Evaluating network access control: NAC policy enforcement matters

After thinking through your usage cases for NAC, select the enforcement approach that meets your security requirements, budget and complexity tolerance.

Network access control (NAC) tools can provide greater control over the many stripes of users needing access to an organization's networks. CIOs considering NAC as part of their overall security strategy must identify the primary scenarios for NAC: guest networking, endpoint baselining, identity-aware networking and monitoring and containment.

But just as important in selecting a product is the technical approach that your organization wants to take in enforcing NAC policy. Enforcing NAC may not be a top priority for many companies yet, but eventually you will want to be able to "throw the switch in case of an emergency," said Gartner Inc. analyst Lawrence Orans.

He enumerated four common technical approaches for enforcing NAC policy and rated them in terms of cost, complexity and adaptability:

  • Virtual LAN steering. This approach simply moves the user from one VLAN port to another. A noncompliant endpoint, for example, could be moved from the production environment to a quarantine VLAN or guest network.
  • Dynamic Host Configuration Protocol (DHCP). Enforcement involves assigning an IP address in a quarantine subnet, a subtle difference from assigning someone to a different VLAN. A drawback? Users can bypass DHCP security by using static IP addresses.
  • In-line enforcement puts an intrusion prevention system or similar system on the network to check out the endpoint before it connects. If the endpoint does not authenticate, every packet from that endpoint is dropped.
  • Address Resolution Protocol (ARP) modification is employed in some solutions that do not have an agent. An appliance in the network that acts as a "honeypot" for all traffic can modify the ARP tables of the endpoint.
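
The static-address bypass noted in the DHCP item can be detected by comparing the DHCP server's leases with the address bindings actually seen on the network. The following is an added example, not part of the original article; the subnets, MAC addresses and the `audit_bindings` helper are constructed for illustration.

```python
import ipaddress

# Constructed sample data (not from the article): subnets, leases and ARP sightings.
QUARANTINE_NET = ipaddress.ip_network("10.0.99.0/24")

# Active DHCP leases as the server issued them: MAC (lowercase) -> leased IP.
LEASES = {
    "00:16:3e:00:00:01": "10.0.10.21",   # compliant, production lease
    "00:16:3e:00:00:02": "10.0.99.14",   # noncompliant, quarantine lease
    "00:16:3e:00:00:03": "10.0.99.15",   # noncompliant, quarantine lease
}

# (IP, MAC) pairs actually seen on the wire, e.g. from a router's ARP table.
OBSERVED = [
    ("10.0.10.21", "00:16:3e:00:00:01"),  # matches its lease
    ("10.0.99.14", "00:16:3e:00:00:02"),  # stays in quarantine
    ("10.0.10.77", "00:16:3e:00:00:03"),  # quarantined MAC on a production address
    ("10.0.10.50", "00:16:3e:00:00:04"),  # no lease at all
]


def audit_bindings(leases, observed, quarantine_net):
    """Return (ip, mac, reason) for every sighting the DHCP server never sanctioned."""
    findings = []
    for ip, mac in observed:
        mac = mac.lower()
        leased_ip = leases.get(mac)
        if leased_ip == ip:
            continue  # address in use is the one DHCP handed out
        if leased_ip is None:
            reason = "no-lease"            # static address, never asked DHCP
        elif (ipaddress.ip_address(leased_ip) in quarantine_net
              and ipaddress.ip_address(ip) not in quarantine_net):
            reason = "quarantine-escape"   # left the quarantine subnet by hand
        else:
            reason = "lease-mismatch"      # using a different address than leased
        findings.append((ip, mac, reason))
    return findings


if __name__ == "__main__":
    for ip, mac, reason in audit_bindings(LEASES, OBSERVED, QUARANTINE_NET):
        print(f"{reason:18} {mac} is using {ip}")
```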

Government NAC integrator uses VLANs, switch-blocking

Wesley Ward is an IT security engineer at American Systems Corp. The Chantilly, Va.-based company provides systems engineering to government and private customers, including the General Services Administration, Internal Revenue Service, branches of the U.S. military and the Department of Homeland Security. American Systems' NAC implementation needed to offer guest networking for business partners, as well as monitor devices before and after connection to the network and quarantine those that did not comply. The solution also had to be clientless.

American Systems uses VLAN assignment, virtual firewalls and switch-blocking for NAC enforcement. Ward said he also notifies users.

"We send the user an email that they are out of compliance and let them know why they have been moved from one VLAN to another, to get them to comply with corporate policy before getting access back to the production VLAN," Ward said.

American Systems went with Cupertino, Calif.-based ForeScout Technologies Inc., but Ward said most of the vendors the company looked at were able to do some kind of enforcement. "We wanted to be able to take various different actions for various violations, and ForeScout gave us the best flexibility in doing that," he said. -- L.T.

In-line enforcement is typically the most expensive of the bunch, Orans said. "Anytime you put a bump in the wire, it has to be high-performance, so it does not add latency to the network. It has to be transparent to users, and from a topology standpoint, you have to have it at all key points, so you are more likely to deploy more boxes than if you took an out-of-band approach."

On the other hand, in-line enforcement tends to be less complex to deploy than VLANs, he said, since appliances can be inserted in-line without making changes to the switches themselves.

VLANs are low-cost but they can be complex to deploy, due to the burden of managing multiple VLANs in large environments, Orans said. One or more VLANs may need to be added to every switch to enforce the NAC policy. "And you have to make sure that the endpoints that have been quarantined can get back from some remediation server, so that can be complicated," he said.

DHCP is also cheaper and less complex, but it's the least-secure NAC policy enforcement option, Orans said. Likewise, ARP modification is low in cost and complexity, but it isn't commonly deployed and does not support enforcement in Secure Sockets Layer virtual private network (VPN) environments.

In terms of adaptability, all four approaches will allow you to put NAC in the LAN, but some are not good for wireless networks (VLANs) and others are not ideal for VPN-based approaches, where an in-line appliance excels.

Googling NAC: "You get really confused, really quickly"

"The key thing is that before you go looking at the 20-some NAC vendors is to think through the enforcement mechanisms that will be important to you and which will work in your environment," Orans said.

So, if DHCP seems to make a lot of sense, that would rule out market leader Cisco Systems Inc., Orans pointed out, because, not surprisingly, the network provider believes the hardware itself should enforce NAC, not DHCP, which it does not support. "If you're Microsoft and don't sell switches, then there is nothing wrong with using DHCP, a great approach for reassigning someone to a quarantine subnet," he said.

Indeed, as our companion piece on defining a usage case points out, NAC requires IT to do its homework before shopping.

"If you start by Googling NAC and talk to eight vendors, you get really confused, really quickly," Orans said. "Many of them have valid solutions but totally different approaches to NAC. Go in knowing what you want to do."

Let us know what you think about the story; email: Linda Tucci, Senior News Writer
