Features

December 2008


Network Security

How to keep endpoints honest

NAC combined with IDS/IPS examines pre- and post-connect behavior to protect the network from noncompliant devices.

by Alan Shimel

The fundamental premise behind network access control (NAC) - the network must be protected from dangers introduced by endpoints - is well accepted and understood. With NAC, the health of an endpoint is assessed as its user attempts to log on to the network, and access is denied unless the endpoint tests compliant with established policy. In this way, noncompliant machines are prohibited from connecting and, therefore, cannot cause harm.

Pre-connect testing alone, however, is not enough. An endpoint that passed its admission check can still be operated by an untrusted user, become compromised after it connects, or reach network resources it is not authorized to use. To keep the network secure, the NAC system should also be able to identify such noncompliant post-connect behavior and take action to isolate the offending device. Complete network access control should therefore include: pre-connect testing, post-connect monitoring, identity-based management controls and remediation of noncompliant machines.

Post-connect monitoring, when properly implemented, provides real-time defense against dangerous endpoint behavior. An active way to monitor post-connect behavior is to integrate a signature-based intrusion-detection/intrusion-prevention technology (IDS/IPS) with the NAC.

Traditionally, IDS/IPS functions as a perimeter defense that guards against incoming attacks. Signature-based IDS/IPS systems examine every packet moving across the monitored network segments and compare it against a large and ever-growing library of attack signatures. They are commonly placed inside the DMZ, behind the primary firewall, on segments connecting to partner networks and branch offices, and at other choke points where it is imperative that attacks do not gain entry.

Configured for detection, the system raises an alert on a signature match so that administrators can evaluate the level of danger and, if warranted, add firewall rules to block the source. Configured for prevention, it stops the attack itself, either by terminating the attack stream immediately or by inserting the blocking rule into the firewall automatically. The difference lies in where the sensor sits. In an IDS deployment the sensor is out of band, fed a copy of the traffic from a tap or switch mirror port, so it can observe and alert but never drop a packet. In an IPS deployment the sensor is inline, in the data path, so it can block; the trade-off is that an inline sensor adds latency and becomes a point of failure, which is why inline deployments usually rely on a fail-open or fail-closed bypass decision made deliberately in advance.

Although IDS/IPS has traditionally served as a perimeter defense, it is suited to serve as a post-connect NAC sensor, monitoring traffic that originates from inside the network. IDS/IPS products that have multi-segment capabilities, where a single sensor can monitor traffic on multiple network segments, can do double duty, serving in both the traditional perimeter defense role and post-connect NAC sensor.

NAC solutions have the ability to enforce security policy by restricting the network access of noncompliant devices, and typically offer a range of enforcement options, from full quarantine, to Internet-only access for self-remediation, to limiting access to select portions of the network. The level of enforcement can be driven by a number of considerations, such as the type of device that is noncompliant (e.g., Mac, Windows, IP phone), the category of user (e.g., in-house, guest, remote, wireless), and/or the severity of the policy violation.

Integrating an IDS/IPS into the NAC implementation expands enforcement options, especially when deployed as an IPS. The system’s ability to block or drop bad traffic adds to the NAC system’s access-restricting enforcement capabilities.

Consider, for example, a student on a university network who tests compliant, gains access and then begins downloading pirated music - a clear violation of policy for which the school could be held liable. The IPS recognizes the traffic as a high-risk P2P protocol and automatically terminates the stream for a predefined period of time.

The IPS also sends a notification to the NAC system, conveying the pertinent information - the IP address of the offending device, the nature of the violation and the destination IP. The NAC system can then restrict that device’s access, allowing it to connect to on-campus services and resources so the student may complete class work, but prohibit general Internet access where further copyright violations might occur.
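The two halves of this design, a signature-based sensor that either alerts (out of band) or drops (inline), and a NAC policy engine that turns the sensor's notification into an enforcement tier chosen by severity, user category and destination, as one added example. This is illustrative code written for this page, not code from the article, from StillSecure or from any IDS/IPS product. The BitTorrent handshake prefix is the protocol's real one; the other signature, the packets, the IP addresses, the 10.0.0.0/8 campus range, the user and device labels and the enforcement tiers are all constructed assumptions.

```python
"""Added example (not from the article or from StillSecure): a toy
signature sensor feeding post-connect events into a toy NAC policy
engine.  Apart from the real BitTorrent handshake prefix, the signatures,
packets, addresses, campus range and enforcement tiers are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional


# ---- Signature-based IDS/IPS -------------------------------------------
@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes      # byte pattern searched for in the payload
    severity: str       # "low" | "medium" | "high"


# Constructed library.  A BitTorrent peer handshake really begins with
# 0x13 "BitTorrent protocol"; the traversal pattern is a simplified stand-in.
SIGNATURES = [
    Signature("p2p-bittorrent-handshake", rb"^\x13BitTorrent protocol", "medium"),
    Signature("web-directory-traversal", rb"\.\./\.\./", "high"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


@dataclass(frozen=True)
class Alert:
    """What the sensor hands to the NAC: who, what, and where to."""
    signature: str
    severity: str
    src: str
    dst: str
    blocked: bool       # True only when the sensor sat inline (IPS mode)


def inspect(packet: Packet, inline: bool) -> tuple[bool, Optional[Alert]]:
    """Compare one packet against every signature; return (forwarded, alert).
    An out-of-band IDS only sees a copy of the traffic, so it always
    "forwards" and can merely alert; an inline IPS drops on a match."""
    for sig in SIGNATURES:
        if re.search(sig.pattern, packet.payload):
            return (not inline), Alert(sig.name, sig.severity,
                                       packet.src, packet.dst, blocked=inline)
    return True, None


# ---- NAC enforcement ----------------------------------------------------
class Access(Enum):
    FULL = "full"
    CAMPUS_ONLY = "campus-only"     # internal services only, no Internet
    QUARANTINE = "quarantine"


@dataclass
class Endpoint:
    ip: str
    device: str         # e.g. "windows", "mac", "ip-phone" (constructed labels)
    user_class: str     # e.g. "in-house", "guest", "remote", "wireless"
    access: Access = Access.FULL


CAMPUS = ip_network("10.0.0.0/8")   # constructed on-campus address space


def decide(endpoint: Endpoint, alert: Alert) -> Access:
    """Map an alert onto an enforcement tier (constructed policy)."""
    if alert.severity == "high":
        return Access.QUARANTINE
    if endpoint.user_class == "guest" and alert.severity != "low":
        return Access.QUARANTINE            # guests get no second chance
    if alert.signature.startswith("p2p-") and ip_address(alert.dst) not in CAMPUS:
        return Access.CAMPUS_ONLY           # the article's student case
    return endpoint.access                  # stream already cut; only log


def run(packets, endpoints: dict[str, Endpoint], inline: bool = True):
    """Push packets through the sensor; on a hit, notify the NAC, which
    applies its decision.  Returns (forwarded, alert, access) per packet."""
    results = []
    for pkt in packets:
        forwarded, alert = inspect(pkt, inline)
        endpoint = endpoints[pkt.src]
        if alert:                           # the IPS -> NAC notification
            endpoint.access = decide(endpoint, alert)
        results.append((forwarded, alert, endpoint.access))
    return results


def make_endpoints() -> dict[str, Endpoint]:
    """Constructed inventory of endpoints that passed pre-connect checks."""
    return {e.ip: e for e in (Endpoint("10.20.30.40", "windows", "in-house"),
                              Endpoint("10.20.30.41", "mac", "in-house"),
                              Endpoint("10.20.30.42", "windows", "guest"))}


# Constructed traffic: a student opening a BitTorrent session off campus,
# a benign web request, and a guest probing an internal web server.
SAMPLE_PACKETS = [
    Packet("10.20.30.40", "203.0.113.7", b"\x13BitTorrent protocol" + b"\x00" * 8),
    Packet("10.20.30.41", "10.1.1.5", b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.20.30.42", "10.1.1.5", b"GET /../../etc/passwd HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for forwarded, alert, access in run(SAMPLE_PACKETS, make_endpoints()):
        print(f"forwarded={forwarded!s:5} access={access.value:12} "
              f"alert={alert.signature if alert else '-'}")
```

Running the same packets with `inline=False` shows the point of the integration: the out-of-band sensor cannot drop the BitTorrent packet (`blocked` is False and the packet is forwarded), but the NAC still moves the student's endpoint to campus-only access on the strength of the alert, so the enforcement does not depend on the sensor being inline.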

Shimel is chief strategy officer, StillSecure, Superior, Colo.
