WHY YOUR NAC PROJECTS KEEP FAILING: ADDRESSING PRODUCTS, PEOPLE, PROCESSES


SESSION ID: TECH-W14
WHY YOUR NAC PROJECTS KEEP FAILING: ADDRESSING PRODUCTS, PEOPLE, PROCESSES
Jennifer Minella, VP of Engineering & Security, Carolina Advanced Digital, Inc.
@jjx securityuncorked.com | @CADinc cadinc.com

Today's session
A vendor-neutral look at resolving the three main pitfalls of NAC projects: products, people and processes. This session will look at architectures that dictate product success or failure in an environment and mapping to today's products, followed by a look at the processes and people topics that can't be ignored for successful NAC projects. Presented by a NAC SME based on 10+ years and hundreds of client projects.

Why NAC is Hard
Challenges:
- Cost ($$$)
- Complexity
- Language
- History of failure, or requires downsizing of scope
Causes of failure:
- Wrong people
- Wrong processes
- Wrong product(s)

Why NAC is Hard (basic architecture diagram)
- NAC server
- Authentication server
- Switch or AP (authenticator)
- Wired endpoints
- Wireless endpoints

Why NAC is Hard (everything the deployment actually touches)
- NAC server and authentication server
- Switch or AP (authenticator), wired endpoints, wireless endpoints
- Executives, policy, legal, compliance
- MDM; security tools, SIEM, firewalls, IPS; applications
- Your NAC integration teams, 3rd-party vendors, users, help desk
- Funky IoT things
- Asset management, CMDB

10,000-FOOT VIEW: FEATURE COMPONENTS OF NAC
- Profiling
- Endpoint Integrity
- Authentication
- Access Control
Reference: http://securityuncorked.com/docs/universalnacmodel_rsarelease20100303.pdf

When you see RADIUS, think 802.1X.

Feature: Profiling & Visibility
Determining what a device or device type is, using:
- DHCP fingerprinting
- Web browser in captive portal
- Reading HTTP headers
- Reading SNMP attributes
- Remote scans, OS fingerprints
- MAC lookup and ARP resolution
- Span/tap ports
- MAC vendor OUI
- Local host scan
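Profiling rarely rests on one signal; the sources listed above are combined and weighed against each other. The following script is an added example (not code from the talk or from any NAC product) showing a small evidence-weighting profiler that combines MAC vendor OUI, a DHCP option 55 fingerprint, the DHCP vendor class and an HTTP User-Agent from a captive portal. The OUI table, fingerprint rules and weights are all constructed placeholders for the example, not real IEEE assignments or a vendor's fingerprint database; the point is the mechanism, including what happens when two sources disagree.

```python
from collections import Counter

# Constructed placeholder OUI -> vendor table for this example. These are
# locally administered (02:...) prefixes, not real IEEE OUI assignments.
OUI_VENDOR = {
    "02:00:01": "Acme IP Phones",
    "02:00:02": "Acme Printers",
    "02:00:03": "Generic Laptop Corp",
}

# Each evidence source votes for a device class with a weight. All rules
# below are illustrative and constructed, not a product fingerprint database.
OUI_CLASS = {
    "Acme IP Phones": ("IP phone", 0.5),
    "Acme Printers": ("Printer", 0.5),
    "Generic Laptop Corp": ("Workstation", 0.2),
}
# DHCP option 55 (parameter request list) fingerprints, keyed by the exact list.
DHCP_FINGERPRINTS = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252): ("Windows workstation", 0.6),
    (1, 3, 6, 15, 119, 252): ("Apple device", 0.6),
    (1, 3, 6, 42, 66, 150): ("IP phone", 0.7),
}
# DHCP option 60 (vendor class identifier) prefixes.
VENDOR_CLASS_RULES = {
    "MSFT 5.0": ("Windows workstation", 0.3),
    "udhcp": ("Embedded Linux / IoT", 0.4),
}
# HTTP User-Agent substrings seen in a captive portal or proxy log.
USER_AGENT_RULES = (
    ("Windows NT", ("Windows workstation", 0.4)),
    ("iPhone", ("Apple device", 0.5)),
)


def oui_vendor(mac):
    """Return the vendor for the first three octets of a MAC, or None."""
    key = mac.upper().replace("-", ":")[:8]
    return OUI_VENDOR.get(key)


def profile(evidence):
    """Combine the available evidence into a device class with a confidence score.

    evidence keys (all optional except mac): mac, dhcp_param_request_list,
    dhcp_vendor_class, http_user_agent.
    """
    votes = Counter()
    reasons = []

    vendor = oui_vendor(evidence["mac"])
    if vendor in OUI_CLASS:
        cls, weight = OUI_CLASS[vendor]
        votes[cls] += weight
        reasons.append(f"OUI vendor {vendor}")

    prl = tuple(evidence.get("dhcp_param_request_list", ()))
    if prl in DHCP_FINGERPRINTS:
        cls, weight = DHCP_FINGERPRINTS[prl]
        votes[cls] += weight
        reasons.append("DHCP option 55 fingerprint")

    vendor_class = evidence.get("dhcp_vendor_class") or ""
    for prefix, (cls, weight) in VENDOR_CLASS_RULES.items():
        if vendor_class.startswith(prefix):
            votes[cls] += weight
            reasons.append(f"DHCP vendor class {prefix!r}")

    user_agent = evidence.get("http_user_agent") or ""
    for needle, (cls, weight) in USER_AGENT_RULES:
        if needle in user_agent:
            votes[cls] += weight
            reasons.append(f"User-Agent contains {needle!r}")

    if not votes:
        return {"class": "Unknown", "confidence": 0.0, "reasons": reasons}
    cls, score = votes.most_common(1)[0]
    return {"class": cls, "confidence": round(min(score, 1.0), 2), "reasons": reasons}


# Constructed sample observations, as a NAC collector might assemble them from
# DHCP relay (IP helper) traffic, a captive portal and the switch MAC table.
SAMPLE_EVIDENCE = {
    "desk phone": {"mac": "02:00:01:aa:bb:cc",
                   "dhcp_param_request_list": [1, 3, 6, 42, 66, 150]},
    "laptop": {"mac": "02:00:03:11:22:33",
               "dhcp_param_request_list": [1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252],
               "dhcp_vendor_class": "MSFT 5.0",
               "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    "printer OUI, Apple DHCP": {"mac": "02:00:02:de:ad:01",
                                "dhcp_param_request_list": [1, 3, 6, 15, 119, 252]},
    "silent device": {"mac": "02:00:09:00:00:01"},
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVIDENCE.items():
        print(f"{name:26} -> {profile(ev)}")
```

The "printer OUI, Apple DHCP" sample is the case worth watching: a single source (the OUI) would have classified it as a printer, while the DHCP behaviour outweighs it. A device whose sources disagree is exactly the one a NAC operator wants flagged for review rather than silently placed in a role, and the "silent device" case shows why a MAC that never sends DHCP or HTTP stays Unknown until another collector (SNMP, a scan, span/tap traffic) sees it.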

Feature: Endpoint Integrity
How healthy an endpoint is in terms of security or policy compliance can be determined using:
- Agent (persistent or dissolvable)
- Remote scanning tools
- Local host scan
- Behavior/traffic monitoring, UEBA, NBAD, 3rd party security

Feature: Authentication
Identifying and/or authenticating users and/or devices to the network using:
- RADIUS, 802.1X with user credentials
- RADIUS, 802.1X with device certificates/credentials
- RADIUS, 802.1X with MAC-authentication bypass (MAB)
- MAC address lookup and authentication (without 802.1X)
- Web portal authentication

Feature: Access Control
Controlling access of a user or device to network resources through:
- Managing edge port VLANs/ACLs with RADIUS enforcement
- Managing edge port VLANs/ACLs with Non-RADIUS enforcement
Deprecated or less common methods are included in the notes section.

FEATURE/FUNCTION DIFFERENCES IN NAC PRODUCTS
High level, in order of increasing impact.

Feature Components: Product Variance

Feature: Profiling & Visibility (Product Variance)
Determining what a device or device type is, using: DHCP fingerprinting, web browser in captive portal, reading HTTP headers, reading SNMP attributes, remote scans/OS fingerprints, MAC lookup and ARP resolution, span/tap ports, MAC vendor OUI, local host scan.
- Some products have built-in collectors for traffic data from span/tap ports. Others have integrations with 3rd party collectors and SIEM. (Low impact variance)
- Some products have pre-loaded vendor OUI lists to ID niche devices; any product can be set to do the same thing through profiling rules using vendor OUI. (Low impact variance)
- Some products use local host scan/domain admin accounts to profile. (Low impact variance)

Feature: Endpoint Integrity (Product Variance)
How healthy an endpoint is in terms of security or policy compliance can be determined using: agent (persistent or dissolvable), remote scanning tools, local host scan, behavior/traffic monitoring, UEBA, NBAD, 3rd party security.
- One vendor uses local host scan for posturing (in addition to profiling) but presents issues in larger environments. (Low impact variance)
- Some products have built-in traffic collectors using span/tap ports for monitoring integrity. (Medium impact variance)

Feature: Authentication (Product Variance)
Identifying and/or authenticating users and/or devices to the network using: RADIUS/802.1X with user credentials, RADIUS/802.1X with device certificates/credentials, RADIUS/802.1X with MAC-authentication bypass (MAB), MAC address lookup and authentication (without 802.1X), web portal authentication.
- Some products have robust built-in RADIUS / TACACS+ servers. (Medium to high impact variance)
- Some products have built-in certificate servers to issue device certificates to non-domain machines for BYOD. Not commonly used due to support and complexity. (Low impact variance)
- Some products have robust options for MAC address registrations, imports and 3rd party data, while others are more manual. (Medium impact variance)

Feature: Access Control (Product Variance)
Controlling access of a user or device to network resources through: managing edge port VLANs/ACLs with RADIUS enforcement, managing edge port VLANs/ACLs with Non-RADIUS enforcement.
- The single most impactful variance for wired deployments. Most products are either primarily designed for RADIUS or Non-RADIUS-based enforcement in the network, not both. (Wireless: low impact variance; Wired: high impact variance)
- Options for MAC registration and/or CMDB lookups. (High impact variance)

DIFFERENCES IN PRODUCTS: FOCUS ON ACCESS CONTROL FOR MAKING PRODUCT DECISIONS
Boils down to whether you want Access Control on wired, wireless, or both.

RADIUS vs Non-RADIUS Enforcement. No, really.

WHY 802.1X SUCKS ON WIRED NETWORKS
Alternatives to 802.1X and how to make 1X suck less.

How RADIUS Enforcement Works (802.1X)
Components:
- Client: speaks EAPoL on port connect
- Switch or AP (authenticator): access to the internal network blocked; only EAP auth traffic allowed between network and client until authentication succeeds, then access allowed
- NAC and/or RADIUS server: tells the switch/AP what to do through RADIUS packets; can send RADIUS attributes with additional Access Control settings
Message sequence:
1. Client -> switch: EAPoL-Start
2. Switch -> client: EAP-Request/Identity
3. Client -> switch: EAP-Response/Identity
4. Switch -> RADIUS: RADIUS Access-Request
5. RADIUS -> switch: RADIUS Access-Challenge
6. Switch -> client: EAP-Request
7. Client -> switch: EAP-Response (credentials)
8. Switch -> RADIUS: RADIUS Access-Request
9. RADIUS -> switch: RADIUS Access-Accept
10. Switch -> client: EAPoL-Success (access allowed)

How Non-RADIUS Enforcement Works (NOT 802.1X)
Components:
- Client: no auth protocol needed; MAC-learn or link up
- Switch or AP: admin-defined communication allowed between network and client; custom access options toward the internal network
- NAC server: tells the switch/AP what to do through SNMP/CLI
Sequence:
1. Network connection
2. MAC-learn or link-up trap (switch -> NAC server)
3. Lookup and decision (NAC server)
4. Instructions sent to switch (SNMP/CLI)
5. Switch applies VLAN or ACL to port/client
No auth protocol is needed, which means no requirement for AAA configs on switches or for the endpoint to speak 802.1X/have a supplicant. Can send any custom config with additional Access Control settings.
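The five-step sequence above is easiest to see as a small simulation. The following script is an added example (not code from the talk or from any NAC product) that models the non-RADIUS flow end to end: a switch with no AAA configuration learns a MAC and raises a trap, the NAC server looks the MAC up in its registration table and turns the result into an instruction, and the switch applies the VLAN or ACL. The MACs, VLAN numbers, ACL names and the `Switch`/`NacServer` classes are constructed for the example; the SNMP set or CLI push is represented by a plain method call.

```python
from dataclasses import dataclass, field


@dataclass
class Switch:
    """Edge switch with no AAA configuration: it learns MACs and takes orders."""
    name: str
    ports: dict = field(default_factory=dict)   # port -> {"vlan": int, "acl": str | None}
    audit: list = field(default_factory=list)

    def link_up(self, port, mac):
        """Endpoint connects; no auth protocol runs. The switch learns the MAC and
        emits a MAC-learn / link-up trap toward the NAC server (simulated as a dict)."""
        self.ports.setdefault(port, {"vlan": None, "acl": None})
        return {"trap": "mac-notification", "switch": self.name, "port": port, "mac": mac}

    def apply(self, instruction):
        """Simulated SNMP set or CLI push from the NAC server: apply VLAN and
        optional ACL to the port and record what was done and why."""
        self.ports[instruction["port"]] = {"vlan": instruction["vlan"], "acl": instruction["acl"]}
        self.audit.append(f"{instruction['port']}: vlan {instruction['vlan']} "
                          f"acl {instruction['acl']} ({instruction['reason']})")
        return dict(self.ports[instruction["port"]])


@dataclass
class NacServer:
    """Holds the MAC registration / CMDB data and the role-to-policy map."""
    registrations: dict          # mac -> role
    role_policy: dict            # role -> {"vlan": int, "acl": str | None}
    unknown_policy: dict         # applied to MACs nobody registered

    def handle_trap(self, trap):
        """Lookup and decision: turn a trap into a concrete instruction for the switch."""
        mac = trap["mac"].lower()
        role = self.registrations.get(mac)
        if role is None:
            policy, reason = self.unknown_policy, "unregistered MAC"
        else:
            policy, reason = self.role_policy[role], f"role {role}"
        return {"switch": trap["switch"], "port": trap["port"], "reason": reason, **policy}


def enforce(switch, nac, port, mac):
    """Full non-RADIUS flow: link-up -> trap -> lookup/decision -> instruction -> apply."""
    trap = switch.link_up(port, mac)
    instruction = nac.handle_trap(trap)
    return switch.apply(instruction)


# Constructed sample data (hypothetical MACs, VLAN numbers and ACL names).
NAC = NacServer(
    registrations={"02:00:01:aa:bb:cc": "voice", "02:00:03:11:22:33": "corp-laptop"},
    role_policy={"voice": {"vlan": 200, "acl": None},
                 "corp-laptop": {"vlan": 10, "acl": None}},
    unknown_policy={"vlan": 999, "acl": "quarantine-only"},
)

if __name__ == "__main__":
    sw = Switch("edge-sw-01")
    for port, mac in (("Gi1/0/1", "02:00:01:AA:BB:CC"),
                      ("Gi1/0/2", "02:00:03:11:22:33"),
                      ("Gi1/0/3", "02:00:ff:00:00:01")):
        print(port, enforce(sw, NAC, port, mac))
    print("\n".join(sw.audit))
```

Two things the simulation makes visible that the diagram does not: the quality of the decision is only as good as the registration data (an unregistered MAC lands in whatever the unknown policy says, so the CMDB and MAC registration processes discussed later are part of the control), and everything the NAC server does to the switch is an out-of-band write over SNMP/CLI, so the management credentials and the audit trail of those writes deserve the same care as the RADIUS shared secret would in the 802.1X model.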

Comparing Switch Configs Required
If using RADIUS/802.1X:
- Visibility/Profiling: SNMP traps to NAC server; IP helpers to NAC server
- Access Control: add VLANs to switches/uplinks; AAA configs per switch (3-6 lines); AAA configs per edge port (4-15 lines, may be different per port based on endpoint needs)
If using Non-RADIUS (CLI/SNMP):
- Visibility/Profiling: SNMP traps to NAC server; IP helpers to NAC server
- Access Control: add VLANs to switches/uplinks

Why RADIUS vs Non-RADIUS Matters
- Limited control options
- MAB not a great option
- Tedious switch configs
- Ongoing change management
- Instability of off-standard implementations on switches
- Inconsistency of endpoint behavior
- 3rd-party managed endpoints
- Inflexibility of 802.1X
- Better visibility without 802.1X on wired

Example of 802.1X (RADIUS AAA) config on a single switch port
Example of a port-level config for 802.1X:
- First attempt to authenticate with 802.1X
- Then, if 802.1X times out, attempt to authenticate with MAB
- Prefer 802.1X over MAB
- Periodically reauthenticate
- If the RADIUS server is unreachable, reinitialize to VLAN XX
- Reinitialize the voice VLAN on the port
LOTS-o-stuff to track
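The port-level behaviour described above (802.1X first, MAB on timeout, critical VLAN when RADIUS is unreachable) and the EAPoL/RADIUS message sequence from the "How RADIUS Enforcement Works" slide are modelled together in the following script. It is an added example, not code from the talk or from any switch or NAC vendor: a simulated authenticator runs the configured methods in order against a stand-in RADIUS server and returns the resulting port state. The usernames, MACs, VLAN numbers, the `PortConfig` fields and the `server_dead_vlan` placeholder (the slide's "VLAN XX") are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

BLOCKED = "blocked (only EAPoL/EAP traffic allowed)"


@dataclass
class RadiusServer:
    """Minimal stand-in for the NAC/RADIUS server. Constructed sample data only."""
    users: dict          # username -> {"password": str, "vlan": int}
    known_macs: dict     # mac -> vlan, used for MAC authentication bypass
    alive: bool = True

    def access_request(self, identity, credential=None, mab=False):
        """Return ('Access-Accept', attrs), ('Access-Reject', {}) or (None, {}) if unreachable."""
        if not self.alive:
            return None, {}
        if mab:
            vlan = self.known_macs.get(identity.lower())
            return ("Access-Accept", {"Tunnel-Private-Group-ID": vlan}) if vlan else ("Access-Reject", {})
        user = self.users.get(identity)
        if user and user["password"] == credential:
            return "Access-Accept", {"Tunnel-Private-Group-ID": user["vlan"]}
        return "Access-Reject", {}


@dataclass
class Endpoint:
    mac: str
    identity: Optional[str] = None      # None: no supplicant, never answers EAP-Request/Identity
    credential: Optional[str] = None


@dataclass
class PortConfig:
    """Mirrors the port-level choices the slide lists (constructed values)."""
    order: tuple = ("dot1x", "mab")     # try 802.1X first, then MAB on timeout/failure
    server_dead_vlan: int = 99          # "reinitialize to VLAN XX" placeholder
    voice_vlan: int = 200               # voice VLAN reinitialized when the server is dead


@dataclass
class Authenticator:
    """Switch port (or AP) acting as the 802.1X authenticator."""
    radius: RadiusServer
    cfg: PortConfig = field(default_factory=PortConfig)
    log: list = field(default_factory=list)

    def _dot1x(self, ep):
        """EAPoL exchange with the client, relayed to RADIUS. Returns a VLAN, None, or 'dead'."""
        self.log.append("client -> switch: EAPoL-Start")
        self.log.append("switch -> client: EAP-Request/Identity")
        if ep.identity is None:
            self.log.append("802.1X timed out: endpoint has no supplicant")
            return None
        self.log.append(f"client -> switch: EAP-Response/Identity ({ep.identity})")
        self.log.append("switch -> RADIUS: Access-Request; RADIUS -> switch: Access-Challenge")
        self.log.append("switch -> client: EAP-Request; client -> switch: EAP-Response (credentials)")
        self.log.append("switch -> RADIUS: Access-Request")
        code, attrs = self.radius.access_request(ep.identity, ep.credential)
        if code is None:
            return "dead"
        self.log.append(f"RADIUS -> switch: {code}")
        if code == "Access-Accept":
            self.log.append("switch -> client: EAPoL-Success")
            return attrs["Tunnel-Private-Group-ID"]
        self.log.append("switch -> client: EAPoL-Failure")
        return None

    def _mab(self, ep):
        """MAC authentication bypass: the MAC address itself is the RADIUS identity."""
        self.log.append(f"switch -> RADIUS: Access-Request (MAB, {ep.mac})")
        code, attrs = self.radius.access_request(ep.mac, mab=True)
        if code is None:
            return "dead"
        self.log.append(f"RADIUS -> switch: {code}")
        return attrs["Tunnel-Private-Group-ID"] if code == "Access-Accept" else None

    def connect(self, ep):
        """Link up: port blocked, then the configured methods run in order.
        Periodic reauthentication is modelled by calling connect() again."""
        state = {"status": BLOCKED, "method": None, "data_vlan": None, "voice_vlan": None}
        self.log.append(f"link up for {ep.mac}: {BLOCKED}")
        for method in self.cfg.order:
            result = self._dot1x(ep) if method == "dot1x" else self._mab(ep)
            if result == "dead":
                # RADIUS unreachable: reinitialize the data port to the critical VLAN
                # and the voice VLAN so phones keep working.
                self.log.append("RADIUS unreachable: reinitialize data and voice VLANs")
                state.update(status="authorized (server dead)", method="server-dead",
                             data_vlan=self.cfg.server_dead_vlan, voice_vlan=self.cfg.voice_vlan)
                return state
            if result is not None:
                state.update(status="authorized", method=method, data_vlan=result)
                self.log.append(f"{method}: port authorized in VLAN {result}")
                return state
        self.log.append("all methods failed: port stays blocked")
        return state


# Constructed sample data.
RADIUS = RadiusServer(users={"alice": {"password": "s3cret", "vlan": 10}},
                      known_macs={"02:00:01:aa:bb:cc": 20})

if __name__ == "__main__":
    auth = Authenticator(RADIUS)
    for ep in (Endpoint("02:00:03:11:22:33", "alice", "s3cret"),   # supplicant, good creds
               Endpoint("02:00:01:aa:bb:cc"),                       # no supplicant, known MAC
               Endpoint("02:00:ff:00:00:01")):                      # no supplicant, unknown MAC
        print(auth.connect(ep))
    print("\n".join(auth.log))
```

Running it shows the part of the slide's "LOTS-o-stuff to track" that is about behaviour rather than syntax: the same port ends up in four different states (802.1X VLAN, MAB VLAN, blocked, critical VLAN) depending on the endpoint and on RADIUS reachability, and the log of the exchange is what you compare against the switch's own authentication debug output when a port does something unexpected. The server-dead branch deserves particular attention in a real deployment, since a RADIUS outage silently changes what every 802.1X port on the switch authorizes.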

When to Use RADIUS/802.1X Enforcement
1. Wireless
2. Exceptionally highly secured wired networks
3. Ports servicing public areas, kiosks

Overview of Products in the Market
(Chart: products plotted by size of environment against product enforcement preference, RADIUS/802.1X vs Non-RADIUS.)

MANAGING PEOPLE AND PROCESSES IN NAC

Managing People of NAC
Network, Security, Architecture, Operations, Help Desk, Legal all play a role, but Network and Security especially need to be in sync.
- Legal and Executive sponsors play a role in creating and backing policy; without executive buy-in and C-level enforcement, policy controls at the technical level will be bypassed or overridden.
- Network team, regardless of wired, wireless, RADIUS or Non-RADIUS, needs to lead infrastructure design and consult throughout the engagement (especially prior to product selection) to ensure the environment supports the planned design.
- Security team may own the project/product and plays a major role in translating organizational policy to controls, again with help of the network team. They will also be involved in maintenance, management, incident response, and security integrations.
- Help Desk and end user advisor groups will help you understand end user expectations, use cases, and culture.
- Internal Communications to end users are vital when making changes that impact the user's experience on the network. Educating users on the why in addition to the how is strongly urged.
Multi-departmental NAC Task Forces are your friend!!! Most enterprise organizations should have a minimum of 3 people fully involved and others consulted. Project Managers inside the organization are also highly recommended.

Managing Processes of NAC
Processes: any NAC solution/architecture will result in the need for more processes, and process failure in NAC can render the solution ineffective. Common process best practices include:
- Processes for asset management, CMDB entry, data standardization
- Processes for MACD on the network (moves, adds, changes, deletes), specifically:
  - Processes for documenting any moves/additions of switches, routers, wireless
  - Processes for making changes to configs of switches, routers, wireless
- Processes for endpoint compliance policy updates based on new applications or versions
- Processes for testing and validation of new endpoints on your NAC-enforced network
- Processes for addressing or remediating threats as identified by NAC

SUMMARY

Summary and Highlights
Recap:
- NAC is complicated, even in the most basic configurations.
- Involving the right people and processes is critical.
- Not all products work the same; focus on what's most important to your mission, and don't try to make your use case fit a product in a PoC, make the product fit your use case.
- Get someone else to do it. (Just kidding)
Recap of order of impact related to product selection:
1. Access Control: #1 influencer (for 1X/not-1X, specifically if you want to enforce wired, wireless or both)
2. Authentication: #2 influencer (if you want a built-in robust RADIUS/TACACS+ or certificate server)
3. Endpoint Integrity: #3 influencer (products have the same agent options, but offer different options for 3rd party integrations and/or analysis from traffic collectors)
4. Profiling: #4 influencer (most products have parity here)

WHAT TO DO NEXT
How to apply knowledge from today's session.

How to Apply your new NAC knowledge
- Review processes and see if there are gaps that may cause issues or if there's an opportunity to add clarity.
- Make sure NAC controls align with C-level sponsored policies so they have teeth and backing.
- Use NAC Task Force Teams throughout, including after deployment.
- Don't dismiss seemingly negative comments from a team; the people that are telling you why something can't work will be the people telling you how it CAN work. Pay attention.
- Don't be afraid to use 2 NAC products in your environment; we recommend it regularly for wired vs wireless. There are ways to integrate NAC products and avoid duplication.
- Best deployments leverage team strengths and rely on Network Teams to manage infrastructure even if Security owns the project.
