Network Access Control (NAC)

Network Access Control (NAC) is an important component of a comprehensive security management solution. NAC protects your network from unauthorized access, malicious intrusions, and external security exposures introduced by vulnerable or corrupted devices that can infect and damage your network.

LANDesk Security Suite offers an 802.1X NAC tool designed to support and extend the security of an existing 802.1X Radius server implementation on your network. LANDesk 802.1X NAC support adds authentication and compliance capabilities to basic 802.1X access control functionality.

IMPORTANT: Technical knowledge and expertise required for setting up Network Access Control
This section describes all the concepts and procedures necessary to install, configure, and use LANDesk 802.1X NAC support. Note that NAC requires additional hardware and software configuration beyond the basic core server installation. Because of the technical nature of this additional setup work, this guide assumes you are familiar with 802.1X Radius server configuration, 802.1X authentication and health posture validation, and advanced networking infrastructure design principles and administration. Be aware that, to set up NAC, you may need to consult with support representatives and/or affiliated system engineers.

The LANDesk User Community has user forums and best known methods for many LANDesk products and technologies. To access this valuable resource, go to: http://community.landesk.com

This introductory section gives a basic overview of NAC technology and services, and describes relevant prerequisites and tools.

Read this section to learn about:

Network Access Control overview
Network Access Control benefits and features
Understanding the basic NAC components
Security Suite prerequisites
Supported device platforms for compliance scanning
Role-based administration with LANDesk 802.1X NAC
Implementing LANDesk 802.1X NAC support

Network Access Control overview

Network Access Control (NAC) adds an extra layer of protection to your network by letting you prevent vulnerable or corrupted devices from gaining network access, as well as protect critical network resources from connected systems that become corrupted.

NAC enforces endpoint perimeter security using industry standard security technologies and systems, and gives you flexibility in implementing network access control on your network by supporting common industry standards and methodologies, such as IEEE 802.1X.

With NAC, you can define custom baseline security policies, scan devices (both managed and unmanaged) for security policy compliance, verify the health status (posture) of connecting devices, and deny or allow access to your critical network resources based on the device's compliance to your security policy. Healthy devices are granted full network access. If a device is determined to be unhealthy, it is blocked from accessing the network and remains in a virtual quarantine area where it can either be repaired with Security Suite remediation capabilities or be allowed limited network access.

With NAC, you can evaluate the security credentials of any device as soon as it attempts to connect to your network by comparing it to custom security policies, monitor the security state of devices that are already connected, allow or deny network access, quarantine devices that fail to meet the security policy requirements, and remediate vulnerable devices so they can be rescanned for security policy compliance and allowed network access once they are deemed healthy.

Network Access Control benefits and features

With NAC, you can:

Define custom baseline compliance security policies
Scan managed and unmanaged devices for security policy compliance as soon as they attempt to connect to your network
Verify the health status (posture) of connecting devices and monitor the security state of devices that are already connected
Allow or deny network access based on a device's compliance to your security policy
Quarantine devices that fail to meet the security policy requirements in a virtual quarantine area with limited network access
Remediate vulnerable devices so they can be rescanned for compliance and allowed network access once they are deemed healthy

Compliance security policies

Compliance security policies consist of rules that verify the health state of a device by checking for vulnerabilities (in the form of missing or obsolete OS and application patches), software updates, antivirus engine and signature files, firewall presence and settings, and spyware.

For more information on defining a compliance security policy in the Patch and Compliance tool in the console, see Defining compliance security criteria and publishing NAC settings.

Understanding the basic NAC components

The sections below describe the basic components of a NAC implementation, the function of each component, and how they interact.

Basic NAC components descriptions

Devices attempting to access the network

Includes occasionally connecting or mobile laptops, visiting contractors and guest users, as well as regular network users that attempt to access the corporate network.

Devices with a trust agent installed can communicate with the policy server or posture validation server in order to send and receive health credential information, and can be repaired by the remediation server if vulnerabilities are detected during the security scan.

Without a trust agent, a device can't communicate with the posture validation server and can't be remediated. When a device without a trust agent is scanned for the first time, the device is directed to a Web page with links to install the appropriate trust agent.

Network access control device

The network access control device functions as the "first hop" network device from the supplicant/requesting device perspective and begins the posture validation and authentication process.

Policy server / posture validation server (network access decision point)

A dedicated back-end server, also known as the posture validation server, that evaluates the posture credentials (the state of devices requesting access) against the compliance rules (the security policy published to it from the core server) and sends a validation response (healthy, unhealthy, and so on) via the network access control device.

Corporate network

Critical network area and resources that NAC protects from unhealthy, infected, or otherwise vulnerable devices.

Quarantine VLAN

Virtual safe network area where non-compliant devices can be secured and either remediated, rescanned, and then granted full access to the corporate network, or retained with restricted access to network resources such as the Internet.

Basic NAC components and process flow

(Process flow diagram; the labels read in order:)

Devices attempting network access: (managed and unmanaged network user devices and/or visitor devices)

Network access control device: (network router or switch)

Network access decision point / policy server: (posture validation service that evaluates and enforces compliance security policies)

Corporate network: (network access granted to compliant, healthy devices)

Quarantine VLAN: (virtual safe network area to secure and/or remediate non-compliant, unhealthy devices)

Security Suite prerequisites

In order to use the NAC feature, you must have a valid Security Suite license (core server activation).

NAC requires not only the scanning and remediation capabilities of the Patch and Compliance tool, but also Security Suite content subscriptions in order to download the vulnerability, system configuration threat, and spyware definitions, and the virus pattern files, that are used to create custom compliance security policies.

A group named Compliance has been added to the Patch and Compliance tool's tree view. Users with the Patch and Compliance right can add security type definitions to, and remove them from, the Compliance group. The security definitions contained in the Compliance group make up the compliance security policy, and connecting devices are scanned for them in order to determine their health status.

For more information on Security Suite content subscriptions, see Security content types and subscriptions.

Supported device platforms for compliance scanning

NAC services work on the Management Suite supported device platforms, including the following operating systems:

Role-based administration with LANDesk 802.1X NAC

Network Access Control relies on the following role-based rights.

Patch and Compliance right

This right is required to see and access the Patch and Compliance tool, and to download the security content updates needed to define compliance rules. This right is also required to add or remove security definitions from the Compliance group.

Administrator right

This right is required to configure devices with trust agents for compliance scanning, and to configure NAC services in the console.

NOTE: The LANDesk Administrator right implies all other rights, including the two security-related rights mentioned above.

Implementing LANDesk 802.1X NAC support

LANDesk 802.1X NAC enhances network access control by requiring the proper authentication credentials as well as an active standard agent on the device. You can also validate device health compliance with your custom security policy, and quarantine and remediate unhealthy devices.

LANDesk 802.1X NAC works with all major switching vendors supporting the 802.1X standard. An 802.1X Radius proxy can participate with an existing AAA (authentication, authorization, and accounting) identity-management architecture that authenticates users and endpoints, or act as an independent Radius server for environments that only require endpoint compliance validation. The Radius proxy provisions switch port access dependent upon the authentication results for connected endpoints.
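The decision flow described in the component table and process flow above (trust agent check, posture validation against the compliance policy, corporate network versus quarantine VLAN, remediation and rescan), together with the Radius proxy's port provisioning described in the preceding paragraph, modelled as an added Python example. This is not LANDesk code and does not reflect the product's internals: the rule thresholds, VLAN ids, the agent-install portal URL and the use of RFC 3580 Tunnel-* attributes to carry the VLAN assignment in an Access-Accept are assumptions made for illustration.

```python
"""Constructed model of the NAC decision flow: not LANDesk code.

A trust agent reports posture; the policy server compares it with the
compliance policy and answers through the network access control device
with a VLAN assignment. Rule thresholds, VLAN ids, the portal URL and the
RADIUS attribute mapping are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

CORPORATE_VLAN = "100"    # assumed VLAN id for the corporate network
QUARANTINE_VLAN = "999"   # assumed VLAN id for the quarantine VLAN
AGENT_PORTAL = "https://nac-portal.example.invalid/install-agent"  # assumed


@dataclass
class Posture:
    """Health credentials a trust agent reports about its device."""
    missing_patches: List[str]
    av_signature_age_days: int
    firewall_enabled: bool
    spyware_found: bool


@dataclass
class CompliancePolicy:
    """Compliance rules; the defaults are assumed values, not product defaults."""
    max_missing_patches: int = 0
    max_av_signature_age_days: int = 7
    require_firewall: bool = True

    def violations(self, p: Posture) -> List[str]:
        """Return every rule the posture fails (an empty list means healthy)."""
        found = []
        if len(p.missing_patches) > self.max_missing_patches:
            found.append("missing patches: " + ", ".join(p.missing_patches))
        if p.av_signature_age_days > self.max_av_signature_age_days:
            found.append(f"antivirus signatures {p.av_signature_age_days} days old")
        if self.require_firewall and not p.firewall_enabled:
            found.append("firewall disabled")
        if p.spyware_found:
            found.append("spyware detected")
        return found


@dataclass
class Decision:
    """Validation response sent back via the network access control device."""
    result: str                         # "healthy", "unhealthy" or "no-agent"
    vlan: str
    violations: List[str] = field(default_factory=list)
    redirect_url: Optional[str] = None  # only set for devices without an agent

    def radius_attributes(self) -> dict:
        """VLAN assignment as RFC 3580 Tunnel-* attributes in an Access-Accept.
        Both outcomes are an Access-Accept: placing the device in the quarantine
        VLAN, rather than rejecting it, keeps it reachable for remediation."""
        return {
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": self.vlan,
        }


def validate(posture: Optional[Posture], policy: CompliancePolicy) -> Decision:
    """Policy server decision: no agent -> quarantine plus portal redirect,
    any violation -> quarantine, otherwise the corporate network."""
    if posture is None:
        return Decision("no-agent", QUARANTINE_VLAN, redirect_url=AGENT_PORTAL)
    failed = policy.violations(posture)
    if failed:
        return Decision("unhealthy", QUARANTINE_VLAN, failed)
    return Decision("healthy", CORPORATE_VLAN)


def remediate(posture: Posture) -> Posture:
    """Stand-in for the remediation server: patch, update signatures, enable the
    firewall and remove spyware. Returns the posture the agent reports on rescan."""
    return Posture([], 0, True, False)


def quarantine_cycle(posture: Optional[Posture], policy: CompliancePolicy) -> List[Decision]:
    """Scan; if unhealthy, remediate and rescan. Returns each decision taken."""
    history = [validate(posture, policy)]
    if history[0].result == "unhealthy":
        history.append(validate(remediate(posture), policy))
    return history


if __name__ == "__main__":
    policy = CompliancePolicy()
    # Constructed sample devices: a healthy laptop, an out-of-date contractor
    # laptop, and a guest device with no trust agent installed.
    samples = {
        "laptop-01": Posture([], 1, True, False),
        "contractor-07": Posture(["patch-A", "patch-B"], 30, False, False),
        "guest-tablet": None,
    }
    for name, posture in samples.items():
        for step, d in enumerate(quarantine_cycle(posture, policy), 1):
            extra = f" redirect {d.redirect_url}" if d.redirect_url else ""
            print(f"{name} scan {step}: {d.result} -> VLAN {d.vlan} {d.violations}{extra}")
```

Run stand-alone, the script prints one line per scan: the healthy laptop lands in the corporate VLAN on the first scan, the contractor laptop is quarantined with three violations and then admitted after remediation on the rescan, and the agentless guest device is quarantined with a redirect to the agent-install portal, which mirrors the "first scan without a trust agent" behaviour described in the component table.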

To learn how to set up, configure, and use LANDesk 802.1X NAC support, see Using LANDesk 802.1X NAC.