The Projects within the Project
The Network Access Control (NAC) project is a sub-project of the network segmentation project. Run jointly by ISPO and EI, segmentation and NAC will be used to enhance campus security and set the stage for additional security upgrades in the future.
Why is the University moving forward with NAC?
The ability to improve identification of network end devices and control access to network resources is critical to enhance the security posture of the University's network in the face of increasing threats. Network Access Control (NAC) identifies, classifies, and authorizes users and devices trying to connect to the UI network edge (wired or wireless).
Currently, it is common that a device on campus can "talk" to nearly any other device on campus. In this "flat network" design a single compromised device can reach, scan, and attack everything else, and it creates multiple security and regulatory issues, including PCI DSS requirements for payment systems and NIST SP 800-171 requirements attached to research grants.
Audits of our environments have frequently identified the need for network segmentation in addition to firewall isolation. Some devices cannot be patched or upgraded but still serve key use cases: research instruments and lab gear, building and infrastructure control systems, and hosts running older versions of Windows or Linux. Segmentation limits both what such devices can reach and what can reach them.
NAC allows us to "categorize" devices in an automated way and apply a consistent network and security policy to each category. Examples might include mobile devices, security cameras and door access controllers, PCI devices, and research gear with specific regulatory requirements. Without NAC, this would be a manual process for well over 50,000 devices across the wired campus network (always changing and growing).
Network Access Control terminology & examples
Network Access Control (NAC)
Identifies, classifies, and authorizes users and devices trying to connect to the UI network edge (wired or wireless).
NAC revolves around 3 major principles: Authentication, Authorization, and Policy enforcement
Virtual Local Area Network (VLAN)
A VLAN is a logical grouping of switch ports or devices that forms its own broadcast domain and behaves as a separate LAN, regardless of where the devices are physically connected. Because membership is based on logical rather than physical connections, VLANs are extremely flexible. Traffic between VLANs must be routed, which is where it can be filtered.
Virtual Routing and Forwarding (VRF)
VRF (Virtual Routing and Forwarding) is a technology that allows more than one independent routing table on a single router. Networks in different VRFs cannot reach each other unless traffic is explicitly passed between them, typically through a firewall. The concept of VRFs on routers is similar to VLANs on switches.
Authentication and Authorization
Authentication: Users typically verify their identity by entering a password. To enhance security, many organizations also require additional verification through a device (such as a phone or token) or biometric data (such as a fingerprint or facial recognition); this is commonly referred to as multifactor authentication (MFA) or two-factor authentication (2FA). Devices authenticate to the network as well, with a device certificate (802.1X) or, for devices that cannot do 802.1X, by their MAC address.
Authorization: The system verifies that the authenticated user or device has permission to access the resource it is attempting to reach.
Combined, authentication and authorization ensure end users and devices receive the proper level of network access.
Segmentation Policy Examples
Centrally managed domain-joined devices (primarily desktops)
Authenticated with device certificates issued through Active Directory (802.1X / EAP-TLS)
Can be reassigned to a different VLAN based on AD group membership for specific use cases
Centrally managed IoT devices
Authenticated based on the MAC address of the device (MAC authentication bypass)
Centrally managed printers
Authenticated based on the MAC address of the device (MAC authentication bypass)
A MAC address is easily spoofed, so MAC-based authentication only identifies a device class; devices admitted this way belong in a tightly scoped VLAN/VRF rather than one with broad access.
Key items to understand about implementing NAC
All devices will get fresh IP addresses
The majority of devices will be converted from static IPs to DHCP MAC reservations
The use of static IPs will be reduced
Wired deployment is configured per port on the network access switch: one device per port.
Extending the network with unmanaged switches will no longer be an option, because an unmanaged switch lets several devices share a single authenticated port. NES managed switches will be required for NAC security features to work properly.
Wireless will need to move to 802.1X authentication, either certificate-based (managed devices) or using HawkID credentials.
Network traffic will be isolated by VRFs.
Defined VLANs will be assigned into VRFs.
NAC assigns each device to a VLAN based on its authentication and classification; the VLAN-to-VRF mapping then determines the device's segment.
Firewall rules will be used to allow VRFs to interact; without an explicit rule, traffic between VRFs is not passed.
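The segmentation policy examples above and the VLAN/VRF/firewall items in this list, modelled as an added example. This is not the University's NAC or firewall configuration: the VLAN and VRF names, AD group names, MAC addresses and inter-VRF rules are constructed for illustration. It shows how certificate-authenticated devices are placed by AD group, how MAC-authenticated devices only ever land in a narrow VLAN, how an unknown device is quarantined, and how reachability between two devices is decided by the VRF mapping plus the firewall rules rather than by being on the same campus network.

```python
import re
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed policy tables (assumptions, not the real deployment).
VLAN_TO_VRF: Dict[str, str] = {
    "vlan-desktops":   "vrf-enterprise",
    "vlan-pci":        "vrf-pci",
    "vlan-cameras":    "vrf-iot",
    "vlan-printers":   "vrf-iot",
    "vlan-research":   "vrf-research",
    "vlan-quarantine": "vrf-quarantine",
}

# Certificate-authenticated devices can be reassigned by AD group membership.
AD_GROUP_VLAN: Dict[str, str] = {
    "PCI-Workstations":   "vlan-pci",
    "Research-Regulated": "vlan-research",
}

# MAC allowlist for centrally managed IoT devices and printers (MAB).
KNOWN_MAC: Dict[str, str] = {
    "00:11:22:33:44:55": "vlan-cameras",
    "00:11:22:33:44:66": "vlan-printers",
}

# Firewall rules that permit traffic between VRFs: (src_vrf, dst_vrf, dst_port).
# Nothing is listed for vrf-quarantine, so quarantined devices reach no other VRF.
FIREWALL_RULES: Set[Tuple[str, str, int]] = {
    ("vrf-enterprise", "vrf-iot", 9100),   # desktops send print jobs
    ("vrf-enterprise", "vrf-research", 22),  # admins reach research hosts
}


@dataclass
class AccessRequest:
    """What the access switch reports for one port/session (hypothetical shape)."""
    mac: str
    cert_valid: bool = False          # 802.1X / EAP-TLS succeeded with a trusted device cert
    ad_groups: Tuple[str, ...] = ()   # groups of the certificate's device account


def normalize_mac(mac: str) -> str:
    """Accept 'aa:bb:..', 'AA-BB-..' or 'aabb.ccdd.eeff'; return lowercase colon form.
    Raises ValueError for anything that is not 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def assign_vlan(req: AccessRequest) -> str:
    """Return the VLAN NAC would place this device in."""
    # Domain-joined, certificate-authenticated device: default desktop VLAN,
    # unless an AD group moves it into a special-purpose segment.
    if req.cert_valid:
        for group in req.ad_groups:
            if group in AD_GROUP_VLAN:
                return AD_GROUP_VLAN[group]
        return "vlan-desktops"

    # MAC authentication bypass. A MAC is trivially spoofable, so this path can
    # only ever yield the narrow IoT/printer VLANs, never an enterprise one.
    try:
        mac = normalize_mac(req.mac)
    except ValueError:
        return "vlan-quarantine"
    if mac in KNOWN_MAC:
        return KNOWN_MAC[mac]

    # Unknown device: isolated VLAN whose VRF has no firewall rules.
    return "vlan-quarantine"


def traffic_allowed(src_vlan: str, dst_vlan: str, dst_port: int) -> bool:
    """Decide whether a flow from src_vlan to dst_vlan on dst_port is permitted.
    Inside one VRF the router forwards directly; across VRFs only an explicit
    firewall rule lets the traffic through. (In the old flat network this
    function would simply return True for every pair.)"""
    src_vrf = VLAN_TO_VRF[src_vlan]
    dst_vrf = VLAN_TO_VRF[dst_vlan]
    if src_vrf == dst_vrf:
        return True
    return (src_vrf, dst_vrf, dst_port) in FIREWALL_RULES


if __name__ == "__main__":
    desktop = assign_vlan(AccessRequest("aa:bb:cc:dd:ee:01", cert_valid=True))
    printer = assign_vlan(AccessRequest("00-11-22-33-44-66"))
    rogue = assign_vlan(AccessRequest("de:ad:be:ef:00:01"))
    print(desktop, printer, rogue)
    print("desktop->printer:9100", traffic_allowed(desktop, printer, 9100))
    print("rogue->desktop:445", traffic_allowed(rogue, desktop, 445))
```

A device that merely clones a printer's MAC address ends up in vlan-printers and therefore in vrf-iot, where the only thing the firewall lets it reach in the enterprise segment is nothing at all (the one rule runs the other way, desktops to printers on 9100). That asymmetry is the practical reason the page pairs MAC authentication with its own VLAN rather than the desktop network.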