Knowing who's on the LAN. Providing guest access. Limiting contractors. Controlling what users can do on the LAN. Segmenting the LAN. Documenting and auditing user activities.
There are as many reasons to do NAC and secure the LAN as there are ways to do it. In fact, with so many approaches to NAC, it's hard to evaluate potential solutions. One element to keep in mind is that LAN security is a process – what drives you to implement a solution today may be only a piece of your total security needs in the future. It's critical to consider how your LAN security will evolve over time.
Use this checklist to validate that the solutions you're considering provide the full scope of NAC and LAN security, so you solve tomorrow's problems as well as today's.
Easy integration and network independence, with standards-based deployment
Ease of integration is a top concern with any network deployment, but NAC and LAN security highlight this issue all the more because so many NAC approaches require multiple moving parts to operate. This architecture not only complicates the initial deployment – it also makes ongoing operation hard to maintain. If you change your switch software, will it break the NAC deployment? Or conversely, does deploying NAC mean you have to upgrade switches? A self-contained option that uses standards for communications and fits into your existing LAN design as is makes the rollout much simpler. Ask these questions to understand the architecture basics.
- Can the solution drop into your existing LAN, without changes to the endpoints, switches, VLANs, ACLs, and identity stores?
- Is the system self-contained, avoiding dependence on dynamically reconfiguring switches for enforcement?
- Does the solution operate independently of a centralized policy server?
- Can you "turn off" the system for troubleshooting without affecting network operation?
- Does the system support high-availability deployments and provide redundant power supplies?
So many NAC deployments are driven initially by the need to authenticate users. The key elements here are to leverage existing identity stores wherever possible and to make authentication simple for users. Another critical factor is the ability to support devices that cannot actively participate in authentication, such as medical devices, robotic machines, or printers. These questions can help guide you to a full-featured solution.
- Does the solution leverage existing authentication databases, such as Active Directory, RADIUS, and LDAP, without any changes?
- Can you use multiple authentication mechanisms, including 802.1X and captive portal, regardless of user location, but also allow users to log into the network the same way they always have, such as to a Windows Domain?
- Does the solution make LAN authentication easy, allowing IT to leverage 802.1X where it's installed or avoid 802.1X supplicant interoperability issues where it's not?
- Does the system provide a way for non-user devices (such as printers or VoIP phones) to be authenticated onto the network but still controlled?
- Does the system require an agent for endpoints to be authenticated and controlled?
Effective posture check
Posture check may or may not lead the list of initial requirements, but if you plan to check the state of machines, keep in mind that your solution will likely straddle both managed and unmanaged machines. The solutions differ for those two device types, so these questions can help you ensure you end up with a flexible system for supporting both.
- Does the system scan machines both before and after admission to the LAN?
- Can you run these checks on managed and unmanaged devices?
- Can the solution leverage existing best-of-breed endpoint agents for managed solutions?
- Does the scan include more than just a simple check that certain software is installed, actually looking for the presence of adware or spyware or for specific Windows Registry values?
- Can you configure the solution to scan only certain machines, based on IP address or group membership?
- Can the scan take place without needing admin login credentials on the endpoint?
Complete LAN visibility
You can't control what you can't see. Visibility is crucial throughout the LAN security lifecycle. You need it before you enforce access rights, so you can learn what policies are appropriate and test whether you've got them right. And then you need it after you've implemented access controls, so that you have a documentation and audit trail. This after-the-fact visibility is crucial not only for compliance but also for incident response and troubleshooting. Ask these questions to ensure you're getting the full scope of LAN visibility features.
- Can the system audit and monitor all traffic, tied to a username, to speed incident response?
- Can you audit traffic on a per-user, per-application basis for compliance with regulations such as PCI, HIPAA and SOX?
- Can you set up access policies but have the system just log events, giving you a way to test your policies without impacting users or business processes?
- Can you easily look into any security violation, immediately knowing the user involved and the policy that was violated?
- Can the solution provide application-level inspection at Layer 7 rather than simple SNMP or NetFlow statistics?
- Can you easily compile aggregated data to provide LAN activity reports to management and to demonstrate compliance?
Complete post-admission control of users
To truly protect business-critical data and assets, you have to control not only who can come onto the LAN but also where they can go and what they can do after they're on the LAN. Identity-based control, including assigning access rights by role, application, and location, is the foundation of these post-admission control tools. These detailed questions will reveal how much control you'll really have over users on your LAN.
- Does the system see all traffic after users are on the LAN, to control user access and protect against threats?
- Does the system make it easy to apply policies based on a user's identity and role in the organization?
- Can you set both universal and context-based controls, where one policy could span wired, wireless, VPN, or local connections and another could limit access from remote locations, for example?
- Can you control user access to servers and to applications without any other tools, such as VLANs/ACLs, and does the system enable Layer 7 identification of applications instead of just Layer 4?
- Does the system let you see and control application content, such as file names in Microsoft File Services (CIFS), FTP, or IM transactions or HTTP content such as URLs?
- Does the system provide control close to the user's point of entry on the LAN?
- Does the system protect against evasion by a user applying a static IP or MAC address?
Zero-day malware containment
If a virus outbreak or other malware compromises the availability of your LAN, your LAN security has failed you. Look for a solution that can complement the signature-based protection you've deployed on endpoints and at the LAN/WAN boundary. These questions highlight the capabilities you'll need to contain the spread of malware.
- Does the system provide a means for continuously detecting and blocking new, unknown attacks, without dependence on signatures and without hindering network performance?
- Can you decide whether to block just the infected application or everything coming from an infected user?
Protection of critical applications
Beyond protecting access to data, you need to ensure that applications such as voice are not disrupted by accidental or malicious attacks. Given the migration to IP-based services, and the vulnerabilities posed by exposing these systems to data-based attacks, ask these questions to broaden the security beyond user devices.
- Can the system extend beyond users to also protect vital services such as a voice over IP (VoIP) call manager?
- Does the system apply application-based policies to prevent non-user devices from being used for attacks, such as controlling that a printer can receive traffic only from a print server?
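The visibility, post-admission control, and critical-application questions above all describe the same underlying mechanism: tie every flow to an authenticated identity, evaluate it against role-, application-, and location-aware policies, and log the outcome with the user and policy named. The following is an added example, not ConSentry's code or any product's API, written to show how such a policy engine behaves, including a log-only mode for testing policies without impacting users, rejection of a flow whose IP/MAC pair no longer matches the binding recorded at admission, and a device policy that lets a printer accept traffic only from the print server. The SESSIONS table, the ROLE_OF lookup, the policy names, host names, and addresses are all constructed for the example; a real deployment would populate them from authentication and from Active Directory or LDAP.

```python
# Added example, not ConSentry's code. Constructed assumptions: SESSIONS is what
# admission-time authentication recorded, ROLE_OF stands in for an AD/LDAP group
# lookup, and each Flow arrives already labelled with its Layer 7 application.
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_mac: str
    dst: str          # destination server or device name
    app: str          # Layer 7 application label: "cifs", "http", "lpd", ...
    access: str       # point of entry: "wired", "wireless", "vpn"
    detail: str = ""  # application content, e.g. a CIFS file name or a URL

@dataclass(frozen=True)
class Policy:
    name: str
    action: str                     # "allow" or "deny"
    users: frozenset = frozenset()  # an empty set means "any"
    roles: frozenset = frozenset()
    apps: frozenset = frozenset()
    dsts: frozenset = frozenset()
    access: frozenset = frozenset()

    def matches(self, flow: Flow, user: str, role: str) -> bool:
        return ((not self.users or user in self.users)
                and (not self.roles or role in self.roles)
                and (not self.apps or flow.app in self.apps)
                and (not self.dsts or flow.dst in self.dsts)
                and (not self.access or flow.access in self.access))

@dataclass(frozen=True)
class Verdict:
    user: str
    role: str
    policy: str     # first matching policy name, or "default"
    action: str     # what that policy says
    enforced: bool  # False when log-only mode suppressed a deny

# Constructed session bindings recorded at admission: src_ip -> (user, mac)
SESSIONS = {
    "10.0.1.5": ("alice", "aa:aa:aa:00:00:01"),
    "10.0.1.9": ("bob", "bb:bb:bb:00:00:02"),
    "10.0.2.2": ("print-srv", "cc:cc:cc:00:00:03"),
}
ROLE_OF = {"alice": "finance", "bob": "contractor", "print-srv": "infra"}

# First match wins; anything unmatched is allowed by default.
POLICIES = [
    Policy("unauthenticated-deny", "deny", roles=frozenset({"unauthenticated"})),
    Policy("print-server-to-printer", "allow",
           users=frozenset({"print-srv"}), dsts=frozenset({"printer-3f"})),
    Policy("printer-only-from-print-server", "deny", dsts=frozenset({"printer-3f"})),
    Policy("contractors-no-finance", "deny",
           roles=frozenset({"contractor"}), dsts=frozenset({"finance-srv"})),
    Policy("no-cifs-over-vpn", "deny",
           apps=frozenset({"cifs"}), access=frozenset({"vpn"})),
]

def resolve_identity(flow: Flow) -> Tuple[str, str]:
    """Tie a flow to its authenticated user through the admission-time binding.
    An IP with no session, or whose MAC differs from the one seen at login
    (static IP or MAC changed after admission), is treated as unauthenticated."""
    bound = SESSIONS.get(flow.src_ip)
    if bound is None or bound[1] != flow.src_mac:
        return "unauthenticated", "unauthenticated"
    return bound[0], ROLE_OF.get(bound[0], "unknown")

def evaluate(flow: Flow, mode: str = "enforce") -> Verdict:
    """Evaluate one flow. In "log-only" mode a deny is recorded but not
    applied, so policies can be tested without impacting users."""
    user, role = resolve_identity(flow)
    for policy in POLICIES:
        if policy.matches(flow, user, role):
            enforced = policy.action == "allow" or mode == "enforce"
            return Verdict(user, role, policy.name, policy.action, enforced)
    return Verdict(user, role, "default", "allow", True)

def audit_line(flow: Flow, verdict: Verdict) -> str:
    """One audit record per flow, always naming the user and the policy hit."""
    result = verdict.action if verdict.enforced else f"would-{verdict.action}"
    line = (f"user={verdict.user} role={verdict.role} src={flow.src_ip} "
            f"dst={flow.dst} app={flow.app} access={flow.access} "
            f"policy={verdict.policy} result={result}")
    return line + (f" detail={flow.detail}" if flow.detail else "")

def run_sample(mode: str = "enforce") -> List[str]:
    """Constructed flows exercising each policy; returns the audit records."""
    flows = [
        Flow("10.0.1.5", "aa:aa:aa:00:00:01", "finance-srv", "cifs", "wired", "q3-forecast.xlsx"),
        Flow("10.0.1.9", "bb:bb:bb:00:00:02", "finance-srv", "http", "wired"),
        Flow("10.0.1.5", "aa:aa:aa:00:00:01", "finance-srv", "cifs", "vpn"),
        Flow("10.0.2.2", "cc:cc:cc:00:00:03", "printer-3f", "lpd", "wired"),
        Flow("10.0.1.9", "bb:bb:bb:00:00:02", "printer-3f", "lpd", "wired"),
        Flow("10.0.1.5", "bb:bb:bb:00:00:02", "finance-srv", "cifs", "wired"),  # MAC mismatch
    ]
    return [audit_line(f, evaluate(f, mode)) for f in flows]
```

Running `run_sample("log-only")` produces one record per constructed flow with `result=would-deny` for the flows a policy would block, which is the audit trail you would review before switching the same policy set to `"enforce"`. Every record carries the username and the policy that matched, so an investigator goes from a violation to the person and the rule in one step, and the sixth flow shows a host reusing alice's IP with a different MAC being treated as unauthenticated rather than inheriting her finance role.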
Wire-speed LAN performance
All the security in the world won't help you if you bog down the LAN, so this final question gets at performance. Without multi-gigabit throughput while policies are being enforced, the platform will slow your business down too much.
- Can the system provide full policy enforcement without slowing down your users?
Once you've used this checklist to ensure that the solutions you're considering will provide you the full scope of NAC and LAN security, you'll be better prepared to handle current and future security challenges.
Tom Barsi, president and CEO, ConSentry Networks