Network Access Control

Presentation transcript:

Network Access Control
http://en.wikipedia.org/wiki/Network_Access_Control
“an approach to computer network security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication and network security enforcement”
- Aim: to control endpoint security by unifying it with network device security and the network as a whole
- Result: end devices that do not comply with the set security policies are identified and quarantined.

Why and What?
- Why NAC? http://www.ashimmy.com/2007/03/a_brief_history.html
  “The biggest driver for NAC was the realization that after spending billions on the perimeter, we still were not any more secure.” Why? Internal threats …
- What is NAC? http://www.ashimmy.com/2007/03/nac_bust_or_boo.html
  “The original concept of NAC was performing pre-admission health or profile checks on devices as they sought to enter the network. If the device failed they were denied access or quarantined. Then we added post-admission vulnerability scans, then IDS detection, behavior based detection, identity based access controls, etc. Before you know it, anything that has anything to do with getting on the network and staying there is part of NAC.”

NAC: Goals
http://en.wikipedia.org/wiki/Network_Access_Control
- Mitigation of non-zero-day attacks (?): to prevent end-stations that lack antivirus, patches, or host intrusion prevention software from accessing the network and placing other computers at risk of cross-contamination
- Policy enforcement: to allow network operators to define policies, such as the types of computers or roles of users allowed to access areas of the network, and enforce them in switches, routers, and network middleboxes (like firewalls)
- Identity and access management: instead of using IP addresses, NAC enforces network access based on authenticated user identities, at least for user end-stations such as laptops and desktop computers

Support for NAC
- Cisco: Network Admission Control (NAC), since 2003/2004
  A brief history of NAC (3/8/2007) http://www.ashimmy.com/2007/03/a_brief_history.html
- Other companies joined and pushed out their “NAC” products
- Microsoft’s response: Network Access Protection, NAP (first introduced in Windows Server 2008) http://en.wikipedia.org/wiki/Network_Access_Protection

Source: http://www. forescout

Gartner’s Magic Quadrant for NAC: published 12/2011
http://www.gartner.com/technology/reprints.do?id=1-18VNF2C&ct=120119&st=sb (local copy)

NAC vendors compared
https://www.gartner.com/reviews/market/network-access-control/vendors

NAC Basic Concepts (Source: http://en. wikipedia)
- Pre-admission vs post-admission enforcement
- Agent vs agentless data collection
  - Agent: agent software runs on the endpoint and reports its status
  - Agentless devices: some devices do not support NAC agent software, e.g., printers, scanners, phones, photocopiers, and other special devices; NAC uses scanning and network inventory techniques (whitelisting, blacklisting, ACLs) to discern their characteristics remotely

NAC Basic Concepts (Source: http://en. wikipedia)
- Out-of-band vs inline solutions
  - Inline: a single box acts as an internal firewall for access-layer networks and enforces the policy
  - Out-of-band: agents on end-stations report information to a central console, which in turn controls switches to enforce policy

NAC Basic Concepts (Source: http://en. wikipedia)
- Quarantine vs captive portals for remediation
  - Quarantine: a non-compliant end-station is only allowed to access a restricted network with patch and update servers
  - Captive portals: the captive portal technique forces an HTTP client on a network to see a special web page before gaining full access. In NAC, a captive portal intercepts HTTP access to web pages, redirecting users to a web application that provides instructions and tools for updating their computers

Cisco’s NAC
Source: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps5923/product_data_sheet0900aecd80119868.html
- NAC is a set of technologies and solutions built on an industry initiative led by Cisco Systems®.
- NAC uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from emerging security threats such as viruses, worms, and spyware.

Why NAC?
- Endpoints that do not comply with established security policies pose a threat and can introduce a security risk into the network.
- Goal of NAC: to prevent vulnerable and noncompliant hosts from obtaining network access
- Q: Why isn’t user authentication (like 802.1x) sufficient? Ans?

Cisco’s approach to NAC
- The NAC solution uses the network access devices (NAD) to protect the network infrastructure from any endpoint seeking network access.
- Only compliant endpoints are granted access.
- Noncompliant devices are denied access and quarantined for remediation.

Source: http://www. cisco

Cisco’s NAC Solutions: Two options
- The NAC Appliance approach
  - Aka Cisco Clean Access (CCA) appliance
  - A Cisco packaged solution
  - CCA agent provides posture information; Cisco Security Agent (CSA) provides protection
- The NAC Framework approach

Cisco’s NAC Solutions: Two options
- The NAC Framework approach
  - Built on NAC-enabled network access devices (NAD), Cisco or non-Cisco
  - Compliant endpoints are granted access to the network
  - Noncompliant endpoints are placed in quarantine for remediation
  - c.f., Figure 13-2

Cisco NAC Solution: two options Figure 13-2

Cisco Security Agent (CSA)
- Cisco’s host intrusion prevention tool; details in Ch 21
- On June 11, 2010, Cisco announced the end-of-life and end-of-sale of CSA. (source: http://en.wikipedia.org/wiki/Cisco_Security_Agent)
- CSA components
  - CSA endpoints: enforce the security policies received from the management server, send events, and interact with the user
  - CSA management server: the repository holding the configuration database
  - CSA management console: a web-based admin user interface and policy configuration tool

Cisco’s NAC Framework source: http://www. cisco

1. Client sends a packet through a NAC-enabled router.
2. NAD begins posture validation using EOU.
3. Client sends posture credentials using EOU to the NAD.
4. NAD sends posture to Cisco ACS using RADIUS.
5. Cisco Secure ACS requests posture validation using the Host Credential Authorization Protocol (HCAP) inside an HTTPS tunnel.
6. Posture validation/remediation server sends validation response of pass, fail, quarantine, and so on.
7. To permit or deny network access, Cisco Secure ACS sends an accept with ACLs/URL redirect.
8. NAD forwards posture response to client.
9. Client is granted or denied access, redirected, or contained.

Cisco Trust Agent (CTA)
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps5923/product_data_sheet0900aecd80119868.html
- A posture agent (PA) serves as the single point of contact on the host for aggregating credentials from all posture plugins and communicating with the network.
- This module also provides a trusted relationship with the network for the purposes of exchanging these posture credentials.

Cisco Trust Agent (CTA)
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps5923/product_data_sheet0900aecd80119868.html (2009)
- Acts as a middleware component that takes host policy information and securely communicates the information to the AAA policy server
- Interacts directly with "NAC-enabled" applications running on the host without user intervention
- Can communicate at Layer 3 (EAP over UDP) or Layer 2 (802.1x supplicant) with the NADs
  - The supplicant is able to use the EAP-FAST protocol to carry both identity and posture information within the 802.1x transport.
- Free to download

Cisco Trust Agent (CTA)
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps5923/product_data_sheet0900aecd80119868.html

Source: http://www. cisco
GAME: Generic Authorization Message Exchange

source: http://www. cisco
See the FAQ, http://www.cisco.com/en/US/solutions/ns340/ns394/ns171/ns466/ns617/net_design_guidance0900aecd8040bc84.pdf:
- HCAP: Host Credential Authorization Protocol
- AV server: attribute-value server (aka posture validation server)
- PA: Posture Agent
- APT: Application Posture Token
- SPT: System Posture Token
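The nine-step NAC Framework flow and the APT/SPT terms above, modelled as an added example (not Cisco code): the ACS side validates each posture plugin's credentials into an Application Posture Token, folds them into a System Posture Token by the "worst token wins" rule, and maps that token to the accept-with-ACL/URL-redirect decision handed back to the NAD. The plugin names, thresholds, ACL names and remediation URL are constructed for illustration; the token names follow Cisco's documented set, everything else is a simplification.

```python
"""Toy model of Cisco NAC Framework posture validation (added example, not Cisco code)."""
from enum import IntEnum


class Token(IntEnum):
    # Cisco posture tokens, ordered from least to most restrictive.
    # Cisco ranks UNKNOWN as the worst token, so a plugin that reports nothing
    # drags the whole system down to UNKNOWN.
    HEALTHY = 0
    CHECKUP = 1
    QUARANTINE = 2
    INFECTED = 3
    UNKNOWN = 4


# Constructed policy (hypothetical values): each posture plugin must report a
# numeric attribute; slightly below "required" is CHECKUP, further below is QUARANTINE.
POLICY = {
    "antivirus": {"attr": "dat_version", "required": 5000, "grace": 100},
    "os_patch": {"attr": "patch_level", "required": 7, "grace": 1},
}

# Constructed enforcement table: SPT -> (decision, downloadable ACL, URL redirect).
ENFORCEMENT = {
    Token.HEALTHY: ("permit", "acl-full-access", None),
    Token.CHECKUP: ("permit", "acl-full-access", "http://remediation.example/update"),
    Token.QUARANTINE: ("quarantine", "acl-quarantine-only", "http://remediation.example/"),
    Token.INFECTED: ("deny", "acl-deny-all", None),
    Token.UNKNOWN: ("quarantine", "acl-quarantine-only", "http://remediation.example/agent"),
}


def application_posture_token(plugin, creds):
    """Step 5/6: the posture validation server grades one plugin's credentials into an APT."""
    rule = POLICY[plugin]
    if creds.get("infected"):
        return Token.INFECTED
    value = creds.get(rule["attr"])
    if value is None:                      # plugin present but no usable credential
        return Token.UNKNOWN
    if value >= rule["required"]:
        return Token.HEALTHY
    if value >= rule["required"] - rule["grace"]:
        return Token.CHECKUP
    return Token.QUARANTINE


def acs_decision(posture):
    """Step 4 -> 7: given the credentials the NAD relayed over RADIUS, return (SPT, enforcement)."""
    # A plugin required by policy but absent from the report is treated as UNKNOWN.
    apts = {p: application_posture_token(p, posture.get(p, {})) for p in POLICY}
    spt = max(apts.values())               # System Posture Token: worst APT wins
    return spt, ENFORCEMENT[spt]
```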

NAC vs 802.1X for endpoint security
Source: http://www.cloudcentrics.com/?p=579
- 802.1x technologies do a great job in protecting network assets before they are utilized on the network. Non-authorized machines generally never get on the network. In addition, 802.1x technologies have greater flexibility in provisioning users in different types of VLANs for isolation, such as guest or remediation VLANs.
- NAC technologies do a great job in assuring that when a user is on a network they meet minimum criteria of software patches to stay on the network. If they do not meet these requirements, upstream devices, such as firewalls, block them from accessing the network.
- Q: Agree?

More References
- Joel Snyder, Network access control vendors pass endpoint security testing - Alcatel-Lucent, Bradford, Enterasys, ForeScout, McAfee go above and beyond, Network World, June 21, 2010 http://www.networkworld.com/reviews/2010/062110-network-access-control-test-end-point.html
- Tutorial: Network Access Control (NAC), July 17, 2007 http://www.networkcomputing.com/data-protection/229607166?pgno=3
- Good explanation of basic NAC concepts: http://en.wikipedia.org/wiki/Network_Access_Control
- FAQ for Network Admission Control (NAC), 2006: http://www.cisco.com/en/US/solutions/ns340/ns394/ns171/ns466/ns617/net_design_guidance0900aecd8040bc84.pdf