10.5. Other Enforcement

You can leverage protocols and standards for NAC enforcement in new or unique ways.

10.5.1. DHCP

The Dynamic Host Configuration Protocol (DHCP) is the method that most enterprises use to assign IP addresses to endpoints that connect to the network. When a host or endpoint connects to the network, the endpoint sends out a Layer 2 broadcast (called a DHCP request) that asks for an IP address. The DHCP server on the network then responds to the request with an IP address from its database for the endpoint to use so that it can connect to the network.

DHCP makes assigning IP addresses dynamic and prone to change. An endpoint may get a different IP address each time it connects to the network, which makes audit trails for traffic difficult to follow. Without DHCP in the network, all endpoint machines would need statically configured networking, which would create a deployment and management nightmare. This process doesn't scale for large environments.

Certain NAC vendors can use DHCP to control network access for endpoints:

  1. When an endpoint connects to the network, it requests an IP address.

  2. The NAC solution, rather than the DHCP server, responds to the DHCP request.

  3. If the endpoint doesn't meet the corporate security policy or the user isn't authenticated yet, the NAC DHCP server sends a quarantine IP address back to the endpoint.

    NOTE

    This quarantine IP address differs from the normal IP addresses that corporate machines receive. DHCP enforcement separates user traffic by using a different IP address range on top of the same Layer 2 network. So, if two different machines — the first a regular corporate user and the second a quarantined user — reside on the same network, they can't communicate with each other over IP. Their different IP addresses don't route between each other, so it separates them at Layer 3, even though they're on the same Layer 2 network.

The biggest drawback to DHCP enforcement is that it's security by obscurity. It doesn't really separate users, and users can circumvent it easily. For example, say that two users are coworkers, and one is quarantined but the other isn't. The quarantined worker can't reach the network properly, so he calls over the cubicle wall to his coworker and asks her for her IP address. The quarantined worker sees that his IP address is different from his coworker's, so he decides to change his IP address to something similar to his coworker's. When the worker changes his IP address, he bypasses the DHCP enforcement and can get on the network.


DHCP enforcement can easily separate users, but it's not the most secure solution, so use it cautiously.
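The following is an added example, not code from the book or from any NAC vendor's product. It models the DHCP enforcement decision described above (a quarantine pool on the same Layer 2 segment as the production pool) and then shows the check a defender wants against the weakness just described: compare the IP-to-MAC bindings actually observed on the wire with the lease table, so an endpoint that gave itself a production address stands out. The address ranges, MAC addresses and the observed-binding list are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed address plan (an assumption, not from the text): both pools are handed
# out on the same Layer 2 segment, but they are different IP subnets, so a quarantined
# host and a production host cannot reach each other at Layer 3.
PRODUCTION_POOL = ipaddress.ip_network("10.10.0.0/24")
QUARANTINE_POOL = ipaddress.ip_network("10.99.0.0/24")


@dataclass
class Posture:
    """What the NAC policy engine knows about an endpoint when its DHCP request arrives."""
    mac: str
    authenticated: bool
    compliant: bool


def choose_pool(posture: Posture) -> ipaddress.IPv4Network:
    """NAC-side DHCP decision: only authenticated, policy-compliant endpoints get a
    production address; everything else is answered from the quarantine pool."""
    if posture.authenticated and posture.compliant:
        return PRODUCTION_POOL
    return QUARANTINE_POOL


def lease_address(posture: Posture, leases: Dict[str, str]) -> str:
    """Answer the DHCP request with the first free address of the chosen pool and
    record the lease (MAC -> IP) so that it can be audited later."""
    pool = choose_pool(posture)
    in_use = set(leases.values())
    for host in pool.hosts():
        if str(host) not in in_use:
            leases[posture.mac] = str(host)
            return str(host)
    raise RuntimeError(f"pool {pool} is exhausted")


def layer3_separated(ip_a: str, ip_b: str) -> bool:
    """True when one address is in the production pool and the other is not, that is,
    the two hosts sit in different subnets and do not route to each other."""
    a_prod = ipaddress.ip_address(ip_a) in PRODUCTION_POOL
    b_prod = ipaddress.ip_address(ip_b) in PRODUCTION_POOL
    return a_prod != b_prod


def find_lease_violations(leases: Dict[str, str],
                          observed: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Defender's check for the weakness described in the text: compare the IP-to-MAC
    bindings actually seen on the wire (switch, ARP or DHCP-snooping telemetry) with the
    lease table. A MAC that uses a production address it was never leased configured
    that address itself and bypassed DHCP enforcement.
    Returns (mac, observed_ip, leased_ip_or_None) for each offender."""
    violations = []
    for mac, ip in observed:
        leased = leases.get(mac)
        if leased == ip:
            continue  # the binding matches what the NAC DHCP server handed out
        if ipaddress.ip_address(ip) in PRODUCTION_POOL:
            violations.append((mac, ip, leased))
    return violations


if __name__ == "__main__":
    leases: Dict[str, str] = {}
    ok = Posture("aa:bb:cc:00:00:01", authenticated=True, compliant=True)
    bad = Posture("aa:bb:cc:00:00:02", authenticated=False, compliant=True)
    ip_ok, ip_bad = lease_address(ok, leases), lease_address(bad, leases)
    print("production:", ip_ok, "quarantine:", ip_bad,
          "separated:", layer3_separated(ip_ok, ip_bad))
    # Constructed telemetry: the quarantined MAC shows up with a self-assigned production address.
    seen = [(ok.mac, ip_ok), (bad.mac, "10.10.0.2")]
    print("violations:", find_lease_violations(leases, seen))
```

The lease table is the ground truth here; the same comparison is what DHCP snooping with IP source guard does in hardware on switches that support it, which is the usual way to turn this soft enforcement into something a user can't simply reconfigure around.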

10.5.2. IPSec

When data integrity is critical, IPSec comes to the rescue. Some NAC solutions offer IPSec as a form of enforcement. IPSec is a collection of protocols designed to secure IP-based traffic by adding authentication and encryption for each packet that's sent across the network.

IPSec is well suited to handle several types of use cases, including protecting traffic going to business-critical applications or servers. For example, when users gain access to critical financial data on a finance server, IPSec can add encryption to the users' traffic so that the data stays private. To make this encryption work, two parts are required:

  • The IPSec client: The client is usually a part of the NAC endpoint agent.

  • The IPSec termination point: This point can be an IPSec concentrator or a device such as a firewall.

The policy engine dynamically provisions IPSec policies to the endpoint client and the termination point so that when a user tries to access the resource, the traffic triggers the IPSec tunnel, which encapsulates and encrypts that traffic.

Encryption provides data privacy for user traffic, which you may find useful if you're concerned about the privacy of information traveling across the corporate network. In a way, IPSec adds an authenticated transport across the network. IPSec enforcement can typically run in two different modes:

  • Encapsulation only: You can use this mode when you're concerned about man-in-the-middle and spoofing attacks on the network. By leveraging IPSec, you can ensure that the traffic is genuine. The endpoint brings up the IPSec tunnel in a null-encrypted mode, which leaves the traffic in the clear but still encapsulated in IPSec, so the tunnel can still sign it to guarantee authenticity. If you have intrusion detection systems on your network, they can usually inspect this traffic because it's still in the clear. Null encryption, or encapsulation only, adds a tamper-resistant seal to the data.

  • Encrypted: If you're concerned about the privacy of your data, you can add data encryption on top of data encapsulation. Administrators leverage encrypted IPSec in most types of implementations.

    You may also find encryption very useful when an endpoint connects across potentially risky parts of the network, including any location where guests or contractors connect and from which you want to access secure information.

If you're considering leveraging IPSec enforcement, you need to decide what you're more interested in:


  • Protecting against spoofing attacks on the network

  • Adding data privacy to protect against network-based sniffing

In most NAC solutions, you can leverage either configuration, depending on which makes sense for a particular situation. These configurations usually don't operate in an all-or-nothing way, and you can turn them on or off as necessary, or configure them however you want.
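The following is an added example, not code from the book or from any IPSec implementation, and it models only the encapsulation-only mode described above rather than real AH or ESP processing. It shows the three properties that mode gives you: the payload stays readable to an IDS on the path, any change to the header or payload breaks the seal, and a replayed packet is rejected. The session key is a constructed constant standing in for keys that IKE would negotiate, and the anti-replay check is simplified to "sequence numbers must increase" (IPSec uses a sliding window).

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed session key (assumption): in IPSec this is negotiated by IKE, not hard-coded.
SESSION_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class SealedPacket:
    """Model of an encapsulation-only (null-encrypted) IPSec packet: header and payload
    stay readable, and a keyed tag over sequence number + header + payload is the
    tamper-resistant seal."""
    seq: int
    header: bytes
    payload: bytes
    tag: bytes


def _tag(key: bytes, seq: int, header: bytes, payload: bytes) -> bytes:
    return hmac.new(key, seq.to_bytes(4, "big") + header + payload, hashlib.sha256).digest()


def seal(key: bytes, seq: int, header: bytes, payload: bytes) -> SealedPacket:
    """Sender side: encapsulate without encrypting, but authenticate everything."""
    return SealedPacket(seq, header, payload, _tag(key, seq, header, payload))


def verify(key: bytes, pkt: SealedPacket) -> bool:
    """Receiver side: the seal checks out only if header, payload and sequence number
    are exactly what the legitimate sender put on the wire."""
    return hmac.compare_digest(_tag(key, pkt.seq, pkt.header, pkt.payload), pkt.tag)


class Receiver:
    """Termination point that also rejects replayed packets, in the spirit of IPSec's
    anti-replay check (simplified: a sequence number must be higher than the last one)."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = -1

    def accept(self, pkt: SealedPacket) -> bool:
        if not verify(self.key, pkt):
            return False  # forged, tampered with, or spoofed source
        if pkt.seq <= self.last_seq:
            return False  # replay of a packet already seen
        self.last_seq = pkt.seq
        return True


def ids_can_match(pkt: SealedPacket, signature: bytes) -> bool:
    """An IDS on the path can still pattern-match the payload in this mode because it
    is not encrypted; in the encrypted mode it would see only ciphertext."""
    return signature in pkt.payload


if __name__ == "__main__":
    rx = Receiver(SESSION_KEY)
    genuine = seal(SESSION_KEY, 1, b"src=10.10.0.5 dst=10.10.0.20", b"GET /finance/q3-report")
    print("genuine accepted:", rx.accept(genuine))
    print("replay accepted:", rx.accept(genuine))
    # Same tag, altered payload: the seal no longer matches.
    forged = SealedPacket(2, b"src=10.10.0.5 dst=10.10.0.20", b"GET /finance/admin", genuine.tag)
    print("forged accepted:", rx.accept(forged))
    print("IDS can see /finance/:", ids_can_match(genuine, b"/finance/"))
```

If your concern is sniffing rather than spoofing, the payload in this model would be ciphertext and `ids_can_match` would stop working, which is exactly the trade-off the two modes above ask you to decide on.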

Pop enforcement quiz

Start thinking about your NAC solution's enforcement potential in your network.

Start asking yourself these kinds of questions:

  • How close to the user do you want to enforce policies?

  • Do you consider any resource on your network mission-critical?

  • Do you want to segregate users from each other?

  • Are you willing to replace network infrastructure?

  • Can you logically create enforcement phases? Where should you start (for example, would enforcing user access to the datacenter be most important)?

Answering these questions can help you narrow down what you want from an enforcement technology, which can dictate how much you're willing to pay for your NAC solution. In other words, what can you leverage in your current network without spending additional money, and what do you need to add or replace in your network to enable NAC? Remember, the cost of your NAC solution includes not only the capital investment of purchasing equipment, but also the costs associated with reconfiguring existing infrastructure to enable NAC.

10.5.3. ARP

Address Resolution Protocol (ARP) is the foundation of network communication. Network devices use ARP to create bindings between the Layer 2 address (the MAC address) and the Layer 3 address (the IP address) of machines that attempt to communicate on the network.

A network has two devices. Device 1 wants to communicate with Device 2, but it hasn't communicated with that device before. Device 1 sends a broadcast message (the ARP request) out over the network asking for the MAC address that belongs to Device 2's IP address. Device 2 responds, and both devices add an entry to their table of IP-to-MAC address correlations, called the ARP cache. The two devices now have the basic network information that allows them to communicate.

ARP-based enforcement involves manipulating or modifying the ARP cache on devices on the network. A NAC solution that uses the ARP table as a method of enforcement sends ARP messages onto the network that change the IP-to-MAC address binding tables on devices. For ARP enforcement to work correctly, it must modify the ARP tables on all devices. If the ARP table of a device includes static ARP entries that the NAC solution can't modify, communication between that device and another device whose ARP table does change breaks.

You can use ARP-based enforcement to

  • Break or block communication.

  • Redirect devices' traffic to a captive portal or Web page, where the user can log into the network.

ARP cache manipulation can cause networking problems for some devices on the network. If you want to use ARP cache manipulation as an enforcement mechanism, make sure that you thoroughly test it before you deploy it in your network.
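The following is an added example, not code from the book or from any NAC product, and it works entirely on in-memory ARP caches rather than on the network. It models the two points made above: a NAC that rewrites IP-to-MAC bindings can only rewrite dynamic entries, so one static entry leaves enforcement half applied and breaks communication between the two hosts; and, for the testing phase the text recommends, an arpwatch-style monitor that flags every binding change so you can see exactly what the enforcement is rewriting. Device names, addresses and the NAC "sink" MAC are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ArpEntry:
    mac: str
    static: bool = False  # static entries are never overwritten by ARP messages


@dataclass
class Device:
    name: str
    ip: str
    mac: str
    cache: Dict[str, ArpEntry] = field(default_factory=dict)  # IP -> entry

    def learn(self, ip: str, mac: str, static: bool = False) -> None:
        """Populate the cache the way a normal ARP exchange (or an administrator) would."""
        self.cache[ip] = ArpEntry(mac, static)

    def apply_arp_message(self, ip: str, mac: str) -> bool:
        """Process an ARP message asserting ip -> mac. Dynamic entries are updated;
        a static entry ignores it. Returns whether the cache changed."""
        current = self.cache.get(ip)
        if current is not None and (current.static or current.mac == mac):
            return False
        self.cache[ip] = ArpEntry(mac, static=False)
        return True


def can_communicate(a: Device, b: Device) -> bool:
    """Both caches must resolve the peer's IP to the peer's real MAC."""
    a_sees = a.cache.get(b.ip)
    b_sees = b.cache.get(a.ip)
    return (a_sees is not None and b_sees is not None
            and a_sees.mac == b.mac and b_sees.mac == a.mac)


def enforce_quarantine(devices: List[Device], quarantined: Device,
                       sink_mac: str) -> Dict[str, bool]:
    """Model of ARP-based enforcement: the NAC rebinds the quarantined host's IP to its
    own (sink) MAC on every other device, and rebinds every peer on the quarantined
    host, so that traffic lands at the NAC (for example, a captive portal) instead of at
    the peers. Returns, per device, whether its cache actually changed."""
    changed = {}
    for d in devices:
        if d is quarantined:
            results = [d.apply_arp_message(ip, sink_mac) for ip in list(d.cache)]
            changed[d.name] = any(results)
        else:
            changed[d.name] = d.apply_arp_message(quarantined.ip, sink_mac)
    return changed


def binding_change_alerts(arp_replies: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """arpwatch-style monitor: flag every ARP reply that changes an IP's MAC, so during
    testing you can see which bindings are being rewritten. Returns (ip, old_mac, new_mac)."""
    seen: Dict[str, str] = {}
    alerts = []
    for ip, mac in arp_replies:
        prev = seen.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ip, prev, mac))
        seen[ip] = mac
    return alerts


if __name__ == "__main__":
    d1 = Device("D1", "10.10.0.5", "aa:bb:cc:00:00:01")    # the host to be quarantined
    d2 = Device("D2", "10.10.0.20", "aa:bb:cc:00:00:02")   # a peer with a static entry for D1
    d1.learn(d2.ip, d2.mac)
    d2.learn(d1.ip, d1.mac, static=True)
    print("before:", can_communicate(d1, d2))
    print("changed:", enforce_quarantine([d1, d2], d1, "aa:bb:cc:ff:ff:fe"))
    print("after:", can_communicate(d1, d2), "D2 still resolves D1 to", d2.cache[d1.ip].mac)
    print("alerts:", binding_change_alerts([("10.10.0.20", "aa:bb:cc:00:00:02"),
                                            ("10.10.0.20", "aa:bb:cc:ff:ff:fe")]))
```

The per-device `changed` map is the thing to look at in a pilot: any device that reports no change after enforcement either has static entries or simply ignored the ARP message, and those are the devices whose traffic will behave unexpectedly in production.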


Pop quiz: Sizing enforcement

While you consider enforcement, think about what size and scale you'll need to make the NAC solution work for your deployment.

Decide where you plan to enforce:

  • At a datacenter: How many users will need to get access to the datacenter and resources? What throughput will you likely see for users accessing the datacenter?

  • At the access layer: How many switches do you want to enforce access on?

How many concurrent users do you plan on having? How many are managed users, guests, unmanaged devices, contractors, and so on?

