Burning NAC questions

Take a look at important questions surrounding Cisco, NAC implementation and NAC policies.

What is the best method of enforcing NAC policies?

Nothing's perfect, NAC enforcement included.

There are a variety of methods to choose from, with the choice dependent on how much effort, cost and disruption are acceptable and whether the method is deemed secure enough.

NAC policies can be enforced at the edge of networks by access switches, firewalls and VPN gateways and inside the network also by using firewalls as well as in-line appliances between access and distribution switches. They can also be enforced by manipulating DHCP IP address assignments and by resetting a device's ARP tables to block network access.

A critique of enforcement methods presented at a Black Hat conference by the CTO of Innsightix helped put the security of these methods in perspective.

For instance, in the case of DHCP, proxying DHCP servers to enforce security policy cannot address devices that somehow obtain static IP addresses and therefore don't need to deal with the DHCP server. That can makes significant portions of some networks free of NAC enforcement, Arkin said.

In another example, enforcing NAC policies via switches relying on 802.1X can provide tight policy controls but only for devices that support 802.1x via client software. Devices that don't - such as printers an phones - could be spoofed, circumventing NAC altogether and giving access to an unauthorized machine that can then do damage.

The critique was meant as a heads-up to potential NAC users so they are aware of possible vulnerabilities and can take steps to fill whatever gaps exist, he says. "As long as users understand these solutions are not perfect and take other measures, then I've done my job right," Arkin says.

Users should balance the security of the enforcement method of NAC products with the amount of money and time they will take to implement. For instance, if the best method for a customer is 802.1X authentication, that requires an 802.1X client on every device that will be screened. Users have to ask whether distributing the clients and upgrading the switches that will enforce the policies are worth it.

Read Part 1, 'Who Needs NAC Anyway?'

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tim Greene

Network World

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?