NAC (Network Access Control)

NAC is used by a multitude of users and devices:
Devices: desktops, workstations, laptops, tablets, printers, IP phones, switches, access points
Employees: laptops, tablets, smartphones

User + Device + Situation = Access
Concepts: Pre-admission & Post-admission

Two prevailing design philosophies in NAC:
Pre-admission: hosts are inspected prior to being allowed on the network.
Post-admission: NAC makes enforcement decisions based on user actions, after those users have already been provided with access to the network.
Agent versus Agentless

A key difference among NAC products is whether they require "agent software" on the end-system to report its characteristics, or whether they rely on "scanning and network inventory techniques" from the network side.
Note: Microsoft provided the NAP (Network Access Protection) agent as part of Windows. NAP was deprecated in Windows Server 2012 R2 and removed in Windows Server 2016, so current deployments rely on other agents.
Out-of-band versus Inline

Out-of-band systems: agents are distributed on end-stations (hosts) and report information to a central console; the console is not in the traffic path.
Inline systems: can be single-box solutions that sit in the traffic path and act as an internal firewall; easy to deploy on a new network.
Remediation, quarantine and captive portals

Quarantine: a quarantine network is a restricted IP network that gives the user routed access only to certain applications or hosts. When a NAC product determines that an end-user's host is out of date, its switch port is assigned to a VLAN that is routed only to patch and update servers.
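The quarantine decision above, written out as a small pre-admission policy engine. This is an added example, not code from the original slides or from any NAC product: it evaluates a host report (what an agent or an inventory scan would supply) against User + Device + Situation and returns the VLAN the switch port should be assigned. The VLAN numbers, the 30-day patch-age threshold, the guest/remote rules and the sample hosts are constructed assumptions.

```python
# Added example (not from the original slides): a pre-admission NAC decision
# modelled as User + Device + Situation = Access. Compliant hosts get the
# production VLAN; out-of-date hosts get a quarantine VLAN that is routed only
# to patch and update servers. VLAN numbers, the patch-age threshold and the
# sample host reports are constructed assumptions.
from dataclasses import dataclass
from datetime import date

PRODUCTION_VLAN = 100     # assumption: normal corporate VLAN
QUARANTINE_VLAN = 999     # assumption: VLAN routed only to patch/update servers
MAX_PATCH_AGE_DAYS = 30   # assumption: policy threshold for "out-of-date"


@dataclass
class HostReport:
    """Facts an agent (or an agentless inventory scan) reports about a host."""
    hostname: str
    user_role: str         # user: "employee" or "guest"
    device_type: str       # device: "laptop", "printer", ...
    last_patched: date
    antivirus_running: bool
    location: str          # situation: "onsite" or "remote"


def posture_findings(report: HostReport, today: date) -> list[str]:
    """Return the reasons the host fails inspection (empty list = compliant)."""
    findings = []
    patch_age = (today - report.last_patched).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"patches are {patch_age} days old (limit {MAX_PATCH_AGE_DAYS})")
    if not report.antivirus_running:
        findings.append("antivirus not running")
    return findings


def admission_decision(report: HostReport, today: date) -> tuple[int, list[str]]:
    """Pre-admission check: decide which VLAN the host's switch port gets."""
    findings = posture_findings(report, today)
    # Situation factor (assumed policy): guests and remote users are never put
    # straight onto the production VLAN, whatever their posture.
    if report.user_role != "employee":
        findings.append("non-employee user")
    if report.location != "onsite":
        findings.append("remote location")
    if findings:
        return QUARANTINE_VLAN, findings
    return PRODUCTION_VLAN, []


if __name__ == "__main__":
    today = date(2024, 6, 1)   # constructed date for the demo
    hosts = [  # constructed sample reports
        HostReport("lt-alice", "employee", "laptop", date(2024, 5, 20), True, "onsite"),
        HostReport("lt-bob", "employee", "laptop", date(2024, 3, 1), False, "onsite"),
        HostReport("guest-01", "guest", "tablet", date(2024, 5, 30), True, "onsite"),
    ]
    for h in hosts:
        vlan, why = admission_decision(h, today)
        print(f"{h.hostname}: VLAN {vlan}" + (f" ({'; '.join(why)})" if why else ""))
```

The findings list is returned alongside the VLAN so the same data can drive the remediation page shown to the user and the NAC console's audit log; a real product would push the VLAN to the switch (for example via RADIUS attributes), which is outside this example.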
Captive portals: the NAC intercepts HTTP access to web pages and redirects the user to a web application that provides instructions and tools for updating their computer. Until the computer passes automated inspection, no network usage besides the captive portal is allowed. This is similar to the way paid wireless access works at public access points.
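The portal-side half of that mechanism as an added example (not code from the original slides or from any NAC vendor): a WSGI application that answers every plain-HTTP request from a host that has not yet passed inspection with a redirect to the remediation page, serves the remediation page itself, and lets traffic through once the NAC console has marked the client address compliant. The portal path, the in-memory compliance set and the sample requests are constructed assumptions; diverting the host's HTTP traffic to this application in the first place is done by the quarantine VLAN or inline device, not by this code.

```python
# Added example (not from the original slides): captive-portal enforcement
# for hosts that have not yet passed automated inspection. The portal path,
# the compliance set and the sample requests are constructed assumptions.
from urllib.parse import quote

PORTAL_PATH = "/remediate"   # assumption: where the update instructions live
COMPLIANT: set[str] = set()  # assumption: client IPs cleared by inspection


def mark_compliant(client_ip: str) -> None:
    """Called by the NAC console once the host passes automated inspection."""
    COMPLIANT.add(client_ip)


def captive_portal_app(environ, start_response):
    """WSGI app: redirect non-compliant hosts to the portal, pass the rest."""
    client = environ.get("REMOTE_ADDR", "")
    path = environ.get("PATH_INFO", "/")

    if path.startswith(PORTAL_PATH):
        # The portal itself is always reachable: it carries the instructions
        # and tools for updating the computer.
        body = b"Your computer must be updated before network access is granted.\n"
        start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
        return [body]

    if client not in COMPLIANT:
        # Intercept: every other page is redirected until inspection passes.
        # The original path is carried along so the portal can send the user
        # back afterwards.
        location = f"{PORTAL_PATH}?next={quote(path)}"
        start_response("302 Found", [("Location", location)])
        return [b""]

    # Compliant host: in a real deployment the NAC stops diverting its traffic
    # (e.g. by moving the port off the quarantine VLAN); here we just pass it.
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [b"pass-through\n"]


def handle(environ) -> tuple[str, dict, bytes]:
    """Run the app on one request and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(captive_portal_app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Constructed sample requests from a quarantined host, then after clearance.
    print(handle({"REMOTE_ADDR": "10.0.0.5", "PATH_INFO": "/news"}))
    print(handle({"REMOTE_ADDR": "10.0.0.5", "PATH_INFO": PORTAL_PATH}))
    mark_compliant("10.0.0.5")
    print(handle({"REMOTE_ADDR": "10.0.0.5", "PATH_INFO": "/news"}))
```

Two points a practitioner will care about: only plain HTTP can be intercepted this way (TLS connections just fail until the user opens an HTTP page, which is why operating systems probe a known HTTP URL to detect captive portals), and the compliance set should key on something stronger than the source IP in production, since IPs are trivially reused on a shared quarantine VLAN.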
Thanks