Lessons from the Lab: NAC Framework Testing

Similar documents
Network Access Control: A Whirlwind Tour Through The Basics. Joel M Snyder Senior Partner Opus One

Interop Labs Network Access Control

1. How will NAC deal with lying clients?

Improving Your Network Defense. Joel M Snyder Senior Partner Opus One

Interop Labs Network Access Control

InteropLabs Network Access Control

Putting Trust Into The Network Securing Your Network Through Trusted Access Control

Question: 1 The NAC Agent uses which port and protocol to send discovery packets to an ISE Policy Service Node?

Building a Secure Wireless Network. Use i and WPA to Protect the Channel and Authenticate Users. May, 2007

White Paper February McAfee Policy Enforcer. Securing your endpoints for network access with McAfee Policy Enforcer.

Layered Access Control-Six Defenses That Work. Joel M Snyder Senior Partner Opus One, Inc.

SecureVue. Version Supported Technologies List Updated: July 2015

Cisco Network Admission Control (NAC) Solution

Is Your Information Safe? Presented by: Jake Gibson IT Director, Eurofins

Networks with Cisco NAC Appliance primarily benefit from:

Symbols. Numerics I N D E X

DREN IPv6 Implementation Update

Klaudia Bakšová System Engineer Cisco Systems. Cisco Clean Access

Pulse Policy Secure. Supported Platforms Guide. PPS 9.0R3 Build For more information, go to

Securing the Empowered Branch with Cisco Network Admission Control. September 2007

Bring Your Own Design: Implementing BYOD Without Going Broke or Crazy. Jeanette Lee Sr. Technical Marketing Engineer Ruckus Wireless

Security Information Managers: State of the Art. Joel M Snyder Senior Partner Opus One

Aruba Certified Clearpass Professional 6.5

Security and Control for all Devices on the Access Network

Security and Control for all Devices on the Access Network

WHY YOUR NAC PROJECTS KEEP FAILING: ADDRESSING PRODUCTS, PEOPLE, PROCESSES

ESAP Release Notes

TNC EVERYWHERE. Pervasive Security

A. Post-Onboarding. the device wit be assigned the BYOQ-Provision firewall role in me Aruba Controller.

McAfee Firewall Enterprise and 8.3.x

2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco Secure Access Solutions. Version: Demo

Enterasys. Design Guide. Network Access Control P/N

Automate to Win: The Business Case for Standards-based Security. An InformationWeek Webcast Sponsored by

Partner Webinar. AnyConnect 4.0. Rene Straube Cisco Germany. December 2014

T E C H N I C A L S A L E S S E R V I C E S

Implementing. Security Technologies. NAP and NAC. The Complete Guide to Network Access Control. Daniel V. Hoffman. WILEY Wiley Publishing, Inc.

ONE POLICY. Tengku Shahrizam, CCIE Asia Borderless Network Security 20 th June 2013

Cisco Exam Questions & Answers

Integrating Wireless into Campus Networks

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

Cisco AnyConnect Secure Mobility Solution. György Ács Regional Security Consultant

Secure wired and wireless networks with smart access control

Solution Architecture

ESAP Release Notes

Executive Summery. Siddharta Saha. Downloaded from

Pulse Policy Secure. Access Control in the Federated Enterprise Using IF-MAP Network Configuration Example. Product Release 5.2

802.1X: Port-Based Authentication Standard for Network Access Control (NAC)

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

Enterprise Guest Access

MOBILE SECURITY, SECURE ACCESS AND BYOD AS A SERVICE. Jonas Gyllenhammar NNTF 2012

Cisco NAC Network Module for Integrated Services Routers

Understanding Network Access Control

ESAP Release Notes. ESAP and Junos Pulse Secure Access/Access Control Service Compatibility Chart:

TECHNICAL NOTE MSM & CLEARPASS HOW TO CONFIGURE HPE MSM CONTROLLERS WITH ARUBA CLEARPASS VERSION 3, JUNE 2016

Cisco Identity Services Engine

Wireless and Network Security Integration Solution Overview

KASPERSKY ENDPOINT SECURITY FOR BUSINESS

Cisco Virtualization Experience Media Engine Overview

What Works in Visibility, Access Control and IOT Security Pulse Secure NAC Outcomes at Energy Provider

Guest Access Made Easy

Unified Access Control 4.0R2. Supported Platforms. IC Build OAC Build Junos Pulse Release

EX2200 & EX2300 Sales Guide. March 2017

Multi-Vendor Support List

August knac! 10 (or more) ways to bypass a NAC solution. Ofir Arkin, CTO

Introducing Cisco Identity Services Engine for System Engineer Exam

FortiNAC. HiPath. Enterasys. Siemens. Extreme. Wireless Integration. Version: 8.x. Date: 8/28/2018. Rev: B

Dealing with an Infectious Computer Virus

Forcepoint Sidewinder

Case study: UniCredit Tiriac Bank deploys Cisco Network Admission Control

Third Party Software Product Support for Voice Applications

The Context Aware Network A Holistic Approach to BYOD

802.1X: Deployment Experiences and Obstacles to Widespread Adoption

ESAP. Release Notes. Build. Published. June Document Version

Cloudpath and Aruba Instant Integration

McAfee Firewall Enterprise

CounterACT Switch Plugin

Security Automation Connecting Your Silos

McAfee Network Security Platform

MANAGING ENDPOINTS WITH DEFENSE- IN-DEPTH

Case Study Captive Portal with QR Code authenticator assisted

Network Security Platform Overview

RSA SecurID Ready Implementation Guide. Last Modified: March 27, Cisco Systems, Inc.

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller

ClearPass Design Scenarios

2012 Cisco and/or its affiliates. All rights reserved. 1

Configure Posture. Note

Network Access Control

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

Wireless NAC Appliance Integration

Network Configuration Example

Comprehensive Network Access Control Based on the Network You Have Today. Juniper Networks Unified Access Control

Cisco Identity Services Engine

UNIFIED ACCESS CONTROL

802.1X: Port-Based Authentication Standard for Network Access

Blackjacking. Daniel Hoffman. Security Threats to BlackBerry Devices, PDAs, and Cell Phones in the Enterprise. Wiley Publishing, Inc.

HPE Security ArcSight Connectors

How Cisco IT Upgraded Intrusion Prevention Software to Improve Endpoint Security

Introduction. What is Cisco NAC Appliance? CHAPTER

802.1X: Background, Theory & Implementation

Transcription:

Lessons from the Lab: NAC Framework Testing Joel M Snyder Opus One jms@opus1.com http://www.opus1.com/www/presentations/nac-testing-interoplv2007.pdf

Context: The World of NAC Things Claiming To Be NAC Things That Are NAC NAC based on open frameworks Unreleased NAC Products Proprietary NAC All-in-One Solutions

Context: Network World! April 19, 2007 (first publication date)! >30 products : 2 frameworks! http://www.networkworld.com/ reviews/2007/041907-nac-intro.html Cisco Secure Access Control Server (ACS) v4.1 Cisco Catalyst 3750 Switch IOS v12.2 Cisco Adaptive Security Appliance ASA5510 V7.2 Cisco VoIP Phone model 7940 Grandstream VoIP Phone model GXP2000 v1.1.1.14 Cisco Aironet 1200 Access Point v12.3(8) Trend Micro OfficeScan v7.3 Patchlink Update v6.2 LANDesk Systems and Security Management Solutions v8.7 Juniper Unified Access Controller IC-4000 v2.0r1 Juniper NetScreen-5GT v5.4.0 Juniper SSG20 v5.4.0 Vernier Networks EdgeWall 8800 v6 Vernier Networks Control Server CS8000 v6 HP ProCurve Switch 5406zl Extreme Networks Summit X450a Enterasys Networks Matrix C2 switch BigFix Enterprise Suite v6 Qualys Qualysguard Scanner Appliance McAfee epolicy Orchestrator Symantec AntiVirus Great Bay Software Beacon Appliance v2.1.5 Q1 Labs QRadar v6.0 Cisco Security Agent v5.1 Aruba Networks Aruba 800 Mobility Controller (and access points) Clients: Nokia E61 Smartphone R3, Palm TX Handheld, IBM/Lenovo Thinkpad X60s, Dell D600 Laptop

Cisco CNAC Topology Overview Not all devices and configuration are shown, but you get the general idea (Numbers & Letters represent different scenarios)

TCG/TNC Topology Overview Not all devices and configuration are shown, but you get the general idea (Numbers & Letters represent different scenarios)

So, How Do You Evaluate NAC?! Answer: You look at the requirements for NAC! Answer: You evaluate frameworks the same way as All-in-One products! Except it s a lot harder OK, so what are the requirements for NAC?

Network Access Control has four components 1. Authentication of the user Authenticate Access Control 3. Control usage based on capabilities of hardware and security policy 2. Use environmental information as part of policy decision making Environment Management 4. Manage it all

What Did We Learn About Authentication? 1. Authentication of the user Authenticate Access Control 3. Control usage based on capabilities of hardware and security policy 2. Use environmental information as part of policy decision making Environment Management 4. Manage it all

Authentication Lesson #1: Mainstream in Great Shape!Windows XP!Windows 2000 "Windows Vista!802.1X Authentication!Vendorsupplied Client!Juniper UAC & Cisco ACS using AD via LDAP

Authentication Lesson #2: 802.1X-only, Cisco is Easier AD Cisco ACS!Mac!Windows w/o vendor-supplied client!802.1x Authentication RADIUS router Juniper UAC!Vista

Authentication Lesson #3: Sometimes, it s not framework: It s all about the switch/ap These guys don t have NAC or 802.1X clients so switches and APs have to deal with it Option A: MAC authentication bypass Option B: Guest Captive Portal

Authentication Lesson #4: Trust But Verify It worked for Reagan; it can work for you Beacon (CNAC,TNC): end-point discovery 010 1010 0101 010 Qradar (TNC): SIM Qualys (CNAC): Vulnerability Scanner But: Integration at this stage was weak

What did we learn about environment? 1. Authentication of the user Authenticate Access Control 3. Control usage based on capabilities of hardware and security policy 2. Use environmental information as part of policy decision making Environment Management 4. Manage it all

Environment Lesson #1: The Big Boys Work Fine! BigFix (CNAC) and PatchLink (TNC) do what they say they do! We were able to mesh remediation strategy and NAC framework easily But: Using the built-in validator for each NAC framework gave us a weaker solution. Don t be tempted.

Environment Lesson #2: Cisco Has A Lot Of Muscle! Cisco has attracted more partners to the CNAC framework! However, it s waaaay better to link your NAC to patch management than simply check for A/V software

Environment Lesson #3: Guest Users Are Hard! Only liars and idiots say they can determine the posture of guest users! Pushing software at users doesn t work Posture Collector Client Broker Network Access Requestor 010 1010 0101 010 External scanning of the end point can help detect device configuration You should use IPS to protect yourself You should use IDS to detect bad behavior A necessary layer within the framework!

What did we learn about Access Control? 1. Authentication of the user Authenticate Access Control 3. Control usage based on capabilities of hardware and security policy 2. Use environmental information as part of policy decision making Environment Management 4. Manage it all

Enforcement Lesson #1: VLANs aren t hard! RFC3580 VLAN assigment works CNAC Aruba Cisco Cisco Enterasys Extreme HP Vernier TNC

Enforcement Lesson #2: Everything Else is Hard! Cisco ACS policy definition is miserably bad! Juniper UAC policy definition is very good! But it doesn t talk to anyone but their firewalls! We only used 10% of our Vernier box

Enforcement Lesson #3: Flexible Cisco = No Auth.! Cisco has this wonderfully wide range of enforcement options! Everything but the 802.1X option loses authentication

What did we learn about Management? 1. Authentication of the user Authenticate Access Control 3. Control usage based on capabilities of hardware and security policy 2. Use environmental information as part of policy decision making Environment Management 4. Manage it all

Management Lesson #1: Drawing a Line is Important! Both CNAC and TNC draw a clear line in the sand between Network/Security and Desktop! CNAC has way more options! But CNAC requires ACS, which is suboptimal as a NAC policy engine

Management Lesson #2: Defining Policy is Important! Cisco ACS (CNAC) doesn t define policy; it sends down RADIUS options! Juniper UAC (TNC) does define policy! Both of these are implementation issues, and are not really specific to the framework

Conclusions?! Frameworks are a great way to build NAC deployments! TNC needs more partners (but Monday s news should change that)! Cisco needs to replace ACS with something else! Or simply join the New World Order of NAC and let other people be good at other things

Lessons from the Lab: NAC Framework Testing Joel M Snyder Opus One jms@opus1.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback