Software-Defined Network Access Control Requirements Part 1

Here are some of the compliance requirements for a Software-Defined enterprise NAC solution:

The NAC solution should provide visibility, which helps the IT administrator determine the types of devices on the network and how to provide them with the right level of permissions. Basic asset visibility profiles endpoints by matching their network attributes to known profiles. Advanced asset visibility performs deeper analysis of the different conversations that applications on these devices have with other endpoints and servers on the network through Deep Packet Inspection (DPI).

The NAC solution should offer several deployment options, including hardware and virtual appliances, with support for large, medium and small enterprises.

The NAC solution should support a distributed architecture in which multiple NAC engines are centrally managed and configured from the NOC. There are two deployment architectures, standalone and distributed. In the distributed architecture, multiple NAC engines are deployed across mission-critical locations to provide location survivability and reduce dependence on a centralized NOC.

The NAC solution should support central licensing, where licenses are applied to the Primary Administrative Node of the distributed architecture, so that multiple NAC engines can be deployed across mission-critical locations without additional licenses for the appliances at each location.

The solution should manage the end-user connection experience and control network access based on a variety of criteria, including authentication, username, MAC address, time of day and location; in other words, it should manage who connects, with what, where, when and how.

The solution should gain complete contextual knowledge of the network: exactly who is on it, their location and their device type. To that end, the NAC solution should manage who, what, where, when and how, together with posture, threat and vulnerability, so that network management teams can see exactly who is on the network, where they are and which device they are using.

The solution should provide Authentication, Authorization and Accounting (AAA) for network connections. These three are core functions of a NAC solution: each session begins with authentication, whether of a user or of a device. Authentication can be active or passive (the passive form does not involve an 802.1X session).

Active authentication uses 802.1X: the NAC solution authenticates the user against an Identity Source. In passive authentication (used in Easy Connect), the NAC solution learns about the user after the user has authenticated against the Identity Source, such as Microsoft's Active Directory (AD), and AD notifies the NAC. Authorization then enforces the appropriate access control policy on each connection. Finally, accounting keeps an audit record of the user's or device's footprint while connected to the network.
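The two preceding sections describe the session context a NAC collects (who, what, where, when, how, posture, threat) and the AAA sequence built on it. The following is an added illustration, not code from the original article or from any vendor's product: a minimal ordered authorization policy that evaluates a constructed session against that context and then emits the accounting record kept for the session. The rule names, attribute names, VLAN numbers, dACL names and sample sessions are all assumptions made for the example.

```python
# Added example (not the article's or any vendor's code): evaluate a session
# against an ordered authorization policy, then build its accounting record.
# All names, numbers and sessions below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Optional


@dataclass
class Session:
    """Context gathered during authentication of one user or device."""
    username: Optional[str]   # who: None for a device with no user
    groups: tuple             # who: group membership from the Identity Source
    mac: str                  # what: endpoint MAC address
    device_label: str         # what: label assigned by the profiler
    location: str             # where: site the session originated from
    connected_at: datetime    # when
    auth_method: str          # how: "802.1x" (active), "passive" (AD login seen), "mab"
    posture: str = "unknown"  # "compliant" / "noncompliant" / "unknown"
    threat_score: int = 0     # from a threat/vulnerability feed, 0 = none


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    result: str               # authorization profile applied to the session
    vlan: Optional[int] = None
    dacl: Optional[str] = None


def business_hours(s: Session) -> bool:
    return time(7, 0) <= s.connected_at.time() <= time(19, 0)


# Ordered policy: the first matching rule wins, so the threat and posture
# rules deliberately sit above every rule that grants access.
POLICY = [
    Rule("quarantine-threat", lambda s: s.threat_score >= 7,
         "Quarantine", vlan=999, dacl="permit-remediation-only"),
    Rule("noncompliant-posture", lambda s: s.posture == "noncompliant",
         "Remediation", vlan=998, dacl="permit-remediation-only"),
    Rule("employee-8021x",
         lambda s: s.auth_method == "802.1x" and "Employees" in s.groups
         and s.posture == "compliant",
         "Employee-Full", vlan=10, dacl="permit-all"),
    Rule("employee-passive-hq-hours",
         lambda s: s.auth_method == "passive" and "Employees" in s.groups
         and s.location == "HQ" and business_hours(s),
         "Employee-Limited", vlan=20, dacl="permit-intranet"),
    Rule("printer-mab",
         lambda s: s.auth_method == "mab" and s.device_label == "Printer",
         "Printer", vlan=30, dacl="permit-print-only"),
]
DEFAULT_RULE = Rule("default-deny", lambda s: True, "DenyAccess")


def authorize(session: Session) -> Rule:
    """Authorization: return the first policy rule that matches the session."""
    for rule in POLICY:
        if rule.condition(session):
            return rule
    return DEFAULT_RULE


def accounting_record(session: Session, rule: Rule) -> dict:
    """Accounting: the audit footprint retained for the session."""
    return {
        "timestamp": session.connected_at.isoformat(),
        "user": session.username or "-",
        "mac": session.mac,
        "location": session.location,
        "auth_method": session.auth_method,
        "matched_rule": rule.name,
        "authorization": rule.result,
        "vlan": rule.vlan,
        "dacl": rule.dacl,
    }


# Constructed sample sessions.
SAMPLES = {
    "employee_dot1x": Session("alice", ("Employees",), "aa:bb:cc:00:00:01",
                              "Windows-Workstation", "HQ",
                              datetime(2024, 3, 4, 9, 30), "802.1x", "compliant"),
    "employee_passive_hq": Session("bob", ("Employees",), "aa:bb:cc:00:00:02",
                                   "Windows-Workstation", "HQ",
                                   datetime(2024, 3, 4, 10, 0), "passive"),
    "employee_passive_branch_night": Session("bob", ("Employees",), "aa:bb:cc:00:00:02",
                                             "Windows-Workstation", "Branch",
                                             datetime(2024, 3, 4, 23, 0), "passive"),
    "printer": Session(None, (), "aa:bb:cc:00:00:03", "Printer", "HQ",
                       datetime(2024, 3, 4, 9, 0), "mab"),
    "flagged_employee": Session("carol", ("Employees",), "aa:bb:cc:00:00:04",
                                "Windows-Workstation", "HQ",
                                datetime(2024, 3, 4, 9, 0), "802.1x", "compliant", 9),
}

if __name__ == "__main__":
    for name, s in SAMPLES.items():
        print(name, accounting_record(s, authorize(s)))
```

The ordering matters: the same employee who would get full access over 802.1X is quarantined once a threat feed raises the score, and a passively learned identity is granted less than an 802.1X-authenticated one, and only from an expected location during business hours.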

The solution should support BYOD onboarding. NAC provides multiple elements that automate the entire onboarding process for BYOD, including a built-in Certificate Authority (CA) that creates and helps distribute certificates to different types of devices; the built-in CA provides complete certificate lifecycle management. It also provides a My Devices Portal, an end-user-facing portal that lets end users register their BYOD endpoints and mark a device as lost so that it is blacklisted from the network.

BYOD onboarding can be accomplished through either a single-SSID or a dual-SSID approach. In the single-SSID approach, the same SSID is used both to onboard and to connect the end user's device; in the dual-SSID approach, an open SSID is used to onboard the device, which then connects to a different, more secure SSID after onboarding. For use cases that require a more complete management policy, BYOD onboarding can also direct the end user to the MDM onboarding page.
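To make the certificate lifecycle and My Devices behaviour concrete, here is an added toy model; it is not code from the original article or from any vendor's product. A stand-in CA issues, revokes and validates certificates by serial number (no real X.509 or cryptography is involved), and a portal registers endpoints and blacklists a device its owner reports lost, which is then refused even though it still holds a certificate. MAC addresses, dates, the 365-day validity and the reason strings are all constructed assumptions.

```python
# Added example (not the article's or any vendor's code): built-in CA lifecycle
# and My Devices portal, modelled without real cryptography. All values are
# constructed for illustration.
import itertools
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Tuple


@dataclass
class Certificate:
    serial: int
    mac: str            # endpoint the certificate was issued to
    owner: str
    not_before: datetime
    not_after: datetime


class BuiltInCA:
    """Stand-in for the built-in CA: issue, revoke and validate by serial."""

    def __init__(self, validity_days: int = 365):
        self._serials = itertools.count(1)
        self.validity = timedelta(days=validity_days)
        self.issued = {}   # serial -> Certificate
        self.revoked = {}  # serial -> reason (plays the role of a CRL)

    def issue(self, mac: str, owner: str, now: datetime) -> Certificate:
        cert = Certificate(next(self._serials), mac, owner, now, now + self.validity)
        self.issued[cert.serial] = cert
        return cert

    def revoke(self, serial: int, reason: str) -> None:
        if serial in self.issued:
            self.revoked[serial] = reason

    def validate(self, serial: int, now: datetime) -> Tuple[bool, str]:
        cert = self.issued.get(serial)
        if cert is None:
            return False, "unknown-serial"
        if serial in self.revoked:
            return False, "revoked:" + self.revoked[serial]
        if not cert.not_before <= now < cert.not_after:
            return False, "expired"
        return True, "ok"


class MyDevicesPortal:
    """End-user portal: register BYOD endpoints and report them lost."""

    def __init__(self, ca: BuiltInCA):
        self.ca = ca
        self.devices = {}       # mac -> (owner, serial)
        self.blacklist = set()  # MACs reported lost

    def register(self, owner: str, mac: str, now: datetime) -> Certificate:
        if mac in self.devices:
            raise ValueError("device already registered")
        cert = self.ca.issue(mac, owner, now)
        self.devices[mac] = (owner, cert.serial)
        return cert

    def mark_lost(self, owner: str, mac: str) -> None:
        if self.devices.get(mac, (None, None))[0] != owner:
            raise PermissionError("not the registered owner")
        self.blacklist.add(mac)                               # block the MAC
        self.ca.revoke(self.devices[mac][1], "device-lost")   # and its certificate

    def access_check(self, mac: str, serial: int, now: datetime) -> Tuple[bool, str]:
        """Decision taken when the device presents its certificate."""
        if mac in self.blacklist:
            return False, "blacklisted"
        ok, reason = self.ca.validate(serial, now)
        if not ok:
            return False, reason
        if self.ca.issued[serial].mac != mac:
            return False, "certificate-mac-mismatch"
        return True, "ok"


def demo() -> dict:
    """Register, connect, then expire / wrong MAC / lost; returns each outcome."""
    portal = MyDevicesPortal(BuiltInCA(validity_days=365))
    t0 = datetime(2024, 1, 10, 8, 0)
    mac, day = "aa:bb:cc:00:00:01", timedelta(days=1)
    cert = portal.register("alice", mac, t0)
    results = {
        "fresh": portal.access_check(mac, cert.serial, t0 + day),
        "expired": portal.access_check(mac, cert.serial, t0 + 400 * day),
        "wrong_mac": portal.access_check("aa:bb:cc:00:00:99", cert.serial, t0 + day),
    }
    portal.mark_lost("alice", mac)
    results["after_lost"] = portal.access_check(mac, cert.serial, t0 + 2 * day)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The blacklist and the revocation are deliberately separate: the MAC block stops the lost device immediately on any SSID, while the revocation ensures the certificate cannot be reused from another endpoint once the MAC changes.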

The NAC solution should have built-in device profiling. It should support Endpoint Analytics designed to improve endpoint profiling and its fidelity, providing fine-grained endpoint identification and assigning labels to a variety of endpoints. This is done by analyzing endpoint attributes through Deep Packet Inspection (DPI) and other probes aggregated from sources such as SD-AVC and third-party components. It uses Artificial Intelligence (AI) and machine learning to group endpoints that share common attributes and to suggest the right endpoint profiling labels to IT admins. Multifactor classification classifies endpoints using label categories for flexible profiling. These endpoint labels can then be used to create custom profiles that form the basis for granting the right set of access privileges to endpoints or endpoint groups via an authorization policy.
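Both the visibility requirement at the top of the article and the profiling requirement above rest on matching observed endpoint attributes against known profiles. The following is an added illustration of that basic asset-visibility step, not code from the original article or any vendor's profiler: attributes such as MAC OUI, DHCP vendor class, hostname, HTTP user agent and open ports are matched against per-profile signatures, each match adds a weight to that profile's certainty score, and the label is assigned only once a score clears a threshold, so a single weak attribute (an OUI alone) is not enough. The profile names, weights, regular expressions, OUI prefixes and sample endpoints are constructed placeholders, not real vendor values.

```python
# Added example (not the article's or any vendor's code): a weighted
# attribute-matching endpoint profiler. OUI prefixes, weights and endpoints
# are constructed placeholders, not real vendor data.
import re

# (attribute, regex, weight). Weights are chosen so that one weak attribute
# never reaches THRESHOLD on its own: the profiler wants corroboration.
PROFILES = {
    "Printer": [
        ("oui", r"^aa:00:01", 20),
        ("dhcp_class", r"printer|laserjet", 30),
        ("hostname", r"^(prn|printer)-", 20),
        ("ports", r"\b9100\b", 30),
    ],
    "IP-Phone": [
        ("oui", r"^aa:00:02", 20),
        ("dhcp_class", r"ip ?phone", 40),
        ("cdp_platform", r"ip phone", 40),
    ],
    "Windows-Workstation": [
        ("dhcp_class", r"^msft 5\.0$", 30),
        ("user_agent", r"windows nt", 30),
        ("hostname", r"^ws-", 20),
    ],
    "Apple-Mobile": [
        ("oui", r"^aa:00:03", 20),
        ("user_agent", r"iphone|ipad", 40),
        ("hostname", r"iphone|ipad", 20),
    ],
}
THRESHOLD = 50
UNKNOWN = "Unknown"


def score(endpoint: dict) -> dict:
    """Certainty score per profile for one endpoint's observed attributes."""
    scores = {}
    for label, signatures in PROFILES.items():
        total = 0
        for attr, pattern, weight in signatures:
            value = endpoint.get(attr)
            if value is not None and re.search(pattern, str(value), re.IGNORECASE):
                total += weight
        scores[label] = total
    return scores


def profile(endpoint: dict) -> tuple:
    """Return (label, scores); the label stays UNKNOWN until a score clears THRESHOLD."""
    scores = score(endpoint)
    best = max(scores, key=scores.get)
    return (best if scores[best] >= THRESHOLD else UNKNOWN), scores


# Constructed sample endpoints keyed by MAC address.
ENDPOINTS = {
    "aa:00:01:11:22:33": {"oui": "aa:00:01", "dhcp_class": "acme-printer-fw1.2",
                          "ports": "80,443,9100"},
    "aa:00:01:44:55:66": {"oui": "aa:00:01"},   # OUI only: not enough evidence
    "aa:00:03:77:88:99": {"oui": "aa:00:03", "hostname": "Carols-iPhone",
                          "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"},
    "aa:00:09:de:ad:00": {"dhcp_class": "MSFT 5.0", "hostname": "ws-1234",
                          "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
}

if __name__ == "__main__":
    for mac, attrs in ENDPOINTS.items():
        label, scores = profile(attrs)
        print(mac, label, scores)
```

Each label returned here is the kind of value the authorization policy later keys on (a "Printer" label, for instance, is what a MAB rule would require before granting print-only access), which is why the threshold errs towards Unknown rather than guessing from a single attribute.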

Sources:

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/ise-licensing-guide-og.html

https://irp.cdn-website.com/1db26910/files/uploaded/81604009214.pdf

https://community.cisco.com/kxiwq67737/attachments/kxiwq67737/discussions-network-accesscontrol/562265/1/Cisco%20ISE%20Ordering%20Guide%20June%202020.pdf/