Follow several incremental steps to appropriately ensure that the chosen vendor's solution meets your needs and that the full rollout will go smoothly. In our experience, most organizations follow a typical four-point deployment, as shown in Figure 11-1:
1. Proof-of-concept test
2. Pilot implementation
3. Larger scale rollout focusing on evaluating policies, rather than enforcing them
4. Full deployment of the NAC program
Your company may use a slightly different phased deployment, but understanding what goes on in each phase can help you form your own plan, even if you don't use the deployment steps that we detail in this chapter.
You typically first do a proof-of-concept test on a vendor's equipment. This test lets you determine major roadblocks that you might run into when you move forward into the deployment. In this phase of testing, you want to work with key stakeholders in the organization to ensure that the proposed NAC solution meets their needs:
- Network architects or designers: They want to ensure that the NAC solution meets the security objectives set forth in the policies.
- Network administrators: These stakeholders want to ensure that the system is manageable and user-friendly, and that it offers the appropriate level of visibility into events and traffic on the network. They also want to ensure that any software-based agents work on standard corporate machines, and other potential endpoint systems, such as those belonging to guest users that might be connecting to the network.
- Helpdesk personnel: They want to make sure that they have access to the appropriate troubleshooting tools, as well as logging and auditing capabilities. In addition, they want the system to appear seamless to the end users, thereby minimizing incoming helpdesk calls.
- End users: The entire cast of people involved in the proof of concept should realize that end users just want to get their work done. They want easy access to the network — they don't want to deal with loss of connectivity, figure out how to patch their machines, or worry about the intricacies of network access control!
Do a proof of concept on a small scale, making many of the policies and configurations similar to what you plan to eventually roll out across the organization. You want to assess the solution at a high level and identify potential product gaps or redesigns that you need to do before moving on to the pilot implementation.
You can frequently do the test itself in conjunction with your vendor or systems integrator. Don't be afraid to leverage these folks for information about how to conduct a proof of concept or how to design the solution. They deal with these products on a daily basis and have a lot of in-depth deployment knowledge that you can tap into. In many cases, because they also provide equipment and facilities for the proof of concept, they're already involved, so use the opportunity to take them for a test drive. You can ensure that they really offer the support that they promise, and at the same time, you can validate the marketing claims that they made during their sales pitch.
After the successful selection of vendor and proof of concept, you're ready for the pilot implementation.
NOTE
The pilot implementation involves a larger group of users. It's the final test of the design and implementation before you roll out NAC to the rest of the organization.
Keep the same set of stakeholders that you involved in the proof of concept when you move on to the pilot implementation, but also open the test to a larger group of end users so that you can get their feedback.
You may find selecting the appropriate group of end users challenging — they don't really have a lot to gain by participating in the pilot, and they don't necessarily know enough about NAC technology or the goals of the stakeholders to provide adequate feedback. Follow these guidelines when choosing end users for your pilot implementation:
- Choose end users that have the time and willingness to participate.
- Choose end users who know enough about technology to provide valuable feedback. They don't need to be technical experts, but they should have a base level of technical knowledge, such as
  - A working proficiency with PCs
  - Some level of networking or security knowledge
- Select a group of participants who represent the broadest possible cross-section of endpoint devices, operating systems, and corporate-application and data-access requirements.
- Provide adequate training for the pilot participants for these reasons:
  - To increase the likelihood of a successful pilot because end users know what they're testing and why
  - To get a chance to refine training tools and delivery before you roll out NAC to the broader end-user community
After you choose the participants, you can begin the pilot test in much the same way that you start the proof of concept (as discussed in the preceding section). When you design the pilot test, you must identify the testing methodology and the critical success factors:
- When you begin the pilot, carry forward any findings from the proof-of-concept testing. You might learn, for example, how
  - Certain policies will require you to change software on your endpoint devices.
  - Changes need to be made to your corporate directory to support the role-based policies that you want to create when rolling out NAC.
- Document any potential problem areas uncovered during the pilot so that you can ensure they're tested thoroughly in the controlled pilot environment. For example, say that the NAC solution you're testing includes an 802.1X supplicant. You encounter installation issues with that supplicant on a machine during proof-of-concept testing, so you need to ensure that the issue doesn't persist on multiple machines when you roll out the pilot to the test group.
Some of the questions that you might want to answer during this phase of the deployment testing include
- Does the proposed vendor's solution work with your existing network and security infrastructure? If not, what type of upgrades might you need in order to fit NAC into your environment?
- Does the vendor's client software consistently work with the types of systems and machines that you have running on your network?
- Is the end-user interaction smooth and trouble-free? Do non-technical end users have any problems getting on the network? Does automatic remediation of the endpoint device work with minimal end user interaction?
- Do all your end users get access to the appropriate data and applications that they need to get their jobs done?
- Does your intended NAC solution properly account for guests, partners, contractors, and any other third parties on the network?
- Does the solution meet your needs in relation to both threat prevention and threat containment/control? Can it properly mitigate attacks on the network from authorized users?
- What type of reporting capabilities does the NAC solution offer? Can you easily provide key reports to management and other interested parties?
- Does the solution properly log end-user access in accordance with the company's compliance (such as Sarbanes-Oxley, HIPAA, and PCI) needs? Are the logs granular enough to allow you to conduct proper troubleshooting and network-event analysis?
- Does the NAC solution tie in with your existing network management and analysis tools?
Use the questions in the preceding list as a starting point, but generate a list of questions specific to your organizational needs and environment. We've seen Requests for Proposals (RFPs) that include hundreds of questions that each NAC vendor needs to answer about how a NAC solution fits.
Always keep in mind the current environment, your end users, and your administrators. The impact of NAC on each of those three categories can mean the difference between success and failure for your NAC implementation.
Regardless of the format that you choose, the test plan document becomes a key communication vehicle that indicates how you plan to run the test, who's responsible for what, time constraints, and key success factors. Given this huge task, the pilot test plan is crucial. To give you an idea of what your pilot test plan might look like, we provide a sample test plan in the following sections.
The following test plan is basic — probably more basic than the one that you need to create — but it gives you an idea of the key elements that you should incorporate into your plan.
This pilot test plan outlines the scope, goals, and deliverables for the For Dummies, Inc. network access control implementation. Upon successful completion of this project, For Dummies, Inc. plans to move forward with an enterprise-wide production implementation of network access control from XXXYYYZZZ Networks.
The overarching goal of the network access control project is to provide a much stronger level of network security on the For Dummies, Inc. network than currently exists. While our workforce becomes more mobile and our network opens to a broader set of devices and users, implementing identity-based access control has moved from a nice-to-have feature to a must-have component on our networks. After we complete the project, NAC will authenticate all users on the network and check those users' machines for an appropriate security posture before allowing access to any sensitive information on the network. If a user fails any of these checks, the NAC solution will quarantine him or her, and provide extremely limited access only to non-sensitive network resources and the Internet.
This pilot involves stakeholders from across the organization who, with assistance from the vendor, will refine the proposed implementation and ensure that the NAC solution will meet the needs of For Dummies, Inc. Table 11-1 shows the targeted stakeholders that will be involved in the implementation. Because the NAC implementation involves coordination across so many groups within For Dummies, Inc., a successful pilot will involve not only a technology readiness assessment, but also an organizational readiness assessment — ensuring that each team can work closely with the others.
Role/Title | Department | Number of Users | Responsibility |
---|---|---|---|
CSO | Corporate IT | 1 | Final approval of NAC implementation |
Security architect | Corporate IT | 1 | NAC architecture design |
Network administrator | Corporate IT | 5 | NAC implementation in test network |
Network administrator | Each business unit (units A, B, and C) | 3 | Business unit liaison/implementation in business unit network |
Helpdesk personnel | Corporate IT | 4 | Troubleshoot user issues, evaluate tools and end-user impact |
End users | Business units A, B, and C | 30 | Test and evaluate end-user impact |
Sales engineer | Vendor | 1 | Design and implementation support |
Support engineer | Vendor | Multiple | Vendor support liaison |
This document describes the project, timelines, and goals of the For Dummies, Inc. Network Access Control deployment, and isn't intended to be a full description of the pilot configuration and NAC technology. Those details should be documented elsewhere in the appropriate design documents and vendor descriptions, and should go hand-in-hand with this pilot test plan description.
The goals of the pilot test are to ensure that
- The chosen network access control solution can adequately protect against insider threats, which are outlined in the requirements of the For Dummies, Inc. corporate security policy document.
- Implementation of this technology will have minimal impact on For Dummies, Inc. end users. End users shouldn't have significant barriers to full network access, nor should they need to interact often with the chosen technology.
- End-user training and support methodologies are refined prior to a full-scale deployment.
- The needs of every business unit within the organization are met.
- The helpdesk can appropriately field questions and troubleshoot issues raised by end users.
- The management tools provided by the vendor meet the needs of the For Dummies, Inc. network administrators.
- The cross-functional team chosen to lead the NAC implementation can work together successfully, despite their differing goals and objectives.
- The chosen access control, logging, and reporting tools meet the Sarbanes-Oxley Act compliance requirements for both control and auditing.
The pilot team, with the exception of the end users, will meet on a weekly basis to review schedules and milestones, discuss past and current issues and progress, and ensure that the entire pilot team has adequate cross-functional communication. An e-mail alias ([email protected]) will provide an outlet for end-user feedback and intra-team e-mail.
Prior to the start of the pilot test, the network administrators will fully train end users in how to use the draft training materials created by corporate IT. The administrators will also bring end users up to speed on the goals of the NAC implementation, the goals of the pilot, and key areas in which feedback is most valuable. End users will document all feedback via e-mail to the NAC team e-mail alias or in trouble tickets when they open helpdesk tickets. The pilot team will summarize the results of this feedback and present it prior to the weekly pilot team meeting.
The pilot implementation will be conducted on a non-production network for the duration of the test. Pilot testers will use a second wireless network deployed for this purpose. This wireless network requires successful authentication into the NAC solution via 802.1X before the user is granted any access onto the network. No non-pilot end users can access this network — For Dummies, Inc. will force them to stay on the production network. The network administration team has staged vendor gear, in addition to all other required network equipment and software, for deployment onto this network, with the goal of replicating the production environment as closely as possible.
The pilot test is scheduled to last three months from start to finish, with an aggressive deployment timeline thereafter. If, after three months, the pilot NAC implementation hasn't successfully reached its major goals, the pilot team, including the Security Architect, will re-evaluate the solution, with final sign-off on forward plans conducted by the CSO. If either the vendor or For Dummies, Inc. considers the existing challenges insurmountable, the team will explore alternative solutions.
Table 11-2 shows the proposed timeline for the various milestones that are targeted for the pilot implementation.
Requirement | Responsibility | Completion Date |
---|---|---|
End-user recruitment | Business unit network administrators | One month prior to pilot |
Network equipment procurement | Network administrator (Corporate IT) | One month prior to pilot |
NAC pilot equipment procurement | Sales engineer (Vendor) | One month prior to pilot |
Test design plans | Security architect | Two weeks prior to pilot |
End-user training | Network administrator (Corporate IT) | One week prior to pilot |
Pilot go-live approval | All stakeholders | Day 0 |
User feedback | End users | Continuous |
Helpdesk feedback | Helpdesk personnel | Continuous |
Operational feedback | All network administrators | Continuous |
Status review meeting | All stakeholders | Weekly |
Mid-pilot milestone review | All stakeholders | Week 6 |
Pilot end | | Week 12 |
Final recommendations | All stakeholders | Week 13 |
Production rollout approval | CSO/all stakeholders | Week 14 |