HCIE-datacom | Network Access Control

1. Introduction

        When I was providing network technology consulting services some time ago, an intern classmate asked me about the scenarios in which network access control applies. Let me give a simple theoretical explanation of access technology, along the same lines as that explanation. This article is divided into five parts: an overview of network access control, user authentication technology, user authorization and logout, NAC configuration implementation, and policy linkage. Of course, a brief summary is given at the end.

2. Overview of network access control

        Network access control takes "only legitimate users and safe terminals can access the network" as the leading idea, and improves the overall terminal security protection capability of the enterprise network through user authentication, authority management, security inspection, repair and upgrade and other means.

——Huawei HCIE-datacom official document

        Network access control is a protection mechanism designed to ensure that only legitimate users and secure terminals can access the network. Its main goal is to improve the overall terminal security protection capability of the enterprise network through various measures, including user authentication, authority management, security inspection, and repair and upgrade.

        First, network access control relies on user authentication. Through user authentication techniques such as username and password, two-factor authentication, or certificate authentication, only authenticated, legitimate users can access the network. This authentication process establishes the legitimacy of the user's identity and prevents unauthorized access and the security threats that come with it.

        Second, rights management is a key component of network access control. By assigning appropriate permissions and access levels to different users or user groups, you can ensure that users only have access to the network resources and functions they need, and limit access to sensitive data and system settings. The careful configuration of rights management can improve the confidentiality and data security of the network.

        In addition, network access control also involves security checks on terminal devices. This includes conducting security assessments, vulnerability scanning, and security policy compliance checks on terminal devices to ensure the security status and compliance of terminal devices. Repairing and upgrading devices with security risks can prevent security vulnerabilities from being exploited and improve overall network security.

        The comprehensive implementation of network access control can effectively reduce the network risk faced by the organization and improve the overall terminal security protection capability of the enterprise network. Through key measures such as authenticating user identities, managing access rights, conducting security checks, and repairing upgrades, organizations can establish a safe and reliable network environment that protects sensitive data, prevents unauthorized access, and reduces the risk of cyber threats.

3. User authentication technology

        User authentication technology is the core component of network access control. It is used to verify and confirm the identity of users and to grant them the corresponding access rights. User authentication covers a variety of methods; the following are some common ones:

        ① Username and password

        This is the most common and basic form of user authentication. The user provides a unique username and the corresponding password, and the system verifies the user's identity by checking these credentials. However, this approach is not the most secure, as passwords can be guessed, stolen, or cracked. For added security, users should use complex passwords and change them periodically.

        ② Two-factor authentication

        Two-factor authentication requires users to present two different credentials at the same time, usually a password combined with another factor such as an SMS verification code, a hardware token, or a biometric (such as facial or fingerprint recognition). Introducing the second factor provides a higher level of security: even if the password is compromised, the additional factor is still required before network resources can be accessed.

        ③ Certificate authentication

        Certificate authentication is a method of authenticating using digital certificates. A digital certificate is issued by a trusted certificate authority (CA) and contains the user's public key and identity information. When a user authenticates to the system, the system verifies the validity and integrity of the certificate to confirm the user's identity. This method is usually used in environments with high security sensitivity, such as e-commerce and financial fields.

        ④ Single sign-on (SSO)

        SSO technology allows users to use one set of credentials (such as a username and password) to access multiple applications or systems without authenticating separately to each one. Users log in once, and the system passes their authentication result on to the other related applications. SSO improves the user experience and also simplifies authentication management. It is often built on standard protocols such as SAML or OAuth.

        ⑤ Multi-factor authentication

        Multi-factor authentication is a way to further strengthen user authentication by requiring users to provide multiple independent authentication factors. In addition to passwords, authentication can be combined with multiple factors such as biometrics, location information, time stamps or security questions. This approach provides extremely high security, but may increase the complexity and cost of user authentication.

        It is important to note that user authentication techniques should be selected and implemented based on the organization's security needs and resource availability. According to different application scenarios and user needs, multiple authentication technologies can be combined to provide a more comprehensive and flexible authentication solution. At the same time, authentication technology should also be regularly reviewed and updated to adapt to new threats and security standards to ensure network reliability and security.

4. User authorization and logout

        In Huawei's official documents, the description of user authorization and user logout is as follows:

        ① User authorization

        Authentication is used to confirm whether the identity of the user trying to access the network is legitimate, while authorization is used to specify the network access rights that the legitimate user can have, that is, which resources the user can access. Taking RADIUS server authorization as an example, common authorization information includes:

        VLAN: In order to isolate restricted network resources and unauthenticated users, usually the restricted network resources and unauthenticated users are divided into different VLANs. After the user is successfully authenticated, the authentication server authorizes the specified VLAN to the user.

        ACL: After the user is successfully authenticated, the authentication server will authorize the specified ACL to the user, and the device will control user packets according to the ACL.

        UCL group: A UCL (User Control List) group is a collection of network members. Members in the UCL group can be network terminal devices such as PCs and mobile phones. With the help of UCL groups, administrators can divide a class of users with the same network access policy into the same group, and then deploy a set of network access policies for them to meet the network access requirements of all users of this class. Compared with deploying network access policies for each user, the UCL group-based network control solution can greatly reduce the workload of administrators.

——Huawei HCIE-datacom official document

        ② User logout (going offline)

        When a user goes offline but the access device, RADIUS server, and Portal server do not perceive that the user is offline, the following problems occur: the RADIUS server continues to charge the user, resulting in incorrect accounting; an illegal user may forge the legitimate user's IP address and MAC address to access the network; and when there are too many such offline users, the device's user-entry capacity is consumed, which may prevent other users from accessing the network. Therefore, the access device must be able to detect that the user is offline in a timely manner, delete the user entry, and notify the RADIUS server to stop accounting for the user. User logout methods include active client logoff, access device-controlled user logoff, and server-controlled user logoff.

——Huawei HCIE-datacom official document

        User authorization and logout are two important aspects of network access control. They ensure that only authorized users can access the organization's network resources, and that users are disconnected from the network in time when access is no longer needed, thereby enhancing network security.

        Authorization is to determine the resources and operations a user can access based on the user's identity, role, and authority. Through authorization policies, organizations can define precisely the scope of sensitive data, critical systems, and network resources that users can access. By assigning roles and permissions, organizations can restrict user access according to different needs and responsibilities. For example, senior managers can be granted higher-level permissions, while ordinary employees can only access specific resources. Authorization policies should be based on the organization's security policies and business needs, and should be regularly evaluated and updated to ensure that only legitimate users can access network resources.
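The RADIUS authorization described above, as an added example that is not code from the page or from Huawei: an access device decodes the VLAN and ACL attributes of an Access-Accept (standard attribute numbers from RFC 2865/2868/3580) and derives the authorization to apply. The sample packet bytes are constructed for the example.

```python
# Added example (not Huawei's code): decode RADIUS Access-Accept authorization
# attributes into a VLAN/ACL decision; the sample packet bytes are constructed.
FILTER_ID = 11                  # name of the ACL to apply to the user
TUNNEL_TYPE = 64                # 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65         # 6 = IEEE 802
TUNNEL_PRIVATE_GROUP_ID = 81    # VLAN ID carried as a string
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def parse_attributes(data):
    """Split the attribute section into (type, value) pairs. Each attribute is
    Type(1) Length(1) Value(Length-2); a bad length rejects the whole packet."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def strip_tag(value):
    """RFC 2868 tagged string: a first byte of 0x00-0x1F is a tag, else no tag."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def derive_authorization(data):
    """Return {'vlan': int or None, 'acl': str or None} for one Access-Accept."""
    tunnel_type = tunnel_medium = group_id = None
    result = {"vlan": None, "acl": None}
    for atype, value in parse_attributes(data):
        if atype == TUNNEL_TYPE:            # tag (1 octet) + 3-octet integer
            tunnel_type = int.from_bytes(value[1:4], "big")
        elif atype == TUNNEL_MEDIUM_TYPE:
            tunnel_medium = int.from_bytes(value[1:4], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            _, group_id = strip_tag(value)
        elif atype == FILTER_ID:
            result["acl"] = value.decode("ascii")
    # Honour the VLAN only when all three tunnel attributes agree and the ID is
    # a valid 802.1Q number; otherwise the user stays in the default VLAN.
    if (tunnel_type == TUNNEL_TYPE_VLAN and tunnel_medium == TUNNEL_MEDIUM_802
            and group_id and group_id.isdigit() and 1 <= int(group_id) <= 4094):
        result["vlan"] = int(group_id)
    return result


def build_attr(atype, value):
    return bytes([atype, len(value) + 2]) + value   # one Type/Length/Value


# Constructed Access-Accept attribute section: VLAN 100 plus ACL "guest-acl".
SAMPLE_ACCEPT = (
    build_attr(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    + build_attr(TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
    + build_attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00100")   # tag 0 then "100"
    + build_attr(FILTER_ID, b"guest-acl")
)
```

`derive_authorization(SAMPLE_ACCEPT)` yields VLAN 100 and ACL `guest-acl`; a Tunnel-Private-Group-ID without matching Tunnel-Type and Tunnel-Medium-Type, or with an out-of-range VLAN, is ignored.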

        User logoff is another key aspect, ensuring that users are disconnected from the network when they no longer need access to network resources. User logout can be realized through automatic logout or timed logout from the system. The purpose of this is to prevent unauthorized access for a long time and reduce security risks. For example, the system can automatically log employees offline when they leave the work area or exceed a certain time frame to protect the organization's sensitive data and resources. For emergency offline under special circumstances, such as lost or leaked user credentials, the organization should take timely measures to suspend the user's access rights to prevent unauthorized access and data leakage.
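The logout handling described above, as an added example that is not code from the page or from Huawei: a toy access-device user table with the three logout paths the text names (client logoff, device-side idle detection, server-controlled disconnect), each of which deletes the user entry and emits an Accounting-Stop record. The idle timeout, table capacity, MAC addresses and IP addresses are assumed values constructed for the example.

```python
# Added example (not Huawei's code): toy access-device user table showing the
# three logout paths and why timely offline detection matters. Timeout,
# capacity, MAC and IP values are constructed for the example.
IDLE_TIMEOUT = 600     # assumed: seconds without traffic before device-side logoff
MAX_USERS = 2          # assumed: tiny user-entry capacity, to show exhaustion


class AccessDevice:
    def __init__(self):
        self.users = {}         # mac -> {"ip": str, "last_seen": int}
        self.acct_stops = []    # Accounting-Stop records sent to the RADIUS server

    def logon(self, mac, ip, now):
        """Create a user entry after authentication; fails when the table is full."""
        if len(self.users) >= MAX_USERS:
            return False
        self.users[mac] = {"ip": ip, "last_seen": now}
        return True

    def traffic(self, mac, now):
        """Any packet from the user refreshes its liveness timestamp."""
        if mac in self.users:
            self.users[mac]["last_seen"] = now

    def _logoff(self, mac, reason, now):
        entry = self.users.pop(mac, None)
        if entry is None:
            return False
        # Deleting the entry and stopping accounting always happen together.
        self.acct_stops.append({"mac": mac, "ip": entry["ip"], "reason": reason, "time": now})
        return True

    def client_logoff(self, mac, now):       # path 1: client logs off actively
        return self._logoff(mac, "client-logoff", now)

    def server_disconnect(self, mac, now):   # path 3: server-controlled logoff
        return self._logoff(mac, "server-disconnect", now)

    def age_out(self, now):                  # path 2: device-side detection
        """Log off every user idle for IDLE_TIMEOUT or longer; return their MACs."""
        expired = [m for m, e in self.users.items() if now - e["last_seen"] >= IDLE_TIMEOUT]
        for mac in expired:
            self._logoff(mac, "idle-timeout", now)
        return expired


def demo():
    """Two users walk away silently; until they are aged out a third cannot log on."""
    dev = AccessDevice()
    dev.logon("aa:aa:aa:aa:aa:01", "10.0.0.11", now=0)
    dev.logon("aa:aa:aa:aa:aa:02", "10.0.0.12", now=0)
    blocked = dev.logon("aa:aa:aa:aa:aa:03", "10.0.0.13", now=700)   # table full
    aged = dev.age_out(now=700)                                        # both idle 700 s
    admitted = dev.logon("aa:aa:aa:aa:aa:03", "10.0.0.13", now=700)
    return blocked, sorted(aged), admitted, len(dev.acct_stops)
```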

        User authorization and logout need to be combined with other security controls to provide stronger network security protection. For example, when a user is successfully authenticated, their access rights should match firewall policies and only have access to resources that match their roles and permissions. When a user goes offline, the system should notify other security devices and systems in a timely manner to ensure that the user's access rights are fully terminated.

        It should be pointed out that user authorization needs to be coordinated with the principle of privacy protection. Organizations should abide by relevant laws and regulations, properly handle users' personal information during the authorization process, and ensure that users' privacy is protected.

        To sum up, user authorization and logout are key steps in network access control. By ensuring that users can only access the resources they are authorized for, and promptly terminating user access when it is no longer needed, organizations can reduce the risk of unauthorized access and data leakage, and enhance the security and reliability of the network. User authorization policies should be formulated according to the organization's security needs and business processes, and coordinated with other security measures to provide comprehensive network security protection.

5. NAC configuration implementation

        In Huawei's official documents, this part is mainly about the configuration process. The configuration approach for user access authentication is as follows:

        Drawing on information gathered from the Internet and elsewhere, the theory can be summarized as follows:

        NAC configuration implementation is the core component of network access control. By defining and managing network access policies, it ensures that only legitimate, authorized users can access the organization's network resources. NAC configuration covers several areas of settings, aiming to provide efficient network access control and security assurance. It involves the following components:

        ① Authentication server

        In the implementation of NAC configuration, the setting of the authentication server is very important. The authentication server is responsible for managing and verifying the user's identity credentials, ensuring that the user name and password provided by the user are valid. Authentication servers can also support other authentication methods, such as two-factor authentication or biometrics. By properly configuring the authentication server, organizations can implement strong user authentication and enhance network security.

        ② Access Control List (ACL)

        The configuration of access control lists (ACLs) is also a key part of NAC configuration implementation. An ACL is a mechanism for filtering and managing network traffic, used to restrict specific users or devices from accessing network resources. By properly configuring ACLs, you can control which network resources and operations users may access according to their identities, roles, and permissions. ACLs can be applied on network devices such as switches, firewalls, and routers to ensure that only authorized users can reach specific network resources.

        ③ Intrusion Detection and Prevention System (IDS/IPS)

        The configuration of the intrusion detection and prevention system (IDS/IPS) is also part of the NAC configuration implementation. IDS/IPS monitor network traffic and detect and block potential intrusions. Through the integration with the NAC system, IDS/IPS can automatically adjust its behavior and rules according to the user's identity and authority to provide a higher level of intrusion detection and defense. Proper configuration of IDS/IPS can provide real-time threat awareness and response, and enhance the ability of network access control.

        ④ Other security measures

        NAC configuration implementation may also include setting and configuration of other security measures. For example, an organization can configure a log management system to monitor and record network access events for auditing and investigation purposes. Network traffic analysis tools can also be used to identify and isolate anomalous network traffic for additional security.

        It should be noted that the implementation and management of NAC configuration requires certain professional knowledge and skills. Organizations should rely on professional network security personnel or partners to ensure correct and effective NAC configurations. Additionally, NAC configurations should be regularly reviewed and updated to adapt to changing cyber threats and business needs.

        To sum up, the implementation of NAC configuration is the key link of network access control. By configuring security measures such as authentication servers, ACLs, and IDS/IPS, organizations can define and manage network access policies and ensure that only authenticated and authorized users can access network resources. The implementation of NAC configuration requires professional knowledge and skills, and should be coordinated with other security measures to provide comprehensive network security protection.

6. Policy linkage

        Policy linkage is a solution to solve the contradiction between the strength and complexity of large-scale campus policies by uniformly managing user access policies on the gateway device and implementing user access policies on the gateway device and access devices.

——Huawei HCIE-datacom official document

        In Huawei's official documents, the overall overview of policy linkage is as follows:

        Policy linkage is an important aspect of network access control. It provides comprehensive network security protection and response capability by cooperating with other security policies and technologies, and ensures that network access control stays consistent with the other security measures so that, together, they provide a higher level of security. Policy linkage mainly involves the following other types of policy.

        ① Linkage with firewall

        First, policy linkage can be combined with firewall policies. As the first line of defense for network security, a firewall limits network traffic and blocks abnormal connections. After a user is successfully authenticated, their access rights should match the firewall policy, so that they can only reach resources matching their role and permissions. This reduces unauthorized access and potential network threats, improving overall network security.

        ② Linkage with IDS and IPS

        Policy linkage can be combined with intrusion detection system (IDS) and intrusion prevention system (IPS). IDS/IPS can monitor and detect intrusion behavior in network traffic, and take corresponding defense measures. The linkage with the NAC system can automatically adjust the behavior and rules of IDS/IPS according to the user's identity and authority, so as to provide a higher level of intrusion detection and defense. For example, when a user behaves abnormally or involves sensitive data, the NAC system can immediately notify the IDS/IPS system to trigger corresponding defense measures.

        ③ Linkage with SIEM

        Policy linkage can also be combined with a security information and event management system (SIEM). The SIEM system is used to centrally manage and analyze network security events and log information. Through the integration with the NAC system, the SIEM system can obtain relevant information about user authentication and access, and perform real-time threat analysis and incident response. This can strengthen the supervision of network access control.

7. Summary

        To sum up, network access control is a protection mechanism that ensures that only legitimate users and secure terminals can access the network, through means of user authentication, authority management, security inspection, and repair and upgrade. Its core goal is to enhance the terminal security protection capabilities of enterprise networks and prevent unauthorized access and potential security threats. By authenticating user identities, managing access rights, conducting security checks, and repairing and upgrading, organizations can establish a safe and reliable network environment, protect sensitive data, prevent security loopholes from being exploited, and reduce the network risks faced by the organization. Network access control is an important measure to ensure network security, and it should be comprehensively implemented according to the organization's security needs and resource availability.

        Finally, to quote a passage from Huawei's official document:

        User access control is the first "gate" of the network. In order to guard this door well, user authentication protocols such as 802.1X authentication, MAC authentication, and Portal authentication can be deployed in the network. The implementation methods and application scenarios of these technologies are different, and they need to be selected and deployed according to the characteristics and requirements of the network.

Origin blog.csdn.net/as12138/article/details/131580992