PACE-IT: Network Access Control
Download as PPTX, PDF0 likes783 views
The document outlines network access control (NAC) concepts, focusing on the use of 802.1x for authenticating client devices to secure networks. It describes the posture assessment process, which evaluates devices before granting access, and details the roles of persistent and non-persistent agents during this evaluation. Additionally, it emphasizes the importance of NAC in complementing traditional edge access control methods provided by firewalls, particularly as network complexity increases.
PACE-IT: Network Access Control
- 2. Page 2 Instructor, PACE-IT Program – Edmonds Community College Areas of expertise Industry Certifications PC Hardware Network Administration IT Project Management Network Design User Training IT Troubleshooting Qualifications Summary Education M.B.A., IT Management, Western Governor’s University B.S., IT Security, Western Governor’s University Entrepreneur, executive leader, and proven manger with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required— with a focus on technology.
- 3. Page 3 PACE-IT. – Edge vs. access control. – Access control concepts.
- 4. Page 4 Network access control.
- 5. Page 5 When access to network resources is granted or denied by a firewall, it is considered to be at the edge of the network. While this may work well in smaller and simpler networks, it can become very complicated and cumbersome as the network grows. Through implementing other access control measures, these complications can be reduced, while at the same time, the security of the network may be increased. This is called network access control. These access control measures do not replace the need for firewalls. They do, however, allow the firewalls to concentrate on controlling the network traffic into and out of the network—which is what they do best—and not be concerned about who or what type of devices can connect. Network access control.
- 6. Page 6 Network access control.
- 7. Page 7 Network access control. – Authentication via 802.1x. » A popular method of authenticating client devices and users on 802.3 (Ethernet) and 802.11 (wireless) networks. • When a client device—called the supplicant—attempts to join a network, an authenticator—usually a switch or wireless access point (WAP)—requests the client’s credentials. • The authenticator forwards the client’s credentials to an authentication server—typically running software such as RADIUS (Remote Authentication Dial In User Service). • The authentication server evaluates the credentials and either informs the authenticator to allow or deny the supplicant device access to the protected network. • If the credentials are validated, the authenticator grants the supplicant access to the protected network.
- 8. Page 8 Network access control. – Posture assessment. » The process of evaluating more than just the client’s credentials. • Commonly used to evaluate the type of device (e.g., a tablet or PC). • Commonly used to evaluate the type of anti-malware software on the device and how updated that software is (also a check is performed at this time to determine if malware is present on the device). • Commonly used to evaluate the operating system (OS) and how updated the OS is; it will also evaluate the registry settings of the OS at this time. » If the client passes the assessment, it is allowed onto the protected network. » If the client does not pass the assessment, usually one of two actions are taken: • The client is notified of the rejection and what has to occur before it can pass the posture assessment. • The client is passed on to a remediation server, which will attempt to resolve the cause of the failed posture assessment, with no user interaction required.
- 9. Page 9 Network access control. – Posture assessment process. » One of two types of agents (software code) is used on client devices during the assessment process. • A persistent agent is permanently loaded on the device and starts when the OS loads. This type of agent can provide more functionality than the other version (e.g., system alerts and auto remediation). • With a non-persistent agent, when the client device attempts to access the network, the agent is loaded onto the device to help in the assessment process. Once the assessment process is completed—pass or fail—the agent is removed from the device. • When the device attempts to connect to the protected network, it is placed on a guest network with very limited access—until the assessment process is completed. • In some cases (e.g., the client fails the antimalware check), the client device may be placed in a quarantine network with access to a remediation server—until the client device can successfully pass the posture assessment.
- 10. Page 10 Network access control. When a firewall is used to control access to a network, it is considered edge access control. While this works with simpler networks, it can become complicated and cumbersome as a network grows. One solution is to implement different network access control measures. This can be used to increase the security of the network and let the firewall concentrate on doing what it does best. Topic Edge vs. access control. Summary Access control can be implemented through 802.1x, in which a device—the supplicant—requests access to a network via an authenticator. The authenticator relies upon the services of an authentication server to receive permission to allow the supplicant access to the network. Posture assessment uses either persistent or non-persistent agents to help evaluate client devices for common criteria. During the assessment process, the client device is placed in a limited capability guest network. In some cases, when a client device fails the posture assessment, it may be placed in a quarantine network until a remediation server can resolve the issue causing the failed assessment. Access control concepts.
- 12. This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53. PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.