NAC Solution Overview
Assessment
Determine if the device complies with corporate security and configuration requirements, such as operating system patch revision levels and antivirus signature definitions. Other security compliance requirements might include the physical location of the device and the time of day the connection attempt is made.
Authorization
Determine the appropriate network access for the connecting device based on the authentication and/or assessment results, and enforce this authorization level to the end-system. The authorization level can be determined based on the device's location, MAC address, and security posture (as determined by the assessment results), in addition to the identity of the user/device validated through authentication.

The end-system can be authorized for network access using different techniques, such as reconfiguring access edge switches or leveraging a specialized NAC appliance deployed in the transmission path of end-system data traffic. Inline and out-of-band NAC implementations use different techniques for authorizing end-systems on the network, each with unique advantages and disadvantages as discussed later in this chapter.
Remediation
Enable end users to safely remediate their non-compliant end-systems without impacting IT operations. With remediation, users can be notified when their system is quarantined for network security policy non-compliance, and they can be directed to perform self-service remediation techniques specific to the detected compliance violation. Notification methods include web redirection via a captive portal, email notification, pop-up messages, and messenger service integration, among others.

The remediation process includes updating the device to meet corporate security requirements (for example, updating operating system patches and antivirus signatures) and reinitiating the network access process. Network resources can be automatically reallocated to end-systems that have successfully performed the remediation steps, without the intervention of IT operations.
Deployment Models
The five key NAC functions described above do not need to be implemented concurrently in a NAC deployment. For example, to support MAC registration for guests and other users on the network, the detection, authentication, and authorization functionalities can be implemented without the assessment functionality. This allows an IT department to gain visibility into who is using which devices on the network while allowing only valid users to enter the network.

As another example, the assessment functionality can be added to the detection, authentication, and authorization of end-systems without the remediation functionality, allowing for the auditing, but not quarantining, of connecting end-systems. This provides visibility into the security posture and configuration of connecting end-systems without impacting device network connectivity, and can be used for auditing and software update purposes by the IT department.

The four NAC deployment models described below build on each other by implementing subsets of the five key NAC functions. Each model provides particular aspects of NAC functionality, supporting the requirements of diverse enterprise environments. With each subsequent model, the additional NAC functionality can be enabled without the need to replace pieces of the Enterasys NAC solution.
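The following Python model, added here as an illustration and not part of the Enterasys product or this document, ties together the assessment, authorization and remediation functions described above and the deployment models that enable subsets of them: an assessment-only deployment records the violation in an audit log but still grants access, a deployment with remediation quarantines until the user updates and reconnects. The thresholds, locations, business hours and device records are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import date, time
from typing import Optional
# Compliance thresholds: hypothetical values for this example, not Enterasys defaults.
MIN_PATCH_LEVEL = 12                         # required OS patch revision level
MAX_AV_SIG_AGE_DAYS = 7                      # antivirus signatures must be no older than this
ALLOWED_LOCATIONS = {"HQ", "Branch-1"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # connections outside this window are non-compliant
@dataclass
class EndSystem:
    mac: str
    user: Optional[str]       # None: MAC-registered device, no authenticated user
    location: str
    patch_level: int
    av_signature_date: date
    connect_time: time

@dataclass
class Deployment:
    """Which NAC functions this deployment model enables; audit_log records assessment findings."""
    assessment: bool
    remediation: bool
    audit_log: list = field(default_factory=list)

def assess(dev: EndSystem, today: date) -> list:
    """Assessment: return the names of the failed compliance checks (empty = compliant)."""
    checks = [
        (dev.patch_level < MIN_PATCH_LEVEL, "os-patch-level"),
        ((today - dev.av_signature_date).days > MAX_AV_SIG_AGE_DAYS, "antivirus-signatures"),
        (dev.location not in ALLOWED_LOCATIONS, "location"),
        (not BUSINESS_HOURS[0] <= dev.connect_time <= BUSINESS_HOURS[1], "time-of-day"),
    ]
    return [name for failed, name in checks if failed]

def authorize(dev: EndSystem, model: Deployment, today: date) -> str:
    """Authorization: combine identity and posture into 'guest', 'quarantine' or 'full'."""
    if dev.user is None:
        return "guest"          # authenticated by MAC registration only
    if not model.assessment:
        return "full"           # no assessment function: validated identity alone decides
    violations = assess(dev, today)
    if not violations:
        return "full"
    model.audit_log.append((dev.mac, dev.user, violations))
    # Assessment without remediation audits the violation but does not quarantine.
    return "quarantine" if model.remediation else "full"

def remediate_and_reconnect(dev: EndSystem, model: Deployment, today: date) -> str:
    """Remediation: user updates patches and signatures, then re-initiates network access."""
    dev.patch_level = max(dev.patch_level, MIN_PATCH_LEVEL)
    dev.av_signature_date = today
    return authorize(dev, model, today)
```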