
Common High-Level Host Security Goals

Here are some examples of host security goals that are frequently instituted in organizations that deploy a NAC Appliance solution. These examples are meant to be a sampling and not a comprehensive list.

Protect the network from unauthorized access, both internally and externally originated.

Authenticate all users attempting access to the network.

Authorize all users attempting access to the network. Restrict access for nonemployees and guests.

All users must acknowledge an acceptable use policy before being granted network access.

All hosts must be running an approved antivirus program that is up to date.

All hosts must be running an approved antispyware program that is up to date.

All hosts must be running an approved operating system that is up to date.

All hosts must pass a network scan for virus and worm activity before being granted network access.

Any host found running banned software applications will be denied network access.

All hosts must be running an approved personal firewall or Host Intrusion Prevention System before being granted network access.

All guest hosts will be granted access only to the Internet and not internal resources.

All guest hosts will be bandwidth limited to 256 kbps.

It is common for an organization to modify its host security goals based on a specific network location or access type. For example, an organization might have a policy that states all hosts connecting through wireless in the Denver data center must be running an approved antivirus program that is up to date in order to gain network access.

Many organizations choose to phase in enforcement of their host security policies as the NAC Appliance deployment grows. Initially, host security policy enforcement is instituted at the highest-risk areas of the network: virtual private network (VPN) or other remote access, wireless, conference rooms, guest access, and common areas. Then, as the NAC Appliance deployment expands, host security policy enforcement is extended throughout the organization.

Figure 6-1 summarizes the process for determining the exact host security policy that will be enforced for a given host or in a given network location.

Figure 6-1 Host Security Policy Decision Matrix

Here is the explanation of the host policy decision steps shown in Figure 6-1. Following this list are several sections that will describe these decision steps in greater detail.

1 The host connects to a location of the network.

2 The host is determined to be a member of a certain security domain. The HSP must define what the security domains are for the organization.

3 The HSP must define one of three choices for each unique security domain.

a Which security domains will not have NAC Appliance deployed, thus allowing unrestricted network access. The host security policy for this security domain states that no host security policies are to be enforced in this domain.


b Which hosts or devices will be a member of the exemption list and thus will be able to bypass the NAC Appliance authentication and posture assessment phases.

c Which security domains will force hosts to comply fully with the NAC Appliance solution.

4 If the host is a member of the exemption list, it will flow directly to the network access privileges. The remaining steps in this list are bypassed. The HSP must define exactly what the network access privileges will be for each type of exempt host. It is possible to have different network access policies for different types of exempt devices. For example, you can have an exempt host security policy that allows IP phones to access the network unrestricted, but exempt printers are restricted to communicating using TCP port 9100 only.

5 If the host is part of a security domain that requires full compliance with the NAC Appliance solution, the client is forced to authenticate. The HSP should determine exactly how the user’s credentials are authenticated and verified.

6 After successfully authenticating, the client is then moved to the user role it is a member of. The HSP should identify how user roles are defined and which users are members of which user roles.

7 The host is checked to make sure that it meets all the host security requirements defined for that user role. The HSP should define what the security requirements are for each user role.

8 If the host complies with all of its security requirements, it is moved to the network access privileges. The HSP should define the type of network access that should be granted to clients. This is typically defined per user role.

9 If the host fails to meet its security requirements, it is moved into network quarantine. Typically, self-remediation functions are also provided here. The HSP should clearly specify what network access privileges, remediation functions, and time limits should be imposed on quarantined hosts.
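The nine decision steps above, modeled as a small policy-as-code evaluator. This is an added example and not code from the book or from the NAC Appliance product itself: the location-to-domain mapping, domain names, exemption MAC addresses, user store, posture fields, remediation server address and access-rule strings are all constructed for illustration. The role requirement lists and access rules borrow the goals listed earlier in this chapter (current antivirus, antispyware and OS; no banned software; host firewall; acceptable use policy; guests limited to the Internet at 256 kbps; exempt printers limited to TCP 9100), and the "wireless" domain shows how a location can tighten a role's baseline, as in the Denver wireless antivirus example.

```python
"""Policy-as-code model of the Figure 6-1 decision matrix (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

# Steps 1-2: network location -> security domain (constructed mapping).
LOCATION_TO_DOMAIN = {"denver-dc-wireless": "wireless", "hq-lan": "corporate_lan",
                      "hq-conference-room": "guest_wired", "lab-isolated": "lab"}

# Step 3: one choice per domain. "no_nac" enforces nothing (3a); "enforced"
# requires full compliance (3c). extra_requirements lets a location add checks
# on top of the role baseline.
DOMAINS = {"lab": {"mode": "no_nac", "extra_requirements": []},
           "corporate_lan": {"mode": "enforced", "extra_requirements": []},
           "wireless": {"mode": "enforced", "extra_requirements": ["antivirus_current"]},
           "guest_wired": {"mode": "enforced", "extra_requirements": []}}

# Steps 3b/4: exemption list keyed by MAC, with access privileges per device type.
EXEMPT_DEVICES = {"00:1b:54:aa:bb:01": "ip_phone", "00:1e:8f:cc:dd:02": "printer"}
EXEMPT_ACCESS = {"ip_phone": ["permit ip any any"],
                 "printer": ["permit tcp any any eq 9100", "deny ip any any"]}

# Step 5: credential store with salted SHA-256 hashes (constructed users).
def _h(salt: bytes, pw: str) -> str:
    return hashlib.sha256(salt + pw.encode()).hexdigest()

USERS = {"alice": {"salt": b"s1", "hash": _h(b"s1", "Winter2024!"), "role": "employee"},
         "guest42": {"salt": b"s2", "hash": _h(b"s2", "welcome"), "role": "guest"}}

# Steps 6-7: role -> required checks; each check is a predicate over posture data.
BANNED_SOFTWARE = {"bittorrent.exe", "kazaa.exe"}
ROLE_REQUIREMENTS = {"employee": ["aup_accepted", "antivirus_current", "antispyware_current",
                                  "os_patched", "no_banned_software", "host_firewall"],
                     "guest": ["aup_accepted", "no_banned_software"]}
CHECKS = {
    "aup_accepted": lambda p: p.get("aup_accepted") is True,
    "antivirus_current": lambda p: p.get("av_installed") is True and p.get("av_sig_age_days", 999) <= 7,
    "antispyware_current": lambda p: p.get("antispyware_installed") is True
                                     and p.get("antispyware_sig_age_days", 999) <= 7,
    "os_patched": lambda p: p.get("os_patch_age_days", 999) <= 30,
    "no_banned_software": lambda p: not (set(p.get("running", [])) & BANNED_SOFTWARE),
    "host_firewall": lambda p: p.get("firewall_enabled") is True,
}

# Steps 8-9: per-role access and the quarantine policy (remediation host is constructed).
ROLE_ACCESS = {"employee": ["permit ip any any"],
               "guest": ["permit ip any internet", "deny ip any 10.0.0.0/8", "rate-limit 256kbps"]}
QUARANTINE = {"access": ["permit tcp any host 10.0.0.5 eq 443", "deny ip any any"],
              "time_limit_minutes": 30}


@dataclass
class Decision:
    outcome: str                      # unrestricted | exempt | granted | quarantined | denied
    access: List[str] = field(default_factory=list)
    role: Optional[str] = None
    failed_checks: List[str] = field(default_factory=list)
    time_limit_minutes: Optional[int] = None


def authenticate(username: str, password: str) -> Optional[str]:
    """Return the user's role on success, None otherwise (constant-time compare)."""
    rec = USERS.get(username)
    if rec is None:
        hmac.compare_digest(_h(b"", password), _h(b"", ""))  # same work for unknown users
        return None
    return rec["role"] if hmac.compare_digest(_h(rec["salt"], password), rec["hash"]) else None


def decide(location: str, mac: str, username: str = "", password: str = "",
           posture: Optional[dict] = None) -> Decision:
    """Walk a host through the Figure 6-1 decision steps and return its access decision."""
    domain_name = LOCATION_TO_DOMAIN.get(location)
    if domain_name is None:                               # unknown location fails closed
        return Decision("denied", failed_checks=["unknown location"])
    domain = DOMAINS[domain_name]
    if domain["mode"] == "no_nac":                        # step 3a: nothing enforced
        return Decision("unrestricted", ["permit ip any any"])
    dev_type = EXEMPT_DEVICES.get(mac.lower())            # step 4: exemption list
    if dev_type:
        return Decision("exempt", EXEMPT_ACCESS[dev_type], role=dev_type)
    role = authenticate(username, password)               # step 5: authenticate
    if role is None:
        return Decision("denied", failed_checks=["authentication"])
    required = list(dict.fromkeys(ROLE_REQUIREMENTS[role] + domain["extra_requirements"]))
    failed = [name for name in required if not CHECKS[name](posture or {})]  # steps 6-7
    if failed:                                            # step 9: quarantine + remediation
        return Decision("quarantined", QUARANTINE["access"], role=role, failed_checks=failed,
                        time_limit_minutes=QUARANTINE["time_limit_minutes"])
    return Decision("granted", ROLE_ACCESS[role], role=role)  # step 8: role access


# Constructed posture report for a fully compliant host.
GOOD_POSTURE = {"aup_accepted": True, "av_installed": True, "av_sig_age_days": 2,
                "antispyware_installed": True, "antispyware_sig_age_days": 2,
                "os_patch_age_days": 5, "running": ["outlook.exe"], "firewall_enabled": True}

if __name__ == "__main__":
    print(decide("hq-lan", "00:1E:8F:CC:DD:02"))
    print(decide("denver-dc-wireless", "aa:bb:cc:dd:ee:ff", "alice", "Winter2024!",
                 dict(GOOD_POSTURE, av_installed=False)))
```

Two design points worth noting. Domain-level extra requirements are merged with the role baseline and de-duplicated, so the Denver-style override tightens the policy without producing duplicate failure entries; and the returned Decision carries the list of failed checks, which is exactly what a quarantine page needs to drive self-remediation. Unknown locations and failed authentication both fail closed rather than falling through to a default role.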