NAC Now and Future Proof for Tomorrow
This chapter covers the following topics:
- Policing your information highway
- Begin by laying the framework
- Value is in the NAC partners
- Examples of admission control uses
Initial Network Admission Control (NAC) Framework implementations typically consist of partner NAC-enabled software working with Cisco network infrastructure to limit security threats, such as worms and viruses, by validating host credentials and enforcing compliance. Among the features the NAC Framework provides is the ability to include the identity of both the user and the host computer in the NAC enforcement decision.
This chapter describes additional capabilities that businesses can include with their future admission policies, requiring the network infrastructure to do the following:
- Use learned information about a host computer or user, or about where the computer or user resides on the network to determine rights and privileges that dictate resource authorization or access to certain data applications
- Detect company assets and enforce asset management policies by user or role
- Enforce regulatory compliance to protect client privacy and reduce the opportunity for leakage of business-sensitive data
- Automatically remediate noncompliant hosts and self-heal infected hosts
Policing Your Information Highway
Use NAC to police your information highway. NAC is analogous to a policeman who protects and enforces a variety of rules that users must abide by to have the privilege of traversing your information highway.
The traffic policeman’s role and tools have evolved over time. In the early days of the automobile, policemen had fewer rules to enforce and fewer tools for determining compliance with them. As automobile adoption increased, more rules and requirements were created to validate a minimum skill set for drivers as well as minimum standards for the automobiles using the roads. Similarly, most businesses start their NAC deployments with minimum compliance enforcement and identity verification.
Compare the evolution of the modern traffic policeman’s role and tools to NAC’s protection and enforcement characteristics (noted in parentheses):
- Registration of the vehicle (host identity) by way of a vehicle identification number, or VIN (host serial number); the automobile license plate linked to the VIN (MAC address); and an annual registration sticker identifying the tax paid for the privilege of driving the vehicle (accounting, to bill and to track who did what, where, and for how long).
- Vehicle inspection tag (host posture) that expires annually (host posture revalidation timer) to verify that the vehicle meets minimum standards to drive on the roads.
- Driver’s license (user identity) that identifies that the driver has passed minimum driving skills. Sometimes a vehicle class (role or class of service) is assigned to indicate what type of vehicle a person can drive and to identify extra privileges. Physical characteristics are provided that identify the driver (user login) along with the expiration of the license (user identity revalidation timer).
- Police monitor the highway to ensure that drivers abide by road rules and do not exceed the maximum speed (posture compliance policy). Location can dictate a different set of rules (remote access versus LAN policy).
- When a violation occurs, the policeman assesses many criteria (credentials and policy). Besides the initial violation, he usually checks other databases, such as outstanding arrest warrants, to determine compliance with other policies (external policy servers) before deciding on his action. For a minor violation, the driver might be warned but allowed to resume her journey without receiving a ticket (user notification stating out of compliance, but network access allowed for now). Or, the policeman could determine that a more egregious violation occurred, such as driving under the influence, or worse, a serious auto accident. The policeman can issue one ticket per violation (an application posture token for each posture credential).
- A driver might be required to appear in court (URL redirect) before a judge (policy server). The judge reviews the violations (application posture tokens) and sentences the driver based on the most severe violation (system posture token). In a simple case, the judge can issue a warning, fine, community service, or a temporary jail term (remediation in an attempt to make compliant). In severe cases, the judge can seize the driver’s license, revoking her privilege to drive (no network access).
- The policeman (network access device [NAD]) enforces the judgment on the driver. The driver now has a record in a violation database; other police officers have access to the driver’s history of violations (behavior trend).
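The decision chain in the analogy (a token per credential, the most severe token becoming the system posture token, and the policy server turning that into an enforcement the NAD applies) is small enough to model in code. The following is an added illustration, not code from the book or from Cisco's implementation. The six token names are the NAC Framework's own; the credential fields, the thresholds, the stricter remote-access rule, the revalidation timers and the remediation URL are assumptions made for the example.

```python
# Added example, not the book's or Cisco's code. Token names are the NAC
# Framework's; thresholds, the remote-access rule, timers and the
# remediation URL are assumptions for illustration.
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Token(IntEnum):
    """Posture tokens ordered least to most severe, so max() picks the worst."""
    HEALTHY = 0
    CHECKUP = 1
    TRANSITION = 2
    QUARANTINE = 3
    INFECTED = 4
    UNKNOWN = 5


@dataclass
class Credential:
    """Constructed shape of what a posture agent reports for one application."""
    app: str
    responded: bool = True            # False: no answer for this credential
    running: bool = True
    signature_age_days: int = 0       # age of antivirus definitions
    missing_critical_patches: int = 0
    infected: bool = False


def application_token(c: Credential) -> Token:
    """One application posture token per credential (one ticket per violation).
    Thresholds are assumptions."""
    if not c.responded:
        return Token.UNKNOWN
    if c.infected:
        return Token.INFECTED
    if not c.running or c.signature_age_days > 30 or c.missing_critical_patches > 3:
        return Token.QUARANTINE
    if c.signature_age_days > 7 or c.missing_critical_patches > 0:
        return Token.CHECKUP
    return Token.HEALTHY


def system_token(app_tokens: dict, remote: bool) -> Token:
    """System posture token = most severe application token. Assumed location
    rule: a remote-access host that only needs a checkup is still quarantined,
    since the LAN's compensating controls are not available to it."""
    worst = max(app_tokens.values(), default=Token.UNKNOWN)
    if remote and worst == Token.CHECKUP:
        return Token.QUARANTINE
    return worst


@dataclass
class Decision:
    system: Token
    action: str                      # what the NAD enforces
    notify_user: bool
    url_redirect: Optional[str]      # the "appear in court" step
    revalidate_after_min: int        # host posture revalidation timer


REMEDIATION_URL = "https://remediation.example.invalid/"   # hypothetical portal

# Assumed enforcement table (the judge's sentence per system token):
# action, notify user, URL redirect, revalidation timer in minutes.
ENFORCEMENT = {
    Token.HEALTHY:    ("permit", False, None, 24 * 60),
    Token.CHECKUP:    ("permit", True, None, 60),
    Token.TRANSITION: ("permit-remediation-only", True, None, 5),
    Token.QUARANTINE: ("permit-remediation-only", True, REMEDIATION_URL, 5),
    Token.INFECTED:   ("deny", True, None, 0),
}


def admit(credentials: list, remote: bool) -> Decision:
    """Evaluate every credential and return the enforcement the NAD applies."""
    app_tokens = {c.app: application_token(c) for c in credentials}
    sys_tok = system_token(app_tokens, remote)
    if sys_tok == Token.UNKNOWN:
        # No credential answer: on the LAN, redirect the host to fetch the agent
        # and remediate; over remote access, deny until it can be assessed.
        if remote:
            return Decision(sys_tok, "deny", True, None, 0)
        return Decision(sys_tok, "permit-remediation-only", True, REMEDIATION_URL, 5)
    action, notify, url, timer = ENFORCEMENT[sys_tok]
    return Decision(sys_tok, action, notify, url, timer)


if __name__ == "__main__":
    # Constructed sample hosts: (credentials, connected via remote access?)
    hosts = {
        "lan-clean":    ([Credential("antivirus", signature_age_days=2),
                          Credential("os-patches")], False),
        "vpn-stale-av": ([Credential("antivirus", signature_age_days=10),
                          Credential("os-patches")], True),
        "lan-no-agent": ([Credential("antivirus", responded=False)], False),
    }
    for name, (creds, remote) in hosts.items():
        d = admit(creds, remote)
        print(f"{name:13} {d.system.name:10} {d.action:24} redirect={d.url_redirect}")
```

Note that the same stale antivirus signature yields a notification on the LAN but a quarantine with URL redirect over remote access; that is the "location can dictate a different set of rules" point, and an empty or silent credential set falls to UNKNOWN rather than to HEALTHY, which is the fail-closed default a practitioner should insist on.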
Use NAC today to start policing your information highway. Start with a simple implementation, such as enforcing PC software compliance and validating user authentication. Over time, extend NAC’s capability by adding more identity functionality to provide secure access to the ever-growing set of applications and system resources.