Network access control is a relatively new security technology. But what have we learned about NAC in the past few years? What are the best ways to use it today?
NAC was originally conceived and introduced as a perimeter defense to stop the spread of worms and other infections. It would check the health of all devices when they attempt to access the enterprise network. It would quarantine and repair infected or vulnerable devices before releasing them onto the main network.
This approach has worked well for many organizations, but it has drawbacks and fails to reach the full potential of NAC. Let’s look at some lessons I have learned from hundreds of NAC deployments.
Focus on Critical Assets
Trying to fix all the devices on your college’s network and keep them healthy is daunting. In fact, it may be undesirable if your network includes devices owned and managed by students, adjunct faculty or outside contractors. If you don’t own those devices, you shouldn’t try to manage them. At the same time, critical users and devices have become more mobile, spending a lot of time off your enterprise network. For many schools, the traditional NAC model (perimeter health checks) is not a top priority.
Instead, savvy security teams focus resources on their most critical assets: customer data, financial systems and intellectual property. Protect these assets well and everything else will follow. Placing a NAC enforcement point in front of critical assets will give your college much tighter control over access, especially in light of the growing capabilities of NAC. This approach will also help you maximize your return on investment, the value you get from NAC. You can always expand a NAC deployment to include perimeter enforcement in a second phase.
Move Beyond Health
Modern NAC systems consider many factors other than health when deciding what access should be granted. Who is the user? What is his or her job? How is he or she connecting to the network (through wired, wireless or remote access)? From what location? At what time of day? What device is he or she using? For what is that device being used?
Create Policies in Business, Not Techie Terms
Gathering all this information lets you create and enforce much more useful access control policies. Instead of traditional firewall rules such as “IP address A can access IP address B,” you can create policies such as “users in the procurement group can access the acquisition server, but only when using a healthy PC in the procurement office and only during business hours.” Policies that use university business and missions terms can more closely match a school’s security needs and avoid ceding more access than should be granted.
Integrate Security Systems
To factor in identity, a college’s NAC system must be integrated with its identity management system. To look at behavior, it will need to be integrated with your intrusion detection system (IDS). Some products don’t provide such integration, and some manufacturers integrate only with their own products to lock an organization into a product line — nice for them, but not for your school.
To enable interoperability, look for products that support open standards, such as Remote Authentication Dial In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP) and TNC (a family of NAC standards from the Trusted Computing Group). Requiring your NAC system to support the TNC standards ensures that it can support and operate with a variety of clients, servers, health-check tools and enforcement mechanisms.
The newest such standard, IF-MAP, offers the broadest form of security integration. Your NAC system can use the standard IF-MAP protocol to store information about who and what is on the network in a distributed database called a Metadata Access Point (MAP). Sensors — monitoring systems such as IDS and data leakage prevention (DLP) programs — use IF-MAP to report questionable behavior to the MAP, which alerts the NAC system so that it can take appropriate enforcement action.
Sensors can even read information from the MAP and automatically tune their detection rules to reduce false positives and negatives. For instance, if a security administrator scans devices for vulnerabilities, that’s probably normal. But if a clerk does that, there could be a problem. The MAP helps your security devices share such identity information to differentiate between such cases.
Mine Your NAC Data
Some NAC systems let an organization keep records of who did what and when. These records are gold mines. Generate reports to learn what behavior is normal or abnormal among your users, track compliance with university policies for audits or specific problems. Good logging and reporting is essential for NAC.
Protect Sensitive Devices
Embedded devices such as phones and printers are rarely secure and can be quite sensitive to disruptive network traffic. Configure your NAC system to identify these devices and quarantine them in a safe place. Make sure that your NAC system includes this capability; surprisingly, some don’t.
Don’t Trust Endpoints
Hackers and compromised endpoints can “lie” about their health. Don’t take their word for it. Monitor their behavior after they connect to the network to detect malfeasance, and act if necessary. For high-security environments, consider using the Trusted Platform Module in your notebook computers to verify endpoint security. TPM chips enable the secure generation of cryptographic keys and include other features to authenticate hardware devices and platforms.
Be Prepared for the Next Threat
Attackers are always looking for new vulnerabilities. Stay informed about new threats and be prepared to react promptly. Having a strong, flexible NAC system lets you change your policies on acceptable behavior and device configuration, detect noncompliance and take whatever action is necessary on the fly (warn, notify management, restrict or block access). If your NAC system relies on open standards, you can add new endpoint types, sensors, health checks and enforcement methods with ease. Being nimble is essential to mounting a good defense.
No single defender can match the combined resources of all attackers, and no functional computing system is completely secure. Still, if you continue to improve your security approach and tune your NAC based on your lessons learned and on best practices forged by others, you can maximize your security while minimizing costs.