How to Set up a Successful NAC Project
If you can’t beat them, join them. At least when it comes to employees bringing their own device onto the network or IoT (Internet Of Things) devices on the network. In this piece we detail six typical generic steps network administrators can take to ensure a fast and effective installation of their NAC (Network Admission Control or Network Access Control) project. However, the order of these steps will depend on the individual project, so remember to adjust your process accordingly.
- Server installation and initial configuration with switching and networking infrastructureImplementing a Network Admission Control project involves the initial installation and configuration of the server. This is usually installed in two tiers with a separate database layer. Before installing the server, you should double check that the hardware and network requirements are met. The entire networking infrastructure that the NAC system monitors will then be defined and configured. This is based on the characteristics of the network topology and architecture and the type and spread of the devices and endpoints. In many cases the customer network will have several different geographical sites which requires additional planning and administration delegation capabilities which can be achieve by by categorizing into different groups (though this excludes backbone switches and servers).
- Defining basic profiling and authentication rules
Here, the profiling and authentication rules for all the devices monitored by the NAC server are defined. This step typically starts with the largest population of devices in the NAC project and works its way down the list:
- Desktops and laptops are inspected for a domain membership of the appropriate VLAN association
- Printers and VoIP devices are defined using SNMP or TCP/IP fingerprint for each type of device. VoIP devices have an additional verification with the IP/PBX
- Resident Definition: Devices that do not fall into any of the above categories are remembered by the NAC according to their location and identity
- IoT ( Internet Of Things) devices and endpoints: Create a unique fingerprint for those devices and when possible, use a third party source to validate the device identity such as management server or database.
- Try to avoid MAC address based authentication wherever possible, this is the weakest potential authentication profile
This is a crucial part of the implementation – plan ahead and make sure you recognize all devices you configure authentication rules for, so that you will not have unsecured devices on your network right from the beginning.
- Defining inspection and compliance policies
This step involves defining a compliance inspection policy (posture assessment) for all devices that connect to the network, which follows these guidelines to determine the appropriate action for each device. For instance, Windows client devices that are verified with domain membership are inspected for various compliance aspects such as verification that both Symantec Antivirus SEP11 and Checkpoint PointSec are installed and running. This process can be adapted to suit MacOS, Linux and other platforms.
- Testing and fine tuning of rules and policies
After defining policies, it is important to check whether they are valid for the majority of clients on the network. On an ever changing network, especially when BYOD and IoT are becoming a crucial part – being able to monitor the network and adjust policy quickly is crucial. Testing the environment also enables network administrators to handle exceptions and fine tune the rules to accommodate every type of device in their workplace. By enabling more switches, the NAC server will discover additional devices, such as desktops, that are not associated with any specific domain or that do not adhere to standard NAC policies. The security officer will have to redefine NAC policies so that any specific device’s MAC address is tied to a specific port or location and they are allowed access to the network.
- Defining alerts and reports
Report and alerting features are a critical part of a successful NAC project. These facilitate early problem detection and faster turnaround for an increased uptime. Alerts and reporting settings are defined so organizations can reduce false-positives. The NAC server delivers alerts and reports in different formats including SMS, email, SOC integration and SNMP traps based on customer infrastructure settings and preferences.
A successful NAC project will consist of well defined alerting configuration to allow a quick detection of a security incident while avoiding overflowing the administrators.
- Graduating to ‘enforcement’ mode
Graduating the deployment to an enforcement mode is a big step in the NAC installation process. This is where the system automatically makes decisions to block or quarantine new devices or users or apply actions on existing devices users based on the chosen policies. Graduating to this enforcement mode is normally done when all the previous steps have been reviewed and verified. The most extreme policy this enforcement mode possesses is for the server to lock down a port in response to any breach attempt: at even the slightest whisper of a threat, the port will shut down immediately. A more typical configuration would be to switch devices to a different VLAN based on their characteristics and allow automatic or manual remediation.
While there are a number of alternatives available, we particularly love Portnox Network Access Control (Network Admission Control), which is unlike other NAC products in that it doesn’t come with heavy-handed controls. It is agentless, software only, flexible and easy to use and especially suitable for an heterogeneous network with IOT (Internet Of Things) devices. It traverses across all layers, including physical, virtual and the Cloud, to provide a secure and reliable virtual representation of the network for organizations of all sizes. Portnox NAC project is easy to deploy on both corporate and operational networks.
Contact us to learn more about how Portnox NAC can help your organization secure its network.