The healthcare industry faces security challenges for any number of reasons: the vast amount of personal and medical data it holds (and its high value on the black market); the number of third-party partners that interact with each other; and the increasing number of medical devices that are now connected to the internet – and connecting to the network from all over the world. BYOD is a growing concern in healthcare, too.
However, the healthcare industry is lagging in network scans. Deploying NAC solutions in healthcare could improve overall security, and it could also help keep healthcare providers in compliance with HIPAA regulations. Medical personnel must have access to patient information quickly and easily, as it could be critical in a life-or-death situation. But while patient information needs to be immediately accessible to medical personnel, employees who do not need access should be restricted. That’s where NAC could help with regulatory compliance.
How to set up network access control
IT teams should have a good understanding of their corporate user and device access and compliance policy. For example, do they want to deploy an agent on every laptop or desktop in the network for compliance checks? Do they want NAC just to alert and report, or actively enforce policies?
Typically, NAC is a control plane solution and can be deployed anywhere in the network, explained Anand. “In most cases, it is deployed in the data center or close to the Active Directory or other identity source that is being used in the network,” he said. “In the most basic use case, NAC will intercept DHCP requests from devices connecting to the network to profile the users and devices, and authenticate them against the identity source.”
In addition, depending on the use case, NAC may require access to switches for enforcement via 802.1X or SNMP.
If enforcement is important, users should choose between 802.1X and SNMP as a means to configure the switch ports for policy enforcement, Anand added. While 802.1X is the secure approach, many of the older switches either don’t support this mechanism or don’t have it configured. In such cases, they can use SNMP.
In its NAC Framework Configuration Guide, Cisco shows that there are many details, nuances, and configuration parameters that need to be set. A very high-level overview of setting up a NAC framework includes:
- Install the NAC server and configure all wireless access points and switches to use the NAC server for authentication.
- Define basic profiling and authentication rules on the NAC server. This determines which resources certain users and devices have access to.
- Define inspection and compliance policies. These dictate the security posture checks.
- Test and fine-tune your rules and policies.
- Define alerts and reports, such that failed authentications are logged and sent to your security team for analysis. Weekly reports are useful to see trending data.
- Go live. After you are confident that your rules, policies, and alerts are all functioning as intended, roll out the NAC solution for a subset of your users (e.g., a certain department or branch office location). This “canary” group will validate your newly deployed NAC solution before broader rollout.
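To make the steps above concrete, here is an added illustration (not from Cisco’s guide or the article): a toy Python policy engine that models the authentication rules (step 2), the posture checks (step 3), the failed-authentication log (step 5) and a canary department that is the only one actively enforced (step 6). The user database, department-to-VLAN mapping and posture attributes are constructed sample data, not a real identity source or NAC API.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed identity source: user -> department group (None = not in directory)
USER_DB = {"dr.lee": "clinical", "j.ortiz": "billing", "contractor1": None}
# Constructed authentication rules: department -> resource (modelled as a VLAN)
GROUP_ACCESS = {"clinical": "vlan-ehr", "billing": "vlan-finance"}
# Canary rollout: posture policy is actively enforced only for these departments;
# everyone else stays in alert-and-report mode until the rules are proven.
CANARY_DEPTS = {"billing"}
FAILED_AUTH_LOG: List[str] = []  # what step 5 would ship to the security team

@dataclass
class Device:
    user: str
    mac: str
    agent_installed: bool
    os_patched: bool
    disk_encrypted: bool

@dataclass
class Decision:
    action: str                # "permit", "quarantine" or "alert-only"
    vlan: Optional[str]
    reasons: List[str] = field(default_factory=list)

def posture_failures(dev: Device) -> List[str]:
    """Compliance policy (step 3): names of the checks this device fails."""
    checks = {"agent missing": dev.agent_installed,
              "os unpatched": dev.os_patched,
              "disk unencrypted": dev.disk_encrypted}
    return [name for name, ok in checks.items() if not ok]

def evaluate(dev: Device) -> Decision:
    """Profile and authenticate (step 2), then apply posture policy (step 3)."""
    dept = USER_DB.get(dev.user)
    if dept is None:
        # Authentication failure: no group grants access, so the device lands
        # on the guest VLAN in either mode, and the event is logged for review.
        FAILED_AUTH_LOG.append(f"auth-fail user={dev.user} mac={dev.mac}")
        return Decision("quarantine", "vlan-guest", ["unknown identity"])
    failures = posture_failures(dev)
    if not failures:
        return Decision("permit", GROUP_ACCESS[dept])
    if dept in CANARY_DEPTS:
        return Decision("quarantine", "vlan-remediation", failures)
    # Outside the canary group: grant normal access but record the finding.
    return Decision("alert-only", GROUP_ACCESS[dept], failures)
```

Running the same non-compliant device as a billing user and as a clinical user shows the difference between the enforced canary group and alert-only mode.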
The VirtualArmour team broke down the basic functions of network access control this way:
- The NAC server: this is the link between your user database and your enforcement points, and it ties them together with security policies.
- The enforcement points: your network devices, such as routers, switches, firewalls, SSL VPN gateways, and wireless access points. These devices ultimately allow or don’t allow a user to access your network.
- The user database: this contains a list of all your authorized users and the various groups they belong to (often grouped by company department). This can be your Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) server. It could also be a cloud/SaaS-based single sign-on (SSO) solution, such as Okta or Ping, which is responsible for identity management (IdM) for your environment.