Now our next concept is going to be network access control. Network access control comes in two main forms: we have posture assessment, and we also have 802.1X. So what is network access control? Well, network access control is a system which allows us to permit or deny general access to our network,
rather than just letting people connect to our network
and then later running scans on them, running malware scans on them. That's the first thing we do when they connect to our network: we make sure that this person is allowed on our network, we make sure that they meet our criteria, and we can control not just access to some of the resources in our network,
but access to our network at all.
Our first type of network access control is something called posture assessment. Now, posture assessment is going to check our machines against a set of rules or a set of requirements for what we want them to look like when they're on our network. Maybe we want to make sure that all the machines connected to our network have updated antivirus.
Maybe we want to make sure that they all have the latest security updates.
Posture assessment lets us do that. We can take a look at the machines before they connect to our network; we can have them tell us, and we can check and see if they are meeting the requirements for being on our network. So
in our example here for posture assessment,
we have our client computer.
Now our client computer is just connecting into our network, and we have our switch here, which is going to start our posture assessment.
Our computer connects to the switch, and the first thing that our switch does, before it even gives our computer an IP address and allows it to start transmitting traffic on our network, is go out to a server which gives it the list of requirements and checks. It assesses the computer's current standing
against them, and it checks things like current antivirus updates. It may check and see
if we have all the latest security updates; it may see if our antivirus is on, if we have an active firewall, things that would make sure that we have a computer which is secure on our network, because we want all the computers that are connecting to our network to be secure against threats they may have been exposed to outside of our network.
So we run all these checks against them, and if they're good, they pass all of the checks.
So then, once we verify that they pass all of the checks, they can access our network resources.
Now, let's say this computer does not pass these checks. Let's say our server comes back and it realizes that our computer does not have the latest couple of antivirus updates, or hasn't run an antivirus scan at all. It can do a couple of things. The first thing it can do is go back to the computer and just say you're not allowed on the network.
It can also go back to the computer and say you're not allowed on the network
until you do these things, or it can come back to the computer and say you're not allowed on this network, but I'm going to allow you, and only allow you, access to something called our remediation network. Now, our remediation network is going to be a
very, very small subnet
or very, very small section of our network which is segmented off from the rest of our network, maybe by doing something such as subnetting or setting up a VLAN, so that our computer can now only talk with the devices which are on our remediation network. What the remediation network does is bring our computer
into compliance with our posture assessment.
If our computer is missing a couple of antivirus updates, if our computer is missing a couple of security updates, then we aren't able to access our main network. But we still need to be able to get those updates, so when we connect to the switch, we are able to access our remediation network. Maybe it's just one or two servers,
and all they do is provide antivirus updates.
They provide all the latest antivirus updates, they provide all of the latest security updates, they give the computer everything it needs in order to come into a good enough standing so that it can connect to our network. And once we've connected to our remediation network and all those updates have finished, then we'll get our
posture reassessed, and then we'll be allowed access to the main network, to the rest of the network.
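To make the posture assessment flow concrete, here is a small simulation of the policy check, the remediation VLAN and the reassessment loop. This is an added example written for this page, not code from the lecture or from any NAC product; the policy values, VLAN numbers and update-server hostnames are constructed for the demo.

```python
"""Posture assessment with a remediation network (added example, not from the lecture).
The 'switch' asks the posture server to grade a client's health report; a failing
client is placed on a small remediation VLAN that can only reach the update servers,
and is reassessed after the updates have been applied."""
from dataclasses import dataclass, field
from datetime import date

# Policy the posture server enforces (constructed values, not from the lecture)
POLICY = {
    "min_av_signature_date": date(2024, 5, 1),  # antivirus definitions no older than this
    "max_missing_security_updates": 0,
    "require_av_running": True,
    "require_firewall": True,
}

MAIN_VLAN = 10          # full network access
REMEDIATION_VLAN = 99   # only the update servers live here
# Hypothetical hostnames of the one or two servers on the remediation network
REMEDIATION_HOSTS = {"av-updates.example.internal", "patches.example.internal"}


@dataclass
class HealthReport:
    """What the client tells the posture server about itself."""
    hostname: str
    av_signature_date: date
    av_running: bool
    firewall_enabled: bool
    missing_security_updates: int


@dataclass
class Decision:
    """Which VLAN the switch should put the port in, and why."""
    vlan: int
    reasons: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.reasons


def assess(report: HealthReport, policy: dict = POLICY) -> Decision:
    """Compare the health report against policy; every failed check is recorded."""
    reasons = []
    if report.av_signature_date < policy["min_av_signature_date"]:
        reasons.append("antivirus signatures out of date")
    if policy["require_av_running"] and not report.av_running:
        reasons.append("antivirus not running")
    if policy["require_firewall"] and not report.firewall_enabled:
        reasons.append("host firewall disabled")
    if report.missing_security_updates > policy["max_missing_security_updates"]:
        reasons.append(f"{report.missing_security_updates} security update(s) missing")
    return Decision(MAIN_VLAN if not reasons else REMEDIATION_VLAN, reasons)


def reachable(decision: Decision, destination: str) -> bool:
    """Model the segmentation: a port on the remediation VLAN only reaches the update hosts."""
    if decision.vlan == MAIN_VLAN:
        return True
    return destination in REMEDIATION_HOSTS


def remediate(report: HealthReport, today: date = date(2024, 6, 1)) -> HealthReport:
    """What the remediation servers can do for the client: fresh AV signatures,
    AV started, security updates installed.  They cannot flip the host firewall,
    so a client that fails only that check stays on the remediation VLAN."""
    return HealthReport(report.hostname, today, True, report.firewall_enabled, 0)


if __name__ == "__main__":
    laptop = HealthReport("laptop-17", date(2024, 3, 1), False, True, 2)  # constructed
    first = assess(laptop)
    print(first.vlan, first.reasons)           # 99, three failed checks
    print(reachable(first, "fileserver.example.internal"))  # False: segmented off
    second = assess(remediate(laptop))         # reassessment after updates
    print(second.vlan, second.compliant)       # 10, True
```

The `remediate` step stands in for the update servers the lecture describes; the point of the example is that the decision is recomputed from a fresh report, so a host that was fixed moves to the main VLAN while one with an unfixable failure stays segmented.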
Now, in addition to posture assessment, we also have something called 802.1X. Now, 802.1X is an IEEE standard for network access control, and this is a standard which allows us to have 802.1X switches,
and 802.1X routers and devices on our network,
which actually authenticate the device before it's even allowed to connect to our network at all. So before our device can even connect to our servers, before our device can even get an IP address or go on the Internet or anything, it has to be authenticated through 802.1X. So
there are three main components. We have the supplicant,
the authenticator, and the authentication server.
Now, 802.1X also utilizes some sort of AAA server, our authentication, authorization, and accounting server, and so it can use either RADIUS or TACACS+. We'll use the example of RADIUS here, so we have our RADIUS example.
So we have our RADIUS
AAA server right here. So we have our client computer connect to the network, and our client computer is going to be our supplicant, and the supplicant connects to our switch. And this could be either a wired or a wireless switch; this could be a wireless access point. Wireless access points can also be compatible with 802.1X.
When we connect to the wireless access point, the wireless access point, before it allows us to connect to the network, is going to check and pass our credentials on to the RADIUS server. So the wireless access point or the physical switch is the authenticator.
But the switch or the wireless access point does not actually have a store of our credentials.
We don't store all of our Active Directory credentials, all of our usernames and passwords to check against, on our switches and our wireless access points. That would be a bit insecure, because all it would take in order to pull that record would be to walk into our environment and steal a switch or steal a wireless access point.
And it's a lot harder to secure those
than to secure our servers, our AAA servers. So the authenticator, and in this case I will say this is our wired switch, is going to pass those credentials to the RADIUS server, our authentication server.
And when it does, our RADIUS server is going to now
check and see if those credentials pass. Now, remember, we were talking earlier about AAA servers. We mentioned that with RADIUS we have the RADIUS server and the RADIUS client. Because the switch is
essentially the device that is directly communicating with the RADIUS server,
the switch is the RADIUS client, even though it's not the actual person that's being authenticated; it's the device that's passing credentials directly to the RADIUS server. Our client computer, our supplicant, does not talk directly to the RADIUS server
and does not have a direct point-to-point connection
between itself and that RADIUS server, because if it did, it would leave it more vulnerable to intrusion. If we could pass code and commands directly to that RADIUS server by being directly connected to it, that wouldn't be a very secure environment,
because right now we don't trust this client. We don't trust this supplicant.
So we want to very strictly limit what they can do on our network, and at this point the only thing we allow them to do is pass credentials to the authenticator, to the switch. And that switch now becomes the RADIUS client, which will then forward those credentials to our authentication server, the RADIUS server.
The RADIUS server checks in its store.
It checks its authentication and it says OK, yes, this person, this supplicant is allowed on the network, so it will pass that back to the switch. The switch will receive the green light, will receive the message that says they're good,
and now the switch, the authenticator,
will allow the supplicant on the network. So now the supplicant can access the resources on our network.
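The supplicant / authenticator / RADIUS server split described above, as an added example that is not part of the lecture: the switch is modelled as the RADIUS client, it hides the password with the RFC 2865 User-Password scheme (MD5 of the shared secret plus the Request Authenticator, XORed block by block) before forwarding it, and the port stays closed until the server answers Access-Accept. The supplicant never holds the shared secret and never talks to the server. The usernames, passwords, secrets and addresses are constructed; a plain password exchange is used here for brevity, whereas production deployments normally carry an EAP method inside the RADIUS request instead.

```python
"""802.1X port control with a RADIUS back end (added example, not from the lecture).
The supplicant only talks to the authenticator; the authenticator is the RADIUS
client and forwards the credentials to the AAA server, which holds the user store."""
import hashlib
import hmac
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then for each block
    XOR it with MD5(secret + previous ciphertext block), seeded with the
    16-byte Request Authenticator.  This hides the password from anyone who
    sees the packet but does not know the shared secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of radius_hide_password, run by the RADIUS server."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strip RFC padding (passwords ending in NUL are not supported)


class RadiusServer:
    """The AAA / authentication server: user store plus one shared secret per RADIUS client."""

    def __init__(self, users: dict, client_secrets: dict):
        self.users = users                    # username -> password (plaintext only to keep the demo short)
        self.client_secrets = client_secrets  # authenticator address -> shared secret

    def handle(self, client_addr: str, request: dict):
        secret = self.client_secrets.get(client_addr)
        if secret is None:
            return None  # unknown RADIUS client: silently discarded, as RFC 2865 requires
        password = radius_reveal_password(request["User-Password"], secret, request["Authenticator"])
        expected = self.users.get(request["User-Name"])
        if expected is not None and hmac.compare_digest(password, expected):
            return "Access-Accept"
        return "Access-Reject"


class Authenticator:
    """The switch or access point.  It is the RADIUS client; each port stays
    closed until the server replies Access-Accept for that port."""

    def __init__(self, addr: str, secret: bytes, server: RadiusServer):
        self.addr, self.secret, self.server = addr, secret, server
        self.port_open = {}

    def eapol_logon(self, port: str, username: bytes, password: bytes) -> bool:
        """Credentials arrive from the supplicant on the port; only the switch speaks RADIUS."""
        request_auth = os.urandom(16)
        request = {
            "User-Name": username,
            "User-Password": radius_hide_password(password, self.secret, request_auth),
            "Authenticator": request_auth,
        }
        reply = self.server.handle(self.addr, request)
        self.port_open[port] = (reply == "Access-Accept")
        return self.port_open[port]

    def forward(self, port: str) -> bool:
        """Would a normal data frame on this port be forwarded into the network?"""
        return self.port_open.get(port, False)


if __name__ == "__main__":
    server = RadiusServer({b"alice": b"correct horse"}, {"10.0.0.2": b"s3cret-shared"})
    switch = Authenticator("10.0.0.2", b"s3cret-shared", server)   # constructed addresses
    print(switch.eapol_logon("Gi1/0/1", b"alice", b"correct horse"), switch.forward("Gi1/0/1"))  # True True
    print(switch.eapol_logon("Gi1/0/2", b"alice", b"wrong"), switch.forward("Gi1/0/2"))          # False False
```

Two details are worth noticing when running it: a request from an authenticator whose address has no configured secret gets no reply at all, which is why stealing a switch gives an attacker a shared secret but not the user store; and the password recovery only works with the same secret and Request Authenticator, so the hidden value on the wire is useless to the supplicant even though the supplicant supplied the password.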
Now, 802.1X and posture assessment can both be implemented in the same network. We aren't limited to one or the other. We could have an 802.1X-compatible network that also performs posture assessment. So as we're going in and we're connecting to our authenticator and we're passing our credentials,
we're not only passing credentials. First, we pass our credentials and we get authenticated so that we have
network access at all. But then we also pass our health report. We pass a health report that says, OK, here's my current health status; check this and see if my posture, if my security updates, if my malware scans meet your requirements. And then if we meet not only
the 802.1X requirements, if we are not only properly authenticated but also
meet our posture assessment, then we're allowed on the network and we're allowed to access our network resources. And that's how network access control can give us better control and a better security standing over who is allowed to connect to our network
and who is allowed to utilize our network resources.