Implementing. Security Technologies. NAP and NAC. The Complete Guide to Network Access Control. Daniel V. Hoffman. WILEY Wiley Publishing, Inc.

Transcription

1 Implementing NAP and NAC Security Technologies The Complete Guide to Network Access Control Daniel V. Hoffman m WILEY Wiley Publishing, Inc.

2 Contents Acknowledgments Introduction XIII XV Chapter 1 Chapter 2 Understanding Terms and Technologies Who Is the Trusted Computing Group? Is There a Cisco NAC Alliance Program? NAC-Certified Shipping Product Developing NAC Solutions Understanding Clientless and Client-Based NAC Clientless NAC Client-Based NAC Pre-Admission NAC Post-Admission NAC Summary The Technical Components of NAC Solutions Analyzing the Security Posture What to Analyze? Does Your Company Have the "Strength"? Patch Analysis Best Practices How the Analysis Takes Place Utilizing APIs for Analysis Monitoring Processes Monitoring for Unwanted Processes and Applications Setting Policy for Device Analysis The Need for Different Analysis Policies Communicating the Security Posture of the Device Communicating with NAC/NAP-Specific Software Components VII

3 viii Contents Communicating the Security Posture to Third-Party Applications 38 Communicating with Network Devices 40 Cisco Trust Agent 43 Understanding TCG IF-TNCCS and Microsoft IF-TNCCS-SOH 45 Taking Action Based on the Security Posture 47 Mobile NAC Action 47 LAN-Based NAC Actions 49 Remediating the Security Deficiency 50 Remediation Actions 50 The Reporting Mechanism 53 Knowing the Current State of Devices 53 Helping with Audits and Compliance Standards 56 Reports Help Find the Problem 58 Summary 59 Chapter 3 What Are You Trying to Protect? 61 LAN-Based NAC 62 Sedentary Desktop 62 Laptops Used on and off the LAN 63 Mobile-Only Laptops 64 Employee-Owned Home Computers 64 Unknown Devices 67 PDAs and Other Devices 69 Mobile NAC 69 Dangers of Mobility 70 Sedentary Desktop 70 Laptops Used on and off the LAN 70 Mobile-Only Laptops 72 Employee-Owned Home Computers 73 Pros 74 Cons 74 Unknown Devices 74 PDAs and Other Devices 74 Summary 75 Chapter 4 Understanding the Need for LAN-Based NAC/NAP 77 The Security Reasons for LAN-Based NAC 78 Unintentional LAN-Based Threats 79 The Pros and Cons of a Guest Network 80 Pro 81 Con 82 The Pros and Cons of Assessing Each Device 82 Pro 82 Con 83

4 Contents ix Real-World Example of an Unintentional Threat 83 Infecting by Transferring Files 86 How Files Really Get Transferred 89 Infecting via Worms 91 System Changes 98 Registry 99 Does LAN-Based NAC Protect against Infection? 101 Intentional LAN-Based Threats 103 Exploitation by Authorized Access and Malicious Use 105 Exploitation by Authorized Physical Access and Unauthorized LAN Access 110 Exploitation with Unauthorized Physical Access and Unauthorized LAN Access 112 Exploitation from Unauthorized Wireless and Remote Access Connectivity to the LAN 124 Does LAN-Based NAC Protect against Intentional Threats? 124 Summary 125 Chapter 5 Understanding the Need for Mobile NAC 127 What's the Primary Need? 127 Why Companies Look to Mobile NAC 129 Mobile NAC and Compliance Regulations 130 Mobile NAC and Direct Attacks 132 Exploiting Laptops with Direct Attacks 132 View a Web Page for Two Seconds and Get Hacked! 133 Protecting against AP Phishing and Evil Twin 140 Using Mobile NAC to Protect against Attacks 143 Why Proxy Settings Don't Offer Robust Security 146 Mobile NAC and the Wireless Threat 148 Public Wi-Fi Hotspot Risks 149 The Risky Home Office 153 Wireless Attacks When There's No Wireless Network 158 Mobile NAC and the Mal wäre Threat 162 How Old Should Antivirus Definitions Be? 163 Adware Isn't Your Biggest Problem 163 Encryption Isn't All You Need to Protect Data 164 Summary 165 Chapter 6 Understanding Cisco Clean Access 167 Deployment Scenarios and Topologies 168 Cisco Clean Access 168 The Cisco NAC Guest Server 170 The Technical Components of Cisco Clean Access 171 Analyzing the Security Posture of a Device 172 Setting Policy for Device Analysis 173 Communicating the Security Posture of the Device 176

5 x Contents Chapter 7 Taking Action Based on the Security Posture 176 Remediating the Security Deficiency 178 The Reporting Mechanism 180 The Cisco NAC Profiler 183 The Purpose of Cisco Clean Access 184 Unauthorized Users 185 Authorized Users with Deficient Security Postures 185 Mobile Users 185 Summary 186 Understanding Cisco Network Admission Control Framework 189 Deployment Scenarios and Topologies 190 Network Admission Control Framework 190 The Technical Components of the Cisco NAC Framework 191 Analyzing the Security Posture of a Device 192 Setting Policy for Device Analysis 194 Communicating the Security Posture of the Device 195 Taking Action Based on the Security Posture 198 Remediating the Security Deficiency 199 The Reporting Mechanism 200 The Purpose of Cisco NAC 202 Unauthorized Users 202 Authorized Users with Deficient Security Postures 202 Mobile Users 203 Summary 203 Chapter 8 Understanding Fiberlink Mobile NAC 205 Deployment Scenarios and Topologies 205 Fiberlink Mobile NAC Components 206 The Technical Components of Fiberlink Mobile NAC 206 Analyzing the Security Posture of a Device 207 Setting Policy for Device Analysis 208 Communicating the Security Posture of the Device 210 Taking Action Based on the Security Posture 213 Remediating the Security Deficiency 216 The Reporting Mechanism 218 The Purpose of Fiberlink Mobile NAC 222 Unauthorized Users 222 Authorized Users with Deficient Security Postures 223 Mobile Users 223 Summary 224 Chapter 9 Understanding Microsoft NAP Solutions 225 Deployment Scenarios and Topologies 226 Network Access Quarantine Control 227 Microsoft 802.1x 231 NAP 232

6 Contents The Technical Components of Microsoft NAP 234 Analyzing the Security Posture of a Device 234 Setting Policy for Device Analysis 236 Connection Request Policies 237 Health Policies 237 Network Access Protection Policies 237 Network Policies 239 Communicating the Security Posture of the Device 240 Taking Action Based on the Security Posture 243 Remediating the Security Deficiency 245 The Reporting Mechanism 246 The Purpose of Microsoft NAP 246 Unauthorized Users 247 Authorized Users with Deficient Security Postures 247 Mobile Users 248 Summary 248 Chapter 10 Understanding NAC and NAP in Other Products 251 NAC-Like Functionality in Non-NAC Technologies 251 NAC Functionality in IPSec VPN 252 NAC Functionality in SSL VPN 253 NAC and NAP Solutions from Other Vendors 255 What to Look for in a NAC /NAP Solution 255 Other NAC /NAP Vendors 256 Summary 257 Appendix A Case Studies and Additional Information 259 Cisco Clean Access 259 McAfee NAC 259 Bradford Networks 259 Juniper Uniform Access Control 260 Bibliography 260 Index 261