Book Reviews

Book Review - Cisco Network Admission Control


By Stephen Northcutt
Summary: Cisco Press was kind enough to send me this book for review, and the timing was perfect: I have been thinking about NAC a lot lately. It puts a useful network device management control in the hands of an information security manager, and Cisco really does lead the market with its implementation.

What is Network Admission Control?

Cisco would tell you it is a tool to enforce security policy compliance: "Network Admission Control (NAC), a set of technologies and solutions built on an industry initiative led by Cisco, uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from emerging security threats. Customers using NAC can allow network access only to compliant and trusted endpoint devices (PCs, servers, and PDAs, for example) and can restrict the access of noncompliant devices."[1] If you are an information security manager, enforcing security policy compliance has to sound good to you. Of course, for this to work, the endpoint device has to have some software to manage this compliance; Cisco calls this a NAC posture agent, and such agents are not available for all of the devices that might be on your network: HVAC controllers (yes, your facilities people really do put them straight on your network), printers, copy and fax machines, IP telephones, and laptops owned by contractors and guests. However, if the idea takes off and we either see open standards or Cisco dominates the market[2], creating an industry standard, then additional agents should become available.

What are the benefits to Network Admission Control?

According to the book[3] benefits include protection against business disruptions from malware infections. Another benefit is Return on Investment (ROI) if you are a Cisco shop since you can leverage more security out of devices you have already procured, and a reduction in operating cost due to reduced firefighting, essentially a restatement of the first benefit.

What are the Network Admission Control Framework Components?[4]

A posture agent is software that collects security state information from multiple NAC-enabled endpoint security applications, such as antivirus clients, and communicates the endpoint device's compliance condition ("I am Northcutt's desktop and my antivirus is up to date"). The posture information is sent to the Cisco Secure Access Control Server (ACS). Cisco calls this agent the Trust Agent and has licensed the technology to its partners. The software decides which of six states to report. Healthy means the antivirus is up to date, the personal firewall is up and running, and so on. Checkup means something is out of date, such as the antivirus signatures. Quarantine is where the system starts to earn its paycheck: the endpoint is referred to a remediation server to get up to date. Infected is just what it sounds like, but it also covers suspected infection, for instance when the firewall is not running. The two remaining states are transition, used when a system is booting and needs an IP address but the posture agent is not yet operational, and unknown, which is where the HVAC controllers, printers, copy and fax machines, IP telephones, laptops owned by contractors and other agentless devices end up.

The network fabric is made up of Cisco routers, switches, wireless access points, and security appliances. Endpoint devices such as desktop computers must present security credentials, and that data is sent to policy servers that make the network admission control decisions. The network fabric then executes the admission control decision, which is generally one of permit, deny, quarantine, or restrict.
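To make the posture states and the fabric's enforcement decisions concrete, here is an added example that models the two steps described above. It is not code from the book, from Cisco, or from the ACS product; the threshold values, the state-to-action table and the VLAN names are hypothetical, standing in for whatever an administrator would configure on the policy server.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Posture(Enum):
    # The six posture states named in the text (Cisco's terms).
    HEALTHY = "healthy"
    CHECKUP = "checkup"
    QUARANTINE = "quarantine"
    INFECTED = "infected"
    TRANSITION = "transition"
    UNKNOWN = "unknown"


class Action(Enum):
    # The enforcement actions the network fabric carries out.
    PERMIT = "permit"
    RESTRICT = "restrict"
    QUARANTINE = "quarantine"
    DENY = "deny"


@dataclass
class PostureReport:
    """What a posture agent reports about one endpoint (constructed, simplified)."""
    agent_present: bool                      # False for printers, HVAC, guest laptops
    agent_ready: bool = True                 # False while the host is still booting
    av_running: bool = False
    av_signature_age_days: Optional[int] = None
    firewall_running: bool = False
    infection_detected: bool = False


# Hypothetical policy thresholds; a real deployment sets these on the ACS.
CHECKUP_AFTER_DAYS = 3       # older signatures: warn the user, still admit
QUARANTINE_AFTER_DAYS = 14   # older than this: remediation before access


def assess_posture(r: PostureReport) -> Posture:
    """Map an endpoint's report onto one of the six posture states."""
    if not r.agent_present:
        return Posture.UNKNOWN           # no agent, nothing to assess
    if not r.agent_ready:
        return Posture.TRANSITION        # booting, agent not yet answering
    if r.infection_detected or not r.firewall_running:
        return Posture.INFECTED          # confirmed, or suspected (no firewall)
    stale = r.av_signature_age_days is None or r.av_signature_age_days > QUARANTINE_AFTER_DAYS
    if not r.av_running or stale:
        return Posture.QUARANTINE        # send to the remediation server
    if r.av_signature_age_days > CHECKUP_AFTER_DAYS:
        return Posture.CHECKUP           # admit, but tell the user to update
    return Posture.HEALTHY


# Posture -> (fabric action, where the host is placed). Hypothetical table.
POLICY = {
    Posture.HEALTHY:    (Action.PERMIT,     "production VLAN"),
    Posture.CHECKUP:    (Action.PERMIT,     "production VLAN, user notified"),
    Posture.QUARANTINE: (Action.QUARANTINE, "remediation VLAN, remediation server only"),
    Posture.INFECTED:   (Action.DENY,       "no network access"),
    Posture.TRANSITION: (Action.RESTRICT,   "DHCP and DNS only until the agent answers"),
    Posture.UNKNOWN:    (Action.RESTRICT,   "agentless-device VLAN"),
}


def admission_decision(r: PostureReport):
    """The decision the policy server hands to the fabric: (posture, action, placement)."""
    posture = assess_posture(r)
    action, placement = POLICY[posture]
    return posture, action, placement


if __name__ == "__main__":
    # Constructed sample endpoints, one per interesting case.
    samples = {
        "desktop, current AV":      PostureReport(True, True, True, 1, True),
        "desktop, AV 5 days old":   PostureReport(True, True, True, 5, True),
        "desktop, AV 30 days old":  PostureReport(True, True, True, 30, True),
        "desktop, firewall off":    PostureReport(True, True, True, 1, False),
        "host still booting":       PostureReport(True, False),
        "network printer":          PostureReport(False),
    }
    for name, report in samples.items():
        posture, action, placement = admission_decision(report)
        print(f"{name:26s} -> {posture.value:10s} {action.value:10s} {placement}")
```

The ordering of the checks matters: an endpoint with no firewall is reported as infected before its antivirus age is ever considered, which matches the review's note that "suspected infected" covers a missing firewall.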

The policy server is called Cisco Secure ACS; it is responsible for authentication, authorization, and accounting and is based on RADIUS. According to Wikipedia, "RADIUS was originally developed by Livingston Enterprises for their PortMaster series of Network Access Servers, but later (1997) published as RFC 2058 and RFC 2059 (current versions are RFC 2865 and RFC 2866). Now, several commercial and open-source RADIUS servers exist. Features can vary, but most can look up the users in text files, LDAP servers, various databases, etc."[5] In other words, RADIUS is a very well understood, widely implemented network access control protocol. However, it uses UDP, which means it is easy to spoof IP addresses, so in the future the plan is to transition to DIAMETER, a TCP-based authentication, authorization, and accounting (AAA) protocol.

If we have RADIUS, why do we need EAP?

EAP stands for the Extensible Authentication Protocol. It is end to end: the requests and replies are initiated by either the endpoint seeking authentication or the policy server. Everyone else is passing the information along or, in the case of policy enforcement such as quarantine, reacting to it. EAP packets are either a request or a response, or they mark success or failure. Because EAP is extensible, you can imagine it supports a number of protocols, including our friend RADIUS, which carries the EAP exchange between the switch and the policy server.
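The two paragraphs above (RADIUS as the policy server's protocol, and EAP as the end-to-end exchange that RADIUS carries) fit together in one packet layout, so here is an added example that parses both layers. It is not code from the book or from any Cisco product: it builds a constructed RADIUS Access-Request carrying an EAP-Response/Identity in EAP-Message attributes, then extracts and decodes the EAP packet. The shared secret and the identity string are placeholders. The check it adds is the one a defender cares about: RFC 3579 requires a Message-Authenticator (HMAC-MD5 over the packet) on any Access-Request carrying EAP, which is what stops the spoofed UDP datagrams the text warns about from injecting EAP traffic into the policy server.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types used here (RFC 2865, RFC 3579).
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

# EAP codes (RFC 3748) and a few method types, including Cisco's EAP-FAST (RFC 4851).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}


def parse_eap(data: bytes) -> dict:
    """Decode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(data) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(data):
        raise ValueError("EAP length field inconsistent with buffer")
    pkt = {"code": EAP_CODES[code], "id": ident, "length": length}
    if code in (1, 2):                        # only Request/Response carry a Type
        if length < 5:
            raise ValueError("EAP request/response without Type")
        eap_type = data[4]
        pkt["type"] = EAP_TYPES.get(eap_type, f"type-{eap_type}")
        pkt["type_data"] = data[5:length]
    return pkt


def radius_attributes(packet: bytes):
    """Yield (type, value) for every attribute TLV after the 20-byte RADIUS header."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("attribute header truncated")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """RFC 3579: HMAC-MD5(secret, packet with the Message-Authenticator value zeroed)."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False                               # attribute absent: request must be rejected


def extract_eap_from_radius(packet: bytes, secret: bytes) -> dict:
    """Validate an Access-Request and return the EAP packet it carries."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    if not verify_message_authenticator(packet, secret):
        raise ValueError("Message-Authenticator missing or invalid; EAP not trusted")
    # A long EAP packet is split across several EAP-Message attributes; join them in order.
    eap = b"".join(v for t, v in radius_attributes(packet) if t == ATTR_EAP_MESSAGE)
    return parse_eap(eap)


def build_access_request(eap: bytes, secret: bytes, ident: int = 7) -> bytes:
    """Constructed sample (not a capture): Access-Request carrying EAP, signed per RFC 3579."""
    attrs = bytes([ATTR_USER_NAME, 2 + 8]) + b"northcut"
    for i in range(0, len(eap), 253):          # 253 bytes is the largest attribute value
        chunk = eap[i:i + 253]
        attrs += bytes([ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk
    ma_offset = 20 + len(attrs)                # where Message-Authenticator will sit
    attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16)
    packet = header + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:ma_offset + 2] + mac + packet[ma_offset + 18:]


# Constructed sample: EAP-Response/Identity "northcut", plus a placeholder shared secret.
SAMPLE_EAP = struct.pack("!BBH", 2, 7, 5 + 8) + bytes([1]) + b"northcut"
SECRET = b"placeholder-shared-secret"

if __name__ == "__main__":
    request = build_access_request(SAMPLE_EAP, SECRET)
    print(extract_eap_from_radius(request, SECRET))
```

Note that only the Message-Authenticator binds the EAP payload to the shared secret; the 16-byte Request Authenticator in an Access-Request is random and proves nothing on its own, which is why a policy server that accepts EAP-Message without checking attribute 80 is trusting whatever source address the datagram claims.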

The best write-up on the Internet on Cisco's implementation of EAP, called EAP-FAST, and the ramifications thereof is a paper by Interop Labs; if you are serious about NAC you should read this series of papers. Here is one of the key points: "There is a serious and critical difference between the 802.1X and UDP versions of Cisco's EAP, though. In the 802.1X case, EAP includes both authentication and end-point security assessment information. When used with UDP, Cisco's NAC no longer does authentication. Instead, the user has to be authenticated via some other mechanism, and the authentication and user credentials are no longer tightly tied to the security policy for that user. The access control is simply tied to the end-point security assessment information. This lack of symmetry between 802.1X versions of Cisco's Network Admission Control and UDP versions means that the attractive idea of a single enterprise policy server handling access control on the LAN, the WLAN, and over the IPsec and SSL VPNs is not part of Cisco's current architecture. A further symptom of this is the lack of wireless support in the free Cisco Trust Agent. If you want wireless 802.1X, you'll have to replace the freeware Cisco Trust Agent 802.1X with a different 802.1X supplicant. The real focus of the current version of Cisco's Network Admission Control is end-point security assessment---the authentication that comes out of an 802.1X dialog is really a side effect and not a core aspect of the entire system."[7]

Despite concerns that EAP-FAST might not really become a true standard, I think we can assume it will; Microsoft has stated it will support it. "Computers running Windows Vista or Windows Server "Longhorn" will include the NAP Agent component as part of the core operating system, which will be used for both NAP and NAC. In addition to the native Extensible Authentication Protocol (EAP) methods and the 802.1X supplicant that are included with the Windows Vista and Windows Server "Longhorn" operating systems, an additional EAP-FAST method and EAPoverUDP supplicant will be provided to enable interoperability between NAC and NAP. The EAP-FAST method and EAPoverUDP supplicant will be developed by Cisco and distributed by Microsoft with Windows Update and Windows Server Update Services (WSUS) through the EAP Certification Program. Using 802.1X, EAPoverUDP, and EAP-FAST provides agent transparency for the NAC network infrastructure."[8]

What about the book, is it any good?

Yes, it is. Cisco Network Admission Control states everything very clearly and shows what it looks like on Cisco gear. Chapter 5 is an excellent write-up on 802.1X, as well done as any I have seen, and is probably available to read on Safari if you type "NAC layer 2 operations" into Google, or here is the link I got.[9] I think the authors have done an outstanding job of giving a computer security manager the information they need to understand the technology in a clear, approachable manner. Take a look at chapter 5 and let me know what you think! Also, if you have insights, corrections or observations on Network Admission Control, please drop me a note at stephen@sans.edu.

Where can an IT manager go to get more information about the application of Network Admission Control?

This is discussed in the SANS Future Vision and Decisions[10] core slide deck, which also covers implementations other than Cisco's, and it should be in any up-to-date networking course.

1. http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html
2. http://www.checkpoint.com/products/enterprise/approach_policy_enforce.html
3. Cisco Network Admission Control, Volume 1, by Helfrich, Ronnau, Frazier, and Forbes (Cisco Press)
4. http://www.ciscopress.com/articles/article.asp?p=662903&seqNum=3&rl=1
5. http://en.wikipedia.org/wiki/RADIUS
6. 802.1X notes
7. http://www.interop.com/lasvegas/exhibition/interoplabs/nac/CISCONAC.pdf
8. http://www.microsoft.com/presspass/events/ssc/docs/CiscoMSNACWP.pdf
9. http://safari.ciscopress.com/1587052415/ch05
10. http://www.sans.org/visionsdecisions07/