Network Access Control Approaches

Transcription

1 Network Access Control Approaches Experiences Future Issues John Hayward Phd Wheaton College

2 No Access Control The good The Bradford and the ugly John Hayward Phd Wheaton College

3 Agenda Background Experiences o Blaster fall response o Network Registration Approaches to NAC o DHCP o Arp manipulation o Switch port manipulation Verifying Security Policies o Internal / External scans - Monitoring compliance o Quality of scan o Range of Policies Bradford Experiences o o Documentation, Support, Version, Wireless, etc Current and future issues o Virtualization, Non computer devices

4 Background Experiences - Fall 2003 Context Blaster just before Fall Term Aug 11 Sent notification to all students to get computer updated - MS had a patch available July 16 earlier Over 2000 computers owned and administered by students Registration system for students Students on different network than Employees Access to internet via IIS proxy server Flat network Results Good: o Employees unaffected o Students with patch could register (exceptions)

5 Background Experiences - Fall 2003 Results Bad : o Any unpatched computer in registration was nailed by the virus and became a carrier o Issue with proxy server or MS update server attacked with dos difficult to obtain update Ugly o So much traffic on our radio connections to some apartments they were effectively lost networking Response Student lab workers distributed CD with patch and removal tools Hand monitoring/shutdown ports which had malware Some students were not on network for 3 weeks

6 Background Experiences Design Goals (Spring) Require current patches Require Sophos Require Sophos Def current Require last scan current and no virus Allow Registration if requirements satisfied Registration machines should be isolated from each other Turn on Auto Updates Results - Good: Web registration site with security checks Shavlik command line check of patch levels bought by MS and available via MBSA Download bat to check - MBSA in command line, check sohpos status and return results

7 Background Experiences Results - Bad: MS unleashed SP2 Aug 6 - Blaster 2 Decided to require SP2 Problems with IIS proxy server or MS site Design linear - hard for users to follow Fall good security - rough user experience Fall 2005 redesign site After turning on updates One button CheckMe Results of success failure on same page Fall good security OK user experience Returning Great -Freshmen some challenges

8 Background Experiences Fall 2006 Fully implemented remote preregistration Fairly smooth Spring 2007 New Director of Computing Services Wanted professional support with lower internal resources to support home grown solution MBSA was taking longer - loosing command line facilities Vista was had come Many students had their own virus programs Read reports - seriously considered o Open source packet fence zero effort o Commercial Bradford Networks Bradford Selected - Experiences later in talk

9 NAC Approaches Getting Attention of User DHCP o Homegrown Network Registration o Clients use DHCP to get IP o Database keeps track of who is and is not registered - if not registered give IP and subnet for registration o After passing security Policy give production IP o What about hard coded IP??? Arp Manipulation o Packet Fence can use this o Server monitors apr announcements o If not registered poison arp to direct packets to server

10 NAC Approaches Getting Attention of User (cont) Port Vlan Switching o Bradford (and later Packet Fence) use this o Switch sends trap to server on linkup o Server asks switch for mac address o Server switches to correct vlan - if not registered then registration vlan o Server needs to know how to operate switch Inline server o Packet Fence can use this o Server acts a router to rest of network o Single point of failure? All approaches provide special DNS to achieve captive portal

11 NAC Approaches Verifying Security Policy Internal scanning o Registration Scans Bradford dissolvable agent home grown - batch file o Periodic scans - require software on client Bradford persistent agent - scheduled scans Patchlink - Bradford and homegrown External scans o Bradford can use nessus o Packet Fence can use snort o Can be independent of NAC

12 NAC Approaches Verifying Security Policy Scan quality o Light and quicker (Bradford) Check registry entires Check AV/AS def versions o Deeper (more intense) Homegrown Use MBSA Shavlik - use CAB/xml file to determine patches - check actual validity of patches Verify last AV scan had clean report Range of Security Policy Bradford 20+ AV, 20+AS Bradford individual registry keys Bradford check for software

13 NAC Bradord Experience Fall 2007 Preparation work started spring 2007 o All switches had to be adjusted for Bradford Traps programmed Self discovery help populate topology Orientation lab summer 2007 o Goal was to have network configure by end of lab o Problem we did not have network mapping finished before lab o Practiced examples on "practice lab" environment not our production network o Helped some but not effective as it could be

14 NAC Bradord Experience Fall 2007 Over 600 freshmen arriving Aug 2007 o Finally had networking mapped o Bradforized the dorm switches o Discovered scanning not working 1 week before bulk of freshmen arriving o Bradford support worked remotely - Networking staff put in lots of extra hours o Registration scanning issue resolved less than 30 minutes before Freshmen started to use network!

15 NAC Bradord Experince Scheduled scanning to require policy compliance o Put some machines in quarantine and then move them back to production o Some machines not being scanned o Quickly gave up on scheduled scans - no way to require compliance other than re-register! Discover High Availability fail over did not work Fall 2008 New 2.0.x client - support for more AV - transparent update Upgraded server 4.x shortly before fall Discovered transparent update did not work

16 NAC Bradord Experince Fall 2008 (cont) If more than 22 AV clients checked then old client reported inconsistent results - some passed without having required - others failed having all required - backed off on allowed AV Vista issues - eventually resolved 2009 AVG 8.0 definitions changed require upgrade to client AVG 8.5 definitions changed Bradford working on it ( ) Attempted upgrade client - proposed to be transparent failed Earlier fail over assumed both servers went down - seems to be resolved but db not synced

17 NAC Bradord Experience Support Now web interface - before phone call only Support people generally try to be helpful varying level of competency Support normally focus on configuration issues more complicated issues referred to engineers which you don't have direct access to Support thin during fall just before school starts Documentation Documentation looks nice Lacks conceptual model - says link goes to this page Lacks how to do x Rapid version changes - documentation not current Overloads terms - What is a scan? depends Command Line way out of date

18 NAC Bradord Experience Versions Large number of version started this fall we are at now upgrading to x Some required due to new mac addresses for non computer devices and new switches. Administration Organization of GUI non intuitive - Campus manager configuration in network topology. Requires more effort to support than home grown Up to x server only administrators could manually register problem machines - now operators can be granted that privilege. Massive number of number of alarms going off (apparently required to have an action associated with an event) - hard to see what is important

19 NAC Bradord Experince Broken Items Role based port mapping fails - work around Still don't have scanning working reliably Wireless Continuing issues with Meru wireless and Bradford related to registration -> production vlan switching - we tell users to reboot Support for other vendors hardware Supports an amazing number of switches Large number of AV/AS Many game controllers, other non computer IP devices - Need to keep versions current Trouble shooting Client cannot initiate scan - no information on client

20 NAC Future Issues Non Computer Nodes Existing facility to register devices by mac addr Only approved vendor mac prefix addresses allowed o Requires keeping server current version or o Requires manual entry of allowed mac prefix Some devices need generic USB Ethernet - These are not on vendor prefix list - how to know if device or computer?

21 NAC Future Issues Virtualization and Port Management vmware, xen, virtual box, virtual PC Networking - two approaches - Bridge - NAT Bridge - now multiple mac addresses from same port o New mac - port moved to registration - other VMs loose network access NAT - now possibly multiple OSs from same mac address o How do we know all VMs satisfy security policies? How to support Faculty with VMs who need to be on employee, student and lab vlans? Vlan switching needs to be on the node if at all.

22 Questions? Thank you!