In this month's review, we looked at network access control (NAC) devices. NAC is a group of security management utilities that enforce which system should be allowed on the production network. NAC is most commonly used as a software component to determine if a machine is in compliance with the NAC policy. Most, if not all, vendors also support an agentless client, which uses Java and a web browser to check for policy compliance.
Regardless of how the device is measured against the policy, the typical configuration uses virtual local area networks to segregate the physical LAN into multiple parts. Usually, one VLAN is configured as part of the production network. The other VLAN is a quarantine/purgatory network segment, which only has internet access at best and, in most cases, the non-compliant device can only reach remediation servers.
There are several checks which can be performed by the agent. These include browser version, browser service packs, operating system configuration, operating system patches and hotfixes, whether anti-virus is installed, if anti-virus has the most recent update DAT files, if the system has run a complete virus scan recently, and if the required personal firewall is installed and active.
If the device passes all of these tests, the usual next step is to authenticate the user. This is where 802.1x shines. Communication between the device and the supplication begins at a data-link-only connection. This data-link-only connection further protects the network by only allowing authentication packets to pass through the supplicant to the authenticator (usually a RADIUS server or an internal user database). This allows the supplicant to function as a hardware firewall. If authentication is granted from the authenticator, many client configuration options will be sent along with the successful login message. These options can include the VLAN the device is supposed to be on and the IP address tied directly to a user ID. Additionally, encryption keys can all be passed within the 802.1x successful messages.
In the case of Cisco, the authentication can also specify the firewall rule set, which is tied to the user authentication. Despite the many security advantages of using 802.1x, very few organizations have yet to incorporate and leverage the user authentication components.
Not every NAC solution uses 802.1x for authentication, and the NAC device authenticates to a local database of users. All NAC offerings have a time checking method where the client has to continue to verify the device configuration (usually a laptop or desktop) and compare the current configuration against the NAC policy. Each NAC offering has the ability to check for newly activated ports on a switch or similar device. This allows the administrator to know within minutes if an authorized device has been attached to the network. Some NAC products use the MAC address to determine if the rogue device may possibly be an unauthorized wireless access point. Many of the NAC offerings allow the NAC enforcer to disable the physical port on the switch until the device can be manually approved or disallowed.
The biggest drawback to NAC without the 802.1x authentication is the possibility that a clever intruder can spoof both IP addresses, as well as hardware (MAC) addresses. Some NAC offerings have features to minimize the likelihood of a rogue system on the network, but the protection methods are not infallible.
Most NAC offerings include an agent, which can be used on several operating systems. We were even able to use a Windows 98 machine to install, run the client and authenticate for access to the corporate LAN. Some NAC offerings included installation clients for Mac systems, but these clients were only functional on Mac OS 10.4 and 10.5. If the Mac system did not meet the compatibility, the client, through a web browser, could still access the production network.
How we tested
Each test was performed differently depending on the manufacturer. We used up to five different clients: these include Windows XP home edition, Windows XP professional edition, Vista business edition and Mac OS 10.4. This array of clients allowed us to test the installed agent and dissolvable agents. Having been in this industry long enough to remember the first time node authentication was the security solution, we were surprised at how far these devices have come.
Regardless of how the device is measured against the policy, the typical configuration uses virtual local area networks to segregate the physical LAN into multiple parts. Usually, one VLAN is configured as part of the production network. The other VLAN is a quarantine/purgatory network segment, which only has internet access at best and, in most cases, the non-compliant device can only reach remediation servers.
There are several checks which can be performed by the agent. These include browser version, browser service packs, operating system configuration, operating system patches and hotfixes, whether anti-virus is installed, if anti-virus has the most recent update DAT files, if the system has run a complete virus scan recently, and if the required personal firewall is installed and active.
If the device passes all of these tests, the usual next step is to authenticate the user. This is where 802.1x shines. Communication between the device and the supplication begins at a data-link-only connection. This data-link-only connection further protects the network by only allowing authentication packets to pass through the supplicant to the authenticator (usually a RADIUS server or an internal user database). This allows the supplicant to function as a hardware firewall. If authentication is granted from the authenticator, many client configuration options will be sent along with the successful login message. These options can include the VLAN the device is supposed to be on and the IP address tied directly to a user ID. Additionally, encryption keys can all be passed within the 802.1x successful messages.
In the case of Cisco, the authentication can also specify the firewall rule set, which is tied to the user authentication. Despite the many security advantages of using 802.1x, very few organizations have yet to incorporate and leverage the user authentication components.
Not every NAC solution uses 802.1x for authentication, and the NAC device authenticates to a local database of users. All NAC offerings have a time checking method where the client has to continue to verify the device configuration (usually a laptop or desktop) and compare the current configuration against the NAC policy. Each NAC offering has the ability to check for newly activated ports on a switch or similar device. This allows the administrator to know within minutes if an authorized device has been attached to the network. Some NAC products use the MAC address to determine if the rogue device may possibly be an unauthorized wireless access point. Many of the NAC offerings allow the NAC enforcer to disable the physical port on the switch until the device can be manually approved or disallowed.
The biggest drawback to NAC without the 802.1x authentication is the possibility that a clever intruder can spoof both IP addresses, as well as hardware (MAC) addresses. Some NAC offerings have features to minimize the likelihood of a rogue system on the network, but the protection methods are not infallible.
Most NAC offerings include an agent, which can be used on several operating systems. We were even able to use a Windows 98 machine to install, run the client and authenticate for access to the corporate LAN. Some NAC offerings included installation clients for Mac systems, but these clients were only functional on Mac OS 10.4 and 10.5. If the Mac system did not meet the compatibility, the client, through a web browser, could still access the production network.
How we tested
Each test was performed differently depending on the manufacturer. We used up to five different clients: these include Windows XP home edition, Windows XP professional edition, Vista business edition and Mac OS 10.4. This array of clients allowed us to test the installed agent and dissolvable agents. Having been in this industry long enough to remember the first time node authentication was the security solution, we were surprised at how far these devices have come.
