Chapter 5: Network Access Control and Cloud Security Flashcards

1
Q

What does network access control mean (NAC)?

A

An umbrella term for managing access to a network: deciding which users and devices may connect, checking their state, and limiting what they can reach once connected.

2
Q

What three categories of components do NAC systems deal with?

A
  1. Access requestor (AR): the node attempting to access the network; any device managed by the NAC system. Also called a supplicant or client.
  2. Policy server: determines what access should be granted, based on the AR's posture and on defined enterprise policy. Often relies on backend systems (antivirus, patch management, user directory, etc.) to help determine the host's condition.
  3. Network access server (NAS): the access control point for users in remote locations connecting to an enterprise's internal network.
3
Q

What are 4 common NAC enforcement methods and what is an enforcement method?

A

Enforcement method: the actions applied to the AR to regulate its access to the enterprise network.

  1. IEEE 802.1X
  2. VLANs
  3. Firewall: a form of NAC, since it allows or denies traffic between enterprise hosts and external users
  4. DHCP management
4
Q

What is the extensible authentication protocol?

A

A framework for network access and authentication protocols rather than a single authentication method. It defines a set of protocol messages that can encapsulate various authentication methods (for example EAP-TLS, PEAP or EAP-MD5) for use between a client and an authentication server.

It provides a generic transport service for exchanging authentication information between a client system and an authentication server, so the same carrier (802.1X, PPP, RADIUS) works for any EAP method.

5
Q

Briefly describe how the network access server (NAS) works.

A

ARs seek access by applying to some type of NAS.

  1. Authenticate the AR. This usually involves a secure protocol and cryptographic keys. Authentication helps determine the access privileges to be granted.
  2. The policy server performs checks on the AR. The checks verify the host's compliance with requirements from the organisation's secure configuration baseline (patch level, antivirus state, etc.).
  3. Once the AR is cleared, it can access the enterprise network at its authorised level; a non-compliant AR is typically placed in a restricted or remediation network instead.
6
Q

What is the IEEE 802.1X enforcement method

A

A link-layer protocol that enforces authorisation on a switch or access-point port before the port forwards any other traffic, so the AR cannot even obtain an IP address (via DHCP) until it has authenticated. Uses EAP for authentication.

7
Q

Describe the VLAN enforcement method

A

The network (a set of interconnected LANs) is segmented logically into a number of VLANs. NAC decides which VLAN an AR is placed in, depending on whether the AR needs security remediation, internet access only, or some level of access to enterprise resources.
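Cards 2, 5 and 7 describe the policy server checking the AR against a secure configuration baseline and the enforcement point then placing the AR in a VLAN. The following Python models that decision end to end. It is an added example, not from the flashcard set or any NAC product; the baseline contents, patch identifiers, VLAN numbers and the AccessRequestor fields are assumptions chosen for illustration.

```python
"""Policy-server posture check driving a VLAN-based NAC decision.

Added example, not from the flashcard set or any NAC product. The baseline
contents, patch identifiers and VLAN numbers are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed secure configuration baseline that the policy server enforces.
BASELINE = {
    "required_patches": {"KB500001", "KB500002", "KB500003"},  # assumed IDs
    "max_signature_age_days": 7,
    "host_firewall_required": True,
}

# Assumed VLAN plan: remediation (patch/AV servers only), guest (internet
# only), production (enterprise resources).
VLAN_REMEDIATION, VLAN_GUEST, VLAN_PRODUCTION = 900, 800, 100


@dataclass
class AccessRequestor:
    """What the NAC system knows about the AR after the NAS authenticated it."""
    hostname: str
    managed: bool                  # enrolled with the NAC system?
    authenticated: bool            # outcome of the NAS authentication step
    installed_patches: set = field(default_factory=set)
    av_signature_date: date = date.min
    host_firewall_on: bool = False


def posture_failures(ar: AccessRequestor, today: date) -> list:
    """Baseline requirements the AR fails; an empty list means compliant."""
    failures = []
    missing = BASELINE["required_patches"] - ar.installed_patches
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))
    age_days = (today - ar.av_signature_date).days
    if age_days > BASELINE["max_signature_age_days"]:
        failures.append(f"antivirus signatures {age_days} days old")
    if BASELINE["host_firewall_required"] and not ar.host_firewall_on:
        failures.append("host firewall disabled")
    return failures


def decide_vlan(ar: AccessRequestor, today: date):
    """Policy-server decision handed to the enforcement point.

    Returns (vlan, reasons); vlan is None when the port must stay closed.
    """
    if not ar.authenticated:
        return None, ["authentication failed"]
    if not ar.managed:
        return VLAN_GUEST, ["unmanaged device: internet access only"]
    failures = posture_failures(ar, today)
    if failures:
        return VLAN_REMEDIATION, failures
    return VLAN_PRODUCTION, []


# Constructed sample ARs.
TODAY = date(2024, 3, 1)
COMPLIANT = AccessRequestor("ws-01", True, True,
                            {"KB500001", "KB500002", "KB500003"},
                            date(2024, 2, 28), True)
STALE = AccessRequestor("ws-02", True, True,
                        {"KB500001"}, date(2024, 1, 10), False)
GUEST = AccessRequestor("byod-phone", False, True)
BAD_CREDS = AccessRequestor("ws-03", True, False)

if __name__ == "__main__":
    for ar in (COMPLIANT, STALE, GUEST, BAD_CREDS):
        vlan, reasons = decide_vlan(ar, TODAY)
        print(f"{ar.hostname}: VLAN {vlan} {reasons}")
```

The point of the structure: authentication failure closes the port outright, while a compliant-but-unmanaged device and a managed-but-non-compliant device both get a network, just a restricted one. The reasons list is what the remediation portal or the SOC would show the user.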

8
Q

Describe the DHCP management enforcement method

A

Dynamic Host Configuration Protocol: an internet protocol that enables dynamic allocation of IP addresses to hosts. A NAC-controlled DHCP server intercepts DHCP requests and assigns addresses according to policy (for example from a quarantine subnet). NAC enforcement thus occurs at the IP layer, based on subnet and IP assignment.

Limitations:
Easy to install and configure, but subject to IP spoofing (a host can simply configure a static address on the production subnet), so it provides limited security.

9
Q

What 3 components exist in a typical EAP arrangement?

A
  1. EAP peer: client computer attempting to access a network
  2. EAP authenticator: access point or NAS that requires EAP authentication prior to granting access.
  3. Authentication server: a server that negotiates the use of a specific EAP method with an EAP peer, validates the peer's credentials and authorises access to the network.
10
Q

How does the EAP authentication exchange work?

A

The authenticator sends an EAP Request to the peer asking for its identity, and the peer sends an EAP Response carrying identity information. The authentication server then sends further Requests (relayed by the authenticator) for the chosen EAP method, and the peer answers each with a Response.

This request-response exchange continues until the authentication server determines that it cannot authenticate the peer (EAP Failure) or that it can (EAP Success).

11
Q

Describe the IEEE 802.1X Port-Based Network Access Control

A

It was designed to provide access control functions for LANs.

Until the authentication server (AS) authenticates a peer (supplicant), only control and authentication messages are exchanged between the peer and the AS, on the control channel.

Once the peer is authenticated and the required keys have been provided, data can be forwarded from the peer to the network on the data channel.

12
Q

What is the difference between the 802.1X channel and the 802.11 channel (the uncontrolled and controlled ports)?

A

The 802.1X channel is the control channel. It is unblocked from the start but is used only for control and authentication messages (EAPOL); in 802.1X terms it is the uncontrolled port.

The 802.11 channel is the data channel. It is blocked until the peer has been authenticated; in 802.1X terms it is the controlled port.
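Cards 9 to 12 describe the three EAP roles, the Request/Response loop ending in Success or Failure, and the authenticator keeping the data port blocked until then. The following Python simulates that exchange with all three parties in one process. It is an added example, not from the flashcard set or any 802.1X implementation; the method used is EAP-MD5 (RFC 3748 section 5.4, a CHAP-style MD5(Identifier || secret || challenge)) because it is short, and the identities and secrets are constructed. Packet framing, retransmission and the RADIUS leg between authenticator and server are left out.

```python
"""Simulated EAP exchange: peer, authenticator and authentication server.

Added example, not from the flashcard set or any 802.1X implementation.
EAP-MD5 (RFC 3748 s5.4) is used as the method; names and secrets are
constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4


@dataclass
class EapPacket:
    code: int
    identifier: int
    type: int = 0        # only Request/Response packets carry a Type
    data: bytes = b""


def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class EapPeer:
    """Supplicant: answers whatever Request the authenticator relays to it."""

    def __init__(self, identity: str, secret: bytes):
        self.identity, self.secret = identity, secret

    def respond(self, req: EapPacket) -> EapPacket:
        if req.type == TYPE_IDENTITY:
            return EapPacket(EAP_RESPONSE, req.identifier, TYPE_IDENTITY,
                             self.identity.encode())
        if req.type == TYPE_MD5_CHALLENGE:
            size = req.data[0]                      # Value-Size || Value || Name
            challenge = req.data[1:1 + size]
            value = md5_challenge_response(req.identifier, self.secret, challenge)
            return EapPacket(EAP_RESPONSE, req.identifier, TYPE_MD5_CHALLENGE,
                             bytes([len(value)]) + value)
        raise ValueError("peer does not support this EAP method")


class AuthenticationServer:
    """Negotiates the method, validates credentials, decides Success/Failure."""

    def __init__(self, secrets: dict):
        self.secrets = secrets          # identity -> shared secret
        self.pending = {}               # request identifier -> (identity, challenge)

    def handle(self, resp: EapPacket) -> EapPacket:
        next_id = (resp.identifier + 1) & 0xFF
        if resp.type == TYPE_IDENTITY:
            challenge = os.urandom(16)
            self.pending[next_id] = (resp.data.decode(), challenge)
            return EapPacket(EAP_REQUEST, next_id, TYPE_MD5_CHALLENGE,
                             bytes([len(challenge)]) + challenge)
        if resp.type == TYPE_MD5_CHALLENGE:
            identity, challenge = self.pending.pop(resp.identifier, (None, None))
            secret = self.secrets.get(identity)
            if secret is not None:
                expected = md5_challenge_response(resp.identifier, secret, challenge)
                size = resp.data[0]
                if hmac.compare_digest(resp.data[1:1 + size], expected):
                    return EapPacket(EAP_SUCCESS, next_id)
        return EapPacket(EAP_FAILURE, next_id)


class Authenticator:
    """Switch port or access point. Relays EAP on the uncontrolled port and
    keeps the controlled (data) port blocked until the server says Success."""

    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.controlled_port_open = False

    def authenticate(self, peer: EapPeer) -> bool:
        pkt = EapPacket(EAP_REQUEST, 1, TYPE_IDENTITY)   # exchange starts here
        while pkt.code == EAP_REQUEST:                   # Request/Response loop
            pkt = self.server.handle(peer.respond(pkt))
        self.controlled_port_open = pkt.code == EAP_SUCCESS
        return self.controlled_port_open

    def forward_data(self, frame: bytes) -> bool:
        """True if the frame may enter the network, False if the port drops it."""
        return self.controlled_port_open


if __name__ == "__main__":
    server = AuthenticationServer({"alice": b"correct horse"})  # constructed
    port = Authenticator(server)
    print("data before auth forwarded:", port.forward_data(b"\x45..."))
    print("alice authenticated:", port.authenticate(EapPeer("alice", b"correct horse")))
    print("data after auth forwarded:", port.forward_data(b"\x45..."))
```

Note the caveat for card 11: EAP-MD5 authenticates the peer only, offers no mutual authentication and derives no keying material, so it cannot "provide keys" to protect the data channel; deployments use EAP-TLS or PEAP for that.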

13
Q

What is EAPOL?

A

EAP over LAN. It is a link-layer encapsulation defined by IEEE 802.1X: EAPOL frames are carried directly in IEEE 802 LAN frames (Ethernet or Wi-Fi, EtherType 0x888E), so no IP address is needed and a port can authenticate before any network-layer traffic is allowed.

It enables a peer to communicate with an authenticator and supports the exchange of EAP packets for authentication, plus its own control messages such as EAPOL-Start and EAPOL-Logoff.
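Since card 13 is about a frame format, the following Python builds and parses EAPOL frames as an authenticator's uncontrolled port would see them, including the drop of a non-EAPOL frame. It is an added example, not from the flashcard set or any supplicant/authenticator code. Field layouts follow IEEE 802.1X (EtherType 0x888E, PAE group address 01:80:C2:00:00:03, Version/Type/Body-Length header) and RFC 3748 (EAP header); the source MAC and the identity in the sample frames are constructed.

```python
"""Build and parse EAPOL frames carried on an IEEE 802 LAN.

Added example, not from the flashcard set or any 802.1X code. Layouts
follow IEEE 802.1X and RFC 3748; the sample MAC and identity are constructed.
"""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # 802.1X destination
EAPOL_VERSION = 2                                   # IEEE 802.1X-2004
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}


def build_eap_packet(code: int, identifier: int, eap_type=None, data: bytes = b"") -> bytes:
    """EAP header: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_eapol_frame(src_mac: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Ethernet header + EAPOL header: Version(1) Type(1) Body-Length(2)."""
    return (PAE_GROUP_ADDRESS + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(body)) + body)


def parse_eap_packet(pkt: bytes) -> dict:
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet")
    eap = {"code": EAP_CODES.get(code, code), "identifier": identifier, "length": length}
    if code in (1, 2):                          # Request/Response carry a Type
        if length < 5:
            raise ValueError("Request/Response without Type byte")
        eap["type"] = EAP_TYPES.get(pkt[4], pkt[4])
        eap["data"] = pkt[5:length]
    return eap


def parse_eapol_frame(frame: bytes) -> dict:
    """Decode one frame as an authenticator's uncontrolled port would see it."""
    if len(frame) < 18:
        raise ValueError("truncated Ethernet/EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        # Anything else (IP, ARP, ...) is dropped while the port is unauthorised.
        raise ValueError(f"EtherType 0x{ethertype:04x} is not EAPOL")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]                # trailing Ethernet padding ignored
    if len(body) < length:
        raise ValueError("EAPOL body shorter than Body Length")
    decoded = {
        "dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
        "version": version, "type": EAPOL_TYPES.get(eapol_type, eapol_type),
    }
    if eapol_type == 0:                         # only EAP-Packet has an EAP body
        decoded["eap"] = parse_eap_packet(body)
    return decoded


# Constructed sample frames from a supplicant at 00:11:22:33:44:55.
SUPPLICANT_MAC = bytes.fromhex("001122334455")
START_FRAME = build_eapol_frame(SUPPLICANT_MAC, 1) + b"\x00" * 46   # padded to 64 bytes
IDENTITY_FRAME = build_eapol_frame(SUPPLICANT_MAC, 0, build_eap_packet(2, 1, 1, b"alice"))
IPV4_FRAME = (PAE_GROUP_ADDRESS + SUPPLICANT_MAC + struct.pack("!H", 0x0800)
              + b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    for frame in (START_FRAME, IDENTITY_FRAME, IPV4_FRAME):
        try:
            print(parse_eapol_frame(frame))
        except ValueError as err:
            print("dropped:", err)
```

Two practitioner details are visible in the parser: EAPOL-Start has a zero Body Length, so the padding that brings the frame up to the 64-byte Ethernet minimum must be ignored rather than parsed, and the EAP Length field is checked against the actual bytes before any Type-Data is read, since a supplicant-controlled length is the usual place for a malformed-frame bug in authenticator code.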
