Technical Note
CounterACT: 802.1X and Network Access Control

Contents
Introduction
What is 802.1X?
    Key Concepts
    Protocol Operation
What is NAC?
    Key Objectives
    NAC Capabilities
The Role of 802.1X in NAC
    Advantages of 802.1X
    Disadvantages of 802.1X
How ForeScout helps Implement 802.1X within a NAC Framework
    Verifying 802.1X Readiness
    Supplicant Remediation
    Hybrid Mode
    Automated Exception Process for non-802.1X endpoints
When to Use 802.1X and When Not to
    Organizational Needs
    Use Case: Secure Guest Access
    Use Case: Endpoint Compliance
    Use Case: Secure BYOD Access
    Network Environment
    Use Case: Exception Management
    Other Considerations
Conclusion
About ForeScout

Introduction

In an era of mobile devices and IT consumerization, Network Access Control (NAC) has emerged as a popular solution for network and security managers to mitigate risk and retain control of the network. NAC provides the capability to authenticate users and devices when they connect to the network, assess the security posture of a device, and enforce security controls while the device is connected. There is often confusion about the relationship between 802.1X and NAC: are they competing or complementary technologies? This paper clarifies that relationship.

The following technical note gives the reader a basic understanding of 802.1X and NAC, the advantages and disadvantages of using 802.1X authentication within a NAC implementation, and guidance on which solution set is better suited to different use cases and network environments. It describes the capabilities of ForeScout CounterACT™ and the features it provides to overcome some of the challenges of using 802.1X within a NAC implementation.

What is 802.1X?

IEEE 802.1X is a standard for port-based network access control. It provides an authentication mechanism for devices wishing to attach to a wired or wireless LAN.
It does not address other security controls that may need to be enforced when a device connects to a network (discussed later in this technical note).

The 802.1X standard was first published in 2001 (IEEE 802.1X-2001) and later updated in 2004 (IEEE 802.1X-2004) and in 2010 (IEEE 802.1X-2010). 802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over LAN, or EAPoL, which allows a number of different authentication methods to be used. EAPoL was originally designed for 802.3 Ethernet in the 2001 standard and was extended to other IEEE 802 LAN technologies such as 802.11 wireless in the 2004 revision. The 2010 revision addressed an exposure of the earlier specifications, in which an authorized port could be used by any station that spoofs the authenticated MAC address, by adding the MACsec Key Agreement (MKA) protocol so that IEEE 802.1AE (MACsec) encryption and integrity protection can optionally be enabled on the LAN segment after authentication.

Key Concepts

802.1X authentication involves three components: the supplicant, the authenticator, and the authentication server. The supplicant and the authenticator exchange EAP messages using EAPoL; the authenticator relays those EAP messages to the authentication server, typically inside RADIUS (EAP-Message attributes).

• The supplicant is an endpoint device (such as a laptop) attempting to connect to a wired or wireless network. The term "supplicant" is also used to refer to the software required on the endpoint (or client) to present credentials to the authenticator. Credentials can include username/password, a digital certificate or other methods.

• The authenticator is a network device, such as an Ethernet switch or wireless access point, that acts like a security guard for a protected network. It facilitates authentication by relaying the EAP conversation between the supplicant and the authentication server, and allows the supplicant access to the network only after successful authentication.

• The authentication server is typically a host running a RADIUS server that validates the credentials of the supplicant and authorizes access.
Figure 1: 802.1X authentication components

Protocol Operation

802.1X provides port-based access control and as such ties authentication and admission to the point of connection to the network: a network port. In an 802.1X environment, all network ports default to the "unauthorized" state prior to authentication. Upon successful authentication a port is dynamically changed to the "authorized" state. Control is enforced at each switch port for wired LANs, and at each wireless access point (per association) for wireless LANs. EAPoL runs directly on the data link layer (it has its own Ethernet type, 0x888E) and does not use IP at all. In the unauthorized state the port is allowed to transmit and receive only EAPoL frames; other traffic, such as DHCP or HTTP, is dropped.

The typical authentication process is as follows:

1. Initiation — The port on the authenticator starts in the "unauthorized" state. To initiate authentication the authenticator periodically transmits EAP-Request/Identity messages. On receipt of this message, the supplicant responds with an EAP-Response/Identity message containing an identifier such as a username. The authenticator forwards this message to the authentication server. The supplicant can also initiate or restart authentication by sending an EAPOL-Start frame to the authenticator, which then replies with an EAP-Request/Identity message.

2. Negotiation — The authentication server sends a reply to the supplicant (via the authenticator) containing an EAP request that specifies the EAP method (the type of EAP-based authentication it wants the supplicant to perform). At this point the supplicant can either start the requested EAP method or send a NAK ("Negative Acknowledgement") listing the EAP methods it is willing or able to perform.
3. Authentication — Once the authentication server and supplicant agree on an EAP method, EAP requests and responses are exchanged between the supplicant and the authentication server (relayed by the authenticator) until the authentication server responds with either an EAP-Success or an EAP-Failure message. If authentication is successful, the authenticator sets the port to the "authorized" state and normal traffic is allowed; if it is unsuccessful the port remains in the "unauthorized" state.

4. Termination — When the supplicant logs off, it sends an EAPOL-Logoff frame to the authenticator. The authenticator then sets the port to the "unauthorized" state, once again blocking all non-EAPoL traffic.

802.1X authentication can be a one-time process (once a connection is authorized it remains authorized until the connection is terminated by the supplicant or the link goes down), or re-authentication may be required after a specified time interval. Network connections can also be configured to time out and then force re-authentication for any new connections.

What is NAC?

NAC controls access to a network based on adherence to security policies, including authentication of users, pre-admission endpoint security compliance checks, and post-admission controls over where users and devices can go on the network and what they can do. Unlike 802.1X, NAC provides the ability to enforce security controls based on the security posture of the device and/or the user's role in the organization. Commercial NAC solutions incorporate quarantine and remediation capabilities (fixing non-compliant endpoints before allowing access). Some advanced NAC solutions also include the ability to automatically profile and classify endpoints when they connect to the network, and subsequently make policy decisions based on device type and other granular profiling data.
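The four-step exchange in the Protocol Operation section above, as an added example that is not code from this note or from ForeScout: a toy supplicant, authenticator and authentication server that build and parse real EAPoL/EAP headers, negotiate the method through a NAK, and flip the port between "unauthorized" and "authorized" on EAP-Success, EAP-Failure and EAPOL-Logoff. The server's credential comparison stands in for an EAP method's inner exchange (no TLS handshake is performed), and the RADIUS leg between authenticator and server is modelled as a direct call; the identities and secrets are constructed.

```python
"""Toy 802.1X exchange: EAPoL framing between supplicant and authenticator,
EAP method negotiation via NAK, and port state changes on EAP-Success,
EAP-Failure and EAPOL-Logoff.  Added example, not code from the ForeScout note.
The server's credential check stands in for a real EAP method's inner exchange,
and the RADIUS leg between authenticator and server is a direct function call."""
import struct

EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2                       # EAPoL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4     # EAP codes
EAP_IDENTITY, EAP_NAK, EAP_MD5, EAP_TLS, EAP_PEAP = 1, 3, 4, 13, 25  # EAP types

def build_eapol(ptype, body=b""):
    """EAPoL header: protocol version (1), packet type (1), body length (2)."""
    return struct.pack("!BBH", 2, ptype, len(body)) + body

def parse_eapol(frame):
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if length > len(frame) - 4:
        raise ValueError("EAPoL body length exceeds frame")
    return ptype, frame[4:4 + length]

def build_eap(code, ident, etype=None, data=b""):
    """EAP packet: code (1), identifier (1), length (2), then type + type-data."""
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    etype = pkt[4] if length > 4 else None   # Success/Failure carry no type
    return code, ident, etype, pkt[5:length]

class Supplicant:
    def __init__(self, identity, secret, methods):
        self.identity, self.secret, self.methods = identity, secret, methods

    def on_eap(self, pkt):
        code, ident, etype, _ = parse_eap(pkt)
        if code != EAP_REQUEST:
            return None                      # Success/Failure ends the conversation
        if etype == EAP_IDENTITY:
            return build_eap(EAP_RESPONSE, ident, EAP_IDENTITY, self.identity.encode())
        if etype in self.methods:
            return build_eap(EAP_RESPONSE, ident, etype, self.secret)
        # NAK: tell the server which methods this supplicant can actually do
        return build_eap(EAP_RESPONSE, ident, EAP_NAK, bytes(self.methods))

class AuthServer:
    """RADIUS-style server: proposes a preferred method, accepts a NAK counter-offer."""
    def __init__(self, allowed, preferred, users):
        self.allowed, self.preferred, self.users = allowed, preferred, users
        self.identity, self.method = None, None

    def on_eap(self, pkt):
        _code, ident, etype, data = parse_eap(pkt)
        nxt = (ident + 1) & 0xFF
        if etype == EAP_IDENTITY:
            self.identity, self.method = data.decode(), self.preferred
            return build_eap(EAP_REQUEST, nxt, self.method)
        if etype == EAP_NAK:
            offered = [m for m in data if m in self.allowed]
            if not offered:
                return build_eap(EAP_FAILURE, nxt)
            self.method = offered[0]
            return build_eap(EAP_REQUEST, nxt, self.method)
        if etype == self.method:             # stand-in for the method's inner exchange
            ok = self.users.get(self.identity) == data
            return build_eap(EAP_SUCCESS if ok else EAP_FAILURE, nxt)
        return build_eap(EAP_FAILURE, nxt)

class Authenticator:
    """Switch port: relays EAP and blocks everything but EAPoL until authorized."""
    def __init__(self, server):
        self.server, self.state, self.ident = server, "unauthorized", 0

    def forwards(self, traffic):
        return traffic == "EAPoL" or self.state == "authorized"

    def on_eapol(self, frame):
        ptype, body = parse_eapol(frame)
        if ptype == EAPOL_LOGOFF:
            self.state = "unauthorized"
            return None
        if ptype == EAPOL_START:
            self.ident = (self.ident + 1) & 0xFF
            return build_eapol(EAPOL_EAP, build_eap(EAP_REQUEST, self.ident, EAP_IDENTITY))
        reply = self.server.on_eap(body)     # in practice a RADIUS EAP-Message relay
        code = parse_eap(reply)[0]
        if code in (EAP_SUCCESS, EAP_FAILURE):
            self.state = "authorized" if code == EAP_SUCCESS else "unauthorized"
        return build_eapol(EAPOL_EAP, reply)

def run_exchange(supplicant, authenticator, max_rounds=10):
    """Drive EAPOL-Start through Success/Failure; return (port state, method used)."""
    frame = authenticator.on_eapol(build_eapol(EAPOL_START))
    for _ in range(max_rounds):
        _ptype, eap = parse_eapol(frame)
        resp = supplicant.on_eap(eap)
        if resp is None:
            break
        frame = authenticator.on_eapol(build_eapol(EAPOL_EAP, resp))
    return authenticator.state, authenticator.server.method
```

Run it with a server that prefers EAP-TLS and a supplicant that can only do PEAP: the supplicant NAKs the TLS request, the server falls back to PEAP, and the port opens. A supplicant offering only EAP-MD5 (not in the server's allowed set) is failed at the NAK, which is the behaviour you want on a wired edge where weak methods must not be negotiated down to.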
NAC often incorporates post-admission functions, further differentiating it from 802.1X, which provides pre-connect authentication only. Basic post-connect functions may include periodic re-authentication and monitoring for changes in device posture, with more advanced solutions providing capabilities for monitoring changes in device behavior and/or malicious activity, and enforcing post-connect security controls.

Key Objectives

With a rapid increase in the number of mobile devices connecting to corporate networks, the focus of security controls has shifted from the perimeter (firewalls and IPS devices) to the internal network. Best practice now requires that each endpoint be inspected to ensure that it is compliant with security standards before the endpoint is permitted access to the network. The definition and capabilities of NAC are still evolving, but as of this writing its primary objectives are:

• Network visibility — In order to provide secure access and prevent unauthorized connections to the network, a NAC solution must be aware of all users and devices that attempt to connect to the network. It can create a database of network users and a hardware and software inventory of network endpoints.

• BYOD and mobile device management — NAC provides the foundation for implementing a "bring your own device" (BYOD) environment without compromising network security. This enables access while providing control over personally owned mobile devices such as laptops, smartphones and tablets.

• Role-based access — NAC ensures that only the right people with the right devices gain access to the right network resources. For example, a guest may only be allowed access to the internet. An employee in the shipping department should not be allowed access to the company's financial systems.

• Endpoint compliance — Unlike 802.1X, a primary objective of NAC is to manage endpoint compliance.
Endpoint posture checks are required to ensure a security baseline for any and all types of devices connecting to the network, and in some environments may be needed to demonstrate compliance with industry or government regulations.

• Network security — A key goal of NAC is to mitigate security risks within the network. Infected mobile devices, misconfigured endpoints, rogue wiring devices and wireless access points are sources of threats and data loss, and can be identified, quarantined and remediated by NAC.

NAC Capabilities

Commercial NAC solutions vary widely in terms of the functions they provide. The list below is indicative of the functions that most large enterprises are looking for.

Authentication: Authentication in NAC is conceptually similar to 802.1X, in that it occurs when an endpoint first attempts to connect to a network. Commercial NAC solutions can leverage 802.1X as well as other standard means of authentication such as guest registration databases, MAC address bypass lists, or existing directory systems such as Active Directory, OpenLDAP etc.

Security Posture Assessment: Unlike 802.1X, NAC products are able to assess the security posture of each endpoint. This assessment may include:
• checks for operating system versions and patch levels
• presence of anti-virus and other security software with the latest updates
• required and prohibited applications (such as P2P software)
• active and prohibited ports
• configuration settings for various applications
• custom registry checks

Endpoint Profiling and Classification: Some NAC solutions provide the capability to automatically profile and classify endpoints by type. Policies and access control can be tailored based on the device type. An effective device profiling capability also allows exceptions to be automatically created for devices such as printers, phones, security cameras, healthcare and manufacturing equipment, most of which do not support standard authentication mechanisms such as 802.1X.
Access Control: NAC can implement access control in a number of ways, ranging from simply enabling or disabling physical switch ports and wireless connections (which is included in the 802.1X standard) to the ability to enable very granular access using VLANs, Access Control Lists (ACLs), virtual firewalls and other mechanisms. Access policies can be tied not just to authentication, but also to endpoint security posture, the user's role, device type, location, connection method and other factors.

Quarantine and Remediation: Quarantine and remediation is another important function of NAC. In the event that an endpoint is found to be noncompliant with security policies (for example, not having the latest security patches for its operating system) the device can be isolated on the network. In this state, network access is significantly restricted and typically includes access only to remediation resources such as patch servers, antivirus update websites, virus cleansing applications etc. Post remediation, the endpoint is allowed to re-enter the production network. NAC solutions that automate the remediation process by integrating with existing IT systems (e.g. patch management) reduce IT overhead costs and increase user productivity.

Post-connect Controls: Some NAC solutions provide post-connect controls in addition to pre-connect authentication and security posture validation. Post-connect functions can include continuous monitoring of security posture changes and network activity to maintain real-time awareness of device behavior (anomalous or threat activity). For example, if a device originally appeared to be a printer, but then starts reading documents from a file server, the NAC system can take appropriate action based on policy.
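The posture checks listed under Security Posture Assessment and the quarantine scoping described under Quarantine and Remediation, as an added example (not CounterACT code): a rule set covering patch level, antivirus signature age, prohibited applications, prohibited listening ports and a required registry value, evaluated over constructed endpoint records, with a quarantine ACL that permits only DNS and two hypothetical remediation servers. The baseline build numbers, the 10.0.9.x addresses and the sample endpoints are all assumptions made for the example.

```python
"""Endpoint posture assessment and quarantine scoping.  Added example, not
CounterACT code: the endpoint records, the policy thresholds and the
remediation-server addresses are constructed to mirror the check categories
listed above (patch level, AV currency, prohibited apps, listening ports,
registry settings)."""
from datetime import date

POLICY = {
    "min_os_build": {"windows": 19045, "macos": 14},        # hypothetical baselines
    "max_av_signature_age_days": 3,
    "prohibited_apps": {"utorrent", "bittorrent"},
    "prohibited_listening_ports": {21, 23, 3389},           # FTP, Telnet, RDP
    "required_registry": {                                  # Windows only
        r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate": "0",
    },
}

# Quarantine ACL: only remediation resources reachable (addresses are made up).
QUARANTINE_ACL = [
    "permit udp any any eq 53",                 # DNS so the captive/remediation page resolves
    "permit tcp any host 10.0.9.10 eq 443",     # patch server
    "permit tcp any host 10.0.9.11 eq 443",     # AV signature server
    "deny ip any any",
]

def assess(ep, today):
    """Return a list of (check, detail) failures; an empty list means compliant."""
    failures = []
    baseline = POLICY["min_os_build"].get(ep["os"])
    if baseline is not None and ep["os_build"] < baseline:
        failures.append(("os_patch_level", f"build {ep['os_build']} below {baseline}"))
    if ep.get("av_signature_date") is None:
        failures.append(("antivirus", "not installed or not reporting"))
    else:
        age = (today - ep["av_signature_date"]).days
        if age > POLICY["max_av_signature_age_days"]:
            failures.append(("antivirus", f"signatures {age} days old"))
    bad_apps = POLICY["prohibited_apps"] & {a.lower() for a in ep.get("apps", [])}
    if bad_apps:
        failures.append(("prohibited_app", ", ".join(sorted(bad_apps))))
    bad_ports = POLICY["prohibited_listening_ports"] & set(ep.get("listening_ports", []))
    if bad_ports:
        failures.append(("listening_port", ", ".join(str(p) for p in sorted(bad_ports))))
    if ep["os"] == "windows":
        for key, want in POLICY["required_registry"].items():
            if ep.get("registry", {}).get(key) != want:
                failures.append(("registry", f"{key} != {want}"))
    return failures

def enforce(failures):
    """Map the posture verdict to the access the port should get."""
    if not failures:
        return {"vlan": "production", "acl": None}
    return {"vlan": "quarantine", "acl": QUARANTINE_ACL}

# Constructed sample inventory, as an agent or agentless inspection might report it,
# and the constructed date the assessment is run on.
TODAY = date(2024, 3, 3)
SAMPLE_ENDPOINTS = {
    "good": {"os": "windows", "os_build": 19045, "av_signature_date": date(2024, 3, 1),
             "apps": ["Chrome", "Outlook"], "listening_ports": [135, 445],
             "registry": {r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate": "0"}},
    "bad": {"os": "windows", "os_build": 19041, "av_signature_date": date(2024, 2, 10),
            "apps": ["uTorrent"], "listening_ports": [3389], "registry": {}},
    "mac": {"os": "macos", "os_build": 14, "av_signature_date": date(2024, 3, 2),
            "apps": [], "listening_ports": []},
}
```

The checks are deliberately independent so the verdict lists every failure at once; a remediation page that only shows the first problem sends the user round the loop several times. Unknown operating systems skip the build and registry checks rather than failing them, which is the behaviour you want for a profiler-classified device you have no baseline for.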
The best NAC solutions include both pre-connect and post-connect functions, in order to first ensure that network access is limited to users and devices that are authorized and compliant with security policies, and then to ensure that users and devices stay compliant while connected to the network.

The Role of 802.1X in NAC

There is often some confusion between 802.1X and NAC. Because the 802.1X specification also uses the term "network access control" there is uncertainty whether these are competing or complementary technologies. By itself, 802.1X is simply an authentication solution. It gives reasonable assurance that the connected user and device belong on the network, purely from an authentication standpoint. NAC is much more. In addition to authentication, it includes device profiling, endpoint compliance validation, enforcement capability to limit access, remediation mechanisms to bring endpoints into compliance, and post-connect monitoring to ensure devices stay compliant. 802.1X is not required for a NAC implementation. However, network access control solutions can leverage 802.1X for authentication. In this section we discuss the advantages and disadvantages of using 802.1X authentication.

Advantages of 802.1X

IEEE standard: 802.1X is an IEEE standard originally published in 2001, and as a result it has been adopted (to varying degrees) by most network infrastructure vendors. Similarly, most laptops, tablets and smartphones available today feature embedded 802.1X supplicants. While there are some inconsistencies among different vendors' networking products, and supplicant support for non-mobile operating systems may be lagging, an organization purchasing network infrastructure and endpoint devices today can be reasonably confident that they are 802.1X-capable. Though interoperability in a multi-vendor environment can be tricky, 802.1X is well suited to a homogeneous network environment.
Layer 2 approach: 802.1X requires successful authentication before layer 3 network access is permitted by the authenticator. EAPoL runs as soon as a layer 2 link is up, so no IP address is needed during the authentication process. Because nothing but EAPoL is forwarded before admission, the endpoint cannot reach other hosts on the network; its pre-admission attack surface is limited to the authenticator's EAPoL handling and, through the relay, the authentication server's EAP parsing. This advantage may be useful in high-risk environments.

Disadvantages of 802.1X

Reliance on supplicants: 802.1X requires supplicant software on endpoints for authentication. While newer laptop and mobile device operating systems include supplicants, many legacy endpoints do not and therefore cannot participate in the 802.1X authentication process. Additionally, printers, IP phones, physical security devices (surveillance cameras, card readers, entry keypads etc.), manufacturing, healthcare and a variety of industry-specific equipment often do not support supplicants. In many environments, non-802.1X endpoints far outnumber 802.1X-capable ones. Managing network connectivity for non-802.1X endpoints can require a great deal of manual configuration (managing MAC authentication exception lists) as well as potential security tradeoffs. Simply put: many IT managers don't want to put "yet another agent" on the endpoint, so this is a major disadvantage compared to NAC products that can work without agents.

Complexity in Wired LANs: While 802.1X is well suited to wireless LANs, adoption has lagged in wired LANs due to a number of challenges that make deployment complex and costly. Legacy switches or other network infrastructure devices may lack 802.1X support. Additionally, switches from different manufacturers are inconsistent in the manner in which they support 802.1X.
Unlike wireless LANs, which are predominantly used by newer mobile devices with built-in supplicants, wired LANs tend to have a greater variety of legacy endpoints, many of which do not support 802.1X supplicant software. It is also challenging to configure different switches in a multi-vendor environment to handle a mix of 802.1X and non-802.1X endpoints.

Architectural limitations: By itself, the 802.1X standard does not address the exceptions that abound in most business environments. It assumes that all legitimate devices in an organization will always have properly configured supplicants. The authentication result is binary: allow or deny. There are no provisions for guest or contractor devices with supplicants configured for a different 802.1X environment, remediation actions upon failure, or tolerance for configuration errors. Lack of resiliency or graceful failover means that a failure in any part of the process usually requires manual IT intervention, a major challenge for any organization. Commercial NAC solutions sometimes extend and/or complement 802.1X with additional capabilities to address these architectural shortcomings.

Lack of security posture validation: Pre-connect security posture validation and post-connect compliance monitoring of endpoints are outside the scope of the 802.1X standard. In addition to authenticating the endpoint and/or its user before allowing access, it is important to determine whether the endpoint is safe and in compliance with an organization's security policies. Even authorized users can unknowingly bring "unsafe" devices onto the network, which can place the entire network and the organization at risk. As a standalone solution, 802.1X wraps up after authentication is completed and does not monitor the compliance posture of the device or the behavior of the user post-admission.
By itself, it is essentially a one-trick pony: other solutions are required, either in addition to or in place of 802.1X, to address pre-connect and post-connect endpoint compliance.

How ForeScout helps Implement 802.1X within a NAC Framework

If you have determined that 802.1X is the right authentication technology for your organization, you then need to decide how to implement it. You could "roll your own" and work directly with the protocol and its components, but case studies published by analysts such as Gartner have shown that such implementations often take a long time, months or even years, and require a large amount of administrative overhead. Alternatively, you could purchase a turnkey solution such as ForeScout CounterACT, which makes rollout much easier. CounterACT provides all of the network access control features and functions described above in this technical note.

ForeScout CounterACT allows enterprises to use multiple authentication methods (including 802.1X) and access control enforcement techniques. It includes a built-in RADIUS server to make rollout of 802.1X easy. Alternatively, it can function as a RADIUS proxy and leverage existing RADIUS servers. CounterACT provides a number of features to help customers implement network access control while leveraging 802.1X authentication. We illustrate some of these features below.

ForeScout CounterACT Functions:
☑ Pre-Connect Authentication
☑ Profiling and Endpoint Classification
☑ Security Posture Assessment
☑ Access Control Enforcement
☑ Quarantine and Remediation
☑ Guest Registration and Enablement
☑ BYOD Provisioning and On-Boarding
☑ Post-Connect Monitoring and Controls

Verifying 802.1X Readiness

An 802.1X-based NAC deployment has a lot of moving parts and is dependent on multiple elements of the IT infrastructure being 802.1X-capable and ready.
Because the 802.1X architecture is not very forgiving or resilient, IT security managers should verify that all aspects of their environment are properly configured before enforcing access control. ForeScout CounterACT includes built-in visibility tools to verify that all participating switches and endpoints are correctly configured for 802.1X authentication. This helps identify and solve problems before they become disruptive.

CounterACT authentication and access control options:

Authentication                          Access Control
802.1X                                  Allow/deny
LDAP directory systems                  VLAN assignment
MAC address bypass list                 ACL management
Guest registration database             Virtual firewall
External authentication repositories

Figure 2: Verifying 802.1X readiness using CounterACT

CounterACT provides 802.1X policies to verify:
• Network infrastructure readiness
• Client readiness (details in the Supplicant Remediation section)
• End-to-end authentication communication from client (via switch) to RADIUS server and directory (see Figure 2)

These policies can be run in monitor mode to identify potential issues before enforcing 802.1X access control (see Figure 3). This helps avoid business disruption and help-desk calls. After turning on 802.1X, these policies can be used to identify problems as they occur and take corrective action.

Figure 3: CounterACT policies for 802.1X switch readiness and monitoring

Supplicant Remediation

802.1X requires supplicant software on endpoints for authentication. Supplicants must be properly configured for the specific 802.1X environment. Often, supplicants are not installed or enabled on guest or BYOD endpoints, or the supplicant may be incorrectly configured for the particular corporate environment. For example, a common issue with guest or BYOD devices is that the supplicant is configured by default to use the Windows login and password for authentication.
Since these credentials may belong to a different domain, they do not travel well, and the user will not be able to get onto another 802.1X network. ForeScout CounterACT addresses this problem through its ability to allow all users, even those that fail 802.1X authentication, to register for network access. CounterACT provides built-in remediation tools to identify when an endpoint does not have a properly configured supplicant (see Figure 4). Policies are provided to identify common supplicant issues for Windows, Mac OS, Linux and mobile platforms such as iOS and Android. When such issues are found, CounterACT can automate the remediation process through scripts to install and/or configure a supplicant.

Figure 4: Supplicant remediation policies in CounterACT

Hybrid Mode

By itself, the 802.1X standard is not resilient or fault tolerant. It assumes that all legitimate devices in an organization will always have properly configured supplicants. The authentication result is binary: allow or deny. This lack of resiliency means that there are typically many failures, and 802.1X's inability to fail over gracefully creates a heavy helpdesk load and places a heavy toll on end user productivity. CounterACT includes a hybrid mode which lets you use 802.1X and/or other authentication technologies within the same network environment. In addition to 802.1X, CounterACT supports authentication against LDAP directories such as Active Directory, authentication against a built-in guest registration database or MAC address bypass list, or authentication against other external databases that house guest, BYOD or contractor authorization information. Using CounterACT's hybrid mode, any device that fails 802.1X authentication can be placed in a lobby VLAN. If the device is a computer, CounterACT can give the user an opportunity to authenticate via another method, such as by entering his/her Active Directory credentials.
If the user is a guest, CounterACT can give the user the opportunity to register for guest access on the network. Hybrid mode provides two benefits:

1. It allows organizations to roll out NAC quickly and completely in an environment that does not support 802.1X in every location.

2. It provides a redundant authentication mechanism for endpoints that fail or are unable to use 802.1X authentication.

Figure 5: Configuring Hybrid mode using CounterACT policies

Automated Exception Process for non-802.1X endpoints

ForeScout CounterACT automates the MAC exception process for non-802.1X endpoints (printers, phones, etc.) using its built-in endpoint profiler (see Figure 6). CounterACT automatically identifies such devices and, based on the device type and associated policy, adds the device's MAC address to an exception list and then places the device on the production network. Subsequent connections are automatically allowed as long as the device profile stays consistent.

In addition, ForeScout CounterACT continuously monitors every endpoint in order to detect MAC address spoofing (see Figure 7). For example, if a device originally appeared to be a printer (based on profiling) and was allowed network access, but then starts reading documents from a file server, CounterACT can detect this change in device profile and can remove the device from the network and from the MAC exception list. This provides a fully automated, closed-loop exception management process and alleviates security concerns related to MAC authentication in high-risk environments.

Figure 6: Automating exceptions for non-802.1X endpoints

Figure 7: Detecting MAC address spoofing and impersonation using CounterACT

When to Use 802.1X and When Not to

As described above, 802.1X has some advantages and disadvantages, and addresses only a subset of security controls.
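The hybrid-mode fallback and the closed-loop MAC exception process from the two preceding sections, as one added example (not CounterACT code): a small policy engine that routes endpoints that pass 802.1X to production, gives computers that fail it a directory login, guest registration or the lobby VLAN, creates a MAC exception for profiled printers and phones, and revokes that exception the moment the device initiates traffic its profile would never generate. The VLAN names, the per-profile list of ports a device class is expected to initiate connections to, and the flow records are constructed for the example; how the profile itself is derived (OUI, DHCP fingerprint, open ports) is outside the block.

```python
"""Hybrid-mode admission and closed-loop MAC exceptions.  Added example, not
CounterACT code: models the fallback path for endpoints that fail 802.1X
(directory login, guest registration, lobby VLAN), the profile-based exception
list for non-802.1X devices, and a post-connect check that revokes an
exception when behaviour stops matching the profile.  VLAN names, profiles,
per-profile port lists and flow records are all constructed."""
from collections import namedtuple

# What a connecting endpoint looks like after profiling and the authentication attempts.
Endpoint = namedtuple("Endpoint", "mac profile dot1x_ok directory_ok guest_registered")

# Destination ports a device class is expected to *initiate* connections to.
# Anything else from a MAC-excepted device is out of profile.
PROFILE_OUTBOUND = {
    "printer": {53, 67, 123},               # DNS, DHCP, NTP
    "ip_phone": {53, 67, 69, 123, 5060},    # plus TFTP config pull and SIP
}

class NacPolicy:
    def __init__(self):
        self.exceptions = {}   # mac -> profile recorded when the exception was created
        self.revoked = set()   # macs whose exception was pulled; cleared manually

    def admit(self, ep):
        """Pre-connect decision: returns (vlan, reason)."""
        if ep.mac in self.revoked:
            return "quarantine", "exception-revoked"
        if ep.dot1x_ok:
            return "production", "802.1x"
        known = self.exceptions.get(ep.mac)
        if known is not None and known != ep.profile:
            return "quarantine", "profile-changed"   # same MAC, different kind of device
        if ep.profile in PROFILE_OUTBOUND:
            self.exceptions[ep.mac] = ep.profile     # automated exception tied to the profile
            return "production", "mac-exception"
        # hybrid mode: a computer that failed or skipped 802.1X gets another way in
        if ep.directory_ok:
            return "production", "directory-login"
        if ep.guest_registered:
            return "guest", "guest-registration"
        return "lobby", "captive-portal"

    def monitor(self, flows):
        """Post-connect check over (src_mac, dst_ip, dst_port) flow records;
        returns the enforcement actions taken for MAC-excepted devices."""
        actions = []
        for mac, dst_ip, dst_port in flows:
            profile = self.exceptions.get(mac)
            if profile is None or dst_port in PROFILE_OUTBOUND[profile]:
                continue
            del self.exceptions[mac]      # closed loop: exception removed ...
            self.revoked.add(mac)         # ... and not silently re-created next connect
            actions.append((mac, "quarantine",
                            f"{profile} initiated connection to {dst_ip} port {dst_port}"))
        return actions
```

The `revoked` set is the part a bare MAC-bypass list lacks: without it, a host spoofing the printer's MAC would be thrown off for the file-server access and then re-admitted on its next connection as soon as it looked like a printer again. Keeping the profile alongside the MAC also catches the cruder case where the spoofing host is profiled as a workstation on reconnect.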
It can be deployed as a standalone network access control solution, or it can be used to provide authentication within the broader context of a commercial NAC solution. Since 802.1X is a standard supported by most networking devices and operating systems, some may perceive it as "free" and pursue the path of implementing NAC using stand-alone 802.1X. However, deploying 802.1X requires integrating multiple components (supplicants, authenticators and a RADIUS server); it is not a turnkey solution. Interoperability of devices, or the lack of it, can prove challenging. And by itself, 802.1X doesn't solve the problem of non-802.1X-capable devices, which often outnumber 802.1X-capable ones.

In this section we'll examine a few use cases for implementing network access control. We'll provide guidance on when to consider using 802.1X as a stand-alone solution, and when to consider deploying a commercial NAC solution, such as ForeScout CounterACT.

Organizational Needs

Begin by considering your current needs. Do you simply want to separate guests from employees and place all guests in a different VLAN which only provides internet access? Or do you want the ability to control guests, find out who they are, selectively approve each guest's request for access, and control how long they can connect to the network? Also consider future goals and objectives. Do you think you will want to control network access on the basis of device type, security posture, user role and other factors? Are there other needs, such as integration with MDM systems or SIEM solutions, lurking around the corner? Let's take a look at a few use cases to provide additional clarity.

Use Case: Secure Guest Access

Consultants, contractors, business partners and other guests bring their own personal devices and request internet connectivity so they can work on site. To remain productive they may need access to basic services such as printing, or broader access to specific corporate applications and data.
Providing them unlimited access to the production network can expose you to malware and possible data loss. Based on your specific needs, you may choose to implement some or all of the following capabilities:

• User authentication to distinguish employees from guests
• Different levels of network access (limiting access to specific resources) based on user role
• Automated guest provisioning through captive portals and self-registration techniques
• Sponsorship capability that allows non-IT employees to create and manage guest accounts, according to IT policy, in external databases that the NAC solution uses to authenticate guests

By itself, 802.1X can provide authentication for employees and VLAN segmentation for guests. You need a commercial NAC solution like ForeScout CounterACT to implement the remaining functionality.

Capability                                   802.1X                                       ForeScout CounterACT
User Authentication                          ✓                                            ✓
Guest Registration (Captive Portals etc.)    –                                            ✓
Non-IT Sponsor Support                       –                                            ✓
Access Control Options                       VLANs                                        Various Granular Options
Deployment                                   Multiple Components, External RADIUS Server  Fully Integrated, Turnkey Solution

Use Case: Endpoint Compliance

Mobile devices that connect to corporate and public networks can become infected or non-compliant over time. Endpoints can become misconfigured. Security agents can be disabled. Antivirus software can fall out of date. Unauthorized software can be installed unknowingly by employees. To control risk, the security posture of all devices must be verified both before and after they're allowed on the network.
Based on your specific needs, you may choose to implement some or all of the following capabilities:

• Identify and authenticate a user and endpoint
• Assess an endpoint against a security policy, such as verifying the device configuration or the status of antivirus
• Contain or limit access to resources for endpoints that fail to meet security policy requirements
• Remediate endpoints that do not meet security policy requirements so they can be made compliant and allowed access to the network
• Post-connect monitoring of device behavior to detect malicious activity or failure of one or more of the onboard security controls

Endpoint compliance is outside the scope of 802.1X. To implement the above functionality you need a commercial NAC solution like ForeScout CounterACT.

Capability                          802.1X    ForeScout CounterACT
User/Device Authentication          ✓         ✓
Security Posture Validation         –         ✓
Mobile Device Configuration Checks  –         ✓
Custom Policies and Checks          –         ✓
Quarantine and Remediation          –         ✓
Post-Connect Monitoring             –         ✓
Compliance Reporting                –         ✓

Use Case: Secure BYOD Access

With the proliferation of mobile devices, employees are increasingly looking to use their own personal devices at work. A Gartner survey reveals that U.S.-based CIOs expect 38% of mobile devices used within the enterprise to be employee owned by 2014. BYOD policies are required because employee-owned devices may present risks to the network such as propagation of malware, network instability and potential data loss.
Based on your specific needs, you may choose to implement some or all of the following capabilities:

• Profile and identify endpoints by type when they connect to the network
• Assess BYOD endpoints against a security policy, such as verifying the device configuration or the endpoint security posture
• Provide different levels of network access and limit access to specific resources based on user role, device type and security posture
• Automate provisioning of BYOD devices through captive portals and other techniques
• Remediation capability, such as downloading mandated device configuration, endpoint protection agents, operating system security updates etc., so that BYOD endpoints can be made compliant and allowed access to the network

802.1X can provide authentication for BYOD endpoints; however, doing so requires properly configured supplicant software on every endpoint. A commercial NAC solution like ForeScout CounterACT provides the most flexible approach to securing a BYOD environment because CounterACT does not require BYOD devices to carry a configured 802.1X supplicant. ForeScout CounterACT can also provide more granular control over which types of devices are granted access to the network, and can limit access based on the user's role.

Capability                          802.1X               ForeScout CounterACT
User/Device Authentication          ✓                    ✓
Profiling and Endpoint Classification  –                 ✓
Security Posture Validation         –                    ✓
Mobile Device Configuration Checks  –                    ✓
Quarantine and Remediation          –                    ✓
Role-Based Access Control           –                    ✓
MDM Integration                     –                    ✓
Client Software Dependency          Supplicant Required  None Required

Network Environment

Another important consideration is your enterprise network environment. Do all your switches and wireless access points support 802.1X? Is most of your network infrastructure from a single vendor, or do you have a multi-vendor environment? Do most of your endpoints have 802.1X supplicants built in?
Or do you have a large number of legacy endpoints and/or other non-802.1X-capable devices and equipment? 802.1X authentication is well suited to a homogeneous network environment, and is easier to implement in wireless LANs than in wired LANs. In large and complex heterogeneous environments, using 802.1X authentication can be challenging and costly; the overhead of using 802.1X can be far greater than that of alternative authentication methods. Let's take a look at a use case for managing non-802.1X endpoints.

Use Case: Exception Management

Endpoints such as printers, IP phones and physical security devices cannot respond to requests for identification, nor do they support authentication agents such as 802.1X supplicants. Various industry-specific equipment, such as machines on a manufacturing floor, cash registers in a retail store and healthcare devices in hospitals, is business critical and needs network access. MAC authentication is probably the best alternative for handling such endpoints, but maintaining static MAC exception lists requires significant ongoing manual configuration and carries security tradeoffs, since a MAC address is easily cloned. Based on your specific needs, you may choose to implement some or all of the following capabilities:

• Authenticate an endpoint using its MAC address
• Profile and classify endpoints by type when they connect to the network
• Dynamically create MAC exception lists for specific types of devices
• Post-connect monitoring of device behavior to detect MAC address spoofing/impersonation, with dynamic removal of endpoints from MAC exception lists

Capability                  802.1X    ForeScout CounterACT
MAC based authentication    ✓         ✓
Endpoint profiling          –         ✓
MAC exception lists         Manual    Automated
Detect MAC address spoofing –         ✓

MAC exception lists can be implemented within an 802.1X environment as a way of admitting devices that don't support 802.1X supplicants.
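The closed-loop exception process described above (automatic MAC exceptions granted from the endpoint profile, post-connect monitoring for profile drift, and dynamic removal from the list) can be sketched in code. The following Python is an added illustration and is not CounterACT code or policy syntax; the profile table, the port-based classifier, the VLAN numbers, the flow-record format and the sample flow lines are all constructed for the example.

```python
"""Closed-loop MAC exception management for non-802.1X endpoints.

Added example, not CounterACT code or policy syntax.  A device is profiled
from the ports it listens on, a matching device's MAC goes on the exception
list with a production VLAN, and post-connect flow records are checked
against that profile: off-profile behaviour (a "printer" opening SMB
sessions to a file server) revokes the exception.  Policy, classifier,
VLAN numbers and flow lines are all constructed for the example.
"""
import re

# Assumed policy: ports a device type is expected to serve, destination
# ports it may initiate to, whether it earns an automatic exception, VLAN.
PROFILE_POLICY = {
    "printer":  {"serves": {515, 631, 9100}, "initiates_to": {53, 123},
                 "auto_exception": True, "vlan": 30},
    "ip-phone": {"serves": {5060}, "initiates_to": {53, 69, 123, 5060},
                 "auto_exception": True, "vlan": 40},
    "unknown":  {"serves": set(), "initiates_to": set(),
                 "auto_exception": False, "vlan": None},
}
LOBBY_VLAN = 999  # assumed lobby/quarantine VLAN for devices without an exception

# Constructed record format: "<ts> src=<mac> dst=<ip> dport=<port> proto=<tcp|udp>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<mac>[0-9a-f:]{17}) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>tcp|udp)$"
)


def classify(listening_ports):
    """Minimal profiler: first profile whose served ports overlap the scan."""
    for profile, rule in PROFILE_POLICY.items():
        if rule["serves"] & set(listening_ports):
            return profile
    return "unknown"


class ExceptionManager:
    """Dynamic MAC exception list plus an audit trail of every decision."""

    def __init__(self, policy=PROFILE_POLICY):
        self.policy = policy
        self.exceptions = {}  # mac -> profile the exception was granted for
        self.audit = []       # (mac, action, detail)

    def admit(self, mac, listening_ports):
        """First connection: profile the device and pick its VLAN."""
        profile = classify(listening_ports)
        rule = self.policy[profile]
        if rule["auto_exception"]:
            self.exceptions[mac] = profile
            self.audit.append((mac, "exception-added", profile))
            return rule["vlan"]
        self.audit.append((mac, "lobby", profile))
        return LOBBY_VLAN

    def reconnect(self, mac, listening_ports):
        """Later connection: honoured only while the profile is unchanged."""
        profile = self.exceptions.get(mac)
        if profile is not None and classify(listening_ports) == profile:
            return self.policy[profile]["vlan"]
        self.revoke(mac, "profile changed on reconnect")
        return LOBBY_VLAN

    def observe(self, flow_line):
        """Post-connect monitoring: off-profile behaviour revokes the exception."""
        m = FLOW_RE.match(flow_line)
        if m is None:
            raise ValueError(f"unparseable flow record: {flow_line!r}")
        mac, dport = m["mac"], int(m["dport"])
        profile = self.exceptions.get(mac)
        if profile is None:
            return None  # not on the exception list; nothing to enforce here
        if dport in self.policy[profile]["initiates_to"]:
            return "ok"
        self.revoke(mac, f"{profile} initiated {m['proto']}/{dport} to {m['dst']}")
        return "revoked"

    def revoke(self, mac, reason):
        """Drop the MAC from the list (a real deployment would also drop its port)."""
        if self.exceptions.pop(mac, None) is not None:
            self.audit.append((mac, "exception-revoked", reason))


# Constructed sample (RFC 7042 documentation MACs, RFC 5737 documentation IPs);
# the third line is the note's "printer that starts reading from a file server".
PRINTER, PHONE = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
FLOW_LOG = """\
2013-05-01T09:00:01 src=00:00:5e:00:53:01 dst=192.0.2.53 dport=53 proto=udp
2013-05-01T09:00:02 src=00:00:5e:00:53:02 dst=192.0.2.10 dport=5060 proto=udp
2013-05-01T09:05:00 src=00:00:5e:00:53:01 dst=198.51.100.20 dport=445 proto=tcp
2013-05-01T09:05:01 src=00:00:5e:00:53:01 dst=198.51.100.20 dport=445 proto=tcp
"""


def run_demo():
    """Admit both devices, replay the flow log, return what happened."""
    mgr = ExceptionManager()
    vlans = {PRINTER: mgr.admit(PRINTER, {631, 9100}), PHONE: mgr.admit(PHONE, {5060})}
    verdicts = [mgr.observe(line) for line in FLOW_LOG.splitlines()]
    return vlans, verdicts, mgr


if __name__ == "__main__":
    print(run_demo()[:2])  # ({printer: 30, phone: 40}, ['ok', 'ok', 'revoked', None])
```

Running the file replays the constructed flow log: both devices are admitted to their production VLANs, the printer's DNS lookup and the phone's SIP registration are on-profile, and the printer's first SMB connection to the file server revokes its exception, so its next flow is no longer covered by the list at all (verdict None). The point the note makes is visible in the audit trail: the MAC address never changes, so a static bypass list would keep admitting the device; only the behavioural check catches the impersonation, and a device that reconnects with a different profile (for example, a laptop wearing the printer's MAC and listening on RDP) is sent to the lobby VLAN instead of being waved through.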
Static exception lists of this kind have to be maintained manually. A commercial NAC solution like ForeScout CounterACT can complement 802.1X and automate the exception management process.

Other Considerations

There may be other factors to take into consideration when selecting an authentication mechanism for network access control. Government organizations and a number of industry verticals are subject to various regulations, some of which may mandate the use of 802.1X or other authentication techniques. In high-risk environments or classified networks there may be a legitimate requirement for all devices to use 802.1X supplicants with certificates.

Budget is always a factor in any decision-making process. Upgrading vast amounts of legacy network infrastructure can be a showstopper for 802.1X. An organization may choose to use 802.1X for the wireless infrastructure while using other authentication methods on wired LANs. Conversely, if an organization has newer, homogeneous network infrastructure, there may be cost savings in deploying a stand-alone 802.1X solution, especially if the IT staff can create additional home-grown tools for visibility, remediation, resiliency and automation of manual processes.

Conclusion

802.1X can be implemented as a stand-alone port-based access control solution, or it can be used as an authentication mechanism within the broader context of a commercial network access control (NAC) solution such as ForeScout CounterACT. The decision of whether to use 802.1X or another authentication mechanism rests on the specific needs of the organization and on the advantages and disadvantages of 802.1X within a given network environment. Most organizations find that 802.1X by itself does not provide enough security controls and is too challenging to deploy. There are tremendous benefits to using commercial solutions such as CounterACT to augment 802.1X and overcome its challenges.
CounterACT greatly enhances network visibility and security, and provides additional functions such as endpoint profiling, security posture validation, quarantine and remediation, advanced guest management and BYOD provisioning. CounterACT also includes a complete set of troubleshooting and remediation tools that speed the deployment of any 802.1X solution and make 802.1X more resilient and more accommodating to unknown or misconfigured endpoints, as often happens in BYOD environments.

About ForeScout

ForeScout delivers pervasive network security by allowing organizations to continuously monitor and mitigate security exposures and cyber attacks. The company's CounterACT appliance dynamically identifies and assesses all network users, endpoints and applications to provide complete visibility, intelligence and policy-based mitigation of security issues. ForeScout's open ControlFabric™ technology allows a broad range of IT security products and management systems to share information and automate remediation actions. Because ForeScout's solutions are easy to deploy, unobtrusive, flexible and scalable, they have been chosen by more than 1,500 enterprises and government agencies. Headquartered in Campbell, California, ForeScout offers its solutions through its network of authorized partners worldwide. Learn more at www.forescout.com.

ForeScout Technologies, Inc.
900 E. Hamilton Ave., Suite 300
Campbell, CA 95008 U.S.A.
T 1-866-377-8771 (US)
T 1-408-213-3191 (Intl.)
F 408-213-2283
www.forescout.com

©2013 ForeScout Technologies, Inc. Products protected by US Patent #6,363,489, March 2002. All rights reserved.
ForeScout Technologies, the ForeScout logo, CounterACT and ControlFabric are trademarks of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners. Doc: 2013.0057