One of the most important pieces of any network access control infrastructure is the policy engine. The policy engine is central to a NAC deployment because it controls your entire NAC deployment by creating user access rules and controlling enforcement point in the network infrastructure.
NOTE
NAC central policy engines are called many different names:
Policy engine
Policy decision point
Policy server
NAC manager
NAC controller
The policy engine is responsible for determining whether a device or a particular usage should have access to the network. The policy engine also controls all the enforcement points on the network, whether the policy engine is a network appliance or a software agent running on a desktop machine or network server.
One of the primary roles of a policy engine is to make network access decisions based on access control policies determined by the NAC administrator. The core of the NAC policy typically includes three pieces of information:
NOTE
Network information: Source, destination, port, and protocol
Traditionally, a firewall policy examined the network information. The policy engine incorporates that function.
Endpoint integrity: Identifying hardware, applications, and the security posture of the endpoint.
User identity: Identifying the user and the user's groups.
With NAC, this policy includes network, user, and device information, using the policy engine and its primary job functions.
The policy engine provides a RADIUS service with which the switch can communicate.
In an 802.1X deployment, the policy engine provides the RADIUS server to provide an authentication source for the switch or access point. The policy engine makes the final decision about whether the client should be allowed on the network and what restrictions the client should have. These restrictions can include access controls such as Virtual LANs (VLANs) or Access Control Lists (ACLs).
For a Layer 3 deployment, the enforcement points are controlled by the policy engine, meaning that the enforcement points enforce the policy that the policy engine creates.
NOTE
Here's an example corporate policy: If you're a corporate user on a compliant corporate machine, you can have access to the datacenter or some other protected resource controlled by the Layer 3 enforcement point.
The policy engine verifies user or device identity for any device that connects to the network. For instance, when a corporate user connects to the network, the policy engine verifies the user's credentials against the authentication server (we talk about authentication servers in the section "Authentication server," later in this chapter). If the user has valid credentials, the policy engine performs a group lookup to see what kind of a user is connecting — for example, the user might be an employee in human resources. The controller then knows that the user is a valid employee and should have access to the human resources network or servers. If user authentication is the only part of the policy being enforced, the policy engine can now signal an enforcement point and push a policy that gives the user access.
The policy engine verifies endpoint posture for any device connecting to the network.
|
If a device goes out of compliance (for example, if it doesn't run the correct antivirus software that has the latest virus definition files), you can
Remove the user from the network.
Quarantine the user to another network.
Block the user's access to certain parts of the network.
Pop quiz: Your network needsCan you create and maintain policies in your own NAC deployment?
|
The policy engine creates dynamic network policies that are pushed out to devices on the network and therefore must keep track of them.
For instance, a user receives access to the network because his or her device is compliant and meets all the NAC policies that you've defined, but after gaining access, the user changes his or her device so that it goes out of compliance. You want to make sure that endpoint agent recognizes the changes, communicates the changes with the policy engine, and then takes action on them. You could configure remediation messages so that the user receives a simple message or the network changes to give the user limited access.
|
Although all these functions are relatively simple to manage on their own, the usability and flexibility of the policy engine becomes critical to the success of your deployment when you combine these functions to create complex access policies. There is a potential for management to become very difficult when many functions are used together.
The policy engine's location in your network is a critical deployment consideration.
If your network access control deployment is going to control access for all your users who get on and off the network by controlling devices deployed in the network, you need to place the deployment in a location where all the devices that it's controlling can reach it.
You're adding a layer on top of your network called NAC that can potentially block all users from getting access to the network. Hmm. Users aren't going to be too thrilled if something happens to the policy engine and they can't work. If your NAC goes down, access goes down. Your NAC implementation is a service that controls your network which must always work and be available.
Do your homeworkWhen you evaluate a network access control solution, make sure that the vendor can demonstrate high availability and survivability of the policy engine. You want to make sure that when the primary policy engine goes down, your users can continue to work and connect to the network like nothing has happened. Check the reputation of your network access control vendor:
Doing a little homework can save you many headaches down the road. |
Because you want your NAC to always be on, you need to identify a solution that has high-availability options (such as an active/passive pair of policy engines) that protect you from a large network access outage if one of the policy engines were to explode. High availability means redundancy and backup, and it requires a combination of network design, hardware, and software configurations.