Network Access Control For Dummies docx


Posted: 07/03/2014, 04:20

Introduction

Welcome to Network Access Control For Dummies. It's a scary networking world out there, and this book provides you with a working reference for understanding and deploying what type of network access control (NAC) is best suited for your network and you.

Because you're holding this book, you already know that security issues exist out there — and you've probably, maybe frantically, attempted to protect the network you're responsible for from the scenarios that get printed on the front page.

See whether you can identify with any of the following scenarios:

• Authentication nightmare: You just put in a system to authenticate users who log on to your network, and everyone is hissing at you like snakes. They hate it. They hate you. They claim productivity is down, and the VPs are writing vicious e-mails to your boss.
• VPN for more than VPs: Everybody wants to work from home once or twice a week, and you have more and more remote employees working from their home offices around the world. Guess what? You're having a really hard time figuring out who's who and what they should have access to. Complaints about missing files and mission-critical info that's available to all have replaced your bagel with your morning coffee.
• Portable hi-jinks: You have absolutely no control over what devices people use to log on to your network, and after they log on, you have no control over what storage devices they can use as peripherals, or what they can take away. HR is investigating people who have left the company with complete DVDs full of trade secrets.
• Breaches: You've had breaches, but you can't tell how the attackers accessed the network. Malware may be the culprit, but how do you accuse a trusted user who has a company-issued device? And, at lunch, you hear other people talk about what they downloaded for their kids to play with on their laptops.
• Productivity slippage: Your management says that 50 percent of employees are spending 15 percent of their time doing personal shopping on the Internet, surfing, or even playing online games. Oddly enough, you're to blame, not them.
• Quarantine quagmire: You created a great way to monitor network devices and put those that don't comply into quarantine. You just don't have a great way to get them out. Some devices seemingly sit for weeks because their owners don't know how to update and you don't have the time to tweak every laptop in the world.
• Wireless is less: The employees love the open nature of WLAN access, and wireless access makes meetings more productive. But without the proper credentials, security, and controls in place, you're just a nose hair away from being snooped or having data stolen, even after a trusted user connects to the WLAN.

This book helps you with all these scenarios and a whole lot more. We purposely made this book a fast and easy way to understand, deploy, and use NAC, and we provide benchmarks for you to judge the merits and capabilities of the many NAC solutions that you can find for sale.

Here's the biggest tip in this book — plan! You can't plan enough when deploying a NAC solution for your network and organization. Take it from our combined 30 years of security work and access control. For every hour you spend planning and testing your NAC implementation, you can save days or weeks trying to fix what you hurriedly deployed. Plan it, then plant it.

About This Book

We fly around the world and say the same things about NAC that we say in this book. If you read it, we help you to

• Understand what NAC is and what it can do for you.
• Realize the breadth and scope of NAC, as well as how to plan and adapt all these facts into a custom solution.
• Home in on what makes the best NAC sense for your organization and how to extend it to fit every nook and cranny in your network(s).
• Leverage, repurpose, or reuse your organization's existing network infrastructure to deliver NAC.
• Save time, money, and labor in selecting and deploying a NAC solution fit for you.

Something You Should Know About This Book

All three authors are employees of Juniper Networks, which actively markets and sells its own NAC solutions (under the UAC acronym, for Unified Access Control). We try to keep the information in this book as straightforward and unbiased as mere people can, but we admit that sometimes we might go into detail about an issue or feature that we know intimately which some vendors of NAC solutions don't have or implement differently. We're not apologizing. Not one iota. It's just something you might want to know.

What You're Not to Read

We place text you don't need to read in self-contained sidebars or clearly mark them with a Technical Stuff icon. You can skip these items if you're in a hurry or don't want to lose your train of thought. You may decide to browse through the book some day during lunch and read up on all the technical details. They're good preparation for a cocktail party with networking engineers.

Foolish Assumptions

When we wrote this book, we made a few assumptions about you:

• We assume that you're a network professional, although you don't have to be one. Because our objective is to get you up and running, and you might be reading this book in order to understand what your engineers are telling you, we include only a few basics about how it actually implements NAC and try not to discuss the operations in detail.
• You may design or operate networks.
• You may be an IT manager, or a manager who supervises IT managers, or a manager who supervises managers who supervise IT managers.
• You may procure networks or otherwise work with people who plan and manage networks.
• You may be a student of NAC or even just entering the networking profession.

How This Book Is Organized

This book is divided into four parts.

Part I: Unlocking the Mysteries of NAC
Imagine Sherlock Holmes examining your network with a magnifying glass. That's NAC. Read this part, and you qualify to be Dr. Watson.

Part II: NAC in Your Network
This part gets personal and brings in all the variations that can enable a NAC solution to fit your network needs. A NAC solution can really do a lot for you, after you realize the scope of its capabilities.

Part III: NAC in the Real World
This part reveals what you really need to know about NAC architectures, standards, and extensions. It's like the form you have to fill out for eHarmony before you get to the dating process. Read carefully, or you may waste your time with several dates from hell.

Part IV: The Part of Tens
This part offers quick references to the top-ten most helpful stuff on the planet about NAC. You can find help on topics ranging from key definitions, to planning your implementation, to where to go for more info.

Icons Used in the Book

We use icons throughout this book to key you into timesaving tips, information you really need to know, and the occasional interesting backgrounder. Look for them throughout these pages.

• This icon highlights helpful hints that save you time and make your life easier.
• Be careful when you see this icon. It marks information that can keep you out of trouble.
• Whenever you see this icon, you know that it highlights key information that you'll use often.
• If you're in a hurry or aren't interested in the details, you can skip the text marked by this icon.

Where to Go from Here

It's a big, bad networking world out there, and 99 percent of the people who use your network don't really understand the security concerns. If you do your job right, they don't have to worry about these concerns. That's the point of this book. Browse through the Table of Contents to find a starting point that sounds like you, and then just dip in. Test the NAC waters. You can skip around like a stone on water, or start with Page 1 and read to the end.

Just remember that you can control who's on your network and what they have access to. This book is about how to do that.

Chapter 1. Developing a Knack for NAC

In This Chapter
• Approaching network access control (NAC)
• Selecting the best approach
• Using your existing network infrastructure

Because you're looking at this book, you've probably heard or read all the hoopla about network access control (NAC). You've likely heard or read reports that NAC is the best thing since sliced bread, the be-all-and-end-all solution for network security or access control, and the best solution for network and device security since antivirus software and two-factor authentication.

Have you also heard that NAC isn't all it's cracked up to be? That it's costly, it takes a lot of time and labor to deploy, working with it can be trying, users don't like it, and it doesn't alleviate every network security and access control issue? Or perhaps that NAC doesn't provide you with a good return on your network security and access control investment?

You probably have at least one peer who told you that NAC isn't the only solution for all that ails networks and network security.
And maybe you read or heard about the demise of the NAC market or product category — reports which have been greatly exaggerated.

Boy howdy, is this book for you!

In this chapter (and the whole book), you can discover

• What network access control (NAC) is — at least, according to many smart people and organizations
• The breadth of NAC
• How to home in on what makes the best NAC approach for your organization
• How some NAC solutions can enable you to leverage, repurpose, or reuse your organization's existing network infrastructure to deliver network access control, saving your organization time, costs, and labor — not to mention stress, sleepless nights, and gray hair!

1.1. NAC's Evolving Description

So, what's this network access control thing that you've been hearing and reading about?

First, NAC isn't the cure-all for whatever security or access control issues and challenges confront an organization and their network. But the right NAC solution, deployed appropriately, can deliver significant protection for

• Your network, its applications, and sensitive data
• Your users and their endpoint devices

The right NAC solution for your organization can protect against many (if not most) dangerous malware, nefarious hackers, and any malcontent users that the fast-paced, always connected, always on(line) networked world can throw at you.

So, NAC controls access to a network. Unfortunately, that simple definition and description is only partially right.

Many pundits, experts, and vendors find defining, or (more correctly) describing, NAC very difficult and elusive. You can find almost as many different descriptions of and meanings for NAC as organizations that have or want to deploy NAC, or vendors who produce or produced a NAC solution. But a definition that exactly fits your network needs is out there — you just need to figure out which definition works for you.

To really understand how NAC works, consider this common — albeit painful, for some — metaphor to describe network access control: the airport!

The steps involved in operating network access control are, in many ways, similar to what happens when you go to an airport to board a plane for a trip:

1. You first stop at the ticket counter or self-service kiosk, where you need your confirmation number or a government-approved ID (such as your driver's license or your passport) so that the airline can authenticate your identity and confirm your reservation. You need to confirm who you are and that you're authorized to travel to your destination. A NAC solution does the same basic verification: It authenticates the user or device, and then checks the user's or device's authorization level to see whether that user or device has authorization to access the network. If your ID is valid, you have a confirmed reservation, and your name matches the name on the reservation, you receive a boarding pass, which means that you're authorized to travel on that flight. Similarly, NAC solutions match the user or device ID — such as a login user name and password, two-factor authentication (which might include a token), or a smart card — to the authentication database or data store on the network to authenticate the user. If the NAC solution authenticates the user or device, that user or device receives the appropriate keys and credentials to access the network. If NAC doesn't authenticate, the user or device isn't allowed onto the network.

2. After the ticket counter, you have to go through a security checkpoint, including an x-ray machine and metal detector, before you're allowed into the secure area of the terminal gates. This is comparable to a NAC solution's endpoint integrity assessment or host check. In the same way that airport security checks you and your carry-ons for forbidden and dangerous items, NAC checks your endpoint device for any dangerous malware and potential vulnerabilities that hackers and other miscreants could exploit. If you or your baggage set off the metal detector at the airport, security may conduct a further search by hand or wand, if necessary. That extra search is like NAC's host checking of an endpoint device. If a NAC solution detects something amiss in the malware protection of your device, or detects an infection, it may instruct the network to quarantine your device until it can assess and address the anomaly or cure the infection. Then, the NAC solution's host checking can reassess your device before it allows or instructs an enforcement point to allow that device network access. Also, at the airport security checkpoint, security rechecks your ID and boarding pass, which is similar to a NAC solution rechecking authentication while it assesses (and, if needed, reassesses) your device's security state and integrity.

3. After you reach the secure zone at the airport, security can recheck you and your baggage for various reasons, including random security checks, if you're behaving strangely, or if you leave your suitcase unattended. Well, NAC solutions operate in the same way. Even after network admission — which is comparable to being allowed into the secure area — NAC can still conduct random assessment checks on you and your device to determine whether you still meet the organization's requirements to be on their network; or the NAC solution can recheck and reassess you or your device if it uncovers a state change in the security of your device while you're on the network. And, just like at the airport, if everything checks out okay, you and your device can remain in the secure area — or on the network. If the check finds something suspicious, then security (or NAC) may eject you from the secure zone (or deny you access to the network), subject to re-examination.

4. If an authority figure at the airport — a police officer, security agent or guard, or airline employee — feels that you're acting strangely or inappropriately, he or she may stop you and request your ID. He or she can even eject you from the secure zone or request a recheck on you and your carry-on luggage. On a NAC-equipped network, some NAC solutions can interoperate with existing network components, such as intrusion prevention systems (IPSs), intrusion detection systems (IDSs), unified threat management (UTM)-enabled firewalls, or other network security components. And, if these devices deem that you or your device are exhibiting anomalous or bad behavior, they can signal the NAC solution. NAC can force you and your device into quarantine until you or your device stop the behavior, it addresses and solves the issue automatically (using automated remediation), or it is cured manually. NAC can also force you off the network in mid-session, not allowing you back onto the network until it clears you and your device.

5. The last step in your airport sojourn is the final check by an airline representative at the gate leading to the aircraft. The gate attendant checks your boarding pass and, in some cases, rechecks your ID to make sure that you're who you say you are (authentication), that you have a boarding pass (credentials), that your boarding pass matches the flight number and destination (authorization), and that your name on your ID matches the name on your boarding pass. This process is a lot like application access control on a network.
Some NAC solutions can deliver application access control, in which a NAC solution can recertify a user and device before that user and device can gain access to specific applications and servers, ensuring that only the properly authorized users can access certain specific, sensitive applications and data. For example, an air traveler named Adam may be authorized to take a particular flight to New York, but another flyer, Eve, has a boarding pass for a different flight number, so she can't board that particular flight to New York. A NAC solution delivers application access control in a similar way — only the correct users can access the applications and data.

1.1.1. What NAC is and what it does

Vendors, industry experts, and you may have difficulty in coming up with a common definition and description for NAC because a NAC solution has so many different components. Organizations have a tendency to focus on what problems NAC solves for them or why they want to deploy NAC. And the concept of network access control can include many different pieces of a network environment, or touch many different network entities or organizational departments.

[...]

The remainder of the chapter survives only as preview fragments; each one below begins and ends mid-sentence where the extract was cut.

... 1.1.3. Control freak

Control is a vital part of network access control. Controlling admission to a network and controlling access while a user is on the network require similar but different capabilities. For instance, controlling admission to a network may be based on authentication, while controlling application access can be based on identity, authorization, and user roles. The ability to control the access ...

... that NAC is the acronym for network access control, but you may be wondering why someone's network access needs to be controlled. Like with any business operation, technological and market drivers influence the need for network access control or limitations. Also, the number of network users, the information they use, and the type of work they do affect the frequency and level of access they need. In this ...

... enforcement points within the network environment. The enforcement points enforce the access control policies applied to users and devices, both pre- and post-admission to the network.

1.1.4. Evolving on the job

NAC needs to do more than just control network access. While threats evolve, NAC needs to adapt and evolve to protect against them. For example, NAC solutions need to address application access control ...

... connect to a network a different type of access than employees who access the same network. So, although an employee who accesses the network may have access to specific areas of and resources on that network, the guest user may receive access only to the Internet, not to any other region or resource on the network. Some experts, vendors, and others define NAC by how NAC apportions access. But, access apportionment ...

... inline NAC appliance fails, so does network access control — because it's an inline appliance, it's applied to all network traffic. So, a failed inline NAC appliance could either create a roadblock that restricts access to your network or allow access to all who attempt to sign in to the network, without applying the appropriate policy and access control checks.
• Performance: Particularly in situations ...

... transfer of information between network components. (The IEEE 802.1X industry standard for port-based network access control also operates at Layer 2. Many Ethernet switches and wireless access points deployed in networks around the world today support the 802.1X industry standard.) Many NAC solutions use Layer 2 as a key enabling technology and the standard for policy enforcement on NAC enforcement points, ...

... on a network, what applications that user may have access to, and how he or she can access protected resources based on a user's role. By identity-enabling application access, you can ensure that only the appropriate, approved users can access sensitive, critical applications and data on your network. You can accomplish application access control by defining and enforcing access policies on the network ...

... authentication, such as the Trusted Platform Module (TPM), which the Trusted Computing Group (TCG) specified and standardized. The act of authentication is a must in today's networked world. Wherever you go, whatever network you attempt to access, that network needs to authenticate you. The network needs to know who you are before it grants you any level or form of network access. So, identity plays a vital ...

... negative, such as
  o Hackers
  o Information poachers
  o Identity thieves
  o Data-nappers
Both reasons for NAC dictate greater control over networks, access to those networks, and who requires network access. Other grounds for deploying NAC might be completely business- or market-driven, such as to address
• Guest access
• Outsourcing
• Business continuity ...

... control. Application access control is the ability of an organization to define policies that enable certain network users, and not others, to access specific, protected applications on their network. In effect, you can segment your network by using NAC. You can base such access policies on user or device identity. Some NAC solutions can grant a specific user access to specific applications on a network based ...
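The five-step airport analogy above describes a decision pipeline: authenticate, run a host check, quarantine and re-assess, accept signals from an IDS/IPS mid-session, and finally gate application access by role. The toy policy engine below models that pipeline end to end. It is an added illustration, not code from the book or from any vendor's NAC product; the credential store, the posture thresholds (antivirus signatures no older than seven days, a minimum patch level) and the role-to-application table are all constructed for the example.

```python
"""Toy NAC policy engine modelling the admission flow from the airport analogy.
Constructed example: credential store, thresholds and role policy are all assumed."""
import hashlib
import hmac
from dataclasses import dataclass, field


def _digest(salt: str, password: str) -> str:
    """Salted SHA-256 of a password; stands in for a real credential store."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed credential store (step 1, the ticket counter). Not real accounts.
USERS = {
    "adam": {"salt": "s1", "pw": _digest("s1", "correct horse"), "role": "employee"},
    "eve": {"salt": "s2", "pw": _digest("s2", "battery staple"), "role": "guest"},
}

# Role -> applications that role may reach (step 5, the gate). Assumed policy.
APP_POLICY = {
    "employee": {"internet", "file-server", "hr-portal"},
    "guest": {"internet"},
}

# Host-check thresholds (step 2, the security checkpoint). Assumed values.
MAX_SIGNATURE_AGE_DAYS = 7
MIN_PATCH_LEVEL = 3


@dataclass
class Posture:
    """What the endpoint agent reports about the device."""
    av_running: bool
    signature_age_days: int
    patch_level: int


@dataclass
class Session:
    user: str
    role: str
    state: str                      # "admitted" or "quarantined"
    reasons: list = field(default_factory=list)


def authenticate(user: str, password: str):
    """Return the user's role on success, None on failure."""
    rec = USERS.get(user)
    if rec is None:
        # Compare against a dummy digest so unknown users take the same time.
        hmac.compare_digest(_digest("x", password), _digest("y", "z"))
        return None
    if hmac.compare_digest(_digest(rec["salt"], password), rec["pw"]):
        return rec["role"]
    return None


def host_check(p: Posture) -> list:
    """Return the list of policy failures; an empty list means compliant."""
    failures = []
    if not p.av_running:
        failures.append("antivirus not running")
    if p.signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("antivirus signatures stale")
    if p.patch_level < MIN_PATCH_LEVEL:
        failures.append("OS patch level below baseline")
    return failures


def admit(user: str, password: str, posture: Posture):
    """Steps 1 and 2: authenticate, then host-check. None means denied outright."""
    role = authenticate(user, password)
    if role is None:
        return None
    failures = host_check(posture)
    return Session(user, role, "quarantined" if failures else "admitted", failures)


def reassess(session: Session, posture: Posture) -> str:
    """Step 3: post-admission recheck; a fixed device leaves quarantine."""
    session.reasons = host_check(posture)
    session.state = "quarantined" if session.reasons else "admitted"
    return session.state


def security_signal(session: Session, detail: str) -> str:
    """Step 4: an IDS/IPS/UTM reports bad behaviour and the session is quarantined."""
    session.state = "quarantined"
    session.reasons = [f"security signal: {detail}"]
    return session.state


def can_access(session: Session, app: str) -> bool:
    """Step 5: application access requires an admitted session and a matching role."""
    return session.state == "admitted" and app in APP_POLICY.get(session.role, set())


if __name__ == "__main__":
    s = admit("adam", "correct horse", Posture(True, 2, 5))
    print(s.state, can_access(s, "file-server"))   # admitted True
    q = admit("eve", "battery staple", Posture(True, 30, 5))
    print(q.state, q.reasons)                       # quarantined ['antivirus signatures stale']
    print(reassess(q, Posture(True, 1, 5)), can_access(q, "hr-portal"))  # admitted False
```

Quarantine is a state of the session rather than a separate code path, which is what makes the "quarantine quagmire" from the introduction tractable: the same `host_check` that put a device in quarantine is the one that lets it out once the agent reports a fixed posture, so the remediation loop needs no hand-tuning per device.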