Network Access Control (NAC) has become a hot topic for a wide range of corporate stakeholders, including business leaders, networking teams, and security teams. With all the different NAC solutions on the market there is still a lot of confusion about what NAC actually does and, more importantly, why it is important for an enterprise network in today’s environment. Before looking at the important role of NAC in the successful deployment of a converged voice/video/data network, it is important to understand in simple terms what NAC is and what it does.
First let’s look at what part of the network NAC controls. NAC is targeted at the access layer, where users/computers and devices like IP phones and printers connect to the network. The network access layer is particularly vulnerable because it is inside the corporate firewall and considered somewhat protected by physical building security. It is a part of what most enterprises consider the trusted network. The problem is that many employees have laptop computers that they use from home and at the office. At home they are not protected by enterprise-strength corporate firewalls, so the systems can easily become infected with viruses and trojans. When they connect an infected system to the corporate network the virus or trojan can then spread through and compromise the corporate network. Another problem is in the way employees’ computers are managed. In some cases, to save management overhead and expense, end users are given responsibility for things like installing patches and updating virus definitions. Many organizations have corporate policies that require the IT department to enforce that an employee computer meets corporate standards before allowing it full access to the network. That enforcement includes checks for up-to-date patches and virus definitions, operational anti-virus programs, and checks for the presence of any unauthorized programs.
In order to meet the requirements of securing the access layer, NAC provides functionality to:
After an end system is allowed network access it should be monitored to be sure it does not become a threat. This is a continuing process to:
Any complete NAC solution should include all of these functions.
Today’s enterprise networks are complex and ever-changing environments that present a wide range of challenges for the corporate IT group. The proliferation of mobile devices such as laptop computers and smart phones combined with a host of other devices from security cameras and card readers to printers and scanners all need to be connected to the network. Business units are constantly adding new applications such as Voice over IP (VoIP) that need network access. Virtualization of data servers promises to save money not only on hardware but on cooling and power consumption but introduces networking challenges as virtual servers are deployed dynamically across different hardware platforms. The IT group has the responsibility for making sure this converged network is secure and that all of the applications such as VoIP and IP video that rely on the network receive the resources they need.
The first step in managing this environment requires an understanding of:
Network Access Control (NAC) can provide answers to these questions. NAC will detect a device when it first connects to the network and will determine what type of device (e.g., laptop, IP phone, IP camera, printer) it is. NAC will then map that device to the switch and port it is connected to. Depending on the type of device, NAC will either authenticate the device locally or will send the authentication request to an authentication server. For example, if NAC detects an IP phone connecting to the network it can authenticate it locally or it can send the phone’s unique MAC address to the authentication server for validation. If the device is a laptop, the user will most likely be authenticated by sending the user’s login credentials to the authentication server. If the user’s login credentials are valid, the authentication server will return an accept message and the user can be granted access to the network.
Having answered the questions of who, what, and where, the next step is to determine if the device meets minimum corporate security standards. This can be accomplished in one of two ways: via a network scan or via an agent-based scan.
A network scan is the simplest and least intrusive scan. At the basic level the system is scanned for vulnerabilities. These vulnerabilities are associated with applications so the scan will show applications that are vulnerable to attacks. The next level of network scan requires the scanner to have login credentials for the user’s system. This allows the scanner to log into the end system and determine things such as the type and patch level of the operating system and if the user is running the required anti-virus software. The scan can also determine if the anti-virus signatures are up to date.
Agent-based scans provide deeper levels of inspection than network scans but they require the scanning systems to download an agent (i.e. a small program) onto the end system. Agents can be configured to continuously monitor virus scanners and firewalls and report if the user turns them off. They can also monitor for running programs such as file sharing applications that may not be permitted by corporate security policies. Agents can be configured to automatically remediate problems. This means that they will start required programs such as firewalls and terminate programs that violate security policies. The agent can be either dissolvable or persistent. Dissolvable agents delete themselves from the end system when it is rebooted. Persistent agents are reloaded after a reboot and will continue to monitor the system.
Network-based scans have the advantage of not needing to load anything onto the end system but they do not provide as deep a scan as agent-based scans. Agent-based scanning has met with resistance in some organizations that are reluctant to deploy agents that impact performance on their end systems. The tradeoff is between the level and length of scanning and the impact on the system being examined. The scan usually takes place at the same time the user’s login credentials are being sent to the authentication server.
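The following is an added example, not code from the article or from any NAC product: a small Python posture check that compares what a scan reported against a corporate baseline of the kind described above (patch age, anti-virus running, signature age, forbidden programs, vulnerable applications). The thresholds, hostnames and program names are constructed placeholders. The design point it makes is that a plain network scan can only fail on what it actually sees, so checks it could not perform are reported as unverified rather than silently counted as passes.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Hypothetical corporate baseline; the article names the checks but not the numbers.
MAX_PATCH_AGE_DAYS = 30
MAX_SIGNATURE_AGE_DAYS = 7
FORBIDDEN_PROCESSES = {"utorrent", "bittorrent"}   # file-sharing apps barred by policy
TODAY = date(2024, 6, 1)                           # fixed so the example is deterministic


@dataclass
class PostureReport:
    """What one scan learned about an end system.

    A plain network scan can only fill vulnerable_apps. A credentialed scan or an
    agent can also report patch level, anti-virus state and running programs.
    """
    hostname: str
    source: str                                    # "network", "credentialed" or "agent"
    vulnerable_apps: List[str] = field(default_factory=list)
    os_patch_date: Optional[date] = None
    av_running: Optional[bool] = None
    av_signature_date: Optional[date] = None
    running_processes: Optional[List[str]] = None


@dataclass
class Assessment:
    hostname: str
    compliant: bool
    findings: List[str]      # checks that ran and failed
    unverified: List[str]    # checks the scan type could not perform


def assess(report: PostureReport, today: date = TODAY) -> Assessment:
    """Compare a posture report with the baseline.

    Only checks that actually ran can fail; checks the scan could not perform are
    listed separately so the operator sees how much a plain network scan leaves unknown.
    """
    findings, unverified = [], []

    if report.vulnerable_apps:
        findings.append("vulnerable applications: " + ", ".join(report.vulnerable_apps))

    if report.os_patch_date is None:
        unverified.append("patch level")
    elif (today - report.os_patch_date).days > MAX_PATCH_AGE_DAYS:
        findings.append(f"OS patches older than {MAX_PATCH_AGE_DAYS} days")

    if report.av_running is None:
        unverified.append("anti-virus running")
    elif not report.av_running:
        findings.append("anti-virus not running")

    if report.av_signature_date is None:
        unverified.append("anti-virus signatures")
    elif (today - report.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        findings.append(f"anti-virus signatures older than {MAX_SIGNATURE_AGE_DAYS} days")

    if report.running_processes is None:
        unverified.append("running programs")
    else:
        banned = sorted(FORBIDDEN_PROCESSES & {p.lower() for p in report.running_processes})
        if banned:
            findings.append("forbidden programs running: " + ", ".join(banned))

    return Assessment(report.hostname, not findings, findings, unverified)


# Constructed sample reports, one per scan type.
SAMPLE_REPORTS = [
    PostureReport("eng-lt-03", "network"),                 # nothing vulnerable was seen
    PostureReport("hr-desk-02", "credentialed",
                  os_patch_date=date(2024, 3, 1),
                  av_running=False,
                  av_signature_date=date(2024, 4, 1)),
    PostureReport("sales-lt-17", "agent",
                  os_patch_date=date(2024, 5, 20),
                  av_running=True,
                  av_signature_date=date(2024, 5, 31),
                  running_processes=["outlook", "uTorrent"]),
]


def assess_all(reports=SAMPLE_REPORTS):
    """Assess every report; keyed by hostname for easy lookup."""
    return {a.hostname: a for a in (assess(r) for r in reports)}


if __name__ == "__main__":
    for a in assess_all().values():
        print(a)
```

Run as a script it prints one assessment per host: the uncredentialed scan of eng-lt-03 comes back compliant but with four unverified checks, which is exactly the visibility gap the paragraph above describes; whether an operator accepts that result or insists on a credentialed or agent scan is a policy decision the code leaves to the caller.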
The ideal way to guarantee that network resources are correctly aligned with business requirements is to create different security and quality of service policies for different enterprise roles. These roles are assigned to users as they access the network and control the allocation of networked resources. The easiest example to understand is the guest role. The typical guest role grants guests enough resources for Internet access, web mail and VPN access to the guest’s own corporate network. Bandwidth is usually limited to minimize impact on business critical applications. Additional roles can be created for other corporate groups. The network operations group will need access to different applications and servers than the sales group. Similarly, sales will have different needs than the engineering group.
If the end system is a device such as a printer or IP phone determining the resources required is straightforward. An IP phone only needs to send packets to the servers running the VoIP services. We can also determine the protocols that the phone will use to communicate with servers. Finally, there is a need to prioritize the VoIP packets to provide the best possible voice call quality. For security reasons the VoIP traffic will be rate limited to a level that will protect the rest of the network from a VoIP-based denial of service attack while at the same time providing good voice quality.
Once the policies have been defined there is a need to decide how they will be applied to the correct devices and users. Policies can be applied statically to ports supporting devices such as printers that are always attached to the network in the same place. Dynamic policies allow devices and users to access the network from different places and have their policies follow them.
When NAC detects and authenticates a device like an IP phone connecting to the network it can apply the security and quality of service policies defined by the IP phone role. When a user authenticates onto the network NAC will assign the policies defined by their role in the organization.
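As an added example (not the article’s or any vendor’s code), the role-to-policy model of the last four paragraphs in Python: each role carries an allow list of destinations and protocols, a QoS marking and an optional rate limit; a printer port gets a static role, while users and IP phones get a dynamic role that follows them to whichever switch and port they connect through. Hostnames, DSCP values and rate limits are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

INTERNET = "internet"    # stand-in destination for anything outside the enterprise
INTERNAL_HOSTS = {"pbx-1", "pbx-2", "print-server", "crm", "mail",
                  "git", "build-farm", "fileserver"}


@dataclass(frozen=True)
class Rule:
    dst: str     # internal hostname, INTERNET, or "*" for any destination
    proto: str   # application protocol name, or "*" for any


@dataclass(frozen=True)
class Policy:
    role: str
    allow: Tuple[Rule, ...]
    dscp: int                        # QoS marking for the role's packets (46 = Expedited Forwarding)
    rate_limit_kbps: Optional[int]   # None means no rate limit


# Constructed role catalogue; numbers and hostnames are placeholders.
POLICIES = {
    # An IP phone only needs SIP signalling and RTP media to the VoIP servers,
    # prioritised for voice quality and rate limited to contain a VoIP-based flood.
    "ip_phone": Policy("ip_phone",
                       (Rule("pbx-1", "sip"), Rule("pbx-2", "sip"),
                        Rule("pbx-1", "rtp"), Rule("pbx-2", "rtp")),
                       dscp=46, rate_limit_kbps=256),
    "printer": Policy("printer", (Rule("print-server", "ipp"),),
                      dscp=0, rate_limit_kbps=None),
    # Guests: Internet, web mail and VPN back to their own company, bandwidth capped.
    "guest": Policy("guest",
                    (Rule(INTERNET, "http"), Rule(INTERNET, "https"), Rule(INTERNET, "ipsec")),
                    dscp=0, rate_limit_kbps=2000),
    "sales": Policy("sales",
                    (Rule("crm", "https"), Rule("mail", "imaps"), Rule(INTERNET, "https")),
                    dscp=0, rate_limit_kbps=None),
    "engineering": Policy("engineering",
                          (Rule("git", "ssh"), Rule("build-farm", "*"), Rule(INTERNET, "https")),
                          dscp=0, rate_limit_kbps=None),
}

# Static assignment: ports whose attached device never moves (the printer case).
STATIC_PORT_ROLES = {("sw-floor2", 12): "printer"}

# Dynamic assignment: the role is bound to the authenticated identity, so it follows
# the user or device to whichever switch and port they connect through.
USER_ROLES = {"alice": "sales", "bob": "engineering"}
DEVICE_ROLES = {"ip_phone": "ip_phone", "printer": "printer"}


def resolve_role(switch: str, port: int, device_type: str, user: Optional[str] = None) -> str:
    """Pick the role for a connection: static port policy first, then the
    authenticated user, then the authenticated device type, otherwise guest."""
    if (switch, port) in STATIC_PORT_ROLES:
        return STATIC_PORT_ROLES[(switch, port)]
    if user in USER_ROLES:
        return USER_ROLES[user]
    if device_type in DEVICE_ROLES:
        return DEVICE_ROLES[device_type]
    return "guest"


def policy_for(switch: str, port: int, device_type: str, user: Optional[str] = None) -> Policy:
    return POLICIES[resolve_role(switch, port, device_type, user)]


def permits(policy: Policy, dst: str, proto: str) -> bool:
    """Would traffic from this role to `dst` over `proto` be forwarded?
    Anything not in INTERNAL_HOSTS is treated as an Internet destination."""
    target = dst if dst in INTERNAL_HOSTS else INTERNET
    return any(r.dst in ("*", target) and r.proto in ("*", proto) for r in policy.allow)


if __name__ == "__main__":
    phone = policy_for("sw-floor3", 7, "ip_phone")
    print(phone.role, "sip to pbx-1:", permits(phone, "pbx-1", "sip"),
          "smb to fileserver:", permits(phone, "fileserver", "smb"))
    print(policy_for("sw-floor1", 1, "laptop", user="alice").role)
```

The precedence order in resolve_role is the design decision worth noticing: a statically assigned port keeps its role even if a user authenticates on it, which is what makes the printer port predictable, while everything else is decided by identity rather than by location.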
As with any technology that has the potential to deny large numbers of users access to the resources they need to do their jobs, NAC should be deployed in a careful and controlled manner.
In the first stage NAC will be configured to only identify the devices connected to the network. This will give a full understanding of what users and devices are connected to the network access layer. It will also provide a map of where all the devices are connected. Once any unauthorized devices are removed you can move to the next stage.
In the second stage authentication will be enabled but NAC will not be configured to enforce it. This will show which users would have failed authentication and been prevented from accessing the network. After correcting the user authentication problems and monitoring NAC until everyone is successfully authenticating, NAC can be configured to enforce authentication without fear of a large disruption in network service.
Stage three will enable assessment but will not enforce the results. This will give a list of all non-compliant systems connected to the network. After all of the problems with the non-compliant systems have been resolved NAC can be configured to enforce assessment.
In some environments it may make sense to configure NAC for detection, authentication and assessment but not configure it to enforce any of them. This would allow IT to track any problems without risking any network access interruptions.
Example: Benefits of NAC in a Unified Communications Environment
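To make the staged rollout concrete, here is an added Python example (not from the article or from any NAC product) of an admission decision in which each of the three NAC functions can be off, monitored or enforced. Detection always records the device and its switch/port; authentication is local by MAC for phones and printers and via a stubbed authentication server for user logins, as the earlier section describes; the assessment step consumes a compliance result produced elsewhere. The MAC addresses, user accounts and the rule that only user systems are assessed are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

OFF, MONITOR, ENFORCE = "off", "monitor", "enforce"


@dataclass(frozen=True)
class StageConfig:
    """Detection always runs; authentication and assessment are off, monitored
    (failures logged, access still granted) or enforced (failures deny access)."""
    authentication: str = OFF
    assessment: str = OFF


# The rollout stages from the article, as constructed configurations.
STAGES: Dict[int, StageConfig] = {
    1: StageConfig(OFF, OFF),            # identify devices only
    2: StageConfig(MONITOR, OFF),        # see who would fail authentication
    3: StageConfig(ENFORCE, MONITOR),    # enforce authentication, list non-compliant systems
    4: StageConfig(ENFORCE, ENFORCE),    # enforce both
}


@dataclass
class ConnectEvent:
    switch: str
    port: int
    mac: str
    device_type: str                                 # "ip_phone", "printer", "laptop", ...
    credentials: Optional[Tuple[str, str]] = None    # (username, password) for user devices
    posture_compliant: Optional[bool] = None         # outcome of the assessment scan, if any


# Constructed directory data: phones and printers are authenticated locally by MAC,
# user devices by credentials sent to an authentication server (stubbed here).
LOCAL_DEVICE_MACS = {"00:11:22:33:44:55"}
AUTH_SERVER_USERS = {"alice": "correct horse", "bob": "battery staple"}
ASSESSED_DEVICE_TYPES = {"laptop", "desktop"}   # assumption: only user systems are scanned


def auth_server(username: str, password: str) -> bool:
    """Stand-in for the accept/reject answer of a RADIUS-style server."""
    return AUTH_SERVER_USERS.get(username) == password


@dataclass
class Decision:
    granted: bool = True
    denied_by: Optional[str] = None                        # enforced check that denied access
    would_deny: List[str] = field(default_factory=list)    # monitored checks that failed
    log: List[str] = field(default_factory=list)


def _record_failure(decision: Decision, check: str, mode: str) -> None:
    if mode == ENFORCE:
        decision.granted = False
        decision.denied_by = check
        decision.log.append(f"{check} failed: access denied")
    else:
        decision.would_deny.append(check)
        decision.log.append(f"{check} failed: would have been denied (monitor mode)")


def admit(event: ConnectEvent, cfg: StageConfig) -> Decision:
    d = Decision()
    # Detection runs in every stage: record what connected, and where.
    d.log.append(f"detected {event.device_type} {event.mac} on {event.switch}/{event.port}")

    if cfg.authentication != OFF:
        if event.device_type in ("ip_phone", "printer"):
            ok = event.mac in LOCAL_DEVICE_MACS            # local MAC authentication
        elif event.credentials is not None:
            ok = auth_server(*event.credentials)           # user login via auth server
        else:
            ok = False                                     # nothing to authenticate with
        if not ok:
            _record_failure(d, "authentication", cfg.authentication)

    if cfg.assessment != OFF and d.granted and event.device_type in ASSESSED_DEVICE_TYPES:
        # A missing scan result is treated as a failure, not as a pass.
        if event.posture_compliant is not True:
            _record_failure(d, "assessment", cfg.assessment)
    return d


def rollout(event: ConnectEvent) -> Dict[int, Decision]:
    """What the same connection attempt would get at each rollout stage."""
    return {stage: admit(event, cfg) for stage, cfg in STAGES.items()}


# Constructed sample events.
SAMPLES = {
    "wrong_password": ConnectEvent("sw-floor3", 5, "aa:bb:cc:00:00:01", "laptop",
                                   ("alice", "wrong"), posture_compliant=False),
    "stale_patches": ConnectEvent("sw-floor3", 6, "aa:bb:cc:00:00:02", "laptop",
                                  ("bob", "battery staple"), posture_compliant=False),
    "known_phone": ConnectEvent("sw-floor1", 9, "00:11:22:33:44:55", "ip_phone"),
}

if __name__ == "__main__":
    for name, ev in SAMPLES.items():
        for stage, d in rollout(ev).items():
            outcome = "granted" if d.granted else f"denied by {d.denied_by}"
            print(f"{name:15} stage {stage}: {outcome}  would_deny={d.would_deny}")
```

Running the script shows the value of the monitor modes: the laptop with the wrong password is admitted in stage 2 but appears in would_deny, which is the list an administrator works through before switching authentication to enforce; the laptop with stale patches is admitted in stage 3 with assessment in would_deny and only loses access in stage 4. The "all monitor, nothing enforced" configuration the paragraph above mentions is simply StageConfig(MONITOR, MONITOR).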
By adding NAC to a unified communications environment, Enterasys can add value in a number of areas to prioritize and secure communications-enabled business processes. By using NAC’s location services, when an IP phone is first connected to the network, the phone and the phone number can automatically be associated with the switch and port it is connected to. This automatic association reduces administrative and operational costs since the information does not have to be manually entered into a database. This is important because quickly locating a phone is critical for supporting emergency services. Once an IP phone has been recognized and authorized NAC can automatically apply the IP phone role to all traffic from that phone. This policy has a security and quality of service element. The security element protects the IP-PBX from attack by only permitting authorized IP phones to send VoIP protocol packets to the server. The quality of service element of the policy marks and prioritizes all packets coming from the soft-phone or IP telephone handset to minimize network delays and to improve the quality of the voice call. This prioritization will prevent increased network traffic levels from potentially compromising voice call quality. These capabilities are delivered for Siemens unified communications environments along with Avaya, Cisco, Nortel, ShoreTel and others through our open-architecture, standards-based support for voice and video applications.