After you define the policy, you decide how and where to enforce your policies. Enforcement gives your network access control policies teeth, so to speak, allowing them to have meaning and purpose on the network.
Endpoint enforcement, the most basic form of enforcement, involves the endpoint client enforcing policy that the policy engine pushes. The enforcement can be network-access-based or software-based. For network-access-based enforcement on the endpoint, the endpoint client restricts or changes access for a network user based on a policy that the policy engine sends. Endpoint enforcement can use a couple of different methods, but the most common method uses a software firewall-based approach. The other method of enforcement is software-based, which is limited only by your imagination. For example, the software-based approach can block certain applications from running or start a virtual desktop.
802.1X enforcement, which is becoming one of the most popular methods of enforcement, is an authentication standard that's supported on most modern switches and wireless access points. 802.1X uses the Extensible Authentication Protocol (EAP) that's defined in RFC 2284.
For 802.1X to work, you need three components, a mix of hardware and software:
The authentication server is a RADIUS server. In the case of network access control, the RADIUS server is typically a part of the policy engine. The authentication server takes all the authentication requests, validates them, and then says yea or nay to the access request.
The authenticator is your switch or access point and is the simple device in the middle:
The authenticator takes authentication requests that it receives from a supplicant and forwards those requests to the authentication server.
After an authentication server determines that the endpoint should have access, the authentication server sends an access accept to the authenticator.
When the authenticator receives the access accept, it allows the endpoint to have access to the network.
The supplicant is a piece of software that enables an endpoint to communicate over Layer 2 for 802.1X authentication. In network access control, the supplicant is typically a part of the endpoint client. The supplicant needs to support the form of EAP that your network uses. The supplicant collects all the user credentials and any other information that the authenticator needs for authentication, and then sends that information to the authenticator (the switch or access point) for authentication.
802.1X enforcement is typically used in conjunction with VLANs. VLANs are a way of separating traffic at Layer 2 into virtual networks that don't have access to one another. In the case of NAC, think of having all your valid compliant endpoints in a corporate VLAN and all your non-compliant machines in a quarantine VLAN. The endpoints in the quarantine VLAN don't have access to any of the resources in the corporate VLAN, so the quarantine VLAN has restricted access, as illustrated in Figure 4-2.
Typically, the only access available in the quarantine VLAN is the access needed to update virus signatures or any other remediation that the machine needs to become compliant. After the machine is compliant, the 802.1X authentication transaction happens again, and the endpoint is put in the corporate VLAN.
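The following simulation, added here and not part of the original text, walks the three 802.1X roles through the sequence just described: the supplicant presents credentials, the authenticator forwards them to the RADIUS-based policy engine, and the Access-Accept carries the VLAN the switch port should be placed in. The usernames, MAC addresses, port names and VLAN numbers are constructed sample data; the RADIUS attribute names (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) are the real ones defined in RFC 3580 for VLAN assignment, but the EAP method itself is not modelled.

```python
"""Simulated 802.1X exchange with dynamic VLAN assignment (added example).

The three classes map onto the roles in the text: the authentication
server (RADIUS, part of the policy engine), the authenticator (switch or
access point) and the supplicant (endpoint-side client). All credentials,
MAC addresses and port names are constructed for the demonstration.
"""
from dataclasses import dataclass, field

CORPORATE_VLAN = "100"    # constructed: VLAN for compliant endpoints
QUARANTINE_VLAN = "999"   # constructed: remediation-only VLAN


@dataclass
class AuthenticationServer:
    """RADIUS server / policy engine: validates credentials and posture."""
    credentials: dict   # username -> password (constructed sample data)
    posture: dict       # MAC -> True when the endpoint is compliant

    def handle_access_request(self, username, password, mac):
        if self.credentials.get(username) != password:
            return {"code": "Access-Reject"}
        # Unknown posture is treated as non-compliant: quarantine by default.
        vlan = CORPORATE_VLAN if self.posture.get(mac, False) else QUARANTINE_VLAN
        return {
            "code": "Access-Accept",
            "Tunnel-Type": "VLAN",               # RFC 3580 attributes
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": vlan,
        }


@dataclass
class Authenticator:
    """Switch or access point: relays the request, then programs the port."""
    server: AuthenticationServer
    port_vlan: dict = field(default_factory=dict)    # port -> assigned VLAN
    port_state: dict = field(default_factory=dict)   # port -> authorized?

    def on_eap_response(self, port, username, password, mac):
        reply = self.server.handle_access_request(username, password, mac)
        if reply["code"] != "Access-Accept":
            # No accept: the port stays closed and any old VLAN binding is dropped.
            self.port_state[port] = "unauthorized"
            self.port_vlan.pop(port, None)
            return reply["code"]
        self.port_state[port] = "authorized"
        self.port_vlan[port] = reply["Tunnel-Private-Group-ID"]
        return reply["code"]


@dataclass
class Supplicant:
    """Endpoint-side 802.1X client that sends credentials to the authenticator."""
    username: str
    password: str
    mac: str

    def authenticate(self, authenticator, port):
        return authenticator.on_eap_response(
            port, self.username, self.password, self.mac)


def quarantine_then_remediate():
    """Non-compliant host lands in quarantine; after remediation the 802.1X
    transaction runs again and the port moves to the corporate VLAN.
    Returns the VLAN assigned after each authentication."""
    server = AuthenticationServer(
        credentials={"alice": "correct horse battery staple"},
        posture={"00:11:22:33:44:55": False},   # constructed: not yet compliant
    )
    switch = Authenticator(server)
    laptop = Supplicant("alice", "correct horse battery staple",
                        "00:11:22:33:44:55")
    history = []
    laptop.authenticate(switch, "Gi1/0/7")
    history.append(switch.port_vlan["Gi1/0/7"])
    # Remediation completes (signatures updated); policy engine marks host compliant.
    server.posture[laptop.mac] = True
    laptop.authenticate(switch, "Gi1/0/7")
    history.append(switch.port_vlan["Gi1/0/7"])
    return history


if __name__ == "__main__":
    print(quarantine_then_remediate())   # ['999', '100']
```

Two details worth noticing when reading the code: an endpoint whose posture the policy engine has never recorded is quarantined rather than trusted, and a rejected re-authentication clears the port's previous VLAN binding instead of leaving stale access in place.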
Inline enforcement is a method of enforcement that lets you distinguish endpoints by their Layer 3 IP addresses and grant each the appropriate access to protected resources on the network.
With inline enforcement, you put a device between the user and the resources that he or she is accessing so that you can control the user's access as it flows through the device.
The most popular form of inline enforcement is the firewall. Firewalls allow administrators to define a policy based on IP addresses, specifying which IPs can reach which resources. Network administrators defined this policy statically in the past. Network access control now extends firewall policy and creates dynamic policy based on any number of attributes that the policy engine checks.
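To make the shift from static to dynamic firewall policy concrete, here is an added example (not from the original text) in which a policy engine derives per-source-IP rules from endpoint attributes and an inline enforcer applies them to each flow. The resource networks, endpoint addresses and attribute names (authenticated, av_current, role) are constructed for the illustration.

```python
"""Dynamic inline (Layer 3) enforcement driven by endpoint attributes.

Added example. A static firewall would hard-code which source IPs reach
which networks; here the policy engine recomputes a source's allowed
resources whenever its attributes change, and the inline device simply
evaluates flows against the current rule set. All networks, addresses and
attribute names are constructed sample values.
"""
import ipaddress

# Protected resources behind the inline device (constructed).
RESOURCES = {
    "corporate":   ipaddress.ip_network("10.10.0.0/16"),
    "finance":     ipaddress.ip_network("10.20.0.0/24"),
    "remediation": ipaddress.ip_network("10.99.0.0/24"),
}


def build_rules(endpoint_ip, attributes):
    """Policy engine: map one endpoint's attributes to the resource names
    its IP may reach. Remediation servers are always reachable so a
    non-compliant host can become compliant."""
    allowed = {"remediation"}
    if attributes.get("authenticated") and attributes.get("av_current"):
        allowed.add("corporate")
        if attributes.get("role") == "finance":
            allowed.add("finance")
    return {ipaddress.ip_address(endpoint_ip): allowed}


class InlineEnforcer:
    """The device in the path: holds the current rules and decides per flow."""

    def __init__(self):
        self.rules = {}   # source IP -> set of allowed resource names

    def update(self, rules):
        """Replace the rules for the sources in `rules` (attributes changed)."""
        self.rules.update(rules)

    def permit(self, src, dst):
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        # A source the policy engine has not classified gets default deny.
        allowed = self.rules.get(src_ip, set())
        return any(dst_ip in RESOURCES[name] for name in allowed)


def demo():
    """Same endpoint before and after it becomes compliant; returns the
    (before, after) decisions for a flow to a corporate server."""
    enforcer = InlineEnforcer()
    host = "10.5.0.8"   # constructed endpoint address
    enforcer.update(build_rules(host, {"authenticated": True, "av_current": False}))
    before = enforcer.permit(host, "10.10.3.4")
    enforcer.update(build_rules(host, {"authenticated": True, "av_current": True}))
    after = enforcer.permit(host, "10.10.3.4")
    return before, after


if __name__ == "__main__":
    print(demo())   # (False, True)
```

The point the code makes is that the enforcement device never needs to understand posture or roles; it only needs a current rule set per source address, which is exactly what the policy engine can push each time an attribute it checks changes.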
IPSec enforcement, an extension of inline enforcement, is used to create an IPSec connection from the endpoint to a virtual private network (VPN) concentrator in the network. The VPN concentrator can also be a firewall or other appliance, but its main purpose is to provide data privacy across the internal network.
You can use IPSec VPN where encryption of traffic is important, such as for your company's financial information. If you don't want anyone else to see the traffic, then IPSec is for you.