2.6. Be Our Guest

Because of the exponential growth of user mobility and mobile devices, the number and types of users requesting and requiring network access are also growing exponentially. In fact, you can categorize almost anyone — aside from trusted employees who use managed devices — as a guest user.

Guest users come in many shapes and sizes. All guest users require their own level of distinct network and application access:

  • Contractors: You may treat contractors like employees, giving them access to the corporate offices, access rights to the corporate network, and sometimes even a managed device. And, like employees, they often require access to sensitive network resources to get their day-to-day jobs done. However, in many cases, contractors use unmanaged devices (devices that your company hasn't provided), so you must consider those devices potential threats. Although you treat these users like employees in many ways, you often have to give them a different level of network access than you give an employee — for instance, access only to specific servers or applications, and not to others.

  • Partners: Partners often provide specific services to companies. They may be part of the corporate supply chain — for example, your company may consider its shipping agency or import/export agent a partner. A partner may provide a piece of your company's end product, such as an OEM manufacturer. Or they may be a sales partner, an organization that helps market and sell your company's end product or service to your end users. You can come up with countless other examples of partners, but all partners need to have access to core portions of your company's network — either locally or remotely — to ensure that they can perform their duties, whatever they may be, in the manufacturing, processing, sales, support, or delivery of your company's products or services. If a once-trusted partner attempts to launch an attack on your network, they become an insider threat, and can be addressed by the NAC solution. This scenario is covered in "Insider Access and Threats" later in this chapter.

    Hackers have begun to recruit partners to assist in stealing sensitive corporate or consumer data, using a disgruntled partner's approved credentials to access sensitive areas of the corporate network. Those disgruntled partners won't have the ability to access those sensitive areas if the company has the proper access controls in place. To secure your company's network and data, make sure that partners have access only to the portions of the corporate network that they need to perform their services and do their job effectively.

  • Customers: Customers may require network access; for example, a customer visiting your company site may request access to his or her own network via a virtual private network (VPN) or to the Internet. In order to gain this access, he or she first needs access to your company's network. Even though your company's network is simply the conduit for the customer to access another network or the Internet, your company needs to ensure that the customer can gain only Internet access and not be able to access any other portions of your company's network, accidentally or intentionally.

  • Guests: Some guest users are truly guests. For example, on Take Your Child to Work Day, your company really wants to protect your child from unintentionally surfing to dangerous or inappropriate Web sites or chat rooms, and to protect its core data from inadvertent access. For instance, the company doesn't want your child to be able to access the company's financials or its order-processing application while he or she is IMing friends or surfing the Internet. It also doesn't want your child's messaging or surfing to accidentally infect its network with, or launch, a virus or other malware.

NAC can regulate which guest users can access which networked resources. It can check the user's and device's credentials and, based on that data, provide the access for which the user is authorized.

For example, a contractor may have different network access rights and be authorized to access different applications, servers, data — any network asset — than an average guest user. Each form of guest user may have different network and resource access rights — all defined, implemented, and managed by a NAC solution. If a user attempts to access data or a portion of the network for which he or she isn't authorized, the NAC solution can deny that user access.

Now, add to this scenario managed and unmanaged devices.

NOTE

A managed device is a device that your company has provided to the user, so your company can, to some extent, control that device. An unmanaged device is any device that your company didn't supply or doesn't manage.

NAC can ensure that an unmanaged device — just like a managed device — meets a minimum requirement for security before the NAC solution and enforcement points grant that device network access. If the unmanaged device doesn't meet the baseline of security policy, as dictated by the company — for example, the device isn't running the latest antivirus signatures — the NAC solution may place the unmanaged device onto a quarantine network, depending on the enforcement of the company's policy. Or the NAC solution, in conjunction with enforcement points, if needed, may limit the unmanaged device to Internet access only. The NAC solution may allow the device to go through remediation, in the same way that the NAC solution enables managed devices. Or the company may choose to limit network access to only managed devices, not allowing unmanaged devices to have any network access, or only Internet access.

When deploying NAC and defining access control policies, the company usually decides how leniently or stringently they want to enforce their access control policies for compliant or non-compliant unmanaged devices.
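The decision logic described in the paragraphs above (role-based authorization for each category of guest, a posture check for every device, and a company-chosen stance on unmanaged devices) can be shown as a small policy engine. The following is an added example written for this section; it is not code from the book or from any NAC product, and the role names, zone names, and the three unmanaged-device stances are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    """Categories of user described in this section."""
    EMPLOYEE = "employee"
    CONTRACTOR = "contractor"
    PARTNER = "partner"
    CUSTOMER = "customer"
    GUEST = "guest"


# Hypothetical network zones used only in this example.
INTERNET = "internet"
CORP_LAN = "corp-lan"
PARTNER_PORTAL = "partner-portal"
FINANCE = "finance-servers"
QUARANTINE = "quarantine"

# Role-based authorization: the zones each category of user is entitled to.
ROLE_ZONES = {
    Role.EMPLOYEE: frozenset({INTERNET, CORP_LAN, FINANCE}),
    Role.CONTRACTOR: frozenset({INTERNET, CORP_LAN}),    # specific servers, not finance
    Role.PARTNER: frozenset({INTERNET, PARTNER_PORTAL}),  # only the portion they need
    Role.CUSTOMER: frozenset({INTERNET}),                 # the network is a conduit only
    Role.GUEST: frozenset({INTERNET}),
}


class UnmanagedPolicy(Enum):
    """The company's chosen stance on unmanaged devices (assumed options)."""
    LENIENT = "lenient"          # treat unmanaged devices like managed ones
    INTERNET_ONLY = "internet"   # unmanaged devices reach the Internet only
    DENY = "deny"                # unmanaged devices get no access at all


@dataclass(frozen=True)
class Device:
    managed: bool                 # supplied and controlled by the company?
    av_signatures_current: bool   # posture attribute checked before admission


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: Role
    device: Device
    requested_zone: str


@dataclass(frozen=True)
class Decision:
    permitted: bool            # may the user reach the zone they asked for?
    granted_zones: frozenset   # zones the enforcement point should open
    reason: str


def _granted_zones(req: AccessRequest, policy: UnmanagedPolicy):
    # 1. Posture check: a non-compliant device is quarantined for remediation
    #    regardless of who is using it.
    if not req.device.av_signatures_current:
        return frozenset({QUARANTINE}), "non-compliant posture: stale antivirus signatures"
    # 2. Management status: apply the company's stance on unmanaged devices.
    if not req.device.managed:
        if policy is UnmanagedPolicy.DENY:
            return frozenset(), "unmanaged device denied by policy"
        if policy is UnmanagedPolicy.INTERNET_ONLY:
            return frozenset({INTERNET}), "unmanaged device limited to Internet access"
    # 3. Role authorization: the user gets only what their category is entitled to.
    return ROLE_ZONES[req.role], f"{req.role.value} authorized zones applied"


def evaluate(req: AccessRequest, policy: UnmanagedPolicy) -> Decision:
    """Combine posture, management status and role into one access decision."""
    zones, reason = _granted_zones(req, policy)
    permitted = req.requested_zone in zones
    if not permitted:
        reason += f"; {req.requested_zone} not granted"
    return Decision(permitted, zones, reason)


def run_sample(policy: UnmanagedPolicy = UnmanagedPolicy.INTERNET_ONLY) -> dict:
    """Constructed sample requests covering each category in the section."""
    requests = [
        AccessRequest("alice", Role.EMPLOYEE, Device(True, True), FINANCE),
        AccessRequest("bob", Role.CONTRACTOR, Device(True, True), FINANCE),
        AccessRequest("carol", Role.PARTNER, Device(False, False), PARTNER_PORTAL),
        AccessRequest("dave", Role.CUSTOMER, Device(False, True), CORP_LAN),
    ]
    return {r.user: evaluate(r, policy) for r in requests}


if __name__ == "__main__":
    for user, decision in run_sample().items():
        print(f"{user:6} permitted={decision.permitted!s:5} "
              f"zones={sorted(decision.granted_zones)} ({decision.reason})")
```

The order of the three checks matters: posture is evaluated first so that a device with stale signatures lands in quarantine even when its user would otherwise be fully authorized, and the unmanaged-device stance is applied before role authorization so that a contractor on a personal laptop never receives the zones a managed device would earn.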
