Question

In reference to network access control, describe some of the access control mechanism used by a network administrator to filter, inspect and detect different forms of traffic.

Answer 1

Abstract

Computers connected to the Internet are very much part of every day life. People now use their computers in many different ways, such as online banking, online shopping, email, travel planning, news gathering, etc. It has provided users convenience and the ability to search for things on a moment’s notice. However, by being able to easily log in to and access almost any worldwide site on the Internet, this has also exposed them to software called Malware, such as worms, viruses, Trojans, spy ware, data leakage and identity theft. Additionally, it places their networks at risk to which these computers are connected if they become infected. With an increased remote workforce, businesses also face these issues when their workers attempt to connect to the corporate network through Virtual Private Networks (VPN), or through a growing deployment of wireless technologies and mobile computing with devices, such as smart phones and PDAs. All these factors make Network Access Control (NAC) an important tool to have for today’s businesses. NAC controls the connections coming from the outside and also provides protection from every network connection coming from within the corporate firewall. It also provides security and controls for those, who has access to the network and its resources. This paper describes what NAC is, what prerequisites are required to implement it, and its implementation process. It also introduces the larger network environment by discussing its main players, such as: Cisco, Microsoft, Trusted Network Group, and Juniper, who are involved in developing the technology and standards.

INTRODUCTION

The security started with antivirus software from Symantec, Trend Micro, and McAfee running on end devices which uses client server communication to update the virus definition files. Antivirus software was followed by software-based personal firewalls from Microsoft, Norton, Trend Micro, and ZoneAlarm which provided some access control. The software then transformed into firewall devices, IPSec VPN devices, and SSL VPN devices with an increasing need to access remote networks. This software finally took the form of the technology called Network Access Control which added another layer of protection against potential security threats. NAC, in its original form, was host posture check, quarantine, and remediation which involved a user seeking access to a network. If the user hadn’t received recent OS patches or antivirus with an up-to-date virus definition running on its system, then the user would not be allowed in the network but instead would be placed on a VLAN or network (quarantine) until it was compliant with requirements of the network (remediation). As technology is developing, NAC is not only granting access to the network sought by employees, guests, non employees, and protecting it against security threats but also controlling the access all over the network based on the user’s role. The access to network is permitted, denied, or restricted based on the user’s identity or membership to a particular group.

OVERVIEW

Network access control should perform five fundamental functions: pre-admission host posture checking; quarantine and remediation; identity aware and policy based authentication, resource access control, and post–admission check along with ongoing threat analysis and containment. No single vendor has solution that addresses all five NAC areas but customers are attempting to solve only portions of network access control problems. A few players in network access control technology are: Microsoft with its Network Access Protection (NAP) technology works through Windows Operating Systems; Cisco has Network Admission Control (NAC), which depends on Cisco’s switching infrastructure; Trusted Network Group has standard based Trusted Network Connect (TNC); and Juniper has Unified Access Control (UAC), which uses TNC open standard specification. It is clearly becoming evident that network access control is moving towards framework architecture where various components work together to implement network access control.

TYPES OF NAC APPROACHES

As per the Garner’s report, NAC solutions can take three main approaches or any combination of them. They are described below.

Software Agent

Software agent based solutions rely on the software residing permanently or temporarily on endpoint devices. This software communicates with and authenticates to a server in the network or an appliance.

Standalone Appliances (Inline and Out-of-band Appliances)

The inline solutions, such as, appliances, switches, firewall, and SSL VPN, work inline with network traffic and examine all the traffic and manage access as required. Though they offer mitigation options, they degrade the network performance and add a single point of failure. Out-of-band solutions are adjunct to network infrastructure and require software agents on endpoint devices that direct traffic to the appliances as the user comes on network. This approach does not add a single point of failure but relies on existing network infrastructure to deal with policy violations.

Infrastructure-based NAC Capabilities

Infrastructure-based NAC capabilities integrated on switches or the software itself provide posture check and built-in authentication. This may require existing hardware to upgrade to enable NAC capabilities or upgrade to OS software to be perform network access control.

The Network Access Control technology Network Access control (NAC) mechanism consists basically of two types of assessment:

How NAC secures your network Today, network access for multiple device types or temporary users is an expectation, not an exception. Modern Enterprise network requirements include:

▶ some level of access, no matter who or where you are

▶ access for guests such as sub-contractors, partners, remote employees

▶ access control for a new range of connected devices, for example smartphones, tablets and digital cameras.

The cimpany LAN switches meet these emerging requirements, with comprehensive NAC features and integration. Used in conjunction with appropriate server-side and client-side software tools, they provide a remarkable level of control over the security status of the devices that connect to your network. The Allied Telesis NAC implementation is Trusted Computing Group’s Trusted Network Connect (TCG-TNC) standards-based, to guarantee interoperability with the major third party suppliers of NAC software, such as Microsoft and Symantec. This provides customers with the confidence to create a comprehensive NAC solution from trusted vendors.

At the heart of using NAC for your network security are three key elements:

▶ no (or very limited) access without identification

▶ the quarantine and remediation of non-compliant devices

▶ setting the level of access to network resources based on a device’s authenticated identity

In practice, this means that every device is required to identify itself when it connects, and if appropriate, is then examined for its compliance to security policies. On a typical network, devices that:

▶ Cannot provide a valid identity: are completely barred from the network (or alternatively could have restricted access to the Internet, and nothing else).

▶ Authenticate successfully but fail the policy adherence test: are given access to a remediation process, and nothing else.

▶ Authenticate successfully and are deemed policy adherent: are given access to the network resources that match their identity

In this way, security policy enforcement and resource access control are performed by the network itself, utilizing NAC. Malware cannot harm the network, as it is never allowed access to the network. Intruders cannot commit theft or cause disruption, as they are either blocked or very tightly constrained.

To provide this advance in network security, the significant elements included in Allied Telesis switch functionality are tri-authentication, roaming authentication, two-step authentication, and integration with NAC infrastructure.

Tri-authentication

Tri-authentication allows the network to identify all devices connecting to it. It can be used as part of a comprehensive NAC solution; or on its own where it provides a low overhead method of implementing network access security.

Roaming authentication

Mobile users move from one attachment point to another. Once a user has been given acccess, roaming authentication ensures they are not inconvenienced by the need to re-authenticate as they roam.

Two-step authentication

Devices and users can be separately authenticated, to prevent sophisticated attempts to circumvent security.

Integration with NAC infrastructure

The company equipment can integrate as a key component in network-wide NAC solutions.

Please up voteif you find this solution helpful.

Thank you.