Network Access Control (NAC): everyone wants to do it, and the goals for most programs are noble.
It goes like this: By ensuring only authorized users and devices connect to the network, IT can help alleviate the risk of an intruder bringing a rogue device onto the corporate network, or avoid people connecting their personal devices riddled with malware to the corporate network and infecting corporate-managed devices. Sounds perfectly simple and reasonable, right?
Not quite. The BYOD trend means NAC is no longer a clear-cut issue. Because most IT departments don’t support or keep tabs on users’ personal electronic devices, they need to limit the amount of access users on their own devices have to the environment in order to protect the rest of the network. Users, in turn, argue that limiting their ability to use their own devices on their employer’s network limits the productivity gains made possible by BYOD.
Traditional NAC employs several technologies working in tandem to provide a solution. A NAC server is deployed that will house the policies, while an agent is deployed on BYOD devices for integrity profiling. If there is a setting or software on a computer, NAC can interrogate the device and report back to the server. The routers will need to be set up with at least a couple of networks: one for fully compliant devices and another for guests. The access switches will be configured to send authentication requests to the NAC server when a device connects. Based on the results of the integrity checks on the host, the NAC server will configure the switches to connect the user either to the fully compliant network or the guest network.
Most NAC deployments fail. We are used to a networking environment where you connect your device and have full access to the network. When NAC is deployed the opposite is true; when your device connects to the network it usually has little to no access by default. Once the device has been interrogated and is compliant with the NAC profile, it may be granted more access.
For example, a NAC policy will often be configured to require specific anti-virus software running and up-to-date on the device, and if someone brings his or her personal computer to work it will be deemed non-compliant by NAC. The moment someone with enough clout can’t get on the network because of this, a flood of the exceptions to the NAC policy start to roll in to IT. The project soon fails.
NAC is yet another “firewall helper” – something to be added on next to a traditional firewall, similar to how standalone URL filtering or Intrusion Prevention Systems are. It is a complicated and expensive proposition to keep adding devices to the network when NAC policies are so easily discarded.
GlobalProtect from Palo Alto Networks offers a simpler approach that can more easily attain the same results leveraging existing infrastructure. GlobalProtect is the remote access VPN client with both SSL and IPSEC connectivity options. GlobalProtect can also be used to perform Host Integrity Posture (HIP) checks.
- You can ensure groups of users are properly defined in your directory server. The more levels of access you want to define, the more groups will need to exist on the directory server. The security appliance obtains the user and group information from the directory server for use in access control policy so it’s important to get this where you want it. This step is true for all NAC deployments.
- You can decide on what “compliant” means. For example,
- Fully compliant may mean the user is authenticated to the directory server, the device is connected to the directory server, the device has a certificate, and the device has your standard endpoint protection software running.
- Partially compliant may mean the user is authenticated to the directory server and has the GlobalProtect software running. These will likely be users on their personal devices who installed GlobalProtect by visiting the VPN portal.
- Non-compliant users will be users who are not authenticated and do not have the GlobalProtect software installed.
- You can decide on the levels of access users will get depending on their endpoint posture. Much of this may already be accomplished if you are using User-ID in your Palo Alto Networks security policies. You may have three security policies, as in this basic example;
- Access for authenticated and compliant users may include typical web browsing and full intranet access with email, file shares, CRM, and development systems.
- Access for authenticated non-compliant users may include web-browsing and DNS to the Internet and email access internally.
- Access for unauthenticated non-compliant users may include web-browsing and DNS to the Internet only.
When devices connect from outside the physical walls of the organization, or from inside one of the offices, the network will adapt to the user and device based on what it observes (or doesn’t observe).
This is a clear departure from deploying another NAC server firewall helper that needs to communicate and make dynamic changes to the switching infrastructure to be effective. In this use case we are using a centralized security platform with a single policy engine to identify users and devices and provide appropriate levels of access depending on who they are and what device they are on.
To learn more about how GlobalProtect can help you enable a NAC policy that gives users the freedom to use their own devices, yet still protects your network, please visit our GlobalProtect technology page.
[Palo Alto Networks Blog]