Network Access Control (NAC)


Network Access Control (NAC): Planning a Successful Rollout and Implementation
Whitepaper
2011 ForeScout Technologies, Inc. All rights reserved.

Table of Contents

Introduction
Lay the Foundation
    Know What the Objectives Are: Set Goals
    Set the Standards for Success
    Cross Functional NAC Project Teams
Starting a NAC Deployment
    NAC Goal: Control Non-Corporate Users and Devices
    NAC Goal: Maintain Endpoint Compliance Across the Enterprise
    Tips for Managing Policy Change
Creation of a Phased Rollout Strategy
    Uptime Enforcement
    Site by Site Rollout
    Policy by Policy Rollout
Summary

ForeScout Technologies, Inc. Access ability.

Introduction

A primary security objective of any enterprise is to have comprehensive knowledge and control of all users/devices that move in and out of the network, ensuring that these devices are in compliance with corporate security policies. Basically, it is making sure that only the right users, with the right devices, gain access to the right resources on the network. The rationale is that, with this control, no device would be able to damage the network and sensitive data would not be compromised by unauthorized users. But with the vast complexity and unique nature of each enterprise, this goal of knowledge and control has been challenging and some would say unattainable.

With the emergence of Network Access Control (NAC) technologies, network administrators now have tools to gain this critical and powerful network understanding. However, care needs to be taken in selecting the right tool(s). A NAC solution will contribute significantly to an organization's business objectives by automatically enforcing network and security policies, preventing network downtime, maintaining network integrity and meeting federal and state compliance regulations. So with this in mind, it is important to look at what a NAC implementation would require and how this type of tool can be successfully rolled out to maximize business objectives.

To achieve successful results, from the conceptual stage through implementation, project leaders should have a clear understanding of three key issues:

- Project Goals: What does a completed NAC roll out look like? What business challenges are solved by the NAC roll out?
- Success Factors: What key factors will play into the success of the project?
- Rollout Strategies: What is the best way to go from planning to implementation in order to ensure success without limiting productivity?

This document will cover the basic questions that need to be addressed before attempting to implement a successful NAC roll out. Every enterprise is different and will have different nuances to how a NAC implementation will work within the physical network and within the corporate culture of the organization. It is the goal of this document to provide several options of how to systematically and effectively institute access control policies and enforcement, while continuing to preserve uptime and productivity.

Lay the Foundation

There are several issues that need to be addressed at the conceptual stage in order to lay a solid foundation for a NAC project. Having a good understanding of how to answer the basic questions will provide the right base from which to guide NAC rollout decisions, and will help NAC project leaders gauge their progress. In general, when setting the groundwork for a NAC roll out, the following questions should be able to be answered in detail:

- What are the main objectives of the NAC roll out?
    - Enforcing baseline security policy
    - Access control of network guests/contractors
    - Role based access
    - Keep worms out
- What constitutes success?
    - Meeting roll out time line
    - Enforcing policy
    - Maintaining uptime
- Who is involved?
    - Each stage of the roll out
    - Policy creation
    - Employee notification

Know What the Objectives Are: Set Goals

Today's network challenges have grown beyond dealing with traditional security threats (i.e., worms, viruses, spyware, etc.). Now business leaders are also coping with issues such as end point compliance, network integrity and availability, legal compliance, WAP control, confidential customer data, protection against hardware theft, privacy and more. With appropriate planning, the right NAC tools can handle these issues, but it requires spending sufficient time formulating goals that meet specific business needs. Some common goals include the following:

- Eliminate network access to non-corporate users and devices across all sites.
- Ensure all corporate devices have the necessary patches and software versions.
- Eliminate usage of non-compliant software on all end points.
- Achieve regulatory compliance (e.g. Sarbanes-Oxley).
- Eliminate zero-day worm outbreaks.
- Detect and disconnect all rogue wireless access points.
- Ensure that servers containing customer data are properly patched and secured.
- Ensure that servers containing customer data are only accessed by credentialed users.

These policy decisions cannot be made in a vacuum and must pull from a variety of corporate resources. Gathering information is critical to both understanding what the needs of the organization are and implementing a NAC solution that will contribute to the overall business goals.

Set the Standards for Success

A NAC project will excel when it is tied to a comprehensive list of business and technical success factors. In fact, these factors will be crucial when making decisions and measuring progress at every stage of the project's design and rollout. Making sure that NAC policies, procedures, strategies and related network processes meet the standards put forward here is essential to the success of the project.

Business Success Factors

Minimal Disruption to End-User Productivity: Policies should have minimal negative impact on end-user behavior, processes and productivity. For example, policies should:

- Avoid rash sweeping sanctions that have the potential to disrupt business continuity.
- Pinpoint and manage non-compliant users/devices only, and ignore the remaining compliant enterprise.
- Ensure that NAC processes are transparent to end-users and don't change their work patterns. For example, when logging in, use existing authentication methods.

Education and Awareness First: When appropriate, NAC policies should first serve to raise awareness of security and compliance issues and only in the most critical circumstances be used to impose immediate sanctions. Successfully educating and training the enterprise about security and compliance will naturally reduce the number of policy violations while still being able to take hard action when personnel do not comply with network policies.

Direct Personal Response: Verify that NAC policies and processes speak directly and personally to non-compliant network end-users in real-time, and automatically track the progress they make towards compliance. Each network user will be handled on the merit of their compliance status and addressed in direct response to specific violations they carried out.

Technical Success Factors

Intrusive Deployments vs. Minimal Impact Deployments: The ideal NAC solution would not slow down network response times, add latencies or drain network resources. The greater the impact of NAC technology on network operations, the greater the resistance and delays in achieving full implementation.

Client Based vs. Clientless Deployment: The ideal NAC solution would not require any endpoint installations (i.e. agent, client, shim, etc.) to carry out a deep inspection of the connecting device. Clientless deployment minimizes the IT and support effort required for end point installation/maintenance and expands the flexibility of which devices can be inspected. Additionally, clientless NAC provides the ability to extend NAC functionality to non-user based networked devices (i.e. IP printers, fax, VoIP phones, etc.).

Rigid vs. Flexible Deployment: The ideal NAC solution can be deployed according to your networking needs, i.e. at the distribution switch level, access switch level or at the core switch, without requiring any change to the existing network configuration.

New Equipment vs. Working with Existing Network Devices/Services: The ideal NAC solution integrates with existing infrastructure, rather than requiring changes to it. This means the NAC solution would work on top of existing network equipment, avoiding the need to update switches and other key network devices when deploying the NAC solution. Such changes to underlying infrastructure carry greater risks, significant expenses and drain the time of limited IT management resources. In addition to the physical infrastructure, the NAC solution should leverage existing application infrastructure as well. For example:

- Identity Management Systems (LDAP/Active Directory) can be leveraged for obtaining user identity information.
- Trouble Ticket Systems can be leveraged for tracking detections of non-compliant users/devices.
- Authentication Services can be leveraged for performing authentication.

Cross Functional NAC Project Teams

Who to Involve?

NAC projects require expertise from a variety of corporate resources. When setting objectives and goals for the NAC project, it will be important to get perspectives on what is important to the organization as a whole. Network security policy creation needs to be done with this perspective in mind. This input will make sure that all parties are well aware of the NAC initiative and give them the opportunity to voice concerns that are relevant to their role within the organization. Corporate resources that should be consulted in the process of building NAC policies are:

- Network: For integration with the network infrastructure.
- Security: For defining and implementing information security policies.
- Legal: For understanding regulatory requirements and the impact of the project on compliance.
- Helpdesk/IT: For desktop/laptop configurations and patch deployment.
- Human Resources: For interacting with end-users and notifying them of corporate policies.
- Operations: For handling response procedures and policy deployment scheduling.
- Management: For prioritization, business impact decision-making and high-level budget issues.

In this process, broader input will improve the effectiveness and thoroughness of the implementation and help ensure the success and buy-in of the entire corporation. This will be a key factor for success as the first stage of implementation begins and as sanctions start being applied.

Starting a NAC Deployment

As a first step, the NAC team should decide how to best translate goals into policy requirements. Writing policy requirements will likely involve reviewing IT processes, examining regulatory and corporate policy requirements, identifying how to leverage network infrastructure, incorporating third party systems and more. Below are examples of common policies and how they have been translated into a NAC framework.

NAC Goal: Control Non-Corporate Users and Devices

The goal is to control network access to non-corporate users and devices across all campuses. To achieve this, the following illustrates how these policy requirements might be defined:

Policy Requirement 1: Visitor Access in Conference Rooms
Policy Action 1: Identify guest devices in specified IP range
When to Apply Policy 1: Upon connection to the network
Policy definition: In conference rooms, automatically limit access to non-corporate users (visitors), allowing them Internet access only, while allowing full access to corporate employees.

Policy Requirement 2: Visitor Access to the Production Network
Policy Action 2: Identify non-managed devices attempting to connect to the production network
When to Apply Policy 2: Upon connection to the network
Policy definition: When physically attempting to connect to the production network, non-authenticated users will be denied access.

Policy Requirement 3: No Rogue Wireless Access Points (WAP)
Policy Action 3: Track down and remove rogue WAP
When to Apply Policy 3: At every first connection to the network
Policy definition: Wireless Access Points are prohibited across all offices, including remote branches. Any discovered WAP must be automatically disconnected from the network.
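The three policy requirements above, written as a connection-time decision function. This is an added example, not code from the whitepaper or from any ForeScout product; the address ranges, the managed-device inventory, the field names, and the rule that a "corporate" connection means an authenticated user on a managed device are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed values (not from the whitepaper): site address ranges and device inventory.
CONFERENCE_ROOMS = ipaddress.ip_network("10.20.30.0/24")
PRODUCTION = ipaddress.ip_network("10.50.0.0/16")
MANAGED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

FULL_ACCESS = "full-access"
INTERNET_ONLY = "internet-only"
DENY = "deny"
DISCONNECT = "disconnect"
NO_MATCH = "no-matching-policy"


@dataclass(frozen=True)
class Connection:
    mac: str
    ip: str
    authenticated: bool    # user passed the existing corporate authentication
    is_access_point: bool  # device classification result (assumed to be available)


def admit(conn):
    """Return (decision, policy_id) for a device at the moment it connects."""
    addr = ipaddress.ip_address(conn.ip)
    corporate = conn.authenticated and conn.mac.lower() in MANAGED_MACS

    # Policy 3 is checked first: access points are prohibited in every office,
    # so the location and the owner of the device do not matter.
    if conn.is_access_point:
        return DISCONNECT, "policy-3-rogue-wap"

    # Policy 2: only managed, authenticated devices reach the production network.
    if addr in PRODUCTION:
        if corporate:
            return FULL_ACCESS, "policy-2-production"
        return DENY, "policy-2-production"

    # Policy 1: visitors in conference rooms get Internet access only,
    # corporate employees keep full access.
    if addr in CONFERENCE_ROOMS:
        if corporate:
            return FULL_ACCESS, "policy-1-conference-room"
        return INTERNET_ONLY, "policy-1-conference-room"

    # Outside the ranges these three policies cover: report it, decide nothing.
    return NO_MATCH, None


# Constructed sample connections.
SAMPLE = [
    Connection("00:11:22:33:44:55", "10.20.30.7", True, False),   # employee in a conference room
    Connection("aa:bb:cc:00:00:01", "10.20.30.8", False, False),  # visitor in a conference room
    Connection("aa:bb:cc:00:00:02", "10.50.1.9", False, False),   # unmanaged device on production
    Connection("00:11:22:33:44:66", "10.50.1.10", True, True),    # access point plugged into production
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(c.mac, c.ip, admit(c))
```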

NAC Goal: Maintain Endpoint Compliance Across the Enterprise

The goal is to constantly maintain compliance of all corporate hosts with network policies. To achieve this, the following illustrates how these policy requirements might be defined:

Policy Requirement 1: All Critical Vulnerabilities Must be Patched
This should be tested upon admission as well as on a regular basis. If not in compliance with an identified critical vulnerability, a suggested action would be to automatically isolate, patch and then release machines once remediation is complete.

Policy Requirement 2: All Machines Must Have Updated Anti-Virus Versions Within X Days
This should take place upon admission to the network as well as on a regular basis. If not in compliance, a suggested action would be to inform the end user that they are not in compliance. If the warnings are ignored, the NAC solution should allow for automatic isolation and force remediation of the outdated anti-virus versions.

Policy Requirement 3: Only Allow MSN Instant Messaging on Corporate Hosts
Users may only work with the MSN instant-messaging service. All other IM applications may not be installed and if detected, the service will be blocked.

After policy creation is complete and enforcement actions have been decided upon, it is critical to individually test the policies to ensure complete understanding of the estimated impact of imposing a rule, in case the rule and the related response for violation were written poorly or the degree of noncompliance is so great that enforcement would bring the network to a halt. As a NAC best practice, after the policy is implemented, rules should always be implemented in monitor mode (where the NAC administrator can see what impact the rules would have across the network without enforcing the rule in real-time). This will significantly help the NAC manager's ability to assess the degree of compliance and/or whether the rule was written properly and is effective.

Once the policies have been written, tested, and reviewed over a reasonable period of time in monitor mode, formal rollout can begin. Implementing the rules in real-time would be phased in over time, rule by rule, as will be discussed in the next section. Rules should be enforced one at a time to ensure the viability of each rule. This allows the roll out to proceed with a full understanding of what the impact of each policy is, both individually and ultimately on the full network. See chart below.

Tips for Managing Policy Change

- Predict how a new policy will affect users: Have a complete understanding of what users will be required to do in order to comply with any new policy. Identify where potential problem areas/groups might be (i.e. remote or traveling users) and make a plan to address these areas/groups before implementation of the first policy.
- Inform users of a policy change before it happens: Make sure that all users who will be affected by the policy change are fully aware of the policy and the potential consequences of non-compliance.
- Offer users the ability to reach compliance before the policy is implemented: As part of educating users on the policies that will be implemented, provide the appropriate links or directions as to how the user can become compliant before sanctions are imposed. This can be an integrated effort between IT and HR to ensure users have all the resources necessary to facilitate the change.
- Automate the response to eliminate calls to the help desk: As part of the network response to a violating user, leverage automated processes (e.g. automatically opening a trouble ticket or linking to the anti-virus server for definition update) to help bring end users into compliance without creating more work for the help desk.

Creation of a Phased Rollout Strategy

After determining policy requirements and deciding how to handle enforcement for non-compliant devices, a phased rollout plan should be created. This process will help determine which of the rules should be implemented, one at a time, and in which order. Having tested the rule(s) in monitor mode, the implementation team will have sufficient knowledge to determine which rules should be enforced and the type of enforcement that should be used. As a general rule, the phases of rollout are a judgment call by the organization. Consider that the policies most important (or simple) to roll out are the ones that will potentially deliver the greatest results.

There are several ways to approach a phased roll out, but all should generally fall under the banner of Uptime Enforcement. This focuses the attention of the team on the primary goal of a NAC implementation: secure the network, enable productivity.

Uptime Enforcement

Most NAC implementers consider two states: compliant devices are allowed on the network, and noncompliant devices are blocked even if the policy violation is not critical. Often, blocking is premature and only causes disruption to business continuity and significantly impacts end-user productivity. Enforcing NAC policies through blocking mechanisms effectively holds back business operations or causes unnecessary downtime at the desktop.

Uptime Enforcement extends flexibility to the network administrator to act appropriately based upon the severity of the policy violation. For example, X is a policy that would most likely call for immediate compliance: work/connection to network resources must stop until the device is brought into compliance, and only then can access be allowed. Y is a policy that might allow a few hours or days for compliance. In the meantime, users could continue to be productive without having to drop everything to take care of the remediation. If the user does not comply with policy notifications and warnings, at that time a more drastic sanction can be imposed.

Uptime enforcement is a strategy that lets the network administrator maintain end-user uptime while simultaneously enforcing NAC policies. Uptime enforcement means that when swift, aggressive action is not essential, NAC policies should give the enterprise a chance to catch up to compliance demands, without enforcing harsh sanctions, or any sanctions at all.
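An added example (not code from the whitepaper or from any ForeScout product) of severity-based enforcement combined with a monitor-mode impact check: each policy has a grace period, violations inside the grace period only produce a notification, and the monitor-mode report shows which rules could be enforced without sanctioning a large share of the network. The policy names, grace periods, action names and the 10% threshold are assumptions, and the host data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

NOTIFY = "notify-user"  # soft action used while a grace period is still running


@dataclass(frozen=True)
class Policy:
    name: str
    grace: timedelta  # timedelta(0): compliance is required immediately
    sanction: str     # action applied once the grace period has run out


@dataclass(frozen=True)
class Violation:
    host: str
    policy: str
    first_seen: datetime


def decide(policy, violation, now, monitor_mode):
    """Return (action, enforced) for one violation.

    In monitor mode the action is only recorded, never applied.
    """
    overdue = now - violation.first_seen >= policy.grace
    action = policy.sanction if overdue else NOTIFY
    return action, not monitor_mode


def impact_by_policy(policies, violations, total_hosts, now):
    """Share of all hosts that each policy would sanction if enforced right now."""
    hit = {name: set() for name in policies}
    for v in violations:
        action, _ = decide(policies[v.policy], v, now, monitor_mode=True)
        if action != NOTIFY:
            hit[v.policy].add(v.host)
    return {name: len(hosts) / total_hosts for name, hosts in hit.items()}


def ready_to_enforce(impact, max_share):
    """Policies whose sanctions would touch at most max_share of hosts, lowest impact first."""
    ok = [(share, name) for name, share in impact.items() if share <= max_share]
    return [name for share, name in sorted(ok)]


# Constructed sample data: 20 hosts, three policies modelled on the requirements above.
NOW = datetime(2011, 6, 15, 9, 0)
TOTAL_HOSTS = 20
POLICIES = {p.name: p for p in (
    Policy("critical-patch", timedelta(0), "quarantine-vlan"),
    Policy("antivirus-update", timedelta(days=3), "quarantine-vlan"),
    Policy("approved-im-only", timedelta(days=7), "block-service"),
)}
VIOLATIONS = [
    Violation("h01", "critical-patch", NOW - timedelta(hours=1)),
    Violation("h02", "antivirus-update", NOW - timedelta(days=4)),
    Violation("h03", "antivirus-update", NOW - timedelta(days=1)),
] + [
    # Nine hosts have run an unapproved IM client for ten days.
    Violation(f"h{n:02d}", "approved-im-only", NOW - timedelta(days=10))
    for n in range(4, 13)
]

if __name__ == "__main__":
    impact = impact_by_policy(POLICIES, VIOLATIONS, TOTAL_HOSTS, NOW)
    for name, share in impact.items():
        print(f"{name}: would sanction {share:.0%} of hosts")
    print("enforce first:", ready_to_enforce(impact, max_share=0.10))
```

In this constructed data set the instant-messaging rule would sanction 45% of hosts, so it stays in monitor mode while the two low-impact rules are enforced one at a time.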

Uptime enforcement works because it addresses the source of noncompliance before reacting to it with consequences. In general, the cause of non-compliance falls into three categories:

- Non-compliant IT process: for example, corporate antivirus licenses that were not renewed and have expired.
- Uneducated end-users: for example, employees that are unaware of a company policy that prohibits them from using P2P applications. In general, this is the most common cause of non-compliance.
- Non-compliant end-users: for example, end-users that know about a company policy prohibiting the use of P2P applications, but still run them.

Typically, uneducated users comprise 60% - 70% of all network security policy violations. The uneducated user does not have malicious intent, but rather is unaware or chooses to ignore company mandates. For these users, the decision may not be to block access, but rather to track and log activity, keeping the end user productive.

Uptime Enforcement can be achieved by working with policies that push forward a logical process of elimination when dealing with the source of noncompliance. This can be achieved through a systematic approach:

- Step one: discover and review non-compliance of devices, users, and user behavior.
- Step two: launch an education program for employees, verifying that they understand the corporate network security policies.
- Step three: address users who have been educated as to the security policy, but refuse to adhere.

Why is it important to work according to this process? Following this process ensures that you achieve compliance while minimizing the disruption to network users, applying sanctions only when absolutely necessary and on a very well defined and typically relatively small group of users.

1. Evaluate Current Compliance of Network

The NAC solution should automatically locate noncompliant end-users and devices without imposing sanctions. This step is focused on eliminating any systemic problems (outside the control of the end user) which have made an unaware end-user noncompliant. Evaluating the nature of the problem will show if non-compliant devices or behaviors are the source of policy violations. Addressing these IT processes will significantly reduce the number of challenges in implementing NAC.

For example, if you find that an extensive number of network machines don't meet patch level requirements, it could indicate that:

- Desktop provisioning issues may need to be corrected.
- Patch management system may not be operating properly.

2. Educate the End User Directly

After addressing/eliminating any background IT problems, there should be a reduction in non-compliance levels. However, if the level of non-compliance is still high, it is indicative of users who are unaware that they have breached policies, or have not been taught how to comply with them. This can be addressed by a NAC-powered educational policy.

What is the purpose of a NAC-powered Educational Policy?

- Directly and personally draw non-compliant end-users into the compliance process.
- Raise their awareness of compliance and security requirements.
- Help change behavior, forcing compliance, without reducing productivity.

How does it work? Non-compliant users are notified via automated, personal, directed and/or Web notifications. These notifications are delivered at the time the violation occurs.

A NAC-powered educational policy can be as simple as rolling out a Web-based company reminder that informs network users when corporate policies are initiated or changed. For example, a policy informing users via the Web that only a specific instant messaging system may be used in the enterprise or that P2P applications may not be used. Additionally, the right NAC solution can:

- Further the educational process by delivering to non-compliant users a URL link to the policy document, and request that they read the policy and select an "I agree" button for confirmation. Reports can be generated periodically to keep track of and address users that have not confirmed.
- Set up a cleanup campaign with the Helpdesk to assist in uninstalling barred applications. The Helpdesk will be automatically provided contact information, lists of barred applications, and the IP/MAC address of detected machines.
- Temporarily hijack the non-compliant users' Web sessions with a message indicating that blocking sanctions will be applied if barred applications are detected on their machines after a specific date.

Rolling out a NAC-powered education policy typically leads to a dramatic increase in compliance as it addresses the most common cause of non-compliance: unaware/uninformed users.

3. Enforce Policy on Non-Compliant Users

After NAC-powered educational policies have been rolled out, there should be a good understanding of the number/percentage of non-compliant users. In all probability, the level of non-compliance at this stage will be quite low. By this time, the end user should be aware of the policies and if they choose to continue to violate the policy, then they will be subject to sanctions. But even in this case, the NAC solution needs to provide several graduated enforcement options and not simply deny access. At this point, it needs to be very clear what sanctions will be used and how those actions should be carried out on users/devices that do not comply with the NAC policy. Some common examples include:

- Assign the device to a VLAN (Quarantine VLAN, Guest VLAN or Remediation VLAN).
- Block the device at the switch.
- Prevent Internet access.
- Prevent access to the corporate network or to segments of it.
- Prevent access to specific servers.

Impact of an Uptime Enforcement Deployment

Phasing in NAC policies will achieve a quicker mean time to compliance with minimal network/user disruption. The graph below illustrates how stepping through the Uptime Enforcement process will significantly reduce the number of non-compliant users without the need to impose hard sanctions. By the time sanctions are required, the focus will be on the small number of real policy violators.

- Audit: Understand the current state of compliance in the network. Use information to create policies.
- Inform: Inform users of policy changes. Give users a chance to change behavior before imposing sanctions.
- Educate/Train: Use soft enforcement and reminders to policy violators. Offer easy or automatic ways for a user to become compliant.
- Enforce: Block or limit access to policy violators. Offer easy or automatic ways for a user to become compliant.

Site by Site Rollout

NAC project leaders are often tempted to roll out NAC policies across all enterprise sites simultaneously. However, without first understanding the ramifications of a widespread deployment, NAC project leaders should consider a phased implementation, even if the policies will eventually be deployed across the enterprise. Many sites operate under unique work procedures and site-specific requirements which may be unknown to the central administrator but critical for the site's day-to-day operation. For example:

At a remote site, a mission-critical Web-based application only runs on a specific Internet Explorer version. However, a corporate NAC policy prohibits the use of that version of IE. The policy may need to be adjusted to meet the specific site requirements.

A NAC policy only allows the use of the MSN instant messaging service. Partners working with a support site, however, only work with Yahoo instant messaging. The policy will have to be adjusted for the support site, or the site may be exempt from inspection for this policy.

A NAC policy requires that all end-users work with a specific version of Windows Office. Marketing departments, however, require a higher version in order to create marketing documents. The marketing department cannot be inspected for this policy.

Choosing the First Site

The first location for a site by site rollout is critical to the success of the overall NAC implementation. It is best to select a site that is well managed and whose infrastructure is well documented. Particular attention must be paid to understanding the network's response to the policy enforcement, measuring how effectively non-compliant end-users comprehend policy changes, and the response to the policy and actions imposed. When choosing the first site, it should be:

Well-managed, i.e. a documented and understood support infrastructure and an IT administrator.
Physically close to your security and networking teams.
A stable environment (network devices are not frequently added, removed or updated).

[Figure: Site by Site Roll Out]

Rolling out on a per-site basis allows for the fine tuning required to ensure no disruption to legitimate business processes. Each site will have its own unique characteristics that will need to be understood and addressed. This methodology should be coupled with a policy by policy practice (see next section) to ensure maximum understanding of the impact NAC policies will have on the enterprise.

Policy by Policy Rollout

It's natural that NAC project leaders will want to implement all NAC policies as quickly as possible. However, rolling out too many policies concurrently, even within a single site, won't give the network administrator enough time to evaluate the results of each policy, its accuracy and its ability to be implemented, and to understand its impact on the network and network end-users. Time must be invested in fine-tuning each network policy before moving on to another. (see chart below)

[Chart: Policy by Policy Roll Out]

Therefore, each policy review should answer the following questions:

Did the policy pinpoint the right users and devices?
Were network users responsive to the policy?
Were processes implemented effectively?

Did the Policy Pinpoint the Right Users and Devices?

After running a policy, it is not unusual to discover that devices and users detected during the inspection process should really have been kept out.

Policies should be run individually for the purpose of verifying that they inspect what needs to get inspected. Following through with such fine-tuning will significantly reduce network disruption and improve the effectiveness and value of the policy.

Some common examples of users and devices that should be excluded from policy inspections are as follows:

VIP users. These users should always have full network access regardless of any policy requirements.

Security auditors and network administrators who will need access to all network resources and services, regardless of policies.

The policy enforces patch level requirements on network devices at a local hospital. However, some medical devices prohibit the installation of patches. These devices should be excluded from the inspection.

The policy requires that every device must authenticate at network admission. Network printers and other network equipment should be excluded.

Does the NAC System Handle Automatic Device Classification?

The NAC solution should support automatic classification of devices, which makes it possible to use a device category on its own as a criterion for inspection or for exclusion from the inspection process. For example, automatic detection and classification of network printers can be achieved by working with NAC solutions that automatically recognize printers as they enter the network. Otherwise, the administrator has to create specific exception lists by extracting the information from inventory management systems and update them every time a new printer is installed.

No Hits?

After running the policies, it may be discovered that a relatively small number of detections were made. This may indicate that the policy inspection scope is too narrow, and is missing users and devices that should be inspected. If this is the case, the policy scope should be broadened.

Were Processes Implemented Effectively?

Corporate policies are likely to include automated processes designed to bring about compliance faster and more efficiently. These processes may call specific departments into action, or generate important information about the violation event. For example, the No P2P policy requires that the IT and helpdesk teams are automatically notified when a violation is detected. The notification they receive should include the contact and device details as well as information about the policy violation.

Lastly, it is important to verify that automated instructions to support or other teams reach their destination with the proper information, and that the end user knows what to do with it. Before dealing with a new policy, make sure to fine-tune the automated process to maximize efficiencies.

Were Network End-Users Responsive to the Policy?

Corporate policies will often require that network end-users respond to a NAC-powered educational policy or perform a specific task, for example use self-remediation links or contact the Helpdesk. Verify that end-users are responding to notifications and instructions as anticipated, and changing their behavior accordingly.
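The review questions on scope ("Did the policy pinpoint the right users and devices?" and "No Hits?") can be answered with a monitor-only dry run before any enforcement is switched on. The following is an added example, not part of the whitepaper and not CounterACT configuration: it evaluates a draft and a tuned patch-level policy over a constructed inventory. All device names, class labels, group names and the 25% threshold are assumptions.

```python
"""Dry-run review of a NAC policy against an endpoint inventory (monitor only).

Hypothetical model: class labels, group names and thresholds are assumptions,
and the inventory below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    name: str
    device_class: str   # category assigned by automatic device classification
    user_group: str     # "staff", "vip", "auditor", or "" for unattended devices
    patch_level: int


@dataclass(frozen=True)
class Policy:
    name: str
    min_patch_level: int
    scope_classes: frozenset                   # device classes to inspect
    excluded_classes: frozenset = frozenset()  # classes never inspected
    excluded_groups: frozenset = frozenset()   # user groups exempt from the policy


def review(policy, inventory, min_inspected_ratio=0.25):
    """Sort every endpoint into excluded, out_of_scope, compliant or violations."""
    result = {"excluded": [], "out_of_scope": [], "compliant": [], "violations": []}
    for ep in inventory:
        if (ep.device_class in policy.excluded_classes
                or ep.user_group in policy.excluded_groups):
            result["excluded"].append(ep.name)
        elif ep.device_class not in policy.scope_classes:
            result["out_of_scope"].append(ep.name)
        elif ep.patch_level < policy.min_patch_level:
            result["violations"].append(ep.name)
        else:
            result["compliant"].append(ep.name)
    inspected = len(result["compliant"]) + len(result["violations"])
    result["inspected_ratio"] = inspected / len(inventory) if inventory else 0.0
    # "No hits": too few endpoints matched, so the scope is probably too narrow.
    result["scope_too_narrow"] = result["inspected_ratio"] < min_inspected_ratio
    return result


def tuning_effect(before, after):
    """Endpoints the draft policy flagged that the tuned policy no longer flags."""
    return sorted(set(before["violations"]) - set(after["violations"]))


# Constructed inventory: names and patch levels are sample values.
INVENTORY = [
    Endpoint("ws-fin-01", "workstation", "staff", 12),
    Endpoint("ws-fin-02", "workstation", "staff", 9),
    Endpoint("ws-ceo-01", "workstation", "vip", 8),
    Endpoint("ws-audit-01", "workstation", "auditor", 7),
    Endpoint("infusion-pump-3", "medical_device", "", 2),
    Endpoint("prn-floor2", "printer", "", 1),
    Endpoint("lt-sales-04", "laptop", "staff", 11),
    Endpoint("srv-app-01", "server", "", 10),
]

# Draft: inspects everything it can see, no exclusions.
DRAFT = Policy("patch-level-draft", 10,
               frozenset({"workstation", "laptop", "medical_device", "printer"}))

# Tuned: unpatchable device classes and exempt user groups are excluded.
TUNED = Policy("patch-level-tuned", 10,
               frozenset({"workstation", "laptop"}),
               excluded_classes=frozenset({"medical_device", "printer"}),
               excluded_groups=frozenset({"vip", "auditor"}))

# Too narrow: matches a single endpoint out of eight.
NARROW = Policy("patch-level-narrow", 10, frozenset({"server"}))

if __name__ == "__main__":
    draft, tuned = review(DRAFT, INVENTORY), review(TUNED, INVENTORY)
    print("draft violations:", draft["violations"])
    print("tuned violations:", tuned["violations"])
    print("dropped by tuning:", tuning_effect(draft, tuned))
    print("narrow scope flagged:", review(NARROW, INVENTORY)["scope_too_narrow"])
```

Each name returned by `tuning_effect` should be confirmed as a deliberate exclusion, not a violator that slipped out of scope.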

Summary

NAC projects can deliver impressive results when backed by appropriate project goals, success factors that give comprehensive direction and guidance, and a NAC team that knows how to get the job done. With this foundation set, project leaders are better equipped to design useful NAC policies and roll out the NAC project.

Ultimately the success of a NAC implementation will lie in the ability to gain a complete understanding of what is going on within the IT infrastructure. This means auditing the people and processes that are active on the network on a daily basis. It also means being able to use the information gained by NAC solutions like ForeScout's CounterACT to inform and educate and bring non-compliant users and devices into compliance with corporate security policies. CounterACT delivers this in a single turnkey clientless security platform. The appliance does not require an in-line deployment and is vendor neutral, allowing the ability to maximize existing infrastructure and systems investments while providing a complete NAC solution.

This fulfills a primary enterprise security goal: to have comprehensive knowledge and control of all users/devices that move in and out of the network, ensuring that these devices are in compliance with corporate security policies. ForeScout's CounterACT ensures that only the right users, with compliant devices, gain access to the right resources on the network.

It is essential that any solution leverage the current IT infrastructure and existing security investments made by the enterprise to automate the process of remediation and have the ability to perform both soft and hard enforcement. But the NAC solution should also be able to look toward the future and provide a pathway to complete policy implementation and enforcement.

ForeScout Technologies, Inc N. De Anza Boulevard, Suite 220 Cupertino, CA 95014, USA

ForeScout Technologies. All rights reserved.


More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Enterprise Single Sign-On SOS. The Critical Questions Every Company Needs to Ask

Enterprise Single Sign-On SOS. The Critical Questions Every Company Needs to Ask Enterprise Single Sign-On SOS The Critical Questions Every Company Needs to Ask Enterprise Single Sign-On: The Critical Questions Every Company Needs to Ask 1 Table of Contents Introduction 2 Application

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Automate PCI Compliance Monitoring, Investigation & Reporting

Automate PCI Compliance Monitoring, Investigation & Reporting Automate PCI Compliance Monitoring, Investigation & Reporting Reducing Business Risk Standards and compliance are all about implementing procedures and technologies that reduce business risk and efficiently

More information

10 Building Blocks for Securing File Data

10 Building Blocks for Securing File Data hite Paper 10 Building Blocks for Securing File Data Introduction Securing file data has never been more important or more challenging for organizations. Files dominate the data center, with analyst firm

More information

The New PCI Requirement: Application Firewall vs. Code Review

The New PCI Requirement: Application Firewall vs. Code Review The New PCI Requirement: Application Firewall vs. Code Review The Imperva SecureSphere Web Application Firewall meets the new PCI requirement for an application layer firewall. With the highest security

More information

PortWise Access Management Suite

PortWise Access Management Suite Create secure virtual access for your employees, partners and customers from any location and any device. With todays global and homogenous economy, the accuracy and responsiveness of an organization s

More information

End-user Security Analytics Strengthens Protection with ArcSight

End-user Security Analytics Strengthens Protection with ArcSight Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security

More information

White Paper. Identifying Network Security and Compliance Challenges in Healthcare Organizations

White Paper. Identifying Network Security and Compliance Challenges in Healthcare Organizations Identifying Network Security and Compliance Challenges in Healthcare Organizations Contents Introduction....................................................................... 3 Increased Demand For Access............................................................

More information

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for

More information

Driving Company Security is Challenging. Centralized Management Makes it Simple.

Driving Company Security is Challenging. Centralized Management Makes it Simple. Driving Company Security is Challenging. Centralized Management Makes it Simple. Overview - P3 Security Threats, Downtime and High Costs - P3 Threats to Company Security and Profitability - P4 A Revolutionary

More information

Security Features and Considerations

Security Features and Considerations Securing the Unified Communications Enabled Enterprise Integrated communications systems are inherently more secure than traditional standalone phone and messaging systems. Business Communications Challenges

More information

Building A Secure Microsoft Exchange Continuity Appliance

Building A Secure Microsoft Exchange Continuity Appliance Building A Secure Microsoft Exchange Continuity Appliance Teneros, Inc. 215 Castro Street, 3rd Floor Mountain View, California 94041-1203 USA p 650.641.7400 f 650.641.7401 ON AVAILABLE ACCESSIBLE Building

More information

CounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module MaaS360 Version 1.0.1. ForeScout Mobile

CounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module MaaS360 Version 1.0.1. ForeScout Mobile CounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module Version 1.0.1 ForeScout Mobile Table of Contents About the Integration... 3 ForeScout MDM... 3 Additional Documentation...

More information

Making the Business Case for IT Asset Management

Making the Business Case for IT Asset Management 1 The business case for IT Asset Management Making the Business Case for IT Asset Management Executive Summary IT Asset Management (ITAM) is an important business discipline that provides insight into

More information

The Value of Vulnerability Management*

The Value of Vulnerability Management* The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda

More information

College of Education Computer Network Security Policy

College of Education Computer Network Security Policy Introduction The College of Education Network Security Policy provides the operational detail required for the successful implementation of a safe and efficient computer network environment for the College

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

AVeS Cloud Security powered by SYMANTEC TM

AVeS Cloud Security powered by SYMANTEC TM Protecting your business from online threats should be simple, yet powerful and effective. A solution that secures your laptops, desktops, and servers without slowing down your systems and distracting

More information

Enterprise Security Solutions

Enterprise Security Solutions Enterprise Security Solutions World-class technical solutions, professional services and training from experts you can trust ISOCORP is a Value-Added Reseller (VAR) and services provider for best in class

More information

Technology Blueprint. Protect Your Email Servers. Guard the data and availability that enable business-critical communications

Technology Blueprint. Protect Your Email Servers. Guard the data and availability that enable business-critical communications Technology Blueprint Protect Your Email Servers Guard the data and availability that enable business-critical communications LEVEL 1 2 3 4 5 SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL 1 2 4 5 3 Security

More information

How To Protect Your Cloud From Attack

How To Protect Your Cloud From Attack A Trend Micro White Paper August 2015 Trend Micro Cloud Protection Security for Your Unique Cloud Infrastructure Contents Introduction...3 Private Cloud...4 VM-Level Security...4 Agentless Security to

More information

Is Your Vendor CJIS-Certified?

Is Your Vendor CJIS-Certified? A Thought Leadership Profile Symantec SHUTTERSTOCK.COM Is Your Vendor CJIS-Certified? How to identify a vendor partner that can help your agency comply with new federal security standards for accessing

More information

MSP Service Matrix. Servers

MSP Service Matrix. Servers Servers MSP Service Matrix Microsoft Windows O/S Patching - Patches automatically updated on a regular basis to the customer's servers and desktops. MS Baseline Analyzer and MS WSUS Server used Server

More information

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction Policy: Title: Status: 1. Introduction ISP-S12 Network Management Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1.1. This information security policy document covers management,

More information

PII Compliance Guidelines

PII Compliance Guidelines Personally Identifiable Information (PII): Individually identifiable information from or about an individual customer including, but not limited to: (a) a first and last name or first initial and last

More information

How To Protect Your Network From Attack From A Network Security Threat

How To Protect Your Network From Attack From A Network Security Threat Cisco Security Services Cisco Security Services help you defend your business from evolving security threats, enhance the efficiency of your internal staff and processes, and increase the return on your

More information

Mobile Device Management for CFAES

Mobile Device Management for CFAES Mobile Device Management for CFAES What is Mobile Device Management? As smartphones and other mobile computing devices grow in popularity, management challenges related to device and data security are

More information

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc. Company Co. Inc. LLC Multiple Minds, Singular Results LAN Domain Network Security Best Practices An integrated approach to securing Company Co. Inc. LLC s network Written and Approved By: Geoff Lacy, Tim

More information

Choose Your Own - Fighting the Battle Against Zero Day Virus Threats

Choose Your Own - Fighting the Battle Against Zero Day Virus Threats Choose Your Weapon: Fighting the Battle against Zero-Day Virus Threats 1 of 2 November, 2004 Choose Your Weapon: Fighting the Battle against Zero-Day Virus Threats Choose Your Weapon: Fighting the Battle

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Reining in the Effects of Uncontrolled Change

Reining in the Effects of Uncontrolled Change WHITE PAPER Reining in the Effects of Uncontrolled Change The value of IT service management in addressing security, compliance, and operational effectiveness In IT management, as in business as a whole,

More information

Bypassing Network Access Control Systems

Bypassing Network Access Control Systems 1 Bypassing Network Access Control Systems Ofir Arkin, CTO Blackhat USA 2006 ofir.arkin@insightix.com http://www.insightix.com 2 What this talk is about? Introduction to NAC The components of a NAC solution

More information

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management Log Management How to Develop the Right Strategy for Business and Compliance An Allstream / Dell SecureWorks White Paper 1 Table of contents Executive Summary 1 Current State of Log Monitoring 2 Five Steps

More information