Network Access Control

09:05 Goals of Network Access Control

Network access control mitigates non-zero-day attacks. NAC is used to authorize and authenticate network connections. It does so by using role-based control of users, devices, or applications. It also encrypts traffic through wired and wireless networks via network protocols.

“So you’re not getting connections from just any rando out there.”

NAC uses automation and other tools to define roles based on information about the end-station. One of the major benefits of Network Access Control is that it doesn’t allow end-stations without antivirus or with outdated patches. This reduces the risks of cross contamination between stations or nodes on a network.

Network access control solutions provide policy enforcement. It allows network administrators to set polices. These include computers allowed on a network, role based access to areas of the network, and switches or routing.

“It’s not just who you are but it’s where you are.”

Identity and access management are provided through network access control. Conventional IP networks allow access via IP addresses. NAC networks authenticate users or user end-stations.

18:20 Admission (Pre and Post) to the Network

“You kinda have to pass the bill before you know what’s in it.”

NACs are designed to either enforce policies before or after accessing the network. The idea is to prevent clients with out of date antivirus and other security patches from connecting to secure server. This is done via pre or post admission checks.

Pre-admission design inspects the end-stations before allowing them on the network. This includes checking login credentials. It also checks that the end-station complies with security standards. Authentication allows networks to differentiate users and their roles within the network. Posture checking is a way of validating the endpoints by detecting if malware is present.

“Pre is authentication and post is authorization.”

Post-admission allows access to the network then enforces policy based on user actions. This can include limiting capabilities such as VLAN steering. Post admission allows networks to control what users are allowed to do once they gain access to the network. Any NAC that has post-admission can also have pre-admission policies. This doesn’t work in reverse. If a NAC has pre-admission policies that doesn’t mean it can or will have post admission policies.

24:15 Gaining End System Information

NAC allows access to a network through decisions based on information about the device at the end-station. These systems can be agent based or agent-less systems. In addition they may be on a single device or distributed.

“The way you design your NAC is based less on the policy and more on the network and the age of the network you are on.”

Older NAC designs use scanning and network inventory techniques to get information about the end-station. When an end-station joins a domain a user logs into the domain and the NAC verifies the end-station complies with access policy via a domain controller. Active Directory is such a domain controller where users log in or out when accessing the network. Users can be assigned roles or placed into groups. The roles or groups are used to determine if the user has sufficient privileges to access that area of the network.

Some newer NAC designs require using agent software to report on the end-station device. An agent is basically an app or service that performs functions based on behalf of another app. It’s the code that authenticates end-stations and users, verifies end-station devices have up to date protection software, and checks for prohibited apps. While some agents exist on the end-station they do not need to be there. Agents on the end-station are persistent agents meaning it’s always available and can run continuously. Dissolvable agents exist in a portal separate from the end-station that the user downloads via a link and does not require installation on the end-station.

A NAC is an out-of-band system if it’s agents are distributed across end-stations. The end-station agents report information about themselves to a central console. The console acts as a switch to enforce network policy. Out-Of-Band systems are able to reuse existing infrastructure.

“It’s hard to kinda glue this stuff into something that’s already build.”

On the other hand, inline systems can be on a single device. The device acts as an internal firewall for access-layer networks. The single device enforces network policy by directly controlling individual packets. These systems are easier to deploy on newer networks.

34:05 Remediation Strategies

“They’re a valid user as understood by people but not as understood by machines.”

When using a NAC it is expected that some valid users will be denied access for various reasons. NAC needs to have a way for the end-station user to address the issue that caused the denial. There are two common strategies for remediation.

Quarantine networks provide users with routed access to certain hosts and applications. When a NAC finds an end-station out of date it will route it to a patch or update. This is implemented through a virtual local area network (VLAN). Address Management is another way to quarantine that doesn’t require managing VLANs for quarantined end-stations. Address resolution protocol is used to discover the lowest layer address such as the MAC (media access control) address. Neighbor discovery protocol is another way to get the lowest layer address.

“This is kinda similar to the way that hotel and restaurant wifi works.”

Captive Portals intercept access to web sites via HTTP. They redirect to a web app that allows the end-station to update. Until the end-station updates they are only allowed to the captive portal. External captive portals are wired or wireless controllers and switches offloading the work from the hosting web portal.

42:10 Mobile NAC

“If someone has an iPhone X, that’s a commitment.”

Mobile devices and a workforce that connect via different wireless networks create new concerns. This can be workers that travel or sales associates that use tablets for making sales. Denial of access to the network can mean that the device is useless and work is halted. Remediation strategies may take longer over a wireless or mobile network.

“You have to think about data exfiltration concerns.”

Mobile NAC are similar to wired, except that the scanning software is run continuously. This occurs whether it resides on the device or on the server. It also runs whether or not the device is attempting to connect to the network.

A mobile specific NAC allows the network admin to control the level of remediation. Networks may send warnings for lesser concerns like out of date software. Whereas a compromised device may be quarantined until remediation can take place.

Automated remediation can be set to only occur under certain conditions. This could be when only on a Wi-Fi or LAN connection of at certain hours. A balance between keeping workers productive and the need for security can be achieved.