SESSION ID: TECH-W14
WHY YOUR NAC PROJECTS KEEP FAILING: ADDRESSING PRODUCTS, PEOPLE, PROCESSES
Jennifer Minella, VP of Engineering & Security, Carolina Advanced Digital, Inc.
@jjx securityuncorked.com
@CADinc cadinc.com
Today's session
A vendor-neutral look at resolving the three main pitfalls of NAC projects: products, people and processes. This session looks at the architectures that dictate product success or failure in an environment and maps them to today's products, followed by a look at the process and people topics that can't be ignored for successful NAC projects. Presented by a NAC SME based on 10+ years and hundreds of client projects.
Why NAC is Hard
Challenges:
- Cost ($$$)
- Complexity
- Language
- History of failure, or requires downsizing of scope
Causes of failure:
- Wrong people
- Wrong processes
- Wrong product(s)
Why NAC is Hard
[Diagram: basic NAC architecture. Components: NAC Server, Authentication Server, Switch or AP (Authenticator), Wired Endpoints, Wireless Endpoints]
Why NAC is Hard
[Diagram: the same architecture with everything the NAC server must integrate with: Executives, Policy, Legal, Compliance, MDM, security tools (SIEM, firewalls, IPS), applications, asset management / CMDB, 3rd-party vendors, users, Help Desk, "funky IoT things", and your NAC integration teams]
10,000-FOOT VIEW: FEATURE COMPONENTS OF NAC
- Profiling
- Endpoint Integrity
- Authentication
- Access Control
10,000-foot View: Feature Components of NAC
http://securityuncorked.com/docs/universalnacmodel_rsarelease20100303.pdf
When you see RADIUS, think 802.1X.
Feature: Profiling & Visibility
Determining what a device or device type is, using:
- DHCP fingerprinting
- Web browser in captive portal
- Reading HTTP headers
- Reading SNMP attributes
- Remote scans, OS fingerprints
- MAC lookup and ARP resolution
- Span/tap ports
- MAC vendor OUI
- Local host scan
Feature: Endpoint Integrity
How healthy an endpoint is in terms of security or policy compliance can be determined using:
- Agent (persistent or dissolvable)
- Remote scanning tools
- Local host scan
- Behavior/traffic monitoring, UEBA, NBAD, 3rd-party security
Feature: Authentication
Identifying and/or authenticating users and/or devices to the network using:
- RADIUS, 802.1X with user credentials
- RADIUS, 802.1X with device certificates/credentials
- RADIUS, 802.1X with MAC-authentication bypass (MAB)
- MAC address lookup and authentication (without 802.1X)
- Web portal authentication
Feature: Access Control
Controlling access of a user or device to network resources through:
- Managing edge port VLANs/ACLs with RADIUS enforcement
- Managing edge port VLANs/ACLs with Non-RADIUS enforcement
Deprecated or less common methods are included in the notes section.
FEATURE/FUNCTION DIFFERENCES IN NAC PRODUCTS
High level, in order of increasing impact
Feature Components Product Variance
Feature: Profiling & Visibility (Product Variance)
Determining what a device or device type is, using:
- DHCP fingerprinting
- Web browser in captive portal
- Reading HTTP headers
- Reading SNMP attributes
- Remote scans, OS fingerprints
- MAC lookup and ARP resolution
- Span/tap ports
- MAC vendor OUI
- Local host scan
Product variance:
- Some products have built-in collectors for traffic data from span/tap ports. Others have integrations with 3rd-party collectors and SIEM. (Low impact variance)
- Some products have pre-loaded vendor OUI lists to ID niche devices; any product can be set to do the same thing through profiling rules using the vendor OUI. (Low impact variance)
- Some products use local host scans with domain admin accounts to profile. (Low impact variance)
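To make the profiling methods on the two Profiling & Visibility slides concrete, here is an added example (not code from the presentation or from any NAC product) of a small passive profiler that combines three of them: MAC vendor OUI, DHCP option 55 fingerprinting and HTTP User-Agent, with an SNMP sysDescr check on top. The OUI table, the DHCP fingerprints and the sample endpoints are constructed stand-ins for the curated databases a product ships with; the point is how the signals are combined and what to do when they disagree.

```python
# Added example (not from the presentation): a small passive profiler that
# combines the signals listed on the slide. The OUI table, DHCP option 55
# fingerprints and the sample endpoints are constructed for illustration.
from dataclasses import dataclass, field

# Constructed MAC vendor OUI table (first three octets -> vendor).
OUI_VENDORS = {
    "3c:22:fb": "Apple",
    "b8:27:eb": "Raspberry Pi Foundation",
    "00:50:56": "VMware",
}

# Constructed DHCP fingerprints: option 55 parameter request list -> OS family.
DHCP_FINGERPRINTS = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "Windows",
    (1, 121, 3, 6, 15, 119, 252, 95, 44, 46): "macOS/iOS",
    (1, 28, 2, 3, 15, 6, 119, 12, 44, 47, 26, 121, 42): "Linux",
}

@dataclass
class Endpoint:
    mac: str
    dhcp_params: tuple = ()      # option 55 list seen via the IP helper / DHCP relay
    user_agent: str = ""         # HTTP header seen in the captive portal or on a span/tap
    snmp_sysdescr: str = ""      # sysDescr read from a device that answers SNMP

@dataclass
class Profile:
    vendor: str = "unknown"
    os_family: str = "unknown"
    device_class: str = "unknown"
    evidence: list = field(default_factory=list)

def oui_lookup(mac: str) -> str:
    return OUI_VENDORS.get(mac.lower()[:8], "unknown")

def os_from_user_agent(user_agent: str):
    ua = user_agent.lower()
    if "windows nt" in ua:
        return "Windows"
    if "iphone" in ua or "ipad" in ua or "mac os x" in ua:
        return "macOS/iOS"
    if "linux" in ua:
        return "Linux"
    return None

def profile_endpoint(ep: Endpoint) -> Profile:
    p = Profile(vendor=oui_lookup(ep.mac))
    if p.vendor != "unknown":
        p.evidence.append(f"oui:{p.vendor}")
    os_dhcp = DHCP_FINGERPRINTS.get(tuple(ep.dhcp_params))
    if os_dhcp:
        p.evidence.append(f"dhcp55:{os_dhcp}")
    os_ua = os_from_user_agent(ep.user_agent)
    if os_ua:
        p.evidence.append(f"http-ua:{os_ua}")
    # Any single signal can be wrong or forged; two signals that disagree belong
    # in a review queue rather than in a confident classification.
    if os_dhcp and os_ua and os_dhcp != os_ua:
        p.os_family = "conflict"
        p.device_class = "review"
        return p
    p.os_family = os_dhcp or os_ua or "unknown"
    if "printer" in ep.snmp_sysdescr.lower():
        p.device_class = "printer"
        p.evidence.append("snmp-sysdescr")
    elif p.vendor == "Raspberry Pi Foundation":
        p.device_class = "iot"
    elif p.vendor == "VMware":
        p.device_class = "virtual-machine"
    elif p.os_family != "unknown":
        p.device_class = "workstation"
    return p

# Constructed sample endpoints, as a NAC collector might have observed them.
SAMPLE_ENDPOINTS = [
    Endpoint("3C:22:FB:01:02:03", (1, 121, 3, 6, 15, 119, 252, 95, 44, 46),
             "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"),
    Endpoint("b8:27:eb:aa:bb:cc", (1, 28, 2, 3, 15, 6, 119, 12, 44, 47, 26, 121, 42)),
    Endpoint("00:11:22:33:44:55", snmp_sysdescr="Example LaserJet Printer"),
    # DHCP says Windows but the browser claims iPhone: the two signals conflict.
    Endpoint("3c:22:fb:de:ad:01",
             (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252),
             "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"),
]

def classify_all(endpoints=SAMPLE_ENDPOINTS) -> dict:
    """Map each MAC (lower-cased) to the device class the profiler assigns."""
    return {ep.mac.lower(): profile_endpoint(ep).device_class for ep in endpoints}

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        print(ep.mac, profile_endpoint(ep))
```

The conflict branch is the part worth keeping when you write profiling rules in a real product: a device whose DHCP fingerprint and browser headers describe different operating systems should land in a "review" bucket, not in whichever VLAN the last rule happened to match.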
Feature: Endpoint Integrity (Product Variance)
How healthy an endpoint is in terms of security or policy compliance can be determined using:
- Agent (persistent or dissolvable)
- Remote scanning tools
- Local host scan
- Behavior/traffic monitoring, UEBA, NBAD, 3rd-party security
Product variance:
- One vendor uses local host scans for posturing (in addition to profiling), but this presents issues in larger environments. (Low impact variance)
- Some products have built-in traffic collectors using span/tap ports for monitoring integrity. (Medium impact variance)
Feature: Authentication (Product Variance)
Identifying and/or authenticating users and/or devices to the network using:
- RADIUS, 802.1X with user credentials
- RADIUS, 802.1X with device certificates/credentials
- RADIUS, 802.1X with MAC-authentication bypass (MAB)
- MAC address lookup and authentication (without 802.1X)
- Web portal authentication
Product variance:
- Some products have robust built-in RADIUS / TACACS+ servers. (Medium to High impact variance)
- Some products have built-in certificate servers to issue device certificates to non-domain machines for BYOD. Not commonly used due to support and complexity. (Low impact variance)
- Some products have robust options for MAC address registrations, imports and 3rd-party data, while others are more manual. (Medium impact variance)
Feature: Access Control (Product Variance)
Controlling access of a user or device to network resources through:
- Managing edge port VLANs/ACLs with RADIUS enforcement
- Managing edge port VLANs/ACLs with Non-RADIUS enforcement
Product variance:
- The single most impactful variance for wired deployments. Most products are primarily designed for either RADIUS or Non-RADIUS-based enforcement in the network, not both. (Wireless: Low impact variance. Wired: High impact variance)
- Options for MAC registration and/or CMDB lookups. (High impact variance)
DIFFERENCES IN PRODUCTS: FOCUS ON ACCESS CONTROL FOR MAKING PRODUCT DECISIONS
Boils down to whether you want access control on wired, wireless, or both.
RADIUS vs Non-RADIUS Enforcement
No, really.
WHY 802.1X SUCKS ON WIRED NETWORKS
Alternatives to 802.1X and how to make 1X suck less.
How RADIUS Enforcement Works (802.1X)
Roles: Client <-- EAPoL --> Switch or AP <-- RADIUS --> NAC and/or RADIUS Server
On port connect, access is blocked: only EAP authentication traffic is allowed between the network and the client. The NAC/RADIUS server tells the switch/AP what to do through RADIUS packets, and can send RADIUS attributes with additional access control settings. After a successful authentication, access to the internal network is allowed.
Message sequence:
1. Client -> Switch: EAPoL-Start
2. Switch -> Client: EAP-Request/Identity
3. Client -> Switch: EAP-Response/Identity
4. Switch -> Server: RADIUS Access-Request
5. Server -> Switch: RADIUS Access-Challenge
6. Switch -> Client: EAP-Request
7. Client -> Switch: EAP-Response (credentials)
8. Switch -> Server: RADIUS Access-Request
9. Server -> Switch: RADIUS Access-Accept
10. Switch -> Client: EAPoL-Success
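The exchange above, simulated with all three roles talking to each other, as an added example that is not part of the presentation and not any product's code. The supplicant, authenticator (switch port) and NAC/RADIUS server are plain Python classes; the usernames, passwords, MACs and VLAN numbers are constructed, and the HMAC challenge/response stands in for a real EAP method (it is not EAP-PEAP or EAP-TLS). It also shows the MAB fallback for an endpoint with no supplicant, and how the Access-Accept attributes (Tunnel-Private-Group-ID for the VLAN, Filter-Id for an ACL) become the port's enforcement state.

```python
# Added example (not from the presentation): simulation of the 802.1X/RADIUS
# exchange with supplicant, authenticator and NAC/RADIUS server, plus the MAB
# fallback. All identities, secrets, MACs and VLANs are constructed; the HMAC
# challenge/response is a stand-in for a real EAP method.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Msg:
    proto: str                      # "EAPoL" (client<->switch) or "RADIUS" (switch<->server)
    kind: str                       # e.g. "EAP-Request/Identity", "Access-Accept"
    payload: dict = field(default_factory=dict)

class NacRadiusServer:
    """NAC/RADIUS server: checks the identity and answers with enforcement attributes."""
    def __init__(self, users, mab_devices):
        self.users = users              # identity -> {"password", "vlan", "acl"}
        self.mab_devices = mab_devices  # registered MAC -> vlan
        self.pending = {}               # identity -> outstanding challenge

    def handle(self, req: Msg) -> Msg:
        p = req.payload
        if p.get("service") == "mab":   # MAB: the username is the MAC itself
            vlan = self.mab_devices.get(p["username"])
            if vlan is None:
                return Msg("RADIUS", "Access-Reject")
            return Msg("RADIUS", "Access-Accept", {"Tunnel-Private-Group-ID": vlan})
        eap = p["eap"]
        if eap["type"] == "Response/Identity":
            chal = secrets.token_hex(16)
            self.pending[eap["identity"]] = chal
            return Msg("RADIUS", "Access-Challenge",
                       {"eap": {"type": "Request", "challenge": chal}})
        user = self.users.get(eap["identity"])
        chal = self.pending.pop(eap["identity"], None)
        if user is None or chal is None:
            return Msg("RADIUS", "Access-Reject")
        expected = hmac.new(user["password"].encode(), chal.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, eap["proof"]):
            return Msg("RADIUS", "Access-Reject")
        # Access control settings ride along as RADIUS attributes.
        return Msg("RADIUS", "Access-Accept",
                   {"Tunnel-Private-Group-ID": user["vlan"], "Filter-Id": user.get("acl")})

class Supplicant:
    """Client. identity=None models a device that cannot speak 802.1X at all."""
    def __init__(self, mac, identity=None, password=None):
        self.mac, self.identity, self.password = mac, identity, password

    def respond(self, msg: Msg) -> Msg:
        if msg.kind == "EAP-Request/Identity":
            return Msg("EAPoL", "EAP-Response/Identity", {"identity": self.identity})
        proof = hmac.new(self.password.encode(), msg.payload["challenge"].encode(),
                         hashlib.sha256).hexdigest()
        return Msg("EAPoL", "EAP-Response", {"identity": self.identity, "proof": proof})

class SwitchPort:
    """Authenticator: relays EAP inside RADIUS and enforces whatever the server answers."""
    def __init__(self, server: NacRadiusServer):
        self.server, self.state, self.vlan, self.acl, self.trace = server, "blocked", None, None, []

    def log(self, line):
        self.trace.append(line)

    def connect(self, client: Supplicant):
        self.log("link up: port blocked, only EAPoL allowed")
        if client.identity is None:
            self.log("no EAPoL-Start, 802.1X timed out: falling back to MAB")
            resp = self.server.handle(Msg("RADIUS", "Access-Request",
                                          {"username": client.mac, "service": "mab"}))
        else:
            self.log("Client -> Switch: EAPoL-Start")
            self.log("Switch -> Client: EAP-Request/Identity")
            ident = client.respond(Msg("EAPoL", "EAP-Request/Identity"))
            self.log("Switch -> Server: Access-Request (EAP-Response/Identity)")
            chal = self.server.handle(Msg("RADIUS", "Access-Request",
                                          {"eap": {"type": "Response/Identity", **ident.payload}}))
            self.log(f"Server -> Switch: {chal.kind}")
            self.log("Switch -> Client: EAP-Request")
            proof = client.respond(Msg("EAPoL", "EAP-Request", chal.payload["eap"]))
            self.log("Switch -> Server: Access-Request (EAP-Response)")
            resp = self.server.handle(Msg("RADIUS", "Access-Request",
                                          {"eap": {"type": "Response", **proof.payload}}))
        self.log(f"Server -> Switch: {resp.kind}")
        self.apply(resp)
        return self

    def apply(self, resp: Msg):
        if resp.kind != "Access-Accept":
            self.state, self.vlan, self.acl = "blocked", None, None
            self.log("Switch -> Client: EAP-Failure; port stays blocked")
            return
        self.state = "authorized"
        self.vlan = resp.payload.get("Tunnel-Private-Group-ID")
        self.acl = resp.payload.get("Filter-Id")
        self.log(f"Switch -> Client: EAPoL-Success; port open on VLAN {self.vlan}, ACL {self.acl}")

# Constructed identity store and MAC registrations.
SERVER = NacRadiusServer(
    users={"alice": {"password": "correct-horse", "vlan": "10", "acl": "staff-acl"}},
    mab_devices={"00:11:22:33:44:55": "30"},
)

def authenticate(client: Supplicant) -> SwitchPort:
    """Bring a client up on a fresh port and return the port with its trace."""
    return SwitchPort(SERVER).connect(client)

if __name__ == "__main__":
    print("\n".join(authenticate(Supplicant("3c:22:fb:01:02:03", "alice", "correct-horse")).trace))
```

Reading the trace makes the slide's point visible: nothing but EAP crosses the port until the server's Access-Accept arrives, and the switch never decides anything itself; the VLAN and ACL it applies come entirely from the attributes in that one RADIUS packet.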
How Non-RADIUS Enforcement Works (NOT 802.1X)
Roles: Client <-- network connection (MAC-learn or link-up) --> Switch or AP <-- SNMP/CLI --> NAC Server
No auth protocol is needed on the client: the port comes up on MAC-learn or link-up, and admin-defined communication is allowed between the network and the client. The NAC server tells the switch/AP what to do through SNMP/CLI, with custom access options, and can send any custom config with additional access control settings. Because no auth protocol is needed, there is no requirement for AAA configs on switches or for the endpoint to speak 802.1X / have a supplicant.
Sequence:
1. Network connection (link-up, or the switch learns the MAC)
2. Switch sends a MAC-learn or link-up trap to the NAC server
3. NAC server performs its lookup and decision
4. Instructions are sent to the switch via SNMP/CLI
5. Switch applies the VLAN or ACL to the port/client
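The NAC-server side of that sequence (trap in, lookup and decision, instructions out), as an added example that is not part of the presentation and not any vendor's implementation. The trap line format, the registration/CMDB records, the VLAN numbers and the per-port switch commands are all constructed stand-ins; a product would generate vendor-specific SNMP sets or CLI. The decision step also accepts an optional profiler verdict, to show the check this model needs: a learned MAC is only an identifier, so when profiling contradicts the registration the port goes to quarantine rather than to the registered VLAN.

```python
# Added example (not from the presentation): the NAC-server side of SNMP/CLI
# enforcement. Trap format, registration records, VLAN numbers and the emitted
# switch commands are constructed stand-ins for what a product would generate.
import re
from dataclasses import dataclass

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
TRAP_RE = re.compile(
    r"^(?P<switch>\S+) port=(?P<port>\S+) mac=(?P<mac>\S+) event=(?P<event>mac-learn|link-up)$"
)

# Constructed MAC registration / CMDB data: who owns the MAC and what it should be.
REGISTRATIONS = {
    "3c:22:fb:01:02:03": {"owner": "staff", "expected_class": "workstation", "vlan": 10, "acl": None},
    "00:11:22:33:44:55": {"owner": "facilities", "expected_class": "printer", "vlan": 30,
                          "acl": "printers-only"},
}
QUARANTINE_VLAN = 999   # constructed remediation VLAN

@dataclass
class LearnEvent:
    switch: str
    port: str
    mac: str
    event: str

def parse_trap(line: str) -> LearnEvent:
    """Parse a (constructed) MAC-learn / link-up trap line as forwarded by the switch."""
    m = TRAP_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised trap: {line!r}")
    mac = m["mac"].lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC: {m['mac']!r}")
    return LearnEvent(m["switch"], m["port"], mac, m["event"])

def decide(ev: LearnEvent, observed_class: str = None) -> dict:
    """Lookup and decision: registration plus, when available, the profiler's verdict."""
    rec = REGISTRATIONS.get(ev.mac)
    if rec is None:
        return {"vlan": QUARANTINE_VLAN, "acl": "quarantine", "reason": "unregistered MAC"}
    # A learned MAC identifies but does not prove. If profiling disagrees with the
    # registration, quarantine and open a ticket instead of trusting the record.
    if observed_class and observed_class != rec["expected_class"]:
        return {"vlan": QUARANTINE_VLAN, "acl": "quarantine",
                "reason": f"profiled as {observed_class}, registered as {rec['expected_class']}"}
    return {"vlan": rec["vlan"], "acl": rec["acl"], "reason": f"registered to {rec['owner']}"}

def build_instructions(ev: LearnEvent, decision: dict) -> list:
    """Illustrative per-port CLI; a real product emits vendor-specific SNMP sets or CLI."""
    cmds = [f"interface {ev.port}", f" switchport access vlan {decision['vlan']}"]
    if decision["acl"]:
        cmds.append(f" ip access-group {decision['acl']} in")
    else:
        cmds.append(" no ip access-group in")
    return cmds

def enforce(trap_line: str, observed_class: str = None) -> dict:
    """Full pipeline for one trap: parse, decide, and produce the switch instructions."""
    ev = parse_trap(trap_line)
    decision = decide(ev, observed_class)
    return {"switch": ev.switch, "port": ev.port, "mac": ev.mac,
            "decision": decision, "commands": build_instructions(ev, decision)}

# Constructed trap lines, as the NAC server's trap receiver might log them.
SAMPLE_TRAPS = [
    "sw-edge-01 port=Gi1/0/7 mac=3C:22:FB:01:02:03 event=mac-learn",
    "sw-edge-01 port=Gi1/0/8 mac=00:11:22:33:44:55 event=link-up",
    "sw-edge-02 port=Gi1/0/3 mac=de:ad:be:ef:00:01 event=mac-learn",
]

if __name__ == "__main__":
    for line in SAMPLE_TRAPS:
        r = enforce(line)
        print(r["switch"], r["port"], r["decision"]["reason"], r["commands"])
```

Compare this with the 802.1X model: the switch needs no AAA configuration and the endpoint needs no supplicant, but every decision now rests on the MAC registration data, which is why the slides rank MAC registration and CMDB lookup options as a high-impact product variance.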
Comparing Switch Configs Required
If using RADIUS/802.1X:
- Visibility/Profiling: SNMP traps to NAC server; IP helpers to NAC server
- Access Control: add VLANs to switches/uplinks; AAA configs per switch (3-6 lines); AAA configs per edge port (4-15 lines, may be different per port based on endpoint needs)
If using Non-RADIUS (CLI/SNMP):
- Visibility/Profiling: SNMP traps to NAC server; IP helpers to NAC server
- Access Control: add VLANs to switches/uplinks
Why RADIUS vs Non-RADIUS Matters
- Limited control options
- MAB not a great option
- Tedious switch configs
- Ongoing change management
- Instability of off-standard implementations on switches
- Inconsistency of endpoint behavior
- 3rd-party managed endpoints
- Inflexibility of 802.1X
- Better visibility without 802.1X on wired
Example of 802.1X (RADIUS AAA) config on a single switch port
Example of a port-level config for 802.1X:
- First attempt to authenticate with 802.1X
- Then, if 802.1X times out, attempt to authenticate with MAB
- Prefer 802.1X over MAB
- Periodically reauthenticate
- If the RADIUS server is unreachable, reinitialize to VLAN XX
- Reinitialize the voice VLAN on the port
LOTS-o-stuff to track
When to Use RADIUS/802.1X Enforcement
1. Wireless
2. Exceptionally highly secured wired networks
3. Ports servicing public areas, kiosks
Overview of Products in the Market
[Chart: products plotted by size of environment against product enforcement preference (RADIUS/802.1X vs Non-RADIUS)]
MANAGING PEOPLE AND PROCESSES IN NAC
Managing People of NAC
Network, Security, Architecture, Operations, Help Desk and Legal all play a role, but Network and Security especially need to be in sync.
Legal and Executive sponsors play a role in creating and backing policy; without executive buy-in and C-level enforcement, policy controls at the technical level will be bypassed or overridden.
The Network team, regardless of wired, wireless, RADIUS or Non-RADIUS, needs to lead infrastructure design and be consulted throughout the engagement (especially prior to product selection) to ensure the environment supports the planned design.
The Security team may own the project/product and plays a major role in translating organizational policy into controls, again with the help of the Network team. They will also be involved in maintenance, management, incident response and security integrations.
Help Desk and end-user advisor groups will help you understand end-user expectations, use cases and culture.
Internal communications to end users are vital when making changes that impact the user's experience on the network. Educating users on the why, in addition to the how, is strongly urged.
Multi-departmental NAC Task Forces are your friend!!! Most enterprise organizations should have a minimum of 3 people fully involved and others consulted. Project Managers inside the organization are also highly recommended.
Managing Processes of NAC
Processes: any NAC solution/architecture will result in the need for more processes, and process failure in NAC can render the solution ineffective. Common process best practices include:
- Processes for asset management, CMDB entry and data standardization
- Processes for MACD on the network (moves, adds, changes, deletes), specifically:
  - Processes for documenting any moves/additions of switches, routers and wireless
  - Processes for making changes to configs of switches, routers and wireless
- Processes for endpoint compliance policy updates based on new applications or versions
- Processes for testing and validation of new endpoints on your NAC-enforced network
- Processes for addressing or remediating threats as identified by NAC
SUMMARY
Summary and Highlights
Recap:
- NAC is complicated, even in the most basic configurations.
- Involving the right people and processes is critical.
- Not all products work the same; focus on what's most important to your mission, and don't try to make your use case fit a product in a PoC. Make the product fit your use case.
- Get someone else to do it. (Just kidding)
Recap of order of impact related to product selection:
1. Access Control: #1 influencer (1X vs not-1X, specifically whether you want to enforce on wired, wireless or both)
2. Authentication: #2 influencer (if you want a built-in robust RADIUS/TACACS+ or certificate server)
3. Endpoint Integrity: #3 influencer (products have the same agent options, but offer different options for 3rd-party integrations and/or analysis from traffic collectors)
4. Profiling: #4 influencer (most products have parity here)
WHAT TO DO NEXT
How to apply knowledge from today's session.
How to Apply Your New NAC Knowledge
- Review processes and see if there are gaps that may cause issues, or if there's an opportunity to add clarity.
- Make sure NAC controls align with C-level sponsored policies so they have teeth and backing.
- Use NAC Task Force Teams throughout, including after deployment.
- Don't dismiss seemingly negative comments from a team: the people telling you why something can't work will be the people telling you how it CAN work. Pay attention.
- Don't be afraid to use 2 NAC products in your environment; we recommend it regularly for wired vs wireless, and there are ways to integrate NAC products and avoid duplication.
- The best deployments leverage team strengths and rely on Network Teams to manage infrastructure even if Security owns the project.