Creating a Host Security Policy for NAC

By Jamey Heary

This article is a synopsis of the Building a Cisco NAC Appliance Host Security Policy chapter in the Cisco Press book Cisco NAC Appliance: Enforcing Host Security with Clean Access by Jamey Heary. Some of the lists, tables, and figures have been quoted from the book.


Let's face it: creating a host security policy (HSP) is no fun and is hard work. Nevertheless, the success of any network admission control (NAC) deployment relies heavily on the quality, and existence, of a solid host security policy. This HSP should be specific to NAC, so if you already have a generic one, rework it for NAC. Either way, your host security policy will serve as a guide for how you configure your NAC policies, where you place NAC in the network, and how you approach NAC's ongoing maintenance. To be most effective, a NAC HSP should be created before NAC is deployed.

Tips on Creating a Host Security Policy for NAC

To give you a start on the creation of your company's unique host security policy, here are some things that should be completed:

  • Obtain buy-in from senior management and all stakeholders affected by a NAC deployment. This step is critical to the success of the completed host policy and ultimately to the NAC deployment in general. Find an executive-level project sponsor who will support you through the creation of, and subsequent enforcement of, the host security policy. Document the 10,000-foot goal(s) that your HSP should focus on or accomplish. Be sure to include a representative from all relevant departments to help with goals creation. An example of a high-level goal could be, "All company-owned PCs must be running an up-to-date version of the corporate anti-virus software." Another could be, "User authentication must be enabled on all active switch ports in the university dorm buildings."
  • This brings me to another point: it works best if you break your company up into separate NAC security domains. A NAC security domain can best be described as a group of network areas, host types, and/or locations that fall under a common host security policy. An example domain might be "guest access" or "VPN users."
  • Establish an acceptable use policy (AUP) for hosts in your network. Decide which security domains will be required to accept the AUP upon network login.
  • If your NAC solution is user-role or group based, like Cisco NAC Appliance, then you need to determine what role types are needed. An example role might be "guests" or "employees."
  • Determine what access rights each individual user role or group has on the network. Additionally, consider whether these rights need to change based on the client's location.
  • Define what host security posture checks and subsequent remediation options should be applied to each user role or group.
  • Finally, make sure you document and have agreement on how the HSP document itself will be kept current. A stale, never-looked-at-again HSP is of little value. It is critical that you ensure your HSP is as living a document as is practical. For some, this might mean an annual review. For others, it might mean updating it each time a new security check is added to a NAC policy.

Now let's drill down into the details of some of the more critical bullet points above.

Creating and Using Security Domains

Many security solutions can benefit from the use of security domains, and NAC Appliance is no different. A security domain is used to group network areas, host types, and locations under a common HSP.

Figure 1 provides an example of different security domains. Each one of these security domains typically requires its own NAC host security policy.

Figure 1 Example of Security Domains

Once your network is broken up into multiple security domains, you can then use these domains to do the following:

  • Define which networks and locations will require hosts to use the NAC Appliance solution and which locations will not need NAC.
  • Define unique NAC HSPs for each security domain or groups of domains.
  • Define sub-security domains for device types that fall into a larger security domain, but should be exempt from NAC themselves. For example, a sub-domain called non-user devices might be made up of printers, faxes, and card swipes that will be exempt from NAC inspection. For additional security, these sub-domains could be mapped to their own user role and/or VLAN where they can be protected appropriately.

Creating and Using User Roles

The effective use of user roles is critical to the successful deployment of NAC Appliance. NAC Appliance is very much role based. A user role defines the HSP checks that will be required for its members. User roles are analogous to groups in Active Directory (AD). Like AD groups, users and devices are assigned membership to a specific user role. Unlike groups, however, users can only be a member of one user role. Your HSP should include your NAC user roles and the security policies associated with each.

There are several criteria that can be used to determine which user role a client should be placed in. They are listed here in order of importance:

  1. MAC address of the host or device. This can be an exact match or a partial (wildcard) match on the physical MAC address of the host.
  2. Subnet/IP address of the host or device.
  3. User login credentials or attributes. The username or an attribute associated with that user is used for user role assignment. An example attribute could be a RADIUS group name or an AD MemberOf value.
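As an added illustration (not code from the book or from NAC Appliance), here is how the three criteria above combine when they are evaluated in the stated order of importance, with the first match winning. The policy tables, MAC addresses, subnet, and directory attribute values are constructed for the example; a real deployment would take them from the NAC Manager configuration.

```python
"""Added example (not NAC Appliance code): assign a client to a user role using the
three criteria in the order of importance the article gives: MAC address (exact or
wildcard), then subnet/IP address, then login credentials or attributes."""
import fnmatch
import ipaddress

# Constructed policy tables; the addresses, OUI and directory values are invented.
MAC_RULES = [
    ("00:1A:2B:3C:4D:5E", "non-user devices"),   # exact match: one known printer
    ("00:1A:2B:*", "non-user devices"),          # wildcard: the printer vendor's OUI
]
SUBNET_RULES = [
    (ipaddress.ip_network("10.20.0.0/16"), "guest"),   # guest wireless address range
]
ATTRIBUTE_RULES = [                                    # (attribute, value, role)
    ("memberOf", "CN=Engineering,OU=Groups,DC=example,DC=com", "engineering"),
    ("radius_group", "contractors", "contractor"),
]
DEFAULT_ROLE = "employee"   # role for authenticated users that match nothing above

def normalize_mac(mac):
    return mac.upper().replace("-", ":")

def match_mac(mac):
    """Exact or wildcard match against MAC_RULES; first hit wins."""
    mac = normalize_mac(mac)
    for pattern, role in MAC_RULES:
        if fnmatch.fnmatchcase(mac, normalize_mac(pattern)):
            return role
    return None

def match_subnet(ip):
    addr = ipaddress.ip_address(ip)
    for network, role in SUBNET_RULES:
        if addr in network:
            return role
    return None

def match_attributes(attrs):
    """attrs maps an attribute name to a value or list of values from the login."""
    for key, wanted, role in ATTRIBUTE_RULES:
        values = attrs.get(key, [])
        if isinstance(values, str):
            values = [values]
        if wanted in values:
            return role
    return None

def assign_role(mac, ip, attrs):
    """Evaluate the criteria in order of importance and return the first match."""
    for matcher, argument in ((match_mac, mac), (match_subnet, ip), (match_attributes, attrs)):
        role = matcher(argument)
        if role is not None:
            return role
    return DEFAULT_ROLE

if __name__ == "__main__":
    print(assign_role("00:1A:2B:99:88:77", "10.20.5.9", {}))                # non-user devices
    print(assign_role("AA:BB:CC:DD:EE:FF", "10.20.5.9", {"memberOf": []}))  # guest
```

Because the MAC match outranks everything else, a wildcard MAC entry overrides the login attributes of whoever is on a matching device, so keep the MAC-based list to known devices and, as the article suggests for non-user devices, give that role its own VLAN and traffic policy rather than broad access.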

The following NAC functions are configured on a per-user-role basis. All client members will be subjected to the user role's security requirements. Below are the highlights (not a complete list):

  • Dynamic VLAN assignment, if using out-of-band mode
  • User authentication method
  • Bandwidth restrictions
  • Traffic policies or access-lists
  • Host posture assessment checks, rules, and requirements, such as AV software being up-to-date
  • Network scanner policy

NAC Appliance comes with three built-in, or default, user roles and one user role type. The three default user roles are:

  • Unauthenticated: The Unauthenticated user role is the only user role that must be used and cannot be deleted. As soon as a new client is detected by NAC Appliance, it is put into this role. A client remains here until successfully passing authentication or exemption.
  • Temporary: If a client that uses the Clean Access Agent successfully authenticates but fails any security requirements, it is moved into this role. It remains here until it passes all security requirements. This is the quarantine role for Clean Access Agent enabled hosts.
  • Quarantine: If a client that uses Web Login successfully authenticates but fails any security requirements, it is moved into this role. It remains here until it passes all security requirements.

Normal Login Role

The built-in, or default, user role type in NAC Appliance is called the Normal Login Role. The user role that a client is moved to when it has passed authentication, scanning, and posture assessment is always of type Normal Login Role. The final or desired user role a client should ultimately be in is always of type Normal Login Role. A user role of type Normal Login Role should have its own NAC host security policy section to define the rights and privileges a client will have after it passes authentication and posture assessment. The number of user roles of this type will vary based on your environment, but here are some common examples to include in your HSP:

  • Guest role
  • Employee role
  • Contractor role
  • Student role
  • Faculty role
  • Non-user devices role
  • Job based roles such as sales, engineering, accounting, etc.

Determining the Network Access Rights of User Roles

Each user role has an assigned network access rights policy. This policy can consist of one or more enforcement methods. Table 1 lists the various network access enforcement mechanisms available in NAC Appliance. Additionally, Table 1 lists each method's support for out-of-band (OOB) mode and In-Band mode.

Table 1 Network Access Control Methods

Columns: Enforcement or Control Method; Description; Supported in OOB mode?; Supported in In-Band mode?

Traffic Control Rules
Description: The equivalent of network access control lists (ACLs). They permit and deny traffic like a firewall does.
Supported in OOB mode? Partial support. Only supported while the client is in a quarantine or temporary user role and its traffic is going through the NAC Appliance Server.

Allowed Hosts
Description: A list of DNS-resolvable hostnames of permitted hosts. Useful for allowing access to websites that have multiple or changing IP addresses. For example, a wildcard entry such as * allows access to any host whose name ends in the given suffix.
Supported in OOB mode? Partial support. Only supported while the client is in a quarantine or temporary user role and its traffic is going through the NAC Appliance Server.

VLAN Segmentation
Description: Dynamically changing the access port's Layer 2 VLAN based on the user role of the connected client. The authentication VLAN type is used for new or non-compliant hosts. The access VLAN type is reserved for authenticated and compliant hosts. The authentication VLAN type is forced through NAC Appliance and all of the accompanying enforcement, while the access VLAN type bypasses NAC Appliance.

Bandwidth Control
Description: The ability to rate-limit the amount of data a client or group of clients can send. The bandwidth rule includes the upstream Kb/s, downstream Kb/s, and burst rate fields. Bandwidth control is set per user role. The bandwidth limits are either shared by all clients in the user role or granted to each client in the user role.
Supported in OOB mode? Partial support. Only supported while the client is in a quarantine or temporary user role and its traffic is going through the NAC Appliance Server.

Session Timer
Description: The session timer serves as an absolute time limit for a client in a given user role. Once the timer expires, the client is kicked off the network and must re-authenticate. The user will be dropped regardless of their connection status or activity. This enforcement method is used to force clients to pass authentication and posture assessment again.


Defining Clean Access Agent Security Posture Checks, Rules, and Requirements

To obtain really fine-grained host security posture data, you must use the Clean Access Agent software. Host security posture requirements are mapped to user roles, so be sure your host security policy includes them. Before creating your host security policy for NAC Appliance, it is important to understand the process that NAC Appliance goes through for posture assessment. This process uses a combination of checks, rules, and requirements that are then applied to user roles and, optionally, operating system types.

The steps of the posture assessment process are described here in order:

  1. Checks are condition statements that examine the client to find the state or presence of a file, service, application, or registry key.
  2. Rules are made up of one or more checks, combined into an expression using the Boolean operators AND ("&"), OR ("|"), and NOT ("!"), with parentheses "()" to set evaluation priority. If the expression evaluates to true, the client passes the rule.
  3. Requirements are made up of one or more rules. A requirement can specify that a host must pass any selected rule, all selected rules, or no selected rules in order for the host to pass the requirement.
  4. Requirements also define the mechanism to use and the instructions that will allow the client to remediate any failed rules. For example, distribute a file or link with the instructions "Click the link and download, install, and run the XYZVirus cleaning tool." Or more commonly, "click here to update your AV software automatically."
  5. Requirements are then mapped to user roles and/or operating system types.

Figure 2 depicts the Clean Access Agent posture assessment process.

Figure 2 Checks, Rules, and Requirements

Common Host Security Posture Requirements

Here are some common host security posture requirements that should be included in most NAC Host Security Policy documents:

  • An Anti-Virus program must be installed, running, and up-to-date.
  • An Anti-Spyware program must be installed, running, and up-to-date.
  • All Windows XP clients must be running Service Pack 2.
  • All Windows clients must be running the Windows auto-update service.
  • All Windows clients must have the latest security hot fixes installed.
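To make the five-step check / rule / requirement process and the requirement list above concrete, here is an added Python example (not NAC Appliance code and not from the book). It evaluates checks against a host snapshot, combines them into rules with the &, |, ! and () operators, groups rules into any/all/none requirements that carry remediation text, and applies only the requirements mapped to the client's user role and operating system type. Every check name, file path, service name, registry key, minimum definitions date and host snapshot is constructed for illustration.

```python
"""Added example (not NAC Appliance code): an evaluator for the check / rule /
requirement model described above. Every check name, path, service name, registry
key and host snapshot is constructed for illustration."""
import re

# Checks: (kind, target, operator, value); kind is file, service, application or registry.
# "exists" tests presence; "eq" and "ge" compare the stored value (ISO dates sort as strings).
CHECKS = {
    "av_installed":    ("file",     r"C:\Program Files\ExampleAV\av.exe", "exists", None),
    "av_running":      ("service",  "ExampleAVSvc", "eq", "running"),
    "av_defs_current": ("registry", r"HKLM\SOFTWARE\ExampleAV\DefsDate", "ge", "2007-08-01"),
    "av_realtime_off": ("registry", r"HKLM\SOFTWARE\ExampleAV\RealtimeDisabled", "eq", "1"),
    "xp_sp2":          ("registry", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion", "eq", "Service Pack 2"),
}
RULES = {   # Boolean expressions over check names using &, |, ! and ()
    "av_ok":     "(av_installed & av_running & av_defs_current) & !av_realtime_off",
    "xp_sp2_ok": "xp_sp2",
}
REQUIREMENTS = [   # any/all/none over rules, remediation text, mapped roles and OS types
    {"name": "Anti-Virus", "mode": "all", "rules": ["av_ok"],
     "remediation": "Click here to update your AV software automatically.",
     "roles": {"employee", "contractor"}, "os": {"Windows XP", "Windows Vista"}},
    {"name": "Windows XP SP2", "mode": "all", "rules": ["xp_sp2_ok"],
     "remediation": "Install Service Pack 2 from the remediation server.",
     "roles": {"employee", "contractor", "guest"}, "os": {"Windows XP"}},
]

def run_check(check, host):
    kind, target, op, value = check
    actual = host.get(kind, {}).get(target)     # None when the item is absent
    if op == "exists":
        return actual is not None
    if actual is None:
        return False
    return actual == value if op == "eq" else actual >= value

def tokenize(expr):
    tokens = re.findall(r"[A-Za-z_]\w*|[&|!()]|\S", expr)
    if any(t not in "&|!()" and not re.match(r"[A-Za-z_]", t) for t in tokens):
        raise ValueError(f"unexpected character in rule {expr!r}")
    return tokens

class RuleParser:
    """Recursive-descent evaluator: ! binds tightest, then &, then |."""
    def __init__(self, expr, check_results):
        self.toks, self.pos, self.results = tokenize(expr), 0, check_results
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def parse(self):
        value = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"trailing tokens {self.toks[self.pos:]}")
        return value
    def or_expr(self):
        value = self.and_expr()
        while self.peek() == "|":
            self.pos += 1
            value = self.and_expr() or value    # right side is always evaluated
        return value
    def and_expr(self):
        value = self.factor()
        while self.peek() == "&":
            self.pos += 1
            value = self.factor() and value
        return value
    def factor(self):
        tok, self.pos = self.peek(), self.pos + 1
        if tok == "!":
            return not self.factor()
        if tok == "(":
            value, closing = self.or_expr(), self.peek()
            self.pos += 1
            if closing != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok is None or tok in "&|)":
            raise ValueError(f"unexpected token {tok!r}")
        return self.results[tok]                # KeyError for an unknown check name

def assess(host, role):
    """Return [(requirement, remediation)] for each mapped requirement the host fails."""
    results = {name: run_check(chk, host) for name, chk in CHECKS.items()}
    failed = []
    for req in REQUIREMENTS:
        if role not in req["roles"] or host["os"] not in req["os"]:
            continue                            # not mapped to this role / OS type
        outcomes = [RuleParser(RULES[r], results).parse() for r in req["rules"]]
        passed = {"any": any, "all": all, "none": lambda o: not any(o)}[req["mode"]](outcomes)
        if not passed:
            failed.append((req["name"], req["remediation"]))
    return failed

# Constructed host snapshots (not captured from real machines).
COMPLIANT_HOST = {
    "os": "Windows XP",
    "file": {r"C:\Program Files\ExampleAV\av.exe": True},
    "service": {"ExampleAVSvc": "running"},
    "registry": {r"HKLM\SOFTWARE\ExampleAV\DefsDate": "2007-08-03",
                 r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion": "Service Pack 2"},
}
# The same host with virus definitions older than the constructed 2007-08-01 minimum.
STALE_AV_HOST = dict(COMPLIANT_HOST, registry={**COMPLIANT_HOST["registry"],
                     r"HKLM\SOFTWARE\ExampleAV\DefsDate": "2007-06-15"})
```

Calling assess() on the stale host in the employee role returns the Anti-Virus requirement together with its remediation text, which is what the Temporary or Quarantine role would present to the user; the same host in the guest role fails nothing, because that role is not mapped to the AV requirement. That difference is why the HSP must record the role-to-requirement mapping and not just the list of requirements.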

In Closing

Hopefully, this article will help you on your journey to creating your own unique host security policy for NAC. In my book, Cisco NAC Appliance, I devote a whole section to creating a NAC host security policy. If you would like more details, you can find them there.

About the author:

Jamey Heary, CCIE No. 7680, is currently a security consulting systems engineer at Cisco. He leads their Western Security Asset team and is a field advisor for their global security virtual team. Jamey is the author of the recently published Cisco NAC Appliance: Enforcing Host Security with Clean Access. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey has been working in the IT field for 14 years and in IT security for 9 years.

Cisco NAC Appliance: Enforcing Host Security with Clean Access
Jamey Heary, Jerry Lin, Chad Sullivan, Alok Agrawal
ISBN-10: 1-58705-306-3
Pub Date: 8/6/2007
US SRP: $60.00
Publisher: Cisco Press
Read Chapter 3 of this book.