Network Access Control and Authentication Wrap-Up


Time: 7 hours 50 minutes
Difficulty: Beginner
CEU/CPE: 8
Video Transcription
One other service on the network that we want to talk about in relation to authentication access is Network Access Control, sometimes referred to as NAC. As we know, there are all sorts of algorithms that sound the same. Don't confuse this with NAT. NAT, of course, is Network Address Translation; we're on Network Access Control.

The idea behind NAC and one of its primary uses is to either allow or deny access to clients based on their health. When we talk about clients, think about the AV system, things that make a client healthy. They have anti-virus and anti-malware. Are they running a firewall or spyware protection? Are they up-to-date, or are they behind in their patches? We can specify various pieces of criteria for what we consider makes a healthy client. Then we configure the policy that essentially says, this is how we determine what's healthy, and if a client meets our health requirements, then they're allowed access to a resource. If they don't meet our health requirements, then they're either denied access or could even potentially be sent to a remediation network. For instance, if I require my clients to have anti-malware and a client doesn't, then they could actually be redirected to a segment of the network where they could download anti-malware and try again. There are all sorts of capabilities with Network Access Control.

The idea is, as you can see on the screen, we have the requestor of services. In this instance, maybe I'm at home and I'm trying to VPN into my internal network. As I make my request, I would connect to a VPN server, or in this case, it looks like the access requester is connecting into a switch. At any rate, what we see is the request is actually being forwarded to a RADIUS server. We talked about RADIUS multiple times. It could be forwarded to the NAC server. As you see, Active Directory, firewall, whatever. We have three big pieces. We have the client that initiates the request, the enforcement point, and the decision point. If we were doing this and trying to connect into the switch with credentials, that request will be sent to the decision point. The decision point asks, is that client healthy or not? Here are the criteria to consider the client a healthy client. That's passed back along to the switch. The access is either denied or allowed. Ultimately, the access is there at the enforcement point. Yes or no. The real decision is made at the next level, at a policy decision point. It's the same way with RADIUS: you connect to a VPN server and the VPN service says, hang on, let me forward the request to RADIUS. RADIUS comes back with the decision, and then that enforcement point either allows or denies access. It's the same idea here with Network Access Control.

This idea of having the client verify and validate their health to the health server is going to be really helpful if I've got laptop computers that come and go from our organization, and you may be connecting to one network today and a different network tomorrow. That's one way that systems can really become infected; it's because different organizations have network security variances. Every time the client comes in to log onto your network, having to provide a statement of its health is going to go a long way toward making sure your infected clients don't get on the network. That's going to require that the client be capable of providing a statement of health. Most operating systems that are current have that capability. But it's a service that is not turned on by default in Windows. It'll be something that you'd have to enable. You'd have to enable it on the enforcement point and configure the policy on the decision point on the back end. Very frequently, stuff like this is done in either RADIUS or NAC, or Windows has a function called Network Policy Server. That's where that includes decisions for RADIUS or for NAC or any other element. The bottom line here is we can either allow or deny access to resources by challenging the client, or say, prove to me you're healthy. That client provides a statement of health based on what's allowed or what's configured in the operating system. If the statement of health provides the necessary security stated by the NAC server, then the system is allowed to connect in. It's a good feature. It helps us make sure we don't have devices connecting to our network that aren't as updated as they need to be.

Some key takeaways from this section. We talked about the benefits of single sign-on: making it much easier on our users, not weighing them down with lots of passwords to keep up with. It also makes it easier on administrators because they have a single directory database that they have to monitor and control. It makes it easier to secure the environment, and it makes it easier to allow access. When we're looking at an internal network infrastructure, it's often Kerberos that we use to provide our single sign-on. Once we want to extend beyond our domain and start sharing identity information with other software-as-a-service providers or cloud providers, that's where we rely on our administrator creating federated trust with them. Once the trust is established, we either allow SAML tokens or OpenID Connect tokens to provide the authentication information for our users. We also said OAuth 2.0 is a part of OpenID Connect. That goes beyond just authentication. That allows for the delegation of services. Last but not least, we talked about Network Access Control. Network Access Control's purpose is to prevent client systems that are not healthy from joining the network. It's a network administrator that determines what the health of a client should be. NAC puts a system in place so the client verifies their health and that it meets the minimum requirements to join the network or to access the resource.