Twenty years ago you had a terminal emulator, such as a 5250 emulator, to connect to your system. Nowadays you have so many devices that can be connected, ranging from laptops, tablets and cellphones to printers and any endpoint that has an IP address. How do you control so many devices that try to access the network from all types of networks and places?
Well, you have a solution called Network Access Control, or NAC for short, which shuts down the switch port in case of unauthorised access. This is done on layer 2 of the network.
There are many implementations of network access control. Here I describe the Cisco implementation, ISE (Identity Services Engine). This implementation gives you a broad range of functions to protect the organisation against non-compliant devices connecting to either wired or wireless networks.
Cisco ISE contains several policies, such as authentication, authorization, posture and profiling policies, and executes context-aware assessments.
- The authentication policy supports MS-CHAP, EAP-TLS, PEAP, MAC Authentication Bypass (MAB) and even old protocols such as TLS 1.0.
- The authorisation policy can direct a device to a special VLAN if the device is not compliant and must be sanitised or remediated.
- The posture policy is able to investigate any software on the device (or assess files, registry settings or system settings), such as the OS, antivirus or host-IDS software, for deep host inspection. It even monitors licensing.
- The context-aware functionality assesses attributes like type of user, logon time, day of the week/month of the logon, location and so on. Together these form a contextual identity.
Cisco ISE integrates with various other solutions to protect the organisation from unwanted access, such as:
- LDAP (Microsoft AD): ISE is able to block devices whose user account is disabled. Cisco ISE can also deny or allow access to user groups based on Role Based Access Control.
- PKI server for deploying CA-issued or self-signed certificates to devices for web access.
- VPN server for encrypted end-to-end connections between endpoint and servers.
- RADIUS server (AAA) for authentication, although Cisco ISE can be a RADIUS server itself.
- Various portals for dealing with guest users, either sponsored devices or not. These can be self-service portals, sponsor portals or MDM portals.
- Email server for sending alerts in case of denied devices.
One of the pretty nice features is sanitation or remediation. When a device connects to the network, the Cisco ISE posture policy can assess many things, like the level of your OS or antivirus, or whether a system setting regarding updates is set to true. If the assessment fails, the device is denied access and routed to a special VLAN for sanitation. This means that the device could get a completely new image or software updates, depending on the nature of the non-compliance. Once the sanitation is done, the posture policy assesses the degree of compliance again, and only then is the device able to connect to the network.
Another nice functionality is reporting. Cisco ISE comes with a lot of standard reports which show, for instance, the status of the endpoint (failed or granted). Reporting can be done on the Admin portal.
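The assessment and remediation flow described above, modelled as an added Python example (this is not Cisco ISE code; the posture thresholds, VLAN numbers, attribute names and the contractor logon window are assumptions chosen for illustration):

```python
from dataclasses import dataclass

# Constructed endpoint record: the attributes a posture agent would report to the NAC.
@dataclass
class Endpoint:
    os_version: tuple            # e.g. (10, 0, 19045)
    av_signature_age_days: int
    auto_update_enabled: bool    # the "updates" system setting the post mentions
# Assumed policy values (illustrative thresholds, not ISE defaults).
MIN_OS_VERSION = (10, 0, 19041)
MAX_AV_AGE_DAYS = 7
REMEDIATION_VLAN = 999
PRODUCTION_VLAN = 10
def posture_check(ep):
    """Return the failed posture conditions; an empty list means compliant."""
    failures = []
    if ep.os_version < MIN_OS_VERSION:
        failures.append("os_outdated")
    if ep.av_signature_age_days > MAX_AV_AGE_DAYS:
        failures.append("av_signatures_stale")
    if not ep.auto_update_enabled:
        failures.append("auto_update_disabled")
    return failures
def context_check(user_group, weekday, hour):
    """Context-aware condition: contractors only on weekdays (0=Mon) between 08:00 and 18:00."""
    return user_group != "contractor" or (weekday < 5 and 8 <= hour < 18)
def authorize(ep, user_group, weekday, hour):
    """Map the assessments to an authorization result (VLAN assignment)."""
    if not context_check(user_group, weekday, hour):
        return {"access": "deny", "vlan": None, "reason": "outside allowed logon window"}
    failures = posture_check(ep)
    if failures:
        return {"access": "quarantine", "vlan": REMEDIATION_VLAN, "reason": ",".join(failures)}
    return {"access": "permit", "vlan": PRODUCTION_VLAN, "reason": "compliant"}
def remediate(ep):
    """Simulate the remediation VLAN: patch the OS, refresh AV signatures, fix the setting."""
    ep.os_version = max(ep.os_version, MIN_OS_VERSION)
    ep.av_signature_age_days = 0
    ep.auto_update_enabled = True
    return ep
def admit(ep, user_group, weekday, hour):
    """Full flow: assess, remediate if quarantined, then reassess before admission."""
    decision = authorize(ep, user_group, weekday, hour)
    if decision["access"] == "quarantine":
        remediate(ep)
        decision = authorize(ep, user_group, weekday, hour)
    return decision
```

A real deployment gets the endpoint attributes from the posture agent and pushes the VLAN decision to the switch via RADIUS; this model only shows the decision logic.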
The list of features is long, but here is a short high-level set of features, with thanks to Wikipedia:
- Mitigation of non-zero-day attacks: the main benefit of NAC solutions is to prevent end-stations that lack antivirus, patches, or host intrusion prevention software from accessing the network and placing other computers at risk of cross-contamination by computer worms.
- Authorization, authentication and accounting of network connections.
- Encryption of traffic to the wireless and wired network using protocols for 802.1X such as EAP-TLS, EAP-PEAP or EAP-MSCHAP.
- Role-based controls of user, device, application or security posture post-authentication.
- Automation with other tools to define the network role based on other information such as known vulnerabilities, jailbreak status etc.
- Policy enforcement: NAC solutions allow network operators to define policies, such as the types of computers or roles of users allowed to access areas of the network, and enforce them in switches, routers and network middleboxes.
- Identity and access management: where conventional IP networks enforce access policies in terms of IP addresses, NAC environments attempt to do so based on authenticated user identities, at least for user end-stations such as laptops and desktop computers.
Herman Rensink, Cloud and Security Architect.