Network Access Control

from Wikipedia, the free encyclopedia

Network Access Control (NAC; German: Netzwerkzugangskontrolle) is a technology that supports the defense against viruses, worms and unauthorized access originating from the network. With NAC, end devices are checked for compliance with policies during authentication. If, for example, the virus scanner is not up to date or the client operating system lacks the latest security patch, the end device concerned is placed in quarantine and supplied with current updates until it complies with the applicable security policies again. Initially, the functions required for this were distributed across network components such as routers and switches; all functions can also be bundled on hardened appliances.

Tasks

Core tasks are:

  1. Unambiguous identification and role assignment of users and devices
  2. Enforcement of the defined security policies
  3. Quarantine and automatic remediation of non-compliant end devices
  4. Administration and creation of individual policies and roles for different user groups

Requirements

Network Access Control essentially fulfills two requirements:

Firstly, a complete overview of which devices are in the (company) network and where they are connected. The type of end device, such as clients, printers, production systems, ATMs, medical devices, tablets, smartphones, refrigerators, coffee machines, etc., should make no difference. This overview prevents foreign or unknown systems from gaining access to the (company) internal network simply by using the WLAN or a free network socket. This means that only the organization's own, approved systems can be operated in the network.

The second requirement is a so-called compliance function. This checks whether the end devices that are already in the network comply with the company's security requirements or security policies. This usually concerns properties such as the presence and status of an anti-virus program or a desktop firewall. In addition, it is checked whether the latest Windows patches are installed, and sometimes there are even more extensive checks for patches for commonly exploited applications such as Firefox or Adobe products.

The aim is to operate only end devices within the network that meet all of these requirements and thus the security policies. If a system fails the check, appropriate countermeasures (quarantine and remediation by patching; reconfiguring the system) are initiated.

There are also differences in what is understood by the network access to be monitored (LAN, WLAN, WAN). There are various technical approaches and implementations, as well as both commercial and open source products, to meet this requirement.

History

In general, the control of network access has been discussed for as long as such access has existed. There have been approaches and products that were more or less successful. Heterogeneous network infrastructures, insufficient network coverage, high complexity and high costs are the most common reasons for failed approaches. Most companies still have no solution for this. In addition, there is no clear definition of the term "network access control", so the associated offerings also vary greatly. Other terms that have contributed to the confusion, since they basically concern the same topic, include "Network Admission Protocol" (NAP) and "Network Admission Control" (NAC).

Technologies

IP-based network scanning

With this technology, the network is scanned for the IP addresses in use by pinging the address ranges or reading the routers' ARP caches. End devices detected in this way are then usually identified more precisely by further scans in order to check whether they are known and approved devices.

If foreign devices are detected, their communication is disrupted by various techniques or, for example, redirected to a guest portal. In some cases, ARP spoofing is even used for this, which is actually more of an attack technique.

Traffic analysis using gateway appliances

For traffic analysis, various manufacturers have created appliances that inspect the network traffic inline and thus also see every device that is communicating in the network. Data packets from undesired systems can simply be "dropped", which means that intruders can no longer communicate unhindered in the network. The problem here is that these appliances have to be distributed throughout the network in order to cover every sub-area. This means that there must be a sensor in each subnet that monitors the traffic. This usually makes such projects very time-consuming, complex and, above all, very expensive, since, depending on the size of the company, a large number of devices have to be purchased. The inspection must of course take place in real time, otherwise a bottleneck is created that slows down communication in the network and thus disrupts daily work. Another weak point of this technology is that intruders who only listen, and therefore do not send any data packets, are not detected. Spying by simply eavesdropping remains possible without restriction.

However, even if corresponding appliances have been distributed everywhere, there are areas that cannot be covered. Devices attached to the same switch can usually communicate with one another without their traffic passing through a NAC appliance. This means that at least the direct neighbors can be attacked and exploited in order to penetrate the wider network from these devices.

Agent based

Here an agent is installed on all end devices; it ensures that the end devices can authenticate themselves against a central service in the network and that only the appropriately managed end devices can communicate with one another (in encrypted form). External systems cannot connect directly to the company's own devices. The big challenge with this approach, however, is to provide agents for the many different operating systems and thus to cover the entire network.

In addition to proprietary approaches, this category also includes the IEEE 802.1X standard, which among other things relies on agents (supplicants) already supplied with the operating system. Nevertheless, complete coverage of all network participants is usually not guaranteed; older end devices and switches in particular often do not support this function.

802.1X is described in detail in a separate article; for the sake of completeness, however, it should be mentioned here that it is a proactive approach. When a device is connected to a switch or access point, it must authenticate itself with a suitable identity (e.g. user name and password, or a certificate). The switch or access point in turn has the validity of the identity checked by a RADIUS server, which, in addition to an "Accept" or "Deny", can also return various other rules in its response, such as assigned VLANs or ACLs. The main complexity here is the administration of the RADIUS server and the identities.
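The exchange just described, as an added example that is not part of the original article and not the code of any particular RADIUS product: the switch (the 802.1X authenticator) wraps the supplicant's credentials in a RADIUS Access-Request, the server answers Access-Accept with the VLAN attributes from RFC 2868 (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) or Access-Reject, and the switch verifies the Response Authenticator from RFC 2865 before reconfiguring the port. The shared secret, the identity store and the VLAN numbers are constructed for the example; a real server reads identities from a directory or checks a certificate instead of a password.

```python
import hashlib
import hmac
import os
import struct

# Constructed shared secret and identity store for this example only.
SHARED_SECRET = b"constructed-secret"
IDENTITIES = {"alice": (b"s3cret", 20)}   # user -> (password, VLAN to assign)

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3                 # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2                                        # RFC 2865 attributes
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 attributes


def attr(atype, value):
    """Encode one attribute as Type, Length (header bytes included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    out = {}
    while len(data) >= 2:
        atype, alen = data[0], data[1]
        if alen < 2:
            break  # malformed attribute: stop rather than loop forever
        out[atype] = data[2:alen]
        data = data[alen:]
    return out


def xor_blocks(data, secret, request_auth, encrypt):
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, mask))
        out += result
        prev = result if encrypt else block  # chain on the ciphertext in both directions
    return out


def encode_password(password, secret, request_auth):
    padded = password + b"\x00" * ((-len(password) % 16) or 16)
    return xor_blocks(padded, secret, request_auth, encrypt=True)


def decode_password(encoded, secret, request_auth):
    return xor_blocks(encoded, secret, request_auth, encrypt=False).rstrip(b"\x00")


def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def vlan_attrs(vlan):
    tag = b"\x00"  # tag byte that ties the three tunnel attributes together
    return (attr(TUNNEL_TYPE, tag + (13).to_bytes(3, "big"))          # 13 = VLAN
            + attr(TUNNEL_MEDIUM_TYPE, tag + (6).to_bytes(3, "big"))  # 6 = IEEE 802
            + attr(TUNNEL_PRIVATE_GROUP_ID, tag + str(vlan).encode()))


def build_access_request(username, password, ident, request_auth, secret=SHARED_SECRET):
    """Switch / access point side: the supplicant's credentials wrapped in an Access-Request."""
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, encode_password(password.encode(), secret, request_auth)))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def radius_server(request, secret=SHARED_SECRET):
    """RADIUS side: check the identity, answer Access-Accept with a VLAN or Access-Reject."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = decode_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    stored = IDENTITIES.get(user)
    if stored is not None and hmac.compare_digest(password, stored[0]):
        code, reply_attrs = ACCESS_ACCEPT, vlan_attrs(stored[1])
    else:
        code, reply_attrs = ACCESS_REJECT, b""
    auth = response_authenticator(code, ident, request_auth, reply_attrs, secret)
    return packet(code, ident, auth, reply_attrs)


def switch_handle_response(response, request_auth, secret=SHARED_SECRET):
    """Switch side: verify the Response Authenticator before acting on the reply."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    reply_attrs = response[20:length]
    expected = response_authenticator(code, ident, request_auth, reply_attrs, secret)
    if not hmac.compare_digest(response[4:20], expected):
        return "drop"  # not produced with our shared secret: ignore the reply
    if code != ACCESS_ACCEPT:
        return "deny"
    group = parse_attrs(reply_attrs).get(TUNNEL_PRIVATE_GROUP_ID, b"\x00")[1:]  # skip the tag byte
    return "vlan " + group.decode()


def authenticate(username, password):
    """Run the full exchange for one port: Access-Request -> RADIUS -> port decision."""
    request_auth = os.urandom(16)
    request = build_access_request(username, password, 1, request_auth)
    return switch_handle_response(radius_server(request), request_auth)


if __name__ == "__main__":
    print(authenticate("alice", "s3cret"))  # known identity: port goes into VLAN 20
    print(authenticate("alice", "wrong"))   # wrong password: denied
```

The authenticator check on the switch side is the part most often left out of home-grown tooling: without it, any host that can reach the switch's RADIUS socket could answer Access-Accept, so the check is what makes the shared secret worth anything.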

Switch based

As a rule, the SNMP protocol is used for this; it offers the possibility of communicating with almost all switches, as almost every manufacturer of business switches supports this protocol. Depending on requirements, however, SSH or other (preferably encrypted) protocols can be used instead.

This communication can first be used to obtain a complete overview of the network, regardless of its size. Every device that is connected to a switch port and communicating is detected. As soon as a new device is connected, either the switch actively informs the NAC system via a trap, or the NAC system regularly polls the switch for the currently connected devices.

The devices are identified via their MAC address, which is why this approach is often also called "MAC-based NAC". By maintaining a whitelist, you can define which devices are permitted in the company network and which are not. A switch can receive a command from the NAC system and reconfigure a network port via the same communication path used for detection. So if a foreign or unwanted system is connected and recognized as such, the network port can, for example, be switched off automatically, and the device immediately loses its network connection, physically.

As this technology matures, more and more different options have been created in the switches that bring some advantages. Even in the smallest of networks, VLANs are already used today. The virtual networks offer a convenient way of segmenting the network regardless of the physical structure.

Since the VLANs are also configured on the switches, it is an obvious extension of Network Access Control not only to block network ports, but also to redirect them. External systems no longer have to be separated from the network completely, but can be switched into a separate guest area where, for example, only Internet access is offered.

The problem remains that a MAC address can be forged very easily. An intruder can choose any address, for example copy it from a printer and configure it on their own device, to gain network access.

For this reason, some professional solutions go a few steps further and compare many other system properties, such as the IP address, the host name, the operating system or open and closed IP ports. This means that an intruder not only has to forge the MAC address in order to gain access, but all the other properties as well. If some of the properties differ, the NAC system can raise an alarm accordingly.
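The switch-based decision logic described in the preceding paragraphs (whitelist of MAC addresses, port shutdown or guest-VLAN redirect for unknown devices, and a property comparison to catch a copied MAC address), as an added example that is not part of the original article and not the code of any NAC product. The whitelist, the VLAN numbers and the per-port observations are constructed; the `process_mac_table` input stands for what a trap or a periodic poll of the switch would yield.

```python
import re
from dataclasses import dataclass

GUEST_VLAN = 99  # constructed guest VLAN for unknown devices

# Constructed whitelist: each approved MAC with the VLAN it belongs in and the
# properties the NAC system expects to observe alongside it.
REGISTRY = {
    "00:11:22:33:44:55": {"vlan": 30, "ip": "10.0.30.7", "hostname": "prn-01",
                          "os": "embedded", "open_ports": {9100, 631}},
    "aa:bb:cc:dd:ee:01": {"vlan": 10, "ip": "10.0.10.21", "hostname": "ws-021",
                          "os": "windows", "open_ports": {135, 445}},
}


def normalize_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 and Cisco-style 0011.2233.4455."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Observed:
    """One row of the switch's port table, enriched by the NAC system's own scans."""
    port: str
    mac: str
    ip: str = ""
    hostname: str = ""
    os: str = ""
    open_ports: frozenset = frozenset()


def decide(obs, guest_vlan=GUEST_VLAN):
    """Return (action, vlan_or_None, reason) for one observed device.

    'shutdown' corresponds to setting the port's ifAdminStatus (IF-MIB) to down via
    SNMP; the object used to assign a VLAN is vendor-specific and not modelled here.
    """
    entry = REGISTRY.get(normalize_mac(obs.mac))
    if entry is None:
        if guest_vlan is None:
            return ("shutdown", None, "unknown MAC, no guest VLAN configured")
        return ("vlan", guest_vlan, "unknown MAC redirected to guest VLAN")
    # Known MAC: the remaining properties must match too, otherwise the address
    # may have been copied from the legitimate device.
    mismatches = [k for k in ("ip", "hostname", "os") if entry[k] != getattr(obs, k)]
    if entry["open_ports"] != set(obs.open_ports):
        mismatches.append("open_ports")
    if mismatches:
        return ("shutdown", None,
                "fingerprint mismatch (" + ", ".join(mismatches) + "): possible MAC spoofing, alarm raised")
    return ("vlan", entry["vlan"], "known device, VLAN configured automatically")


def process_mac_table(rows, guest_vlan=GUEST_VLAN):
    """Evaluate every port reported by a trap or poll; returns port -> decision."""
    return {obs.port: decide(obs, guest_vlan) for obs in rows}


# Constructed sample poll: the approved printer, an unknown laptop, and a device
# on another port that reuses the printer's MAC but looks like a Windows workstation.
SAMPLE_TABLE = [
    Observed("Gi1/0/3", "0011.2233.4455", "10.0.30.7", "prn-01", "embedded", frozenset({9100, 631})),
    Observed("Gi1/0/4", "de:ad:be:ef:00:01", "10.0.10.77", "laptop-x", "linux", frozenset({22})),
    Observed("Gi1/0/5", "00-11-22-33-44-55", "10.0.30.42", "DESKTOP-7", "windows", frozenset({135, 445})),
]

if __name__ == "__main__":
    for port, (action, vlan, reason) in process_mac_table(SAMPLE_TABLE).items():
        print(f"{port}: {action} {vlan or ''} ({reason})")
```

Which properties to compare is a tuning question: a host name or IP address may legitimately change for DHCP clients, so a production policy usually weights the properties rather than treating every difference as spoofing, and an alarm plus shutdown is reserved for the combination shown on the third port.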

In addition to the security aspect, comfortable management of the VLANs can also be established in this way, in that the VLAN belonging to the end device is always automatically configured for each port. As a result, every employee, no matter where they join, always has their familiar environment and the resources they need available.

Identities

Controlling network access is essentially a matter of determining and managing the identities of the network participants and granting or denying access accordingly. A distinction must be made between device identities and user identities, since network access control is device-oriented in the first step. Users are controlled within the network by other systems, such as the authorization system in Active Directory or other directory services.

Nevertheless, Active Directory or, more generally, LDAP services are also popular sources of identity that can be used for network access control. The following restrictions apply:

  • Considering only the devices from Active Directory is relatively simple and usually makes sense to simplify maintenance. It should be noted, however, that the definition of which AD device groups are to be placed in which network segment or VLAN must be well planned and structured so that changes on either side do not cause difficulties.
  • Considering only the users from AD is definitely not sufficient. With this method, every employee is able to bring any device along and operate it in the network; real network access control is no longer possible because unsecured devices can gain full access at any time.
  • Combining users and devices from AD to determine the specific access rights is usually not easy and creates a high level of complexity. If different access is actually to be granted to different users on the same end device, these rules must be planned and implemented carefully. Depending on the complexity of the requirements, this can mean considerable effort, which should be analyzed beforehand to determine whether it is expedient and/or necessary at all.
    • Active Directory itself controls exactly which employee has access to which servers and services in the company via the assigned authorizations. If a "normal" employee and later an IT administrator log on to one and the same device with their own user accounts, these accounts determine which access is allowed. Changing the network segment in which the end device is located is therefore only necessary if the systems required by the administrator cannot be reached from the current network segment. However, this situation usually only occurs in very large and extensively structured networks. In addition, the BSI generally recommends not carrying out any administrative tasks from a regular user system: malicious code already present could otherwise obtain administrative rights and cause considerable damage.
    • Consequently, in the vast majority of cases, authorizing the end devices is sufficient, or the rules can be reduced to a few very specific special cases.

In addition to Active Directory and LDAP directories, there are various other sources of identity, such as databases from help desk systems, CMDBs or mobile device management products. Basically, every directory with device identities can be used to simplify the introduction and maintenance of Network Access Control. The difference is that some "sources" can be queried live for authentication, while others can only be used to learn identities and must be synchronized with the NAC system for this purpose.

Temporary access for guests and other visitors

Since Network Access Control protects the network against access by "non-corporate devices", commercial NAC solutions are usually offered in conjunction with a guest portal. In this way, external devices and users can be given temporary access to defined resources; the corresponding identity is temporarily tolerated in the network. The technical implementation of such a portal is described in detail in the separate article "Captive Portal".

With ever more diverse mobile systems, more complex access requirements from employees and the growing need to give maintenance technicians dedicated network access, this need is growing.

Driven by the topic of "bring your own device", guest portals are being expanded in some cases to give employees the opportunity to register their own devices and then operate them in the company network.

Compliance

In connection with Network Access Control, compliance generally refers to IT compliance, where a distinction must be made between the goal and the requirements. In this context, it is of particular interest whether the end devices comply with the security policies and are "compliant" in this regard. The policies then primarily relate to security-relevant details such as the status of the antivirus program (version, active/inactive, age of the signatures), the status of the desktop firewall, the patch level (operating system, browser, plug-ins and other applications), the status of encryption, etc.

This status can be determined remotely or with agents. Remote scanning of end devices is mainly done via WMI, SNMP or Nmap. Browser-based queries via ActiveX or JavaScript are also possible. With the appropriate local rights, agents have the option of checking in significantly more depth rather than relying only on registry keys or APIs from other manufacturers. For example, file versions can be compared with target values using a hash value, instead of merely checking whether the installation of a patch was recorded in the registry while the installation actually failed.

In addition, there are different strategies with regard to the timing of the check. While an agent can check the status continuously and, for example, already knows the status of the end device before it connects to the network, agentless checks must be carried out at certain times, in certain situations and/or cyclically.

The safest option is to perform the check before admission to the network, but this is often difficult to implement in practice. The checks are therefore often carried out afterwards and, if necessary, lead to a reactive lockout of the system.
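An agent-style compliance check covering the points above (signature age, firewall, encryption, patch level verified by file hash rather than by registry entry) together with the pre-admission versus reactive handling of the result, as an added example that is not part of the original article and not the code of any NAC product. The policy, the patch id `PATCH-EXAMPLE-001`, the file path and the file contents are constructed placeholders; an agent would read the real values from the device.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date

TODAY = date(2024, 1, 10)  # fixed "now" so the example is deterministic


@dataclass
class DeviceStatus:
    """What an agent (or a remote WMI/SNMP scan) reports about one end device."""
    av_installed: bool
    av_active: bool
    av_signature_date: date
    firewall_enabled: bool
    disk_encrypted: bool
    installed_patches: set = field(default_factory=set)  # patch ids found in the registry / package database
    files: dict = field(default_factory=dict)            # path -> file contents read from disk (constructed here)


# Constructed policy; a real one carries the vendor's patch id and published file hash.
POLICY = {
    "max_signature_age_days": 3,
    "require_firewall": True,
    "require_disk_encryption": True,
    "required_patches": {
        "PATCH-EXAMPLE-001": {
            "file": "/opt/app/libcore.so",
            "sha256": hashlib.sha256(b"patched libcore v1.1").hexdigest(),
        },
    },
}


def evaluate(status, policy=POLICY, today=TODAY):
    """Return the list of policy violations; an empty list means the device is compliant."""
    violations = []
    if not status.av_installed:
        violations.append("antivirus not installed")
    elif not status.av_active:
        violations.append("antivirus inactive")
    else:
        age = (today - status.av_signature_date).days
        if age > policy["max_signature_age_days"]:
            violations.append(f"antivirus signatures are {age} days old (max {policy['max_signature_age_days']})")
    if policy["require_firewall"] and not status.firewall_enabled:
        violations.append("desktop firewall disabled")
    if policy["require_disk_encryption"] and not status.disk_encrypted:
        violations.append("disk encryption disabled")
    for patch_id, spec in policy["required_patches"].items():
        if patch_id not in status.installed_patches:
            violations.append(f"patch {patch_id} not installed")
            continue
        # The registry says the patch is installed; with local rights the agent can
        # verify the file itself instead of trusting that record.
        contents = status.files.get(spec["file"])
        actual = hashlib.sha256(contents).hexdigest() if contents is not None else None
        if actual != spec["sha256"]:
            violations.append(f"patch {patch_id} recorded as installed but {spec['file']} does not match the expected hash")
    return violations


def enforce(status, pre_admission, policy=POLICY, today=TODAY):
    """Map the result to the NAC action, which depends on when the check runs."""
    violations = evaluate(status, policy, today)
    if not violations:
        return "admit", violations
    return ("quarantine" if pre_admission else "reactive lockout"), violations


# Constructed sample devices.
COMPLIANT = DeviceStatus(True, True, date(2024, 1, 9), True, True,
                         {"PATCH-EXAMPLE-001"}, {"/opt/app/libcore.so": b"patched libcore v1.1"})
# Registry claims the patch is installed, but the file on disk is still the old version,
# and the antivirus signatures are three weeks old.
HALF_PATCHED = DeviceStatus(True, True, date(2023, 12, 20), True, True,
                            {"PATCH-EXAMPLE-001"}, {"/opt/app/libcore.so": b"libcore v1.0"})

if __name__ == "__main__":
    for name, device in (("compliant", COMPLIANT), ("half-patched", HALF_PATCHED)):
        action, problems = enforce(device, pre_admission=True)
        print(f"{name}: {action} {problems}")
```

The half-patched case is the one the paragraph above warns about: a registry-only check reports the device as patched, while the hash comparison shows the vulnerable file is still in place.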

In addition to the two variants described, some network access control solutions also offer the option of obtaining the compliance status of end devices from third-party products and processing it accordingly. For example, a Microsoft WSUS server can serve as a source of compliance information regarding the patch status, antivirus solutions can inform the NAC system about infected end devices, or SIEM solutions can instruct the NAC system to isolate affected end devices in the event of a threat.

Network access control is therefore of central importance in security strategies, since the available responses are highly effective and, with direct coupling of security systems, can be carried out extremely quickly.
