Implementation of NAC at ORNL

Similar documents
Cisco Network Admission Control (NAC) Solution

Wireless Integration Overview

ISE Version 1.3 Self Registered Guest Portal Configuration Example

August knac! 10 (or more) ways to bypass a NAC solution. Ofir Arkin, CTO

Networks with Cisco NAC Appliance primarily benefit from:

Symbols. Numerics I N D E X

Configuring NAC Out-of-Band Integration

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

NEXT GENERATION SOLUTION FOR NETWORK ACCESS MANAGEMNT & CONTROL

Wireless Network Security

Secure IP Address Management Layer 2 Network Access Control Solution

Detecting MAC Spoofing Using ForeScout CounterACT

Reviewer s guide. PureMessage for Windows/Exchange Product tour

Securing the Empowered Branch with Cisco Network Admission Control. September 2007

Cisco NAC Network Module for Integrated Services Routers

C H A P T E R Overview Cisco Aironet 1400 Series Wireless Bridges Software Configuration Guide OL

Vendor: Cisco. Exam Code: Exam Name: Implementing Advanced Cisco Unified Wireless Security (IAUWS) v2.0. Version: Demo

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ]

Error and Event Log Messages

FortiNAC. Cisco Airespace Wireless Controller Integration. Version: 8.x. Date: 8/28/2018. Rev: B

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller

Add a Wireless Network to an Existing Wired Network using a Wireless Access Point (WAP)

Question: 1 The NAC Agent uses which port and protocol to send discovery packets to an ISE Policy Service Node?

Cisco Self Defending Network

Cisco TrustSec How-To Guide: Central Web Authentication

Integrating Wireless into Campus Networks

Klaudia Bakšová System Engineer Cisco Systems. Cisco Clean Access

FortiNAC. HiPath. Enterasys. Siemens. Extreme. Wireless Integration. Version: 8.x. Date: 8/28/2018. Rev: B

Cisco Wireless LAN Controller Module

BEST PRACTICE - NAC AUF ARUBA SWITCHES. Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features

Integrating Meraki Networks with

TNC EVERYWHERE. Pervasive Security

Bypassing NAC v2.0. Ofir Arkin, CTO OSSIR

FortiNAC. Aerohive Wireless Access Point Integration. Version 8.x 8/28/2018. Rev: E

PW0-104 Q&As. Wireless LAN Administration Exam. Pass CWNP PW0-104 Exam with 100% Guarantee

Simplifying your 802.1X deployment

Deployment Guide. Best Practices for CounterACT Deployment: Guest Management

Interop Labs Network Access Control

Cisco WAP371 Wireless-AC/N Dual Radio Access Point with Single Point Setup

WHY YOUR NAC PROJECTS KEEP FAILING: ADDRESSING PRODUCTS, PEOPLE, PROCESSES

DumpsFree. DumpsFree provide high-quality Dumps VCE & dumps demo free download

Access Guardian and BYOD in AOS Release 8.1.1

Homework 4 assignment for ECE374 Posted: 04/06/15 Due: 04/13/15

ClearPass Design Scenarios

ONE POLICY. Tengku Shahrizam, CCIE Asia Borderless Network Security 20 th June 2013

Network Access Control Approaches

Cisco Exam Questions and Answers (PDF) Cisco Exam Questions BrainDumps

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions

ForeScout Extended Module for MaaS360

Case study: UniCredit Tiriac Bank deploys Cisco Network Admission Control

Campus Network Design

Extreme Management Center

Introduction. What is Cisco NAC Appliance? CHAPTER

Interoperability guide Phoenix Contact WLAN clients with Cisco Wireless LAN Controllers (WLC) Published:

2012 Cisco and/or its affiliates. All rights reserved. 1

Enterasys Network Access Control

Using the Cisco NAC Profiler Endpoint Console

USP Network Authentication System & MobileIron. Good for mobile security solutions

Configuring IEEE 802.1x Port-Based Authentication

Configuring Network Admission Control

Enterasys. Design Guide. Network Access Control P/N

Exam HP2-Z32 Implementing HP MSM Wireless Networks Version: 7.1 [ Total Questions: 115 ]

Universal Wireless Controller Configuration for Cisco Identity Services Engine. Secure Access How-To Guide Series

User Management: Configuring User Roles and Local Users

Cisco WAP321 Wireless-N Selectable-Band Access Point with Power over Ethernet

Manually setting up the Linksys RE9000

Cisco WAP131 Wireless-N Dual Radio Access Point with PoE

Cisco WAP321 Wireless-N Selectable-Band Access Point with Power over Ethernet

ForeScout CounterACT. Configuration Guide. Version 1.8

Configuring Network Admission Control

Cisco WAP351 Wireless-N Dual Radio Access Point with 5-Port Switch

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX Series Switch with Access to a DHCP Server Through a Second Switch

Identity Based Network Access

Cisco Meraki Wireless Solution Comparison

Configuring AP Groups

Basic Wireless Settings on the CVR100W VPN Router

NAC: LDAP Integration with ACS Configuration Example

Monitoring Event Logs

Support Device Access

Campus Network Design. 2003, Cisco Systems, Inc. All rights reserved. 2-1

Wireless NAC Appliance Integration

Configuring Hybrid REAP

Provide One Year Free Update!

Legrand Access point manager User manual

FortiNAC ADTRAN vwlan Wireless Controllers Integration

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

802.1X: Background, Theory & Implementation

ClearPass Ecosystem. Tomas Muliuolis HPE Aruba Baltics lead

ForeScout Agentless Visibility and Control

Implementing. Security Technologies. NAP and NAC. The Complete Guide to Network Access Control. Daniel V. Hoffman. WILEY Wiley Publishing, Inc.

Submitted on behalf of the DOE National SCADA Test Bed. Jeff Dagle, PE Pacific Northwest National Laboratory (509)

Cisco ISE Features. Cisco Identity Services Engine Administrator Guide, Release 1.4 1

Unified Networks Administration & Monitoring System Specifications : YM - IT. YM Unified Networks Administration & Monitoring System

User Directories and Campus Network Authentication - A Wireless Case Study

Cisco ISE Ports Reference

P ART 3. Configuring the Infrastructure

Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy

BYOD: BRING YOUR OWN DEVICE.

Set Up Policy Conditions

Transcription:

Implementation of NAC at ORNL Paige Stafford Summer 2009 ESCC/Internet2 Joint Techs Indianapolis, IN July 19-24, 2009 Managed by UT-Battelle

Outline Background ORNL s network NAC defined Origins of ORNL s NACmgr NACmgr implementation Focus on Detection (Polling) Future direction and conclusion 2 Managed by UT-Battelle

ORNL s Network 4000 employees 3000 guests 2 class B s Segmented 10 Enclaves 32 routers +900 subnets +600 switches +20,000 registered devices Mix of Cisco, 3Com, Foundry 3 Managed by UT-Battelle

ORNL s Network, Cont. +98% clients DHCP enabled (mostly Windows) Wireless Network WPA DHCP access only Available in all buildings Visitor Network 4 Managed by UT-Battelle

NAC Implementation Choices Looked seriously at Cisco, Lockdown Both Required supplicant user implementation hurdle Cisco Too expensive (have to replace non-cisco) (total ~$3M) Lockdown Better price Accommodates current switch vendors uncertainty: viability/service support 5 Managed by UT-Battelle

NAC Implementation Choices, Cont. Not ready for COTS quite yet Looked at the nuts and bolts we really could do this ourselves Started with detection and enforcement So, what is NAC? 6 Managed by UT-Battelle

NAC Defined Network Access Control (NAC) is a set of technologies and defined processes that aim to control access to the network, allowing only authorized and compliant devices to access and operate on a network. Here are the elements: 1. Detection 2. Quarantine and Remediation 3. Enforcement 4. Post-Admission Protection 5. Authentication 6. Compliance 7. Authorization 7 Managed by UT-Battelle From Ofir Arkin: Bypassing NAC v2.0

ORNL Already Had Most Elements NACmgr is part of and ties together ORNL s NAC system 8 Managed by UT-Battelle

NACmgr Implementation 9 Managed by UT-Battelle

NACmgr Implementation Detection Poll all switches/routers Every 300 s Using SNMP Information stored for Detection MAC address (defines the host) IP address(es) used by MAC address Switch and Port Vlan and Router Date/time First and Last polled 10 Managed by UT-Battelle

NACmgr Implementation Enforcement If DHCP-client Quarantine DHCP issues special IP configuration to host requests Issued by ORNL s compliance monitoring system Changes network registration status Triggers change in DHCP configuration Sends notification to owner, sysmgr Else L2-block Disable access at the switch MAC drop / Port Disable 11 Managed by UT-Battelle

NACmgr Implementation Enforcement, Cont. Detects unregistered, non-dhcp clients L2-blocks these DROP mac on Cisco Disable port on 3Com, Foundry Masquerading MAC address monitoring Monitors ARP caches for MAC addresses showing up in more than one LAN 12 Managed by UT-Battelle

NACmgr Implementation Enforcement, Cont. Enforcement must be monitored Since host can move From DHCP enabled to static (and visa versa) To a different port/switch/network 13 Managed by UT-Battelle

NACmgr Technical Details Large Primary Server Web interface (Apache) NAC database (PostgreSQL) Outpost Server Outpost Server (2) Primary duty is polling One or many virtual outposts 14 Managed by UT-Battelle

NACmgr Code Specifications Programming language Researched benchmarks of execution time of hash algorithms of C, C++, Java C++ came out on top http://bruscy.multicon.pl/pages/przemek/java_not_really_faster_than_cpp.html http://members.lycos.co.uk/wjgoh/javavsc.html http://www.kano.net/javabench/data Libraries Net-SNMP: SNMP library for C pqxx: PostgreSQL library for C++ Oracle (Network Registration) RudeCGI: C++ CGI library (web interface) pthreads: POSIX threaded library 15 Managed by UT-Battelle

NACmgr s Network Model Network has three parts L3 (router) Arp Caches One or many Vlans Vlan Ties L3 to L2 One to many subnets L2 (switch) Bridge Table 16 Managed by UT-Battelle

NACmgr Database Model Corresponds to the Network Model 17 Managed by UT-Battelle

NACmgr Polling Optimization, Cont. Each L3-network is assigned to an Outpost Load Distribution is optimized among outposts The L3 Network model 18 Managed by UT-Battelle

NACmgr Polling Optimization, Cont. L3 distribution example NACmgr web interface The L3 Network model NACmgr polling time snapshot taken at 13:00 19 Managed by UT-Battelle

NACmgr Polling Optimization, Cont. Processing time constraint on data Depends on number of hosts Network Latency is relatively insignificant Outposts complete all polling within 50-90 s Dependent on on time of day e.g. 08:00 load higher than that at 20:00 20 Managed by UT-Battelle

NACmgr Limitations The host is already on the network Before non-compliance is detected Switches must be set up correctly Passwords, SNMP access, TTL, etc Wireless Network doesn t poll Access Points Polling and blocking is at the L3 only 21 Managed by UT-Battelle

Future Direction Room for Improvement of existing tasks Adding more tasks/functions Adding SHUNs to mix Looking to use vlan assignment at L2 port Centralizing ORNL s NAC systems Looking to hire another programmer [accepting applications now] 22 Managed by UT-Battelle

Conclusion NACmgr is part of the NAC system at ORNL Accommodates current network Managed Out-of-Band, no client supplicant Simple deployment and operation Cost Effective Good solution vs. No Solution Effectively detects and enforces compliance no NAC solution is 100% 23 Managed by UT-Battelle

24 Managed by UT-Battelle

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback