Network Access Control (NAC) is hot in enterprise environments. NAC offers an excellent mechanism to (safely) grant all kinds of devices network connectivity while you, as the network administrator, stay in control. There are numerous ways to allow iOS devices, BYOD and CYOD devices, and corporate laptops onto your network without exposing valuable corporate resources.
In my line of work I deal with several vendors / solutions to create these NAC-protected environments. The most popular at the moment are:
- Identity Services Engine (ISE) from Cisco
- Junos Pulse Access Control Service (formerly Unified Access Control, UAC) from Juniper
Both solutions have their pros and cons. Juniper has an excellent desktop client for connecting to the network securely, and an integration with their SRX firewalls to (dynamically) enforce firewall policies on a per-user basis. Cisco, on the other hand, has a more flexible way of creating access policies, and uses so-called downloadable Access Control Lists (dACLs).
is not as easy (or funny) as it might sound.
Last weekend we had a dinner celebrating my sister-in-law's 12.5 years of marriage. Our gift was a gazillion envelopes filled with:
- useless paper
- 10 euro bill
- .....
This way they had something to do when they came home from the dinner. The fourth option was supposed to be funny money: a scanned and severely altered euro bill.
The initial idea was to create a 12.5 euro bill, but that would take too much work, so I opted for a 55 euro bill (just clone the existing 5 on the 5 euro bill).
The last couple of years we've had two ISPs on premise. One (XS4ALL) for basic Internet access via VDSL, and one for our (VoIP) phone, provided by Ziggo.
The Ziggo phone service includes free (and ultra-light) Internet access through their cable modem. It's ultra-light, since it's only 256 kbps: more than enough for VoIP, but not nearly enough for modern basic Internet access.
Having these two ISPs means that I should be able to provide some redundancy in case my primary DSL connection fails (for whatever reason), preferably with an automated fail-over of some kind. Since neither ISP offers dynamic routing protocols (the Internet service is consumer-grade), I have to find a work-around.
When you have a registered Juniper UAC / IC (Infranet Controller) appliance, you have the option to download a VMware version of the system. This is called a DTE appliance (Development and Test Environment). With this you have a full-blown UAC at your disposal for testing and development. The only downside is that it's limited to 5 concurrent users. Apart from that, it's just like the real deal.
A while back I wrote a blog post about enabling global logging on security rules. This week I applied the same technique to enable ping on all zones for testing / troubleshooting purposes.
Instead of adding ping as a host-inbound-traffic system-service to every zone individually, which means a fair bit of configuring if you have more than a couple, you can solve this by adding just three lines of config to the firewall.
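As an added illustration of the technique the post refers to (this is an example written for this page, not the configuration from the original post; the group name `ping-all` is an arbitrary choice): Junos configuration groups accept the `<*>` wildcard as a zone name, so one group applied at the top level adds ping to every security zone, including zones created later, without touching the zones themselves.

```junos
## Added example, not the post's own config. Group name "ping-all" is assumed.
## Match every security zone with the <*> wildcard and allow ICMP echo on all of them.
set groups ping-all security zones security-zone <*> host-inbound-traffic system-services ping
## Activate the group at the top of the configuration so it is inherited everywhere.
set apply-groups ping-all
commit

## Verify what the zones actually inherit (inherited statements are normally hidden):
show configuration security zones | display inheritance

## Troubleshooting done? Remove the group in one step instead of editing each zone.
delete apply-groups ping-all
commit
```

Two caveats for a production box: this also opens ping on your untrust zone(s), so treat it as a troubleshooting measure and delete the `apply-groups` line when you are finished, and remember that a statement configured explicitly under a zone takes precedence over what it inherits from the group, so zones with their own `host-inbound-traffic` settings still need checking with `display inheritance`.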