There are many visitors and employees holding meetings in the meeting rooms in your company. Oftentimes, they need to plug their laptops to the Ethernet ports in the meeting room or connect to the wireless access points to get access to the internet for business purpose. You are evaluating the Network Access Protection (NAP) solutions. Which of the following is the least feasible?
A. Maintain a white list for MAC filtering
B. Implement 802.1X or EAP over LAN
C. Enable DHCP snooping
D. Use VLAN to isolate traffic
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Maintain a white list for MAC filtering.
Network Access Protection (NAP)
This question treats NAP and NAC equivalent. It defines Network Access Protection (NAP) in a more generic way as “a mechanism to control clients access to the network to protect assets and comply with the security policies.”
Protection of resources against unauthorized access; a process by which use of resources is regulated according to a security policy and is permitted by only authorized system entities according to that policy. [RFC2828]
NAP and NAC
The following are the definitions of NAP and NAC defined by Wikipedia and the NIST respectively:
- Network Access Protection (NAP) is a Microsoft technology for controlling network access of a computer, based on its health. (Wikipedia)
- Network Access Control (NAC) is a feature provided by some firewalls that allows access based on a user’s credentials and the results of health checks performed on the telework client device. (NIST)
All The Four Options are Feasible
- “Maintain a white list for MAC filtering” is common for small business. There are some downsides, for example:
- It’s quite cumbersome to add MACs on demand.
- The MAC can be forged.
- It’s not scalable enough.
- “Implement 802.1X or EAP over LAN” enables authentication. The clients can connect to the network after logging in with credentials from the directory. Guests can apply for a temporary account through self-service if implemented. It’s not uncommon for the guests to share a guest account, even though it’s not a good practice.
- “Enable DHCP snooping” prevents malicious or intentional clients from installing rogue DHCP servers.
- “Use VLAN to isolate traffic” separates the traffic of the meeting rooms from the intranet.
The Least Feasible
“Enable DHCP snooping” and “Use VLAN to isolate traffic” are common and almost required.
Both EAP over LAN (802.1X) and “Maintain a white list for MAC filtering” are about authentication. The former can authenticate users and devices, while the latter is limited to the devices only. EAP over LAN (802.1X) is more feasible than”Maintain a white list for MAC filtering” in terms of:
- Administration overhead
- Security vulnerability
However, cost/benefit can not be compared in this question because of insufficient information.