Enterasys Network Access Control

Transcription

1 There is nothing more important than our customers Enterasys Network Access Control ČIMIB konference 11.2 Praha

2 What is NAC? A User focused technology that: - Authorizes a user or device (PC, Phone, Printer) and - Permits access to resources based on identity authentication of the user (and/or device) as well as based on the security posture of the device along with location and time - The parameters are set in the so called Pre-Connect Assessment (aka Health Check), i.e. before connecting to the infrastructure - However, during normal operation, regular checks should be conducted as part of the Post-Connect Assessment 2

3 NAC Why care? Network usage Who is using the network infrastructure? Are these users authorized? Does access correspond to organizational role? Workstation security Does system have up-to-date OS patches? Does every system conform to corporate security standards? Guest users Does a guest system contain threats? Can I limit access for guest users? Non-workstation end systems Corporate & regulatory compliance Is this device what it claims to be? Can I assess its security posture? Can I locate rogue access points, hijacked print servers etc? Can I enforce these regulations prior to granting network access? Do I have reporting and auditing tools to verify compliance? 3

4 NAC continuous business protection Ensures health and compliance prior to allowing network access - Agent and network based assessment Provides appropriate access (to assets and QoS) based on organizational role - Policy or VLAN assignment options Supports guest access, sponsored access and end system / user tracking - Track user name, IP, MAC, location, etc. Ensures continuing health and compliance after connection - Continuous monitoring with IDS, NBAD, SIEM Automatically contains detected threats 4

5 NAC Business Drivers/Trends A Leading sales door opener, Big Hype! Drivers: Compelling! Compliance Security/risk mitigation Guest access Trends: Confusion! 1.Trusted Network Computing/Trusted Network Group (TNC/TNG) 2.Cisco Network Admissions Control (C-NAC) 3.Microsoft Network Access Protection (MS-NAP) 4.IETF-NEA (International Engineering Task Force Network Endpoint Assessment 5

6 Policy Enforcement Options Switch-based (with true Out-of-Band Appliance): the best solution for NAC in a LAN is implementation of access switches that support 802.1x authentication and policies Inline-Appliance: Achieve a faster implementation of a NAC solution; often a transition solution to a switch based NAC solution. The access switches can continue to be used; in very heterogeneous environments which might contain older switches this a very good solution Out-of-band Appliance: This method initially Policy Assignment 6. appears to be very attractive but it has its difficulties, User Client System particularly in the following areas: - Recognition of new end systems - Reconfiguration of access switches in assessment and quarantine - Granularity in assessment and quarantine - Scalability Software-based: Enforcement at the agent level permits very precise control in quarantine cases. These solutions can easily be combined with network based solutions DHCP, IPSec based Access 3. Policy Role Creation 1. VLAN Creation (3rd Party) 1.1 New security layer in the core Userland Access Device Network Infrastructure Scan/Authentication Request 4. Kernel NetSight Policy Manager /NAC Manager NAC Gateway Configuration 2. Syscall Table 1) sys_open() 2)... NAC Gateway RADIUS (Proxy RADIUS 3)... Server / Directory, out of band) 4)... 5)... Threat Assessment 6) )... 8)... 9)... 10)... 11)... 12)... 13)... 14)... 15)... 6

7 NAC take End System Diversity into account Legend Production Systems RFID Inventory Security Video Building Control Multi-Modal Devices IP Phones Office Productivity Conferencing Server PC Desktop Laptop

8 Example 802.1X Enterprise user VoIP phone I need to access our assets Let s put it into a different VLAN Mh, it doesn t speak 802.1x Uh-oh! How do we destinguish Mh, what to do about them? all those different devices? Important assets Enterprise user 1X, MAC, WEB PEP Policy Enforcement Point Free for all (Internet) Guest user? Enterprise devices (printers, cameras...) May I use your Hey, we both Uhm, Internet don t know what I what? connection? am, but people want to talk to me.. RADIUS ADS 8

9 Example Solution We implement - Multi-user authentication (allows multiple devices per port) - Multi-method authentication (Web, MAC, 802.1x, Kerberos snooping..) - Port based policies - Role based policies PEP Policy Enforcement Point 1X, MAC, WEB We get... - Vendor independency - Client capability independency - Precise communication restrictions (guest and enterprise use) - Preserve device mobility where needed - Central management - Device/User inventory data VoIP Phone? Guest User Enterprise Devices (printer, cameras...) 9

10 The Solution - NAC Enterasys NAC solutions will fit the following topologies: - LAN - WLAN - VPN - Remote Branch Enterasys focus is on pre-connect and post-connect NAC solutions - Switch based - Inline Appliance based NAC Controller - True out-of-band Appliance based NAC Gateway Enterasys will leverage standards and provide open API s whereever possible, whenever necessary Enterasys Provides Choice 2008 Enterasys Networks, 10 Inc.

11 The Solution How We Position Ourselves HEALTH CHECK Directory PEP and PDP Policy Enforcement Point Policy Decision Point XML_API LDAP 802.1X 1X, MAC, WEB Enterasys NAC Controller Enterasys NAC Gateway MS-NPS MS AGENT Location XML API Policy provisioning and assignment EAP-PEAP [TNCCS-SOH] EAP-TLS 802.1X Enterasys AGENT IF-MAP RADIUS Kerberos SIEM Asset Management 2008 Enterasys Networks, 11 Inc.

12 NAC/VOIP Integration via SOA The solution developed by Siemens Enterprise Communications and Enterasys is an important component to protect real-time applications, like voice and video, over a converged IT infrastructures. Features supported: Automatic Inventory Reduces risk of operation of non-compliant end-devices with invalid configuration or software release. Automatic Adaptation Location-based configuration of end-devices and usage of special functionalities (e.g. configuration of speed dial button) IP Phone monitoring Detecting non-compliant and compromised end-devices Automatic fault-alerting & error-correction Automatic generated fault information and notification for fast and effective error-correction Automatic authorization Warranty of secure, reliable and high-quality operation of real-time applications through automatically assigned QoS-parameter and security mechanism Finally the use of this solution provides the following value add: Reduces administrative effort and costs Increases protection and reliability of real-time applications Minimizes the risk of attacks and the probability of outage Increases compliance to enterprise s security policies 12

13 Enterasys NAC / Siemens HiPath Database with physical infrastructure / cabling - wall-socket - Building - Room wired LAN NAC Manager Enterasys NAC Appliance Event-based synchronization of databases via API: IP phone, phone number, switch, switch-port, building, room Siemens HiPath DLS HiPath Platform Phone number Phone IP Address Phone MAC Address Switch IP Address Switchname Switchport Building Room Wall jacket Phone Software Phone Configuration xx-xy-yy-yz-zz-az Access fe.0.15 B. A aa-bb-cc-dd-ee-ff Access fe.1.8 B. B ab-cd-ef-gh-ij-kl Access fe.2.21 B. A

14 NAC Controllers Wired LAN Inline NAC Appliance Enterprise Network Provides Network Access Control in any 3 rd party environment - No replacement of existing infrastructure required - Not dependent on 3 rd party switch capabilities Wireless LAN Wireless Switch Inline NAC Appliance Remote Access (VPN) Enterprise Network Implements NAC for any access method - Wired LAN switch deployments Within layer 2 domain Across layer 3 boundary - Wireless - VPN (e.g. IPSec, SSL) Pre and post assessment capabilities in a single appliance with dragon integration Enterprise Network VPN Concentrator Inline NAC Appliance

15 NAC in Any Environment Hybrid deployment - Best of both models for mixed environments - Single, integrated solution seamless management from single system Non-intelligent Wireless Enterprise Network NAC Gateway Core NAC Manager NAC Controller Distribution VPN Non-intelligent edge switches Shared Access LAN Enterasys Policy capable switch RFC3580 capable switch RFC3580 capable Wireless Access Point Edge 2008 Enterasys Networks, 15 Inc.

16 Multi-user user Authentication and Policy Up to 2000 user per system Different authentication methods (in random combination per port/user) x, PWA (Web), MAC authentication, Radius, Kerberos, Default Role... Single physical interface SMAC = Anita SMAC = Bob 802.1X Login PWA Login Port X MUA&P Logic 802.1X PWA Policy Credit 802.1X Credentials Policy Sales PWA Credentials Dynamic Admin Rule Dynamic Admin Rule Filter ID Credit Filter ID Policy Sales RADIUS Authority SMAC = Ted Any Traffic MAC Policy Engineering Dynamic Admin Rule Filter ID Policy Engineering DFE NAC Controller MAC Credentials 16

17 Roles, Services, Rules Network Administrator Office Non-Office Guest Allow HTTP Allow DNS Allow DHCP Deny ALL Authorization roles & rules Administrative Protocols Acceptable Use Legacy Protocols Deny Faculty Server Farm Internet Only Deny IP Range Drop DecNet Drop IPX Drop Apple Deny IPX Deny Apple Deny OSPF Deny RIP Deny DHCP Reply Deny TFTP Deny Telnet Deny SNMP

18 Guest Access Solution with sponsoring - End-User Authentication End user must enter a valid username and password to successfully register a device Guest Sponsor Username/password validated against a backend LDAP server (e.g. MS Active Directory, OpenLDAP, etc.) - Sponsored Registration 1X, MAC, WEB NAC Controller NAC Gateway functions End user must be in the presence of a trusted employee (i.e. sponsor) to successfully register a device IT Admin Sponsor username/password validated against backend LDAP server, OR sponsor accounts configured in NAC manager - MAC Reg Web Admin Interface Supports bounded visibility and control into MAC Reg system - View, edit, add, delete registered end systems - Useful for HelpDesk access into system without mandating HelpDesk access to NAC manager Sponsor Web Admin Interface is supported so sponsors can view, edit, delete, add their end systems

19 How it works pre-connect Non-compliant asset on the network Enterasys NAC Manager Role = quarantine 3 rd party switch like Cisco Catalyst (if RFC compliant ) VLAN = quarantine Pre-connect NAC functions 1 Detect 2 Authenticate 3 Assess 4 Authorize 5 Remediate NAC gateway (out-of-band appliance) or ENAC controller (used in out-of band) User laptop Enterasys Matrix /SecureStack switch Role = quarantine Compliance check 3 2 Role = quarantine 5 Assessment server (optionally included in NAC gateway with ITA ) Authentication server 19

20 Summary NAC is still a volatile technology. Pick wisely a open and scaleability architecture Define all of your requirements before you select the solution Insist on open API s for efficient IT workflow integration NAC is about technology but also about organization Enterasys can offer you a solid, scableable and open architecture to adress all of these items 20

21 Thank you