21 August 2009

Secure Network Access

NAC stands for Network Access Control.
802.1X is the IEEE standard for port-based network access control.

NAC provides endpoint security. The endpoint device can be a laptop connected to a corporate network or a VPN client.
Depending on the security policy, NAC performs user authentication, periodic health checks and policy enforcement.

-> User authentication can be by portal login, 802.1X, etc.
-> The health check is done by a custom-made Java applet that runs on the client and collects useful device information. Microsoft's built-in NAP client does the same job.
-> Policy enforcement, the most important part of a NAC, is done by SSCP, SSCPLite (Nortel proprietary), 802.1X, etc.

=> NAC builds a database from the information forwarded by the NAC client. The policy decision is made from the corporate policy and the database contents. The NAC server is also known as the Policy Decision Point.

=> The policy enforcement point can be a switch, router, VPN gateway or firewall. The most commonly used access control techniques are VLAN segregation and packet-filtering ACLs.
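
A small worked model of the decision point described above, written as an added example for this post (not code from any NAC vendor): the client's health report and authentication state go into an endpoint database, the Policy Decision Point applies a constructed corporate policy, and the result is a VLAN number that a switch acting as Policy Enforcement Point could apply. The policy values, device names and VLAN numbers are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed corporate policy (hypothetical values, not taken from the post).
POLICY = {
    "min_patch_level": 3,       # lowest acceptable patch level reported by the client
    "required_av": True,        # antivirus must be running
    "required_firewall": True,  # host firewall must be enabled
    "production_vlan": 100,     # compliant, authenticated endpoints
    "remediation_vlan": 900,    # authenticated but failing a health check
    "guest_vlan": 999,          # no authenticated user
}

@dataclass
class HealthReport:
    """What the NAC client (Java applet or NAP client) reports for one endpoint."""
    device_id: str
    user: Optional[str]        # None when no user authentication has succeeded
    patch_level: int
    av_running: bool
    firewall_on: bool

@dataclass
class Decision:
    """What the Policy Decision Point hands to the Policy Enforcement Point."""
    vlan: int
    reasons: List[str] = field(default_factory=list)

def decide(report: HealthReport, policy: dict = POLICY) -> Decision:
    """Policy Decision Point: combine authentication and health data into a VLAN."""
    if report.user is None:
        return Decision(policy["guest_vlan"], ["user not authenticated"])
    failures = []
    if report.patch_level < policy["min_patch_level"]:
        failures.append(f"patch level {report.patch_level} below {policy['min_patch_level']}")
    if policy["required_av"] and not report.av_running:
        failures.append("antivirus not running")
    if policy["required_firewall"] and not report.firewall_on:
        failures.append("host firewall disabled")
    if failures:
        return Decision(policy["remediation_vlan"], failures)
    return Decision(policy["production_vlan"], ["compliant"])

class EndpointDatabase:
    """The NAC server's database of per-device state, refreshed on each periodic health check."""
    def __init__(self) -> None:
        self.records: Dict[str, Decision] = {}

    def process(self, report: HealthReport) -> Decision:
        decision = decide(report)
        self.records[report.device_id] = decision   # latest decision wins; a fixed endpoint moves back to production
        return decision
```

Calling `EndpointDatabase().process()` twice for the same device, first with a failing report and then with a compliant one, shows the periodic re-check moving the endpoint from the remediation VLAN to the production VLAN.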

Future of NAC:
Some NAC policy servers are:
1. Cisco's Access Control Server (ACS)
2. Juniper's Unified Access Controller (UAC)
3. Microsoft's Network Policy Server (NPS)
4. Nortel's Secure Network Access (NSNA)
5. Trusted Computing Group's Trusted Network Connect (TNC)

IF-MAP is a standard client/server, XML-based SOAP protocol for accessing a Metadata Access Point. The IF-MAP server has a database for storing information about network security events and objects (users, devices, etc.). The IF-MAP protocol defines a powerful publish/subscribe/search mechanism and an extensible set of identifiers and data types.

=> Integrity measurements are carried between the TNC Client and TNC Server over a protocol called IF-TNCCS (Trusted Network Connect Client-Server).
=> For communication between the NAP Client and NAP Server, Microsoft used a protocol called System of Health (SoH), later donated to the TCG as IF-TNCCS-SOH.

=> The consolidated IF-TNCCS enables client-server interoperability between NAP and TNC.
=> The industry has agreed on the TNC standard for NAC, except Cisco.
