Network Admission Control: A Survey of Approaches Educause 2008

Presentation transcript:

Network Admission Control: A Survey of Approaches
Educause 2008
George Finney, J.D., Director of Digital Interests, Southern Methodist University
Thursday, October 30th, 2008

What Is It?

Background
- SMU began using NetReg in the late 1990s for our dorm and wireless networks.
- In 2004, SMU replaced the NetReg product with a commercial solution.
- In 2007, as a part of the University Strategic Objectives, SMU began the process of migrating to a "Zoned Network Architecture."
- In 2007, SMU commenced a project to implement NAC for the academic and administrative buildings.

Process
- Began with a definition of NAC
- Defined use cases, architecture preferences, required features, and goals
- Created a comprehensive questionnaire
- Compiled the questionnaires into a matrix
- Assembled a short list of vendors based on red flags from the matrix
- Scheduled on-line demos, then onsite visits, then finally in-house evaluations


NAC Definition
Network Access Control (NAC) is the system [1] that ensures each person and device [2] connecting [3] to the university network [4] is in compliance with the security requirements of the zone [5] being entered or ascending to. The NAC system, in concert with the university security zone architecture [5], ensures appropriate accountability [6] (authentication and authorization) for the individual connecting to the university network and appropriate levels of protection [7] for all other users and assets already on the university network and the internet.

[1] System in this context is a set of processes, procedures, software, hardware, policies and people assembled to deliver a cohesive service.
[2] Device in this context is any node on the university network that receives an IP address, both routable and non-routable.
[3] Connecting to the network in this context is the process of requesting an IP address.
[4] University network includes all university IP assets involved in the delivery of voice or data services. University IP assets include all institutionally owned or managed hardware/software and IP address ranges with actual or implied association with the university.
[5] Please reference the separate work-in-progress for the definition of security zone and security zone architecture.
[6] Accountability in this context is for one's own actions while using an SMU-provided IP address. While SMU respects the privacy of each individual using the university network, use of the university network does not provide anonymity or separation from one's actions. Activity or incidents that precipitate an investigation will be pursued to the full extent of university policy and rule of law.
[7] Protection in this context is protection from malware attack afforded by the security zone occupied.

Use Cases?

NAC Use Case Scenarios
- Faculty/staff users in their office
- Faculty/staff wireless users
- Remote users on dial-up or VPN
- Student wireless users
- Student wired users
- Student users without administrative privileges
- Student users with company-owned laptops
- Public access users with no SMU credentials

Requirements

NAC Requirements
- Must be out-of-band
- Must be vendor neutral for network equipment
- Must integrate with the existing wireless, VPN, and dial-up infrastructure
- Must support single sign-on
- Must support Windows XP and Vista, Mac OS X, and Linux
- Must have the ability to provide guest login
- Must provide an interface for distributed administration
- Must provide historical information and search capabilities for connection tracking and forensic analysis
- Must provide policy enforcement for antivirus, anti-spyware and operating system patches

Additional Important Features
- Integration with the wiring database
- Ability to integrate with IDP/IPS/PacketShaper
- Ability to prevent illicit peer-to-peer usage
- Ability to search for historical MAC-to-IP address information
- Integration with Active Directory for administrator login
- Provide a separate help desk interface with reduced privileges
- Provide the ability to create an alarm based on failed policy checks or network policy violations
- Provide detailed reporting functions within the admin interface
- Provide web portal customization within the interface

Landscape

NAC Landscape
- ITS reviewed the top 20 vendors in the NAC marketplace. Of these vendors, we received 18 responses.
- The vendors all apply different solutions for NAC. These approaches can be broken down into 7 general categories.
- Each vendor offers a combination of agentless, dissolvable-agent, and permanent-agent solutions. These combinations are customizable based on our use case definitions.

Architecture

NAC Approaches
In-line:
- Switch Replacement
- Uplink Aggregation
Out of Band:
- SNMP Device Management
- Permanent Agent
- Traffic Monitoring
- 802.1x/RADIUS Device Management
- ARP (Address Resolution Protocol) Agent

Inline – Switch Replacement

Inline – Switch Replacement
Pro:
- Provides the most granular coverage of any NAC solution.
- Agentless solution.
Con:
- Requires all switches to be replaced with NAC switches.

Inline – Uplink Aggregation

Inline – Uplink Aggregation
Pro:
- Agentless solution.
Con:
- Creates a bottleneck through which all traffic must flow.

Out-of-Band – SNMP Management

Out-of-Band – SNMP Management
Pro:
- Can make VLAN changes, ensuring that users are moved to the appropriate security zone.
Con:
- SNMP packets may be dropped; consequently, updates to VLANs can be delayed.
- Changes made via SNMP are not logged in the switch event log or in the switch log, which can make accounting for changes a challenge.
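To make the posture-enforcement requirements and the SNMP accounting caveat concrete, here is an added example (not code from the presentation or from any vendor evaluated in it) of the decision and record-keeping logic a NAC system would run before pushing a VLAN change: unauthenticated users go to a guest zone, any failed antivirus/anti-spyware/patch check sends an authenticated user to quarantine, and every decision is written to the NAC's own MAC/IP/VLAN history because the switch will not log the SNMP-driven change. The zone names and VLAN ids are constructed placeholders, not SMU's real zone architecture.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Posture checks the requirements slide says NAC must enforce.
REQUIRED_CHECKS = ("antivirus", "antispyware", "os_patches")
# Constructed zone names and VLAN ids (placeholders; not the real SMU zones).
ZONES = {"quarantine": 10, "guest": 20, "student": 30, "staff": 40}


@dataclass
class Device:
    mac: str
    ip: str
    user: Optional[str]          # None = public-access user with no SMU credentials
    role: Optional[str]          # "staff", "student" or None
    posture: dict = field(default_factory=dict)  # check name -> passed?


def decide_zone(dev):
    """Return (zone, failed_checks). Guests never get a posture check because
    they never leave the guest zone; everyone else must pass all checks."""
    if dev.user is None:
        return "guest", []
    failed = [c for c in REQUIRED_CHECKS if not dev.posture.get(c, False)]
    if failed:
        return "quarantine", failed
    return ("staff" if dev.role == "staff" else "student"), []


def audit_record(dev, zone, failed, switch, port):
    """NAC-side log entry. The switch does not record SNMP VLAN changes, so this
    is the only record tying a MAC/IP to a VLAN at a point in time (it also
    backs the historical MAC-to-IP search requirement)."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "mac": dev.mac.lower(), "ip": dev.ip, "user": dev.user,
        "switch": switch, "port": port,
        "zone": zone, "vlan": ZONES[zone], "failed_checks": failed,
    }


def process_connection(dev, switch, port, log):
    """Decide the zone, append the audit record, return the VLAN to push via SNMP."""
    zone, failed = decide_zone(dev)
    rec = audit_record(dev, zone, failed, switch, port)
    log.append(rec)
    return rec["vlan"]


def history_for_mac(log, mac):
    """Forensic lookup: every zone/IP assignment this MAC has received."""
    return [r for r in log if r["mac"] == mac.lower()]
```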

Out-of-Band – Permanent Agent

Out-of-Band – Permanent Agent
Pro:
- Can be integrated with the existing antivirus agent.
Con:
- Does not offer the ability to change VLANs.
- Not a good fit for unmanaged devices.

Out-of-Band – Traffic Monitoring

Out-of-Band – Traffic Monitoring
Pro:
- Obtains traffic information similar to an IDS, which offers the ability to act on signatures.
Con:
- Potential loss of traffic on the mirror port.
- Complicates router configuration.

Out-of-Band – 802.1x/RADIUS Device Management

Out-of-Band – 802.1x/RADIUS Device Management
Pro:
- Integrates with 802.1x-capable devices.
Con:
- Requires an agent to be installed on the RADIUS or Active Directory servers.

Out-of-Band – ARP Agent

Out-of-Band – ARP Agent
Pro:
- Doesn't require integration with or replacement of existing switches.
Con:
- Manipulates ARP (Address Resolution Protocol) tables on each client, which may be viewed as invasive.
- Requires at least one agent on each VLAN to enforce policy.

Questions?
George Finney
Email: gfinney@smu.edu
Phone: 214-768-3950