Getting the knack of NAC
Getting the knack of NAC
De-perimeterisation, wireless, mobility and sophisticated threats have rejuvenated the adoption of network access control (NAC) technologies.
NAC is employed to ensure that only acceptable and trusted devices can appropriately access network resources as per policy.
Even though NAC tools have evolved and more than 25 per cent of global enterprises are using it, there still exists modest trepidation towards deployment. After going through the entire process of researching, evaluating and selecting a NAC product, you're now faced with actually deploying the solution in-house.
If you're in charge of the deployment there are steps you can take to make the entire process flow easier and be less stressful for everyone involved:
Identify the project owner and success criteria: Most successful IT projects require a champion; someone to remove internal roadblocks that emerge as an organisation works through the deployment process. In order to report progress, some success criteria need to be assembled for each phase of the implementation.
Create a cross functional NAC deployment team: NAC, like any security tool, can and will affect employees, guests and other departments in an organisation; working with the project owner, select key individuals from each department to participate in a deployment team.
Develop NAC use cases: The deployment team should be leveraged to create use cases for NAC, spanning topics including: employee device and security configuration requirements, how guests and their devices will be registered and segregated, how contractor devices will be managed and how to manage the use of corporate-provisioned and personal mobile devices. The use cases should be ranked according to need/risk and could be put into main issue categories.
Agree upon key security issues to be addressed by NAC: These items should be formally documented now that use cases have been identified and prioritised. Key security issues can include endpoint compliance, guest management, wireless access, mobile security, inventory, internal and governmental compliance requirements and bring your own device (BYOD).
Develop policies to address these security concerns: Review how these security issues are currently being addressed (or not). For example, what anti-virus product is required on all of the endpoints and how current do signature files need to be? How will non-compliant endpoints be handled? Should the incidents be logged and should an internal department be notified? During this stage internal deployment obstacles will be identified, and can include: poor processes, lack of cooperation between internal departments, refinement of corporate politics and, possibly, additional network equipment or changes.
Determine the deployment timeline and milestones: Identify how the NAC solution will be rolled out internally. This includes planning installation and activation by location, ownership or segment, and allowing time to assess the success of the rollout before moving to the next location. To avoid impact on user experience, identify exceptions and security gaps, NAC should initially be deployed in an audit-only mode with enforcement and remediation actions disabled.
Inform IT staff and end-users of NAC deployment and policy: Given added technical controls to discover and classify endpoints, identify violations and enforce policy. It is imperative to notify all departments of any new or changed policies and any changes to operations. Also, interface with HR and legal to relay acceptable use policy that may be enforced using NAC. For different IT departments, relaying the potential access to NAC capabilities may also expand tool use and value. For example, help desk staff may consider using NAC to facilitate incident response and resolve IP, Mac and location of a given endpoint under investigation.
Audit the internal network with the NAC solution using the agreed upon policies to assess compliance: NAC is able to provide real-time security posture assessment of all endpoints. By providing audit data, all members of the deployment team can gain a clear view of what needs to be done to meet agreed-upon compliance levels. Once endpoint exceptions and reasonable compliance has been reached, more advanced enforcement and automated remediation options are available through the NAC solution.
Refine NAC policies, procedures and operations: NAC offers very powerful and useful features to identify all devices – managed and unmanaged, wired and wireless, PC and mobile – attempting to access network resources. Once NAC has been deployed and activated, most organisations will identify additional policy and procedures that need to be refined, including: infrastructure integration, upgrading, exceptions, remediation and reporting. These can be documented, reviewed, phased-in and adjusted on a frequent basis.
Monitor and report on the deployment results: The NAC deployment team should meet regularly to assess the success of the deployment and evaluate how the security concerns and compliance requirements are being addressed. By reviewing the success criteria, performance metrics can be more easily shared and new policies, exceptions and initiatives can be discussed and agreed upon.
Toni Buhrke is a systems engineer at ForeScout
Forescout is exhibiting at Infosecurity Europe 2013, the No. 1 industry event in Europe held on 23rd – 25th April 2013 at the prestigious venue of Earl's Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk