WEBVTT

00:00.000 --> 00:01.755
>> One other service
on the network

00:01.755 --> 00:03.360
that we want to talk
about in relation

00:03.360 --> 00:06.735
to authentication access
is Network Access Control.

00:06.735 --> 00:08.925
Sometimes referred to as NAC.

00:08.925 --> 00:10.410
As we know, there are

00:10.410 --> 00:12.480
all sorts of algorithms
that sound the same.

00:12.480 --> 00:14.565
Don't confuse this with NAT.

00:14.565 --> 00:15.855
NAT, of course,

00:15.855 --> 00:17.745
Network Address Translation,

00:17.745 --> 00:20.265
we're on Network Access Control.

00:20.265 --> 00:23.010
The idea behind NAC and one of

00:23.010 --> 00:25.275
its primary uses
is to either allow

00:25.275 --> 00:27.990
or deny access to clients
based on their health.

00:27.990 --> 00:29.520
When we talk about client and

00:29.520 --> 00:31.015
think about how the VA system,

00:31.015 --> 00:32.790
things that make
a client healthy.

00:32.790 --> 00:35.360
They have anti-virus
and anti-malware.

00:35.360 --> 00:38.195
Are they running a firewall
or spyware protection,

00:38.195 --> 00:39.470
are they up-to-date or are they

00:39.470 --> 00:41.104
>> behind in their patches?

00:41.104 --> 00:43.070
>> We can specify
various pieces of

00:43.070 --> 00:46.090
criteria to what we consider
makes a healthy client.

00:46.090 --> 00:49.070
Then we configure the policy
that essentially says,

00:49.070 --> 00:51.035
this is how we determine
what's healthy

00:51.035 --> 00:53.585
and if a client meets
our health requirements,

00:53.585 --> 00:57.000
then they're allowed
access to a resource.

00:57.910 --> 01:00.620
If they don't meet our
health requirements,

01:00.620 --> 01:02.930
then they're either
denied access or could

01:02.930 --> 01:05.795
even be potentially sent
to a remediation network.

01:05.795 --> 01:07.940
For instance, if I require

01:07.940 --> 01:09.980
my clients to have
an anti-malware and

01:09.980 --> 01:11.104
>> a client doesn't,

01:11.104 --> 01:13.880
>> then they could actually
be redirected to a segment of

01:13.880 --> 01:15.035
the network where they could

01:15.035 --> 01:17.530
download anti-malware
and try again.

01:17.530 --> 01:19.250
There's all sorts
of capabilities

01:19.250 --> 01:21.200
with Network Access Control.

01:21.200 --> 01:24.260
The idea is, as you
can see on the screen,

01:24.260 --> 01:26.150
we have the requestor
of services.

01:26.150 --> 01:28.520
In this instance, maybe
I'm at home and I'm

01:28.520 --> 01:31.130
trying to VPN into
my internal network.

01:31.130 --> 01:32.705
As I make my request,

01:32.705 --> 01:34.460
I would connect to a VPN server,

01:34.460 --> 01:35.750
or in this case, it looks like

01:35.750 --> 01:38.695
the access requester's
connecting into a switch.

01:38.695 --> 01:41.060
At any rate, what we see
is the request is

01:41.060 --> 01:43.565
actually being forwarded
to a RADIUS server.

01:43.565 --> 01:45.979
We talked about RADIUS
multiple times.

01:45.979 --> 01:48.380
It could be forwarded
to the NAC server.

01:48.380 --> 01:52.210
As you see, Active Directory,
firewall, whatever.

01:52.210 --> 01:54.280
We have three big pieces.

01:54.280 --> 01:56.660
We have the client that
initiates the request,

01:56.660 --> 01:59.225
the enforcement point,
and the decision point.

01:59.225 --> 02:00.950
If we were doing
this and trying to

02:00.950 --> 02:03.035
connect into the switch
with credentials,

02:03.035 --> 02:05.455
that request will be sent
to the decision point.

02:05.455 --> 02:07.035
The decision point asks,

02:07.035 --> 02:08.860
is that client healthy or not?

02:08.860 --> 02:10.550
Here are the criteria to

02:10.550 --> 02:12.595
consider the client
a healthy client.

02:12.595 --> 02:15.220
That's passed back
along to the switch.

02:15.220 --> 02:17.495
The access is either
denied or allowed.

02:17.495 --> 02:20.450
Ultimately, the access is there
at the enforcement point.

02:20.450 --> 02:22.880
Yes or no. The real decision

02:22.880 --> 02:26.075
is made at the next level
at a policy decision point.

02:26.075 --> 02:28.565
It's the same way with RADIUS,

02:28.565 --> 02:30.560
you connect to a VPN server and

02:30.560 --> 02:32.299
>> the VPN service says, hang on.

02:32.299 --> 02:34.340
>> Let me forward the
request to RADIUS.

02:34.340 --> 02:36.620
RADIUS comes back with
the decision and then

02:36.620 --> 02:39.799
that enforcement point either
allows or denies access.

02:39.799 --> 02:43.160
It's the same idea here with
Network Access Control.

02:43.160 --> 02:45.620
This idea of having
the client verify and

02:45.620 --> 02:47.870
validate their health
to the health server is

02:47.870 --> 02:49.490
going to be really
helpful if I've

02:49.490 --> 02:50.990
laptop computers that come and

02:50.990 --> 02:52.669
>> go from our organization,

02:52.669 --> 02:54.410
>> and you may be
connecting to one network

02:54.410 --> 02:56.525
today and different
network tomorrow.

02:56.525 --> 02:59.450
That's one way that systems
can really become infected,

02:59.450 --> 03:01.130
it's because different
organizations

03:01.130 --> 03:03.440
have network security variances.

03:03.440 --> 03:05.090
Every time the client comes in

03:05.090 --> 03:06.544
>> to log onto your network,

03:06.544 --> 03:07.970
>> having to provide
a statement of

03:07.970 --> 03:09.920
its health is going
to go a long way,

03:09.920 --> 03:12.260
making sure your
infected clients

03:12.260 --> 03:13.730
don't get on the network.

03:13.730 --> 03:15.860
That's going to require
that the client be

03:15.860 --> 03:18.200
capable of providing a
statement of health.

03:18.200 --> 03:20.090
Most operating systems that are

03:20.090 --> 03:21.815
current have that capability.

03:21.815 --> 03:23.330
But it's a service that is not

03:23.330 --> 03:25.310
turned on by default in Windows.

03:25.310 --> 03:27.800
It'll be something that
you'd have to enable.

03:27.800 --> 03:29.960
You'd have to enable it on
the enforcement point and

03:29.960 --> 03:31.100
configure the policy on

03:31.100 --> 03:33.155
the decision point
on the back end.

03:33.155 --> 03:35.360
Very frequently, stuff
like this is done in

03:35.360 --> 03:37.550
either RADIUS or NAC or Windows,

03:37.550 --> 03:40.010
has a function called
Network Policy Server.

03:40.010 --> 03:42.500
That's where that
includes decisions or

03:42.500 --> 03:45.755
RADIUS or for NAC or
any other element.

03:45.755 --> 03:48.080
The bottom line here is we can

03:48.080 --> 03:49.910
either allow or deny access to

03:49.910 --> 03:51.830
resources by
challenging the client

03:51.830 --> 03:53.690
or say prove to me
you're healthy.

03:53.690 --> 03:55.250
That client provides a statement

03:55.250 --> 03:56.240
of health based on what's

03:56.240 --> 03:59.180
allowed or what's configured
in the operating system.

03:59.180 --> 04:00.920
The statement of health provides

04:00.920 --> 04:03.680
the necessary security
stated by the NAC server,

04:03.680 --> 04:05.360
then the system is
allowed to connect

04:05.360 --> 04:07.700
in. It's a good feature.

04:07.700 --> 04:09.380
It helps us make
sure we don't have

04:09.380 --> 04:10.430
>> devices connecting to

04:10.430 --> 04:12.380
>> our network that
aren't as updated

04:12.380 --> 04:13.884
>> as they need to be.

04:13.884 --> 04:16.660
>> Some key takeaways
from this section.

04:16.660 --> 04:19.180
We talked about the
benefits of single sign-on.

04:19.180 --> 04:21.575
Making it much
easier on our users,

04:21.575 --> 04:23.090
not weighing them
down and lots of

04:23.090 --> 04:24.520
passwords to keep up with.

04:24.520 --> 04:25.880
It also makes it easier

04:25.880 --> 04:27.230
on administrators
because they have

04:27.230 --> 04:28.970
a single directory
database that they

04:28.970 --> 04:31.115
have to monitor and control.

04:31.115 --> 04:33.680
It makes it easier to
secure the environment,

04:33.680 --> 04:36.515
and it makes it easier
to allow access.

04:36.515 --> 04:37.880
When we're looking at an

04:37.880 --> 04:39.664
>> internal network
infrastructure,

04:39.664 --> 04:41.160
>> it's often Kerberos that we

04:41.160 --> 04:43.055
use to provide our
single sign-on.

04:43.055 --> 04:44.750
Once we want to extend beyond

04:44.750 --> 04:46.100
our domain and start sharing

04:46.100 --> 04:48.140
identity information
with other software

04:48.140 --> 04:50.375
as a service providers
or cloud providers.

04:50.375 --> 04:51.620
That's where we rely on

04:51.620 --> 04:54.485
our administrator creating
federated trust with them.

04:54.485 --> 04:56.585
Once the trust is established,

04:56.585 --> 04:58.850
we either allow SAML tokens or

04:58.850 --> 05:00.800
OpenID Connect tokens to provide

05:00.800 --> 05:03.685
the authentication
information for our users.

05:03.685 --> 05:08.190
We also said OAuth 2.0 is
a part of OpenID Connect.

05:08.190 --> 05:10.830
That goes beyond
just authentication.

05:10.830 --> 05:13.835
That allows for the
delegation of services.

05:13.835 --> 05:15.710
Last but not least, we talked

05:15.710 --> 05:17.405
about Network Access Control.

05:17.405 --> 05:19.940
Network Access Control's
purpose is to prevent

05:19.940 --> 05:21.170
client systems that are not

05:21.170 --> 05:22.845
healthy from joining
the network.

05:22.845 --> 05:24.350
It's a network
administrator that

05:24.350 --> 05:26.630
determines what health
of a client should be.

05:26.630 --> 05:28.910
NAC puts a system in place,

05:28.910 --> 05:31.250
so the client verifies their
health and that it meets

05:31.250 --> 05:32.810
the minimum requirements to join

05:32.810 --> 05:35.910
the network or to
access the resource.

