Network Access Control: A Whirlwind Tour Through The Basics. Joel M Snyder Senior Partner Opus One

Similar documents
Interop Labs Network Access Control

Lessons from the Lab: NAC Framework Testing

Layered Access Control-Six Defenses That Work. Joel M Snyder Senior Partner Opus One, Inc.

1. How will NAC deal with lying clients?

Improving Your Network Defense. Joel M Snyder Senior Partner Opus One

Building a Secure Wireless Network. Use i and WPA to Protect the Channel and Authenticate Users. May, 2007

Klaudia Bakšová System Engineer Cisco Systems. Cisco Clean Access

Reviewer s guide. PureMessage for Windows/Exchange Product tour

InteropLabs Network Access Control

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

Enterasys. Design Guide. Network Access Control P/N

Question: 1 The NAC Agent uses which port and protocol to send discovery packets to an ISE Policy Service Node?

Interop Labs Network Access Control

ISE Version 1.3 Self Registered Guest Portal Configuration Example

Configuring Client Profiling

SACM Information Model Based on TNC Standards. Lisa Lorenzin & Steve Venema

WHY YOUR NAC PROJECTS KEEP FAILING: ADDRESSING PRODUCTS, PEOPLE, PROCESSES

RADIUS Grows Up. Identity Management for Networks Secure IT Sean Convery Identity Engines

Enterasys Network Access Control

Wireless Integration Overview

Standard For IIUM Wireless Networking

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

802.1X: Port-Based Authentication Standard for Network Access Control (NAC)

Configure Client Posture Policies

IFIP World Computer Congress (WCC2010)

User Directories and Campus Network Authentication - A Wireless Case Study

ONE POLICY. Tengku Shahrizam, CCIE Asia Borderless Network Security 20 th June 2013

DumpsFree. DumpsFree provide high-quality Dumps VCE & dumps demo free download

Cisco Network Admission Control (NAC) Solution

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

4 Network Access Control 4.1 IPsec Network Security Encapsulated security payload (ESP) 4.2 Internet Key Exchange (IKE)

Module Overview. works Identify NAP enforcement options Identify scenarios for NAP usage

Putting Trust Into The Network Securing Your Network Through Trusted Access Control

BEST PRACTICE - NAC AUF ARUBA SWITCHES. Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features

Manage Authorization Policies and Profiles

Configure Client Posture Policies

Secure wired and wireless networks with smart access control

Vendor: Cisco. Exam Code: Exam Name: Implementing Advanced Cisco Unified Wireless Security (IAUWS) v2.0. Version: Demo

2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1

802.1x Port Based Authentication

Identity Based Network Access

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ]

Cisco Questions & Answers

TNC EVERYWHERE. Pervasive Security

Cisco Self Defending Network

802.1X: Background, Theory & Implementation

Introduction to Network Security Missouri S&T University CPE 5420 Network Access Control

August knac! 10 (or more) ways to bypass a NAC solution. Ofir Arkin, CTO

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco Secure Access Solutions. Version: Demo

COPYRIGHTED MATERIAL. Contents

Windows Server Network Access Protection. Richard Chiu

Automate to Win: The Business Case for Standards-based Security. An InformationWeek Webcast Sponsored by

802.1X: Port-Based Authentication Standard for Network Access

Executive Summery. Siddharta Saha. Downloaded from

2012 Cisco and/or its affiliates. All rights reserved. 1

Configuring 802.1X Port-Based Authentication

Partner Webinar. AnyConnect 4.0. Rene Straube Cisco Germany. December 2014

Manage Authorization Policies and Profiles

Securing the Empowered Branch with Cisco Network Admission Control. September 2007

Enterprise Guest Access

Provide One Year Free Update!

Networks with Cisco NAC Appliance primarily benefit from:

Secure Access - Update

Wireless Network Security

ForeScout Agentless Visibility and Control

Network Security Policy

Trusted Network Access Control Experiences from Adoption

Configuring Network Admission Control

Cisco Exam Questions & Answers

Layer 2 authentication on VoIP phones (802.1x)

Agile Controller-Campus V100R002C10. Permission Control Technical White Paper. Issue 01. Date HUAWEI TECHNOLOGIES CO., LTD.

Sample excerpt. HP ProCurve Threat Management Services zl Module NPI Technical Training. NPI Technical Training Version: 1.

Configuring NAC Out-of-Band Integration

ISE Primer.

Borderless Networks. Tom Schepers, Director Systems Engineering

Secure Mobility. Klaus Lenssen Senior Business Development Manager Security

Posture Services on the Cisco ISE Configuration Guide Contents

Module 9. Configuring IPsec. Contents:

Network Admission Control

HP Identity Driven Manager Software Series

Security Automation Connecting Your Silos

NETWORK THREATS DEMAN

NEXT GENERATION SOLUTION FOR NETWORK ACCESS MANAGEMNT & CONTROL

SOLUTION OVERVIEW THE ARUBA MOBILE FIRST ARCHITECTURE

ClearPass Design Scenarios

Cisco Security Solutions for Systems Engineers (SSSE) Practice Test. Version

Detecting MAC Spoofing Using ForeScout CounterACT

Cisco ISE Features. Cisco Identity Services Engine Administrator Guide, Release 1.4 1

Cisco ISE Ports Reference

The Context Aware Network A Holistic Approach to BYOD

Exam Questions Demo Cisco. Exam Questions

How to Configure Mobile VPN for Forcepoint NGFW TECHNICAL DOCUMENT

Simplifying your 802.1X deployment

Cisco Exam Questions & Answers

High Availability Synchronization PAN-OS 5.0.3

Configuring Client Posture Policies

GEARS + CounterACT. Advanced Compliance Enforcement for Healthcare. December 16, Presented by:

Configure Client Posture Policies

Integrating Meraki Networks with

Transcription:

Network Access Control: A Whirlwind Tour Through The Basics Joel M Snyder Senior Partner Opus One jms@opus1.com

Agenda: Defining NAC Why are we thinking about NAC? What is a definition of NAC? What are the four key components of NAC? What are the industry NAC architectures? Authentication, Environment, and Enforcement in Depth 2

Security Management Is Moving Towards the End User Last Year Poke holes in the firewall for specific IP addresses and specific services Create IPsec remote access solutions that give broad network access Next Year Determine security policy by who is connecting not where they are connecting from Create remote access solutions that focus on the end-user, not the network 3

The Marketing View of NAC The Internet Corporate Net 4

Let s Define NAC: Network Access Control NAC is user-focused, network-based access control Who you are: not your IP address, but your authenticated identity. Also: your end-point security status, location, access type Something inside of the network: enforcement occurs in the network, not on the the end points Control: limit access according to policy, where policy is based on the user 5

OK, wait a second. Isn t Access Control what a firewall does? Internet You shall not pass! Absolutely! The difference is in the decision! 6

NAC Is Firewalling, but With a Difference Common Firewall Decision Elements Source IP and port Destination IP and port Position Between two networks Common NAC Decision Elements Username and Group Access method and location End-point security status Destination IP and port Position Between user and network 7

#1: Authenticate NAC Has Four Components 1. Authentication of the user Authenticate End users are authenticated before getting network access 8

#1: Authenticate How Does the Authentication Actually Work? The Internet Three options are common 802.1X Web-based Authentication Proprietary Client Corporate Net NAC Policy 9

#1: Authenticate 802.1X is Preferred and the Most Secure Approach Corporate Net Internet User brings up link (or associates with AP) AP/Switch starts 802.1X (EAP) for authentication User authenticates to central policy server If authentication (and other stuff) is successful, policy server instructs edge device to grant appropriate access. User gets IP address. NAC Policy 10

#1: Authenticate Web Authentication is Easy to Do Corporate Net Internet User gets on network; gets IP address User opens web browser and is trapped by in-line portal User authenticates to central policy server If authentication (and other stuff) is successful, portal lets traffic through or reconfigures network to get out of the way NAC Policy 11

#2: Environment Environmental Information Modifies Access or Causes Remediation 1. Authentication of the user Authenticate Where is the user coming from? When is the access request occurring? 2. Use environmental information as part of continuous policy decision making Environment What is the End Point Security posture of the end point? ( Pre-Connect ) What is our IPS/NBA/SIM telling us about this user ( Post-Connect )? 12

#2: Environment Environmental Information Can Include Lots of Things This is the (and other stuff) part Pure Environment Access Method (wired, wireless, VPN) Time of Day/Day of Week/Date within Limits Client Platform (Mac, Windows, etc.) Authentication Method (user/pass, MAC, etc.) End Point Security Does the device comply to my policy regarding Security Tools (A/V, FW) Applications (running/not) Patch Level Corporate signature For some, this is the main reason to want NAC! 13

#2: Environment Any End Point Security Test Should Include Remediation 1 2 1. EPS says that this system is untestable or cannot be helped: Internet only 3 2. System is non-compliant, but can be helped: Access to remediation network (or autoremediate) 3. System complies with security policy: full access granted 14

#2: Environment Key Concept: Access Is a Function of Authentication & user-focused Environment What you can do = Who You Are + How Well You Comply with Policy + Darn We just summarized NAC in one slide. What else is there to talk about? How You Behave On The Network 15

#3: Access Control Access Controls Define Capabilities and Restrict the User 1. Authentication of user 2. Use environmental information as part of continuous policy decision theenvironment making Authenticate Access Control 3. Control usage based on capabilities of hardware and security policy Allow or deny access. Put the user on a VLAN. Send user to remediation. Apply ACLs or firewall rules. 16

#3: Access Control Access Control Enforcement Has Two Main Attributes to Understand Control Granularity On/Off the network VLAN-level assignment Packet filters Stateful firewall Control Location On the client itself At the edge of the network ( Edge Enforcement ) A barrier between user and network ( Inline Enforcement ) As part of the network protocols themselves At the server itself 17

#3: Access Control Granularity is a Spectrum Largely Determined by Hardware Most granular, most secure, most powerful Joel s Fantasy of How Secure Networks Are Run Least granular, least powerful Stateful Full Firewall Basic Packet Filters VLAN Assignment Go/No-Go Decision Likely Reality for Next Few Years Typical Current Approach (and likely SMB approach in future) 18

NAC Policy #3: Access Control Edge Enforcement Occurs at the Point of Access to the Network DHCP LDAP Web Endpoints Access Layer Distribution Layer Core Layer Data Center 19

NAC Policy #3: Access Control In-line Enforcement Occurs Deeper in the Network DHCP NAC Enforcement Device LDAP Web Endpoints Access Layer Distribution Layer Core Layer Data Center 20

Hybrid Enforcement combines In-Line and Edge Authentication and Posture check occur first NAC Policy #3: Access Control? DHCP NAC Portal Auth+EPS LDAP Endpoints? Access Layer Enforcement of network access occurs at edge, after Authentication and Posture checks Web Data Center 21

#4: Management Management of Policy is the Weak Link in most NAC Solutions 1. Authentication of the user Authenticate Access Control 3. Control usage based on capabilities of hardware and security policy 2. Use environmental information as part of continuous policy decision making Environment Management 4. Manage it all Usable management and cross-platform NAC normalization 22

An Architecture Helps to Understand NAC Better The Internet Corporate Net NAC Policy 23

Lots of NAC Products but Only a Few Good Architectures Access Requestor Integrity Measurement Collector Policy Decision Point Integrity Measurement Verifier Client Broker Network Access Requestor Policy Enforcement Point Broker Network Access Authority These are the TCG/TNC terms for each piece. IETF, Microsoft, and Cisco all have their own similar ones 24

Integrity Measurement Collector Integrity Measurement Verifier Client Broker Network Access Requestor Policy Enforcement Point Broker Network Access Authority What is it? IETF NEA Microsoft NAP Cisco NAC Policy Enforcement Point Component within the network that enforces policy, typically an 802.1X-capable switch or WLAN, VPN gateway, or firewall. Network Enforcement Point NAP Enforcement Network Access Device 25

Integrity Measurement Collector Integrity Measurement Verifier Client Broker Network Access Requestor Policy Enforcement Point Broker Network Access Authority What is it? IETF NEA Microsoft NAP Cisco NAC Integrity Measurement Collector Third-party software that runs on the client and collects information on security status and applications, such as 'is A/V enabled and up-to-date?' Posture Collector System Health Agent Posture Plug-in Apps TNC Client Broker "Middleware" that talks to the Posture Collectors, collecting their data, and passes it down to Network Access Requestor Posture Broker Client NAP Agent Cisco Trust Agent Network Access Requestor Connects the client to network, such as 802.1X supplicant. Authenticates the user, and acts as a conduit for Posture Collector data Posture Transport Client NAP Enforcement Client Cisco Trust Agent 26

Integrity Measurement Collector Integrity Measurement Verifier Client Broker Network Access Requestor Policy Enforcement Point Broker Network Access Authority What is it? Integrity Measurement Verifier Receives status information from Posture Collectors then validates it against policy, returning a status to the Broker TNC Broker "Middleware" acting as an interface between multiple Posture Validators and the Network Access Authority Network Access Authority Validates authentication and posture, then passing policy to the Network Enforcement Point. IETF NEA Posture Validator Posture Broker Posture Transport Microsoft NAP System Health Validator NAP Administration Network Policy http://www.networkworld.com/research/2006/040306-nac-overview.html Cisco NAC Policy Vendor Access Control Access Control 27

We ve Just Grazed the Surface of NAC NAC needs to be on your radar Tools like 802.1X should be part of your short and long range plans anyway Don t jump into a proprietary solution without considering the emerging standard architectures 28

Thanks! Joel Snyder Senior Partner Opus One jms@opus1.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback