1.2. A Diagram Is Worth a Thousand Descriptions

Although a picture is worth a thousand words, a diagram can help provide a visual definition or description of NAC — especially the different types of NAC solutions and deployment methods. In the following sections, you can find diagrams that illustrate different types of NAC solutions and deployment methods.

The different types of NAC solutions available include

  • Appliance-based, divided by whether the appliance is inline or out-of-band

  • Switch- or network equipment-based

  • Client/host-based

  • Agent-less or clientless

The various types of NAC deployment methods include

  • Integrated with, or as an overlay to, network or security infrastructure

  • Layer 2 or Layer 3 authentication

1.2.1. Appliance-based NAC solutions: Inline or out-of-band

Some NAC solutions are appliance-based, which means that a server, hardened appliance, or a network device of some type needs to reside in the network on which you want to implement the NAC solution. Appliance-based solutions are either inline or out-of-band.

NOTE

An appliance may act as a policy server for the NAC solution, a receptacle in which an organization can define and manage network access and security policies, and then propagate those policies to NAC enforcement points on the network (out-of-band). Sometimes, instead of or in addition to the policies being propagated to enforcement points, these appliances may also enforce the policies. These network devices, whether inline or out-of-band, may also deliver authentication capabilities, such as serving double duty — working as both policy server and an authentication server; an authentication, authorization, and accounting (AAA) server; a RADIUS server; or even a native authentication data store. These network devices can also include policy management, as well as device management, capabilities. What your NAC solution's policy server can do depends on whether the vendor's solution includes that functionality and capability within their appliance.

1.2.1.1. Get inline

If you use an inline NAC appliance that addresses policy development and management, and also enforces policies, all network traffic generally flows through the appliance or device, as shown in Figure 1-1. This placement enables you to make the access controls on an inline NAC appliance simple because all network traffic — and all associated individual data packets — flow through the appliance, thereby allowing the inline NAC appliance to apply granular access control.

Figure 1.1. A sample diagram of an inline NAC solution.

You can easily deploy inline NAC appliances, particularly on a newly deployed or redesigned network. In many cases, these NAC solutions include a single network box that has policy creation and enforcement rolled into the one appliance.


While inline NAC appliances have their benefits (such as simplified deployment in new or renewed networks, a single-box approach, and policy enforcement and control in one place), be aware of a couple of potential challenges when you use an inline NAC appliance:

  • A single point of failure: If the inline NAC appliance fails, so does network access control — because it's an inline appliance, it's applied to all network traffic. So, a failed inline NAC appliance could either create a roadblock that restricts access to your network or allow access to all who attempt to sign in to the network, without applying the appropriate policy and access control checks.

  • Performance: Particularly in situations involving fast, substantial increases in network traffic, such as during disaster recovery, or mergers and acquisitions, the performance and rate of access control through an inline NAC appliance could suffer. Also, because all network traffic flows through an inline NAC device, that device can become a choke point in a network if too many users attempt network access simultaneously. To prevent your inline NAC appliance from becoming a choke point, you need to effectively load-balance the device and deploy it in a redundant fashion.

  • Scalability: An inline, single-box solution can handle only a certain amount of network traffic; while network traffic increases, or the segments of the network on which you've deployed the NAC solution expand, you need to purchase more appliances and deploy them inline. You may not be able to easily maintain this kind of scaling solution or keep it cost effective.

1.2.1.2. Standing out-of-band

In an out-of-band NAC solution, you position the NAC appliance out of the line of fire of network traffic. Although some network traffic may flow to or through the out-of-band appliance, not all network traffic has to pass directly through it, as shown in Figure 1-2.

You can deploy both inline and out-of-band NAC appliances on an existing network infrastructure, but out-of-band NAC solutions are typically easier to deploy, particularly because they are not in the direct line of traffic flow and often do not require changes to traffic flow or network design. An out-of-band NAC solution can interact with the existing network components, leveraging them to provide authentication validation (by leveraging authentication data stores or databases), endpoint security policies and updates (by leveraging antivirus or anti-malware policy servers), or policy enforcement (by leveraging switches, access points, firewalls, and so on). You can also deploy an out-of-band NAC solution as a separate appliance, away from an organization's network or security infrastructure, in an overlay deployment.

The NAC vendor can suggest where to place an out-of-band appliance, or your organization's deployment requirements can dictate this placement.


Figure 1.2. A sample diagram of an out-of-band NAC solution.

NOTE

Out-of-band NAC appliances sometimes may also incorporate a client or agent, or a clientless or agent-less mode. The NAC appliance can deploy the client/agent to an endpoint device, either as a download or preload, to assess the device's security posture and health, returning the outcome of these checks to the appliance so that the appliance can dynamically incorporate that information into policy or consider it in setting policy. The out-of-band NAC appliance can also use some or all of these capabilities via a clientless or agent-less mode, if the vendor offers such a mode. A clientless or agent-less mode can be Web-based, use a captive-portal design (similar to what a user experiences when he or she attempts to access the Internet from a hotel room or coffee shop), or be deployed by another method. A client/agent can also incorporate some security or access capabilities of its own as an added layer of protection for the user and organization against non-compliant or malware-infested endpoint devices. The client/agent may also serve a dual purpose, acting not only as a NAC host or agent, but also as an 802.1X client/supplicant that enables the user's device access to networks compliant with the IEEE 802.1X standard for port-based network access control, which we discuss in detail in Chapter 13.

Deploying an out-of-band NAC solution has several advantages over an inline solution:

  • You can limit disruption on your organization's network and leverage existing network and security components as part of the NAC process.

  • Out-of-band solutions usually scale more easily and quickly than inline NAC solutions.

  • Out-of-band solutions allow for quicker, easier network changes because they aren't in the direct flow of network traffic, unlike inline solutions.

  • In many cases, you can deploy them separate from existing network or security infrastructure.

  • You can pair some out-of-band NAC solutions with inline, infrastructure, or other NAC solution types, as well as other NAC deployment scenarios, combining and emphasizing each other's capabilities while enabling and enforcing NAC from the edge of the network into the network's core.


1.2.2. Switch- or network equipment-based NAC solutions

A switch- or network equipment-based NAC solution allows an organization to replace its existing switches or other network equipment with units that have integrated NAC capabilities.

This type of solution can operate within an existing network environment, and if your organization is rebuilding an existing network or creating a new one, you may find this kind of solution efficient. However, if your organization must rip-and-replace an existing switch environment to obtain NAC capabilities, this process could quickly become cost prohibitive.


Switch-based NAC solutions can deliver NAC capabilities to the network's edge, which enables an organization to implement NAC functionality (such as admission control, access control, and monitoring) from the edge of the network while maintaining performance. The devices can usually integrate within an existing network environment with little disruption; some devices deliver and support multiple ways of enforcing NAC capabilities, such as 802.1X, DHCP, IPSec, or other standards.

Aside from the need to replace existing switches and equipment (which may be costly), this type of NAC solution may also have other hidden issues and costs. Keep these points in mind while exploring switch- or network equipment-based NAC solutions:

  • Some switch-based NAC solutions require that you have an additional device — a controller, for example — on the network to provide policy control and management, which gives you another device that you need to manage.

  • As with many products that combine multiple capabilities, you have to ensure that the device meets all your switching or network security requirements, not just your NAC needs.

  • The device may meet your switching or network security goals but fall short of meeting your NAC requirements.

1.2.3. Client- or host-based NAC solutions

You can quickly and easily deploy client- or host-based NAC solutions. These software-based NAC solutions are usually independent of the network, its infrastructure, and (for the most part) any other equipment, as shown in Figure 1-3. (In many cases, a client- or host-based NAC solution requires a policy server to work with the client- or host-based NAC solution, delivering and managing the needed security and access policies.)

Your organization really needs only software to deploy a client- or host-based NAC solution. To implement NAC, you just have to preload, push, or automatically download the client or host software to an endpoint device. You can typically find this type of NAC solution available from vendors of endpoint security and protection software, and related suites.

Client- or host-based NAC, like all NAC solutions, has its pros and cons. On the pro side of the equation, client- or host-based NAC can

  • Enhance interoperability.

  • Be cost-effective while delivering solid investment protection and scalability.

  • Address security challenges faced by a number of organizations today by combining admission control capabilities, such as endpoint assessment and policy compliance checks, with threat mitigation to protect the endpoint device and ultimately the network from attacks and hacks in economical fashion.

Figure 1.3. A sample diagram of a client- or host-based NAC solution.

On the downside of a client- or host-based NAC solution:

  • Quick spread of contamination: If one user device is contaminated, compromised, or a lying endpoint (an endpoint device that's infected with malware which presents itself as being policy compliant and up-to-date with all its security inoculations), the organization's network is likely to become compromised, too.

  • How they handle unmanaged endpoint devices: If a guest user — a contractor, partner, guest, or other non-employee user — attempts to access the organization's network by using an endpoint device that the organization hasn't provided or doesn't control (an unmanaged device), you may not be able to apply a client- or host-based NAC solution against that device. A guest user probably won't willingly agree to have an unknown client (particularly one that he or she may use only temporarily) downloaded to his or her endpoint device. So, how can a client- or host-based NAC solution check the unmanaged device and deem it compliant with the organization's access and security policies? Do you deny unmanaged endpoints network access? Do you funnel all unmanaged endpoints attempting network access to quarantine? Or do you allow unmanaged endpoints to freely access your network? And which scenario is more painful? As you can see, guest users and unmanaged devices can be real issues for client- or host-based NAC solutions.

  • Relying only on software on an endpoint device to provide network access control across a network: A client- or host-based NAC solution can sometimes limit network security. In many cases, by deploying a client- or host-based NAC solution, an organization is trying to check and secure the endpoint device while that same device also serves as the base of the NAC solution, so the component being assessed is also the component doing the assessing.

1.2.4. Clientless NAC solutions

Clientless NAC solutions don't require an endpoint device to have a client loaded in order for the solution to assess the device pre-admission, or for the solution to provide user or device authentication.

Some of these NAC solutions use a Web-based, captive portal-like approach or a dissolvable client that's based on Java, ActiveX, or some other downloadable applet that can capture user and device credentials for authentication, assess endpoint security state and posture, and measure the device against access and security policies.

Some clientless NAC solutions must deploy a device on the network that monitors network traffic and determines whether a device attempting network access is managed or unmanaged, or whether it's unmanageable (a device that's incapable of accepting a client, dissolvable or not, such as a networked printer, cash register, HVAC system, even a vending machine) — essentially, any device that is connected to the network and has an IP address. Using predefined policies, the clientless system that uses such a network device decides how to handle the network disposition of the unmanageable device.
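The agent-reported posture checks described in the note under Section 1.2.1.2, the lying-endpoint and unmanaged-device problems in Section 1.2.3, and the managed/unmanaged/unmanageable classification just described all end in the same place: a policy-server decision about what to do with one endpoint. The following Python is an added example of that decision logic, written for this page and not code from the book or from any NAC vendor. The device identifiers, agent keys, MAC addresses, posture fields, VLAN names and the three-day signature-age policy are all constructed assumptions.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed sample data (not from the book). Per-device keys that a policy
# server would provision when the NAC agent is installed on a managed device.
AGENT_KEYS = {
    "laptop-0001": b"constructed-key-laptop-0001",
    "laptop-0002": b"constructed-key-laptop-0002",
}

# Constructed inventory of agent-incapable ("unmanageable") devices, keyed by MAC
# address, with the predefined disposition the clientless policy gives each one.
UNMANAGEABLE_DEVICES = {
    "00:11:22:33:44:55": ("printer", "printer-vlan"),
    "00:11:22:33:44:66": ("hvac", "ot-vlan"),
}

TODAY = date(2024, 1, 15)        # fixed "now" so the checks are deterministic
MAX_SIGNATURE_AGE_DAYS = 3       # assumed policy: AV signatures at most 3 days old


def _canonical(report):
    return json.dumps(report, sort_keys=True).encode()


def sign_report(device_id, report):
    """Agent side: HMAC-SHA256 over the canonical JSON of the posture report."""
    return hmac.new(AGENT_KEYS[device_id], _canonical(report), hashlib.sha256).hexdigest()


def verify_report(device_id, report, signature):
    """Policy-server side: accept the report only if its HMAC checks out."""
    key = AGENT_KEYS.get(device_id)
    if key is None:
        return False
    expected = hmac.new(key, _canonical(report), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def posture_failures(report):
    """Evaluate the security posture an agent reports; return the failed checks."""
    failures = []
    if not report.get("firewall_enabled", False):
        failures.append("firewall_disabled")
    sig_date = date.fromisoformat(report.get("av_signature_date", "1970-01-01"))
    if (TODAY - sig_date).days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("av_signatures_stale")
    if report.get("missing_critical_patches", 0) > 0:
        failures.append("critical_patches_missing")
    return failures


def decide(device_id, mac_addr, report=None, signature=None):
    """Policy-server decision for one endpoint: (action, detail)."""
    # 1. A managed device is expected to present a signed posture report.
    if device_id in AGENT_KEYS:
        if report is None or signature is None or not verify_report(device_id, report, signature):
            # Missing, forged or altered report: no trustworthy posture, so the
            # device goes to quarantine for remediation rather than being allowed.
            return ("quarantine", "unverifiable_posture")
        failures = posture_failures(report)
        if failures:
            return ("quarantine", ",".join(failures))
        return ("allow", "compliant")
    # 2. A known agent-incapable device gets its predefined restricted disposition.
    if mac_addr in UNMANAGEABLE_DEVICES:
        kind, vlan = UNMANAGEABLE_DEVICES[mac_addr]
        return ("restrict", f"{vlan}:{kind}")
    # 3. Anything else is an unmanaged device; send it to the captive portal.
    return ("captive_portal", "unmanaged_device")


if __name__ == "__main__":
    # Constructed posture report from a managed laptop's agent.
    report = {"firewall_enabled": True, "av_signature_date": "2024-01-14",
              "missing_critical_patches": 0}
    sig = sign_report("laptop-0001", report)
    print(decide("laptop-0001", "aa:bb:cc:dd:ee:01", report, sig))   # ('allow', 'compliant')
    report["firewall_enabled"] = False                                # altered after signing
    print(decide("laptop-0001", "aa:bb:cc:dd:ee:01", report, sig))   # ('quarantine', 'unverifiable_posture')
    print(decide("unknown", "00:11:22:33:44:55"))                     # ('restrict', 'printer-vlan:printer')
    print(decide("unknown", "aa:bb:cc:dd:ee:99"))                     # ('captive_portal', 'unmanaged_device')
```

Signing the report protects against a report being forged by some other party or altered on the way to the policy server, which is why an unverifiable report is quarantined rather than allowed. It does not solve the lying-endpoint problem from Section 1.2.3: malware that controls the host can have the real agent sign a false "compliant" report, so a decision resting only on self-reported posture inherits that weakness, which is the reason the chapter pairs client-based NAC with network-side enforcement rather than relying on the endpoint alone.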

1.2.5. Types of deployment

There are several NAC deployment methods. In some cases you can choose among them; in others, the type of NAC solution you select dictates the method.

While there are key differences between the various NAC deployment methods, one thing they all have in common is the ability to control access to the network (and in some cases applications) based on a number of variables and settings.

1.2.5.1. Integrated or overlay

Whether you deploy a NAC solution as an integrated part of a network or as an overlay to network or security infrastructure, for the most part, depends on the NAC solution type that you select.

You usually have to deal with either integrated or overlay NAC deployment when you use any NAC solution type that incorporates or leverages an appliance or network box. If you don't need an appliance or a network component, then you usually don't have to worry about the integrated versus overlay deployment choice.


For example, an out-of-band NAC appliance may or may not be integrated within your network environment; it can also be deployed as an overlay to the network environment, so that changes to the NAC solution and changes to the network environment don't affect each other. An inline NAC appliance, by contrast, must be integrated with the network infrastructure, particularly because the inline appliance has to sit in the network traffic flow to operate.

You first need to determine whether the NAC solution type with which you want to work can support integrated or overlay deployment. If the deployment can be either integrated or overlay (such as when you use an out-of-band NAC appliance solution), then you can decide how intrusive and integrated you want to make your NAC solution.

Sometimes, though, the choice of integrated or overlay comes down to the type of NAC enforcement that an organization selects and uses.

1.2.6. Layer 2 or Layer 3 enforcement deployment

Layer 2 and Layer 3 refer to the data link layer and network layer, respectively, on the Open Systems Interconnection (OSI) Basic Reference Model, which provides a graphic description of computer network communications and protocols.

The data link layer (Layer 2) facilitates the communications and transfer of information between network components. (The IEEE 802.1X industry standard for port-based network access control also operates at Layer 2. Many Ethernet switches and wireless access points deployed in networks around the world today support the 802.1X industry standard.)

Many NAC solutions use Layer 2 as a key enabling technology and the standard for policy enforcement on NAC enforcement points, such as switches, wireless access points, and similar devices. Layer 2 communicates with NAC components during authentication and policy enforcement processes, as shown in Figure 1-4.

Layer 3, the network layer in the OSI Basic Reference Model, provides the means of transferring data from a source to a destination over one or more networks. Also, network routing occurs in Layer 3. Some NAC solutions use a Layer 3 access and security policy enforcement model. This model typically leverages a firewall or a secure router as a NAC enforcement point, enforcing policy-based decisions about how to handle certain users, devices, and even network traffic, as shown in Figure 1-5. A Layer 3 NAC deployment is a strong overlay NAC deployment capability, as well.

Figure 1.4. A sample diagram of a Layer 2 NAC deployment.

Figure 1.5. A sample diagram of a Layer 3 NAC deployment.
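As an added example of the Layer 2 enforcement path shown in Figure 1-4 (this is illustrative code written for this page, not code from the book or from any vendor's product): when a switch acting as an 802.1X enforcement point sends the policy server a RADIUS Access-Request, the policy server replies with an Access-Accept carrying the RFC 2868 tunnel attributes that RFC 3580 uses for VLAN assignment, and the switch checks the reply's Response Authenticator against the shared secret before moving the port. The production and remediation VLAN numbers, the shared secret and the packet identifier are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute numbers (RFC 2865, RFC 2868, RFC 3580).
ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type value "IEEE-802"

# Assumed VLAN plan for this example (not from the book).
PRODUCTION_VLAN = 10
REMEDIATION_VLAN = 900


def _avp(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value(<=253)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vlan_attributes(vlan_id, tag=0):
    """The three tunnel attributes an 802.1X-capable switch reads to pick the port VLAN.
    Tunnel-Type and Tunnel-Medium-Type are a 1-byte tag plus a 3-byte integer;
    Tunnel-Private-Group-ID is a tag plus the VLAN ID as a string."""
    return (
        _avp(ATTR_TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _avp(ATTR_TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
        + _avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())
    )


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Policy-server reply: Code(1) ID(1) Length(2) Authenticator(16) Attributes.
    The Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(packet, request_authenticator, secret):
    """Enforcement-point (switch) side: recompute the authenticator with the shared
    secret so a reply that was forged or altered in transit is not acted on."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


def parse_attributes(data):
    """Split the attribute area into {type: value}; stops on a malformed length."""
    attrs = {}
    while len(data) >= 2:
        attr_type, length = data[0], data[1]
        if length < 2 or length > len(data):
            break
        attrs[attr_type] = data[2:length]
        data = data[length:]
    return attrs


def assigned_vlan(packet):
    """Return the VLAN ID the reply assigns, or None if it carries no VLAN assignment."""
    attrs = parse_attributes(packet[20:])
    needed = (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID)
    if any(a not in attrs for a in needed):
        return None
    if int.from_bytes(attrs[ATTR_TUNNEL_TYPE][1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(attrs[ATTR_TUNNEL_MEDIUM_TYPE][1:], "big") != TUNNEL_MEDIUM_IEEE802:
        return None
    group = attrs[ATTR_TUNNEL_PRIVATE_GROUP_ID]
    if group and group[0] <= 0x1F:      # RFC 2868: a leading byte <= 0x1F is a tag
        group = group[1:]
    return int(group.decode())


def accept_for_posture(identifier, request_authenticator, secret, compliant):
    """NAC policy mapped onto Layer 2 enforcement: compliant endpoints land on the
    production VLAN, everything else on the remediation VLAN."""
    vlan = PRODUCTION_VLAN if compliant else REMEDIATION_VLAN
    return build_access_accept(identifier, request_authenticator, secret, vlan_attributes(vlan))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # stands in for the NAS's RADIUS shared secret
    request_auth = os.urandom(16)           # Request Authenticator copied from the Access-Request
    reply = accept_for_posture(7, request_auth, secret, compliant=False)
    print(reply.hex())
    print("valid:", verify_response(reply, request_auth, secret), "vlan:", assigned_vlan(reply))
```

The same decision expressed through the Layer 3 path of Figure 1-5 would instead become a firewall or router policy keyed on the endpoint's address rather than a VLAN attribute on the switch port; the reply-validation step matters either way, because an enforcement point that acts on an unverified reply can be steered onto the wrong policy.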
