
Network Access Control: What Is NAC?: Joel M Snyder Senior Partner Opus One

This document provides an overview of network access control (NAC). It defines NAC as "user-focused network-based access control" and discusses the four key components: 1) authentication of the user, 2) use of environmental information as part of policy decisions, 3) control usage based on hardware capabilities and security policy, and 4) management of policies. It also examines common NAC architectures, authentication methods, how environmental information can be used, levels of access control granularity, and control locations. The document stresses that NAC is an important emerging technology for network security that provides user-focused access decisions based on authentication, environment, and endpoint compliance checking.

Uploaded by

simardeepsingh3
Copyright
© Attribution Non-Commercial (BY-NC)

Network Access Control: What is NAC?

Joel M Snyder Senior Partner Opus One [email protected]

Agenda: Defining NAC

- Why are we thinking about NAC?
- What is a definition of NAC?
- What are the four key components of NAC?
- What are the industry NAC architectures?
- Authentication, Environment, and Enforcement in Depth

Security Management Is Moving Towards the End User

Last Year
- Poke holes in the firewall for specific IP addresses and specific services
- Create IPsec remote access solutions that give broad network access

Next Year
- Determine security policy by who is connecting, not where they are connecting from
- Create remote access solutions that focus on the end-user, not the network

While You Were Out We Dissolved Your Perimeter!

[Diagram: partners arrive over SSL VPN, branches over IPsec VPN, and the mail, DNS and web servers are all exposed; the perimeter is no longer a single line.]

Clearly, Perimeter-based Security Won't Work All the Time. So what do we do?

Defense in Depth
- Authenticate and authorize all network users
- Deploy VLANs for traffic separation and coarse-grained security
- Use stateful firewalls at the port level for fine-grained security
- Place encryption throughout the network
- Detect and remediate threats to network integrity
- Include end-point security in policy enforcement

Re-Perimeterize
- Re-create microperimeters where you can
- Use NAC (network access control) on the LAN
- Use touch-down points (like tunnel servers) to re-establish controls: NAC on the VPN

Re-perimeterize Means Creating Virtual Perimeters

A hole has definite characteristics that make a defendable border.

[Diagram: the SSL VPN and IPsec VPN touch-down points sit in front of the mail, DNS and web servers.]

VPNs touch down in a device that's a virtual perimeter!

Network Access Control Wraps a Perimeter Around the Network

At the access point (wireless, wired, SSL or IPsec VPN), NAC comes into play:

1: Who are you?
2: What do I know about you?
3: Does your end-point comply to policy?

Let's Define NAC: User-Focused Network-Based Access Control

OK, wait a second. Isn't Access Control what a firewall does? "You shall not pass!"

Absolutely! The difference is in the decision!

NAC Is Firewalling, but With a Difference

Common Firewall Decision Elements
- Source IP and port
- Destination IP and port
- Position: between two networks

Common NAC Decision Elements
- Username, Group
- Access method, Destination
- End-point security status
- Position: between user and network

The Marketing View of NAC

[Diagram: the Internet on one side, the Corporate Net on the other, with NAC drawn as the gate between them.]

NAC Has Four Components

1. Authentication of the user
   - End users are authenticated before getting network access

Environmental Information Modifies Access or Causes Remediation

1. Authentication of the user
2. Use environmental information as part of policy decision making
   - Where is the user coming from?
   - When is the access request occurring?
   - What is the End Point Security posture of the end point?

Access Controls Define Capabilities and Restrict the User

1. Authentication of the user
2. Use environmental information as part of policy decision making
3. Control usage based on capabilities of hardware and security policy
   - Allow or deny access
   - Put the user on a VLAN
   - Send user to remediation
   - Apply ACLs or firewall rules

Management of Policy is the Weak Link in Most NAC Solutions

1. Authentication of the user
2. Use environmental information as part of policy decision making
3. Control usage based on capabilities of hardware and security policy
4. Manage it all
   - Usable management and cross-platform NAC normalization

An Architecture Helps to Understand NAC Better

[Diagram: the Internet, the Corporate Net, and a NAC Policy Server that the access devices consult before admitting a user.]

Lots of NAC Products but Only a Few Good Architectures

[Diagram: the IETF Network Endpoint Assessment model. On the Network Endpoint Assessment Client, Posture Collectors feed a Client Broker, which talks through the Network Access Requestor. On the Network Endpoint Assessment Server, Posture Validators feed a Server Broker, which talks through the Network Access Authority. The Network Enforcement Point sits between the two.]

These are the IETF terms for each piece. TCG/TNC, Microsoft, and Cisco all have their own similar ones.

What is it?

Network Enforcement Point: component within the network that enforces policy, typically an 802.1X-capable switch or WLAN, VPN gateway, or firewall.
  TCG TNC: Policy Enforcement Point
  Microsoft NAP: NAP Enforcement Server
  Cisco NAC: Network Access Device

What is it?

Posture Collector: third-party software that runs on the client and collects information on security status and applications, such as "is A/V enabled and up-to-date?"
  TCG TNC: Integrity Measurement Collector
  Microsoft NAP: System Health Agent
  Cisco NAC: Posture Plug-in Apps

Client Broker: "middleware" that talks to the Posture Collectors, collects their data, and passes it down to the Network Access Requestor.
  TCG TNC: TNC Client
  Microsoft NAP: NAP Agent
  Cisco NAC: Cisco Trust Agent

Network Access Requestor: connects the client to the network, such as an 802.1X supplicant. Authenticates the user, and acts as a conduit for Posture Collector data.
  TCG TNC: Network Access Requestor
  Microsoft NAP: NAP Enforcement Client
  Cisco NAC: Cisco Trust Agent

What is it?

Posture Validator: receives status information from Posture Collectors, then validates it against policy, returning a status to the Server Broker.
  TCG TNC: Integrity Measurement Verifier
  Microsoft NAP: System Health Validator
  Cisco NAC: Policy Vendor Server

Server Broker: "middleware" acting as an interface between multiple Posture Validators and the Network Access Authority.
  TCG TNC: TNC Server
  Microsoft NAP: NAP Administration Server
  Cisco NAC: Access Control Server

Network Access Authority: validates authentication and posture, then passes policy to the Network Enforcement Point.
  TCG TNC: Network Access Authority
  Microsoft NAP: Network Policy Server
  Cisco NAC: Access Control Server

http://www.networkworld.com/research/2006/040306-nac-overview.html

How Does the Authentication Actually Work?

Three options are commonly used:
- 802.1X
- Web-based Authentication
- Proprietary Client

802.1X is Preferred and the Most Secure Approach

1. User brings up link (or associates with AP)
2. AP/Switch starts 802.1X (EAP) for authentication
3. User authenticates to central policy server
4. If authentication (and other stuff) is successful, policy server instructs edge device to grant appropriate access
5. User gets IP address

Web Authentication is Easy to Do

1. User gets on network; gets IP address
2. User opens web browser and is trapped by portal
3. User authenticates to central policy server
4. If authentication (and other stuff) is successful, portal lets traffic through or reconfigures network to get out of the way

Proprietary Clients Can Do It Either Way (or Both)

1. User connects and gets IP address
2. Client magically authenticates to NAC device
3. If authentication (and other stuff) is successful, user is allowed on network

Let's Look at Environment Briefly

This is the "(and other stuff)" part

1. User associates with AP
2. AP starts authentication
3. User authenticates
4. If authentication (and other stuff) is successful, user is given appropriate network access

For some, this is the main reason to want NAC!

Environmental Information Can Include Lots of Things

Pure Environment
- Access Method (wired, wireless, VPN)
- Time of Day/Day of Week/Date within Limits
- Client Platform (Mac, Windows, etc.)
- Authentication Method (user/pass, MAC, etc.)

End Point Security: does the device comply to my policy regarding
- Security Tools (A/V, FW)
- Applications (running/not)
- Patch Level
- Corporate signature

Key Concept: Access Is a Function of Authentication and Environment

Who You Are + Where You Are Coming From + How Well You Comply with Policy = What You Can Do

Darn. We just summarized NAC in one slide. What else is there to talk about?
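The "who you are + where you come from + how well you comply = what you can do" formula, worked through as a toy policy decision. This is an added example, not code from the slides or from any NAC product: the decision inputs (group, access method, time of day, A/V, firewall, patch level) and the enforcement outcomes (deny, remediation VLAN, role VLAN) are those the deck lists, while the group names, hours and VLAN labels are constructed values.

```python
"""Toy NAC policy decision: access = f(authentication, environment, posture).

Added example, not from the slides. Policy values, group names and VLAN
labels are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    username: str
    authenticated: bool            # did 802.1X / web auth succeed?
    groups: set = field(default_factory=set)
    access_method: str = "wired"   # wired | wireless | vpn
    hour: int = 12                 # local hour of the request (0-23)
    platform: str = "Windows"
    av_enabled: bool = True        # end-point security posture
    av_current: bool = True
    firewall_on: bool = True
    patched: bool = True


# Constructed policy: which groups may use which access methods,
# and the hours during which contractors may connect at all.
GROUP_METHODS = {"staff": {"wired", "wireless", "vpn"},
                 "contractor": {"wired"}}
CONTRACTOR_HOURS = range(8, 18)


def posture_failures(req):
    """Return the end-point checks (A/V, FW, patch level) that failed."""
    checks = {"av_enabled": req.av_enabled, "av_current": req.av_current,
              "firewall_on": req.firewall_on, "patched": req.patched}
    return [name for name, ok in checks.items() if not ok]


def decide(req):
    """Return (action, detail) for the Network Enforcement Point."""
    # 1. Authentication: an unauthenticated user never passes go/no-go.
    if not req.authenticated:
        return ("deny", "authentication failed")
    # 2. Environment: access method and time of day are policy inputs.
    allowed = set().union(*(GROUP_METHODS.get(g, set()) for g in req.groups))
    if req.access_method not in allowed:
        return ("deny", f"{req.access_method} not permitted for {sorted(req.groups)}")
    if "contractor" in req.groups and req.hour not in CONTRACTOR_HOURS:
        return ("deny", "outside contractor hours")
    # 3. Posture: authenticated but non-compliant hosts go to remediation, not off the wire.
    failures = posture_failures(req)
    if failures:
        return ("remediation_vlan", "posture: " + ", ".join(failures))
    # 4. Enforcement: compliant users land on the VLAN for their role.
    vlan = "vlan-staff" if "staff" in req.groups else "vlan-restricted"
    return ("vlan", vlan)
```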

Let's Look at Access Control Briefly

Access Control Enforcement Has Two Main Attributes to Understand

Control Granularity
- On/Off the network
- VLAN-level assignment
- Packet filters
- Stateful firewall

Control Location
- On the client itself
- At the edge of the network
- A barrier between user and network
- Deep within the network core
- At the server itself

Granularity is a Spectrum Largely Determined by Hardware

Most granular, most secure, most powerful:
- Full Stateful Firewall
- Basic Packet Filters
- VLAN Assignment
- Go/No-Go Decision
Least granular, least powerful.

Slide annotations along the spectrum, from top to bottom: "Joel's Fantasy of How Secure Networks Are Run", "Likely Reality for Next Few Years", "Typical Current Approach (and likely SMB approach in future)".

We've Just Grazed the Surface of NAC

- NAC needs to be on your radar
- Tools like 802.1X should be part of your short and long range plans anyway
- Don't jump into a proprietary solution without considering the emerging standard architectures

Thanks!
Joel Snyder Senior Partner Opus One [email protected]
