Things to add to a NAC RFI/RFP

Recently I have been answering several NAC RFIs/RFPs. To my surprise I have found that some important questions were missing from many of them.

I will highlight those questions I feel must be included in any RFI/RFP.

Question N.0: Definition
The first question is how does the vendor define NAC. A related question is what threats the NAC product is designed to mitigate.

Because NAC is such a hot concept, all kinds of products are using the term to get visibility. The answers to these questions will help you decide if the vendor’s products are focusing on the issues you are trying to resolve.

Question N.1: Pre-Requisites
The second question I find missing is: List your NAC solution’s prerequisites. The prerequisites are those tasks that must be performed and expenses that must be incurred in order for the solution to operate as advertised. A solution’s prerequisites would expose implementation issues, hidden costs (setup, operational, etc.), and the complexity associated with implementing the solution.

Here are specific detailed questions:

  • Does the solution require network architecture changes?
  • Does the solution rely on specialized networking gear? – i.e. networking equipment from the vendor itself or a third party vendor.
  • Does the solution require the networking equipment to be upgraded or replaced?
  • Does the solution require the installation of software agents?
  • How are admission checks are performed?

The answers to these questions will enable you to calculate the total cost of ownership of the NAC deployment including labor, hardware (upgrades, replacements, number of appliances or servers needed, etc.), and complexity.

Question: Solution Architecture
You should ask a vendor to describe the architecture of its NAC solution. Requesting a general description of the NAC architecture and then asking specific questions regarding the various techniques, methods and technology would help you determine the strengths and weaknesses of the solution.

Question N.2: Element Detection
Another question I find missing is: Describe how your NAC solution performs element detection.

Element detection is a core feature that must be supported by a NAC solution. It is the ability to detect, in real-time, a new element attempting to be attached to the network. If a NAC solution cannot perform element detection in real-time then it can be easily defeated (i.e. you cannot defend against something you are not aware of its existence).

Questions that can be listed under this part of the RFP:

  • How does the solution detect the presence of a new element?
  • Does the solution use agents for element detection? – If the answer is yes then not everything can be detected. Elements on which you cannot install an agent will have to have their MAC addresses white-listed. This leaves you open to MAC spoofing-based attacks, where, for example, a white listed printer is detached and a laptop spoofing the MAC address of the printer is attached, all without the NAC system’s knowledge, or yours.
  • Does the solution use the switch for element detection? – Not all switches support this feature. Relying solely on the switch capabilities to provide with information regarding new elements connecting to the switch is generally not a good thing.
  • Is element detection performed in real-time? – If element detection is not being performed in real-time then there will be a time interval during which a malicious insider would be able to freely operate on the network without being detected.
  • Does the element detection include hosts other then Microsoft Windows-based elements? – If not then a malicious insider using an OS other then a Microsoft Windows-based OS might be able to freely operate on the network without being blocked.
  • How does the information regarding the elements residing on the network stays current?
  • Does the solution utilize DHCP for element detection? – If answered yes, the there may be other elements operating on the network that may not make use of DHCP. Any element, which is configured with a static IP address, may not be detected by the NAC solution.
  • Does the solution utilize 802.1x for element detection? – If so it means the networking equipment must support 802.1x, and there may be other pre-requisites such as agent software installed on elements. Again, you may need to white list non 802.1x compatible devices and expose your network to the risk of MAC spoofing-based attacks (see above for explanation of MAC spoofing)

Question N.3: Compliance & Compliance Checks
Questions that can be listed under this part of the RFP:

  • What are the parameters that can be checked when an element is being admitted to the network?
  • Does a software agent is required when performing compliance checks? If answered yes this would complicate the deployment of the NAC solution. As the number of systems that an agent should be installed on increases, so does the complexity of the deployment.
  • What operating systems are supported with compliance checks?
  • To what degree can the NAC solution assist the organization in meeting the requirements of compliance regimes like Sarbanes-Oxley, GLBA, PCI, and HIPA
  • Can custom compliance checks can be defined?

Question N.4: Quarantine
Describe the quarantine mechanism the solution uses.

There are a variety of quarantine methods being used with varying strengths and weaknesses. You need to understand whether the quarantine method can be bypassed and whether a quarantined element can infect other quarantined elements.

Questions that can be listed under this part of the RFP:

  • Does the quarantine method rely on specialized hardware or software?
  • When an element is quarantined is it possible for it to become infected by other quarantined elements? You need to evaluate whether the quarantine area is shared between the quarantined elements. If so, they are able to infect and penetrate each other.
  • When an element is quarantined is it possible for other quarantined elements to try to penetrate into it? An attacker might use a shared quarantine area as its entry point to the organization infecting quarantined elements with 0-day Malware. Once re-admitted to the network these elements may allow the attacker access to other parts of the network and to information it should not access.
  • Is the quarantine performed at Layer-2 or Layer-3? Layer 3 is problematic because elements would still be able to interact with other devices on the local subnet. It would allow the local infection of quarantined elements by another quarantined element, and the ability of a quarantined element to directly attack another quarantined element trying to abuse a certain vulnerability to gain unauthorized access.
  • Can the quarantine mechanism isolate virtual machines? – As virtualization becomes an integral part of the data center as well as R&D and QA environments this is an important feature to note.
  • Can elements connected to a non-managed switch or to a hub be put into quarantine?

Question N.5: Enforcement
How does the NAC solution provide enforcement?

  • How is enforcement performed?
  • Is the enforcement is being done at Layer-2 or Layer 3? Layer 3 is problematic because elements would still be able to interact with other devices on the local subnet.
  • Does the enforcement involve the networking gear? If so, how? – The answer to this question may unveil hidden costs, ways to circumvent the solution, etc.
  • Does the enforcement depend on specialized hardware? If answered yes it may unveil hidden costs.
  • Does the enforcement depend on specialized software?
  • Can you enforce your NAC policy on individual virtual machines (specifically against virtual guests)?

Analyzing the vendor’s responses
The answers to the RFI/RFP questions would allow you to analyze the technology of the NAC solution, its time-to-value, and its total cost of ownership. All of which you must take into consideration when making a buying decision.

Analyze N.1: Technology
Evaluate the Security Strengths and Weaknesses of the Offered Solution
Learn whether the offered NAC solution meets your security requirements. Evaluate the weaknesses of the offered solution, and determine if the NAC solution may be easily bypassed.

Analyze N.2: Time to Value
One of the important aspects of deploying a NAC solution is how long will it take to deploy the solution throughout the enterprise? It is an important consideration when deploying a NAC solution.

Analyze N.3: Cost
Calculate the Total Cost of Ownership
You should calculate the total cost the implementation. For each NAC solution you evaluate, take into consideration the costs associated with deployment, as these may be much higher than the cost of the product. The overall cost should include the product, any networking gear upgrade and/or replacement, servers needed for the solution, and the cost of labor, which will be required to implement and manage the solution.

Conclusion: A NAC solution that provides you with a strong technology, a short time to value period, with a reasonable total cost of ownership should be the one you should choose.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: