Operating modes are the different ways an enforcement point can behave when it controls user access. NAC solutions operate in one of two modes.
The evaluate-only mode lets you examine endpoints, build access policies, and log what those policies would have done, without actually changing anyone's access to network resources. Run in this mode first: it tells you what enforcement would block before you block anything, which is the cheapest way to find broken policies.
Network access control flexes its muscles when it enforces policy. To use the full potential of a NAC solution, enable policy enforcement. Enforcement makes devices and users conform to the policy you define.
When you turn on enforcement, you move from an open access network to a closed access network, which can greatly increase the security of your network.
Most networks today are open access. Users reach resources such as servers, Active Directory, and file shares directly over IP, and nothing on the network authenticates them before they get there. A Web application may have its own login page that asks for credentials, but a user reaches the Web server itself without the network ever authenticating him or her. A datacenter may sit behind a simple firewall that blocks some traffic, but beyond that, access to resources is open and never changes.
Weak security: In an open access network, every user can typically reach every resource, so you have to trust each application to protect itself. If a Web server requires authentication before it serves content, you have to trust that Web server to turn away anyone who doesn't authenticate correctly. Open access exposes the server to application attacks: if the Web server has a vulnerability, anyone on the network can exploit it and gain access to the server, with no network control in the way.
No user-based audit trail: In most networks, the firewall in front of an application has some logging enabled, but when an attack happens, locating the offending user or machine is difficult because the log records only an IP address. DHCP makes the problem worse. Because users get a different IP address each time they plug into the network, you can correlate an IP address to a user or machine only if you also kept the DHCP lease history for that moment and can search it.
Static configuration: The configuration of an open access network doesn't change when the network or its devices change. Many companies tried to solve the datacenter access problem with departmental firewalls, placed between resources, users, or business areas. These firewalls work on the idea that a policy can limit what traffic flows between the areas, but the policy is written in terms of addresses and subnets, so it knows nothing about who or what is behind an address and has to be rewritten by hand every time the network changes.
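The audit-trail problem above is concrete enough to show in code. The following is an added example, not from the original page or any NAC product: it joins constructed firewall drop records to constructed DHCP lease acknowledgements so that a source IP can be attributed to the device that actually held it at that moment. The log formats (syslog-style lines, an ISC-dhcpd-like DHCPACK line, a netfilter-like DROP line), the hostnames, addresses and MACs are all assumptions made up for the example. The IP-only lookup shows why a firewall log alone is ambiguous; the time-aware lookup shows what the lease history adds.

```python
import re
from datetime import datetime

# Constructed sample logs for this example (not captured from a real network):
# ISC-dhcpd-style lease acknowledgements and netfilter-style firewall drops.
DHCP_LOG = """\
Mar  3 08:01:12 dhcp dhcpd: DHCPACK on 10.0.5.23 to 00:11:22:33:44:55 (laptop-alice) via eth0
Mar  3 08:10:40 dhcp dhcpd: DHCPACK on 10.0.5.24 to 66:77:88:99:aa:bb (laptop-carol) via eth0
Mar  3 08:40:05 dhcp dhcpd: DHCPACK on 10.0.5.23 to aa:bb:cc:dd:ee:ff (laptop-bob) via eth0
"""

FW_LOG = """\
Mar  3 07:50:02 fw kernel: DROP IN=eth1 SRC=10.0.5.24 DST=10.0.9.10 PROTO=TCP DPT=445
Mar  3 08:20:30 fw kernel: DROP IN=eth1 SRC=10.0.5.23 DST=10.0.9.10 PROTO=TCP DPT=445
Mar  3 08:55:30 fw kernel: DROP IN=eth1 SRC=10.0.5.23 DST=10.0.9.10 PROTO=TCP DPT=3389
"""

TS = r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
DHCP_RE = re.compile(TS + r".*DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-fA-F:]{17})(?: \((?P<host>[^)]*)\))?")
FW_RE = re.compile(TS + r".*SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*DPT=(?P<dpt>\d+)")


def parse_ts(text):
    # Syslog timestamps carry no year; strptime fills in 1900, which is fine
    # for ordering events that all come from the same day's logs.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_leases(dhcp_log):
    """Return lease assignments as (timestamp, ip, mac, hostname), oldest first."""
    leases = []
    for line in dhcp_log.splitlines():
        m = DHCP_RE.match(line)
        if m:
            leases.append((parse_ts(m["ts"]), m["ip"], m["mac"].lower(), m["host"]))
    leases.sort(key=lambda lease: lease[0])
    return leases


def hosts_ever_holding(leases, ip):
    """IP-only lookup, which is all a firewall log by itself supports:
    every host that ever held the address. With DHCP that is usually several."""
    return sorted({host for _, lease_ip, _, host in leases if lease_ip == ip})


def lease_holder(leases, ip, at):
    """Time-aware lookup: the newest DHCPACK for `ip` at or before `at`.
    Returns (mac, hostname), or None if no lease preceded the event.
    Simplification: lease expiry and DHCPRELEASE are not modeled, so a
    long-silent lease could still be attributed to a host that has left."""
    holder = None
    for ts, lease_ip, mac, host in leases:
        if lease_ip == ip and ts <= at:
            holder = (mac, host)
    return holder


def attribute_events(fw_log, dhcp_log):
    """Join each firewall event to the device holding its source IP at that time."""
    leases = parse_leases(dhcp_log)
    results = []
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        holder = lease_holder(leases, m["src"], parse_ts(m["ts"]))
        results.append({
            "time": m["ts"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dpt"]),
            "mac": holder[0] if holder else None,
            "host": holder[1] if holder else None,
        })
    return results


if __name__ == "__main__":
    for r in attribute_events(FW_LOG, DHCP_LOG):
        print(f"{r['time']} {r['src']} -> {r['dst']}:{r['dport']} "
              f"device={r['host'] or 'UNKNOWN'} mac={r['mac']}")
```

Two things to notice. The first firewall event happens before any lease for its address exists in the log, so the correct answer is "unknown", and the code says so rather than guessing. And even the time-aware answer still trusts the SRC field: if the sender spoofed its source address, this correlation attributes the traffic to an innocent lease holder, which is the weakness of IP-based logging that the later note on IPSec enforcement addresses.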
Network access control allows you to create a closed access network. A closed access network blocks everyone from everything by default. To reach a resource, an administrator has to explicitly create or allow that access.
Security: When you have closed access, you can create a network that opens up access to resources under conditions that you control. In other words, you control what users can and can't see on the network.
You may want to create a network that allows access to a finance server only after the user provides credentials proving that he or she works in finance. You can then add rules that protect the finance server further, for example a policy that grants access only when the user's machine has an up-to-date antivirus client. You can sleep at night knowing that only finance users with updated antivirus can reach the finance data, and nobody else. Layer traffic logging on top to create an audit trail, so that if there is a data access violation, you can identify which finance user to talk to.
Risk mitigation: With a closed access network, you choose which machines you want on your network. You can create rules that place potentially risky machines in a restricted, or quarantined, network, while the machines you decide are safe get access to the corporate network. This quarantine process greatly reduces your risk because you separate your risky machines from the rest. Think of it like preschool. If you know that one of the kids has lice, you don't put him or her with the other kids; you separate him or her and get rid of the lice. Once the lice are gone, he or she can go play with the other kids again.
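The finance-server policy and the quarantine rule above are, in effect, a small decision function, and writing it out makes the closed-access default visible. What follows is an added example, not code from the original page or from any NAC vendor. It models the policy decision a NAC enforcement point would make for one endpoint: default deny, authentication required, a posture check on antivirus age and on the endpoint agent, and then access granted only by group entitlement. The resource names, the group names, the three-day antivirus threshold and the audit record layout are all assumptions invented for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    user: str               # identity proven by authentication ("" = none)
    groups: frozenset       # directory groups the user belongs to
    av_age_days: int        # days since the antivirus client last updated
    agent_reporting: bool   # endpoint agent installed and reporting posture


@dataclass(frozen=True)
class Decision:
    zone: str               # "corporate", "quarantine" or "deny"
    resources: frozenset    # resources the enforcement point will allow
    reason: str             # recorded in the audit trail


AV_MAX_AGE_DAYS = 3         # illustrative posture threshold (assumption)

# Resource -> group that may reach it (None = any authenticated, healthy user).
# Anything not listed here is unreachable: that is the closed-access default.
RESOURCE_RULES = {
    "finance-server": "finance",
    "hr-server": "hr",
    "intranet-portal": None,
}

# The quarantine network sees only what it needs to get healthy again.
QUARANTINE_RESOURCES = frozenset({"remediation-server"})


def decide(ep):
    """Closed-access policy: nothing is allowed unless a rule grants it."""
    if not ep.user:
        return Decision("deny", frozenset(), "no valid credentials")
    if not ep.agent_reporting:
        return Decision("quarantine", QUARANTINE_RESOURCES,
                        "endpoint agent not reporting posture")
    if ep.av_age_days > AV_MAX_AGE_DAYS:
        return Decision("quarantine", QUARANTINE_RESOURCES,
                        f"antivirus {ep.av_age_days} days out of date")
    granted = frozenset(res for res, group in RESOURCE_RULES.items()
                        if group is None or group in ep.groups)
    return Decision("corporate", granted,
                    "posture OK; access limited to group entitlements")


def audit_record(ep, decision, src_ip):
    """Audit entry keyed on the authenticated identity, not only the IP,
    so an investigator gets a user to talk to rather than a lease to chase."""
    return {
        "user": ep.user or "<unauthenticated>",
        "src_ip": src_ip,
        "zone": decision.zone,
        "resources": sorted(decision.resources),
        "reason": decision.reason,
    }


if __name__ == "__main__":
    # Walk-through: a finance user, first with stale AV (quarantined), then
    # after remediation (corporate network, finance server reachable).
    stale = Endpoint("alice", frozenset({"finance"}), av_age_days=10, agent_reporting=True)
    fixed = Endpoint("alice", frozenset({"finance"}), av_age_days=0, agent_reporting=True)
    for ep in (stale, fixed):
        print(audit_record(ep, decide(ep), "10.0.5.23"))
```

The order of the checks matters: posture is evaluated before entitlements, so a finance user with stale antivirus lands in quarantine with no finance access, and re-evaluating the same user after the signatures are updated returns him or her to the corporate network, which is the lice-and-preschool cycle from the text. An engineering user passes posture but receives only the portal, because nothing grants the finance server to that group.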
NOTE
A closed access network adds a lot of complexity to your network, and troubleshooting gets harder as complexity goes up. Simple problems, such as a user not getting an IP address, can suddenly become much more difficult, because you now have to consider other causes. Do the users have valid credentials? Is the software on the machine up to date? Is the endpoint agent on the device configured correctly?
In a closed access network, a user typically has to authenticate before he or she can access resources. Depending on the configuration, this authentication can make the user experience more cumbersome. In other words, if a user has to provide his or her credentials again before he or she can get on the network, you're adding one more step before a user can be productive. You need to reach a delicate balance between open access and closed access.
If you're thinking about using NAC, you've likely decided that you want a closed access type of network. You need to decide how closed a network you want to create. By moving to a closed access network, you can create a network that's so closed it diminishes user productivity. You need to be very careful when you start taking away user access. You can actually go too far and make the network so restrictive that users can't get their day-to-day work done. NAC gives you great power. And as the saying goes, with great power comes great responsibility.
NOTE
The log data that network access control gives you can usually help you meet certain regulatory requirements. If your organization has to follow such regulations, add logging to your product evaluation plans. Logging has the most value for auditing when the enforcement point that produces it can actually enforce policy. Logging or enforcement based on the source IP address isn't 100-percent reliable: a malicious user can spoof an IP address, which makes that data inaccurate and lets an attacker hide behind another user's address. If you need logging and enforcement information you can rely on in an outside inquiry or investigation, use an enforcement technology that binds traffic to an authenticated identity, such as IPSec enforcement.
NOTE
Not all enforcement mechanisms are equal. Each type of enforcement plays a different role in network access control, and each sits at a different point in the path, so you probably want to combine at least two types.
The technologies that NAC most commonly uses for enforcement are:
Inline enforcement
Firewall enforcement
IPSec enforcement
Host-based enforcement
802.1X enforcement
SNMP-based enforcement
ARP-based enforcement