
Research On Key Technologies Of VPN-enabled Network Access Control System

Posted on: 2011-04-15
Degree: Master
Type: Thesis
Country: China
Candidate: J X Zhang
Full Text: PDF
GTID: 2178360308452603
Subject: Computer application technology
Abstract/Summary:
Nowadays, wireless network access, mobile devices and VPN-based remote access are widely used in legacy enterprise intranets. Host machines that were once used only inside the intranet, protected by all kinds of security devices, now have more chances of being exposed to threats from an unprotected outside network. Attackers can thus infiltrate a host machine while its user is on the internet for mobile office work or for remote access to the intranet, and then use this controlled zombie computer to infiltrate the entire enterprise intranet. A network access control (NAC) system scans and evaluates the security protection level of every host machine connected to the intranet, admitting only well-protected hosts, which are less likely to be controlled zombie machines, and limiting the access of less safe hosts. In this way the potential threats from zombie machines are reduced. This is most useful for a VPN-enabled intranet, because all remote hosts reach it over the internet through a VPN connection, where security scanning and evaluation are most needed.

In this paper, we design and implement a NAC system aimed at VPN-enabled networks. The NAC system uses a three-layer protocol to evaluate host security posture; the layers are the posture attribute protocol, the posture broker protocol and the posture transport protocol. In this system, a host's security posture information is collected by multiple posture collectors, encapsulated into a posture broker message, and transported to the corresponding posture validators on the validation server for evaluation. The host's overall security posture is determined by considering every posture validator's result, and its access rights are then determined and managed by the validation server.
The posture validation server controls both kinds of host with the corresponding technology: for local hosts, the validation server directs a VMPS server to assign a dynamic VLAN to the host; for VPN dial-in hosts, the validation server dynamically configures the access control policy on the VPN server. In this paper we also put forward several suggestions on evaluation protocol design, and point out that the trust model and user privacy protection are two important concerns in NAC system implementation. To test the effectiveness of the NAC system's control and isolation mechanisms over local hosts and VPN hosts, we set up a simple VPN-enabled network environment. We prove that the NAC system designed in this paper can evaluate both local hosts and VPN hosts, and can restrict those hosts' network access through the corresponding methods.
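The collector / broker / validator flow and the two enforcement paths described above, as an added illustration that is not part of the thesis; the attribute formats, validator rules, VLAN ids and ACL names are assumptions chosen for the example:

```python
from dataclasses import dataclass, field

# Constructed model of the three-layer posture flow described above: collectors
# emit attributes, a broker message carries them to the validation server, each
# validator judges its attribute type, and the combined verdict picks an
# enforcement action. Names, attribute formats and policy values are assumed.

@dataclass
class PostureAttribute:
    collector: str  # posture collector that produced this attribute
    kind: str       # attribute type; routes the attribute to a validator
    value: dict

@dataclass
class PostureBrokerMessage:
    host_id: str
    host_type: str  # "local" or "vpn": decides the enforcement mechanism
    attributes: list = field(default_factory=list)

# Posture validators, one per attribute type, each returning a verdict.
def validate_antivirus(v):
    fresh = v.get("signature_age_days", 999) <= 7
    return "compliant" if v.get("enabled") and fresh else "noncompliant"

def validate_patch_level(v):
    return "compliant" if v.get("missing_critical", 1) == 0 else "noncompliant"

def validate_firewall(v):
    return "compliant" if v.get("enabled") else "noncompliant"

VALIDATORS = {"antivirus": validate_antivirus, "patch_level": validate_patch_level,
              "firewall": validate_firewall}
# Assumed enforcement policy: VLAN ids for local hosts, ACL names for VPN hosts.
VLAN_FOR = {"allow": 10, "restrict": 99}
VPN_ACL_FOR = {"allow": "vpn-full-access", "restrict": "vpn-remediation-only"}

def evaluate(msg):
    """Combine every validator's result into one overall access decision."""
    results = {a.kind: VALIDATORS[a.kind](a.value)
               for a in msg.attributes if a.kind in VALIDATORS}
    # Fail closed: every known attribute type must be present and compliant.
    complete = set(results) == set(VALIDATORS)
    ok = complete and all(r == "compliant" for r in results.values())
    return ("allow" if ok else "restrict"), results

def enforce(msg, decision):
    """Map the decision onto the control mechanism for this kind of host."""
    if msg.host_type == "local":
        return {"mechanism": "vmps_dynamic_vlan", "vlan": VLAN_FOR[decision]}
    return {"mechanism": "vpn_server_acl", "acl": VPN_ACL_FOR[decision]}
```

A host that omits an attribute type is restricted just like one that fails a check, which is the fail-closed behaviour a validation server should default to.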
Keywords/Search Tags: Network Access Control, VPN, Dynamic VLAN Assignment