7.1. Analyzing the Terrain

Deploying a NAC solution — in most cases — involves more than simply plugging the solution in and letting 'er rip. Deploying a NAC solution can mean dealing with managed user endpoint devices, such as laptops that the organization owns and operates, and that employees use; and unmanaged devices, such as devices that guest users (including contractors and partners) own and operate.

In some instances, organizations don't provide employees with endpoint devices, instead giving employees a budget and allowing them to pick their own devices. So, how do you control and manage devices in that sort of situation?

In some organizations, you will have to deal with endpoint devices that really don't belong to any particular owner. These devices have an IP address on the network, and users may share them. Many industries operate in this manner, with devices passing between employees from shift to shift. Although your organization manages (meaning it owns and maintains) the devices, different users may run into different issues, be subject to different policies, and so on.

The unmanageables

Some devices that have no clear owners — and may be used and shared by many users — may not be able to accept downloads or identify themselves to a NAC solution in the way that a desktop PC, laptop, handheld, or other user-driven device can. You can categorize these devices as unmanageable because no particular, individual user manages, meaning owns and operates, each unmanageable device. Some examples of unmanageable devices include printers, fax machines, copiers, cash registers, bar code scanners, and even HVAC systems and vending machines.

If a network-connected device that has an IP address doesn't allow a NAC solution to analyze or question it, you may consider that device unmanageable. But even an unmanageable device can serve as an entry point for a malicious person bent on wreaking mayhem on your network or pilfering vital information from it. The malevolent user only has to unplug the unmanageable device from its network jack and plug in their own system to hack or infect the network or steal vital data; or hijack the device's wireless signal to breach the network, and can then potentially launch additional breaches and malware exploits. The inability to control network access by unmanageable devices makes a network vulnerable.

Your NAC solution needs to make sure that any unmanageable device attached to your network acts as expected, day in and day out.
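One way a NAC policy point can watch an unmanageable device "act as expected" is to keep a per-port baseline of what the device normally looks like on the wire and flag any drift. The following is an added example, not code from the book or from any NAC product; the port name, OUI, DHCP vendor class and protocol lists are constructed sample values.

```python
# Added example (not from the book): baseline-profile check for an
# "unmanageable" device such as a printer that cannot run a NAC agent or
# authenticate itself. The NAC policy point only sees what the device
# emits, so it records a fingerprint per switch port (MAC vendor prefix,
# DHCP vendor class, the protocols normally observed) and quarantines the
# port when a live observation no longer matches. All values are constructed.

from dataclasses import dataclass


@dataclass
class PortProfile:
    port: str
    mac_oui: str                   # first three octets of the expected MAC
    dhcp_vendor_class: str         # DHCP option 60 the device normally sends
    allowed_protocols: frozenset   # traffic this device is expected to speak


@dataclass
class Observation:
    mac: str
    dhcp_vendor_class: str
    protocols_seen: frozenset


def oui(mac: str) -> str:
    """Return the vendor prefix (first three octets) of a MAC, lower-cased."""
    return ":".join(mac.lower().split(":")[:3])


def evaluate(profile: PortProfile, obs: Observation) -> tuple:
    """Compare a live observation against the port's baseline.

    Returns (verdict, reasons); verdict is "allow" or "quarantine".
    A single deviation is enough: a different system plugged into the
    printer's jack changes the OUI, the DHCP vendor class, or the set of
    protocols seen, and usually all three.
    """
    reasons = []
    if oui(obs.mac) != profile.mac_oui.lower():
        reasons.append(f"MAC vendor changed: {oui(obs.mac)} != {profile.mac_oui}")
    if obs.dhcp_vendor_class != profile.dhcp_vendor_class:
        reasons.append(f"DHCP vendor class changed: {obs.dhcp_vendor_class!r}")
    unexpected = obs.protocols_seen - profile.allowed_protocols
    if unexpected:
        reasons.append("unexpected protocols: " + ", ".join(sorted(unexpected)))
    return ("quarantine" if reasons else "allow", reasons)


# Constructed baseline: a network printer on switch port Gi1/0/7.
PRINTER_PORT = PortProfile(
    port="Gi1/0/7", mac_oui="00:11:22",
    dhcp_vendor_class="ExamplePrinter/1.0",          # constructed sample string
    allowed_protocols=frozenset({"dhcp", "dns", "ipp", "snmp", "lpd"}),
)
```

The same evaluation runs on every new DHCP lease or link-up event for the port, so the check holds post-admittance as well as at the first connection.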


7.1.1. Authentication

Authentication is a crucial part of most NAC solutions. So, after a user and his or her device attempt to access the organization's network, your NAC solution needs to authenticate both the user and the device; that is, determine that they're who they say they are.

In Chapter 1, we give an airport metaphor for NAC — when you go to an airport, you need to present a valid, government-provided ID to the personnel at the airline customer-service counter, who check to be sure you're who you say you are. That is authentication. These same airline customer service personnel also check to see that you're authorized to fly to your destination; that you have a reservation for that flight to Cucamonga. Well, that process is authorization, and a NAC solution does basically the same thing to you and your endpoint device when you attempt to access a network.

NOTE

A NAC solution checks to see that you and your device are authorized to access the network, and what level of authorization you and your device have on that network — where you can go on the network, what servers and data you can access, and so on — based on several different criteria, often including from where you're attempting to access the network.

7.1.2. Endpoint checking

Throughout this book, we discuss NAC solutions that include the ability to check and analyze endpoint devices that attempt network access so that you can ensure that those devices meet your organization's access policy baseline — for both pre- and post-admittance. Most NAC solutions can check whether the endpoint device features items such as antivirus and other malware protection capabilities; the level of malware protection invoked; and (depending on the NAC solution) even the existence of specific files, applications, registry settings, or security hardware and devices. Many NAC solutions can then leverage this information when deciding whether to grant or deny you and your device network access. A number of NAC solutions can integrate with an organization's existing antivirus or other malware policy servers, leveraging those existing policies for a baseline of access policy. This integration helps organizations because it saves time and energy by allowing your NAC solution to use existing policies, meaning that your organization doesn't have to re-invent the policy wheel. Integration can even help ensure that the NAC solution enforces uniform policies across the organization.

7.1.3. Clients and agents

Some NAC solutions include a client or agent that the solution needs to push or preload automatically (or that the organization needs to preload manually), or even download dynamically, onto a user's device before or during an attempt to access the network. Some NAC solutions provide a Web-based interface for network access, without needing an agent or client of any kind, but others deploy a dissolvable agent or client — an agent or client that lives on a user's device for a limited period of time and ceases to exist after the user leaves the network or shuts down his or her system.

Throughout this book, we write about client-based NAC solutions, solutions that add an appliance to an existing network, and still other solutions that utilize both clients and appliances. You can even find client-less NAC solutions. Some NAC solutions that use a network device can allow their device to deploy inline, serving double duty as a policy server and an enforcement point for access control policies. NAC solutions that include a network device can deploy their appliance out-of-band in an existing network environment.

7.1.4. Scanning the NAC terrain

You can use and deploy NAC solutions to handle a number of pressing security and networking issues, as well as to address your organization's need to comply with industry or government regulations. You can use a NAC solution to address control over wired or wireless access. The NAC solution may be able to interoperate with a number of already-deployed security, compliance, or network infrastructure components in an existing network environment. Some NAC solutions can leverage data from the existing network infrastructure and devices when formulating or updating access control policies, as well as in their access control decision-making process.

Most NAC solutions can also cordon off endpoint devices (whether those devices are managed, unmanaged, or unmanageable) that don't meet or maintain access or network policies. A NAC solution can then repair those devices — manually, semi-automatically, or automatically; on demand, or without human or user intervention; or without the user even knowing — until the devices comply with policy.
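The endpoint checks described in 7.1.2 and the quarantine-until-compliant behaviour described above can be written down as a single posture policy. The following is an added example, not code from the book or from any NAC vendor; the file path, registry key and policy thresholds are constructed, and the same function stands in for both the pre-admittance check and the periodic post-admittance re-check.

```python
# Added example (not the book's or any vendor's code): a minimal endpoint
# posture policy. A Posture is what a NAC agent (or a clientless scan)
# reports about a managed endpoint; a Policy is the organization's access
# baseline. check_posture() runs before admittance and again periodically
# afterwards, so an endpoint that drifts out of compliance is moved to the
# quarantine role and handed a remediation list until it passes again.
# All paths, registry keys and dates below are constructed sample values.

from dataclasses import dataclass
from datetime import date


@dataclass
class Posture:
    antivirus_installed: bool
    realtime_protection: bool
    signature_date: date          # date of the newest malware signatures
    files_present: frozenset      # paths the agent confirmed exist
    registry_values: dict         # key -> observed value


@dataclass
class Policy:
    max_signature_age_days: int
    required_files: frozenset
    required_registry: dict       # key -> required value


def check_posture(policy: Policy, posture: Posture, today: date) -> tuple:
    """Return (role, remediation) for an endpoint.

    role is "full-access" when every check passes, otherwise "quarantine";
    remediation lists what must change, in the order a remediation
    server would apply it.
    """
    todo = []
    if not posture.antivirus_installed:
        todo.append("install antivirus")
    else:
        if not posture.realtime_protection:
            todo.append("enable real-time protection")
        if (today - posture.signature_date).days > policy.max_signature_age_days:
            todo.append("update malware signatures")
    for path in sorted(policy.required_files - posture.files_present):
        todo.append(f"restore file {path}")
    for key, wanted in policy.required_registry.items():
        if posture.registry_values.get(key) != wanted:
            todo.append(f"set {key} = {wanted!r}")
    return ("full-access" if not todo else "quarantine", todo)


# Constructed baseline policy for managed Windows laptops.
BASELINE = Policy(
    max_signature_age_days=7,
    required_files=frozenset({"C:\\ProgramData\\Corp\\agent.conf"}),
    required_registry={"HKLM\\Software\\Corp\\DiskEncryption": "enabled"},
)
```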

So, do you know how many different groups within an organization a NAC solution can affect? Get your best herding horse ready and figure out where you stand.
