NAC Plus Smart Switches Equals Better Control
New capabilities make the technology better than ever for access control and compliance reporting.
June 25, 2008
NAC started out as a simple concept--that it's a good idea to check the health and configuration of a system before allowing it to access a network.
Admission control is, as the name implies, a simple check at the gate. Once your ticket is punched, you're admitted to the network. Any further security checks are outside the scope of the admission-control system. While conceptually it might seem OK to use different technologies to police access at different stages of network and system use, the preponderance of industry and government compliance regulations makes that less desirable. Compliance with regulations requires developing policies and enforcing them as consistently as possible across all of an organization's systems.
Relying on a variety of systems to consistently implement a single policy is not only administratively problematic, it's a reporting nightmare. And the thing that will keep regulators off your back is a full and complete auditable trail that details the who, what, when, and where of network access. So if you're going to keep those regulators happy, it's a good idea to employ as few broad-reaching systems as possible. That reality, along with some good old-fashioned ambition, has pushed NAC vendors to broaden the scope of what the technology does--including post-admission health monitoring and more detailed network and system access control.
Coherent policy enforcement and reporting are not the only challenges to simple NAC implementations--there's also the matter of who and what you're trying to protect against. One straightforward way to implement NAC is to intercept a system's request for an IP address and other information, and force the system to go through configuration verification before it's given its necessary network settings.
That keeps the honest users honest, but the protocol that normally doles out network configuration, namely DHCP, wasn't designed as a security policy enforcement system. Simply put, DHCP is easily subverted as an enforcement mechanism, whether through the use of static addresses or by other means, such as setting up a rogue DHCP server or modifying a computer's MAC address so that a rogue system is given access.
SWITCHES TO THE RESCUE
Particularly at admission time, any NAC implementation can benefit from the use of 802.1X. Commonly supported on access layer switches today, 802.1X provides a more complete authentication mechanism than simply matching up physical MAC addresses to IP addresses. Instead, supplicant software running on the node to be admitted verifies the identity of the user and other parameters such as system configuration.
Along with 802.1X, there are a number of features commonly available on access switches that can help harden a network against attack (see the Switch-Based Security Features chart below). Some of these have nothing to do with NAC. For instance, many switches support DHCP snooping, which tracks DHCP exchanges and creates a database of hosts that have successfully completed DHCP, their MAC and IP addresses, and which ports they are attached to. DHCP snooping is most effective at the access switch, where only one host per port is allowed. DHCP snooping deeper in the network, such as at distribution or core switches, doesn't make sense, since MAC and IP addresses may already have been spoofed or hijacked at the access switch. Once the access switch builds its DHCP database, the information can be used to ensure that IP addresses don't move arbitrarily, as they would when spoofed.
COMPLETE PICTURE
The capabilities of the software used to verify system configuration vary widely and should be carefully considered. Through host assessment and reporting, a NAC deployment can independently prove that hosts are configured according to your standards and policies. In order to deliver on that promise, the host assessment component must identify the programs you wish to track as well as their status, such as installed, running, or not running. Unless the assessment component can identify everything you need, it has little value for compliance; half a report is not better than nothing.
In many cases, however, it's not practical to insist that every system gaining access to the network use your chosen assessment software. Some systems, such as printers and routers, can't run it, and those brought in by third parties such as contractors and customers usually won't run it. From a security standpoint, you may want to scan that computer before giving it access to the network, but from a business standpoint, stopping external users like consultants, system engineers, or contractors from working on their own computers may not be possible either.
Part of the provisioning process is handing out temporary guest access. Many NAC vendors like Cisco and Great Bay Software have guest-access features that force users to authenticate through 802.1X or through a Web portal similar to those used by hotels. By processing all authentication through a NAC product, you get the benefit of having the authentication information aggregated at a single place, relieving you of the job of aggregating authentication events from a variety of systems.
Provided you can restrict guests' access to sensitive resources by such means as putting them on restricted virtual LANs that only allow access to the Internet, having guest users electronically sign an end-user license agreement, or EULA, when they connect to the network may be sufficient to prove compliance where a full host assessment isn't possible. This data can then be used to document when and which users accessed the network.
Of course, having users sign an agreement, by itself, isn't sufficient to stop attackers. Users who wish to harm your organization can simply lie, but when used in the context of a larger security initiative where NAC controls entry to the network, guest access and forced signing of a EULA can go a long way toward proving your company is taking steps to comply with its policies, and provide ammunition should you need to prosecute attackers.
Switch-Based Security Features

Feature: DHCP snooping
Problem: DHCP, a critical network service, is inherently trusted and easily spoofed.
What it does: Creates a database of DHCP exchanges, tracking IP, MAC, and port information. Detects rogue DHCP servers and denies access or sends an alert.
Watch for: Any new DHCP server, including yours, will be identified as a rogue. Configure switches to recognize new servers.

Feature: Dynamic ARP Inspection / Dynamic ARP Protection
Problem: ARP maps MAC addresses to IP addresses with no security checks. Attackers can easily spoof ARP, leading to man-in-the-middle and denial-of-service attacks.
What it does: Detects spoofed MAC addresses and ARP flooding attacks. Also uses the DHCP database to dynamically identify MAC addresses early.
Watch for: A downstream access switch won't see DHCP exchanges on upstream switches, so the feature could disrupt communications.

Feature: IP Source Guard / Dynamic IP Lockdown
Problem: DHCP can be bypassed by statically assigning host IP addresses.
What it does: Creates a database of successful DHCP exchanges, mapping IP leases to MAC addresses, ports, and VLANs.
Watch for: The DHCP database isn't centralized. Hosts with statically assigned IP addresses have to be manually entered.

Feature: Per-port MAC address restriction (feature name not given in the article)
Problem: Attackers can disconnect an existing device like a printer and plug in their own computer on a fully configured port.
What it does: You can statically define which MAC addresses can appear on a port; all others can be denied.
Watch for: Not particularly effective, since MAC addresses can be learned and spoofed.

Feature: Source Port Filtering (protected ports)
Problem: Computers on the same switch and VLAN can communicate directly, bypassing any network-based security features.
What it does: Protected ports stop adjacent computers from communicating directly with each other, essentially segmenting computers.
Watch for: Stops P2P tasks like file sharing, IM, and other host-to-host communications between computers in the same broadcast domain.
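As an added illustration (not from the article or any vendor), the following Python model shows how an access switch's DHCP snooping database is built and then consumed by Dynamic ARP Inspection and IP Source Guard, covering the chart's rogue-server, ARP-spoofing and static-address cases. Port names, MAC and IP addresses and the message sequence are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class AccessSwitch:
    trusted_ports: set                              # uplink(s) toward the real DHCP server
    pending: dict = field(default_factory=dict)     # client MAC -> access port of its DISCOVER/REQUEST
    bindings: dict = field(default_factory=dict)    # access port -> (MAC, IP) of a completed lease
    alerts: list = field(default_factory=list)

    def dhcp(self, port, msg, chaddr, yiaddr=None):
        """DHCP snooping: learn from client messages; accept server messages
        (OFFER/ACK) only on trusted ports. chaddr is the client MAC carried in the message."""
        if msg in ("DISCOVER", "REQUEST"):
            self.pending[chaddr] = port
            return True
        if port not in self.trusted_ports:              # server reply from an access port
            self.alerts.append(f"rogue DHCP server on {port}")
            return False
        if msg == "ACK" and chaddr in self.pending:     # lease completed: record the binding
            self.bindings[self.pending.pop(chaddr)] = (chaddr, yiaddr)
        return True

    def arp(self, port, sender_mac, sender_ip):
        """Dynamic ARP Inspection: the sender pair must match the port's binding."""
        if port in self.trusted_ports or self.bindings.get(port) == (sender_mac, sender_ip):
            return True
        self.alerts.append(f"ARP spoof on {port}: {sender_ip} claimed by {sender_mac}")
        return False

    def ip_forward(self, port, src_mac, src_ip):
        """IP Source Guard: forward only traffic matching the lease (or a static entry)."""
        if port in self.trusted_ports or self.bindings.get(port) == (src_mac, src_ip):
            return True
        self.alerts.append(f"source guard drop on {port}: {src_ip} from {src_mac}")
        return False

def demo():
    """Constructed traffic: a legitimate lease, a rogue server, an ARP spoofer, a static host."""
    sw = AccessSwitch(trusted_ports={"Gi1/0/24"})
    sw.dhcp("Gi1/0/1", "DISCOVER", "aa:aa:aa:aa:aa:01")
    sw.dhcp("Gi1/0/24", "ACK", "aa:aa:aa:aa:aa:01", "10.0.0.11")          # real server, via uplink
    rogue = sw.dhcp("Gi1/0/7", "OFFER", "bb:bb:bb:bb:bb:07", "10.0.0.99")  # OFFER from an access port
    good_arp = sw.arp("Gi1/0/1", "aa:aa:aa:aa:aa:01", "10.0.0.11")
    spoof = sw.arp("Gi1/0/7", "bb:bb:bb:bb:bb:07", "10.0.0.11")            # claims the neighbour's IP
    static = sw.ip_forward("Gi1/0/9", "cc:cc:cc:cc:cc:09", "10.0.0.50")    # never did DHCP: dropped
    sw.bindings["Gi1/0/9"] = ("cc:cc:cc:cc:cc:09", "10.0.0.50")            # static host entered by hand
    static_ok = sw.ip_forward("Gi1/0/9", "cc:cc:cc:cc:cc:09", "10.0.0.50")
    return sw, rogue, good_arp, spoof, static, static_ok
```

The uplink is the only port allowed to carry server-side DHCP messages, which is why the chart warns that a newly added legitimate server is flagged until its port is marked trusted.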