Network Access Initiatives – The Candidates
While it is unanimously agreed that network access control is a problem, opinions differ about how to address it. Broadly speaking, the solutions are categorized as follows:
Posture checking: Solutions in this category aim to verify the posture, or state, of the host before allowing the appropriate level of access to the network. To verify posture, such systems typically verify user identity and the health of the machine (whether it is infected by a virus or other malware). Such systems may also check whether the host has current versions of anti-malware software (such as anti-virus software, host firewalls, etc.). There are a variety of solutions within this category that vary in the following ways:
- Number and types of items used to establish posture. A primary differentiator here is OS-based or “clientless” systems vs. those requiring the temporary or permanent installation of additional client software to assess posture.
- Method used to convey the posture from the client to the network
- Method used to “quarantine” or protect the network (and other hosts) from non-compliant hosts
In-line packet inspection: In this category, an in-line network device (usually a switch or an appliance) is used to inspect all traffic for known malware signatures and/or anomalies. Solutions within this category differ in the following ways:
- Position of the device or appliance that inspects the traffic
- Percentage of the total traffic that is inspected
- The inspection algorithms applied to relevant traffic
When examined more closely, it becomes clear that the approaches
can be complementary if implemented correctly. This paper will
attempt to clarify how the different approaches diverge and to
identify the simplest and most secure way to implement an effective
access control solution.
Posture-based Access Control
All solutions in this category are based on the concept that a host
must be checked for “posture” prior to gaining network access.
This process validates a host against an established corporate
policy to determine compliance. The result of the posture check
helps determine the level of network access permitted to the
host.
In reality, the above description is an over-simplification.
Defining the “posture” of a client is more complex and requires
user identity and the “health state” of the client. The exact
definition of “health state” varies in different environments.
The following are examples of some common attributes that make up the health state of a client:
- Anti-malware software installed and active on the client, and the version of this software is current
- Presence of any malware on the client
- Network interfaces enabled and/or active
Some of the solutions that fit into this category are Cisco NAC (both 802.1x-based and Cisco Clean Access-based), Microsoft NAP, and Juniper UAC (Unified Access Control). Solutions in this category differ in several important ways. For instance, each solution may be unique in the method it uses to:
- Authenticate the user
- Determine the posture of the client
- Convey the posture to a server that compares the client’s posture to configured policies
- Enforce access control depending on the result of the posture check
It’s useful to examine each initiative in more detail and compare them across the dimensions mentioned above. Major initiatives in this category include:
- Cisco Network Access Control
- Microsoft NAP
- Juniper UAC
Some initiatives are based on a combination of posture and user identity. These include:
- 802.1x-based solutions
- IPSec-based solutions
- “Clientless” solutions
The primary difference tends to be OS-based integration (“clientless”) vs. using a downloadable software client. While the process of establishing client posture is an important one, this is a natural area for OS and antivirus software vendors and is expected to mature quickly. A process that needs to be considered even more heavily is that of enforcing the authentication decision in a mobile network. Proper enforcement by the network is the difference between simple Posture-based Access Control and more flexible and secure Identity-based Access Control, where detailed client-based information such as user role and application usage is tightly coupled with posture results to determine appropriate access privileges.
Cisco Network Access Control
Cisco Network Access Control is a posture-based Access Control solution from Cisco that involves a variety of products and solutions. It should be noted that Cisco NAC is effectively a closed solution that may introduce interoperability issues with third-party software and networking equipment.
Cisco offers two solutions that are most pertinent to the discussion in this paper: an 802.1x-based solution and the Clean Access solution.
Cisco 802.1x Framework for Network Access Control
In this mode, the authentication mechanism is 802.1x. Because
authentication occurs at Layer 2, this approach is inherently more
secure than the web-based authentication used in Cisco Clean
Access. Since 802.1x already is widely used in wireless, it is
likely that this will become the more common of the two
solutions.
The main elements in this solution are:
- Cisco Trust Agent (CTA)
- 802.1x Supplicant
- 802.1x authenticator
- ACS Radius server
- Cisco Policy Server
- Third-party client software and Policy Servers (optional)
The sequence of events when the client attempts to access the
network is:
1. Since the port and client are both configured for 802.1x
authentication, the port is logically “shut down” until the
client successfully authenticates.
2. The Cisco Trust Agent collects all health information from the Cisco Security Agent and/or the various third-party plug-ins such as anti-virus software (McAfee, Symantec, etc.).
3. Using the Extensible Authentication Protocol (EAP) exchange
during 802.1x, the CTA provides this information to the Cisco
Access Control Server (ACS).
4. Cisco ACS passes this information to the Cisco Policy Server
which, in turn, passes information to third-party policy servers
when needed.
5. Depending on the result of the evaluation by the Cisco Policy Server (and the third-party policy servers), the Cisco ACS either returns a Radius Accept with the default VLAN or returns a Radius Accept with a quarantine VLAN. This can be achieved through the use of any of the standard Radius attributes.
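To make step 5 concrete, the following Python sketch is an added example (not code from the white paper or from Cisco): it evaluates a constructed health-state posture against a policy and encodes the resulting default-or-quarantine VLAN decision as the standard tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, RFC 2868) that a Radius Accept would carry, then parses them back the way a switch would. The policy thresholds, VLAN numbers and posture fields are assumptions for illustration; the same Tunnel-Private-Group-ID string can carry a role name instead of a VLAN number.

```python
# Added example (not from the white paper): posture result -> RADIUS Access-Accept VLAN attributes; policy values and posture fields are constructed.
from dataclasses import dataclass

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 attribute numbers
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6                       # "VLAN" and "IEEE 802" values

@dataclass
class Posture:  # health-state attributes collected on the client
    av_installed: bool
    av_active: bool
    av_signature_version: str
    malware_found: bool

@dataclass
class Policy:   # assumed corporate policy
    min_av_version: str
    default_vlan: int = 100
    quarantine_vlan: int = 999

_version = lambda v: tuple(int(part) for part in v.split("."))  # "5.2.0" -> (5, 2, 0)

def evaluate(posture: Posture, policy: Policy) -> list:  # failed checks; [] means compliant
    failures = []
    if not (posture.av_installed and posture.av_active):
        failures.append("anti-malware not installed or not active")
    elif _version(posture.av_signature_version) < _version(policy.min_av_version):
        failures.append("anti-malware signatures out of date")
    if posture.malware_found:
        failures.append("malware detected on host")
    return failures

def tunnel_attr(attr_type: int, value: bytes, tag: int = 1) -> bytes:  # type|length|tag|value
    body = bytes([tag]) + value
    return bytes([attr_type, 2 + len(body)]) + body

def build_accept_attrs(posture: Posture, policy: Policy) -> bytes:
    # Default VLAN for a compliant host, quarantine VLAN otherwise, as the ACS would return.
    vlan = policy.quarantine_vlan if evaluate(posture, policy) else policy.default_vlan
    return (tunnel_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + tunnel_attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode()))

def parse_attrs(data: bytes) -> dict:  # walk the TLVs as the authenticator would
    attrs, i = {}, 0
    while i < len(data):
        if i + 1 >= len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def assigned_vlan(data: bytes) -> int:  # VLAN to apply, after checking companion attributes
    attrs = parse_attrs(data)
    if (attrs[TUNNEL_TYPE][1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big")
            or attrs[TUNNEL_MEDIUM_TYPE][1:] != TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")):
        raise ValueError("tunnel attributes do not describe an IEEE 802 VLAN")
    group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    if group[0] <= 0x1F:  # leading byte is a tag, not part of the group string
        group = group[1:]
    return int(group.decode())
```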
It should be noted that more secure enforcement alternatives exist when using a wireless overlay from Aruba Networks, a WLAN and wireless security vendor. When 802.1x-based network access control is used with the network access control capabilities of Aruba Networks, the procedure outlined above can be modified based on the more flexible and secure concept of user roles. As an example, the Radius attribute “Tunnel-Pvt-Group-Id” can be used to return the user role – quarantine or employee.
Cisco Clean Access
Cisco Clean Access is the solution that Cisco acquired from Perfigo
in 2004. This solution uses a dedicated appliance to provide the
capability to authenticate users by utilizing a web browser
(similar to the many vendors’ captive portal solutions) to
evaluate host compliance with security policies and regulate access
to the network for the hosts accordingly. There are three main
components to this solution:
1. Cisco Clean Access Server (CAS): This is the appliance that acts
as the authenticator using the browser-based authentication
mechanism.
2. Cisco Clean Access Agent (CAA): This agent is downloaded to the
client machine attempting to access the network to evaluate the
health and integrity of the host.
3. Cisco Clean Access Manager (CAM): This is the out-of-band
management server where security policies are configured.
There are two deployment modes for Cisco Clean Access: in-band and out-of-band. The in-band deployment has the following process flow:
1. Client attempts to access the network
2. CAS detects that the MAC address is not in the “approved” list
3. CAS redirects the HTTP request to a login page (similar to a captive portal)
4. Employee enters credentials; CAS authenticates the user through the authentication server
5. Once the CAS identifies the user as an “employee,” the employee is forced to download the CAA
6. CAA evaluates the posture of the host and forwards the result to the CAS
7. CAS forwards the report to the CAM. If the CAM reports that the client is not in compliance, the CAS places the user in a quarantine VLAN/subnet.
8. The CAS sends the remediation steps to the CAA.
Since this deployment places no non-standard support requirements on the network infrastructure and is vendor-agnostic, this mode is supported on most network infrastructures, including an Aruba mobile network. Note that this is also the only mode supported on the Cisco wireless infrastructure.
The out-of-band deployment model requires support for communication between the switch and the Cisco CAM. This is supported only on selected Cisco wired switches. The current documented list is: Cisco Catalyst 2950, 3550, 3560, 3750, 4500, and 6500 switches.
Microsoft NAP
Microsoft has launched the Network Access Protection (NAP)
initiative with the Vista and Longhorn versions of the company’s
Windows operating system for hosts and servers, respectively. As
the developer of the client OS, Microsoft is in a very good
position to develop a strong posture-based solution. While the
basic concept of NAP is similar to the Cisco NAC initiative, the
approach and the underlying technologies are significantly
different.
The Microsoft NAP initiative is an open solution, comprised of techniques based on 802.1x, IPSec and Dynamic Host Configuration Protocol (DHCP). NAP is based on a framework that will accommodate additional enforcement options as well.
802.1x-based Approach
This approach is similar to that used in the Cisco 802.1x-based
framework. The fundamental difference between the two solutions
relates to the endpoint software. With Microsoft, the endpoint
software is inherently coupled with the operating system and
therefore does not require the installation and management of an
additional piece of software such as the Cisco Trust Agent. This
approach provides a significant capital and operational cost
advantage for Microsoft customers who are looking to create an
802.1x-based framework for Network Access Control.
The main components in the 802.1x-based Microsoft NAP approach
are:
1. 802.1x supplicant + Posture Validating software (included in the Windows Vista client)
2. Network switches supporting 802.1x
3. Microsoft NPS (Network Policy Server)
4. Third-party Health Servers (optional)
IPSec-based Approach
In the IPSec-based approach, the network is split into three zones:
secure, boundary and restricted. By default, a computer is in the
restricted zone. On entering the network, the computer sets up an
HTTPS channel with the Health Certificate Server (HCS) and uses
this channel to convey its user credentials and posture (called
Statements of Health) to the HCS which, in turn, passes these to
the Radius server and the Policy Server, respectively. If the
result of these checks is a success, the computer obtains a Health
Certificate. This certificate is used to authenticate the computer
when initiating communication with devices/computers in the secure
zone. If the checks fail, the computer is placed in the Restricted
Network.
The boundary network typically consists of remediation servers. Computers that are in the restricted network can access these servers without requiring a certificate – a capability that is usually used to download software/patches that bring the client into compliance with policies. This approach is represented in a logical diagram below.
DHCP-based Approach
The DHCP approach uses the same basic concepts as the 802.1x
approach. It is primarily implemented in circumstances where using
802.1x is not feasible. That situation typically occurs when 802.1x
is not supported at the network switch or because it is too costly
to upgrade to 802.1x across the network. While EAP is the protocol
used to convey the health of the device in an 802.1x-based
approach, this approach uses DHCP to convey that information.
Juniper UAC
Juniper’s Unified Access Control (UAC) solution is based on the Trusted Computing Group (TCG) Trusted Network Connect (TNC) architecture. TCG intends to create a standards-based set of APIs for NAC components. While most NAC solutions loosely follow the TCG model, Juniper has taken a more active role in adopting and promoting it. The basic model is similar to the others in that there is posture assessment, using Integrity Measurement Collectors (IMCs), which provide health-related information to a server that evaluates this data using Integrity Measurement Verifiers (IMVs), which in turn determine how policy enforcement is carried out. One of the primary issues with TCG-TNC today is industry adoption. Almost no one else has demonstrated conformance with the standard, making market acceptance a risky uphill battle.
In-Line Traffic Inspection Approaches
A fundamentally different approach to protecting the network from
malware is to use network elements (usually switches and network
appliances) to inspect traffic to detect anomalies and signatures.
Because the two approaches differ in their technique, they will
often be deployed in parallel to ensure the ongoing health and
security of a network.
The different methods used to detect malware usually fall into one of two categories: signature detection and anomaly detection. Signature detection will detect known attacks by looking at network traffic for established patterns. The obvious flaw in this approach is the inability to detect new (“Day Zero”) attacks or attacks that self-modify as they propagate. Anomaly detection should be used in addition to signature detection to recognize attacks that don’t have an existing signature. Anomaly detection looks for deviations from baseline network behavior and intelligently predicts which deviations are attacks requiring mitigation.
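To make the distinction concrete, here is an added Python example (not from the white paper or from any vendor named in it) that runs a signature matcher and a baseline fan-out anomaly detector over constructed flow records: a known pattern is caught by the signature list, while a self-modified variant is missed by it and caught only because the sending host’s behaviour deviates from baseline. The addresses, payload strings and the three-standard-deviation threshold are assumptions for illustration.

```python
# Added example (not from the white paper): signature matching beside fan-out anomaly detection
# over constructed flow records (src, dst, dport, first payload bytes); all values are made up.
from collections import defaultdict
from statistics import mean, pstdev

SIGNATURES = {b"WORM-V1-HELLO": "worm-v1"}  # constructed signature database: pattern -> name

def signature_hits(flows: list) -> list:  # (src, name) for every flow matching a known pattern
    hits = []
    for src, _dst, _dport, payload in flows:
        for pattern, name in SIGNATURES.items():
            if pattern in payload:
                hits.append((src, name))
    return hits

def fan_out(flows: list) -> dict:  # distinct (dst, dport) pairs contacted per source host
    targets = defaultdict(set)
    for src, dst, dport, _payload in flows:
        targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items()}

class FanOutBaseline:
    """Anomaly detector: learn normal per-host fan-out, then flag hosts beyond mean + k*stdev."""
    def __init__(self, baseline_flows: list, k: float = 3.0):
        counts = list(fan_out(baseline_flows).values())
        self.mu, self.sigma, self.k = mean(counts), pstdev(counts), k
    def threshold(self) -> float:
        return self.mu + self.k * max(self.sigma, 1.0)  # floor avoids a zero-variance baseline
    def anomalies(self, flows: list) -> list:
        return sorted(src for src, n in fan_out(flows).items() if n > self.threshold())

def classify(flows: list, baseline: FanOutBaseline) -> dict:
    """Combine both detectors: host -> reasons; anomaly catches what the signature list misses."""
    reasons = defaultdict(list)
    for src, name in signature_hits(flows):
        reasons[src].append("signature:" + name)
    for src in baseline.anomalies(flows):
        reasons[src].append("anomaly:fan-out")
    return dict(reasons)

def make_baseline() -> list:  # constructed quiet period: each host talks to 2-4 services
    flows = []
    for host, n in enumerate([3, 2, 4, 3, 3], start=1):
        for j in range(1, n + 1):
            flows.append((f"10.0.0.{host}", f"10.0.1.{j}", 443, b"GET / HTTP/1.1"))
    return flows

def make_window() -> list:  # constructed observation window
    flows = [("10.0.0.1", "10.0.1.1", 443, b"GET / HTTP/1.1"),
             ("10.0.0.1", "10.0.1.9", 445, b"WORM-V1-HELLO")]  # known pattern: signature hit
    # A self-modified variant changes its payload, so the signature misses it,
    # but the host's sudden fan-out to 30 peers deviates from baseline behaviour.
    flows += [("10.0.0.7", f"10.0.2.{j}", 445, b"WORM-V2-HELLO") for j in range(1, 31)]
    return flows
```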
One of the major disadvantages of in-line traffic inspection is
that the device inspecting the traffic can be the bottleneck and
therefore fail to meet the performance requirements of network
applications. Different deployment models have been proposed to
overcome this problem. The most common workaround is to move the
inspecting device out of the data path by re-directing traffic from
a switch using port mirroring capabilities or by configuring a
device to do policy-based routing of specific “vulnerable”
applications to the inspecting device.
Among the vendors providing a solution in this category are
Consentry and FireEye.
Establishing Identity-based Access Control
As discussed above, there are a variety of solutions for providing
Posture-based Access Control; however, one requirement that remains
consistently important across all solutions is to deploy a
sophisticated enforcement technique that supports Identity-based
Access Control. In order to achieve this, a good enforcement
technique should have the following characteristics:
1. Close proximity to the edge of the network. This is required for enforcement to be truly effective.
2. Firewall role-based enforcement. VLANs should not be used as a security mechanism and should not be the sole mechanism for protecting networks.
3. Simple to manage. Any solution that increases the operational expenses of the network effectively becomes an un-deployable solution.
The best enforcement solutions are characterized by uniform
policy-based access control across all entry points on a network.
Policy enforcement should not be based on a static point of entry.
The network elements that best satisfy these requirements typically integrate authentication and firewall functionality. That approach helps ensure that the network element can enforce the policy based on both the user credential and the health state/posture of the client.
The Power of Identity-based Security in Mobile Networks
An interesting trend in enterprise networks is the consolidation of
requirements for mobility and security. While the growth of
wireless and remote access technologies is driving the requirement
for greater mobility, the same technologies also are triggering a
surge in the number of network vulnerabilities. This situation
forces network designers and administrators to consider mobility
and security requirements together, rather than treating them separately. This has created the need to establish an overlay architecture that enables mobility over existing network infrastructures. An overlay infrastructure provides a framework to support any of the network access control solutions outlined in this white paper, including posture-based solutions and solutions based on in-line packet inspection. Solutions such as the Aruba Networks Mobile Edge provide an integrated user-based stateful firewall that ensures flexible and secure enforcement of NAC policies.
An effective mobility overlay solution should have the following characteristics:
- Role- and user-based policy enforcement capabilities on the mobile edge of the network
- The ability to interoperate with any of the network access control solutions outlined in this white paper
- Centralized management and troubleshooting capabilities to provide a reasonable operational expense model
- The ability to differentiate between classes of users (such as employee, guest, quarantined, infected, etc.), rather than depending on VLANs for security
Figure 4 illustrates the various points of entry (and therefore the
required points of enforcement) in a mobile network. This is, in
fact, a simplified version of what exists in most large-scale
enterprise networks. Such networks are comprised of multiple WLAN
mobility controllers located on a single campus and sometimes also
in branch offices, which are usually managed separately. Typically,
such networks also have individually managed firewalls at each
location and a large number of access switches. The cost of
managing and updating security policy across all these access
mechanisms is a major barrier to the implementation of most of the
access control techniques discussed previously in this white paper.
There is a much better way to implement mobility with NAC.
Conclusion
Network access control initiatives are a necessity for enterprise networks today to ensure that infected devices don’t gain access to healthy networks. A variety of solutions are available, the best of which use a combination of tactics to provide defense-in-depth to the network. OS and antivirus vendors are likely to be the natural choice for determining posture, not networking vendors. However, to achieve secure Identity-based Access Control in mobile networks, the enforcement technique provided by the networking vendor is arguably just as important as the posture evaluation technique.
When designing a network access control initiative, it is important
to consider interoperability with network infrastructure and
mobility solutions. NAC initiatives place critical requirements on
the devices that constitute the mobile edge, and the mobile
infrastructure’s ability to support these requirements directly
determines a NAC solution’s effectiveness. Even a complete NAC
solution based on the ideal combination of components can be
undermined if the mobility infrastructure uses an unsophisticated
enforcement solution.
As it relates to mobile networks, a NAC implementation is typically
best deployed as a non-disruptive solution that creates a mobility
overlay on the existing wired infrastructure. This solution is
especially compelling as it provides powerful global policy
enforcement with centralized management.