Klaudia Bakšová System Engineer Cisco Systems Cisco Clean Access
Agenda 1. Securing Complexity 2. NAC Appliance Product Overview and In-Depth 3. NAC Appliance Technical Benefits
The Challenge of Securing Complexity
This is a story about network security. Specifically, how you can have security without compromising productivity. More to the point, your company may already be bristling with network defenses, but you still have one glaring vulnerability: your network users.
The Business Case for NAC
Drivers (share of respondents; source: Infonetics Research, June 2009):
- Limit the impact of security problems, stop threats from propagating: 86%
- Increase overall corporate security posture: 78%
- Protect against loss of sensitive/personal information: 77%
- Control network access based on user identity and role: 76%
- Protect against loss of intellectual property: 60%
- Demonstrate compliance to security/access policies: 59%
- Regulatory requirements: 44%
Productivity Causes Complexity
- WHAT SYSTEM IS IT? Windows, Mac or Linux; laptop, desktop or PDA; printer or other corporate asset
- WHO OWNS IT? Company; employee; contractor; guest; unknown
- WHERE IS IT COMING FROM? VPN; LAN; WLAN; WAN
- WHAT'S ON IT? IS IT RUNNING? Anti-virus, anti-spyware; personal firewall; patching tools
- WHAT'S THE PREFERRED WAY TO CHECK/FIX IT? Pre-configured checks; customized checks; self-remediation or auto-remediation; third-party software
Complexity Demands Defense-in-Depth (identity, endpoint security, network security)
Identity alone fails:
- Protects against unauthorized access, but not malware
- Identifies the user, but not the device
Endpoint security alone fails:
- 99% have AV, but infections persist!
- Host-based apps are easily manipulated, even unintentionally
- Time gap between a virus and its virus definition/repair
Network security alone fails:
- Firewalls cannot block legitimate ports
- VPNs cannot block legitimate users
- Malware signatures must be known
- Detection often occurs after the fact
What Is Network Admission Control?
Using the network to enforce policies ensures that incoming devices are compliant.
Identity: Who is the user? Is s/he authorized? What role does s/he get? ("Please enter username:")
PLUS device security: Is MS patched? Does A/V or A/S exist? Is it running? Are services on? Do required files exist?
PLUS network security: Is policy established? Are non-compliant devices quarantined? Is remediation required? Is remediation available?
Four Key Capabilities of NAC
1. WHAT IT MEANS: Uniquely identifies users and devices, and creates associations between the two.
   WITHOUT IT: Associating users and devices with roles is what tells you which policies apply and prevents device spoofing.
2. WHAT IT MEANS: Assesses and enforces a ubiquitous policy across the entire network.
   WITHOUT IT: A decentralized policy mechanism (e.g. on the endpoint) can leave gaping security holes.
3. WHAT IT MEANS: Acts on posture assessment results, isolates the device, brings it into compliance.
   WITHOUT IT: Just knowing a device is non-compliant is not enough; someone still needs to fix it.
4. WHAT IT MEANS: Easily creates comprehensive, granular policies that map quickly to user groups and roles.
   WITHOUT IT: Policies too complex or difficult to create and use will lead to abandonment of the project.
NAC Appliance (a.k.a. Cisco Clean Access) Components
- Cisco Clean Access Server: serves as an in-band or out-of-band device for network access control
- Cisco Clean Access Manager: centralizes management for administrators, support personnel, and operators
- Cisco Clean Access Agent: optional lightweight client for device-based registry scans in unmanaged environments
- Rule-set Updates: scheduled automatic updates for anti-virus, critical hotfixes and other applications
Clean Access Server
- CAS is the enforcement point for network access.
- CAS has two key interfaces (eth0/eth1):
  Untrusted Interface (eth1): facing the end users to be NACed (untrusted network)
  Trusted Interface (eth0): facing the network to be secured (trusted network)
- Traffic is BRIDGED (Virtual Gateway) or ROUTED (Real IP Gateway) between the two interfaces.
Diagram (recovered labels):
VIRTUAL GATEWAY: frame in on eth1 (Vlan 10) > frame out on eth0, either in the same VLAN (Vlan 10, SVI: Vlan 10) or VLAN-mapped on the CAS (Map 10>>40, eth0 in Vlan 40, SVI: Vlan 40).
REAL IP GATEWAY: packet in on eth1 (10.10.10.0/24), routed by CAS, packet out on eth0 (10.10.20.0/24).
NAC Manager Overview
- Controls all NAC servers centrally
- Configuration policies pushed to all servers
- Communicates with servers for status and updates
- Scalable to support multiple servers (one NAC Manager, many NAC Servers)
NAC Appliance Sizing (users = online, concurrent)
- Super Manager: manages more than 40 Enterprise and Branch Servers
- Standard Manager: manages up to 20 Enterprise and Branch Servers
- Manager Lite: manages up to 3 Branch Office or SMB Servers
Server sizes: 1500, 2500 or 3500 users (Enterprise); 100, 250 or 500 users (Branch); 50 or 100 users (NM)
NAC Server Deployment Mode
The NAC server is deployed in a combination of the following 3 modes.
- In-Band (IB) or Out-of-Band (OOB): in IB the NAC server (CAS) is in the data path all the time; in OOB the NAC server is in the path only during the NAC process. A given CAS can only be IB or OOB.
- Layer 2 (L2) or Layer 3 (L3): users are L2 adjacent to the NAC server, or they are multiple hops away (L3) from the NAC server (CAS). A given NAC server can support both L2 and L3 adjacent users.
- Virtual Gateway (VG) or Real-IP Gateway (RIP-GW): the NAC server (CAS) acts as a bridge (VG) or a router (RIP-GW) between its two interfaces. A given NAC server (CAS) can only be VG or RIP-GW, not both.
CAS Physical Deployment Models: Centralized, Redundant
Example: Collapsed Core Centralized Deployment, Virtual Gateway Mode
- 6 Access Layer Closets, 6 Data VLANs
- 500 users per VLAN, total 3000 users
- 3 VLANs per CAS, 1500 users each
Diagram (recovered labels): access VLANs 10, 20, 30 and 40, 50, 60 are mapped through the CAS pair to VLANs 110, 120, 130 and 140, 150, 160 at the Collapsed Core / Distribution layer.
CAS Physical Deployment Models: Centralized Load-Balancing
Example: Enterprise Central Deployment, Virtual Gateway Mode
- 3 Access Layer Closets, 6 VLANs
- 500 users per VLAN, total 3000 users
- 3 VLANs per CAS, 1500 users each
CAS Traffic Flow Deployment Models: In Band & Out of Band
In Band:
- CAS is inline (in the data path) before and after posture assessment
- ACL filtering and bandwidth throttling
- Remote offices, VPN connectivity
- Limited scalability
Out of Band:
- Multi-gig throughput
- Inline only during posture assessment
- Port, VLAN-based and role-based access control
CAS Client Access Deployment Models: L2 & L3
L2 Model:
- Client is L2 adjacent to CAS
- VG / Real IP GW / IB / OOB
- Mostly for LAN deployments
- MAC address as identifier
L3 Model:
- Client is not L2 adjacent to CAS
- VG / Real IP GW / IB / OOB
- Mostly for WAN/VPN deployments
- IP address as identifier
NAC Appliance for VPN Access
Topology (the ASA is the NAC enforcement point):
- Laptop IP: 192.168.1.150
- ASA IP: 192.168.1.3
- NAC Appliance Server IP: 192.168.1.2
- Router IP: 192.168.1.1
- Auth Server IP: 10.1.1.25
- Radius Accounting Server IP: 10.1.1.26
- NAC Appliance Manager IP: 10.1.1.30
- Intranet Server IP: 10.10.10.10
- DNS Server IP: 10.20.20.20
Flow:
1. Remote user connects to ASA via IPSec or SSL VPN tunnel
2. Remote user obtains IP address from ASA
3. ASA forwards Radius accounting login info to CAS
4. Radius Accounting information logs user into Appliance, so no need to sign on twice (SSO)
5. Everything else is the same as in-band deployment
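Steps 3 and 4 hinge on the CAS accepting a login from the ASA's RADIUS accounting record, so the record must be verifiable before it creates a session. The following Python sketch is an added example (not Cisco's code) of that logic: it constructs the Accounting-Request Start the ASA would forward, verifies the RFC 2866 Request Authenticator against the shared secret so a forged or tampered record is rejected, and only then logs the user in under its Framed-IP-Address. The shared secret, user name and packet contents are constructed assumptions.

```python
import hashlib
import struct
# RADIUS codes and attribute numbers from RFC 2865/2866
ACCT_REQUEST = 4
USER_NAME, FRAMED_IP, ACCT_STATUS = 1, 8, 40
ACCT_START = 1
# Assumption: the RADIUS shared secret configured on both ASA and CAS (constructed value)
SHARED_SECRET = b"constructed-secret"

def build_acct_request(ident, user, ip, status, secret):
    """Constructed sample of the Accounting-Request the ASA forwards in step 3."""
    attrs = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in (
        (USER_NAME, user.encode()),
        (FRAMED_IP, bytes(int(o) for o in ip.split("."))),
        (ACCT_STATUS, struct.pack("!I", status))))
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(header + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def parse_acct_request(pkt, secret):
    """Return {user, ip, status} only if the Request Authenticator verifies."""
    if len(pkt) < 20 or pkt[0] != ACCT_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return None
    attrs = pkt[20:]
    if hashlib.md5(pkt[:4] + bytes(16) + attrs + secret).digest() != pkt[4:20]:
        return None  # wrong secret or tampered packet: never use it for SSO
    info, i = {}, 0
    while i + 2 <= len(attrs):
        t, l = attrs[i], attrs[i + 1]
        if l < 2 or i + l > len(attrs):
            return None  # malformed attribute
        v = attrs[i + 2:i + l]
        if t == USER_NAME:
            info["user"] = v.decode()
        elif t == FRAMED_IP and len(v) == 4:
            info["ip"] = ".".join(str(b) for b in v)
        elif t == ACCT_STATUS and len(v) == 4:
            info["status"] = struct.unpack("!I", v)[0]
        i += l
    return info

def apply_accounting(sessions, pkt, secret):
    """Step 4: an authentic Accounting Start logs the VPN user in under its IP (SSO)."""
    info = parse_acct_request(pkt, secret)
    if not info or any(k not in info for k in ("user", "ip", "status")):
        return None
    if info["status"] != ACCT_START:
        return None  # only Start records create a session
    sessions[info["ip"]] = info["user"]
    return "login"
```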
How do you create and manage headless devices in your environment?
NAC Profiler can manage all other headless devices:
- Automatic discovery and inventory via SNMP
- Profiles devices into NAC roles
Diagram (recovered labels): SPAN and SNMP feed the PROFILER (NACS/Collector), which uses an API to the NACM; devices are added to the Filter List from the Profiler and get proper access under NAC.
Dynamic Provisioning into NAC Manager
NAC Profiler profiles the device and automatically places it in the NAC Manager filter list, with detailed device information.
Cisco NAC Appliance Agents: Clean Access Agent
- Local-machine, agent-based posture and remediation
- Bundled with CAM software release/update
- Full Agent installation / Stub Agent installation (Java/ActiveX)
Cisco NAC Appliance Agents: Cisco NAC Web Agent
- Permanent client application not required
- Posture assessment available, no automatic remediation
Cisco NAC Services: Automated Policy Updates
- Automated Cisco rulesets simplify support for over 350 security and management applications
- AutoUpdates: hotfixes, service packs (direct to WSUS Server)
- Delivered to the Cisco NAC Manager
NAC Appliance Technical Benefits
- Product Experience: with 500+ deployments, Cisco understands the technical impact on your network
- Defense-in-Depth: NAC Appliance is a self-contained, proactive way to enforce policy compliance on all incoming devices
- Rapid Setup, Easy Mgmt: pre-configured rulesets and checks make it easy to set up, maintain, modify, and expand
- Flexible Deployment: broad deployment options mean that NAC Appliance fits into your network the way you need it to
- Future Proof: NAC Appliance is core to Cisco's strategic NAC vision and can be leveraged across all future deployment options