Article - NAC, excellent solution, what was the problem?


NAC is one of those interesting technologies. It’s an amazing solution, but you have to step back and ask what problem you were trying to solve. Another frustration and quandary is that NAC as a general term, like network management, embraces a wide variety of solutions, some of which seem to be a big stretch from what NAC is supposed to be. Conversely, I get frustrated with the simple thinking that merely controlling access will protect assets once access has been granted.

Let’s start with the term NAC. If you look at Cisco’s definition, it is Network Admission Control. If you look at Juniper Networks, they seem to define it more as Network Access Control, though they use the term UAC to differentiate it as Unified Access Control. We have Microsoft entering the fray with NAP, defined as Network Access Protection. Right off the bat, we can’t seem to agree on anything except that “N” means network; then again, we seem to have difficulty using the same approach for wired and wireless networks, so perhaps even the N isn’t well understood here.

I’m not going to touch on the various standards and standards groups; I prefer to stay with concepts. I’m certainly not a fan of terms like supplicants, or of needing to know that one needs this thing called a supplicant before proceeding.

NAC is a great example where it’s important to first define the problem you want to solve before looking, touching, discussing or evaluating the solutions out there. This discussion needs to occur at all appropriate levels too. Network managers have a different take on the problem and solution than CIOs. I would argue the perspectives are different and need to be addressed before selecting a strategic approach. My opinion is that most NAC projects fail because they haven’t considered, quantified or valued the assets or business needs appropriately.

Let’s step back further into the issue. It all comes down to having varying degrees of priority or concern about:
- What is accessing your network?
- Who is accessing your network?
- What are they (device or user) doing/carrying on your network?
- What are you trying to protect or restrict access to?
- Where are they going?
- When are they doing this?
- At what rate are they using your network resources?
- Will you have the ability to control (i.e. install software) on all devices on your network? What if you have guests and cannot control the device?
- How flexible is the solution to change and how strong or cumbersome is the change control process?

How you prioritize the items above will dictate a different solution. I always equate this to buying a phone or smartphone. I don’t believe there is a perfect solution; it depends on your prioritization of needs for basic phone capability, scheduling, email, web browsing experience, texting, camera (with or without flash), voice recording, ability to play music, sync issues and methods, memory capacity, weight, compatibility with corporate systems and lastly budget. So it is with NAC: if you’re more concerned with what a user or device is doing than with what connects to your network, it’s conceivably a very different approach and solution.

I also like to break it down in terms of managed devices versus unmanaged devices and authorized versus unauthorized users. I’m a big fan of role-based security. I think the NAC approach that just addresses admission control is far too simplistic and doesn’t really address security adequately. I’m very concerned about where a person can go on a network and what they are doing on the network, but that’s my personal prioritization.

If all you want to do is control who (as defined by what device, e.g. a laptop) can join a network, there are 802.1X standards-based solutions to address this. At the even lower end of the scale, I’ve seen customers deploy quite effective, simple MAC authentication solutions. While simple MAC may be effective for wired networks and for keeping rogue guests, contractors and such off of your networks, it certainly should never be used as the only method for wireless. Simple MAC will prevent the incapable and uninformed rogue guests (think sales people and contractors without any sense of security) from gaining entry to your network without your permission. However, this isn’t secure at all and can be easily defeated with MAC spoofing, or by knowing the IP ranges and trying to find an unused static address. HOWEVER, something is better than nothing, and WAY too many sites have nothing and can’t make or imagine the leap to full security.
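If you do run a simple MAC allow-list, the least you can do is audit what the switches see against it. The script below is an added example written for this article, not code from the article or from any vendor named in it. It replays a constructed switch link-event log (the line layout, switch and port names and MAC addresses are all invented) and reports the two symptoms a MAC-only scheme can actually show you: an address that is not on the allow-list coming up on a port, and an allow-listed address coming up on a second port while its first session is still active, which is how a copied address presents from the network side.

```python
import re
from dataclasses import dataclass

# Constructed sample of switch link/port-security events (not a real vendor format).
# Line layout: <timestamp> <switch> <port> <link-up|link-down> mac=<address>
SAMPLE_LOG = """\
2009-01-12T08:00:01 sw1 Gi1/0/5 link-up mac=00:11:22:33:44:55
2009-01-12T08:00:07 sw1 Gi1/0/9 link-up mac=00:11:22:33:44:66
2009-01-12T08:15:30 sw2 Gi1/0/2 link-up mac=00:11:22:33:44:55
2009-01-12T08:20:00 sw1 Gi1/0/9 link-down mac=00:11:22:33:44:66
2009-01-12T08:25:00 sw1 Gi1/0/9 link-up mac=DE:AD:BE:EF:00:01
"""

# Constructed allow-list of managed devices (hypothetical addresses, lower case).
ALLOWED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<switch>\S+) (?P<port>\S+) (?P<event>link-up|link-down) "
    r"mac=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class LinkEvent:
    ts: str
    switch: str
    port: str
    event: str   # "link-up" or "link-down"
    mac: str     # normalised to lower case


def parse_line(line):
    """Parse one log line into a LinkEvent, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return LinkEvent(d["ts"], d["switch"], d["port"], d["event"].lower(), d["mac"].lower())


def audit(log_text, allowed_macs):
    """Replay link events in order and return (kind, mac, detail) findings.

    'unknown-mac'   : an address outside the allow-list came up on a port.
    'duplicate-mac' : an allow-listed address came up on a second port while
                      its earlier session was still up.
    """
    active = {}      # mac -> set of (switch, port) currently linked up
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        here = (ev.switch, ev.port)
        if ev.event == "link-down":
            active.get(ev.mac, set()).discard(here)
            continue
        if ev.mac not in allowed_macs:
            findings.append(("unknown-mac", ev.mac, f"{ev.switch} {ev.port} at {ev.ts}"))
        elif active.get(ev.mac):
            prior = ", ".join(f"{s} {p}" for s, p in sorted(active[ev.mac]))
            findings.append(("duplicate-mac", ev.mac,
                             f"already up on {prior}; now {ev.switch} {ev.port} at {ev.ts}"))
        active.setdefault(ev.mac, set()).add(here)
    return findings


if __name__ == "__main__":
    for kind, mac, detail in audit(SAMPLE_LOG, ALLOWED_MACS):
        print(f"{kind:14} {mac}  {detail}")
```

On the sample log this flags the first allow-listed address when it appears on sw2 while still up on sw1, and the unknown address on the port that the second laptop vacated. Note what the audit cannot tell you: a duplicate that is only ever active after the legitimate device has unplugged looks identical to the legitimate device, which is the article's point that MAC alone is not an authentication method.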

I have a lot of grief with a variety of endpoint security products. On principle, how can I trust an endpoint to self-assess (think loan applications) and be truthful? Sure, maybe I can require a client and deal with various gyrations to make sure it’s an authorized client that hasn’t been tampered with, but ultimately, if the system has been breached, it can “lie” about its security posture. Also, security posture can change: some vendors only check the posture upon network admission, after which it’s possible to turn off the endpoint security and continue unhindered. This seems somewhat like a vehicle inspection saying a vehicle is safe and then having that safe and certified vehicle engage in unsafe driving or carry malicious and dangerous cargo. So it is with data: just because the endpoint is safe (again, as ultimately deemed by itself) does not mean that it’s doing safe activities, nor does it guarantee that a dangerous unknown or undiscovered application is not installed on it. Myself, I prefer to focus on the actions of the system/user and on not allowing entry to unauthorized areas. I need to make sure it is safe before allowing entry, but then continue to observe behavior on the network in terms of content and destinations. This is similar to simple concepts like URL filtering: don’t allow a good person or device to do bad things. Just because an employee passes background checks (endpoint security), that does not mean they won’t do inappropriate things. Somewhat akin to trust, but validate.

In terms of the actions of a user or device, we again need to separate device and user. A device needs to be a managed or approved device, a user must be authenticated (perhaps even with strong authentication techniques), and then ultimately a role or profile should be used to dictate where a user/device can go. Behavior is a general term: it’s not just where they go, nor just the data payload (content), but also the rate concern in terms of traffic anomalies.
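The difference between the two previous paragraphs, checking posture once at the door versus checking posture, role and rate for as long as the session lasts, is easiest to see by replaying one event stream through both policies. The model below is an added example written for this article, not code from the article or from any NAC product; the event shapes, role table, required controls, byte budget and device names are all constructed for illustration. An "admission-only" engine evaluates the self-reported posture at admission and never looks again; a "continuous" engine re-evaluates each later posture report, checks every flow against the device's role, and keeps a sliding byte budget per device.

```python
from collections import defaultdict, deque

# Constructed role table: destination zones each role may reach (hypothetical).
ROLE_ZONES = {
    "employee":   {"intranet", "internet"},
    "contractor": {"internet"},
}

# Constructed posture rule: every listed control must report "on" (hypothetical).
REQUIRED_CONTROLS = {"av", "firewall", "patched"}

# Constructed rate policy: bytes allowed across the last N traffic events per device.
RATE_LIMIT_BYTES = 10_000_000
RATE_WINDOW_EVENTS = 3


def posture_ok(posture):
    """True when every required control is reported on by the (self-reporting) agent."""
    return REQUIRED_CONTROLS <= {name for name, on in posture.items() if on}


def evaluate(events, mode):
    """Replay NAC events under mode "admission-only" or "continuous".

    Event shapes (constructed for this example):
      ("admit",   device, role, posture)       posture checked, session created
      ("posture", device, posture)             later self-report from the agent
      ("traffic", device, dest_zone, nbytes)   a flow the network sees
    Returns a list of (device, dest_zone, verdict), one per traffic event.

    admission-only: posture is checked once at admission; afterwards any traffic
                    from an admitted device is allowed and later reports are ignored.
    continuous:     every flow is checked against current posture, the device's
                    role and a sliding-window byte budget.
    """
    sessions = {}                                  # device -> {"role", "state"}
    recent = defaultdict(lambda: deque(maxlen=RATE_WINDOW_EVENTS))
    verdicts = []
    for ev in events:
        kind, device = ev[0], ev[1]
        if kind == "admit":
            role, posture = ev[2], ev[3]
            state = "admitted" if posture_ok(posture) else "quarantined"
            sessions[device] = {"role": role, "state": state}
        elif kind == "posture":
            if mode == "continuous" and device in sessions:
                sessions[device]["state"] = "admitted" if posture_ok(ev[2]) else "quarantined"
        elif kind == "traffic":
            dest, nbytes = ev[2], ev[3]
            s = sessions.get(device)
            if s is None:
                verdicts.append((device, dest, "deny:not-admitted"))
            elif s["state"] == "quarantined":
                verdicts.append((device, dest, "deny:posture"))
            elif mode == "admission-only":
                verdicts.append((device, dest, "allow"))      # nothing else is ever checked
            elif dest not in ROLE_ZONES.get(s["role"], set()):
                verdicts.append((device, dest, "deny:role"))
            else:
                recent[device].append(nbytes)
                if sum(recent[device]) > RATE_LIMIT_BYTES:
                    verdicts.append((device, dest, "deny:rate"))
                else:
                    verdicts.append((device, dest, "allow"))
    return verdicts


# Constructed event stream: lap-1 switches its AV off after admission,
# lap-2 is a contractor heading for the intranet, lap-3 bursts traffic,
# and lap-9 was never admitted at all.
GOOD = {"av": True, "firewall": True, "patched": True}
SAMPLE_EVENTS = [
    ("admit",   "lap-1", "employee",   GOOD),
    ("admit",   "lap-2", "contractor", GOOD),
    ("admit",   "lap-3", "employee",   GOOD),
    ("traffic", "lap-1", "intranet", 200_000),
    ("traffic", "lap-2", "intranet", 50_000),
    ("posture", "lap-1", {"av": False, "firewall": True, "patched": True}),
    ("traffic", "lap-1", "intranet", 200_000),
    ("traffic", "lap-3", "internet", 6_000_000),
    ("traffic", "lap-3", "internet", 6_000_000),
    ("traffic", "lap-9", "internet", 100),
]


if __name__ == "__main__":
    for mode in ("admission-only", "continuous"):
        print(mode)
        for device, dest, verdict in evaluate(SAMPLE_EVENTS, mode):
            print(f"  {device} -> {dest}: {verdict}")
```

Under "admission-only" every flow from an admitted device is allowed, including the contractor on the intranet, the laptop whose AV was switched off after admission, and the burst. Under "continuous" each of those is denied for its own reason while the same benign flows still pass. The posture report is still the agent's own word either way; the continuous engine only narrows the window in which a false report buys anything, which is why the article pairs it with watching destinations and rate on the network side.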

Some folks also use NAC to make sure endpoints have current patches installed, host firewalls in place with certain policies, current and approved AV, etc. There’s even consideration for various approaches to either whitelisting and/or blacklisting applications. Depending upon your needs and challenges, this can be layered on as well.

So, what realistic options are there?

Wireless Networking solutions

  1. Consider a wireless DMZ; HOWEVER, I consider this approach very old school in terms of current offerings. I also don’t want wireless guests doing inappropriate things on the internet originating from my network block, or showing inappropriate images on their screens in my workplace, nor do I want them consuming inappropriate amounts of my precious bandwidth in competition with my business needs. I also don’t want to provide dedicated hardware just for them and consume precious RF spectrum just for guests without deriving any benefit.
  2. There are a wide variety of very good, fresh, strong approaches to wireless that offer stateful role-based capabilities that can be blended with endpoint options.
  3. Rate limiting is fairly easy to implement as well with the better wireless solutions.
  4. The great news is that in terms of wireless networking, this is rather simple to do and extremely capable and secure.

Wired Networking solutions

Wired unfortunately has more problems than wireless, though things are getting better. These are often compounded by technical issues with certain vendors that have real problems dealing with VLANs and trunking those VLANs across a switched architecture. Start with simple design basics:
  1. Segment! Separate high-value servers from users. A simple concept that most companies still don’t do. Most today understand the importance of a DMZ for public-facing servers, but don’t yet separate internal business servers from users, or even servers from each other. Think containment and segmentation, very easy to do in principle with current high-performance multi-port firewall solutions. I’m personally more concerned about protecting servers (high-value corporate assets) from users (authorized or not) than about protecting a network of servers and users from outsiders.
  2. Look at using role-based solutions to define where users can go and what kind of traffic is allowed, and consider inspecting the traffic contents for threats.
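Segmentation as described in the two points above is, at its core, a default-deny policy between zones, plus a way of noticing when someone has punched an over-broad hole in it. The script below is an added example written for this article, not code from the article or from any firewall product; the address plan, zone names, ports and flows are constructed for illustration. It classifies each end of a flow into a zone by prefix, allows only the listed zone-to-zone rules (everything else, including the reverse direction and users talking straight to the database tier, is denied), and includes a small lint that reports any rule opening a server zone with a protocol or port wildcard.

```python
import ipaddress

# Constructed address plan: each zone is one prefix (hypothetical values).
ZONES = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "app":   ipaddress.ip_network("10.20.0.0/24"),   # internal business application servers
    "db":    ipaddress.ip_network("10.20.1.0/24"),   # database servers
    "dmz":   ipaddress.ip_network("192.0.2.0/24"),   # public-facing servers
}
SERVER_ZONES = {"app", "db"}

# Constructed inter-zone policy: (src_zone, dst_zone, proto, dst_port).
# proto "any" or port None is a wildcard. Anything not listed is denied, so
# users never reach the database tier directly and tiers cannot reach back.
ALLOW_RULES = [
    ("users", "app", "tcp", 443),    # users use the application over HTTPS only
    ("users", "dmz", "tcp", 443),
    ("dmz",   "app", "tcp", 443),    # public web tier calls the internal app tier
    ("app",   "db",  "tcp", 5432),   # only the app tier talks to the database
]


def zone_of(ip):
    """Map an address to its zone name, or "other" if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "other"


def rule_matches(rule, src, dst, proto, port):
    s, d, p, pt = rule
    return s == src and d == dst and p in ("any", proto) and pt in (None, port)


def decide(src_ip, dst_ip, proto, dst_port, rules=ALLOW_RULES):
    """Default-deny decision for one flow crossing a zone boundary."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"   # same zone: no boundary crossed, not this firewall's job
    for rule in rules:
        if rule_matches(rule, src, dst, proto, dst_port):
            return "allow"
    return "deny"


def evaluate_flows(flows, rules=ALLOW_RULES):
    return [(flow, decide(*flow, rules=rules)) for flow in flows]


def overbroad_rules(rules):
    """Lint: rules that open a server zone with a protocol or port wildcard."""
    return [r for r in rules if r[1] in SERVER_ZONES and (r[2] == "any" or r[3] is None)]


# Constructed flows, one per check a practitioner would want to see.
SAMPLE_FLOWS = [
    ("10.10.5.7",    "10.20.0.10", "tcp", 443),    # user -> app HTTPS
    ("10.10.5.7",    "10.20.1.10", "tcp", 5432),   # user -> db directly
    ("10.20.0.10",   "10.20.1.10", "tcp", 5432),   # app -> db
    ("10.20.1.10",   "10.20.0.10", "tcp", 22),     # db -> app (reverse direction)
    ("10.10.5.7",    "10.20.0.10", "tcp", 22),     # user -> app SSH
    ("198.51.100.9", "10.20.0.10", "tcp", 443),    # address outside the plan
]


if __name__ == "__main__":
    for flow, verdict in evaluate_flows(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow}")
    print("over-broad:", overbroad_rules(ALLOW_RULES + [("users", "app", "any", None)]))
```

The policy is deliberately written in terms of zones rather than individual hosts, which is what keeps it small enough to review; a real multi-port firewall would carry the same table as interface-to-interface rules. The lint is the part worth keeping around: a "users to app, any" rule is exactly the shortcut that quietly undoes point 1.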

This article barely scratches the surface, but we’re here to help and offer our expertise and guidance to find the ideal solution to match your concerns and budget expectations.

Author:
Werner Schmidt, CISSP
Date: January 2009
