100% NAC

Started by deanwebb, February 12, 2015, 05:38:35 PM


deanwebb

My backfill is here, so now I'm 100% on the NAC project where I work. That can be good... cool toys to play with...  :excited:

It can also be bad... I'm a single point of blame, now...  :'(

What's the worst that can happen? Only the network blowing up...  :glitch:

All in all, though, I'm overall stoked. I'm an FTE that gets to do consulting stuff, and I have a job (operations and engineering) when I go "back on the bench" when the project is over.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

NAC project over???   :rofl:   hahahahah.   It'll be ongoing forever; the project ends when you turn NAC off.


you = Homer
NAC = Bart
:developers:

:professorcat:

My Moral Fibers have been cut.

deanwebb

It means that, basically, they just told me that I have a job for life there.   :banana:

Part of what I enjoy about NAC is how interdisciplinary it becomes, and very quickly at that. If it's taken as a switch question of just putting in something at the port level that checks a cert and then accepts/denies on that criteria and possibly others, even then it's a project that involves the switch team and the desktop team. (Or guys, if your firm is small or medium sized.) But because NAC products are sold with more than just an Identify Friend or Foe (IFF) system, it will have connections to the teams or guys that do desktop updates, anti-malware, threat detection/threat response, help desk, routing (VLAN harmonization, anyone?), firewalls, PKI, Active Directory, and various production/lab/high-risk/high-security environments.

I've always enjoyed being able to be a generalist, and this role is a great fit for me. Yes, the work is very complicated and I've made more than one manager's head spin when he said, "I'm fairly technical. Go ahead and give me the details."

I do prefer project work to operational "My Internet needs rebooting" issues, so this promises to be a rich experience for me. It will mean that I will be trading vendor lunches that the rest of the team gets to head out on for more "We'll order in" situations, but that's not all that bad.

We are using ForeScout CounterACT as our NAC solution, which we chose after a head-to-head comparison with Cisco ISE. I know there's people in the world that make their bread-and-butter from ISE, so I'm not going to vendor bash. In fact, a good comparison is important so that a person can make an informed decision about what NAC product is the best fit for their firm. There is a lot of cool stuff in ISE, and there's a lot of cool stuff in CounterACT.

Of course, I'll be writing about NAC a lot, and I plan to keep it vendor-neutral. NAC project work has a lot of stuff that has to happen, regardless of which vendor you choose. You will be touching the switches. You will be touching the clients. You will be having meetings with people that are concerned because they heard of NAC going in at another company and, right after that, the machines rose up to kill their human masters. (I am convinced that the trigger for the Terminator series was a NAC deployment gone horribly, horribly wrong. Same for The Matrix. Be cool if there was a Terminator vs. The Matrix movie. But I digress.)

NAC means having the right kinds of meetings with the right kinds of people in order to meet the needs and goals of the project. If you want to learn how everything connects to everything else in a company, start a NAC project.

icecream-guy

Quote from: deanwebb on February 13, 2015, 08:49:52 AM
If you want to learn how everything connects to everything else in a company, start a NAC project.

This is the Federal Government boyah, no one knows how anything is connected to anything else,
other than "through a firewall".

So yer doing NAC native IPv6? or is that next week's project?

deanwebb

Hey, we just had a meeting that cut our paperwork in half, when everyone agreed that half the forms didn't apply to this instance. Score!

LynK

Dean,

I am looking at a NAC project in Q4 of this year or so. Do you have some documentation which you used for the deployment? This will be my first time deploying...
Sys Admin: "You have a stuck route"
            Me: "You have an incorrect Default Gateway"

deanwebb

I don't have any internal docs that I can share, but I can get into theory and practice stuff here. First question, how many endpoints are in your network? Include wireless, guest systems, desktops, laptops. And phones. And printers. Also badge readers/cameras/network-enabled coffee brewers. Just an estimate is good.

Then the next question is how many sites do you have? Those two questions help to guide you towards a centralized or decentralized approach.

LynK

Quote from: deanwebb on February 13, 2015, 01:02:26 PM
I don't have any internal docs that I can share, but I can get into theory and practice stuff here. First question, how many endpoints are in your network? Include wireless, guest systems, desktops, laptops. And phones. And printers. Also badge readers/cameras/network-enabled coffee brewers. Just an estimate is good.

Then the next question is how many sites do you have? Those two questions help to guide you towards a centralized or decentralized approach.

Tricky question, because most of the end devices are not even on our domain; they are thin clients connecting to either VDI or Citrix, if that makes a difference.

If you count every piece of equipment... maybe 5k computers. 500 or so printers. 200 routers, 200 or so switches, 300 or so APs

deanwebb

One site? If so, then that's a slam-dunk for "centralized".

How many systems on wired? Wireless? Do you have a guest network?

Seittit

One of my personal favorite things to do is blame NAC for every anomaly on the network.

Can't ping host? - NAC
Can't nslookup host? - NAC
Host can't route out? - NAC

deanwebb

Quote from: Seittit on February 13, 2015, 02:48:10 PM
One of my personal favorite things to do is blame NAC for every anomaly on the network.

Can't ping host? - NAC
Can't nslookup host? - NAC
Host can't route out? - NAC


Stop it. We're in monitor mode. We haven't done anything to impact that, yet.

And the easiest way to see if NAC has borked a box is to hit the NAC console to see if there are any authentication failures, blocked devices, or the like. If so, well, there's your problem. If not, hahahahaha it's not the NAC, suckers!

Seittit

Quote from: deanwebb on February 13, 2015, 03:50:35 PM
Stop it. We're in monitor mode. We haven't done anything to impact that, yet.

And the easiest way to see if NAC has borked a box is to hit the NAC console to see if there are any authentication failures, blocked devices, or the like. If so, well, there's your problem. If not, hahahahaha it's not the NAC, suckers!

Yeah, but, what if NAC was NAC'ing itself!?!

deanwebb

Quote from: Seittit on February 13, 2015, 04:40:01 PM
Quote from: deanwebb on February 13, 2015, 03:50:35 PM
Stop it. We're in monitor mode. We haven't done anything to impact that, yet.

And the easiest way to see if NAC has borked a box is to hit the NAC console to see if there are any authentication failures, blocked devices, or the like. If so, well, there's your problem. If not, hahahahaha it's not the NAC, suckers!

Yeah, but, what if NAC was NAC'ing itself!?!

That's why one always excludes the IP range of the NAC devices from NAC.
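Two practical points in deanwebb's replies above lend themselves to a small script: the "hit the NAC console for auth failures or blocked devices before blaming NAC" triage (with the monitor-mode caveat), and "always exclude the NAC devices' own IP range from NAC". This is an added example, not code from the thread or from any NAC vendor; the appliance addresses, exclusion range and console events are constructed sample data.

```python
import ipaddress

# Constructed sample data (not from the thread): the NAC appliances' own
# addresses and the range the enforcement policy is configured to skip.
# The third appliance sits outside the excluded /28 on purpose.
NAC_APPLIANCES = ["10.10.250.2", "10.10.250.3", "10.10.251.5"]
NAC_EXCLUSIONS = [ipaddress.ip_network("10.10.250.0/28")]

# Constructed NAC console events as (host address, event kind).
NAC_EVENTS = [
    ("10.20.5.17", "auth_failure"),
    ("10.20.7.44", "blocked"),
    ("10.20.7.44", "auth_failure"),
]


def is_excluded(ip, exclusions=NAC_EXCLUSIONS):
    """True if the address falls inside any range NAC is told to leave alone."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in exclusions)


def self_enforcement_gaps(appliances=NAC_APPLIANCES, exclusions=NAC_EXCLUSIONS):
    """Appliance addresses the exclusion list does not cover, i.e. the ones
    NAC could end up NAC'ing itself on. Empty list means the exclusion is complete."""
    return [ip for ip in appliances if not is_excluded(ip, exclusions)]


def triage(host, events=NAC_EVENTS, enforcing=True):
    """First-pass "is it NAC?" check from the console's point of view.

    Returns 'not_nac' when the console shows nothing for the host, or when NAC
    is still in monitor mode (it observes but never blocks); otherwise 'nac:'
    followed by the sorted event kinds that explain the complaint."""
    kinds = sorted({kind for ip, kind in events if ip == host})
    if not kinds or not enforcing:
        return "not_nac"
    return "nac:" + ",".join(kinds)


if __name__ == "__main__":
    print("appliances not covered by the exclusion:", self_enforcement_gaps())
    for host in ("10.20.5.17", "10.20.7.44", "10.20.9.1"):
        print(host, "enforcing:", triage(host), "monitor:", triage(host, enforcing=False))
```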

deanwebb

How NAC could have saved the Death Star: http://youtu.be/nhLUVg7pqNM