
Network Access Control (NAC)

Planning a Successful Rollout and Implementation

Whitepaper


Table of Contents

Introduction ... 1
Lay the Foundation ... 2
Know What the Objectives Are — Set Goals ... 2
Set the Standards for Success ... 3
Cross Functional NAC Project Teams ... 4
Starting a NAC Deployment ... 4
NAC Goal – Control Non-Corporate Users and Devices ... 4
NAC Goal – Maintain Endpoint Compliance Across the Enterprise ... 5
Tips for Managing Policy Change ... 6
Creation of a Phased Rollout Strategy ... 6
Uptime Enforcement ... 6
Site by Site Rollout ... 9
Policy by Policy Rollout ... 10


ForeScout Technologies, Inc. Access ability. www.forescout.com Page 1

Introduction

A primary security objective of any enterprise is to have comprehensive knowledge and control of all users/devices that move in and out of the network, ensuring that these devices are in compliance with corporate security policies. Basically, it is making sure that only the right users, with the right devices, gain access to the right resources on the network. The rationale is that with this control in place, no device would be able to damage the network and no sensitive data could be compromised by unauthorized users. But with the vast complexity and unique nature of each enterprise, this goal of knowledge and control has been challenging and some would say unattainable.

With the emergence of Network Access Control (NAC) technologies, network administrators now have tools to gain this critical and powerful network understanding. However, care needs to be taken in selecting the right tool(s). A NAC solution will contribute significantly to an organization’s business objectives by automatically enforcing network and security policies, preventing network downtime, maintaining network integrity and meeting federal and state compliance regulations. So with this in mind, it is important to look at what a NAC implementation would require and how this type of tool can be successfully rolled out to maximize business objectives.

To achieve successful results, from the conceptual stage through implementation, project leaders should have clear understanding of three key issues:

Project Goals

· What does a completed NAC roll out look like?

· What business challenges are solved by the NAC roll out?

Success Factors

· What key factors will play into the success of the project?

Rollout Strategies

· What is the best way to go from planning to implementation in order to ensure success without limiting productivity?

This document will cover the basic questions that need to be addressed before attempting to implement a successful NAC roll out. Every enterprise is different and will have different nuances to how a NAC implementation will work within the physical network and within the corporate culture of the organization. It is the goal of this document to provide several options of how to systematically and effectively institute access control policies and enforcement, while continuing to preserve uptime and productivity.


Lay the Foundation

There are several issues that need to be addressed at the conceptual stage in order to lay a solid foundation for a NAC project. Having a good understanding of how to answer the basic questions will provide the right base from which to guide NAC rollout decisions, and will help NAC project leaders gauge their progress. In general, when setting the groundwork for a NAC roll out, the following questions should be able to be answered in detail:

What are the main objectives of the NAC roll out?

· Enforcing baseline security policy

· Access control of network guests/contractors

· Role based access

· Keep worms out

What constitutes success?

· Meeting roll out time line

· Enforcing policy

· Maintaining uptime

Who is involved?

· Each stage of the roll out

· Policy creation

· Employee notification

Know What the Objectives Are — Set Goals

Today’s network challenges have grown beyond dealing with traditional security threats (e.g., worms, viruses, spyware, etc). Now business leaders are also coping with issues such as endpoint compliance, network integrity and availability, legal compliance, WAP control, confidential customer data, protection against hardware theft, privacy and more. With appropriate planning, the right NAC tools can handle these issues, but it requires spending sufficient time formulating goals that meet specific business needs.

Some common goals include the following:

· Eliminate network access to non-corporate users and devices across all sites.

· Ensure all corporate devices have the necessary patches and software versions.

· Eliminate usage of non-compliant software on all endpoints.

· Achieve regulatory compliance (e.g. Sarbanes-Oxley).

· Eliminate zero-day worm outbreaks.

· Detect and disconnect all rogue wireless access points.

· Ensure that servers containing customer data are properly patched and secured.

· Ensure that servers containing customer data are only accessed by credentialed users.

These policy decisions cannot be made in a vacuum and must pull from a variety of corporate resources. Gathering information is critical to both understanding what the needs of the organization are and implementing a NAC solution that will contribute to the overall business goals.


Set the Standards for Success

A NAC project will excel when it is tied to a comprehensive list of business and technical success factors. In fact, these factors will be crucial when making decisions and measuring progress — at every stage of the project’s design and rollout. Making sure that NAC policies, procedures, strategies and related network processes meet the standards put forward here is essential to the success of the project.

Business Success Factors

Minimal Disruption to End-User Productivity: Policies should have minimal negative impact on end-user behavior, processes and productivity. For example, policies should:

· Avoid rash sweeping sanctions that have the potential to disrupt business continuity.

· Pinpoint and manage non-compliant users/devices only, and ignore the remaining compliant enterprise.

· Ensure that NAC processes are transparent to end-users and don't change their work patterns. For example, when logging in, use existing authentication methods.

Education and Awareness First: When appropriate, NAC policies should first serve to raise awareness of security and compliance issues and only in the most critical circumstances be used to impose immediate sanctions. Successfully educating and training the enterprise about security and compliance will naturally reduce the number of policy violations while still being able to take hard action when personnel do not comply with network policies.

Direct Personal Response: Verify that NAC policies and processes speak directly and personally to non-compliant network end-users in real-time, and automatically track the progress they make towards compliance. Each network user will be handled on the merit of their compliance status and addressed in direct response to the specific violations they carried out.

Technical Success Factors

Intrusive Deployments vs. Minimal Impact Deployments: The ideal NAC solution would not slow down network response times, add latencies or drain network resources. The greater the impact of NAC technology on network operations, the greater the resistance and delays in achieving full implementation.

Client Based vs. Clientless Deployment: The ideal NAC solution would not require any endpoint installations (i.e. agent, client, shim, etc.) to carry out a deep inspection of the connecting device. Clientless deployment minimizes the IT and support effort required for endpoint installation/maintenance and expands the flexibility of which devices can be inspected. Additionally, clientless NAC provides the ability to extend NAC functionality to non-user based networked devices (i.e. IP printers, fax, VoIP phones, etc.).

Rigid vs. Flexible Deployment: The ideal NAC solution can be deployed according to your networking needs, i.e. at the distribution switch level, access switch level or at the core switch, without requiring any change to the existing network configuration.

New Equipment vs. Working with Existing Network Devices/Services: The ideal NAC solution integrates with existing infrastructure, rather than requiring changes to it. This means the NAC solution would work on top of existing network equipment, avoiding the need to update switches and other key network devices when deploying the NAC solution. Such changes to underlying infrastructure carry greater risks, significant expenses and drain the time of limited IT management resources. In addition to the physical infrastructure, the NAC solution should leverage existing application infrastructure as well. For example:

· Identity Management Systems (LDAP/Active Directory) can be leveraged for obtaining user identity information.

· Trouble Ticket Systems can be leveraged for tracking detections of non-compliant users/devices.

· Authentication Services can be leveraged for performing authentication.

Cross Functional NAC Project Teams — Who to Involve?

NAC projects require expertise from a variety of corporate resources. When setting objectives and goals for the NAC project, it will be important to get perspectives on what is important to the organization as a whole. Network security policy creation needs to be done with this perspective in mind. This input will make sure that all parties are well aware of the NAC initiative and give them the opportunity to voice concerns that are relevant to their role within the organization. Corporate resources that should be consulted in the process of building NAC policies are:

Network: For integration with the network infrastructure.

Security: For defining and implementing information-security policies.

Legal: For understanding regulatory requirements and the impact of the project on compliance.

Helpdesk/IT: For desktop/laptop configurations and patch deployment.

Human Resources: For interacting with end-users and notifying them of corporate policies.

Operations: For handling response procedures and policy deployment scheduling.

Management: For prioritization, business impact decision-making and high-level budget issues.

In this process, broader input will improve the implementation’s effectiveness and thoroughness and helps ensure the success and buy-in of the entire corporation. This will be a key factor for success as the first stage of implementation begins and as sanctions start being applied.

Starting a NAC Deployment

As a first step, the NAC team should decide how to best translate goals into policy requirements. Writing policy requirements will likely involve reviewing IT processes, examining regulatory and corporate policy requirements, identifying how to leverage network infrastructure, incorporating third party systems and more. Below are examples of common policies and how they have been translated into a NAC framework.

NAC Goal — Control Non-Corporate Users and Devices

The goal is to control network access of non-corporate users and devices across all campuses. To achieve this, the following illustrates how these policy requirements might be defined:

Policy Requirement 1: Visitor Access in Conference Rooms
Policy Action 1: Identify guest devices in a specified IP range
When to Apply Policy 1: Upon connection to the network
Policy definition: In conference rooms, automatically limit access for non-corporate users (visitors), allowing them Internet access only, while allowing full access to corporate employees.

Policy Requirement 2: Visitor Access to the Production Network
Policy Action 2: Identify non-managed devices attempting to connect to the production network
When to Apply Policy 2: Upon connection to the network
Policy definition: When physically attempting to connect to the production network, non-authenticated users will be denied access.

Policy Requirement 3: No Rogue Wireless Access Points (WAP)
Policy Action 3: Track down and remove rogue WAPs
When to Apply Policy 3: At every first connection to the network
Policy definition: Wireless Access Points are prohibited across all offices, including remote branches. Any discovered WAP must be automatically disconnected from the network.

NAC Goal — Maintain Endpoint Compliance Across the Enterprise

The goal is to constantly maintain compliance with network policies on all corporate hosts. To achieve this, the following illustrates how these policy requirements might be defined:

Policy Requirement 1: All Critical Vulnerabilities Must be Patched

This should be tested upon admission as well as on a regular basis. If not in compliance with an identified critical vulnerability, a suggested action would be to automatically isolate, patch and then release machines once remediation is complete.

Policy Requirement 2: All Machines Must Have Updated Anti-Virus Versions Within X Days

This should take place upon admission to the network as well as on a regular basis. If not in compliance, a suggested action would be to inform the end user that they are not in compliance. If the warnings are ignored, the NAC solution should allow for automatic isolation, and force remediation of the outdated anti-virus versions.

Policy Requirement 3: Only Allow MSN Instant-Messaging on Corporate Hosts

Users may only work with the MSN instant-messaging service. All other IM applications may not be installed and if detected, the service will be blocked.

After policy creation is complete and enforcement actions have been decided upon, it is critical to individually test the policies to ensure complete understanding of the estimated impact from imposing a rule — just in case the rule and related response for a violation was written poorly OR the degree of non-compliance is so great that enforcement would bring the network to a halt. For NAC best practices, after a policy is implemented, rules should always be run first in monitor mode (where the NAC administrator can see what impact the rules would have across the network without enforcing the rule in real-time). This will significantly help the NAC manager’s ability to assess the degree of compliance and/or the correctness and effectiveness of the rule’s creation.

Once the policies have been written, tested, and reviewed over a reasonable period of time in monitor mode, formal rollout can begin. Implementing the rule in real-time would be phased in over time, rule by rule, as will be discussed in the next section. Rules should be enforced one at a time to ensure the viability of each rule. This allows the roll out to proceed with a full understanding of what the impact of each policy is, both individually and ultimately on the full network. See chart below.


Tips for Managing Policy Change

Predict how a new policy will affect users

· Have a complete understanding of what users will be required to do in order to comply with any new policy. Identify where potential problem areas/groups might be (i.e. remote or traveling users) and make a plan to address these areas/groups before implementation of the first policy.

Inform users of a policy change before it happens

· Make sure that all users who will be affected by the policy change are fully aware of the policy and the potential consequences of non-compliance.

Offer users the ability to reach compliance before the policy is implemented

· As part of educating users on the policies that will be implemented, provide the appropriate links or directions as to how the user can become compliant before sanctions are imposed. This can be an integrated effort between IT and HR to ensure users have all the resources necessary to facilitate the change.

Automate the response to eliminate calls to the help desk

· As part of the network response to a violating user, leverage automated processes (e.g. automatically opening a trouble ticket or linking to the anti-virus server for a definition update) to help bring end users into compliance without creating more work for the help desk.


Creation of a Phased Rollout Strategy

After determining policy requirements and deciding how to handle enforcement for non-compliant devices, a phased roll-out plan should be created. This process will help determine which of the rules should be implemented, one at a time, and in which order. Having tested the rule(s) in monitor mode, the implementation team will have sufficient knowledge to determine which rules should be enforced and the type of enforcement that should be used. As a general rule, the phases of rollout are a judgment call by the organization. Consider that the policies most important (or simple) to rollout are the ones that will potentially deliver the greatest results.

There are several ways to approach a phased roll out, but all should generally fall under the banner of “Uptime Enforcement”. This focuses the attention of the team on the primary goal of a NAC implementation – secure the network, enable productivity.

Uptime Enforcement

Most NAC implementers consider two states: compliant devices are allowed on the network, noncompliant devices are blocked even if the policy violation is not critical. Often, blocking is premature and only causes disruption to business continuity and significantly impacts end-user productivity. Enforcing NAC policies through blocking mechanisms effectively holds back business operations or causes unnecessary downtime at the desktop.

“Uptime Enforcement” extends flexibility to the network administrator to act appropriately based upon the severity of the policy violation. For example, X is a policy that would most likely call for immediate compliance: work/connection to network resources must stop until the device is brought into compliance, and only then can access be allowed. Y is a policy that might allow a few hours or days for compliance. In the meantime, users could continue to be productive without having to drop everything to take care of the remediation. If the user does not comply with policy notification and warnings, at that time a more drastic sanction can be imposed. Uptime enforcement is a strategy that lets the network administrator maintain end-user uptime while simultaneously

Uptime enforcement works because it addresses the source of noncompliance before reacting to it with consequences. In general, the cause of non-compliance falls into three categories:

· Non-compliant IT process — for example, corporate anti-virus licenses that were not renewed and have expired.

· Uneducated end-users — for example, employees that are unaware of a company policy that prohibits them from using P2P applications. In general, this is the most common cause of non-compliance.

· Non-compliant end-users — for example, end-users that know about a company policy prohibiting the use of P2P applications, but still run them.

Typically, uneducated users comprise 60% - 70% of all network security policy violations. The uneducated user does not have malicious intent, but rather is unaware of or chooses to ignore company mandates. For these users, the decision may not be to block access, but rather to track and log activity, keeping the end user productive.

Uptime Enforcement can be achieved by working with policies that push forward a logical process of elimination when dealing with the source of noncompliance. This can be achieved through a systematic approach:

Step one – discover and review non-compliance of devices, users, and user behavior.

Step two – launch an education program for employees, verifying that they understand the corporate network security policies.

Step three – address users who have been educated as to the security policy, but refuse to adhere.

Why is it important to work according to this process? Following this process ensures that you achieve compliance while minimizing the disruption to network users, applying sanctions only when absolutely necessary and on a very well defined and typically relatively small group of users.

1. Evaluate Current Compliance of Network — The NAC solution should automatically locate noncompliant end-users and devices without imposing sanctions. This step is focused on eliminating any systemic problems (outside the control of the end user) which have made an unaware end-user noncompliant. Evaluating the nature of the problem will show if non-compliant devices or behaviors are the source of policy violations. Addressing these IT processes will significantly reduce the number of challenges in implementing NAC.

For example, if you find that an extensive number of network machines don’t meet patch level requirements, it could indicate that:

· Desktop provisioning issues may need to be corrected.

· Patch management system may not be operating properly.

2. Educate the End User — Directly — After addressing/eliminating any background IT problems, there should be a reduction in non-compliance levels. However, if the level of non-compliance is still high, it is indicative of users who are unaware that they have breached policies, or have not been taught how to comply with them. This can be addressed by a NAC-powered educational policy.

What is the purpose of a NAC-powered Educational Policy?

· Directly and personally draw non-compliant end-users into the compliance process.

· Raise their awareness of compliance and security requirements.

· Help change behavior, forcing compliance, without reducing productivity.

How does it work?

· Non-compliant users are notified via automated, personal, directed e-mail and/or Web notifications. These notifications are delivered at the time the violation occurs.


A NAC-powered educational policy can be as simple as rolling out a Web-based company reminder that informs network users when corporate policies are initiated or changed. For example, a policy informing users via the Web that only a specific instant messaging system may be used in the enterprise or that P2P applications may not be used.

Additionally, the right NAC solution can:

· Further the educational process by delivering e-mail to non-compliant users with a URL link to the policy document, and request that they read the policy and select an ‘I agree’ button for confirmation. Reports can be generated periodically to keep track of and address users that have not confirmed.

· Set up a cleanup campaign with the Helpdesk to assist in uninstalling barred applications. The Helpdesk will be automatically provided contact information, lists of barred applications, and the IP/MAC address of detected machines.

· Temporarily hijack the non-compliant users’ Web sessions with a message indicating that blocking sanctions will be applied if barred applications are detected on their machines after a specific date.

Rolling out a NAC-powered education policy typically leads to a dramatic increase in compliance as it addresses the most common cause of non-compliance — unaware/uninformed users.

3. Enforce Policy on Non-Compliant Users — After NAC-powered educational policies have been rolled out, there should be a good understanding of the number/percentage of non-compliant users. In all probability, the level of non-compliance at this stage will be quite low. By this time, the end user should be aware of the policies and if they choose to continue to violate the policy, then they will be subject to sanctions. But even in this case, the NAC solution needs to provide several graduated enforcement options and not simply deny access. At this point, it needs to be very clear what sanctions will be used and how those actions should be carried out on users/devices that do not comply with the NAC policy.

Some common examples include:

· Assign the device to a VLAN (Quarantine VLAN, Guest VLAN or Remediation VLAN).

· Block the device at the switch.

· Prevent Internet access.

· Prevent access to the corporate network or to segments of it.

· Prevent access to specific servers.

Impact of an Uptime Enforcement Deployment

Phasing in NAC policies will achieve a quicker mean time to compliance with minimal network/user disruption. The graph below illustrates how stepping through the Uptime Enforcement process will significantly reduce the number of non-compliant users without the need to impose hard sanctions. By the time sanctions are required, the focus will be on the small number of real policy violators.


Audit: Understand the current state of compliance in the network. Use information to create policies.

Inform: Inform users of policy changes. Give users a chance to change behavior before imposing sanctions.

Educate/Train: Use “soft” enforcement and reminders to policy violators. Offer easy or automatic ways for a user to become compliant.

Enforce: Block or limit access to policy violators. Offer easy or automatic ways for a user to become compliant.
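As an added example, not taken from the whitepaper or from any ForeScout product, the following Python models the endpoint-compliance policies defined earlier (critical patches, anti-virus definitions within X days, an instant-messaging allowlist) and runs each host through the Audit, Inform, Educate/Train and Enforce stages above, with a grace period before a non-critical violation draws a hard sanction. The hosts, thresholds, grace periods and sanction names are constructed assumptions for illustration.

```python
"""Toy NAC policy engine for phased "Uptime Enforcement" (constructed example)."""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Stage(Enum):
    """Rollout stages from the chart: each is applied to one rule at a time."""
    AUDIT = 1     # monitor mode: record violations, no user-facing action
    INFORM = 2    # tell affected users about the policy and its consequences
    EDUCATE = 3   # soft enforcement: reminders plus a self-remediation path
    ENFORCE = 4   # hard sanctions for the remaining real violators


@dataclass
class Host:
    name: str
    user: str
    missing_critical_patches: int
    av_definition_date: date
    installed_im: set                                   # IM clients detected on the host
    first_violation: dict = field(default_factory=dict)  # policy name -> date first seen


@dataclass
class Policy:
    name: str
    severity: str    # "critical" is sanctioned immediately once the rule is enforced
    grace_days: int  # days a non-critical violation is tolerated in the ENFORCE stage
    check: callable  # returns True when the host complies
    sanction: str    # graduated enforcement option once grace expires


AV_MAX_AGE_DAYS = 7        # assumed value for the whitepaper's "within X days"
ALLOWED_IM = {"msn"}       # Policy Requirement 3: only MSN instant messaging

POLICIES = [
    Policy("critical-patches", "critical", 0,
           lambda h, today: h.missing_critical_patches == 0,
           "Assign to Remediation VLAN"),
    Policy("av-definitions-current", "medium", 3,
           lambda h, today: (today - h.av_definition_date).days <= AV_MAX_AGE_DAYS,
           "Assign to Quarantine VLAN"),
    Policy("im-allowlist", "low", 10,
           lambda h, today: h.installed_im <= ALLOWED_IM,
           "Block the IM service"),
]


def evaluate(host, stage, today):
    """Return [(policy name, action)] for one host at the given rollout stage."""
    decisions = []
    for p in POLICIES:
        if p.check(host, today):
            host.first_violation.pop(p.name, None)  # remediated: reset the clock
            continue
        first = host.first_violation.setdefault(p.name, today)
        days_open = (today - first).days
        if stage == Stage.AUDIT:
            action = "log only"
        elif stage == Stage.INFORM:
            action = "notify user of policy"
        elif stage == Stage.EDUCATE:
            action = "reminder + self-remediation link"
        elif p.severity == "critical" or days_open >= p.grace_days:
            action = p.sanction
        else:
            action = f"warn: {p.grace_days - days_open} day(s) to comply"
        decisions.append((p.name, action))
    return decisions


def compliance_report(hosts, stage, today):
    """Run every host through the engine; returns ({host: decisions}, summary)."""
    results = {h.name: evaluate(h, stage, today) for h in hosts}
    non_compliant = sum(1 for d in results.values() if d)
    return results, {"hosts": len(hosts), "non_compliant": non_compliant}


def make_sample_hosts():
    """Constructed inventory: one compliant host and two violators."""
    return [
        Host("lab-pc-01", "alice", 0, date(2021, 5, 30), {"msn"}),
        Host("lab-pc-02", "bob", 2, date(2021, 5, 30), {"msn"}),
        Host("lab-pc-03", "carol", 0, date(2021, 5, 1), {"msn", "yahoo"}),
    ]


if __name__ == "__main__":
    today = date(2021, 6, 1)
    hosts = make_sample_hosts()
    for stage in Stage:  # same rule set, stepped through the four stages
        results, summary = compliance_report(hosts, stage, today)
        print(stage.name, summary, results)
```

Running the same hosts through `Stage.ENFORCE` on successive days shows the grace period expiring: the stale anti-virus host is warned first and moved to the Quarantine VLAN only after `grace_days` have passed.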


Two Methods for Uptime Enforcement

Site by Site Rollout

NAC project leaders are often tempted to roll out NAC policies across all enterprise sites simultaneously. However, without first understanding the ramifications of a widespread deployment, NAC project leaders should consider a phased implementation — even if the policies will eventually be deployed across the enterprise. Many sites operate under unique work procedures and site-specific requirements which may be unknown to the central administrator but critical for the site’s day to day operation. For example:

· At a remote site, a mission critical Web-based application only runs on a specific Internet Explorer version. However, a corporate NAC policy prohibits the use of that version of IE. The policy may need to be adjusted to meet the specific site requirements.

· A NAC policy only allows the use of the MSN instant messaging service. Partners working with a support site, however, only work with Yahoo instant messaging. The policy will have to be adjusted for the support site, or the site may be exempt from inspection for this policy.

· A NAC policy requires that all end-users work with a specific version of Windows Office. Marketing departments, however, require a higher version in order to create marketing documents. The marketing department cannot be inspected for this policy.

Choosing the First Site

The first location for a site by site roll out is critical to the success of the overall NAC implementation. It is best to select a site that is well managed and the infrastructure is well documented. Particular attention must be paid to understanding the network’s response to the policy enforcement, measuring how effectively non-compliant end-users comprehend policy changes, and the response to the policy and actions imposed. When choosing the first site, it should be:

· Well-managed, i.e. documented and understood support infrastructure and an IT administrator.

· Physically close to your security and networking teams.

· Stable environment (network devices are not frequently added, removed or updated).


Site by Site Roll Out

Rolling out on a per site basis allows for the fine tuning required to ensure no disruption to legitimate business processes. Each site will have its own unique characteristics that will need to be understood and addressed. This methodology should be coupled with a policy by policy (see next section) practice to ensure maximum understanding of the impact NAC policies will have on the enterprise.


Policy by Policy Rollout

It’s natural that NAC project leaders will want to implement all NAC policies as quickly as possible. However, rolling out too many policies concurrently, even within a single site, won’t give the network administrator enough time to evaluate the results of each policy, its accuracy, its ability to be implemented, and to understand its impact on the network and network end-users. Time must be invested in fine-tuning each network policy before moving on to another (see chart below).


Policy by Policy Roll Out

Therefore, each policy review should answer the following questions:

· Did the policy pinpoint the right users and devices?

· Were network users responsive to the policy?

· Were processes implemented effectively?

Did the Policy Pinpoint the Right Users and Devices?

After running a policy, it is not unusual to discover that devices and users detected during the inspection process should really have been kept out.

Policies should be run individually for the purpose of verifying that they inspect what needs to get inspected. Following through with such fine-tuning will significantly reduce network disruption and improve the effectiveness and value of the policy.


Typical examples of users and devices that should be excluded from a policy’s inspection scope:

· Security auditors and network administrators who need access to all network resources and services, regardless of policies.

· The policy enforces patch level requirements on network devices at a local hospital. However, some medical devices prohibit the installation of patches. These devices should be excluded from the inspection.

Does the NAC System Handle Automatic Device Classification?

The NAC solution should support automatic classification of devices, which enables the ability to define device categories only as a criterion for inspection or exclusion from the inspection process. For example, automatic detection and classification of network printers can be achieved by working with NAC solutions that automatically recognize printers as they enter the network. Otherwise, the administrator has to create specific exception lists by extracting the information from inventory management systems and update them every time a new printer is installed.

No Hits?

After running the policies, it may be discovered that a relatively small number of detections were made. This may indicate that the policy inspection scope is too narrow, and is missing users and devices that should be inspected. If this is the case, the policy scope should be broadened.

Were Network End-Users Responsive to the Policy?

Corporate policies will often require that network end-users respond to a NAC-powered educational policy or perform a specific task - for example use self-remediation links or contact the Helpdesk. Verification should be checked to ensure end-users are responding to notifications and instructions as anticipated, and changing their behavior accordingly.

Were Processes Implemented Effectively?

Corporate policies are likely to include automated processes designed to bring about compliance faster and more efficiently. These processes may call specific departments into action, or generate important information about the violation event.

For example, the “No P2P” policy requires that the IT and helpdesk teams are automatically notified when a violation is detected. The notification they receive should include the contact and device details as well as information about the policy violation.

Lastly, it is important to verify that automated instructions to support or other teams reach their destination with the proper information, and that the end user knows what to do with it. And before dealing with a new policy, make sure to fine tune the automated process to maximize efficiencies.
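The Uptime Enforcement phases (Audit, Inform, Educate/Train, Enforce) and the policy review checks above (scope exclusions, the “No Hits?” test, and advancing to sanctions only once few real violators remain) can be modelled as a small decision engine. The following is an added example, not ForeScout code and not CounterACT’s policy model; the endpoint inventory, the “patch-level” policy, the device kinds and the thresholds are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
class Phase(Enum):   # the four Uptime Enforcement steps; the value is the action on a violator
    AUDIT = "log"        # record the violation only
    INFORM = "notify"    # tell the user about the policy before any sanction
    EDUCATE = "remind"   # soft enforcement: reminder plus self-remediation link
    ENFORCE = "block"    # hard enforcement: block or limit access
@dataclass(frozen=True)
class Endpoint:
    host: str
    kind: str       # device classification, e.g. "workstation", "printer", "medical"
    role: str       # user role, e.g. "employee", "auditor"
    site: str
    patched: bool   # compliance state for the constructed "patch-level" policy
@dataclass(frozen=True)
class Policy:
    name: str
    phase: Phase
    excluded_kinds: frozenset = frozenset()   # e.g. printers, medical devices
    excluded_roles: frozenset = frozenset()   # e.g. security auditors
    exempt_sites: frozenset = frozenset()     # sites whose procedures conflict with the policy

def in_scope(policy: Policy, ep: Endpoint) -> bool:
    # exclusion lists keep devices, users and whole sites the policy must not inspect out of scope
    return (ep.kind not in policy.excluded_kinds and ep.role not in policy.excluded_roles
            and ep.site not in policy.exempt_sites)

def evaluate(policy: Policy, endpoints: list) -> dict:
    """Map each host to 'skip', 'allow', or the sanction the policy's current phase permits."""
    return {ep.host: "skip" if not in_scope(policy, ep) else "allow" if ep.patched
            else policy.phase.value for ep in endpoints}

def review(actions: dict, min_scope: float = 0.05, max_violators: float = 0.10) -> dict:
    """Policy review: the 'No Hits?' scope check and a gate for moving to the next phase."""
    inspected = [a for a in actions.values() if a != "skip"]
    violators = [a for a in inspected if a != "allow"]
    share = len(violators) / len(inspected) if inspected else 0.0
    coverage = len(inspected) / len(actions) if actions else 0.0
    return {"inspected": len(inspected), "violators": len(violators),
            "scope_too_narrow": coverage < min_scope,      # few detections: scope may miss devices
            "ready_to_advance": share <= max_violators}    # sanction only the few real violators

# Constructed inventory (not real hosts): workstations, an auditor, a printer, a medical device.
ENDPOINTS = [Endpoint("ws-01", "workstation", "employee", "hq", True),
             Endpoint("ws-02", "workstation", "employee", "hq", False),
             Endpoint("ws-03", "workstation", "auditor", "hq", False),
             Endpoint("prn-01", "printer", "none", "hq", False),
             Endpoint("infusion-01", "medical", "none", "clinic", False),
             Endpoint("ws-04", "workstation", "employee", "remote", False)]
PATCH_AUDIT = Policy("patch-level", Phase.AUDIT, frozenset({"printer", "medical"}),
                     frozenset({"auditor"}), frozenset({"remote"}))
```

Running `evaluate(PATCH_AUDIT, ENDPOINTS)` only logs the unpatched headquarters workstation; the auditor, printer, medical device and the exempt remote site are skipped, and `review` reports that the policy is not yet ready to move past the Audit phase.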


Summary

NAC projects can deliver impressive results when backed by appropriate project goals, success factors that give comprehensive direction and guidance, and a NAC team that knows how to get the job done. With this foundation set, project leaders are better equipped to design useful NAC policies and roll out the NAC project.

Ultimately the success of a NAC implementation will lie in the ability to gain a complete understanding of what is going on within the IT infrastructure. This means auditing the people and processes that are active on the network on a daily basis. It also means being able to use the information gained by NAC solutions like ForeScout’s CounterACT to inform and educate and bring non-compliant users and devices into compliance with corporate security policies.

It is essential that any solution leverage the current IT infrastructure and existing security investments made by the enterprise to automate the process of remediation and have the ability to perform both soft and hard enforcement. But the NAC solution should also be able to look toward the future and provide a pathway to complete policy implementation and enforcement.

CounterACT delivers this in a single turnkey clientless security platform. The appliance does not require an in-line deployment and is vendor neutral, allowing existing infrastructure and systems investments to be maximized while providing a complete NAC solution. This fulfills a primary enterprise security goal: to have comprehensive knowledge and control of all users/devices that move in and out of the network, ensuring that these devices are in compliance with corporate security policies.

ForeScout’s CounterACT ensures that only the right users, with compliant devices, gain access to the right resources on the network.


ForeScout Technologies, Inc.

10001 N. De Anza Boulevard, Suite 220 Cupertino, CA 95014, USA Toll-free: 1.866.377.8771 (US)

Tel: 1.408.213.3191 (Intl.) Fax: 1.408.213.2283

www.forescout.com

© 2011 ForeScout Technologies. All rights reserved.
