3 in a Series
If you’d like to implement Network Access Control, no matter what architecture you select, you definitely want to start by building a small interoperability lab. In this white paper, we’ll give you some advice on what to think about before you get started, and outline what resources you’ll need to have in place in order to begin testing. Any NAC deployment must start by answering three critical questions: 1) What is my access control policy? 2) What are the access methods (such as LAN, wireless, or VPN) I want to protect? 3) How will this integrate with my existing infrastructure? Once you answer these questions, you can begin to gather test lab resources, such as servers ...view middle of the document...
Instead, they tend to use very coarse control, such as a “go/no-go” decision (all access or no access) or one based on VLANs. With VLAN-based access controls---the most common strategy we saw in the iLabs product testing---the NAC product is not really providing full control, but defers to your existing infrastructure, such as firewalls sitting between VLANs, to limit access between networks. The idea here is that if someone is placed on the “remediation VLAN,” for example, there will be a firewall elsewhere on that VLAN which prohibits that user from wandering further into the network. While this very coarse control is not elegant, it is very common. You will probably find that casting your access control policy in these kinds of coarse terms will give you the greatest flexibility in choosing available products and in integrating them with your current architecture. In other words, don’t expect NAC products to provide full firewalling processes at the policy enforcement point (even if that’s what you want) until this market niche has matured significantly. If you do need that level of access control, as defined by your policy, be sure to define it early so you don’t go down a path of testing that won’t meet your needs.
What access methods do I want to protect?
When thinking about NAC, you need to qualify what kinds of access methods you want to protect. Most networks have three main access methods: (1) wired and wireless LANs IPsec; (2) SSL VPN remote access connections (e.g., a single user running an IPsec or SSL VPN client), and (3) VPN-connected branch offices (a special case of the wired/wireless LAN connection, but important enough and different enough from local LAN connectivity that you may want to give it special consideration).
Network Access Control Interoperability Lab Getting Started with Network Access Control Page 1 of 2 May, 2006
3 in a Series
Your NAC strategy may cover one, two, or all three of these access methods, but you should decide early which ones you care about and focus your testing on those. You should also think about whether you want a unified strategy (i.e., the same components are used, no matter what the access method) or whether you want to create your own silos based on different user communities or varying access methods. NAC became a very hot button several years ago as SSL VPN vendors realized the dangers of letting outside PCs have access to internal networks without knowing anything about the end-point security of those PCs. In the world of SSL VPN, this usually goes by the term “End Point Security,” or “Client Integrity,” but the concept is really just NAC, as applied to SSL VPNs. With SSL VPN vendors firmly footed on the NAC bandwagon, IPsec vendors have also been adding NAC features to their products. Sometimes, this means simply recasting existing capabilities with a new name to make them fit the new buzzwords, and in other cases, this meant adding entirely new features. The relative maturity...