Start Here: openNAC Overview

Welcome to openNAC documentation

1. What is openNAC?

openNAC is a network access control platform for LAN/WAN environments that allows corporations to authenticate, authorize and audit all access based on a set of rules or policies.

OpenNAC is a software solution that Increases network security by giving organization 100% visibility and control of assets (devices + identities) connected to the network (Cable, Wi-Fi & VPN).

OpenNAC Enterprise is the only EU vendor to be mentioned in Gartner`s two previous NAC (Network Access Control) Market Guides and the only Modular Approach solution.

• With the all or nothing approach most organizations cannot buy a full solution only to use 20%
• Invest ONLY in the modules that respond to your needs today.
• Gain quick wins and reduce financial and operation risk by reducing the scope of each phase

openNAC Key Benefits

openNAC Enterprise helps organizations gain up to 60%+ more visibility and full control of their assets to mitigate the impact of IoT, business disruption attacks & auditing pressure.

So the main benefits for our customer are mainly:

Visibility, A software solution that Increases network security by giving organization 100% visibility

Control of assets (devices + identities) connected to the network

Modularity, Use your security depend on your needs (si considerais incluir de nuevo la rueda de modulos aquí)

Efficient:

o Unique Solution

o centralized management

o visibility automation

o policy application

openNAC Key Functionalities

The main functionalities of openNAC are the following:

Authentication:	It allows checking the identity of the entities (users and/or devices) that access the corporate network. The identity can be validated against several repositories of information (eg Active Directory), through digital certificate, or MAC address, among others
Authorization:	It offers the possibility to assign specific privileges to each entity that connects to the corporate network, for example assigning a certain VLAN
Audit:	It allows collecting, grouping and evaluating access events or attempts to access the corporate network and thus have a history of the activity on the network
Inventory:	The solution has a configuration management database (CMDB) that gathers the details of each identity that connects to the network
Profiling:	It provides the ability to establish and check a profile of a specific state for an identity, which can also be determined to be obligatory to access the network. For example, a particular version of an operating system, a particular level of update, antivirus presence, or similar might be required.
Posturing:	It allows to evaluate in real time the behaviour of each of the devices connected to the network and to determine if that behaviour is within the expected parameters, taking corrective measures otherwise.
Remediation:	Linked to the previous point, this functionality offers the possibility of executing the necessary actions to remediate, or at least minimize, the detected threat. Examples of remediation may be to isolate the compromised entity from the corporate network.
Double Authentication Factor (2FA):	This functionality is specially designed to complement access control through VPNs with a second factor of authentication. The technology that supports this second factor of authentication can be Mobile Connect or Google Authenticator among others.
Native Agent:	Installed in the device (Windows / Linux / Mac) allows to extract information from the connected entity in a more agile way and respond more quickly to detected anomalies and threats.
Integration with SIEM:	It allows to integrate openNAC with a third-party SIEM, and to send and concentrate the NAC logs with the rest of corporate information systems.
Orchestration Security:	It allows to use openNAC as a security orchestration element, thanks to the communication with other security elements in the network (next generation firewalls, antivirus, IDS probes, MDM, …). These integrations are bidirectional, ie, on the one hand, openNAC can supplement its CMDB with information received from third parties and thus take more informed decisions. On the other hand, openNAC can provide information to those same third parties so that they can make decisions based on more complete information.
Sensor:	This module allows to complement the vision of the behaviour of the entities through the inspection and classification of the network traffic arriving at the application level (layer 7). It also allows visibility over network segments that are not managed by the NAC.

2. openNAC Scenario

openNAC is a suitable solution for large corporations with the need to limit access to network resources according to devices and user’s identity. The network infrastructure can be wired or wireless, and the network devices (switches and access points) may support 802.1x protocol, but it is not mandatory.

The basic components of the network are:

• openNAC Core
• openNAC Analytics
• openNAC Sensor
• Radius Server
• DNS Server
• DHCP Server

• Network devices:

  • Switches and Access Points, VPNs

• User devices: PCs, Laptops, Smartphone, voIP Phones, Printers, Tablets and others

In case the corporate network has no Radius Server, DNS Server, or DHCP Server, openNAC itself can provide them.

In addition, a directory server can be added to authenticate users.

The graphic above depicts a typical architecture, where openNAC establishes three subnets to provide a secure access to resources:

1. Registry VLAN: openNAC assigns the new network users to the Registry VLAN so that they can register from there

2. Quarantine VLAN: User devices that don’t comply with the policies configured in openNAC are allocated to the Quarantine VLAN, until they are updated in order to comply with the policies.

3. Service VLAN: The Service VLAN is the network that provides corporate resources to the user device. There may be one or more service VLANs depending on the number of the user devices and on the access rights to these resources.

Note

openNAC assigns user devices to the different service VLANs based on policy compliance defined by the administrator, you can go to the Sample LAB Chapter to deeply understand this common scenario.

3. Choose Your Use Case

One of the most important steps in the process of selecting a security tool, or any kind of business tool for that matter, is the understanding and definition of the use cases that the tool should cover.

Examples of use cases covered by openNAC are described in openNAC Design Chapter Use cases. Needless to say, this is a non-exhaustive high-level description list of common use cases. When defining your own Use Cases there are a few questions you should be asking yourself, like for example:

• Currently, do I have visibility over users and devices accessing my network? How?

• What connection methods do I offer my users? (WiFi, Cable, VPN?)

• Are users authenticated when accessing my network?

• Are there external/guest users in my network?

• What type of devices are accessing my network?

  • Only corporate devices or also external non-managed devices?
  • How do I define a corporate device?
  • What is my BYOD policy?
  • What about IoT devices?

• Is my network segmented? If so, is the segmentation dynamic and efficient? What happens when a user changes location? Do I need to manually reconfigure the network?

• What other security solutions do I have in place? Are they working in a collaborative and orchestrated manner?

At Opencloud Factory, we would love to hear your answers and any other questions you may have and help you to evaluate how a network access control solution could enhance visibility, control and security of your network.

4. Design openNAC Deployment

4.1. Understand the Network Architecture

In order to provide Network access control services, frist at all we have to consider openNAC as a flexible technology, being able to adapt to your current network design, topology and communications vendor. Depending on the Network Access services that are required to be provided, Layer2, Layer3 and Layer4 Network requirements must be cleary understood and considered.

In order to understand how openNAC is flexible and very adaptive to you current network infrastructure, please:

Note

Please review the following section regarding Network Requirements.

• As soon as you have a clear network Knownedge/Design:

  • Layer 2 Requirements:

    Ensure that VLANs avaible and deployed to be used by the solution.

  • Layer 3 Requirements:

    Ensure that IP connectivity between openNAC Nodes, Roles (Core, Sensor, Analytics), communication devices (Switches, AP, Printers, Video conference, IOT….) and if requirered End users (Captive Portal).

  • Layer 4 Requirements:

    Ensure that not Firewall or Next Generation Firewall is filtering TCP/UDP network traffic.

4.2. openNAC Infrastructure Sizing

As every Network Access control providers, infrastructure must be sized properly in order to feet at least the minimal requirements, openNAC Core, openNAC Analytics and openNAC Sensor, all different roles have different hardware sizing requirements. Next you can find the sections created to understand hardware requirements:

• Go to openNAC Core Harware Sizing section
• Go to openNAC Sensor Hardware Sizing section
• Go to openNAC Analytics Hardware Sizing section

In order to define the scope, understand customer requirements and which use cases fits better we have create a bundle of questions to be used at the beginning of new projects:

Note

Project Qualification is a key factor to be understood in order to carry out and success network Access control solution at Enterprise Networks. Project Qualification is a document that consolidates all deployment customer requirements. Grouping by general requirements and by each openNAC Use Case.

5. openNAC Technical Key Features

• Authentication based on 802.1x Suplicant, UserName/Password, Computer, Certificates,Users, MAB, Captive Portal, Web Service, 2FA Supports (Gauth, MConnect..others)
• Authentication backend based on LDAP, Active Directory, BBDD, and others.
• Strong and Flexible Network Access solution without Agent dependency.
• Easy Policy Engine to improve Security Operation, time, users, groups, devices, tags, network devices, type of authentication and others can be used.
• Actions: VLAN Dynamic assigment, Layer2,Layer3 and Layer 4 Access-Lists, Plugins support, Custom paramenters allowed and status and assets tagging.
• Policy grouping throught Business Profiles.
• Flexible supporting any type of devices such as PCs, Laptos, SmartPhones, Tablets, voIP Phones, IOT, Videconferecen Systems, Applications…
• Flexible Proxy Radius capabilities included.
• Guest Access Network solution based on sponsorization and flexible workflow.
• Includes Multi-Platform openNAC Agent, this includes plugins that provide additional capabilities.
• Network Devices vendor agnostic.
• Based on a dynamic CMDB Attributes and Tags
• Powerful Assets Discovery and automatic clasification
• Health and Security Posturing Services.
• Thread Detection capabilities throught Denylisted sources.
• Events Geolocation Support
• Support to detect rogue devices using 802.1x or SNMP traps
• Bulk configuration of network devices using module onNetConf
• Bulk backup of configuration of network devices using module onNetBackup
• Detection of os, antivirus, firewall and os updates of devices conected to enforce an access policy
• In bound and out bound advanced network visibily based on protocol decodification.
• API Rest system that improve ecosystem integretabilty
• Thrid Party Integration support, NGFW, AV, Patching using push and pull methods.
• SIEM Integration supporting Syslog, CEF, LEEF and JSON output messages.
• Administration portal is compatible for any Device and Browser.