Guide to Network Access Control

How Does NAC Work Anyway?

It's simple: Who you are should govern what you're allowed to do on the network.

By Joel Snyder, Network World Test Alliance, Network World, 04/03/06

Generic network access control at its core is a simple concept: Who you are should govern what you're allowed to do on the network.

When all of the parts are in place, NAC will be a way to apply a policy for network access across LAN, wireless and VPN infrastructures. The access-control policy in NAC could range from simple, such as a go/no-go decision on network access or a choice of virtual LANs, or it could be as complex as a set of per-user firewall rules defining which parts of the network are accessible.

Within a NAC deployment, the IT manager uses three main elements to pick an access-control policy: authentication, endpoint-security assessment and network environmental information.

Authentication is the straightforward "Who are you?" transaction that users are accustomed to with other applications. As a concept, NAC doesn't have special requirements for authentication.

A good NAC deployment would use the same authentication system as other applications. For example, if you're applying NAC to a remote access IPSec VPN tunnel, you should use the same authentication to bring up the IPSec tunnel as you do to authenticate a user.

Endpoint security assessment is the most complex part of selecting a policy in NAC, but it's also the driving factor for deploying NAC in the first place.

The underlying idea is that the security posture of the connecting laptop, desktop or server should be a part of access control policies. For example, if a connecting system doesn't have the standard corporate anti-virus package, the user should get a different access control policy than if everything is installed and all the signatures are up-to-date. 

Network environmental information is a small but important part of selecting access policies in a NAC scheme. Environmental information might be circumstantial data about whether you're connecting via a wireless network or through a VPN, or whether you're in the building or in another country.

These circumstances play into the decision of what access control policy is assigned to the connecting system.

For example, if you're coming in on a VPN, you might not be able to get to as many parts of the network as if you were in the building.

NAC is a hot buzzword; therefore, this component-level definition of what NAC is won't map directly to all NAC products and architectures.

But most products being offered as part of an overall NAC strategy include at least some component, if not all, of this definition.

Mapping NAC terms across vendors
While we've pointed to the Trusted Computing Group's Trusted Network Connect architecture as the one to use to get a handle on NAC terminology in general, this chart shows how vendor-specific terms relate to each other.

  Trusted Computing Group Trusted Network Connect terminology (TNC) What is it? Cisco Network Admission Control terminology Microsoft Network Access Protection terminology Juniper Infranet terminology
Client-side components, collectively called the "Access Requestor" Integrity Measurement Collector Third-party software that runs on the client and collects information on security status and applications, such as is A/V enabled and up-to-date? Applications, through plug-ins to the Cisco Trust Agent, including Cisco's own Cisco Security Agent. System Health Agent uses its own API to communicate with Network Access Protection Agent. Supports third-party Integrity Measurement Collector, and you can use Juniper's Host Checker.
Trusted Network Connect Client "Middleware" that runs on the client and talks to the Integrity Measurement Collectors (IMC) collecting their data and passing it to Network Access Requestor. Cisco Trust Agent or, if none is there, Cisco Network Admission Control Agentless Host. Network Access Protection Agent uses its own API to communicate with Enforcement Client. Infranet Agent includes this function.
Network Access Requestor Client-side software that connects the client to the network. Typical examples might be 802.1X supplicant, IPSec VPN client, or (in Microsoft's NAP) DHCP client. Used to authenticate the user, but also as a conduit for IMC data to make it to the other side. Cisco Trust Agent incorporates the communications, with options for using integrated or standalone 802.1X supplicants. Enforcement Client Infranet Agent, using either Juniper's Enterprise Infranet Agent with their own framework or the Odyssey Agent which uses TCG protocols above.
Network-side components Policy Enforcement Point Component within the network that enforces policy, typically an 802.1X-capable switch or wireless LAN, VPN gateway or firewall. Network Access Device Enforcement Server Enterprise Infranet Enforcer
Network management components, collectively, the "Policy Decision Point" Integrity Measurement Verifier Third-party software that receives status information from Integrity Measurement Collectors on clients and validates the status information against stated network policy, returning a status to the TNC Server. Policy Decision Points also called the Policy Vendor Server. System Health Verifier API to Network Access Protection Administration Server below. No specific term but the function can occur directly on the Infranet Controller or can call out using the Host Check API.
Trusted Network Connect Server "Middleware" acting as an interface between multiple Integrity Measurement Verifiers (IMV) and the Network Access Authority. This function is incorporated into the Policy Server Decision Points. Network Access Protection Administration Server Part of Unified Access Control Policy incorporated into policy server, through Host Check Server Integration Interface, Host Check policies or through interfaces with TNC-TCG IMC/IMVs.
Network Access Authority A server responsible for validating authentication and posture information and passing policy information back to the Policy Enforcement Point. Access Control Server v4.0 Network Policy Server (replaces the Microsoft IAS RADIUS server) Enterprise Infranet Controller

Subscribe to the Business Brief Newsletter

Comments