How to determine which NAC solutions fits best to your needs

Network Access Control (NAC) is a powerful control used to regulate access to corporate network resources. Some of the goals of a NAC implementation are:

Mitigation of zero-day attacks: Devices without antivirus, Host IPS, patches, security baseline or specific software installed considered malicious or against security policies should not gain connection to the corporate network.
Policy enforcement: As NAC use 802.1X technology, it can be used to enforce a specific VLAN for the user and then the network firewall can further enforce access controls inside the corporate network.
Identity and access management: When used with strong authentication, it can enforce that only allowed computers and allowed users from specific computers can enter the corporate network and its resources.

I decided to implement this control inside my corporate network as it solves many of the risks that are affecting or can affect my company. I will tell you in this diary my experience with the implementation and how to determine which NAC solution fits best to your needs. To start, I designed the following test plan to ensure the NAC solution fits into my information security model:

Managed		Authentication		802.1X		MAC	Health		Result
Yes	no	User	Host	Yes	no		OK	Bad	VLAN	Network Access Zone (NAZ)
								x		Quarantine
x		x		x			x		Assigned VLAN to user
	x	x		x			x		Guest VLAN
	x		x	x			x		Guest VLAN
x			x		x	x	x			Pre - Admission VLAN
	x		x		x	x	x		VLAN redirection according to the registration. If MAC is not registered, access is denied.
	x	x		x				x		Quarantine

Let's talk about some definitions about the last table:

Managed: Means if the device is managed by the corporation. Examples are Windows Domain or devices managed by a mobile device management software.
Authentication: NAC authentication can be performed both for user and computer using 802.1X. If 802.1X is not available, MAC addresss is used.
Health: Set of predefined policies to enforce by checking the compliance of the device being authenticated to the network. Health is OK when the device is compliant with the defined policies and it's bad when one or more policies are not met.

NAC solution handles two portals:

Guest portal: Used to authenticate devices that are not managed but authorized to enter the network and external users owning or using those devices.
Remediation portal: When the device does not met the required policies, it's redirected to the remediation portal as a measure to achieve the non-compliant configurations or parameters inside the device.

Both of the portals implicates that any device authenticating to the network by them is always done manually and no servers or critical devices must authenticate this way.

My experience with NAC implementation goes with the purchase made by My company using Mcafee N-550 boxes. So far, we have had the following problems:

IP Phones must authenticate using 802.1X and voice VLAN must be set and different from the data VLAN. Link Layer Discovery Protocol (LLDP) must be enabled.Check http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_1_se/configuration/guide/swvoip.html for more information con such configuration in Catalyst 3750 switches and http://www.h3c.com/portal/Technical_Support___Documents/Technical_Documents/WLAN/Access_Controller/H3C_WX3000_Series_Unified_Switches/Configuration/Operation_Manual/H3C_WX3000_CG-6W103/201007/685276_1285_0.htm for H3C devices. Also, please keep in mind that the phone must support the configuration of voice VLAN and data VLAN for the computer device attached to it. Check your IP Phone documentation.
Guest portal does not work in Internet Explorer 8 and 9. It was solved by a patch released by de Mcafee NAC Developer Team.
Out-of-Band redundant configuration duplicates registers of authenticated devices when the redundant nodes activates. First answer we got from Mcafee was that the description of the redundant operation is expected and the only workaround was to place filters under the Threat Analyzer Console. I must admit I was suprised by that answer, because I cannot understand how Mcafee is officialy recommending a manual display filter to the logs loosing the real-time report capabilities to the security event correlator and therefore degrading my incident-response capabilities. I rejected that answer and as of today I am still waiting for a solution.
Authenticated devices with initial bad health state that get fixed won't get new ip address of the VLAN assigned to user because the Radius Change of Authorization (COA) somehow is not correctly working with the NAC solution. Still waiting for an official response for this issue.

So, how can you determine which NAC solution fits best to your needs?

Smooth network integration is SO important. Ensure that your test plan works within your network, that 802.1X operation works smoothly between your radius, switch, device and user. Don't forget to test RADIUS COA and ensure that VoIP devices support 802.1X and specifically voice and data dynamic VLAN configuration. Make sure to have support from your vendor because usually NAC troubleshooting is really low-level and the technical abilities of the support people must be really advanced.
Define your Network Security Policy and test if your NAC tool is able to validate each setting you need for your devices. If you have strange devices that cannot fit into a Windows Domain, ensure 100% that they support at least 802.1X. Otherwise, you will be in trouble by allowing exceptions that might be the start point of your future information security incidents. MAC authentication should not be an option as it can easily be faked.
Make sure the entire NAC process flows and no issues arises like no DHCP negotiation after changing health state from bad to OK.

What is the NAC solution you have found most valuable? Have you had smooth NAC implementations? Let us know!

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

Manuel Humberto Santander Pelaacuteez

185 Posts
ISC Handler

We use Forescout CounterACT. After evaluating all the biggest names in the industry we went with them. One of our challenges was finding a NAC solution that was out of band and agent less. Expensive but makes NAC pretty simple compared to what our experiences have been over the years.

Anonymous

ForeScout was acquired by McAfee in order to have the best technology for the NAC, which has to integrate with McAfee ForeScout.
http://www.forescout.com/press-release/forescout-mcafee-partnership-delivers-best-in-class-nac-solution-for-continuous-monitoring-and-mitigation/
https://kc.mcafee.com/corporate/index?page=content&id=KB76610

Anonymous

Why not just use a VPN client and every port is guest? Most current VPN clients support health checks before the host can drop onto network. Further, they push onto the correct VLAN's as needed, per user and device rules. Couple this with a persistant VPN (like PAN Global Protect) and users only need to login to their host and not VPN as well.

Anonymous