Network World

Jamey Heary

Top 9 things any NAC solution must do and do well

By jheary on Sat, 08/04/07 - 3:15am.
When evaluating any NAC solution you first need to figure out which features and functions are most important for your environment. To that end, I have created this list of the top things that any NAC solution must do and do well. Like most things in life, the devil is in the details. So even if a vendor says that they perform these functions, you want to make sure that they perform them well.
First let’s cover the top 5; these should be table stakes for any vendor’s NAC solution. However, the effectiveness of each vendor’s implementation of these requirements varies widely. In order to proactively defend the internal network from malicious users, unauthorized users, botnets, viruses, worms, and other malice, a NAC solution must support the following:

  • Authentication - Controlling who is allowed access. This is typically done by forcing the user to log in or otherwise authenticate before network access is granted. This authentication could be in the form of a username and password, a unique MAC address, or a system fingerprinting result.
  • Host posture assessment - Determining if the client meets your host security requirements before allowing them onto your network. The end goal is to reduce your exposure to risk by checking the host’s security posture. This typically involves making sure the host has up-to-date operating system security patches, anti-virus software, anti-Spyware software, and is not actively infected with a virus or worm. Ongoing, continuous, host posture assessment is also desirable.
  • Quarantine and Remediation - Any client that does not meet the client security requirements must be quarantined and offered remediation steps. While in network quarantine a host’s network access would be isolated to only those remediation resources that are needed for them to come into compliance. Since the remediation actions will be performed by the end-user the remediation process must be intuitive and undemanding. The more automated it is the better.
  • Authorization - Controlling the amount of network access given to a connecting client. The end goal is to restrict network access, as much as is practical, to only those resources that the user truly needs. The amount of network access is typically determined based on the user’s identity and the security posture of their host.
  • Automated hotfix/version updating – The solution must be able to regularly update its security checks. At a minimum, security checks that inspect the freshness of AV, AS, and operating system security fixes should be auto-updating. Whether these updated checks are auto-enforcing as well depends on your environment, but the option should be available to you. The purpose of auto-updating checks is to remove the huge burden of manually tracking down which vendor released which updates, for which version of their product, and then translating that information into a security check that performs the inspection correctly. Without automating this process, the cost of the ongoing maintenance required to find and maintain this information manually could prove prohibitive.
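To make the five requirements above concrete, here is an added example (not code from the post or from any vendor's product) of the admission flow they describe: authenticate the user, assess the host's posture against auto-updatable checks, quarantine non-compliant hosts to remediation-only resources, and otherwise authorize by role. The hotfix names, VLAN numbers, hostnames, and the seven-day AV definition threshold are all constructed placeholders.

```python
from dataclasses import dataclass

# Constructed policy values; a real deployment would pull these from the
# vendor's auto-updating check feed rather than hard-coding them.
MAX_AV_DEF_AGE_DAYS = 7                       # AV definitions older than this are "stale"
REQUIRED_HOTFIXES = {"HOTFIX-A", "HOTFIX-B"}  # placeholders, not real KB ids
ROLE_VLAN = {"employee": 100, "contractor": 200}   # authorization by identity
QUARANTINE_VLAN = 999                         # isolated VLAN for non-compliant hosts
REMEDIATION_HOSTS = ["patch.example.internal", "av-update.example.internal"]


@dataclass
class Posture:
    """Host security posture as reported by the NAC agent or scanner."""
    av_running: bool
    av_def_age_days: int
    installed_hotfixes: set
    infected: bool = False


def posture_failures(p: Posture) -> list:
    """Return the list of policy failures; an empty list means compliant."""
    fails = []
    if p.infected:
        fails.append("active infection detected")
    if not p.av_running:
        fails.append("anti-virus not running")
    elif p.av_def_age_days > MAX_AV_DEF_AGE_DAYS:
        fails.append("anti-virus definitions stale")
    missing = REQUIRED_HOTFIXES - p.installed_hotfixes
    if missing:
        fails.append("missing hotfixes: " + ", ".join(sorted(missing)))
    return fails


def admit(role: str, authenticated: bool, posture: Posture) -> dict:
    """Decide access for one connecting client: deny, quarantine, or permit."""
    if not authenticated:                       # 1. authentication
        return {"action": "deny", "vlan": None, "reasons": ["authentication failed"]}
    fails = posture_failures(posture)           # 2. host posture assessment
    if fails:                                   # 3. quarantine and remediation
        return {"action": "quarantine", "vlan": QUARANTINE_VLAN,
                "allowed_hosts": REMEDIATION_HOSTS, "reasons": fails}
    if role not in ROLE_VLAN:                   # 4. authorization by identity
        return {"action": "deny", "vlan": None, "reasons": ["unknown role"]}
    return {"action": "permit", "vlan": ROLE_VLAN[role], "reasons": []}


# Constructed sample clients for a quick run.
COMPLIANT = Posture(True, 2, {"HOTFIX-A", "HOTFIX-B"})
STALE_AV = Posture(True, 30, {"HOTFIX-A", "HOTFIX-B"})
MISSING_PATCH = Posture(True, 1, {"HOTFIX-A"})
```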

Here are four more requirements that I submit to you should also be included in your decision criteria:

  • Centralized Management – Of course any NAC solution must be manageable, but the key here is centralized management. Typically, a large NAC solution will involve several individual components. Ideally, a single centralized management system should be able to manage all of them. If the NAC solution requires the integration of multiple vendors’ technologies, then centralized management is more difficult to achieve, but the more components that can be centrally managed the better. Here are just a few of the benefits of centralized management:
    1. Centralized Admin user access control and accounting
    2. Increases consistency and accuracy of configurations across multiple NAC components
    3. Simplifies policy management of multiple NAC components
    4. Centralizes user tracking, reporting, and auditing
  • Collaborative – A NAC solution must be able to interoperate with other network, security, and authentication devices. At a minimum, it must work with existing LDAP, AD, and RADIUS authentication servers for user authentication. It must interoperate with your existing LAN switches for port-based VLAN switching. And finally, it must interoperate with Microsoft for patch management and with the popular AV vendors for keeping their products up to date.
  • Adaptable - A NAC solution must support being implemented pervasively throughout your internal network to be most effective. All clients trying to gain access, by whatever means, to internal network resources must first be authenticated, posture assessed, and authorized. Common entry points include wired, wireless, VPN, and WAN. Hardening all entry points into your internal network in this way gives you complete control over who, how, when, where, and what connects to your internal resources.

  • Highly Available – All critical components of the NAC solution must have the option to be made redundant and fault-tolerant. Ideally it should also be able to fail open in the event of a complete NAC meltdown.

  • ?

So that’s my top 9 NAC solution requirements list; what should the tenth one be? I’d also like to hear your comments regarding this list, so blog away!

    Great List

    0

    This is a great list! It is so amazing how many definitions of NAC there really are in the industry.

    It is very difficult sometimes in the current plethora of NAC vendors to really get back to the true reason for NAC... Enforcing the Organization's Security Policy. I always recommend that organizations look at how easily their specific security policy can be enforced with the proposed NAC solution. A good NAC solution can not only perform the normal "standard" host checks, like Windows Hotfixes, AV/AS, but also custom checks for software like HIPS and encryption software, or even check if unauthorized Peer-to-Peer or Instant Messaging software is installed or running. It is one thing to enforce what the industry thinks NAC should check for, but in the real world your NAC solution should enforce your policy and everything that encompasses that policy!

    Cheers!

    Jamie Sanbower
    My Cisco NAC Appliance Blog

    Nevis does it all

    0

    All the above points (including #10) are taken care of by Nevis Security Appliance. Checkout http://www.nevisnetworks.com/products.php?id=2

    Not require a forklift

    0

    10. It should not require a wholesale "forklift upgrade" of your entire network infrastructure in order to accomplish its goals. NAC should be "minimally invasive" in terms of hardware requirements and software dependencies.

    Hear, hear, I think we've

    0

    Hear, hear, I think we've found our number 10!

    About Cisco Security Expert

    Jamey Heary, CCIE No. 7680, is the author of the Cisco NAC Appliance: Enforcing Host Security with Clean Access book by Cisco Press. Jamey is a seasoned security technologist with over 15 years in the IT field with 10 years focused on IT security. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey is currently a Security Consulting Systems Engineer with Cisco, though the opinions expressed here are his own. Jamey is a member of Network World's Cisco Subnet blog community.