Implementing network access control generally involves one of three types of check. The first, as in the earlier example of a wireless hot spot, is satisfied simply by asking the user to agree to a usage policy before connecting to the network; the user's identity and the machine's status play no part in whether access is granted.
The second type validates the user, and the third validates the machine's status. These two checks are rarely used as a simple all-or-nothing decision. With user validation, different users receive different levels of access: administrators are typically given full access, while other users are limited to certain applications. Machine status is the state of the computer measured against the established security policy. If, for example, the policy requires a Windows computer to have the current operating system patches, the connection is restricted until the patch requirement is met on the connecting machine. Ensuring that machines meet the security policy's requirements significantly reduces the damage caused by network worms and viruses.
The limited connectivity a user is given before full network access is granted is an isolated, or quarantined, state. Quarantine does not mean that all access is blocked: the security policy can allow a quarantined machine to reach an update server and download current antivirus definitions. When planning a NAC deployment, you need to understand the basic quarantine methods, their limitations, and how they fit into your network infrastructure.
Isolation methods
Ever since networks were first shared, isolation has been implemented manually with access control lists (ACLs) on routers and switches. The policy parameters include source and destination addresses, TCP and UDP ports, IP protocol, and MAC address. From a network-architecture standpoint this requires an inline device, and an inline NAC automates the management of those access control lists.
Another method uses virtual LANs (VLANs) to keep quarantined machines separate from the corporate network. A relatively simple variant uses the Dynamic Host Configuration Protocol (DHCP) to place a client on a different network. This not only puts the machine into a restricted VLAN at layer 3 but also lets you control other client settings, such as the DNS servers it uses. For example, every web request can be resolved to a web server that displays the usage policy with an 'Accept' button.
In more complex switch infrastructures, a NAC system can work with the switches to dynamically place the machine's switch port into a particular VLAN. By default, every switch port on the NAC-protected network is assigned to an isolation VLAN with limited access. When the NAC system determines that the machine meets the NAC requirements, it instructs the switch to move the port to a less restrictive VLAN.
Some NAC systems use 802.1X not only for authentication but also to carry machine status information over the Extensible Authentication Protocol (EAP). As with the VLAN port method, access according to the established security policy is enforced at the switch-port level.
Finally, there is an Address Resolution Protocol (ARP) method, which achieves an inline position by managing the client's ARP table.
The NAC device is attached to a monitoring port on the switch (often called the SPAN port) and answers the ARP requests it sees for the gateway. The NAC inserts its own MAC address into the client's ARP table, which causes the client to send all non-local traffic to the NAC. Once the machine satisfies the NAC policy, it is allowed to communicate with the correct gateway.
Each method offers a different degree of protection. With DHCP, a user can statically assign the machine a valid address and so bypass DHCP-based isolation. The ARP method can likewise be defeated by manually creating a static ARP entry for the gateway if the gateway's MAC address is known. Most NAC systems, however, have some countermeasures against these tricks.
The scope of the access control must also be considered. For example, unlike port-level NAC solutions, an inline NAC tightly controls access to the company backbone and the Internet, but access between machines on the same side of the NAC is not restricted. In other words, machine A can still reach machine B fully if both sit on the same switch behind the NAC.
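One countermeasure of the kind mentioned above, written as an added example rather than code from the article or any NAC product: compare what the access switch actually sees against the DHCP lease table, so a quarantined host that configured itself a static production address, or a second MAC answering for the NAC's gateway address, is flagged for the operator. The lease table, address ranges, MAC addresses and observed bindings are all constructed sample data.

```python
from ipaddress import ip_address, ip_network

# Constructed data: the production range is handed out only by DHCP, and the
# NAC answers ARP for the gateway address. Real deployments would pull the
# lease table from the DHCP server and the bindings from the access switch.
PRODUCTION_NET = ip_network("10.10.0.0/24")
NAC_GATEWAY_IP = "10.10.0.1"
NAC_GATEWAY_MAC = "00:11:22:33:44:01"

# Constructed DHCP lease table: MAC -> leased IP.
LEASES = {
    "aa:bb:cc:00:00:01": "10.10.0.50",   # compliant host, production lease
    "aa:bb:cc:00:00:02": "10.99.0.20",   # quarantined host, quarantine lease
}

# Constructed snapshot of (MAC, IP) pairs seen on the access switch, e.g. from
# its ARP table or DHCP-snooping binding table.
OBSERVED = [
    ("aa:bb:cc:00:00:01", "10.10.0.50"),  # matches its lease
    ("aa:bb:cc:00:00:02", "10.10.0.77"),  # quarantined host using a static IP
    ("aa:bb:cc:00:00:03", "10.10.0.90"),  # never received any lease
    ("aa:bb:cc:00:00:09", "10.10.0.1"),   # second MAC answering for the gateway
]

def audit(observed, leases, gateway_ip, gateway_mac, prod_net):
    """Return a list of (mac, ip, reason) findings for a NAC operator."""
    findings = []
    for mac, ip in observed:
        if ip == gateway_ip and mac.lower() != gateway_mac.lower():
            findings.append((mac, ip, "gateway IP claimed by foreign MAC"))
            continue
        if ip_address(ip) in prod_net and leases.get(mac) != ip:
            # A production address DHCP never handed to this MAC: either a
            # static-IP bypass of quarantine or a stale binding worth a look.
            findings.append((mac, ip, "production IP without matching lease"))
    return findings

if __name__ == "__main__":
    for finding in audit(OBSERVED, LEASES, NAC_GATEWAY_IP, NAC_GATEWAY_MAC, PRODUCTION_NET):
        print(*finding)
```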
User credentials
Verifying user identity is an important component of NAC systems. In the simplest case, such as a shop offering a hot spot, a user is given what might be called guest access once they agree to the usage policy. In other settings, more restrictive access methods are far more useful.
In a simple authentication environment, a NAC can query a RADIUS server to determine whether the user may access the intranet and the Internet. If the user exists and the password is correct, full access is granted; otherwise the default policy for unauthenticated users grants visitors only the common Internet ports (such as HTTP and HTTPS, as determined by company policy).
In more complex environments, senior managers need access to ERP systems, network administrators need access to the servers, and insurance regulators need access to the database, so user-based policies are needed. By integrating with a Lightweight Directory Access Protocol (LDAP) or Active Directory server, user roles can define the level of access authenticated staff receive to systems and applications.
From the user's perspective, authentication can be done in several ways. The simplest is web-based; however, it requires the user to open a browser regardless of which application is trying to access the network. Whatever URL is requested, the browser is redirected to the NAC login page. Other methods use local client software to pass the authentication information.
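The decision logic behind the three cases above (usage-policy acceptance only, RADIUS-style password check with a guest default, and directory-group roles), as an added example that is not code from the article or any NAC product. The directory, group names, services and the lookup functions are constructed stand-ins for a real RADIUS and LDAP/Active Directory integration.

```python
# Constructed directory: username -> (password, set of group names).
# A real NAC would ask RADIUS for the password check and LDAP/AD for groups.
DIRECTORY = {
    "alice": ("s3cret", {"network-admins"}),
    "bob":   ("hunter2", {"finance", "erp-users"}),
    "carol": ("pw",      {"staff"}),
}

# Constructed role policy: directory group -> services that role may reach.
ROLE_POLICY = {
    "network-admins": {"ssh", "rdp", "http", "https", "erp", "db"},
    "erp-users":      {"http", "https", "erp"},
    "staff":          {"http", "https"},
}
GUEST_SERVICES = {"http", "https"}   # default for unauthenticated visitors

def authenticate(username, password, directory=DIRECTORY):
    """Stand-in for the RADIUS query: True only for a known user + password."""
    entry = directory.get(username)
    return entry is not None and entry[0] == password

def access_for(username, password, accepted_policy, directory=DIRECTORY):
    """Return (level, services). Every path first requires the usage policy
    to be accepted, which is the only check a hot spot needs."""
    if not accepted_policy:
        return ("denied", set())
    if not authenticate(username, password, directory):
        return ("guest", set(GUEST_SERVICES))
    services = set()
    for group in directory[username][1]:
        # Groups with no policy entry (e.g. "finance") contribute nothing.
        services |= ROLE_POLICY.get(group, set())
    # An authenticated user with no mapped role is held to guest services
    # rather than silently being given everything.
    return ("user", services or set(GUEST_SERVICES))

if __name__ == "__main__":
    for user, pw in (("alice", "s3cret"), ("bob", "hunter2"), ("bob", "wrong")):
        print(user, access_for(user, pw, accepted_policy=True))
```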
Machine status
Computer worms can cripple the corporate network, steal data, and disable critical systems, and they spread through vulnerabilities in networked machines. Most NAC implementations therefore have a way of assessing the client for vulnerabilities, checking whether the machine is compromised or vulnerable and quarantining it as the policy dictates.
There are three basic types of security status assessment: external, internal, and traffic-based. External assessment uses a central server that scans the client. Many NAC systems use a modified Nessus scan to look for vulnerabilities and malicious code. However, a client protected by a host firewall can reduce the effectiveness of this scan.
Internal assessment installs an agent on the machine to handle authentication, run the assigned tests on the client, and report the results to the NAC system. For example, in a Windows environment the antivirus installation creates a registry key that can be checked. Obviously, that key can be inserted by hand to fool the check. In other cases the agent checks for the presence of a specific file on the local machine, whatever the operating system.
Traffic analysis is a much more active method. Like an intrusion prevention system, the NAC scans network traffic for known signatures of malicious code. A machine that was granted full access but is later infected and begins malicious activity has its network access cut off immediately.
Some advanced NAC systems add a further level of detection by identifying the operating system to decide which access policies to apply. Typically, more tests are run on Windows machines than on other operating systems.
Defeating OS detection is possible, depending on the method used. For example, if detection relies on what the client's browser reports, the user can simply reconfigure the browser to appear to be running another operating system. Fortunately, operating system identification techniques (such as TCP fingerprinting) are steadily becoming more sophisticated, which reduces this kind of evasion.
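How a NAC can combine the agent's machine-status report with OS identification, cross-checking the browser's claimed OS against a stack-level fingerprint before choosing which tests apply, as an added example that is not code from the article or any NAC product. The report fields, the sample reports and the single-value TTL table are constructed simplifications; a real fingerprinter weighs many more TCP/IP features.

```python
# Constructed mapping from observed IP TTL to OS family. Default TTLs of 128
# (Windows) and 64 (Linux/macOS) are the usual convention; a real TCP
# fingerprinter weighs many more stack features than this single value.
TTL_OS = {64: "unix", 128: "windows"}

# Constructed sample reports as a NAC might receive them from an agent plus
# its own packet capture; 'ttl' is the value seen on the wire.
REPORTS = {
    "honest_windows": {"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64)",
                       "ttl": 127, "av_key_present": True, "patched": True},
    "spoofed_ua":     {"user_agent": "Mozilla/5.0 (X11; Linux x86_64)",
                       "ttl": 126, "av_key_present": False, "patched": False},
    "real_linux":     {"user_agent": "Mozilla/5.0 (X11; Linux x86_64)",
                       "ttl": 63, "av_key_present": False, "patched": True},
}

def os_from_user_agent(ua):
    """OS family the browser claims; the user can change this at will."""
    ua = ua.lower()
    if "windows" in ua:
        return "windows"
    if "linux" in ua or "mac os" in ua or "macintosh" in ua:
        return "unix"
    return "unknown"

def os_from_ttl(ttl):
    """OS family implied by the TTL, rounded up to the nearest default."""
    for base in sorted(TTL_OS):
        if ttl <= base:
            return TTL_OS[base]
    return "unknown"

def assess(report):
    """Return ('full' | 'quarantine', reasons) for one machine-status report."""
    reasons = []
    claimed = os_from_user_agent(report["user_agent"])
    fingerprint = os_from_ttl(report["ttl"])
    # Trust the stack fingerprint over the browser's claim; a disagreement is
    # itself a finding, since it is what a user-agent spoof looks like.
    effective = fingerprint if fingerprint != "unknown" else claimed
    if claimed != effective:
        reasons.append(f"browser claims {claimed} but stack looks like {effective}")
    if effective == "windows":  # the Windows policy carries the extra tests
        if not report.get("av_key_present"):
            reasons.append("antivirus registry key missing")
        if not report.get("patched"):
            reasons.append("required OS patches missing")
    return ("quarantine" if reasons else "full", reasons)
```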
Open source options
Clearly, some of NAC's roots can be traced to open source projects, and there are several open source NAC systems with a range of features. As NAC technology matures in the mainstream market, an open source option may be ideal, depending on your requirements and the NAC policies to be enforced.
Commercial systems have more features than their open source counterparts, and they come with more support. But that is not really the issue, and it does not mean open source is weak: several open source systems offer sophisticated detection, authentication, and isolation capabilities.
Why not go the open source route? If an open source system provides all the required functions and technical capabilities, the cost of deployment is fundamentally low. And although it may lack vendor support, in some cases third-party companies provide substantial support and often have experts available to answer questions about it.