Network Access Control Models – CompTIA Network+ N10-006 – 3.6

We control the access to our networks in many different ways. In this video, you’ll learn about access control basics, 802.1X NAC, posture assessment, and guest networks.
<< Previous: Firewall ConfigurationsNext: Basic Forensic Concepts >>

There are many different ways to provide access control of who’s on your network at any particular time. In this video, we’ll look at a number of different techniques to provide network access control. One common place to control access is right at the edge of your network, right through your firewall. This is usually where you’re connecting to the internet. And you’re setting up access control lists or rules inside of your firewall that are determining who can come into the network and who can leave the network.

Other types of access control might be more formalized. You may have access control that is able to allow or disallow traffic depending on anywhere you might happen to be. It can be based on rules if you’re a particular user or a member of a particular group, we can allow or disallow access that way. This access control is usually managed from a central point and it can change or modify what your access control might be at any time. It can examine the security posture of your device.

And if your disk encryption was disabled or your anti-virus was disabled, it can change your ability to access different parts of the network. We’ve discussed 802.1X as an access control method in previous videos. This is the port-based network access control that you might run inside of your switch. This is one where you can connect to a wireless network or connect to a wired network but you don’t get access to the network unless you first authenticate. This usually works in conjunction with some type of access database on the back end.

You might be communicating through RADIUS or TACACS+ or using LDAP as a way to determine if their credentials are correct for that particular user. It’s becoming increasingly common to perform posture assessments of the devices we’re using on our network. This is because we’ve started to bring in our own devices, our own tablets, our own phones, and we’re connecting them to our internal corporate networks. These devices might be infected with malware. They may not be even running anti-virus or anti-malware software and they might have applications loaded on them that have unpredictable results when you’re running them on a corporate network.

So before this device can gain access to the network, we perform a posture assessment. We check the health of this device to see is it a trusted device? Is it running anti-virus? What type of anti-virus is it running? Has it been updated with the latest anti-virus signatures?

Are the proper applications loaded on this device so that they can work properly inside the corporation? Is it a mobile device? Does it have disk encryption enabled on it? All of these criteria can be used together to create a posture assessment of this device so that the administrator of the network can make a determination on whether it’s OK for this device to be on the network or not.

And it doesn’t matter what operating system you’re running. You can perform posture assessments on Windows, on Mac on Linux, on iOS, on Android, and any other device that you can think of connecting to the corporate network. To properly perform this posture assessment, we need software to check out the device. This might be a persistent agent that is always installed on these particular systems. These may also require periodic updates so that the devices have the latest signatures and the latest information about anti-virus and anti-malware and disk encryption and all of those other criteria we use to determine if this is a safe device or not.

Some posture assessment software doesn’t require that it be installed into the operating system. This is a non-persistent agent. So it starts up, it runs its process, checks the health of the system, and then it terminates and is no longer loaded on that particular device. So now that you’ve gone through this process of checking the device, you know exactly what operating system it’s running, you know if it’s running anti-virus or if it has disk encryption enabled. Now you get to make a decision on whether this device is allowed on the network or not.

But what if it fails this posture assessment? What if one of those criteria is not matching what is required for your network? One option is to quarantine the device. You can move it off to a separate VLAN, automatically transfer it over to a place on the network where it can’t cause any harm. But perhaps it has just enough access to download and install the software that it needs.

Your posture assessment software might also contact the administrator so they can see what user trying to connect what device to the network, and then they can reach out to determine what needs to be changed so that this device can properly pass our posture assessment. If you’re walking into a building for a meeting or you’re shopping at a very large store, you may find there is a guest network available for use. This is a network that commonly allows you access to connect to the internet but it does not allow you access to connect to the corporate network.

This can be a wired connection in a conference room, but more often it’s one that is wireless. You can connect any of your devices over the wireless network and you don’t need to worry about where you’re going to connect into the network physically. This access can be very open or very closed. In some organizations, you simply connect to the guest network and you’re on the internet, where other organizations might have to provide you with a username and password just so you can gain access to that guest network.