Network Access Control is in the Details

Shared by: Nikole Wells (posted 1/16/2008)
White paper

NETWORK ACCESS CONTROL: NAC IS IN THE DETAILS

Prepared by: Dave Greenstein, Chief Architect, StillSecure®
September 2007

Copyright © 2002-2007 StillSecure®. All rights reserved.

Table of Contents

Introduction
NAC Policy Enforcement Options
  802.1x
  DHCP
  Inline
  IPSec Health Certificates
NAC Testing Options - Validating Endpoints and Their Health
  Agentless
  Agent
  ActiveX or Browser Plug-in
  Scanner
NAC Remediation and Integration
  Local Area Intrusion Detection and Prevention
  Vulnerability Assessment
  Identity Management
  Remediation

About the author

Dave Greenstein is the Chief Architect at StillSecure®, where he is responsible for the technical vision of the StillSecure product suite, including its industry-leading NAC solution, Safe Access®. Dave has more than 10 years of experience in the web analytics and network security industries. Contact Dave at dgreenstein@stillsecure.com.
INTRODUCTION

Making intelligent decisions around a Network Access Control (NAC) solution for your network has become difficult. Several software companies have jumped on the NAC bandwagon, adding confusion to what NAC truly is. NAC, put simply, is a class of technologies that force a user and endpoint device to prove their identity and health before they gain access to a network and its resources. NAC goes beyond logins and passwords to enforce user and endpoint policy before the endpoint obtains an IP address, before its port forwards traffic, or before it has access to resources on a network. A NAC solution provides enforcement of policy at the network level rather than at the endpoint or software level.

There are three main components to a NAC solution:

1. Enforcement – how do you stop unauthorized users and endpoints from accessing your network until they have been proven certified and safe?
2. Testing – how do you validate users, endpoints, and the health of an endpoint?
3. Policy and integration with other security tools – how can NAC work with other security technologies to create a layered security model?

NAC POLICY ENFORCEMENT OPTIONS

There is no silver bullet when making a decision on enforcement technologies, since most networks are heterogeneous throughout, have different entry points, and require a combination of enforcement technologies to achieve 100% coverage.

802.1x

802.1x is the most preferred enforcement method available. An endpoint connects to a switch and its port is blocked from passing traffic. The switch challenges the 802.1x supplicant (client software) on the endpoint to provide authentication credentials, typically using a variation of the Extensible Authentication Protocol (EAP). If authentication succeeds, then the endpoint health is verified. The health information of an endpoint may be passed to the server within the EAP authentication protocol at layer 2, or after the authentication at layer 3. NAC solutions that get health information at layer 3 are more accessible, because the currently available EAP protocols that allow for embedded health information at layer 2 are vendor-specific and/or alpha technologies. Once the endpoint is verified as “healthy,” the endpoint is dynamically moved into a production VLAN. If “unhealthy,” the endpoint is placed in a restricted quarantine VLAN for remediation, or its port is shut down and access is not allowed. The VLAN switching is accomplished via the RADIUS protocol and various attributes the RADIUS server can send to the switch after authentication.

DHCP

The DHCP method of enforcement is a good step toward 802.1x enforcement if your network is not currently 802.1x compatible. DHCP is not as secure, because it cannot enforce compliance on endpoints with static IP addresses. Even so, DHCP will prevent the vast majority of users with non-compliant or infected endpoints from gaining access to your network. DHCP simply assigns quarantined or unknown endpoints an IP address that is restricted by ACLs at the gateway, together with DHCP settings that do not allow the endpoint to communicate with other endpoints (assigning a netmask of 255.255.255.255 and no gateway restricts communication to only those IP addresses for which a static route is assigned).

Inline

Inline NAC solutions work as a layer 2 bridge between two points in the network. Typically they are used behind a VPN or RAS device. These are very easy to deploy and very secure. They have an internal firewall to restrict traffic from IP addresses that are quarantined.

IPSec Health Certificates

IPSec Health Certificates is an enforcement technology that will be available in Microsoft NAP. This technology is only as secure as your IPSec infrastructure. It uses the trust relationship of certificates installed on each endpoint to allow or restrict communications via IPSec, so endpoints on your network not using IPSec will be vulnerable.
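The 802.1x VLAN switching described in the enforcement section above can be made concrete. The following is an added example, not StillSecure code and not taken from the paper: it maps the two outcomes of an 802.1x exchange (authentication result, health result) to the RADIUS reply a NAC-aware RADIUS server would return, encodes the RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) that switches act on for dynamic VLAN placement, and decodes them back the way a switch would. The VLAN numbers, the `radius_response` policy, and the option to reject unhealthy endpoints outright (the "port is shut down" alternative) are assumptions chosen for illustration.

```python
"""802.1x NAC decision mapped to RADIUS VLAN-assignment attributes.

Added example, not StillSecure code. Encodes the RFC 2868 tunnel attributes
that a RADIUS server returns to a switch for dynamic VLAN placement
(Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>)
and decodes them back the way a switch would. VLAN numbers are constructed.
"""

# Attribute type numbers (RFC 2868) and enumerated values (RFC 3580).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

PRODUCTION_VLAN = 100  # constructed sample values
QUARANTINE_VLAN = 999


def _attr(attr_type: int, payload: bytes) -> bytes:
    """Generic RADIUS TLV: 1 octet type, 1 octet length (header included), value."""
    if len(payload) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([attr_type, 2 + len(payload)]) + payload


def tunnel_int(attr_type: int, value: int, tag: int = 1) -> bytes:
    """Tagged integer tunnel attribute: 1 tag octet + 3-octet big-endian value."""
    return _attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tunnel_string(attr_type: int, value: str, tag: int = 1) -> bytes:
    """Tagged string tunnel attribute: 1 tag octet + ASCII string."""
    return _attr(attr_type, bytes([tag]) + value.encode("ascii"))


def vlan_attributes(vlan_id: int) -> bytes:
    """The three attributes a switch needs to move the port into vlan_id."""
    return (tunnel_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tunnel_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + tunnel_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)))


def radius_response(authenticated: bool, healthy: bool,
                    shut_port_if_unhealthy: bool = False):
    """Map the authentication and health results to (reply code, attribute blob).

    Failed authentication is always Access-Reject (the port stays blocked). An
    authenticated but unhealthy endpoint is either rejected or accepted into
    the quarantine VLAN for remediation, depending on the policy flag.
    """
    if not authenticated:
        return "Access-Reject", b""
    if healthy:
        return "Access-Accept", vlan_attributes(PRODUCTION_VLAN)
    if shut_port_if_unhealthy:
        return "Access-Reject", b""
    return "Access-Accept", vlan_attributes(QUARANTINE_VLAN)


def parse_attributes(blob: bytes) -> dict:
    """Decode TLVs into {attr_type: (tag, value)}, rejecting malformed lengths.

    Assumes the tag octet is present on tunnel attributes, as the encoder
    above emits it.
    """
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        payload = blob[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(payload) == 4:
            out[attr_type] = (payload[0], int.from_bytes(payload[1:], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and payload:
            out[attr_type] = (payload[0], payload[1:].decode("ascii", "replace"))
        else:
            out[attr_type] = (None, payload)  # unknown or malformed: keep raw
        i += length
    return out


def assigned_vlan(blob: bytes):
    """VLAN id (or name) the reply assigns, or None if the attribute set is incomplete."""
    attrs = parse_attributes(blob)
    if (attrs.get(TUNNEL_TYPE, (None, None))[1] != TUNNEL_TYPE_VLAN
            or attrs.get(TUNNEL_MEDIUM_TYPE, (None, None))[1] != TUNNEL_MEDIUM_IEEE_802
            or TUNNEL_PRIVATE_GROUP_ID not in attrs):
        return None
    value = attrs[TUNNEL_PRIVATE_GROUP_ID][1]
    return int(value) if value.isdigit() else value


if __name__ == "__main__":
    for auth, health in ((True, True), (True, False), (False, True)):
        code, attrs = radius_response(auth, health)
        print(f"auth={auth} healthy={health} -> {code} "
              f"attrs={attrs.hex() or '-'} vlan={assigned_vlan(attrs)}")
```

The switch only changes the port's VLAN when all three attributes are present and consistent, which is why `assigned_vlan` returns None for a reply carrying just a Tunnel-Private-Group-ID; in a real deployment the IDM and NAC components must agree on these attributes, as the Identity Management section later notes.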
NAC TESTING OPTIONS - VALIDATING ENDPOINTS AND THEIR HEALTH

As with enforcement methods, you will need a variety of Network Access/Admission Control (NAC) policies and testing technologies to achieve 100% coverage of endpoints on your network. The testing technologies available today are:

– Agentless: nothing is downloaded or installed on the endpoint device.
– Agent: an installed service.
– ActiveX or Browser Plug-in: downloaded via a browser.
– Scanner: performs an IP-based vulnerability scan.

Three different frameworks also exist that enable testing. These are emerging technologies that your NAC vendor should either already support or have plans to support.

1. Cisco NAC
2. Trusted Computing Group (TCG) Trusted Network Connect (TNC)
3. Microsoft Network Access Protection (NAP)

These three frameworks are almost identical in architecture.

Figure 1. Complete NAC

Figure 1 shows a combined architecture diagram with each framework’s implementation and terminology listed in the appropriate components. They are all agent-based and require client software to be downloaded or installed. Windows Vista will have the Microsoft NAP client built in by default. The TNC framework, when compared to Cisco NAC and Microsoft NAP, has the biggest advantage in that it has the most potential to become a standard and will operate across switch and OS vendor platforms. Each of these frameworks has a mechanism for handling unmanaged endpoints. Until one of these frameworks emerges as the recognized industry standard, it is important to be able to flexibly test the widest range of endpoints. Today’s NAC solutions should support some combination of the testing methods described below to provide that interim flexibility.

Agentless

The agentless testing method uses an endpoint administrative account to connect via the Windows RPC service, or via SSH on Unix endpoints.
This method is best when a centralized user management system exists that is used by all endpoints. Otherwise, it can become a management headache for users to specify their credentials for testing, or for the NAC admin to maintain user accounts for each endpoint. This method is also best when you want to test endpoints without impacting the network, since no install or download is required to get testing results.

Advantages:
- No install or download is necessary. This makes it great for gathering test results before implementing enforcement of your security policy.
- Great for networks where all devices are on a Windows Domain, since you can use a domain administrative account to log into the device for testing.

Disadvantages:
- The SMB protocol is slow, since it may require several network round trips when querying an endpoint.
- Difficult for users to specify credentials for testing.
- NAC solutions based on Nessus have local checks that use this agentless technique, but configuring and fine-tuning user accounts may be difficult.
- For Windows, this method may have limited functionality compared to an installed agent.

Best for:
- Managed endpoints and networks with a centralized user management system.
- Unmanaged endpoints where users can provide administrative credentials.

Agent

An installed agent testing method offers the most potential capabilities. It can take full advantage of a platform’s API. An agent-based solution should use strong SSL encryption (generate certificates and validate the certificate on both the client and the server) to communicate with endpoints, and take measures to secure any information it gathers and any operations it can perform.

Advantages:
- Efficient testing method that requires little network traffic.
- Since this is a service that runs in the background, it is always available to test and enforce policy as the policy evolves and as new threats arise.
- May offer capabilities to remediate and lock down critical resources on an endpoint (e.g. only allow connections to specific wireless SSIDs).

Disadvantages:
- Requires yet another software package to be installed on the endpoint.
- The user needs administrative privileges to install a service-based software package.

Best for:
- Managed endpoints, and when testing performance is critical.

ActiveX or Browser Plug-in

A downloaded ActiveX or browser plug-in is really just an agent that happens to run within a browser’s memory space. Don’t let some NAC vendors fool you when they call this “clientless” testing. This testing method works by capturing a user’s attention in their browser, similar to how airport wireless networks redirect you to pay for access to the network.

Advantages:
- The application disappears from memory as soon as the browser closes, so there is less memory and processor overhead.
- Downloading a plug-in may be more acceptable to contractors or users with unmanaged endpoints than installing an actual software package.
- A user is more likely to have enough privileges to download and test with a plug-in than to install an agent that runs as a service.

Disadvantages:
- Only resident and available while the browser is open. Once the browser closes it will be impossible to retest the endpoint as policy changes, so this is really a one-time test before entry onto the network.
- Requires user interaction. Users will have to open their browser to download the plug-in and get tested.
- Plug-ins are browser specific. ActiveX may only work in Internet Explorer. Check with your NAC vendor about which browsers their plug-ins support.

Best for:
- Unmanaged endpoints and networks where a one-time test is satisfactory for access to the network.

Scanner

Network-based scanner solutions are typically based on the Nessus vulnerability assessment tool.
These tests can check service banners, but do not tell you critical pieces of information about an endpoint’s security such as anti-virus DAT file versions, spyware detection, and local security policy. A network-based scan may take several minutes to run. Users will not wait minutes to get logged onto the network and will usually call support.

Advantages:
- Also a truly agentless approach.
- Works for any operating system.
- Can perform an exhaustive scan from the network perspective.

Disadvantages:
- May be too slow to test endpoints. Surveys show that users will call support if it takes them more than 30 seconds to get onto the network.
- May not be able to check local security policies and local software state as easily as an agent-based method.

Best for:
- Unmanaged endpoints and networks where time to access the network is not a big concern.

Once you have your endpoints tested and your enforcement implemented, users will be quarantined. You’ll need a way to easily notify the user and admin, patch their systems, and quickly get them onto the network. You’ll also want to know how to get the most out of your NAC solution while leveraging your existing security investments.

NAC REMEDIATION AND INTEGRATION

Even though NAC has been put at the top of the priority list for security administrators, other security technologies cannot be ignored. A good NAC solution should integrate seamlessly with other technologies like intrusion detection, vulnerability assessment, identity management, and remediation tools to create a layered security model. Since NAC performs the access control piece for the network, it makes sense that it should be the coordination center for policy decisions. To do so, NAC tools should have open and accessible APIs (Application Programming Interfaces). Look for APIs that allow for the following:

1. The ability to perform custom actions in specific situations.
2. External control.
3. The ability to customize and extend the out-of-box default tests.
These APIs will allow you to integrate your NAC solution with other components on your network if necessary. A NAC solution’s existing policy capabilities should also facilitate the following integrations.

Local Area Intrusion Detection and Prevention

Before an endpoint is authenticated and tested, and once a healthy and compliant endpoint has been admitted to the network by your NAC tool, an intrusion detection/prevention system (IDS/IPS) should search for suspicious activity from the endpoint. Before admittance, the NAC policy engine should query and consider the IDS/IPS information to see if there has been any suspicious activity from the endpoint. After admittance, if the IDS/IPS detects suspicious activity, indicating a change in posture, the NAC solution should allow the IDS/IPS to dynamically trigger a policy decision and potentially quarantine the endpoint. IDS/IPSs are known for their high degree of false positives, so the signatures or behaviors that trigger the NAC solution to quarantine should be carefully chosen.

Vulnerability Assessment

In addition to integrating with IDS/IPS, vulnerability assessment (VA) tools should also be used in conjunction with NAC. Before admittance, the NAC policy engine should query the VA tool’s records for critical vulnerabilities on the endpoint. If a new critical vulnerability is found after admittance (indicating a change in security posture), the VA tool will dynamically trigger a policy decision within the NAC solution and potentially quarantine the endpoint.

Identity Management

Identity management (IDM) systems provide a more centralized and secure way to authenticate users, as well as to assign user- and group-level network access privileges. When the NAC solution authenticates a user to the network, it should have a mechanism to take advantage of the IDM authentication mechanism.
For 802.1x NAC implementations, this is a feature of the 802.1x supplicant, which must support your IDM vendor’s authentication scheme. It must also respond to a switch’s 802.1x authentication challenge with the appropriate IDM certificate or credentials. After a user’s authentication and health have been verified, the IDM and NAC solution should coordinate to assign the appropriate access rights or VLAN placement for the user. For 802.1x NAC implementations this occurs during the RADIUS response, in which the IDM and NAC must coordinate their RADIUS attributes to assign the appropriate ACLs, QoS, bandwidth, and VLAN for the user.

Remediation

Once an endpoint is placed in quarantine due to health issues, you’ll want to get it out of quarantine as quickly as possible (and hopefully without a support call). There are several remediation strategies, each useful for different situations. A good NAC solution should support at least two of these remediation techniques so you have 100% coverage across different types of users.

1. Self-remediation – This functionality alerts a user via a pop-up, or redirects the user’s browser to a web page that instructs the user how to fix their system.
2. Auto or built-in remediation – Some NAC tools provide a mechanism to download and run a script or executable to automate a simple fix on an endpoint.
3. Third-party remediation – If you already have a patch management system in place, you’ll want your NAC solution to use it to patch issues as soon as an endpoint is quarantined. Once patching is completed, the NAC solution should revalidate the health of the endpoint so it can be granted access to the network.

With all of these security tools and integrations, you’re probably wondering if there is one vendor that does it all. The answer is “no” at this point in time. However, NAC vendors are expanding their functionality and embedding these technologies quickly.
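As an added example (not StillSecure code, and not from the paper) tying together the integration and remediation sections above: a small policy engine in which NAC is the coordination center. It makes the pre-admittance decision from the health-test results plus the IDS/IPS and VA records, lets an IDS alert or a new critical VA finding re-trigger a decision after admittance (quarantining only on an allowlist of high-confidence signatures, in line with the false-positive caveat), produces the self-remediation instructions, and revalidates health after remediation before re-admitting. All test names, signature names, vulnerability ids and endpoint identifiers are constructed sample data, and the callback functions are a hypothetical API shape, not any vendor's.

```python
"""NAC as the policy coordination center: health tests + IDS/IPS + VA + remediation.

Added example, not StillSecure code. Models the flow described in the paper:
before admittance the engine evaluates health tests and the IDS/IPS and
vulnerability-assessment (VA) records; after admittance an IDS alert or a new
critical vulnerability re-triggers a decision; after remediation the endpoint
is retested before it is re-admitted. All names below are constructed samples.
"""
from dataclasses import dataclass, field

ADMITTED, QUARANTINED, PENDING = "admitted", "quarantined", "pending"

# Only high-confidence IDS signatures may quarantine an endpoint, because
# IDS/IPSs produce many false positives. Constructed signature names.
QUARANTINE_SIGNATURES = {"WORM_PROPAGATION", "C2_BEACON"}

# Required health tests. These answers come from an agent, plug-in or agentless
# query; a network scanner cannot supply them. Constructed test names.
REQUIRED_TESTS = ("av_installed", "av_signatures_current",
                  "critical_patches_applied", "host_firewall_enabled")

# Self-remediation text shown to the user for each failed test (constructed).
REMEDIATION_TEXT = {
    "av_installed": "Install the approved anti-virus product.",
    "av_signatures_current": "Update anti-virus signatures.",
    "critical_patches_applied": "Apply missing critical patches.",
    "host_firewall_enabled": "Enable the host firewall.",
}


@dataclass
class Endpoint:
    ident: str
    tests: dict                                      # test name -> bool
    ids_alerts: list = field(default_factory=list)   # signature names seen
    va_critical: list = field(default_factory=list)  # critical vuln ids from VA
    state: str = PENDING
    reasons: list = field(default_factory=list)      # why it is quarantined


def evaluate(ep: Endpoint) -> str:
    """Full policy decision: health tests, then IDS/IPS records, then VA records."""
    reasons = [t for t in REQUIRED_TESTS if not ep.tests.get(t, False)]
    reasons += ["ids:" + s for s in ep.ids_alerts if s in QUARANTINE_SIGNATURES]
    reasons += ["va:" + v for v in ep.va_critical]
    ep.reasons = reasons
    ep.state = QUARANTINED if reasons else ADMITTED
    return ep.state


def on_ids_alert(ep: Endpoint, signature: str) -> str:
    """IDS/IPS callback ('external control' API): re-decide only for chosen signatures."""
    ep.ids_alerts.append(signature)
    if ep.state == ADMITTED and signature in QUARANTINE_SIGNATURES:
        return evaluate(ep)          # change in posture after admittance
    return ep.state                  # low-confidence alert: recorded, no action


def on_va_finding(ep: Endpoint, vuln_id: str, critical: bool) -> str:
    """VA callback: a new critical finding after admittance changes posture."""
    if critical:
        ep.va_critical.append(vuln_id)
        if ep.state == ADMITTED:
            return evaluate(ep)
    return ep.state


def remediation_instructions(ep: Endpoint) -> list:
    """What the self-remediation pop-up or web page should tell the user."""
    return [REMEDIATION_TEXT.get(r, "Contact support about: " + r) for r in ep.reasons]


def on_remediated(ep: Endpoint, retest: dict, va_clear: bool = True) -> str:
    """After patching, revalidate with fresh test results before re-admitting."""
    ep.tests = retest
    if va_clear:                     # VA rescan found the critical issues fixed
        ep.va_critical = []
    ep.ids_alerts = []               # acted on; new alerts will re-trigger
    return evaluate(ep)


if __name__ == "__main__":
    host = Endpoint("host-a", dict.fromkeys(REQUIRED_TESTS, True))
    print(host.ident, evaluate(host))                       # admitted
    print(host.ident, on_ids_alert(host, "PORT_SCAN_SUSPECT"))  # still admitted
    print(host.ident, on_ids_alert(host, "C2_BEACON"), host.reasons)  # quarantined
    print(host.ident, on_remediated(host, dict.fromkeys(REQUIRED_TESTS, True)))
```

The engine never quarantines on an IDS alert outside `QUARANTINE_SIGNATURES`; those alerts are still recorded so an analyst can review them, which is the trade-off the paper's false-positive warning points at. Revalidation after remediation runs the same `evaluate` path as first admittance rather than trusting the patch tool's report.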
Nevertheless, if you have a large investment in these other security technologies, it will be important for a NAC solution to integrate with them seamlessly.

CONCLUSION

Because NAC has become such a hot topic in the security industry, a lot of vendors are trying to capitalize on the market attention and the resulting confusion around implementation strategies. Despite the fact that shopping for a NAC solution can be complicated, there are ways to navigate through vendors’ “all you’ll ever need” claims about their NAC products. Understanding what testing and enforcement options are available, and which are right for your network, is the key to choosing an effective NAC solution. Because no one product can really secure a network on its own, it’s equally important to understand how each potential NAC solution will integrate with other crucial network security products to build a solid, layered security architecture.
