Key standards drive NAC implementation. This section takes an in-depth look.
RADIUS is the acronym for Remote Authentication Dial-In User Service, an IETF standard originally designed for use in dial-up networks. One of the main purposes for the RADIUS standard is to provide authentication.
RADIUS is a client/server security protocol that has been (and, in some cases, continues to be) used to authenticate, authorize, and account for dialup users. But NAC vendors extended RADIUS for use in today's enterprise switching infrastructures.
Wireless networks also use RADIUS heavily, and although it wasn't initially intended to be a wireless security authentication method, it improves and strengthens the weak Wired Equivalent Privacy (WEP) encryption key standard. However, the real mettle of RADIUS is in its robust user authentication capabilities.
NOTE
In RADIUS, user authentication is based on network credentials, not device information or other data. RADIUS centralizes the management of network credentials and authentication data. Already a widely deployed standard, RADIUS servers can either store network credentials and authentication data or attributes themselves, or access external credential stores and databases, such as those based on the Lightweight Directory Access Protocol (LDAP) or Structured Query Language (SQL), as well as Microsoft Active Directory, to name just a few examples. RADIUS can use and access many other types of back-end data stores and databases.
The RADIUS standard is very useful in a NAC solution, particularly one that implements or leverages the Institute of Electrical and Electronics Engineers (IEEE) 802.1X standard for port-based network access control. As shown in Figure 13-1, the authentication server in an 802.1X network receives RADIUS messages and uses those messages to authenticate the user and his or her device. The authentication server makes the authentication decision (whether it can authenticate a user for access to the network) and communicates that decision to the authenticator, usually an 802.1X-capable device such as a network switch or wireless access point, which enforces the decision.
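To make the client/server exchange concrete, here is an added example (not code from the book or from any NAC vendor) of the two halves of a RADIUS authentication: the authenticator builds an Access-Request with the User-Password hidden as RFC 2865 specifies, and the server answers with an Access-Accept whose Response Authenticator the authenticator checks before it enforces the decision. The shared secret, user name and password are constructed values.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2        # packet codes, RFC 2865
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2   # attribute types used here

def attr(atype, value):  # one attribute: Type, Length (header included), Value
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(pkt):  # {type: value} for every attribute after the 20-byte header
    attrs, i, end = {}, 20, struct.unpack("!H", pkt[2:4])[0]
    while i + 2 <= end:
        if pkt[i + 1] < 2:
            break  # malformed attribute length; stop rather than loop forever
        attrs[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    return attrs

def user_password(secret, req_auth, data, decrypt=False):
    """RFC 2865 5.2 hiding: pad to 16-byte blocks and XOR each with MD5(secret +
    previous block); the chain runs over ciphertext blocks in both directions."""
    if not decrypt:
        data = data.ljust(max(16, -(-len(data) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + res, (block if decrypt else res)
    return out.rstrip(b"\x00") if decrypt else out

def build_access_request(secret, ident, username, password):
    """Authenticator (NAS) side: a fresh random Request Authenticator per request."""
    req_auth = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username.encode()) + attr(
        ATTR_USER_PASSWORD, user_password(secret, req_auth, password.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def response_authenticator(secret, code, ident, req_auth, attrs):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def build_access_accept(secret, ident, req_auth, attrs=b""):
    """Server side: the reply is bound to the request and to the shared secret."""
    auth = response_authenticator(secret, ACCESS_ACCEPT, ident, req_auth, attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs

def verify_response(secret, req_auth, reply):
    """NAS side: act on the decision only if the Response Authenticator matches."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(secret, code, ident, req_auth, reply[20:length])
    return hmac.compare_digest(expected, reply[4:20])
```

The server recovers the password with `user_password(secret, req_auth, hidden, decrypt=True)` and compares it against its credential store; a reply whose code or attributes were altered in transit fails `verify_response`.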
Simple Network Management Protocol (SNMP) was designed to exchange device management information between network devices, called elements, and that remains its primary use. It allows administrators to gather information from, or change settings on, a network device.
Although SNMP was originally designed for use with routers, other network elements (such as printers, switches, access points, and software) now include SNMP capabilities.
SNMP provides a very simple mechanism that allows you to monitor and configure a network device by using a centralized manager.
Although SNMP is readily available and simple to work with, it does have some limitations, which depend on which of the three versions of SNMP you deploy:
The two older versions of SNMP don't employ strong security mechanisms, which can leave them open to unauthorized access, such as snooping or eavesdropping:
SNMP version 1 (SNMPv1): The original version of SNMP that continues to be a standard protocol for the Internet.
SNMP version 2 (SNMPv2): Offers enhancements to SNMPv1, such as additional protocol operations. SNMPv2 was later replaced to address several security concerns, including authentication and privacy.
SNMP version 3 (SNMPv3): Includes message authentication and packet encryption.
When employed in a NAC solution, the SNMP standard can serve as a notification mechanism, enabling the solution to monitor the behavior and state of endpoint devices via alerts and traps on SNMP-enabled network switches. If your network has an ill-behaving endpoint device, a trap on an SNMP-enabled network switch sends an alert to the NAC solution.
The NAC solution may also dictate diverting the endpoint device that tripped the alert to a virtual local area network (VLAN) with limited or no access to the network and other services. You can also invoke this enforcement mechanism by using SNMP if both the network switch and the VLAN are SNMP-managed. Depending on the solution and its implementation, a NAC solution that leverages the SNMP standard may need to limit network access before the endpoint is provisioned or allowed to access overall resources. Figure 13-2 shows how SNMP accomplishes quarantine or network restriction.
The Dynamic Host Configuration Protocol (DHCP) is built on a client-server model and automates the configuration of devices on a Transmission Control Protocol/Internet Protocol (TCP/IP) network. By using DHCP, devices can automatically obtain the configuration parameters that can enable them to operate on the TCP/IP network.
Configuration data delivered by DHCP can include
Default gateways and Domain Name System (DNS) servers
TCP/IP stack configuration parameters
IP addresses for printers and other servers
NOTE
Originating from the Bootstrap Protocol (BOOTP, the first mechanism for dynamically delivering IP addresses to network devices), the DHCP standard has two components:
Protocol: Defines the mechanism for delivering device-specific configuration parameters to any IP device (routers, servers, or other devices) on a network. The parameters come from a DHCP server or a workstation (which is also a device) that runs the application or service supplying them to IP devices.
Method: A means to automatically assign and distribute IP addresses to devices on the network
When a DHCP application or service monitors network traffic and sees a request for DHCP, it responds with an IP address. It can also provide additional configuration parameters. The DHCP server can allocate or assign ranges of available or appropriate IP addresses to devices as they join the network.
The client-server structure on which DHCP is built can automate the process of adding devices to a TCP/IP network. DHCP uses and supports three different ways to provide IP addresses to requesting devices. You can use these methods alone or together on a network:
Automatic allocation: The DHCP standard can assign a permanent IP address to a specific device.
Dynamic allocation: The DHCP standard can assign a limited-time IP address to a device; or it can assign the IP address to a specific device until the device surrenders the IP address.
Manual allocation: DHCP simply acts as the delivery mechanism for an IP address that an administrator or other individual in authority has manually assigned to a specific device.
NOTE
Allocated and delivered IP addresses should be unique, not duplicated.
A NAC solution based on DHCP might include a DHCP proxy device placed between the centralized DHCP server and network switches:
After an endpoint device connects to a switch port, the DHCP proxy device replies to the endpoint device.
After it sends a reply and assigns an IP address to the endpoint device, the NAC solution (which can run on the same device as the DHCP proxy, or can itself serve as the proxy) could take over the access process and direct the endpoint device to launch a Web browser (and login page), begin an assessment of the endpoint device, or take another action.
When you use DHCP as a NAC enforcement mechanism, as shown in Figure 13-3, an endpoint device that fails an assessment check can be given a configuration that restricts it from communicating with other devices on the network.
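The following added example (not code from the book or from any NAC product) shows what the DHCP proxy described above actually hands out: it encodes the DHCP options of an OFFER as RFC 2132 code/length/value fields, with a production profile for a compliant endpoint and a restricted profile for one that failed assessment. The proxy address, subnets, gateways, resolvers and lease times are constructed values.

```python
import ipaddress, struct

# Option codes from RFC 2132; all addresses below are constructed for this example.
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_LEASE_TIME = 1, 3, 6, 51
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PAD, OPT_END = 53, 54, 0, 255
DHCPOFFER = 2
PROXY_IP = "10.0.0.2"   # constructed: the NAC DHCP proxy that answers the endpoint
PRODUCTION = {"mask": "255.255.255.0", "router": "10.1.0.1", "dns": "10.1.0.53", "lease": 8 * 3600}
# Quarantine profile: the endpoint lands in a separate subnet whose only gateway and
# resolver is the NAC appliance, and the short lease means a later passed assessment
# is picked up at the next renewal instead of hours later.
QUARANTINE = {"mask": "255.255.255.0", "router": "10.99.0.1", "dns": "10.99.0.1", "lease": 120}

def ip4(addr):
    return ipaddress.IPv4Address(addr).packed

def encode_options(options):
    """Serialize (code, value) pairs as code/len/value and terminate with End (255)."""
    out = bytearray()
    for code, value in options:
        out += struct.pack("!BB", code, len(value)) + value
    out.append(OPT_END)
    return bytes(out)

def decode_options(data):
    """Inverse of encode_options; skips Pad bytes and stops at the End option."""
    opts, i = {}, 0
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = bytes(data[i + 2:i + 2 + length])
        i += 2 + length
    return opts

def offer_options(compliant):
    """Options the proxy puts in its OFFER, chosen by the assessment result."""
    p = PRODUCTION if compliant else QUARANTINE
    return encode_options([
        (OPT_MSG_TYPE, bytes([DHCPOFFER])), (OPT_SERVER_ID, ip4(PROXY_IP)),
        (OPT_SUBNET_MASK, ip4(p["mask"])), (OPT_ROUTER, ip4(p["router"])),
        (OPT_DNS, ip4(p["dns"])), (OPT_LEASE_TIME, struct.pack("!I", p["lease"])),
    ])

def describe(options_bytes):  # readable view of an OFFER, as the endpoint would apply it
    o = decode_options(options_bytes)
    return {"router": str(ipaddress.IPv4Address(o[OPT_ROUTER])),
            "dns": str(ipaddress.IPv4Address(o[OPT_DNS])),
            "lease_seconds": struct.unpack("!I", o[OPT_LEASE_TIME])[0]}
```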
IPSec delivers
Data privacy (by using encryption)
Message integrity (ensuring that a message doesn't change during transmission)
Protection from certain attacks
IPSec also facilitates the negotiation of necessary security algorithms and security key handling processes, addressing IP network security needs.
NOTE
Although a number of NAC solutions use IPSec, IPSec itself doesn't provide the means for network access control, nor is it a method of providing NAC. However, NAC solutions do put the IPSec standard to good use.