Network Access Control (NAC) and Authentication Wrap-Up

Video Activity
Time
9 hours 49 minutes
Difficulty
Beginner
CEU/CPE
10
Video Transcription
>> One other service on the network that we want to talk about in relation to authentication access is network access control, sometimes referred to as NAC. As we know, there are all sorts of acronyms that sound the same. Don't confuse this with NAT. NAT, of course, is network address translation; we're on network access control.

The idea behind NAC, and one of its primary uses, is to either allow or deny access to clients based on their health. When we talk about a client and think about the health of a system, there are things that make a client healthy. Do they have anti-virus and anti-malware? Are they running a firewall or spyware protection? Are they up to date, or are they behind on their patches? We can specify various pieces of criteria for what we consider makes a healthy client. Then we configure the policy that essentially says, this is how we determine what's healthy, and if a client meets our health requirements, then they're allowed access to a resource. If they don't meet our health requirements, then they're either denied access or could even potentially be sent to a remediation network. For instance, if I require my clients to have anti-malware and a client doesn't, then they could actually be redirected to a segment of the network where they could download anti-malware and try again. There are all sorts of capabilities with network access control.

The idea is, as you can see on the screen, we have the requestor of services. In this instance, maybe I'm at home and I'm trying to VPN into my internal network. As I make my request, I would connect to a VPN server, or in this case, it looks like the access requestor is connecting into a switch. At any rate, what we see is the request actually being forwarded to a RADIUS server. We've talked about RADIUS multiple times. It could be forwarded to the NAC server, as you see, Active Directory, firewall, whatever. We have three big pieces: the client initiates the request, the enforcement point, and the decision point. If we were doing this and trying to connect into the switch with credentials, that request will be sent to the decision point. The decision point asks, "Is that client healthy or not?" Here are the criteria to consider the client a healthy client, and that's passed back along to the switch. The access is either denied or allowed. Ultimately, the access is there at the enforcement point. Yes or no? The real decision is made at the next level, at a policy decision point. It's the same way with RADIUS: you connect to a VPN server and the VPN service says, hang on, let me forward the request to RADIUS. RADIUS comes back with the decision, and then that enforcement point either allows or denies access. It's the same idea here with network access control.

This idea of having the client verify and validate their health to the health server is going to be really helpful if I have laptop computers that come and go from our organization, and you may be connecting to one network today and a different network tomorrow. That's one way that systems can really become infected, because different organizations have network security variances. Every time a client comes in to log onto your network, having to provide a statement of its health is going to go a long way toward making sure your infected clients don't get on the network.

That's going to require the client to be capable of providing a statement of health. Most operating systems that are current have that capability. But it's a service that is not turned on by default in Windows. It'll be something that you'd have to enable. You'd have to enable it on the enforcement point and configure the policy on the decision point, on the backend. Very frequently, stuff like this is done in either RADIUS or NAC, or Windows has a function called Network Policy Server. That's where it includes decisions for RADIUS or for NAC, or any other element.

The bottom line here is we can either allow or deny access to resources by challenging a client, or saying, "Prove to me you are healthy." That client provides a statement of health based on what's allowed or what's configured in the operating system. If the statement of health provides the necessary security stated by the NAC server, then the system is allowed to connect in. It's a good feature and it helps us make sure we don't have devices connecting to our network that aren't as updated as they need to be.

Some key takeaways from this section. We talked about the benefits of single sign-on, making it much easier on our users by not weighing them down with lots of passwords to keep up with. It also makes it easier on administrators because they have a single directory database that they have to monitor and control; it makes it easier to secure the environment, and it makes it easier to allow access. When we're looking at an internal network infrastructure, it's often Kerberos that's used to provide single sign-on. Once we want to extend beyond our domain and start sharing identity information with other software as a service providers or Cloud providers, that's where we rely on our administrators creating federated trust with them. Once the trust is established, we either allow SAML tokens or OpenID Connect tokens to provide that authentication information for our users. We also said OAuth 2.0 is a part of OpenID Connect. That goes beyond just authentication; that allows for the delegation of services.

Last but not least, we talked about network access control. Network access control's purpose is to prevent client systems that are not healthy from joining the network. It's a network administrator that determines what the health of a client should be. NAC puts a system in place so the client verifies their health and that it meets the minimum requirements to join the network or to access the resource.
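As an added illustration of the flow described in the video (not code from the course or from any NAC product), the toy below models the three pieces the instructor names: the client's statement of health, a decision point that checks it against an administrator-defined health policy, and an enforcement point that maps the verdict to allow, remediation segment, or deny. The field names and the sample clients are constructed for this example.

```python
# Added example: a toy NAC decision point and enforcement point. Field names in the
# statement of health (SoH) are constructed for illustration, not any vendor's format.
from dataclasses import dataclass

ALLOW, REMEDIATE, DENY = "allow", "remediate", "deny"


@dataclass(frozen=True)
class HealthPolicy:
    """What the administrator considers a healthy client."""
    required_protections: frozenset = frozenset({"antivirus", "antimalware", "firewall"})
    max_days_since_patch: int = 30


def evaluate_soh(soh, policy):
    """Decision point: return (verdict, failed_checks) for one statement of health."""
    if soh is None:  # client cannot or will not report its health (service not enabled)
        return DENY, ["no statement of health"]
    failed = [p for p in sorted(policy.required_protections) if not soh.get(p, False)]
    days = soh.get("days_since_patch")
    if days is None or days > policy.max_days_since_patch:
        failed.append("patches")
    if not failed:
        return ALLOW, failed
    return REMEDIATE, failed  # fixable gaps: send the client to the remediation segment


def enforcement_point(soh, policy, decide=evaluate_soh):
    """Switch / VPN server: forward the SoH to the decision point, then apply its answer."""
    verdict, failed = decide(soh, policy)
    segment = {ALLOW: "corporate", REMEDIATE: "remediation", DENY: None}[verdict]
    return {"verdict": verdict, "segment": segment, "failed": failed}


# Constructed sample clients (not real telemetry)
HEALTHY = {"antivirus": True, "antimalware": True, "firewall": True, "days_since_patch": 3}
NO_AM = {"antivirus": True, "antimalware": False, "firewall": True, "days_since_patch": 3}
STALE = {"antivirus": True, "antimalware": True, "firewall": True, "days_since_patch": 90}

if __name__ == "__main__":
    policy = HealthPolicy()
    for name, soh in [("healthy", HEALTHY), ("no_am", NO_AM), ("stale", STALE), ("silent", None)]:
        print(name, enforcement_point(soh, policy))
```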