NAC access control: A multi-dimensional puzzle

No shortage of approaches to achieving access control via NAC products

To understand how access control is accomplished in NAC products, you have to look at it from three angles: where access control is enforced, how access control is communicated, and the granularity of access control.

But first you need to decide if you want to enforce access control at all. There are two reasons why you might not want to.

One, actual enforcement may not be a goal. For example, if you just want to know your level of compliance with end-point security policies, NAC can help you detect and report on that, even if you don't want to kick someone off the network for being out of compliance.

You might think you already have compliance covered, because in theory the end-point security products running on your desktops and laptops already do this when they hook back into a central management console.

But because NAC actually checks the compliance of everyone who wants to connect to the network, the reality is that you can find systems using NAC that the enterprise consoles don't know about.

The second reason not to enforce NAC is if your plans call for an initial "report-only" phase, prior to moving to enforcement. All the products we tested will let you operate in "report-only" mode.

In the products we tested, enforcement isn't a big red switch you flip. Instead, there are usually options for not sending enforcement instructions to the network, which may take a little digging to find.

Of course, depending on the type of NAC deployment you have, even "non-enforcing" NAC may be intrusive to network operations. For example, if you are planning on using 802.1X for authentication and enforcement, you have to get the basics of 802.1X right, or people won't necessarily be able to get on the network.

If you are very concerned about interfering with network traffic, you may want to look at Bradford Network Sentry, ForeScout CounterACT and Trustwave NAC, all of which have an exceedingly light touch on the network when used in "observe only" mode.

Enforcement scenarios

Let's say you decide you want to enforce access control. There are four ways to do so: edge enforcement, deep in-line enforcement, protocol-based enforcement and hybrid enforcement.

Edge enforcement, which is a type of in-line enforcement, uses devices at the edge of the network. In the case of switched access, that's the edge switch port. Edge enforcement can also be done in wireless controllers and VPN concentrators, which enforce at the point where the device connects to the network. Many NAC vendors call this "out-of-band" enforcement, because their hardware isn't enforcing the access control; your edge hardware is. But it's still very much "in-band" enforcement.

Most products we tested support edge enforcement as an option, with the exceptions being Trustwave and McAfee.

If you move enforcement deeper into the network, that's "deep in-line" enforcement. Sometimes it's done at Layer 2 (the Ethernet layer) by a device that looks like a transparent bridge; other times at Layer 3 (the IP layer) by a device that looks more like a router or a firewall.

Alcatel-Lucent, Avenda, Cisco, Enterasys, Juniper, McAfee, and Symantec offer in-line devices that sit between the user and some part of the network to enforce access controls. For each of these products, deep in-line enforcement is an option, not a requirement.

Hybrid enforcement combines edge-based and deep in-line enforcement. The general idea is that the NAC device starts in-line with user traffic, and then at some point gets "out of the way" by reconfiguring the network to use edge enforcement. The best example of this is in McAfee's N-450 NAC Appliance.

Because hybrid enforcement is, well, a hybrid, not every NAC product works the same way as the McAfee N-450 NAC Appliance when in hybrid mode. Some NAC products reserve hybrid mode for users who are authenticating via Web browsers, a more intrusive way of controlling access, but a common model for guest users.

Many products offer multiple types of hybrid operation as well, depending on whether they are sitting as a Layer 2 or Layer 3 device. If you do choose hybrid or deep in-line operation, make sure you're buying enough boxes. Some products, such as Cisco NAC Appliance and Symantec NAC Enforcer 6100, can operate in one mode or the other, but not both, so if you want to use both in your NAC deployment, you may need to buy additional hardware.

Protocol-based enforcement is an option in Alcatel-Lucent SafeNAC, ForeScout CounterACT, Microsoft NAP and Trustwave NAC. In this model, the actual enforcement depends on devices playing by the rules of the protocol, because there is no real enforcement actually happening.

A good example is DHCP-based enforcement, which is an option with Alcatel-Lucent SafeNAC and Microsoft NAP. With DHCP-based enforcement, end devices are given an IP address that somehow restricts where they can go, such as by manipulating the subnet mask or the default gateway.

As long as devices play by the rules and listen to what they are told via DHCP, NAC will "enforce" access control. If a device starts cheating, perhaps by not using DHCP in the first place, then NAC can't enforce access control on it.

Protocol-based enforcement is most appropriate in environments where you are not trying to keep out malicious users. For example, if you have good physical security in your building, your main goal for NAC may be end-point security compliance rather than authentication.
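To make the DHCP-based model concrete, here is an added example (not code from the article or from any of the vendors named) that encodes the DHCP options a NAC-aware DHCP server might hand to a quarantined host and decodes them again so the lease can be audited. The option layouts follow RFC 2132 (subnet mask, router) and RFC 3442 (classless static routes); the quarantine scheme itself (a 255.255.255.255 mask, no default router, and explicit routes only to remediation servers) and all addresses are assumptions modelled on the approach the article describes, not a vendor's exact implementation.

```python
import ipaddress

OPT_SUBNET_MASK = 1        # RFC 2132
OPT_ROUTER = 3             # RFC 2132
OPT_CLASSLESS_ROUTE = 121  # RFC 3442
OPT_END = 255

# Constructed sample addressing (assumption, not from the article).
QUARANTINE_MASK = "255.255.255.255"   # host-only: nothing is "on-link"
NORMAL_MASK = "255.255.255.0"
GATEWAY = "10.0.0.1"
REMEDIATION_SERVERS = ["10.0.50.10", "10.0.50.11"]


def _tlv(code, payload):
    """One DHCP option: code, length, value."""
    return bytes([code, len(payload)]) + payload


def encode_classless_routes(routes):
    """RFC 3442 body: prefix length, only the significant destination octets, then the router."""
    body = b""
    for dest, router in routes:
        net = ipaddress.ip_network(dest, strict=False)
        significant = (net.prefixlen + 7) // 8
        body += bytes([net.prefixlen]) + net.network_address.packed[:significant]
        body += ipaddress.ip_address(router).packed
    return body


def decode_classless_routes(body):
    routes = []
    i = 0
    while i < len(body):
        prefixlen = body[i]
        significant = (prefixlen + 7) // 8
        dest = body[i + 1:i + 1 + significant].ljust(4, b"\x00")
        router = body[i + 1 + significant:i + 5 + significant]
        routes.append((f"{ipaddress.ip_address(dest)}/{prefixlen}",
                       str(ipaddress.ip_address(router))))
        i += 5 + significant
    return routes


def build_lease_options(compliant):
    """Options the server hands out, chosen by the host's compliance state."""
    if compliant:
        return (_tlv(OPT_SUBNET_MASK, ipaddress.ip_address(NORMAL_MASK).packed)
                + _tlv(OPT_ROUTER, ipaddress.ip_address(GATEWAY).packed)
                + bytes([OPT_END]))
    # Quarantine: no default router at all, just host routes to the remediation servers.
    # This only restricts a client that honours the lease; a host that skips DHCP and
    # configures itself statically is not constrained, which is the article's caveat.
    routes = [(f"{srv}/32", GATEWAY) for srv in REMEDIATION_SERVERS]
    return (_tlv(OPT_SUBNET_MASK, ipaddress.ip_address(QUARANTINE_MASK).packed)
            + _tlv(OPT_CLASSLESS_ROUTE, encode_classless_routes(routes))
            + bytes([OPT_END]))


def decode_options(data):
    """Parse the option area back into {code: value} for auditing."""
    opts = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == 0:          # pad octet
            i += 1
            continue
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if code in (OPT_SUBNET_MASK, OPT_ROUTER):
            opts[code] = str(ipaddress.ip_address(value))
        elif code == OPT_CLASSLESS_ROUTE:
            opts[code] = decode_classless_routes(value)
        else:
            opts[code] = value
        i += 2 + length
    return opts


def is_quarantine_lease(opts):
    """A quarantine lease has a host-only mask and no default router."""
    return opts.get(OPT_SUBNET_MASK) == QUARANTINE_MASK and OPT_ROUTER not in opts


if __name__ == "__main__":
    for state in (True, False):
        opts = decode_options(build_lease_options(state))
        print("compliant" if state else "quarantined", opts, is_quarantine_lease(opts))
```

Reading the decoded lease from a packet capture is a quick way to confirm that the quarantine policy a NAC console claims to apply is actually what reaches the wire.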

ForeScout and Trustwave strongly encourage you to use protocol-based enforcement for part of your deployment. Both use more sophisticated mechanisms than simply playing with DHCP. For example, Trustwave NAC poisons ARP caches to redirect traffic to the Trustwave NAC appliance, which then sits in-line during initial authentication and end-point security checks.

Several NAC products also support something we call Host-based Access Control. We didn't test this because it seems to be a different product category, but it is an option in products including Alcatel-Lucent SafeNAC, Juniper UAC, Microsoft NAP and McAfee ePolicy Orchestrator NAC. In host-based access controls, the enforcement is pushed to the end devices.

If you are looking for maximum flexibility in a product, Alcatel-Lucent SafeNAC, Avenda NAC, Cisco NAC Appliance, Enterasys NAC, Juniper UAC and Symantec NAC are at the top of our list, because they let you choose what you want: in-line or edge.

When you're only looking at users on switches, that flexibility may not seem all that important, but our experience with real networks and their myriad installations of hidden switches (like that one on your desk that isn't managed or even official), wireless networks, and VPNs to branch offices and remote users has taught us that flexibility counts for a lot.

Communicating access controls: Getting the message across

Once you've decided on an access control policy for a device, how do you get it into the enforcement point? This point is contentious, because it mixes together all sorts of issues, from the technical to the political and even the religious.

There are three approaches: proprietary, 802.1X and "whatever works."

The proprietary case is easy to understand. When a NAC vendor both sells an enforcement device and a NAC solution, there is often a proprietary API that lets the NAC part of the product talk to the enforcement part of the product. For example, Juniper's UAC can talk to Juniper firewalls to push out access control rules. Alcatel-Lucent switches can query Safe NAC CyberGatekeeper servers for end-point status information.

Sometimes the enforcement device is embedded in the NAC product, as with McAfee's N-450, and the policy communication is invisible. The downside is that you may not be able to mix and match different enforcement devices, but most vendors with proprietary enforcement devices have worked around this by including other ways of communicating enforcement rules.

802.1X factor

When using 802.1X, the NAC product has the opportunity to push access control information down to the edge device as part of the 802.1X protocol. It is standardized, more or less, and it provides a tight and secure linkage between the device attempting to connect and the access control policy. That makes 802.1X a technically elegant solution for security-conscious network users.

Unfortunately, there are significant problems when using 802.1X, most of which come down to a single point: 802.1X access controls are easy at the moment of authentication, but difficult any other time. For example, if the NAC solution suddenly decides that someone is no longer compliant, or if the NAC manager changes the access control policy in the management system, there is no easy way to get that information out to all 802.1X-authenticated ports.

Standards writers have proposed a solution, called Change of Authorization (usually abbreviated COA), that lets access control changes be sent asynchronously from authentication responses. There are a couple of problems with that: first, most switches don't support COA, and second, most NAC products don't support it either. We found support in some Cisco, Enterasys, HP and Juniper switches, and Enterasys' and Juniper's NAC products, but that was about it.
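The two mechanisms just described, VLAN assignment riding inside the 802.1X authentication reply and a later Change of Authorization, are easy to see at the packet level. The following is an added example, not code from the article or from any switch or NAC vendor, that builds a RADIUS Access-Accept carrying the RFC 3580 tunnel attributes a switch reads to pick a VLAN, builds a CoA-Request (RFC 5176) that changes that VLAN later without re-authentication, and shows the NAS-side authenticator check. The shared secret, MAC address and VLAN numbers are constructed; the tag value and the omission of a Message-Authenticator attribute (which real CoA deployments usually include) are simplifications, stated as such in the comments.

```python
import hashlib
import struct

ACCESS_ACCEPT = 2      # RFC 2865
COA_REQUEST = 43       # RFC 5176
ATTR_CALLING_STATION_ID = 31
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
TAG = 1  # RFC 2868 tag; kept <= 0x1F so receivers treat it as a tag, not as data


def _avp(attr_type, value):
    """One RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vlan_attributes(vlan_id):
    """RFC 3580 VLAN assignment: three tagged tunnel attributes."""
    return (_avp(ATTR_TUNNEL_TYPE, bytes([TAG]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _avp(ATTR_TUNNEL_MEDIUM_TYPE, bytes([TAG]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([TAG]) + str(vlan_id).encode()))


def _packet(code, identifier, seed, attributes, secret):
    """Header + authenticator + attributes; the authenticator is MD5 over the fields plus secret."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + seed + attributes + secret).digest()
    return header + authenticator + attributes


def access_accept(identifier, request_authenticator, vlan_id, secret):
    """Reply at authentication time: the VLAN travels inside the Access-Accept.
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865)."""
    return _packet(ACCESS_ACCEPT, identifier, request_authenticator, vlan_attributes(vlan_id), secret)


def coa_request(identifier, mac, vlan_id, secret):
    """Asynchronous change: CoA-Request keyed by Calling-Station-Id with the new VLAN.
    Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret) (RFC 5176).
    Simplification: no Message-Authenticator (80) is added here."""
    attrs = _avp(ATTR_CALLING_STATION_ID, mac.encode()) + vlan_attributes(vlan_id)
    return _packet(COA_REQUEST, identifier, b"\x00" * 16, attrs, secret)


def parse_attributes(packet):
    attrs = []
    i = 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs.append((attr_type, packet[i + 2:i + length]))
        i += length
    return attrs


def assigned_vlan(packet):
    """What a switch extracts: the VLAN named by the tunnel attributes, or None."""
    attrs = dict(parse_attributes(packet))
    if attrs.get(ATTR_TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big"):
        return None
    if attrs.get(ATTR_TUNNEL_MEDIUM_TYPE, b"")[1:] != TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"):
        return None
    gid = attrs.get(ATTR_TUNNEL_PRIVATE_GROUP_ID)
    if not gid:
        return None
    return gid[1:].decode() if gid[0] <= 0x1F else gid.decode()


def verify(packet, seed, secret):
    """NAS-side check: recompute the authenticator with the shared secret.
    seed = the original Request Authenticator for an Access-Accept, 16 zero octets for a CoA-Request."""
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + seed + attrs + secret).digest() == authenticator


if __name__ == "__main__":
    secret = b"constructed-shared-secret"           # constructed, not a real deployment value
    req_auth = bytes(range(16))                      # constructed Request Authenticator
    pkt = access_accept(7, req_auth, 120, secret)
    print("Access-Accept VLAN", assigned_vlan(pkt), "valid", verify(pkt, req_auth, secret))
    coa = coa_request(8, "00-11-22-33-44-55", 999, secret)   # constructed MAC
    print("CoA VLAN", assigned_vlan(coa), "valid", verify(coa, b"\x00" * 16, secret))
```

The point the article makes is visible in the second function: the CoA path needs a NAS that listens for code 43 and honours it, which is exactly the switch and NAC support the authors found to be rare.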

Linking NAC policy communication to authentication has another problem that vexes NAC vendors, because it requires end-point security to be evaluated first, at the moment the user connects. NAC vendors don't always like this, for two reasons. One is that it can take significant time to verify end-point security compliance, which can delay login and makes end users unhappy. The other is that it requires the NAC vendor to tightly link the first end-point security scan to authentication, which makes NAC vendors unhappy.

The solution that pragmatic NAC vendors have come up with is what we call "whatever works:" a combination of SNMP operations and command-line commands sent down either via Telnet or SSH that can be used to push access control information into switches at any time: before, after and during authentication.

Bradford, Cisco, ForeScout and McAfee all use this strategy as their path of least resistance: if you take their products out of the box, this is the initial strategy they encourage, even if 802.1X is an option.

The NAC vendors that strongly encourage 802.1X, including Avenda, Enterasys, HP, Juniper, Microsoft and Symantec, may also support other approaches, but when you select edge enforcement, you're initially pushed towards 802.1X access controls.

As with many technical arguments, this one can come down to preference and experience rather than technical justification. Coming from a security perspective, our preference is to use 802.1X for access controls, since it offers stronger security than the SNMP approach. However, security doesn't always drive NAC projects, so this view doesn't always apply. When using SNMP, our testing also turned up compatibility problems. NAC vendors quickly fixed things after we pointed them out, but there is no guarantee that these problems won't reappear with every switch firmware upgrade.

Many of the vulnerabilities associated with the "whatever works" strategy have been identified and compensating controls are in place. For example, since the SNMP trap that identifies a new system could be lost, many SNMP-focused products periodically scan media access control tables within switches to see if new MAC addresses have shown up that need to be authenticated and checked.
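The periodic MAC-table scan described above is a compensating control for lost traps, and it is simple to reason about once written down. Below is an added example, not the article's or any vendor's code, of the reconciliation step such a product runs after each poll: it takes the rows an SNMP walk of the bridge forwarding table (dot1dTpFdbTable, RFC 1493) would return, ignores non-learned entries and uplink ports, and flags MACs that still need authentication or that have moved to a different port. The switch name, port numbers, uplink set and MAC addresses are constructed sample data.

```python
from dataclasses import dataclass, field

FDB_STATUS_LEARNED = 3  # dot1dTpFdbStatus value for a dynamically learned entry (RFC 1493)


@dataclass
class SwitchPoll:
    """One poll of one switch: rows as (dot1dTpFdbAddress, dot1dTpFdbPort, dot1dTpFdbStatus)."""
    switch: str
    uplink_ports: set
    rows: list


@dataclass
class NacState:
    authenticated: set = field(default_factory=set)   # MACs that passed auth and compliance
    location: dict = field(default_factory=dict)      # mac -> (switch, port) last seen


def normalize_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mark_authenticated(state, mac):
    """Called by the NAC engine once a flagged MAC has been checked."""
    state.authenticated.add(mac)


def reconcile(state, poll):
    """Compare a poll with what we know; return the actions the NAC engine must take.

    A MAC we have never authenticated is flagged even if the link-up trap that should
    have announced it was lost, which is the whole reason for polling. A known MAC that
    shows up on a different port is flagged for re-assessment (possible device swap)."""
    actions = []
    for raw, port, status in poll.rows:
        # Entries with status 'self' or 'mgmt' are the switch itself; uplink ports carry
        # MACs that belong to other switches and are handled where they really connect.
        if status != FDB_STATUS_LEARNED or port in poll.uplink_ports:
            continue
        mac = normalize_mac(raw)
        where = (poll.switch, port)
        if mac not in state.authenticated:
            actions.append(("authenticate", mac, where))
        elif state.location.get(mac) not in (None, where):
            actions.append(("recheck_moved", mac, where))
        state.location[mac] = where
    return actions


# Constructed sample poll (assumption: not real switch data).
SAMPLE_POLL = SwitchPoll("edge-sw1", uplink_ports={48}, rows=[
    (bytes.fromhex("001122334455"), 3, FDB_STATUS_LEARNED),
    (bytes.fromhex("66778899aabb"), 7, FDB_STATUS_LEARNED),
    (bytes.fromhex("ccddeeff0011"), 48, FDB_STATUS_LEARNED),  # learned via the uplink
    (bytes.fromhex("0a0b0c0d0e0f"), 1, 4),                    # status 4 = self (the switch)
])


if __name__ == "__main__":
    state = NacState()
    for action in reconcile(state, SAMPLE_POLL):
        print(action)
```

The poll interval sets the exposure window for a host whose trap was lost, so it is worth measuring how long a walk of dot1dTpFdbTable takes on your largest switch before choosing it.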

Similarly, the 802.1X issues also have solutions. For example, when the Microsoft NAP client detects that end-point security has changed and the device must be re-assessed, it forces a quiet re-authentication that gives the NAP server a chance to change access controls in the background without the user having to re-enter a username and password.

Granularity of controls

The last part of NAC access control may mean everything to you, or it may mean nothing at all. It all depends on why you are doing NAC and what your access control policy is. NAC projects focused on end-point security may find that only the simplest access controls are required. If your NAC project is more focused on differentiating between users, you will probably want greater granularity of access control.

The NAC products we tested fall into every step of the spectrum, from virtually no controls, such as in Trustwave NAC, all the way up to fine-grained stateful firewall access controls, as in Juniper UAC.

For scalability reasons, most NAC vendors try to push the job of controlling access out to existing infrastructure. For example, if you have divided your network into different security areas using virtual LANs, and then used firewalls to provide access controls between the VLANs, the NAC vendors would prefer to simply move users from one VLAN to another, and make use of your existing security plan.

With edge enforcement, you are limited to whatever access controls are available in the edge device. Two NAC vendors, ConSentry and Nevis, both went out of business trying to build sophisticated access controls into edge switches, which leaves network managers with only two choices: putting users in different VLANs, or using the basically stateless access control lists (ACLs) in the switch.
