers and compromised endpoints can “lie” about their health. Don’t take their word for it. Monitor their behavior after they connect to the network to detect malfeasance, and act if necessary.
For high-security environments, consider using the Trusted Platform Module in your notebook computers to verify endpoint security. TPM chips enable the secure generation of cryptographic keys and include other features to authenticate hardware devices and platforms.
Attackers are always looking for new vulnerabilities. Stay informed about new threats, and be prepared to react promptly. Having a strong, flexible NAC system lets you change your policies on acceptable behavior and device configuration, detect noncompliance, and take whatever action is necessary on the fly (warn, notify management, restrict or block access).
If your NAC system relies on open standards, you can add new endpoint types, sensors, health checks and enforcement methods with ease. Being nimble is essential to mounting a good defense.
No single defender can match the combined resources of all attackers, and no functional computing system is completely secure. Still, if you continue to improve your security approach and tune your NAC based on your lessons learned and on best practices forged by others, you can maximize your security while minimizing costs.
Steve Hanna, a distinguished engineer for Juniper Networks, is co-chairman of the Trusted Network Connect Work Group in the Trusted Computing Group and co-chairman of the Network Endpoint Assessment Working Group in the Internet Engineering Task Force.