Extend NAC Measures to network security devices (on)

Now you can extend the Network Access ControlNAC measure tool to many Network security devices and Network management tools. Extending the NAC policy measures to these devices can enhance access control while still allowing users and host identities to be used as part of every security and management tool.

Integrating user and host identifiers into security and management points means creating firewall facilities that can identify, using identity detection and blocking or intrusion prevention systems (IPS) in access control) monitors, applies enterprise anti-virus tools to devices that access the network, and reinforces NAC policies for remote users.

Extended NAC

Because NAC in the market is mature and new APIs and standards have been released, you can choose from many possible measure models.

Some potential policy implementation points will be discussed below, which can be used in an NAC environment that contains the current leading NAC solution. You cannot use all of these Implementation points in all NAC schemes, and not all implementation points suppliers support the standards and APIs required to achieve this goal. However, we will introduce the possibility of NAC deployment before you proceed, in this way, you can determine whether your organization's network and security goals need a solution that integrates other security devices in the security policy.

Some of these Implementation points have different performance factors. Multi-functional network and security devices have become popular in recent years-in many cases, they include all the implementation models discussed below.

Note: The logical implementation module is described below, instead of completely independent devices and devices.

Firewall measures

Maybe your organization has deployed many firewalls in different areas of the network, such

Network entry and exit

Before the data center

Independent location and Department

As a result of these policies, the firewall is logically a point where you can expand the implementation of NAC.

Tip: in fact, some NAC solutions have used firewalls as an implementation point. However, for other NAC solutions, extending NAC to the firewall requires integration through APIs and standards.

The firewall also provides good NAC Implementation points, because the Organization may set some policy types based on each user or role. For example, a firewall that is placed before an enterprise data center and integrated with the NAC solution allows organizations to define very fine-grained role-based policies for each group of users on the network. This organization may allow all employees to access, such as email servers and share certain files, but it can use firewall policies to only allow financial personnel to access sensitive financial data and applications.

This concept is now more called "authenticated firewall identity-aware firewalling)" and is increasingly popular among organizations in all industries-not just those that comply with regulations, such as Sarbanes-Oxley (SOX), The Health Insurance Portability, and Accountability Act (HIPAA). It also includes any organizations that need to divide networks and perform information access control based on user functions. In terms of adaptability, the firewall can now see that users not only allow organizations to implement fine-grained access control, but also can test audit and other report requirements that have been implemented.

In the current mobile world, users from multiple locations and devices may appear anywhere on the company's network at any time. As a result, some static defined source and target IP addresses-Based on firewall policies-are no longer accurate. By activating the NAC firewall policy, you do not need to rely on the static firewall policy to allow the firewall to track users who have to move on different locations and devices. This policy is more consistent with the method and starting point for policy formulation. The firewall security policy does not need to be applied until the user physically connects to the Ethernet port on the office. The firewall can now implement policies based on users and user groups.

IDP/IPS measures

You can use intrusion detection and blocking IDP) or Intrusion Prevention System IPS (IPS) devices as a mechanism to monitor the final user behavior of the enterprise network. It provides a feedback loop, your NAC solution can be used to modify access control decisions based on end user behavior.

These same systems can identify all the traffic that passes. In many cases, organizations have deployed IDP/IPS so that they can determine not only whether a specific traffic is malicious, but also which application is using the traffic. These systems can restrict access to specific applications based on this technology.

For example, an organization may not want users to use point-to-point applications or unapproved instant messaging applications on the network, therefore, the correctly deployed IDP/IPS system can help implement application-level control by discarding traffic that is not within the scope specified by the policy.

By extending this type of system to NAC, these policies can now become role-based. For example, users in a specific group may have valid reasons to use specific point-to-point applications. By extending NAC to IDP/IPS, you can allow specific users to use these applications and completely restrict other users.

Because end users connect many of their own devices to the enterprise network, therefore, the implementation of this policy can block the network access of undesirable applications-you can set the time limit for users to install these applications from managed laptops and PCs.

Integration makes your current NAC policies more fine-grained-at the application layer, rather than at the network layer-to give you control levels that are not available in many standard NAC solutions.

Table 1 lists only the policies that you may apply to your organization. In fact, if you have an IDP/IPS solution with these features, you may have used these types of policies. However, if you include NAC in an IDP/IPS policy, you can select or modify the policy type based on a specific user or user group, instead of setting policies based on the source and target IP addresses. This type of policy is suitable for applications in the Organizations of mobile users with different roles.

1. Cisco NAC solution core: Trusted proxy
2. Cisco nac and CAS technical materials
3. Network Access Control (NAC) is deployed now?