Network Access Control: What is NAC

1
Network Access ControlWhat is NAC?

• Joel M Snyder
• Senior Partner
• Opus One
• jms_at_opus1.com

2
Agenda Defining NAC

• Why are we thinking about NAC?
• What is a definition of NAC?
• What are the four key components of NAC?
• What are the industry NAC architectures?
• Authentication, Environment, and Enforcement in
  Depth

3
Security Management Is Moving Towards the End User

• Last Year
• Poke holes in the firewall for specific IP
  addresses and specific services
• Create IPsec remote access solutions that give
  broad network access

• Next Year
• Determine security policy by who is connection
  not where they are connection from
• Create remote access solutions that focus on the
  end-user, not the network

4
While You Were Out We Dissolved Your Perimeter!
mail
dns
web
5
Clearly, Perimeter-based Security Wont Work All
the Time
So what do we do?

• Defense in Depth
• Authenticate and Authorize all Network Users
• Deploy VLANs for traffic separation and
  coarse-grained security
• Use stateful firewalls at the port level for
  fine-grained security
• Place encryption throughout the network
• Detect and remediate threats to network integrity
• Include end-point security in policy enforcement

• Re-Perimeterize
• Re-create micro-perimeters where you can
• Use NAC (network access control) on the LAN
• Use touch-down points (like tunnel servers) to
  re-establish controls NAC on the VPN

6
Re-perimeterize Means Creating Virtual
Perimeters
A hole has definite characteristics that make a
defendable border
mail
dns
web
VPNs touch down in a device thats a virtual
perimeter!
7
Network Access Control Wraps a Perimeter Around
the Network
At the access point (wireless, wired, SSL or
IPsec VPN), NAC comes into play
1 Who are you?2 What do I know about you?3
Does your end-point comply to policy?
8
Lets Define NACUser-Focused Network-Based
Access Control
9
OK, wait a second. Isnt Access Control what a
firewall does?
You shall not pass!
Internet
Absolutely! The difference is in the decision!
10
NAC Is Firewalling, but With a Difference
Common Firewall Decision Elements Source IP and
portDestination IP and port Position Between
two networks
Common NAC Decision Elements Username,
GroupAccess method, DestinationEnd-point
security status Position Between user and network
11
The Marketing View of NAC
?
?
?
12
NAC Has Four Components

• Authentication of the user

End users are authenticated before getting
network access
Authenticate
13
Environmental Information Modifies Access or
Causes Remediation

• Authentication of the user

Authenticate
Where is the user coming from ? When is the
access request occurring? What is the End Point
Security posture of the end point?
2. Use environmental information as part of
policy decision making
Environment
14
Access Controls Define Capabilities and Restrict
the User

• Authentication of the user

3. Control usage based on capabilities of
hardware and security policy
Authenticate
Access Control
Allow or deny access. Put the user on a
VLAN. Send user to remediation. Apply ACLs or
firewall rules.
2. Use environmental information as part of
policy decision making
Environment
15
Management of Policy is the Weak Link in most NAC
Solutions

• Authentication of the user

3. Control usage based on capabilities of
hardware and security policy
2. Use environmental information as part of
policy decision making
4. Manage it all
Usable management and cross-platform NAC
normalization
16
An Architecture Helps to Understand NAC Better
?
?
?
NAC Policy Server
17
Lots of NAC Products but Only a Few Good
Architectures
Network Endpoint Assessment Client
Network Endpoint Assessment Server
PostureValidator
PostureCollector
ClientBroker
ServerBroker
NetworkEnforcementPoint
NetworkAccessRequestor
NetworkAccessAuthority
These are the IETF terms for each piece.
TCG/TNC, Microsoft, and Cisco all have their own
similar ones
18
PostureValidator
PostureCollector
ClientBroker
ServerBroker
NetworkEnforcementPoint
NetworkAccessRequestor
NetworkAccessAuthority
19
PostureValidator
PostureCollector
ClientBroker
ServerBroker
NetworkEnforcementPoint
NetworkAccessRequestor
NetworkAccessAuthority
20
PostureValidator
PostureCollector
ClientBroker
ServerBroker
NetworkEnforcementPoint
NetworkAccessRequestor
NetworkAccessAuthority
http//www.networkworld.com/research/2006/040306-n
ac-overview.html
21
How Does the Authentication Actually Work?
?

• Three options are commonly used
• 802.1X
• Web-based Authentication
• Proprietary Client

NAC Policy Server
22
802.1X is Preferred and the Most Secure Approach
Corporate Net
NAC Policy Server
? User brings up link (or associates with AP)
? AP/Switch starts 802.1X (EAP) for
authentication
? User authenticates to central policy server
? If authentication (and other stuff) is
successful, policy server instructs edge device
to grant appropriate access. User gets IP
address.
23
Web Authentication is Easy to Do
Corporate Net
NAC Policy Server
? User gets on network gets IP address
? User opens web browser and is trapped by portal
? User authenticates to central policy server
? If authentication (and other stuff) is
successful, portal lets traffic through or
reconfigures network to get out of the way
24
Proprietary Clients can do it either way (or both)
Corporate Net
NAC Policy Server
? User connects and gets IP address
? Client magically authenticates to NAC device
? If authentication (and other stuff) is
successful, user is allowed on network
25
Lets Look at Environment Briefly
Authenticate
Access Control
Environment
Management
26
This is the (and other stuff) part
Corporate Net
NAC Policy Server
For some, this is the main reason to want NAC!
? User associates with AP
? AP starts authentication
? User authenticates
? If authentication (and other stuff) is
successful, user is given appropriate network
access
27
Environmental Information Can Include Lots of
Things

• Pure Environment
• Access Method (wired, wireless, VPN)
• Time of Day/Day of Week/Date within Limits
• Client Platform (Mac, Windows, etc.)
• Authentication Method (user/pass, MAC, etc.)

• End Point Security
• Does the device comply to my policy regarding
• Security Tools (A/V, FW)
• Applications (running/not)
• Patch Level
• Corporate signature

28
Key Concept Access Is a Function of
Authentication and Environment
Who You Are

What you can do
Where You Are Coming From


How Well You Comply with Policy
Darn We just summarized NAC in one slide. What
else is there to talk about?
29
Lets Look atAccess Control Briefly
Authenticate
Access Control
Environment
Management
30
Access Control Enforcement Has Two Main
Attributes to Understand

• Control Granularity
• On/Off the network
• VLAN-level assignment
• Packet filters
• Stateful firewall

• Control Location
• On the client itself
• At the edge of the network
• A barrier between user and network
• Deep within the network core
• At the server itself

31
Granularity is a Spectrum Largely Determined by
Hardware
Joels Fantasy of How Secure Networks Are Run
Stateful Full Firewall
Basic Packet Filters
VLAN Assignment
Go/No-Go Decision
Typical Current Approach (and likely SMB approach
in future)
Likely Reality for Next Few Years
32
Weve Just Grazed the Surface of NAC

• NAC needs to be on your radar
• Tools like 802.1X should be part of your short
  and long range plans anyway
• Dont jump into a proprietary solution without
  considering the emerging standard architectures

33
Thanks!

• Joel Snyder
• Senior Partner
• Opus One
• jms_at_opus1.com