Network access control Implementation strategy

Source: Internet
Author: User

A shared network carries risks: virus intrusion, data theft, network paralysis and so on. Network access control technology can prevent these effectively and keep the network secure. Now that data theft, worms and viruses are rampant, building the network on Network Access Control (NAC) technology is necessary to keep pace with network security. Network access control, however, is not simple: it has a deep meaning and comprises a whole set of methods.

Policy enforcement in network access control is closely tied to the company's business processes. For example, the wireless network of some restaurants is the simplest network access control system: customers must accept the relevant terms before being allowed onto the network. This is simply the most basic example of network access control, offering the most basic value-added service, Internet access. For other environments such as hospitals, such an agreement is far too simple.

To choose the right type of network access control for your network, two prerequisites must be met. First, you need to understand what services network access control provides, how it provides them, and how they integrate into the network. Second, you need a clear, enforceable security access policy. Network access control does not create policy; it enforces policy. Without these two points, corporate network security will still be regarded as merely the IT department's responsibility (which is never a good thing).

Is the connection open or closed?

Restricted access prior to network access authorization is often called "locking". It does not mean that every gateway is blocked; for example, the locked machine is still allowed to download new antivirus updates. Before planning a network access control deployment, therefore, understand the locking method and match it to the access the locked machine still needs.

Early shared networks restricted sharing manually, through access routes and gateways, using source and destination IP addresses, TCP protocols, user data ports, IP ports and MAC addresses. From a network construction standpoint this requires a complete set of implementation procedures; a network access control method completes the series of access steps automatically. Another method is to allocate a dedicated LAN/VLAN that isolates the locked computer from the rest of the network; the relatively simple way to do this is through DHCP (Dynamic Host Configuration Protocol) allocation. This method can not only confine the machine to the Layer 3 VLAN, but also set other client parameters such as DNS. For example, all pages can then be released through an "accept" button on the Web server.

With more advanced switch configurations, the network access control system can dynamically control VLANs on those switches. By default, every switch port under network access control is locked and has limited access rights. Only when the system detects that the machine meets the network access control requirements does it send the instruction to unlock the port. Alternatively, the network access control device is installed at a switch point (similar to a SPAN port) where ARP traffic must pass through the gateway. Network access control injects its own MAC address into the client's ARP cache as the gateway, forcing the client to send all non-local traffic to the network access control device. Once the machine passes the network access control checks, it is allowed through the correct gateway.

Each method protects differently. In the DHCP method, a clever user can assign himself a valid static IP address, which also gets past the VLAN check. If the user knows the correct MAC address of the gateway, he can escape the ARP poisoning by manually creating an ARP entry that bypasses the network access control gateway. Most network access control systems, however, have specific measures to address these behaviors.
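The two bypasses described above (a self-assigned static IP in the DHCP method, and a manual ARP entry for the real gateway in the ARP method) leave traces a NAC operator can look for. The following is an added example, not code from the original article: a small audit that compares a DHCP lease table against hosts observed on the SPAN port and flags the mismatches. The lease table, the observed hosts, the gateway MACs and the quarantine subnet are all constructed sample values.

```python
"""Detect endpoints that sidestepped NAC quarantine, either by configuring a
static IP (no matching DHCP lease) or by resolving the gateway IP to the real
router's MAC instead of the MAC the NAC injected.

Added example with constructed data; not part of the original article."""
from dataclasses import dataclass

NAC_GATEWAY_MAC = "00:11:22:aa:bb:01"   # assumed: MAC the NAC injects as "gateway"
REAL_GATEWAY_MAC = "00:11:22:aa:bb:ff"  # assumed: MAC of the true upstream router
QUARANTINE_SUBNET = "10.99.0."          # assumed: address range of the locked VLAN

# Constructed DHCP lease table of the quarantine VLAN: MAC -> IP handed out.
LEASES = {
    "aa:aa:aa:00:00:01": "10.99.0.11",
    "aa:aa:aa:00:00:02": "10.99.0.12",
}

# Constructed observations from the SPAN port:
# (src_mac, src_ip, MAC the host resolved for the gateway IP, or None if unseen).
OBSERVED = [
    ("aa:aa:aa:00:00:01", "10.99.0.11", NAC_GATEWAY_MAC),   # compliant quarantined host
    ("aa:aa:aa:00:00:02", "10.99.0.12", REAL_GATEWAY_MAC),  # ARP bypass to the real gateway
    ("aa:aa:aa:00:00:03", "10.99.0.50", NAC_GATEWAY_MAC),   # static IP: no lease for this MAC
    ("aa:aa:aa:00:00:01", "10.10.5.7",  NAC_GATEWAY_MAC),   # leased MAC now on a non-quarantine IP
]


@dataclass
class Finding:
    mac: str
    ip: str
    reason: str


def check_host(mac, ip, gw_mac, leases=LEASES):
    """Return the list of policy violations for one observed host."""
    findings = []
    leased_ip = leases.get(mac)
    if leased_ip is None:
        findings.append(Finding(mac, ip, "no DHCP lease: static IP configured"))
    elif leased_ip != ip:
        findings.append(Finding(mac, ip, f"ip differs from lease {leased_ip}"))
    if not ip.startswith(QUARANTINE_SUBNET):
        findings.append(Finding(mac, ip, "address outside quarantine VLAN"))
    if gw_mac is not None and gw_mac != NAC_GATEWAY_MAC:
        findings.append(Finding(mac, ip, "gateway ARP entry bypasses NAC"))
    return findings


def audit(observed=OBSERVED, leases=LEASES):
    """Run check_host over every observation and collect the findings."""
    out = []
    for mac, ip, gw in observed:
        out.extend(check_host(mac, ip, gw, leases))
    return out


if __name__ == "__main__":
    for f in audit():
        print(f"{f.mac} {f.ip}: {f.reason}")
```

On the constructed data the audit reports four findings: one ARP bypass, one unleased static address, and two for the leased MAC that moved to a production address. In a real deployment the lease table would come from the DHCP server and the observations from a packet capture on the SPAN port; the comparison logic stays the same.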

Where the access control sits in the network should also be a key consideration. Unlike the port-control method, an in-line network access control gateway strictly controls traffic between the company WAN link and the network, but traffic that stays on the same side of it is unrestricted. Simply put, if A and B are both on the same side of the network access control gateway, they can reach each other.

Evaluate the safety of the terminal

Verifying the user's identity is a very strict step in the network access control system. In the simplest example, the wireless network in a café, the user is authorized to access the Internet only after agreeing to the relevant terms.

In a simple authentication environment, the network access control system queries a RADIUS server to determine whether the user may access the corporate intranet and the wireless network. If the user's password is correct, clearance is granted; by contrast, in the default state only ordinary ports are open (such as HTTP and HTTPS, as determined by the internal network security policy). In complex verification environments, such as senior managers entering the ERP system, administrators accessing servers, or insurance brokers entering the database, there is a dedicated user authentication policy. An LDAP interface or a dynamic IP server can authorize the end user to enter the application system.
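The article describes two gates in sequence: the posture check that decides whether a port or VLAN is unlocked, and the identity check against RADIUS that decides what the user may reach afterwards. The following added example (not the article's or any vendor's code) models both gates as one admission decision. The VLAN numbers, the antivirus signature-age threshold, the role-to-port policy, the DHCP option values and the credential store are all assumptions; a real system would query RADIUS or LDAP instead of the in-memory dictionary.

```python
"""Two-stage NAC admission: endpoint posture first (locked/unlocked VLAN),
then user identity and role (the RADIUS step). Added example; all constants
and the credential store are assumed, constructed values."""
import hmac
from dataclasses import dataclass, field

QUARANTINE_VLAN = 99      # assumed: locked VLAN with remediation-only access
PRODUCTION_VLAN = 10      # assumed: unlocked corporate VLAN
MAX_SIG_AGE_DAYS = 7      # assumed posture threshold for antivirus signature age
DEFAULT_PORTS = {80, 443}  # ordinary ports open in the default state

# Assumed role policy: destination ports each role may reach after unlock.
ROLE_POLICY = {
    "staff": {80, 443},
    "dba":   {80, 443, 1433, 3306},
    "admin": {80, 443, 22, 3389},
}

# Constructed stand-in for the RADIUS/LDAP backend: user -> (password, role).
USERS = {"alice": ("s3cret", "staff"), "bob": ("dbpass", "dba")}


@dataclass
class Endpoint:
    mac: str
    av_installed: bool
    sig_age_days: int
    patched: bool


@dataclass
class Decision:
    vlan: int
    allowed_ports: set = field(default_factory=set)
    reason: str = ""


def posture_ok(ep: Endpoint) -> bool:
    """Gate 1: does the machine meet the NAC requirements?"""
    return ep.av_installed and ep.sig_age_days <= MAX_SIG_AGE_DAYS and ep.patched


def radius_auth(user: str, password: str):
    """Gate 2: stand-in for the RADIUS Access-Request; returns the role or None."""
    rec = USERS.get(user)
    if rec is None:
        return None
    # Constant-time comparison; a real backend would verify a password hash.
    if not hmac.compare_digest(rec[0].encode(), password.encode()):
        return None
    return rec[1]


def admit(ep: Endpoint, user: str, password: str) -> Decision:
    """Combine both gates into the VLAN and port set the switch should enforce."""
    if not posture_ok(ep):
        # Locked: only the remediation ports so the host can fetch AV updates.
        return Decision(QUARANTINE_VLAN, set(DEFAULT_PORTS), "posture failed: remediation only")
    role = radius_auth(user, password)
    if role is None:
        return Decision(QUARANTINE_VLAN, set(), "authentication failed")
    return Decision(PRODUCTION_VLAN, set(ROLE_POLICY[role]), f"role {role}")


def dhcp_options(decision: Decision) -> dict:
    """Client parameters the NAC-aware DHCP server hands out for the chosen VLAN (assumed values)."""
    if decision.vlan == QUARANTINE_VLAN:
        return {"subnet": "10.99.0.0/24", "gateway": "10.99.0.1", "dns": "10.99.0.2"}
    return {"subnet": "10.10.0.0/16", "gateway": "10.10.0.1", "dns": "10.10.0.53"}


if __name__ == "__main__":
    stale = Endpoint("aa:aa:aa:00:00:01", av_installed=True, sig_age_days=30, patched=True)
    clean = Endpoint("aa:aa:aa:00:00:02", av_installed=True, sig_age_days=1, patched=True)
    for ep, user, pw in [(stale, "alice", "s3cret"), (clean, "bob", "dbpass"), (clean, "bob", "wrong")]:
        d = admit(ep, user, pw)
        print(ep.mac, d.vlan, sorted(d.allowed_ports), d.reason, dhcp_options(d)["dns"])
```

The ordering matters: posture is evaluated before credentials so that a non-compliant machine never reaches the RADIUS step with a valid password, and the quarantine DHCP scope points DNS at the captive server that serves the "accept" page.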
