
Network Access Control Reference Architecture
Rick Leclerc, Solutions Architect
January 29, 2020

Network Access Control Reference Architecture

Network Access Control solutions have been around for 20+ years, delivering endpoint host integrity checking, BYOD and guest onboarding, pre-connect role-based network access, intent-based segmentation, IoT device management, post-connect security automation, and more recently Zero Trust.

Knowing which users and what endpoint devices are connecting to the network, and accurately controlling these wired and wireless connections, is a key factor in providing a safe, secure, and highly functioning network for a successful business.

Balancing security with ease of use is a tricky task, requiring a platform with the flexibility to let a customer focus in one direction without sacrificing the other too much. When this balance can be achieved in a multi-vendor environment, the solution will be widely accepted by customers.
Network Access Control Reference Architecture
On Premise

Depending on a company’s infrastructure and requirements, one Network Access Control architecture/deployment might fit better than another. Branch offices should have the ability to mirror security controls required at main campus and data center locations.

Network Access Control Architectures:
• Traffic-based (SPAN / TAP)
• 802.1X / Authentication Approach
• Integrated Fabric Approach

[Diagram: sites (Remote Workforce, Branch Office(s), Cloud Access, VPN, SD-WAN, HQ / Primary DC, DR / Backup DC) connected to a central Network Access Control appliance. Legend: • Scalable Centralized Deployment - On Premise (3)]
Network Access Control Reference Architecture
Public Cloud

(Same text and architecture list as the On Premise slide.)

[Diagram: the same sites connected to the Network Access Control appliance, now shown deployed either on premise or in the public cloud. Legend: • Scalable Centralized Deployment - On Premise (3) / Public Cloud (4)]
Network Access Control Reference Architecture
Network Infrastructure

The integrated fabric approach, which works with any vendor’s switches and wireless infrastructure, leverages the customer’s existing investment to see and control “who” and “what” is connecting to all parts of the network. Large multi-site environments, as well as remote branch offices, can be managed from a single NAC appliance, either from a corporate data center or from the public cloud.

[Diagram: the Network Infrastructure (Switch, Router, Access Point, Firewall) is added beneath the NAC appliance, which manages it over SNMP, CLI, RADIUS, syslog, API. Legend adds: • Network Infrastructure Visibility (5)]
Network Access Control Reference Architecture
Users & Endpoint Devices

If the NAC solution has IP-connectivity to the network infrastructure, all users and endpoint devices can be managed from a single location.

[Diagram: Users & Endpoint Devices are added below the network infrastructure. Legend adds: • Full Endpoint Visibility (6)]
Network Access Control Reference Architecture
Network Services

Identity / Network Services integrate into the network segmentation, helping to restrict network services and sensitive data to only those who need it.

[Diagram: Internal Services (DHCP, Directory / LDAP, Email) are added. Legend adds: • Internal Services (7)]
Network Access Control Reference Architecture
Segmentation

Network segmentation is the process of sectioning off one network into smaller segments, or “subnetworks”. It's a key security practice for any merchant that wants to protect their cardholder data and reduce their PCI scope. Trusted areas restrict network services and sensitive data to only those who need it. Untrusted areas isolate “rogue”, non-compliant, and disabled endpoint devices from the production network, but allow access to onboarding or remediation services.

Segmentation
• Trusted
- Corporate / Guest
- IoT
• Untrusted
- Registration
- Quarantine
- Dead-End

[Diagram: the Segmentation block above is added beside the network infrastructure. Legend adds: • Network Segmentation (8)]
Network Access Control Reference Architecture
Identity & Authorization

Identity and authorization features are leveraged to track who is requesting access and what kind of device is in use.

Identity & Authorization
• FortiAuthenticator/Token
• X.509
• LDAP
• RADIUS
• SAML
• Multi-Factor Auth

[Diagram: the Identity & Authorization block above is added. Legend adds: • “Who” – Identity & Authorization (9 & 10)]
Network Access Control Reference Architecture
Trusted Endpoints

Trusted user-based devices are identified through MDM integration, installation of the NAC persistent agent, GPO integration, or FortiClient EMS integration.

[Diagram: Trusted Endpoints (MDM, CMDB, Agent) are added under Users & Endpoint Devices. Legend unchanged.]
Network Access Control Reference Architecture
IoT & OT Endpoint Devices

Trusted IoT devices are identified through profiling rules that include a combination of active & passive profiling methods. Devices are also identified through the FortiGuard IoT Device Service.

[Diagram: IoT & OT Endpoints (IEEE, Fingerprint, FortiGuard, Sensor) are added under Users & Endpoint Devices. Legend adds: • “What” – Endpoint Device Classification - IoT, OT, IoMT (11) • Role Based Segmentation (11)]
Network Access Control Reference Architecture
Endpoint Compliance

Endpoint Compliance Scans can be implemented through a permanent agent, dissolvable agent, or through directory-based scans (agentless).

Endpoint Compliance
• Agentless
• Dissolvable Agent
• Permanent Agent

Callout at Cloud Access: SaaS Services available to the remote workforce should be monitored and controlled in a manner consistent with cloud data and physical datacenters.

[Diagram: the Endpoint Compliance block above is added. Legend adds: • Endpoint Compliance (12)]
Network Access Control Reference Architecture
Onboarding Portal

BYOD, guest, and contractor onboarding services are hosted by FortiNAC through a network-based portal that works for wired, wireless, and VPN connections.

Onboarding Portal
• BYOD
• Guest / Contractor

[Diagram: the Onboarding Portal block above is added; the SaaS Services callout at Cloud Access remains. Legend adds: • Onboarding Portal (13) - Guest / Contractor]
Network Access Control Reference Architecture
Operations Center (NOC) (SOC)

Security Operations Centers rely on tools to analyze log data and monitor for anomalies / IOCs. These tools can automatically trigger incident response actions on the affected endpoint at the access layer switch or AP, reducing the overall risk level of the endpoint and ecosystem by stopping any lateral spreading of malware.

Operations Center (NOC) (SOC)
• Firewall
• SIEM
• IOC
• Threat Feed

[Diagram: the Operations Center block above is added. Legend adds: • Post-Connect Automated Quarantine (14)]
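The segment assignment from the Segmentation slide and the post-connect quarantine described on this slide, as an added Python example that is not part of the original deck or of FortiNAC: a small policy engine maps an endpoint's state to the deck's trusted and untrusted segments and re-evaluates it when a SOC tool reports an IOC. The Endpoint fields, the policy order, and the action record returned for the access-layer port are assumptions for illustration.

```python
# Added example (not from the original deck or FortiNAC): a minimal NAC
# segment-assignment engine using the trusted / untrusted segments the deck
# lists, plus the post-connect path where a SIEM / IOC feed pushes an
# endpoint into quarantine at its access-layer switch or AP port.
from dataclasses import dataclass, field

# Role to trusted segment mapping (hypothetical; roles come from
# identity & authorization or endpoint device classification).
ROLE_SEGMENT = {"corporate": "corporate", "guest": "guest", "iot": "iot"}


@dataclass
class Endpoint:
    mac: str
    registered: bool = False      # onboarded via agent, MDM, portal or profiling
    compliant: bool = True        # result of the last endpoint compliance scan
    disabled: bool = False        # administratively disabled
    role: str = "corporate"       # role from identity / device classification
    ioc_hits: list = field(default_factory=list)  # post-connect SOC findings


def assign_segment(ep: Endpoint) -> str:
    """Map an endpoint's state to one segment (hypothetical policy order).

    Untrusted checks run first so a disabled, rogue or infected device never
    lands in a trusted segment just because its role is known.
    """
    if ep.disabled:
        return "dead-end"        # isolated: no onboarding or remediation
    if not ep.registered:
        return "registration"    # rogue device: onboarding portal only
    if not ep.compliant or ep.ioc_hits:
        return "quarantine"      # remediation services only
    return ROLE_SEGMENT.get(ep.role, "registration")  # unknown role: re-onboard


def on_soc_alert(ep: Endpoint, ioc: str, port: str) -> dict:
    """Post-connect automated quarantine: record the IOC from the SIEM or
    threat feed, re-evaluate the endpoint and return the change to push to
    the access-layer port (a constructed action record, not a real API)."""
    before = assign_segment(ep)
    ep.ioc_hits.append(ioc)
    after = assign_segment(ep)
    return {"mac": ep.mac, "port": port, "from": before, "to": after,
            "changed": before != after}


if __name__ == "__main__":
    laptop = Endpoint("00:11:22:33:44:55", registered=True)  # constructed
    print(assign_segment(laptop))                            # corporate
    print(on_soc_alert(laptop, "beacon-to-known-c2", "sw1 Gi1/0/7"))
```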
Network Access Control Reference Architecture
Reporting

FortiNAC Reports are available through FortiAnalyzer.

Reporting
• Event Log Export
• FortiAnalyzer

[Diagram: complete reference architecture]
Sites: Remote Workforce, Branch Office(s), Cloud Access (VPN / SD-WAN), HQ / Primary DC, DR / Backup DC
Network Access Control (On Premise or Public Cloud), connected to the Network Infrastructure (Switch, Router, Access Point, Firewall) via SNMP, CLI, RADIUS, syslog, API
Internal Services: DHCP, Directory / LDAP, Email
Segmentation:
• Trusted
- Corporate / Guest
- IoT
• Untrusted
- Registration
- Quarantine
- Dead-End
Identity & Authorization: FortiAuthenticator/Token, X.509, LDAP, RADIUS, SAML, Multi-Factor Auth
Users & Endpoint Devices:
• Trusted Endpoints: MDM, CMDB, Agent
• IoT & OT Endpoints: IEEE, Fingerprint, FortiGuard, Sensor
Endpoint Compliance: Agentless, Dissolvable Agent, Permanent Agent
Onboarding Portal: BYOD, Guest / Contractor
Operations Center (NOC) (SOC): Firewall, SIEM, IOC, Threat Feed
Reporting: Event Log Export, FortiAnalyzer

Legend:
• Scalable Centralized Deployment
- On Premise (3) / Public Cloud (4)
• Network Infrastructure Visibility (5)
• Full Endpoint Visibility (6)
• Internal Services (7)
• Network Segmentation (8)
• “Who” – Identity & Authorization (9 & 10)
• “What” – Endpoint Device Classification
- IoT, OT, IoMT (11)
• Role Based Segmentation (11)
• Endpoint Compliance (12)
• Onboarding Portal (13)
- Guest / Contractor
• Post-Connect Automated Quarantine (14)
• Reporting (15)
