A security domain is used to group network areas, host types, and locations under a common host security policy. The goal of creating security domains for a NAC Appliance solution is to define which networks and locations will require hosts to use the NAC Appliance solution and which locations will not. It is also necessary to define the devices that will require exemption from the NAC Appliance solution within a given security domain. Figure 6-2 shows an example of security domains.
Figure 6-2 Sample Security Domains (figure panel shown: Internet Security Domain)
Most organizations will need to define the security domains depicted in Figure 6-2. Almost all organizations have an Internet connection, use VPN, have a WAN and campus LAN, and use wireless. Each of these network access types or locations usually requires its own unique host security policy and thus should be its own security domain. Separating these areas into unique security domains allows you to create a unique host security policy for each. The more compartmentalized your HSP is, the more granular and targeted it can be, which results in a more locked-down host security policy for your organization. To make the point: if you had an HSP that did not use security domains and treated all hosts the same no matter what, you would be forced into a global policy based on the hosts that required the weakest security policies.

That said, sometimes it makes more sense to keep your security policy as simple and global as possible, whether for political or business reasons. As long as it meets your security objectives and is effective, go with it. Again, there is a trade-off: a comprehensive multidomain policy versus a simple global policy. A multidomain policy should be inherently more secure, but a simple global policy could be easier to manage and maintain.
Here are some commonly used security domains:
• Remote Access: This domain includes any host that is accessing the network remotely via VPN or dial-up modems.
• OOB Management: This domain includes any host that resides on the out-of-band network management network. This is typically a highly secured domain.
• Internet: This domain includes any host that accesses the Internet. A sample policy here could be the following: Before a host is allowed to access the Internet, its operating system and antivirus software must be up to date.
• Guest: This domain includes any host that is a guest on the network. Many times this domain is segmented into access types as well, such as guest wireless, guest VPN, and guest LAN domains. This allows for the creation of granular host security policies for guests.
• Campus LAN: This domain includes any host that connects to the network via a wired switch port. It is common to separate security domains by virtual LAN (VLAN) or location at the LAN level. This allows the HSP to have policies for specific VLANs and locations instead of one generic policy for all wired hosts.
• Wireless: This domain includes any host that uses wireless to access the network. It is common for the wireless domain to be separated by VLAN or location, such as a guest wireless security domain or a Denver campus wireless security domain.
This is by no means a comprehensive list, but it should serve to give you a good start in the creation of your own security domains.
Here is a list of devices that are commonly exempted from the NAC Appliance solution in all security domains. If a device resides on an untrusted domain and is not capable of authenticating itself and running through the remediation process, it must be exempted. A device exemption is made up of either a device's MAC address or its MAC and IP address pair. It is possible to use wildcards and ranges for MAC addresses. An exemption can also be defined using IP subnet and mask values.
• IP phones: Phones do not have the capability to participate in the NAC process today. A best practice is to segment voice onto its own VLAN and make sure that VLAN never passes through NAC Appliance. With Out-of-Band mode, make sure that the MAC addresses of all phones are put into the exemption list.
• Printers: Printers do not have the capability to participate in the NAC process today. However, they can still be subjected to the network access controls. This can be effective in limiting the ports and protocols that can reach your printers.
• Network-attached fax machines: Same as printers.
• Servers: Given that nobody sits at the console of servers, and servers are usually in a secure area, NAC Appliance should be bypassed for servers. However, network access controls can be used if necessary to control what traffic can flow to and from servers. Bandwidth rate-limiting can also be used if applicable.
• Wireless access points: If wireless access points are permitted, they should bypass NAC Appliance. The clients that connect to them, however, will not be exempt.
• Routers and routing protocols: When deploying NAC Appliance in Virtual Gateway L3 In-Band mode, it is possible to have routers present on the untrusted side. In this case, they should be exempt and their routing protocols should be allowed to pass.
• Switches: Same as for routers.
• Game consoles: Given that game consoles do not have the capability to participate in the NAC process today, they should be exempt. However, it is a best practice to deploy bandwidth rate-limiting and tight network access control rules on this device type.
This is by no means a comprehensive list, but it should serve to give you a good start in the creation of your own exempt device list. It should be noted that several non-Cisco products are available that can auto-discover exempt devices for NAC Appliance; Great Bay Software has such a product.
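The following is an added example (not Cisco code or anything from the NAC Appliance product) that models the two ideas above in one place: a security domain with its own posture requirements, and an exemption list made up of MAC patterns, MAC+IP pairs, and IP subnet/mask entries. The wildcard syntax, the `os_patched`/`av_current` posture facts, and all MAC and IP values are assumptions constructed for the demonstration.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of NAC Appliance security domains and device exemptions
# (added example, not Cisco code): an exemption is a MAC pattern, a MAC+IP pair,
# or an IP subnet/mask; a non-exempt host must satisfy the domain's posture checks.
def mac_matches(pattern: str, mac: str) -> bool:
    """Case-insensitive MAC match; '*' is an assumed wildcard for any hex/colon run."""
    norm = lambda s: s.lower().replace('-', ':')
    regex = re.escape(norm(pattern)).replace(r'\*', '[0-9a-f:]*')
    return re.fullmatch(regex, norm(mac)) is not None

@dataclass
class Exemption:
    mac: Optional[str] = None     # exact MAC or wildcard pattern
    ip: Optional[str] = None      # when set together with mac, forms a MAC+IP pair
    subnet: Optional[str] = None  # IP subnet and mask, e.g. "10.10.50.0/24"

    def matches(self, mac: str, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if self.subnet:
            return addr in ipaddress.ip_network(self.subnet, strict=False)
        if not self.mac or not mac_matches(self.mac, mac):
            return False
        return self.ip is None or addr == ipaddress.ip_address(self.ip)

@dataclass
class SecurityDomain:
    name: str
    required: set = field(default_factory=set)        # posture facts a host must meet
    exemptions: list = field(default_factory=list)

def evaluate(domain: SecurityDomain, host: dict) -> tuple:
    """Return (decision, reason) for a host dict with 'mac', 'ip' and 'posture' keys."""
    for ex in domain.exemptions:          # exempt devices bypass posture checks entirely
        if ex.matches(host['mac'], host['ip']):
            return 'exempt', f'matched {ex}'
    missing = domain.required - set(host.get('posture', ()))
    if missing:                           # the host must remediate before access is granted
        return 'remediate', 'missing: ' + ', '.join(sorted(missing))
    return 'allow', 'posture checks passed'

# Constructed sample: the Internet domain from the text, with its OS/AV requirement.
INTERNET = SecurityDomain('Internet', required={'os_patched', 'av_current'}, exemptions=[
    Exemption(mac='00:1b:*'),                              # IP phones by OUI wildcard (constructed)
    Exemption(mac='00:50:56:aa:bb:cc', ip='10.10.20.15'),  # a printer as a MAC+IP pair
    Exemption(subnet='10.10.50.0/24'),                     # server subnet
])
```

Note that a device whose MAC matches a MAC+IP exemption but which appears from a different IP address is not exempt and falls through to the posture checks, which is the behaviour you want when a spoofed or moved device shows up in the wrong place.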