This is the first of what’s set to develop into a helpful series of postings from me on our communications practice here at Right! Systems. Having been involved with communications and the evolution of voice over IP since the late 90’s, having embraced and experimented with the introduction of video and texting into our daily interactions in the mid 2000’s, and with over 20 years of engineering solutions for an amazing variety of projects and customers, I have been blessed to be able to do something that I love for the majority of my career. I have the pleasure of developing and managing the communications practice here at Right! Systems. For those of you who know me, like any personal project I undertake, I put my whole heart into it. I believe if you are going to do something, you had better do it Right!, or not at all. It has been a fantastic experience and an incredible opportunity for my professional growth. Going on my fifth year with RSI and in the Pacific Northwest (originally a Rocky Mountain transplant), I have the pleasure of working with some of the greatest engineers and people in the industry. I find myself employed by a solid company that understands the most important assets it has are its relationships. It’s our job to demystify and translate all the ever-evolving technologies, marketing, sales, and geek speak into an understandable and beneficial solution that meets your ever-growing company requirements for technology and communication. Even more importantly, it is our job to keep you, our customer, informed on the developments and applications that can be implemented to benefit and improve your business, its flow, and its customer interactions, and as always to grow relationships. I am working on a series of posts designed to cover the ever-changing world of communications, share helpful experiences that earned me a few gray hairs, and offer ideas on where the projects that fall under my care can benefit you and your company. Until next time…
1. Version History
Author       Date     Version  Description
Colin Doyle  6/18/16  1.0      Initial document creation
Colin Doyle  6/23/16  1.1      Final edits and submission
2. Executive Summary
At the dawn of enterprise computer networking, the primary focus for data and systems security was on the internal devices themselves. Corporate networks were comprised of locally managed personal computers, and servers used for information sharing and storage. The introduction of wireless networks, the widespread adoption of laptop and mobile devices, and the emergence of the remote employee have brought with them a shift in how the enterprise must secure itself. The traditional methods for securing the internal network still apply, but new methods for controlling access to the network are now more important than ever. Enter NAC. Network Access Control (NAC) does not describe software or hardware per se. Rather, NAC describes a suite of policy-based detection and remediation tools used to secure an enterprise network. Once considered conceptually feasible but technically impractical, the development of complementary policy engines and network protocols has legitimized NAC to the point of broad adoption. NAC is a compliance-based network access solution. Compliance metrics are defined as policy on the system (or systems) used to centrally manage and implement NAC. When a host connects to the network, it is checked for compliance. If the system is found to be in compliance with the policies that its connection type and/or authentication defines, then the system is granted access. If the system is found not to be in compliance, then it is subject to a variety of remediation and/or isolation options. The greatest vector for network exposure to a malicious attack is BYOD, or “Bring Your Own Device”, hardware. This term covers non-enterprise-owned hardware, as well as some non-standard enterprise-owned hardware. On a contemporary network, it is not uncommon for these BYODs to outnumber the enterprise-owned equipment.
It is for this reason, and others discussed in this roadmap, that a comprehensive NAC solution for the enterprise should be seen as critical-path.
3. The NAC Process
Every NAC solution, at its core, will have three main components. Because of the many different terms used in NAC by vendors, and to avoid confusion, this roadmap will use the terms defined by the Trusted Computing Group’s (TCG) Trusted Network Connect (TNC) working group.
3.1. Host Assessment Phase
When a device connects to the network, NAC will attempt to categorize it based on pre-defined criteria. This check is used to determine if the device requires further compliance inspection, or if it is subject to automatic enforcement and/or exclusion. Remember, not all hosts are PCs, and in some cases these non-PC hosts are essential. Devices such as security cameras, printers, and IP phones lack the software architecture to support any higher-level NAC enforcement. A NAC solution must be flexible, offering different pathways for onboarding (the term used for bringing a host onto a network using NAC) different hosts. Once the device has been identified, it can be assigned to a policy-defined security zone and have device-specific network policies applied. NAC security zones are meant to isolate, or “quarantine”, hosts during the evaluation and remediation phase of network onboarding. As such, these security zones are unique to the NAC environment itself. The number of security zones used during NAC onboarding, and the role of each zone, will vary depending on the NAC solution that is implemented.
3.2. Evaluation/Remediation Phase
If a device is found not to be subject to categorical enforcement and/or exclusion, it must be validated. Validation includes two components. First, authentication is used to grant or deny access to the physical network. Successful authentication results in limited network access, or quarantine, allowing the process to proceed to step two. The type of access granted to a host depends on the security zone that host was placed in during the assessment phase. Second, the host system is checked for compliance as defined by the NAC solution. This is commonly referred to as a “posture check”. A client running on the host system performs this posture check. Two types of clients can be used for this posture check: dissolvable and persistent.
A dissolvable client exists for the initial check and is then removed when the system moves to the remediation phase. A persistent client is installed on the local machine and provides ongoing posture checks of specified compliance points while the system is connected to the network. As a rule, persistent clients offer better security, as they will continue to run on the host system and enforce policy throughout the network session. Compliance points within a system typically include, but are not limited to, antivirus software, anti-spyware software, firewall rules, software patches, and application versions. In fact, the utility of NAC can extend beyond security considerations by ensuring that endpoints meet functional requirements for accessing certain network resources. An example would be ensuring that the type and version of the web browser installed on a host system supports enterprise-provided content (think distance learning). Remediation is the process by which systems that are evaluated and found to be out of compliance are managed. Remediation can be performed in a number of ways, with the appropriate method being defined by the type of device connecting (laptop/desktop/mobile/server/etc…) and the method by which it has connected (wired/wireless/VPN). In some cases, the software responsible for remediation will simply list what the user must do to come into compliance. In other cases, the software can offer to facilitate remediation by automatically installing software and updates. Remediation should be viewed and managed as a cycle, with systems being quarantined for evaluation, remediated, evaluated, and so on until posture requirements are met and access is granted.
3.3. Enforcement Phase
Up to this point, the host system that is attempting to connect to the network has only been granted quarantine access to the network. The enforcement phase is the gateway to the network, granting access to systems that have met compliance criteria, while denying access to systems that have not. This is the most binary example of policy enforcement. Enterprise NAC solutions employ a number of different access and remediation policies. In fact, there will almost always be connection pathways built into the solution so that critical systems do not cease to function if they are out of compliance and remediation cannot be automated or performed immediately. This flexibility highlights the need for well-constructed security requirements and policies, as small network holes can become quite large when left unchecked.
4. NAC Roadmap
The implementation of NAC extends far beyond the evaluation and selection of a commercial product. For NAC to be effective, a combination of network and systems security must be defined, adopted, and integrated into a comprehensive NAC solution. The network must be just as ready as the enterprise for a NAC implementation. The value of defining the requirements for NAC prior to vendor selection cannot be overstated. Not all NAC solutions are created equal, and the process of implementing a NAC solution is long and expensive. In short, you really want to get it right the first time around.
4.1. Secure the Network
In order for a NAC solution to be effective, the network must be designed in a way that separates and isolates internal, secure network resources from external and internal insecure resources. This is done through the definition and creation of network zones. These zones create logical network boundaries between systems, allowing for the creation and enforcement of access policies. Networks should also be designed for ease of monitoring and management. While not directly related to network security, the simplification of tasks such as IP addressing and VLAN assignment can greatly simplify the creation of network access policies, reducing the likelihood of policy errors and/or policy circumvention.
4.2. Define System Posture Policies
Software vulnerabilities present a clear and present threat to network systems, not just from compromised BYODs, but also from worms and viruses that are able to penetrate the network. The advent of crypto-viruses and ransomware only serves to amplify these concerns. In order to protect against a wide range of vulnerabilities, NAC-based policies should be defined. These policies should define requirements for:
- Antivirus software
  o Vendor compliance
  o A/V signature file compliance
- Anti-malware software
  o Vendor compliance
  o A/V signature compliance
- Critical vulnerability software patches
- PC operating systems
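The three NAC phases from sections 3.1 through 3.3, evaluated against the kind of posture policy section 4.2 calls for, as an added example that is not part of the original roadmap or any vendor's product: non-PC hosts are enforced categorically, PCs must authenticate and then pass a posture check in quarantine, and the enforcement decision is returned together with the remediation list. The vendor names, patch IDs and zone names are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed posture policy in the shape of section 4.2: approved A/V vendors,
# maximum signature age, required patches and supported operating systems.
# Vendor names and patch IDs are placeholders, not real products or KB numbers.
POLICY = {
    "av_vendors": {"ExampleAV", "OtherAV"},
    "max_sig_age_days": 3,
    "required_patches": {"PATCH-A", "PATCH-B"},
    "supported_os": {"Windows 10", "macOS 10.11"},
}
# Hosts that cannot run a posture agent (section 3.1) are enforced categorically:
# identified by type and placed straight into a device-specific zone.
NON_PC_ZONES = {"printer": "printers", "camera": "cameras", "ip-phone": "voice"}

@dataclass
class Host:
    kind: str                    # "pc", "printer", "camera" or "ip-phone"
    authenticated: bool = False  # result of directory authentication (section 4.3)
    av_vendor: str = ""
    av_sig_age_days: int = 999   # days since the last A/V signature update
    patches: Set[str] = field(default_factory=set)
    os: str = ""

def posture_check(h: Host) -> List[str]:
    """Evaluate a PC host against POLICY; returns the remediation actions needed."""
    todo = []
    if h.av_vendor not in POLICY["av_vendors"]:
        todo.append("install approved antivirus")
    elif h.av_sig_age_days > POLICY["max_sig_age_days"]:
        todo.append("update A/V signatures")
    missing = POLICY["required_patches"] - h.patches
    if missing:
        todo.append("install patches: " + ", ".join(sorted(missing)))
    if h.os not in POLICY["supported_os"]:
        todo.append("upgrade operating system")
    return todo

def onboard(h: Host) -> Tuple[str, List[str]]:
    """Run the three NAC phases and return (zone, remediation_actions)."""
    # Phase 1, host assessment: non-PC hosts skip the posture check entirely.
    if h.kind in NON_PC_ZONES:
        return NON_PC_ZONES[h.kind], []
    # Phase 2, evaluation: authenticate first; unauthenticated hosts get nothing.
    if not h.authenticated:
        return "denied", []
    todo = posture_check(h)
    # Phase 3, enforcement: compliant hosts leave quarantine; the rest remediate
    # and are re-evaluated on the next cycle.
    return ("production", []) if not todo else ("quarantine", todo)
```

A host that fails several checks gets every action back at once, so the remediation cycle from section 3.2 can be completed in one pass rather than one finding per round trip.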
4.3. Restrict Access to the Network
The network should be secured at the access layer using directory-based authentication and cooperative enforcement. Cooperative enforcement integrates authentication into both wired and wireless connections. Simply put, no matter how a system makes a connection to the network, that connection should be authenticated. Policies should be created defining access methodologies for:
- Wired systems
  o Servers and Data Center systems
  o Employee systems
  o Student/Guest systems
  o Non-PC wired systems (security cameras, printers, voice, teleconferencing, etc…)
- Wireless systems
  o Employee laptops
  o Mobile phones
  o Tablets
- VPN connections
  o Employee
  o Guest/3rd-party
  o Site-to-Site (when applicable)
4.4. Define Remediation Methods
The handling of non-compliant systems must be defined in a way that balances the security of the network against the need to provide access to secured resources. It is not hard to envision a scenario where a system is out of compliance but still needs access to the network. If the NAC remediation process fails or is impossible (perhaps a user does not have sufficient permissions to install required updates), but the user still needs access to the network, what is the solution? Are they simply denied access to the system? Do they call a helpdesk? Are they granted temporary, limited access? The first tenet of network security is that the effort used to secure a system should never exceed the value of that system should it become compromised. Remediation policies should take into account who the user is (based on directory authentication) and what they are trying to access (zone membership). Once these policies are defined, they can be expanded on to allow/deny granular access to internal resources based on compliance and remediation.
5. Conclusion
The modern enterprise network stores personal, private information for employees, corporate IP, trade secrets, and other high-value data. Every enterprise must consider whether its current network security position must be improved to protect these (and other) assets from being compromised. NAC adoption and implementation should be considered a high priority.
6. Contact Information
Colin Doyle, Network Practice Lead, Project Services
503-810-2129
Colin.Doyle@Rightsys.com
7. Reference Documentation and Links
- Gartner Strategic Roadmap for Network Access Control: http://www.arubanetworks.com/pdf/Gartner-Roadmap-for-NAC.pdf
- Interop Labs - NAC: http://www.opus1.com/nac/
What’s New from Citrix Synergy 2016
XenDesktop 7.9 was announced, including:
- Federated Authentication Service - Citrix touted this a few years ago, and then never documented how to do it. Even their SEs had to reach out to partners to see if anyone had figured out how to make it work. They eventually said, “Don’t bother”. Well, it’s BACK baby! And this time it’s going to be different!
- Citrix MCS and Nutanix integration - In the past, Acropolis has had interoperability with XenDesktop via PVS, and some light power management within Studio. Now we can support a direct connection to Acropolis Hypervisor and true MCS support.
- Intel Iris Pro graphics technology – It’s not just Nvidia anymore. Once again, this is a XenServer play.
What’s New in Citrix XenApp/XenDesktop 7.9
Citrix continues to deliver on its promise to offer industry-leading capabilities, superb user experience, lower total cost of ownership and easy administration. At Citrix Synergy 2016, Citrix announced XenApp and XenDesktop 7.9, which includes a number of notable enhancements that demonstrate Citrix’s clear leadership in workspace delivery.
Central Image Management for Nutanix Acropolis Hypervisor
Citrix and Nutanix have been working together to ensure easy, cost-effective access to virtual apps and desktops. XenApp and XenDesktop 7.9 can provision virtual machines on the Nutanix Acropolis hypervisor using Machine Creation Services directly from Citrix Studio. As the leader in hyperconverged infrastructure, Nutanix offers a compelling solution for delivering apps and desktops via Citrix.
Updating Your Boot Device Manager (BDM) Partition with Provisioning Services 7.9
Provisioning Services has included support for a Boot Device Manager (BDM) partition since version 7.0. There are some use cases where it is preferable to choose the BDM partition, and it is simple to do when provisioning machines using the XenDesktop Setup Wizard within the Provisioning Services Console. One limitation the partition had, however, is that after the initial provisioning there was no built-in way to modify it, leaving you either to provision a new machine, or to provision a new machine, copy the BDM hard disk, and use the hypervisor tools to script a replacement. It could get messy and time consuming. Unfortunately, the BDM creation utility itself creates a boot device manager that relies on Two-Stage Boot, so that option isn’t always desirable either. For more information on the boot process, see CTX136378. Citrix recognized the limitations and introduced the ability to update the boot partition for any machines that have been provisioned with BDM using the XenDesktop Setup Wizard.
802.11ac Wave 2 builds upon capabilities that were introduced in 802.11ac to yield even higher performance. As a refresher, 802.11ac (“Wave 1”) introduced the following:
- 256 QAM modulation
- 80 MHz channel support
- Improved transmit beamforming
- Multi-user MIMO (MU-MIMO)
- Up to 4 spatial streams
- 160 MHz channel support, including 80 MHz + 80 MHz channel bonding