10.3. Inline Appliances

Inline appliances can add NAC functionality to your network. You can transparently layer these appliances on top of the existing network infrastructure, so you can very easily roll out NAC. When you add inline appliances you don't have to re-architect your network just to add NAC.

Inline appliances allow you to differentiate between different users and devices on the network, and enforce different policies for each user and device.

This example explains


All users are connected to the corporate network and receive an IP address in the same Layer 3 network. They all get addresses from DHCP and can see the datacenter. You need a way to differentiate between the different users in the same network — which is what an inline appliance enables you to do.

Inline appliances allow you to enforce different policies for different users who are in the same network. But the appliance has to sit inline in the traffic flow, between the user and the resource to which you want to control access; traffic that never crosses the appliance is never subject to its policy. You typically place an inline appliance in front of a datacenter or server location, where all the traffic you care about converges.

You can use two main types of inline devices: A firewall or hardware-based enforcement device, and a NAC appliance.

10.3.1. Firewalls

A firewall is a hardware appliance that's designed to enforce network policies at high speed. This appliance sounds like a perfect device to use for NAC, doesn't it?

NOTE

In the past, you'd use static policy based on the five-tuple (source IP, source port, destination IP, destination port, and protocol). By using network access control, you can make the policies dynamic, meaning that the policies change based on the users or devices connecting to the network. To add this type of intelligence, NAC extends the basic concept of a firewall policy. A firewall that supports NAC doesn't just statically control network policy anymore. It now uses policy based on such data as network information, user identity, and endpoint state.

In this example, corporate users need access to a Web server in a datacenter. A firewall in front of the datacenter protects the Web server (which has the IP address 192.168.1.100).


  • Old firewall policy: This is what the existing firewall rule for this Web server looks like:

    • Source IP: Any

    • Source port: Any

    • Destination IP: 192.168.1.100

    • Destination port: HTTP

    • Action: Allow

  • NAC firewall policy: If the firewall is part of your NAC infrastructure, you can

    • User: Valid Corp user authenticated against LDAP

    • Endpoint: Up-to-date AV, latest OS patches

    • Source IP: Received from the authenticated user

    • Source port: Any

    • Destination IP: 192.168.1.100

    • Destination port: HTTP

    • Action: Allow

The NAC policy can dynamically change based on user and endpoint information. The policy enforcement now ties directly to the IP address of the user who connects to the network, instead of providing general enforcement for everybody who connects. The NAC policy opens access only after the user provides valid credentials and authenticates to the network, and only while the software on the endpoint is compliant and up to date; if the endpoint's posture changes or the session ends, the NAC system must update the firewall so that the allow rule for that address goes away. Because the rule is keyed on the source IP, it is only as strong as the binding between that address and the authenticated user, so the NAC system has to hand the firewall the address it actually observed for the session rather than one the user claims. In the preceding example, you take a lot of the risk away from the Web server. You create a rule that allows only valid users who have compliant machines to have access to the server.
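The following is an added example, not code from the original text or from any NAC vendor: a small policy evaluator that puts the old five-tuple rule beside the NAC-aware rule described above. The NAC rule only allows a packet when its source IP is bound to a session that the NAC system has marked as authenticated (a hypothetical LDAP result) and compliant (AV current, OS patched). All class and function names (Packet, Session, NacFirewall, evaluate_static) and the 10.0.0.0/24 client address are assumptions chosen for the example; the Web server 192.168.1.100 and the HTTP rule come from the text.

```python
"""Static five-tuple rule versus a NAC-aware rule bound to user sessions.

Added example; names and sample addresses are hypothetical.
"""
from dataclasses import dataclass

WEB_SERVER = "192.168.1.100"   # destination from the text
HTTP = 80


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Session:
    """What the NAC system learns when a user connects and passes to the firewall.

    authenticated: the user's credentials were validated (e.g. an LDAP bind).
    av_current / patched: endpoint posture reported by the NAC agent.
    """
    user: str
    ip: str                 # address the NAC system observed, not a claimed one
    authenticated: bool
    av_current: bool
    patched: bool

    @property
    def compliant(self) -> bool:
        return self.av_current and self.patched


def matches_tuple(pkt: Packet, dst_ip: str, dport: int, proto: str) -> bool:
    """The classic five-tuple match: any source, specific destination/port/proto."""
    return pkt.dst_ip == dst_ip and pkt.dst_port == dport and pkt.proto == proto


def evaluate_static(pkt: Packet) -> str:
    """Old policy from the text: Any -> 192.168.1.100:HTTP allow, else deny."""
    return "allow" if matches_tuple(pkt, WEB_SERVER, HTTP, "tcp") else "deny"


class NacFirewall:
    """NAC policy: the same tuple, but the source IP must belong to a live,
    authenticated, compliant session. The decision carries a reason so that
    an operator can see why a packet was dropped."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}   # source IP -> Session

    def bind(self, session: Session) -> None:
        """Called by the NAC system when a user authenticates or posture changes."""
        self.sessions[session.ip] = session

    def unbind(self, ip: str) -> None:
        """Called when the session ends; the allow for this address disappears."""
        self.sessions.pop(ip, None)

    def evaluate(self, pkt: Packet) -> str:
        if not matches_tuple(pkt, WEB_SERVER, HTTP, "tcp"):
            return "deny:no-matching-rule"
        session = self.sessions.get(pkt.src_ip)
        if session is None:
            return "deny:no-session"          # nobody authenticated from this IP
        if not session.authenticated:
            return "deny:not-authenticated"
        if not session.compliant:
            return "deny:not-compliant"       # quarantine until posture is fixed
        return "allow"


def walkthrough() -> list[str]:
    """Drive both policies through the same sequence of events (constructed data)."""
    fw = NacFirewall()
    web = Packet("10.0.0.5", 51000, WEB_SERVER, HTTP)
    out = [evaluate_static(web)]                      # static rule: anyone gets in
    out.append(fw.evaluate(web))                      # NAC rule, before login
    fw.bind(Session("alice", "10.0.0.5", True, True, True))
    out.append(fw.evaluate(web))                      # authenticated and compliant
    fw.bind(Session("alice", "10.0.0.5", True, False, True))
    out.append(fw.evaluate(web))                      # AV went stale: quarantined
    fw.unbind("10.0.0.5")
    out.append(fw.evaluate(web))                      # session ended
    return out
```

Note that the static rule says "allow" for every packet to the Web server regardless of who sent it, while the NAC rule's answer changes as the session is created, falls out of compliance and is torn down; the firewall never has to know about users, only about the IP-to-session bindings the NAC system pushes to it.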

Firewall-based enforcement brings Layer 3 and Layer 4 access control (addresses, protocols, and ports) to the table for NAC. Hardware-based firewalls are designed to enforce policies at high data rates, which you need for enforcement in front of network areas, such as datacenters, to which all your users need access.

10.3.2. NAC appliances

NAC appliances are NAC-solution devices that are designed to enforce policies in the network. NAC appliances fall into two main categories — software-based appliances, and hardware- or application-specific integrated circuit (ASIC)-based appliances.

The performance of these appliances differs greatly when it comes to enforcing NAC policies in the network. This difference comes from the design of these devices.

10.3.2.1. Software appliances

Many vendors offer software appliances in the NAC space. These appliances can come in multiple forms. You can purchase software that the network administrator installs on x86 hardware to make a network enforcement point for NAC, or an appliance can come with software pre-installed to make that appliance a NAC enforcement point.

You need to consider several factors when you're evaluating NAC appliances that you plan to use as inline policy enforcement points:

  • NAC software: Software-based NAC appliances are usually based on Linux with some custom software on them. These appliances can usually sit inline in front of a datacenter or resource that you want to protect or control access to. They typically use two network interfaces, one facing the users and one facing the resource. The NAC appliance then filters the traffic that it forwards between the two interfaces.

    • Pro: Because the NAC appliance sees all the traffic, it can figure out a lot about a particular user by dissecting the packets. It gives you great flexibility because you can filter or block the traffic any way that you want.

    • Con: You now have another machine to maintain on your network. And this machine sits inline with all your network traffic.

  • Traffic limitations: Only so much traffic can pass through an x86 machine. Discuss it with your vendor to make sure that an inline NAC appliance can scale to your datacenter's data rate.


Consider what happens when the NAC appliance locks up, freezes, or needs an upgrade: because it sits inline, its failure takes the protected resource offline (fail-closed) unless the appliance or a bypass mechanism passes traffic through unfiltered (fail-open), which in turn means the policy is no longer enforced. Decide which behavior you want, and when you're deploying the appliance, have plans to deal with all these contingencies.

10.3.2.2. Hardware appliances

Hardware appliances are devices built specifically for the special requirements of network-based enforcement. These appliances usually include ASICs, special network-based hardware that enables the appliances to process and enforce network policies with higher performance than a software-based appliance.

The functionality is usually very similar, but you can position a hardware NAC appliance in a network location that has a higher traffic volume.
