Network access control solutions enable organizations to implement policies for controlling device and user access to corporate networks.
As shown in the diagram above, the network consists of:
1. End-user devices, for example a laptop or a mobile handset.
The user accesses websites and other services from such devices.
2. Infrastructure devices, for example a Wi-Fi router, modem, or firewall.
These devices provide network access to the end-user devices.
Assume that your desktop is infected by a virus. If it is connected to other devices, it will spread the virus to them as well. In real life, to prevent the spread of an epidemic disease (for example, swine flu), healthy people are instructed as a matter of policy to avoid contact with the infected. The same applies to an infected device (a computer in this case): an infected device should not be allowed to reach other devices. To enforce such a policy, a NAC device is needed that controls network access for each device. NAC stands for Network Access Control.
Technical explanation
Network Access Control aims to do exactly what the name implies—control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do.
Any serious attempt to manage security risk must start with knowledge of who and what is on your network, including visibility into whether the devices on your network are compliant with your security standards. Traditional host-based IT security and management systems are blind to unmanaged devices (e.g. BYOD systems). The NAC device provides intelligence about the endpoint risks on your network and acts as the Policy Decision Point (PDP). On its instruction, the Wi-Fi access point opens the network to the end user; the same holds for resources protected behind a firewall, where the firewall enforces the decision.
Any component or endpoint attempting to access the network is designated an Access Requestor (AR). To gain access to the network, the AR must be evaluated and approved by the Policy Decision Point (PDP). The PDP's evaluation generally includes user authentication, device authentication, and integrity checking of the AR, comparing the results of this evaluation against the organization's policies for authorized users, acceptable device identity and configuration, etc. Once the PDP decides what access should be granted, it sends its decision to the Policy Enforcement Point (PEP), which can be a switch, firewall, virtual private network (VPN) gateway, or other networking component.
An infected or compromised endpoint may provide unreliable information regarding its status during a health check. This problem is especially troubling in light of the increasing popularity of rootkits. Most rootkits modify the operating system so that the files containing the rootkit are not visible to other software running on the endpoint, which prevents endpoint security software from detecting them.
Once a machine is infected with a rootkit, the attacker has complete control over the system and can steal data from it, use it as a launching pad for infecting other machines, cause it to lie about its health, or perform any other nefarious deeds.
A network profiler reveals what is on the network. It provides information about the end-user devices connected to it and reports where users and devices connect to your network.
The profiler uses your network switches, routers and firewalls as the primary data source, regularly collecting information over SNMP and DNS. In addition to networking data, it can collect user identity information from Active Directory and LDAP and relate it to the end-user devices. The NAC device uses this data in its decision.
A health-check (posture assessment) component monitors the security health of BYOD devices, for example antivirus state and patch level; the NAC device processes this information in its decision as well.
The NAC device also processes intrusion detection data and can move an end user whose device triggers alerts into a quarantine network.
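A toy Policy Decision Point, written here as an added example (it is not code from the article or from any NAC product), wires the pieces from the preceding paragraphs together: the Access Requestor presents a user identity, a device identity and a self-reported posture; inventory and directory lookups stand in for the profiler's SNMP, Active Directory and LDAP data; an IDS alert count stands in for the intrusion detection feed; the result is the VLAN a PEP (switch or Wi-Fi controller) should place the port in. Inventory entries, posture field names, VLAN numbers and the minimum patch level are assumed values.

```python
"""Toy NAC Policy Decision Point (PDP).

Added example, not the article's code and not a real NAC product.
Evaluates an Access Requestor (AR) against policy and returns the
decision a Policy Enforcement Point (PEP) applies as a VLAN assignment.
All inventory, directory and policy values below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed inventory, standing in for profiler data (MAC -> owner, managed?).
DEVICE_INVENTORY = {
    "00:11:22:33:44:55": {"owner": "alice", "managed": True},
    "66:77:88:99:aa:bb": {"owner": "bob", "managed": True},
}

# Constructed directory, standing in for Active Directory / LDAP lookups.
USER_DIRECTORY = {
    "alice": {"groups": ["staff"]},
    "bob": {"groups": ["staff", "contractor"]},
}

# VLAN ids the PEP understands and the minimum acceptable patch level (assumed).
VLAN_CORP, VLAN_GUEST, VLAN_QUARANTINE = 10, 20, 999
MIN_PATCH_LEVEL = 7


@dataclass
class AccessRequest:
    user: Optional[str]      # None when user authentication failed
    mac: str                 # device identity as seen by the switch / AP
    posture: dict            # self-reported health check from the endpoint
    ids_alerts: int = 0      # alerts raised by the IDS against this endpoint


@dataclass
class Decision:
    action: str              # "permit", "quarantine" or "deny"
    vlan: Optional[int]      # what the PEP should program on the port
    reasons: list = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    reasons = []
    # 1. Post-admission signal overrides everything else: the host is attacking others.
    if req.ids_alerts > 0:
        return Decision("quarantine", VLAN_QUARANTINE, [f"{req.ids_alerts} IDS alert(s)"])
    # 2. User authentication.
    if req.user is None or req.user not in USER_DIRECTORY:
        return Decision("deny", None, ["user authentication failed"])
    # 3. Device authentication / identity.
    dev = DEVICE_INVENTORY.get(req.mac)
    if dev is None:
        # Unknown (BYOD) device: its posture report cannot be trusted, so limit access.
        return Decision("permit", VLAN_GUEST, ["unmanaged device -> guest network"])
    if dev["owner"] != req.user:
        reasons.append("device registered to a different user")
    # 4. Integrity / posture checks. Note these are self-reported by the endpoint.
    if not req.posture.get("av_enabled", False):
        reasons.append("antivirus disabled")
    if req.posture.get("patch_level", 0) < MIN_PATCH_LEVEL:
        reasons.append("patch level below minimum")
    if reasons:
        return Decision("quarantine", VLAN_QUARANTINE, reasons)
    return Decision("permit", VLAN_CORP, ["all checks passed"])


if __name__ == "__main__":
    healthy = {"av_enabled": True, "patch_level": 8}
    for req in (
        AccessRequest("alice", "00:11:22:33:44:55", healthy),
        AccessRequest("alice", "00:11:22:33:44:55", {"av_enabled": False, "patch_level": 8}),
        AccessRequest("alice", "de:ad:be:ef:00:01", healthy),
        AccessRequest(None, "00:11:22:33:44:55", {}),
        AccessRequest("bob", "66:77:88:99:aa:bb", healthy, ids_alerts=3),
    ):
        d = evaluate(req)
        print(f"{req.user!s:6s} {req.mac} -> {d.action:10s} vlan={d.vlan} {d.reasons}")
```

The ordering matters: an IDS verdict is a post-admission control and is applied before the pre-admission checks, so a host that passed its health check at connect time can still be pulled into the quarantine VLAN later. The posture block is only as trustworthy as the endpoint that reports it, which is the problem the following paragraphs take up.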
The TPM's role in detecting a lying endpoint starts with the boot process. When an endpoint with a TPM performs a measured (trusted) boot, each stage of the boot chain, starting from the core root of trust in the firmware, hashes the next critical component (BIOS/UEFI firmware, boot loader, operating system kernel) before it runs and extends that hash into a Platform Configuration Register (PCR) inside the TPM. Because each measurement is recorded before the measured code executes, and a PCR can only be extended, never rewritten, until the next platform reset, malware that loads later cannot erase or falsify the record of what booted.
When the endpoint connects to the network, the TNC server sends a fresh nonce and the TPM returns a quote: the PCR values signed with an attestation key that never leaves the TPM, bound to that nonce so that a captured quote cannot be replayed later. The TNC server compares the reported PCR values against its list of acceptable configurations. A non-match identifies a possibly infected (or simply misconfigured) endpoint, which can be quarantined for remediation. The check only reaches as far as the measurements do: software loaded after the last measured component, or a vulnerability inside correctly measured software, is not detected by it.
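The measured-boot and attestation exchange described above, simulated end to end as an added example (it is neither the article's code nor a real TPM or TNC implementation). It also shows why the lying endpoint of the earlier rootkit paragraphs is caught: the rootkit can patch the kernel, but it cannot produce a known-good PCR value or a quote under the TPM's attestation key. The TPM signature is simulated with an HMAC under a key held only inside the SimulatedTPM object; a real TPM signs with an asymmetric attestation key and the verifier holds only the public half. The component strings and the known-good list are constructed sample data.

```python
"""Measured boot and TNC-style remote attestation, simulated.

Added example: not the article's code and not a real TPM or TNC stack.
Each boot stage extends a Platform Configuration Register (PCR):
    PCR_new = SHA-256(PCR_old || SHA-256(component))
The TPM quote is simulated with an HMAC under a key that never leaves the
SimulatedTPM object (a real TPM signs with an asymmetric attestation key).
Component strings and the known-good list are constructed sample data.
"""
import hashlib
import hmac
import secrets

PCR_INIT = bytes(32)  # PCRs are all-zero after a platform reset


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: the register can only be folded forward."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measured_boot(components) -> bytes:
    """Replay a boot chain offline to derive the expected final PCR value."""
    pcr = PCR_INIT
    for c in components:
        pcr = extend(pcr, c)
    return pcr


class SimulatedTPM:
    def __init__(self):
        self.pcr = PCR_INIT
        self._ak = secrets.token_bytes(32)  # attestation key, held inside the TPM

    def enroll(self) -> bytes:
        # Stand-in for handing the attestation public key to the verifier at enrollment.
        return self._ak

    def extend(self, component: bytes) -> None:
        self.pcr = extend(self.pcr, component)

    def quote(self, nonce: bytes) -> bytes:
        # Binds the current PCR value to the verifier's fresh nonce.
        return hmac.new(self._ak, nonce + self.pcr, "sha256").digest()


class TNCServer:
    def __init__(self, known_good_pcrs: set, verify_key: bytes):
        self.known_good = known_good_pcrs
        self.verify_key = verify_key
        self.outstanding = set()  # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, reported_pcr: bytes, quote: bytes) -> str:
        if nonce not in self.outstanding:
            return "deny: replayed or unknown nonce"
        self.outstanding.discard(nonce)
        expected = hmac.new(self.verify_key, nonce + reported_pcr, "sha256").digest()
        if not hmac.compare_digest(quote, expected):
            return "deny: quote not produced by the enrolled TPM"
        if reported_pcr not in self.known_good:
            return "quarantine: unknown boot configuration"
        return "permit"


# Constructed boot chains standing in for firmware, boot loader and kernel images.
GOOD_CHAIN = [b"BIOS v1.2", b"GRUB 2.06", b"vmlinuz-6.1 (vendor build)"]
ROOTKIT_CHAIN = [b"BIOS v1.2", b"GRUB 2.06", b"vmlinuz-6.1 (rootkit patched)"]
KNOWN_GOOD_PCR = measured_boot(GOOD_CHAIN)


def run_scenarios() -> dict:
    results = {}
    # 1. Clean endpoint: its PCR is on the server's whitelist.
    tpm = SimulatedTPM()
    server = TNCServer({KNOWN_GOOD_PCR}, tpm.enroll())
    for c in GOOD_CHAIN:
        tpm.extend(c)
    nonce = server.challenge()
    quote = tpm.quote(nonce)
    results["clean"] = server.verify(nonce, tpm.pcr, quote)
    # 2. The same valid quote captured and replayed later: the nonce is spent.
    results["replay"] = server.verify(nonce, tpm.pcr, quote)
    # 3. Rootkit-patched kernel: the TPM truthfully reports a different PCR.
    bad_tpm = SimulatedTPM()
    server2 = TNCServer({KNOWN_GOOD_PCR}, bad_tpm.enroll())
    for c in ROOTKIT_CHAIN:
        bad_tpm.extend(c)
    nonce = server2.challenge()
    results["rootkit"] = server2.verify(nonce, bad_tpm.pcr, bad_tpm.quote(nonce))
    # 4. Lying endpoint: reports the known-good PCR but has to forge the quote.
    nonce = server2.challenge()
    forged = hmac.new(b"attacker has no attestation key", nonce + KNOWN_GOOD_PCR, "sha256").digest()
    results["lying"] = server2.verify(nonce, KNOWN_GOOD_PCR, forged)
    # 5. "Repairing" the PCR after boot is impossible: extending only moves it further.
    bad_tpm.extend(b"vmlinuz-6.1 (vendor build)")
    results["pcr_restored"] = bad_tpm.pcr == KNOWN_GOOD_PCR
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:13s} -> {outcome}")
```

The server keeps no state about the endpoint other than the whitelist of acceptable PCR values and the enrolled attestation key; everything else (freshness, integrity of the report, agreement with policy) is checked per connection. In practice the whitelist must be updated for every approved firmware, boot loader and kernel build, which is the operational cost of this kind of check.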