Interop Labs Network Access Control

Slides:



Advertisements
Similar presentations
Network Access Protection & Network Admission Control March 10, 2005 Teerapol Tuanpusa Network Consultant Cisco Systems Thailand Jirat Boomuang Technology.
Advertisements

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.
Guide to Network Defense and Countermeasures Second Edition
Network Security In Education A Balancing Act Doug Klein CTO Vernier Networks, Inc.
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
Agenda Introduction Network Access Protection platform architecture
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Module 3 Windows Server 2008 Branch Office Scenario.
Providing 802.1X Enforcement For Network Access Protection Mudit Goel Development Manager Windows Enterprise Networking Microsoft Corporation.
Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.
Network Access Protection Platform Architecture Joseph Davies Technical writer Windows Networking and Device Technologies Microsoft Corporation.
Interop Labs Network Access Control Interop Las Vegas 2006 Karen O’Donoghue.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
InteropLabs Network Access Control Interop Las Vegas 2008 Robert Nagy Accuvant Inc Principal Security Consultant
Security and Policy Enforcement Mark Gibson Dave Northey
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicPresentation_ID 1 Justin Rowling – Systems Engineer Protecting your network with Network Admission.
WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, /30/2009.
Information Security in Real Business
Network Access Management Trends in IT Applications for Management Prepared by: Ahmed Ibrahim S
© 2003, Cisco Systems, Inc. All rights reserved _07_2003_Richardson_c11 Security Strategy Update Self Defending Network Initiative Network Admission.
Network Access Control “an approach to computer network security that attempts to unify endpoint security.
All Rights Reserved © Alcatel-Lucent | Dynamic Enterprise Tour – Safe NAC Solution | 2010 Protect your information with intelligent Network Access.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Cisco NAC Luc Billot Security Consulting Engineer
Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Trusted Network Connect: Open.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 1: Exploring the Network Introduction to Networks.
PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 10 – Implementing the Cisco Adaptive Security.
Chapter 6 Configuring, Monitoring & Troubleshooting IPsec
Course 201 – Administration, Content Inspection and SSL VPN
Clinic Security and Policy Enforcement in Windows Server 2008.
Enabling Authentication & Network Admission Control Steve Pettit.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
1 Network Admission Control to WLAN at WIT Presented by: Aidan McGrath B.Sc. M.A.
Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net 1 Open Standards for Network Access Control Trusted Network Connect.
1 Week #7 Network Access Protection Overview of Network Access Protection How NAP Works Configuring NAP Monitoring and Troubleshooting NAP.
Selecting the Right Network Access Protection Architecture
Network Access Control for Education
Surviving in a hostile world  The myth of fortress applications  Tomas Olovsson CTO, Appgate Professor at Goteborg University, Sweden.
70-411: Administering Windows Server 2012
Implementing Network Access Protection
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Module 9: Configuring IPsec. Module Overview Overview of IPsec Configuring Connection Security Rules Configuring IPsec NAP Enforcement.
Module 11: Remote Access Fundamentals
Module 8: Configuring Network Access Protection
Module 9: Designing Network Access Protection. Scenarios for Implementing NAP Verifying the health of: Roaming laptops Desktop computers Visiting laptops.
Welcome Windows Server 2008 安全功能 -NAP. Network Access Protection in Windows Server 2008.
Configuring Network Access Protection
Data Communications and Networks Chapter 10 – Network Hardware and Software ICT-BVF8.1- Data Communications and Network Trainer: Dr. Abbes Sebihi.
NAC-NAP Interoperability
© 2008 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED,
Module 6: Network Policies and Access Protection.
Copyright © 2008 Juniper Networks, Inc. 1 Juniper Networks Access Control Solutions Delivering Comprehensive and Manageable Network Access Control Solutions.
Module 5: Network Policies and Access Protection
Managing Network Access Protection. Introduction to NAP Issues  Although corporate networks are highly secured, no control over the configuration of.
Great Bay Beacon Extreme Sentriant AG RADIUS router (proxy) Network Enforcement Point Switches Cisco Enterasys Extreme HP APs Introduction to NAC Switches.
KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY IT375 Window Enterprise Administration Course Name – IT Introduction to Network Security Instructor.
Cosc 5/4765 NAC Network Access Control. What is NAC? The core concept: –Who you are should govern what you’re allowed to do on the network. Authentication.
D-Link Wireless AP with NAP 802.1x solution
Implementing Network Access Protection
Firewalls.
Introduction to Cisco Identity Services Engine (ISE)
Trusted Network Connect: Open Standards for NAC
Network Access Control
Network Access Control
Security and identity (Network Access Protection, Parental Controls)
Intel Active Management Technology
Network Access Control
NAP / PWG Discussion August 17, 2009.
Presentation transcript:

Interop Labs Network Access Control Interop Las Vegas 2007 Jan Trumbo trumbo@opus1.com

Interop Labs Interop Labs are: With team members from: Technology Motivated, Open Standards Based, Vendor neutral, Test and Education focused, Initiatives… With team members from: Industry Academia Government Visit us at Booth 122! Technical contributions to this presentation include: Steve Hanna, Juniper Networks and TCG TNC Kevin Koster, Cloudpath Networks, Inc. Karen O’Donoghue, Joel Snyder, and the whole Interop Labs NAC team Interop Labs Network Access Control, May 2007, Page 2

Objectives This presentation will: This presentation will not: Provide a general introduction to the concept of Network Access Control Highlight the three most well known solutions Provide a context to allow a network engineer to begin to plan for NAC deployment Articulate a vision for NAC This presentation will not: Provide specifics on any of the three major approaches introduced Delve into the underlying protocol details One thing I acknowledge up front is that there is a big difference between vision and reality at this point. Some of this information will be available from Interop Lab Engineers in the booth Interop Labs Network Access Control, May 2007, Page 3

Why Network Access Control? Desire to grant different network access to different users, e.g. employees, guests, contractors Network endpoints can be threats Enormous enterprise resources are wasted to combat an increasing numbers of viruses, worms, and spyware Proliferation of devices requiring network connectivity Laptops, phones, PDAs Logistical difficulties associated with keeping corporate assets monitored and updated Interop Labs Network Access Control, May 2007, Page 4

Network Access Control is Who you are … …should determine What you can access Interop Labs Network Access Control, May 2007, Page 5

“Who” Has Several Facets User Identity + End-point Security Assessment + Network Environment Interop Labs Network Access Control, May 2007, Page 6

Access Policy May Be Influenced By Identity Jim (CTO), Steve (Network Admin), Sue (Engineering), Bob (Finance), Brett (Guest) Location Secure room versus non-secured room Connection Method Wired, wireless, VPN Time of Day Limit after hours wireless access Limit access after hours of employee’s shift Posture A/V installed, auto update enabled, firewall turned on, supported versions of software Realtime traffic analysis feedback (IPS) Interop Labs Network Access Control, May 2007, Page 7

Sample Policy IF user group=“phone” THEN VLAN=“phone-vlan” ELSE IF non-compliant AND user = “Alice” THEN VLAN=“quarantine” AND activate automatic remediation ELSE IF non-compliant AND user = “Bob” THEN VLAN=“quarantine” ELSE IF compliant THEN VLAN=“trusted” ELSE deny all Interop Labs Network Access Control, May 2007, Page 8

NAC is More Than VLAN Assignment Additional access possibilities: Access Control Lists Switches Routers Firewall rules Traffic shaping (QoS) Non-edge enforcement options Such as a distant firewall Interop Labs Network Access Control, May 2007, Page 9

NAC is More Than Sniffing Clients for Viruses Behavior-based assessment Why is this printer trying to connect to ssh ports? VPN-connected endpoints cannot access HR database You need control points inside the network to make this happen Interop Labs Network Access Control, May 2007, Page 10

Generic NAC Components Access Requestor Policy Enforcement Point Policy Decision Point Network Perimeter Interop Labs Network Access Control, May 2007, Page 11

Sample NAC Transaction Posture Collector Posture Validator Posture Collector 6 Posture Validator Posture Collector 1 Posture Validator Network Enforcement Point Server Broker Client Broker 2 7 8 Posture Collectors gather information about the state of the end point security on the client. Client Broker consolidates endpoint data from posture collectors(s) and passes it to the Network Access Requestor (supplicant) Network Access Requestor gets security assessment data from the TNC client and sends it to the Policy Enforcement Point. The Policy Enforcement Point receives the authentication and security assessment data and sends it on the Policy Decision Point. The Network Access Authority receives the data from the Access Requestor via the Policy Enforcement Point. If authentication is involved, the Network Access Authority checks with an authentication database to see if the user has valid credentials. Each Posture Validator checks the information from the corresponding Posture Collector and passes the verdict to the Server Broker The server broker consolidates the posture validator input into a single policy answer The Network Access Authority sends the corresponding answer and instructions to the PEP. Network Access Authority Network Access Requestor 4 5 3 Policy Enforcement Point Policy Decision Point Access Requestor Interop Labs Network Access Control, May 2007, Page 12

Access Requestors Sample Access Requestors Laptops PDAs VoIP phones Desktops Printers Components of an Access Requestor/Endpoint Posture Collector(s) Collects security status information (e.g. A/V software installed and up to date, personal firewall turned on) May be more than one per access requestor Client Broker Collects data from one or more posture collectors Consolidates collector data to pass to Network Access Requestor Network Access Requestor Connects client to network (e.g. 802.1X supplicant or IPSec VPN client) Authenticates user Sends posture data to Posture Validators Posture Collector Posture Collector Client Broker Network Access Requestor Access Requestor Interop Labs Network Access Control, May 2007, Page 13

Policy Enforcement Points Components of a Policy Enforcement Point Network Enforcement Point Provides access to some or all of the network Sample Policy Enforcement Points Switches Wireless Access Points Routers VPN Devices Firewalls Network Enforcement Point Policy Enforcement Point Interop Labs Network Access Control, May 2007, Page 14

Network Access Authority Policy Decision Point Components of a Policy Decision Point Posture Validator(s) Receives data from the corresponding posture collector Validates against policy Returns status to Server Broker Server Broker Collects/consolidates information from Posture Validator(s) Determines access decision Passes decision to Network Access Authority Network Access Authority Validates authentication and posture information Passes decision back to Policy Enforcement Point Posture Validator Server Broker Network Access Authority Policy Decision Point Interop Labs Network Access Control, May 2007, Page 15

InteropLabs Network Access Control Architecture Alphabet Soup What is it? TCG TNC Microsoft NAP Cisco NAC Posture Collector Third-party software that runs on the client and collects information on security status and applications, such as 'is A/V enabled and up-to-date?' Integrity Measurement Collector System Health Agent Posture Plug-in Applications Client Broker "Middleware" that runs on the client and talks to the Posture Collectors, collecting their data, and passing it down to Network Access Requestor TNC Client NAP Agent Cisco Trust Agent Network Access Requestor Software that connects the client to network. Examples might be 802.1X supplicant or IPSec VPN client. Used to authenticate the user, but also as a conduit for Posture Collector data to make it to the other side Network Access Requestor NAP Enforcement Client Posture Collector Posture Validator Client Broker Server Broker Network Enforcement Point IETF terms InteropLabs Network Access Control Architecture Alphabet Soup Network Access Requestor Network Access Authority What is it? TCG TNC Microsoft NAP Cisco NAC Network Enforcement Point Component within the network that enforces policy, typically an 802.1X-capable switch or WLAN, VPN gateway, or firewall. Policy Enforcement Point NAP Enforcement Server Network Access Device Posture Validator Third-party software that receives status information from Posture Collectors on clients and validates the status information against stated network policy, returning a status to the TNC Server Integrity Measurement Verifier System Health Validator Policy Vendor Server Server Broker "Middleware" acting as an interface between multiple Posture Validators and the Network Access Authority TNC Server NAP Administration Server Access Control Server Network Access Authority A server responsible for validating authentication and posture information and passing policy information back to the Network Enforcement Point. Network Access Authority Network Policy Server 2006Apr04

Example: Policy Enforcement Users who pass policy check are placed on production network Users who fail are quarantined Interop Labs Network Access Control, May 2007, Page 17

Example: Policy Enforcement Users who pass policy check are placed on production network Users who fail are quarantined Interop Labs Network Access Control, May 2007, Page 18

NAC Solutions There are three prominent solutions: Cisco’s Network Admission Control (CNAC) Microsoft’s Network Access Protection (NAP) Trusted Computer Group’s Trusted Network Connect (TNC) There are several proprietary approaches that we did not address Interop Labs Network Access Control, May 2007, Page 19

Cisco NAC Network Admission Control Strengths Many posture collectors for client Installed base of network devices Limitations More options with Cisco hardware Not an open standard Requires additional supplicant Status Product shipping today Interop Labs Network Access Control, May 2007, Page 20

Microsoft NAP Network Access Protection Strengths Part of Windows operating system Supports auto remediation Network device neutral Limitations Not an open standard Status Client (Vista) shipping today; will be in XP SP3 Linux client available Server (Longhorn) still in beta; 3rd parties shipping Expect Longhorn (Windows Server 2008) release in 2007?? Interop Labs Network Access Control, May 2007, Page 21

Trusted Computing Group (TCG) Trusted Network Connect (TNC) Strengths Open standards based Not tied to specific hardware, servers, or client operating systems Multiple vendor backing - Juniper, Microsoft Limitations Potential integration risk with multiple parties Status Products shipping today Tightly integrated with Microsoft NAP but products not shipping yet (Monday announcement) Updated specifications released May 2007 Multivendor interoperability is harder than single vendor interoperability Interop Labs Network Access Control, May 2007, Page 22

TNC Architecture Source: TCG IF-IMC Integrity Measurement Collector Interface IF-IMV Integrity Measurement Verifier Interface IF-TNCCS – TNC Client Server Interface IF-IMC and IF-IMV – Vendor Specific IMC-IMV messages IF-T Network Authorization Transport Protocol IF-PTS Platform Trust Services IF-PEP Policy Enforcement point Interface Source: TCG Interop Labs Network Access Control, May 2007, Page 23

Current State of Affairs Multiple semi-interoperable solutions Cisco NAC, Microsoft NAP, TCG TNC Conceptually, all 3 are very similar All with limitations Industry efforts at convergence and standardization TCG IETF Interop Labs Network Access Control, May 2007, Page 24

Getting Started - What’s Most Important to You? User Authentication Very Important Not Very Important End Point Security Very Important Not Very Important Enforcement Granularity Very Important Not Very Important VPN WLAN Guests Desktops Computer Room Everywhere Where will NAC apply? Interop Labs Network Access Control, May 2007, Page 25

Where Can You Learn More? Visit the Interop Labs Booth (#122) Live Demonstrations of all three major NAC architectures with engineers to answer questions Visit Interop Labs online: Interop Labs white papers, this presentation, and demonstration layout diagram Network Access Control VOIP: Wireless & Security http://www.opus1.com/nac http://www.opus1.com/voip Interop Labs Network Access Control, May 2007, Page 26

Interop Labs Network Access Control, May 2007, Page 27

VLANs Network Access Control Devices Spectrum Gigamon net monitor 010 1010 0101 010 Port Monitor Posture Validators Cisco ACS Server Broker & Network Access Authority Trend Micro LANDesk Cisco CSA internal EAP-FAST Port Monitor Devices Spectrum Cross-VLAN Firewall Packet Filters WildPackets analyzer Extreme Sentriant NG sensor DHCP info Posture Collectors Client Broker & Network Access Requestor Cisco NAC-Capable Client Trend Micro LANDesk Cisco CSA Cisco CTA Network Enforcement Point Switches Cisco Enterasys Extreme HP APs Introduction to NAC Switches and APs with full framework capability doing VLAN assignment Juniper IDP Device authentication VLANs Great Bay Beacon LDAP Device database Network behavior info phones printers badge readers Cisco Extreme HP Trapeze Posture Validators Juniper UAC Q1 Wave Systems PatchLink internal Server Broker & Network Access Authority EAP-JEAP Production Cisco CCA non-NAC clients Posture Collectors Client Broker & Network Access Requestor TCG TNC-Capable Client PatchLink Wave Systems Juniper UAC Contractor EAP/RADIUS LDAP Quarantine Enforcement Spectrum Posture Validators ID Engines Ignition internal Server Broker & Network Access Authority EAP-PEAP Guest Edge Enforcement User authentication Posture Collectors Client Broker & Network Access Requestor Microsoft NAP-Capable Client Trend Micro Microsoft System Health Agent Cisco Enterasys Extreme HP Trapeze Active Directory Auth by 802.1X Enforcement by: VLAN ACL / Filter QOS User database Switches RADIUS router (proxy) LDAP APs Posture Validators OSC Radiator internal Server Broker & Network Access Authority EAP-TTLS Network Enforcement Point Internet Windows Unix Mac EAP/RADIUS Axis Camera 802.1X/TLS HP Printer 802.1X/TLS Non-Edge Enforcement Cisco CCA Juniper ScreenOS 802.1X Clients without Posture Collectors posture Captive Portals Cisco Enterasys Extreme HP Lockdown Proxy Access Requestor Extreme Sentriant AG Posture Validators Microsoft NPS Trend Micro internal Server Broker & Network Access Authority EAP-PEAP NAC-capable switches Network Access Control Linksys Network Attached Storage Old switches and hubs Juniper firewall EAP/RADIUS Pingtel Phone Non 802.1X Clients Las Vegas 2007 Data center

Where can you learn more? White Papers available in the Interop Labs: What is Network Admission Control? What is 802.1X? Getting Started with Network Admission Control What is the TCG’s Trusted Network Connect? What is Microsoft Network Access Protection? What is Cisco Network Admission Control? What is the IETF’s Network Endpoint Assessment? Switch Functionality for 802.1X-based NAC Exception Cases and NAC Get the “NAC” of Troubleshooting NAC Resources Free USB key to the first 600 attendees! (has all NAC and VOIP materials) http://www.opus1.com/nac Interop Labs Network Access Control, May 2007, Page 29

NAC Lab Participants http://www.opus1.com/nac In ter o pL a bs N A C Te am M embers Kare n O'D o noghu e, U S Navy , Te a m L e ad Kevi n Koste r , C loud p at h N e tworks Bill Clary l , gran d m o therboar d .org Jef f F u lso m , Univ o f U t ah Joel Snyde r , Opus One Mik e McC a uley , O pen Sys t em s Consu l ta n ts Jan Tr u mb o , Opu s One Henry H e , UN H IOL Chris Hessin g , Id e nt i fy En g ines Lynn Ha n ey , Ti p pin g Po i nt Terry S i mons , I de n tit y Engi n es In ter o pL a bs N A C Vendor E n g i n eers Th o mas Ho w ard , Cisc o Sy s tem s , In c . Mark Townsen d, E n terasys Mik e Skri p ek , E x tr e me N etworks Charles Owens , Gr e a t B ay S o ftware Eric H ol t on , H P Procurve Bre t Jorda n, Id e nt i fy E n gines Bo b F i ler , Juni p er N e tworks Chrisita n McDona l d , Junipe r N e tworks Denzil Wessels , Jun i per N e tworks S t eve H a nna , Jun i per N etworks Oliver C hun g , L ockdown Net w orks P a t Fe t ty , Microso f t Don G onzale s , P a tchlink Sco tt V a nWa r t , Q 1 Labs Ti m McCarth y , Trapez e N e tworks Ryan Ho l lan d , Tren d M icro Alw i n Y u , Tren d M icro A mi t Desh p and e , Wave Syst e ms http://www.opus1.com/nac Interop Labs Network Access Control, May 2007, Page 30

Thank You. Questions. Interop Labs -- Booth 122 http://www. opus1 Interop Labs Network Access Control, May 2007, Page 31

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.