Inline appliances can add NAC functionality to your network. You can transparently layer these appliances on top of the existing network infrastructure, so you can very easily roll out NAC. When you add inline appliances you don't have to re-architect your network just to add NAC.
Inline appliances allow you to differentiate between different users and devices on the network, and enforce different policies for each user and device.
All users are connected to the corporate network and receive an IP address in the same Layer 3 network. They all get addresses from DHCP and can see the datacenter. You need a way to differentiate between the different users in the same network — which is what an inline appliance enables you to do.
Inline appliances allow you to enforce different policies for different users who are in the same network. But the appliance needs to sit inline in the traffic flow between the user and the application (or resource) to which you want to control access. You typically place an inline appliance in front of a datacenter or server location.
You can use two main types of inline devices: A firewall or hardware-based enforcement device, and a NAC appliance.
A firewall is a hardware appliance that's designed to enforce network policies at high speed. This appliance sounds like a perfect device to use for NAC, doesn't it?
NOTE
In the past, you'd use a static policy based on the five-tuple (source IP, source port, destination IP, destination port, and protocol). By using network access control, you can now make the policies dynamic, meaning that the policies change based on the users or devices connecting to the network. To add this type of intelligence, NAC extends the basic concept of a firewall policy. A firewall that supports NAC doesn't just statically control network policy anymore. It now uses policy based on such data as network information, user identity, and endpoint state.
Old firewall policy: This is what the existing firewall rule for this Web server looks like:
Source IP: Any
Source port: Any
Destination IP: 192.168.1.100
Destination port: HTTP
Action: Allow
NAC firewall policy: If NAC leverages the firewall as a part of your NAC infrastructure, you can
User: Valid Corp user authenticated against LDAP
Endpoint: Up-to-date AV, latest OS patches
Source IP: Received from the authenticated user
Source port: Any
Destination IP: 192.168.1.100
Destination port: HTTP
Action: Allow
The NAC policy can dynamically change based on user and endpoint information. The policy enforcement now ties directly to the IP address of the user who connects to the network, instead of providing general enforcement for everybody who connects. The NAC policy also opens access after the user provides valid credentials and authenticates to the network. The policy is also valid only if the software on the endpoint is valid and up to date. In the preceding example, you take a lot of the risk away from the Web server. You create a rule that allows only valid users who have compliant machines to have access to the server.
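A small model of the two rules above, added here as an example (it is not code from the book or from any vendor's product): the static five-tuple rule allows any source to reach the Web server, while the NAC rule additionally requires that the source IP map to an authenticated, compliant session. The `Session` fields, the `NacFirewall` class and the sample IP addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict

# Constructed values taken from the page's example rule.
WEB_SERVER = "192.168.1.100"
HTTP = 80

@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

@dataclass
class Session:
    # What NAC learned about the endpoint when its user authenticated
    # (assumed fields: LDAP result and two posture checks).
    user: str
    authenticated: bool      # valid corp user authenticated against LDAP
    av_up_to_date: bool
    os_patched: bool

    def compliant(self) -> bool:
        return self.av_up_to_date and self.os_patched

def old_policy(flow: Flow) -> bool:
    """Static rule: any source IP/port may reach the Web server over HTTP."""
    return flow.dst_ip == WEB_SERVER and flow.dst_port == HTTP and flow.proto == "tcp"

class NacFirewall:
    """Dynamic rule: the five-tuple part is unchanged, but the source IP must
    belong to an authenticated, compliant session; unknown sources are denied."""
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}   # source IP -> NAC session

    def bind(self, ip: str, session: Session) -> None:
        self.sessions[ip] = session            # learned at authentication time

    def revoke(self, ip: str) -> None:
        self.sessions.pop(ip, None)            # user logged off or posture expired

    def nac_policy(self, flow: Flow) -> bool:
        if not old_policy(flow):               # destination side of the rule
            return False
        sess = self.sessions.get(flow.src_ip)
        if sess is None or not sess.authenticated:
            return False
        return sess.compliant()
```

Revoking a session (or a posture check failing) closes access for that IP without touching the rule itself, which is the dynamic behaviour the text describes.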
Firewall-based enforcement brings Layer 3 access control power to the table for NAC. Hardware-based firewalls are designed to enforce policies at high data rates, which you need for enforcement in front of network areas, such as datacenters, to which all your users need access.
NAC appliances are NAC-solution devices that are designed to enforce policies in the network. NAC appliances fall into two main categories — software-based appliances, and hardware- or application-specific integrated circuit (ASIC)-based appliances.
The performance of these appliances differs greatly when it comes to enforcing NAC policies in the network. This difference comes from the design of these devices.
Many vendors offer software appliances in the NAC space. These appliances can come in multiple forms. You can purchase software that the network administrator installs on x86 hardware to make a network enforcement point for NAC, or an appliance can come with software pre-installed to make that appliance a NAC enforcement point.
Because the appliance sits inline, consider what happens when it locks up, freezes, or needs an upgrade, so that when you deploy it you already have plans to deal with each of these contingencies.
Hardware appliances are devices built specifically for the special requirements of network-based enforcement. These appliances usually include ASICs, special network-based hardware that enables the appliances to process and enforce network policies with higher performance than a software-based appliance.