NAC Project Guide

deanwebb · January 08, 2015, 03:44:27 PM

Network Access Control (NAC) is not a system one installs, turns on, and has working on day one. NAC involves extended periods of profiling and monitoring network activity prior to undertaking enforcement actions. This is because NAC projects reveal just how much variety and lack of compliance exists on the network and that variety and lack of compliance means that too-soon enforcement actions can result in network outages instead of enhanced security. Let's look at the phases of a NAC project in closer detail.

(more to come... I just wanted to start things off...)

deanwebb · December 10, 2016, 04:04:43 PM

Time to gravedig...

Still on NAC, almost 2 years later. It is DEFINITELY very complicated. Some important things:

1. Have all the gear ready to go for monitoring, then start getting switch and WLC config commands ready for the monitoring phase.
2. There is a ton of tweaking and tuning with a NAC system to keep it stable.
3. Most people I talk to say that, if a NAC project goes anywhere, it usually goes to monitoring and stays there. Very few shops have actually gotten to real enforcement.
4. It is a waste of a NAC project to not share the information the system collects with as many other groups as possible. This is a real goldmine, and people can find uses for the information for their own purposes that you may not be able to see.
5. The heart of information security is information. NAC will gather that information, and much of it. Security without NAC is like trying to play tennis blindfolded. Not easy, and you could make some grave mistakes without vital sources of information.

icecream-guy · December 12, 2016, 06:35:48 AM

Quote from: deanwebb on December 10, 2016, 04:04:43 PM
Time to gravedig...

Still on NAC, almost 2 years later. It is DEFINITELY very complicated. Some important things:

1. Have all the gear ready to go for monitoring, then start getting switch and WLC config commands ready for the monitoring phase.
2. There is a ton of tweaking and tuning with a NAC system to keep it stable.
3. Most people I talk to say that, if a NAC project goes anywhere, it usually goes to monitoring and stays there. Very few shops have actually gotten to real enforcement.
4. It is a waste of a NAC project to not share the information the system collects with as many other groups as possible. This is a real goldmine, and people can find uses for the information for their own purposes that you may not be able to see.
5. The heart of information security is information. NAC will gather that information, and much of it. Security without NAC is like trying to play tennis blindfolded. Not easy, and you could make some grave mistakes without vital sources of information.

Thanks, we got out NAC kickoff meeting this afternoon.

deanwebb · December 12, 2016, 08:30:13 AM

Awesome / oh noes, depending.

Have you done vendor selection yet?

icecream-guy · December 12, 2016, 08:37:09 AM

Quote from: deanwebb on December 12, 2016, 08:30:13 AM
Awesome / oh noes, depending.

Have you done vendor selection yet?

will find out at the presentation this afternoon

deanwebb · December 12, 2016, 08:53:11 AM

Well, whoever it is, good luck. You're gonna need it!

Monitor everything before enforcing anything. Repeat that over and over. Be sure you have an accurate inventory of all switches and WLCs, including what OS they're on, so you know which ones need upgrades and which ones are just fine.

I'd recommend having all NAC appliances spun up and ready before starting monitoring so that you can include all their IP addresses in access lists and SNMP communities.

802.1X is gonna happen for Wireless at the very least: get Edwin Lyle Brown's "802.1X Port-Based Authentication" if you haven't already. That book has saved my caboose numerous times.

Wireless is the first, easy win for enforcement. VPN can be second. Wired enforcement really should be last.

Otanx · December 12, 2016, 10:25:26 AM

Quote from: deanwebb on December 10, 2016, 04:04:43 PM
3. Most people I talk to say that, if a NAC project goes anywhere, it usually goes to monitoring and stays there. Very few shops have actually gotten to real enforcement.

This is very true. A local company here has tried enforcement three times and broke stuff. They also had an issue doing user based vlan assignment with dot1x. I haven't heard from my friend over there for awhile so I don't know if they ever got enforcement working or not. I am guessing not.

-Otanx

icecream-guy · December 12, 2016, 12:25:48 PM

Quote from: deanwebb on December 12, 2016, 08:30:13 AM
Awesome / oh noes, depending.

Have you done vendor selection yet?

all Cisco, and mostly done, and the engineers did all the heavy lifting, just gearing us up for the operations management part of it and deploying for the wired connections.

deanwebb · December 12, 2016, 01:50:39 PM

Quote from: ristau5741 on December 12, 2016, 12:25:48 PM
all Cisco, and mostly done, and the engineers did all the heavy lifting, just gearing us up for the operations management part of it and deploying for the wired connections.

"Deploying for the wired connections"... be ready for the IOS upgrades and mandatory equipment refreshes.

Do all the Windows clients have AnyConnect on them? I'd consider that a must-have to avoid meltdowns.

Ctrl Z · December 12, 2016, 11:59:34 PM

My biggest headache with NAC has been trying to get the first levels of support to go through their checklists before kicking it up to me.

Did you verify the Zero Wired Autoconfig service is running? Nope.
Did you check that the machine has the correct 802.1x configuration settings applied? Nope.
Is the printer configured with the settings required to pass profiling? deer in headlights look.
Where's your checklist? What checklist?

deanwebb · December 13, 2016, 09:04:35 AM

^^^ THIS

Every issue becomes an engineering issue because it is NAC and people are afraid of it. In truth, nearly all the issues are client issues. Bad certs, misconfigured dot1x settings, sleep/hibernation mode...

And that last one is a real beatdown. Windows comes out of sleep/hibernation and says it's ready to take on the world, but...

It is not. It is still waking up, so it winds up having problems both with pre-connection (dot1x) and post-connection authentication.

icecream-guy · December 13, 2016, 10:41:47 AM

Quote from: deanwebb on December 13, 2016, 09:04:35 AM
^^^ THIS

Every issue becomes an engineering issue because it is NAC and people are afraid of it. In truth, nearly all the issues are client issues. Bad certs, misconfigured dot1x settings, sleep/hibernation mode...

And that last one is a real beatdown. Windows comes out of sleep/hibernation and says it's ready to take on the world, but...

It is not. It is still waking up, so it winds up having problems both with pre-connection (dot1x) and post-connection authentication.

I don't mean to profess myself as a NAC expert here, since I just got involved in the NAC project yesterday.

but shouldn't it be "problems with both pre-connection authentication (dot1x) and post-connection authorization?
there should only be 1 authentication (who), then authorization for the what and where

deanwebb · December 13, 2016, 12:10:45 PM

You are correct, Ristau. My distinction was between vendors, some of whom will to pre-connection auth and some do post-connection (non-dot1x) auth.

And Windows waking up can screw them both up, big time.