Interop Labs Network Access Control Interop Las Vegas 2006 Karen O’Donoghue.

Karen O’Donoghue, May 2006, Page 2: Interop Labs
Interop Labs are:
– Technology motivated
– Open standards based
– Vendor neutral
– Test and education focused
initiatives, with team members from industry, academia, and government. Visit us at Booth 2506!
Technical contributions to this presentation include:
– Steve Hanna, Juniper Networks and TCG TNC
– Kevin Koster, Cloudpath Networks, Inc.
– Jan Trumbo, Joel Snyder, and the whole Interop Labs NAC team

Page 3: Objectives
This presentation will:
– Provide a general introduction to the concept of Network Access Control
– Highlight the three most well known solutions
– Provide a context to allow a network engineer to begin to plan for NAC deployment
– Articulate a vision for NAC
This presentation will not:
– Provide specifics on any of the three major approaches introduced
– Delve into the underlying protocol details

Page 4: Agenda
– Why NAC?
– What is a Policy?
– Generic NAC architecture
– What is emerging today?
– What are your first steps?
– Where can you learn more?

Page 5: Why NAC?
Proliferation of devices requiring network connectivity
– Laptops, phones, PDAs
Increasingly mobile workforce
– Requiring roughly the same access regardless of where they are connecting from
Mobile workforce is becoming infected
– Enormous enterprise resources are wasted combating increasing numbers of viruses, worms, and spyware
Logistical difficulties associated with keeping corporate assets monitored and updated

Page 6: Policy Possibilities
Who
– Jim (CTO), Steve (Network Admin), Sue (Engineering), Bob (Finance), Brett (Guest)
Location
– Secure room versus non-secured room
Connection method
– Wired, wireless, VPN
Time of day
– Limit after-hours wireless access
– Limit access outside the hours of an employee’s shift
Posture
– A/V installed, auto update enabled, firewall turned on, supported versions of software
– Real-time traffic analysis feedback (IPS)

Page 7: Sample Policy
IF user group = “phone” THEN VLAN = “phone-vlan”
ELSE IF non-compliant AND user = “Alice” THEN VLAN = “quarantine” AND activate automatic remediation
ELSE IF non-compliant AND user = “Bob” THEN VLAN = “quarantine”
ELSE IF compliant THEN VLAN = “trusted”
ELSE deny all
(Rules are evaluated top to bottom: phones are placed by group before any posture check, and the final ELSE is reached only by non-compliant endpoints that are neither Alice nor Bob, which are denied outright.)

Page 8: Is NAC only VLANs?
NAC is not limited to dynamic VLAN configuration. Additional access possibilities:
– Access Control Lists on switches and routers
– Firewall rules
– Traffic shaping (QoS)
– Inline enforcement options

Page 9: Agenda (section divider; next section: Generic NAC architecture)

Page 10: Generic NAC Components (diagram showing the Access Requestor, Policy Enforcement Point, Policy Decision Point, and the Network Perimeter)

Page 11: Sample NAC Transaction (diagram). Components shown:
– Access Requestor: Posture Collector, Client Broker, Network Access Requestor
– Policy Enforcement Point: Network Enforcement Point
– Policy Decision Point: Posture Validator, Server Broker, Network Access Authority

Page 12: Access Requestors
Sample Access Requestors
– Laptops
– PDAs
– VoIP phones
– Desktops
– Printers
Components of an Access Requestor/Endpoint
– Posture Collector(s): collects security status information (e.g. A/V software installed and up to date, personal firewall turned on); there may be more than one per access requestor
– Client Broker: collects data from one or more posture collectors and consolidates it to pass to the Network Access Requestor
– Network Access Requestor: connects the client to the network (e.g. 802.1X supplicant or IPsec VPN client), authenticates the user, and sends the posture data on to the Posture Validators

Page 13: Policy Enforcement Points
Components of a Policy Enforcement Point
– Network Enforcement Point: provides access to some or all of the network
Sample Policy Enforcement Points
– Switches
– Wireless Access Points
– Routers
– VPN Devices
– Firewalls

Page 14: Policy Decision Point
Components of a Policy Decision Point
– Posture Validator(s): receives data from the corresponding posture collector, validates it against policy, and returns a status to the Server Broker
– Server Broker: collects/consolidates the information from the Posture Validator(s), determines the access decision, and passes it to the Network Access Authority
– Network Access Authority: validates the authentication and posture information and passes the decision back to the Policy Enforcement Point
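
The transaction on pages 11 to 14, driven by the sample policy on page 7 and ending in the enforcement choices of page 8, as an added worked example. This is not code from the Interop Labs deck or from any of the three vendors; every component name, VLAN number, user record and the ACL name are hypothetical, and the endpoints are constructed. The only real identifiers are the RADIUS attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id from RFC 2865/2868), which is how a policy server commonly hands a VLAN or ACL decision to an 802.1X switch.

```python
"""Added example modelling the generic NAC components (pages 11-14) and the
page 7 sample policy. All names are hypothetical; not Interop Labs code."""

# ---- Access Requestor (endpoint) ----------------------------------------

def av_collector(host):
    """Posture Collector #1: anti-virus state."""
    return {"av_installed": host["av_installed"], "av_current": host["av_current"]}

def firewall_collector(host):
    """Posture Collector #2: personal firewall and auto-update state."""
    return {"firewall_on": host["firewall_on"], "auto_update": host["auto_update"]}

def client_broker(host, collectors):
    """Consolidates the data of every collector into one posture report."""
    posture = {}
    for collect in collectors:
        posture.update(collect(host))
    return posture

def network_access_requestor(host, collectors):
    """Supplicant/VPN client: user identity plus the consolidated posture."""
    return {"user": host["user"], "group": host["group"],
            "posture": client_broker(host, collectors)}

# ---- Policy Decision Point ----------------------------------------------

def av_validator(posture):
    """Posture Validator #1: A/V must be installed and up to date."""
    return bool(posture.get("av_installed") and posture.get("av_current"))

def firewall_validator(posture):
    """Posture Validator #2: firewall on and auto-update enabled."""
    return bool(posture.get("firewall_on") and posture.get("auto_update"))

def server_broker(posture, validators):
    """Compliant only if every validator accepts the posture."""
    return all(validate(posture) for validate in validators)

def network_access_authority(request, validators):
    """Page 7 sample policy, evaluated top to bottom; None means deny all."""
    compliant = server_broker(request["posture"], validators)
    user = request["user"]
    if request["group"] == "phone":
        return {"vlan": "phone-vlan", "remediate": False}
    if not compliant and user == "Alice":
        return {"vlan": "quarantine", "remediate": True}
    if not compliant and user == "Bob":
        return {"vlan": "quarantine", "remediate": False}
    if compliant:
        return {"vlan": "trusted", "remediate": False}
    return None

# VLAN IDs are assumed; the VLAN names come from the page 7 policy.
VLAN_IDS = {"phone-vlan": "20", "trusted": "10", "quarantine": "99"}

def to_radius(decision):
    """Encode the decision as the RADIUS reply an 802.1X switch acts on:
    a VLAN assignment and, when remediation is required, a named ACL (page 8)."""
    if decision is None:
        return {"Code": "Access-Reject"}
    attrs = {"Code": "Access-Accept",
             "Tunnel-Type": 13,                 # VLAN (RFC 2868)
             "Tunnel-Medium-Type": 6,           # IEEE-802
             "Tunnel-Private-Group-ID": VLAN_IDS[decision["vlan"]]}
    if decision["remediate"]:
        attrs["Filter-Id"] = "remediation-servers-only"   # hypothetical switch ACL name
    return attrs

# ---- Policy Enforcement Point -------------------------------------------

def enforcement_point(host, collectors, validators):
    """Relays the access request to the PDP and returns what the switch enforces."""
    request = network_access_requestor(host, collectors)
    return to_radius(network_access_authority(request, validators))

COLLECTORS = [av_collector, firewall_collector]
VALIDATORS = [av_validator, firewall_validator]

# Constructed endpoints (not lab data), using the users named on pages 6 and 7.
ALICE_STALE_AV = {"user": "Alice", "group": "staff", "av_installed": True,
                  "av_current": False, "firewall_on": True, "auto_update": True}
BOB_NO_FIREWALL = {"user": "Bob", "group": "finance", "av_installed": True,
                   "av_current": True, "firewall_on": False, "auto_update": True}
BRETT_GUEST = {"user": "Brett", "group": "guest", "av_installed": False,
               "av_current": False, "firewall_on": False, "auto_update": False}
SUE_CLEAN = {"user": "Sue", "group": "engineering", "av_installed": True,
             "av_current": True, "firewall_on": True, "auto_update": True}
VOIP_PHONE = {"user": "phone-0042", "group": "phone", "av_installed": False,
              "av_current": False, "firewall_on": False, "auto_update": False}

if __name__ == "__main__":
    for host in (ALICE_STALE_AV, BOB_NO_FIREWALL, BRETT_GUEST, SUE_CLEAN, VOIP_PHONE):
        print(host["user"], enforcement_point(host, COLLECTORS, VALIDATORS))
```

Two design points worth noticing. Adding a third check (say, supported software versions from page 6) means adding one collector on the endpoint and one validator on the PDP, without touching the policy itself, which is exactly the separation the broker layers on pages 12 and 14 exist for. And the guest is rejected by the final ELSE rather than quarantined: a policy that only names the users it knows how to remediate leaves everyone else with no access, so a real deployment usually adds an explicit guest rule before the catch-all.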

Page 15: Interop Labs Network Access Control Architecture Alphabet Soup (2006Apr04)
The same seven generic (IETF) components, and what each of the three solutions calls them:
Posture Collector
– What is it? Third-party software that runs on the client and collects information on security status and applications, such as “is A/V enabled and up-to-date?”
– TCG TNC: Integrity Measurement Collector
– Microsoft NAP: System Health Agent
– Cisco NAC: Posture Plug-in Applications
Client Broker
– What is it? “Middleware” that runs on the client, talks to the Posture Collectors, collects their data, and passes it down to the Network Access Requestor
– TCG TNC: TNC Client
– Microsoft NAP: NAP Agent
– Cisco NAC: Cisco Trust Agent
Network Access Requestor
– What is it? Software that connects the client to the network, e.g. an 802.1X supplicant or IPsec VPN client; used to authenticate the user, but also as the conduit for Posture Collector data to reach the other side
– TCG TNC: Network Access Requestor
– Microsoft NAP: NAP Enforcement Client
– Cisco NAC: Cisco Trust Agent
Network Enforcement Point
– What is it? Component within the network that enforces policy, typically an 802.1X-capable switch or WLAN, VPN gateway, or firewall
– TCG TNC: Policy Enforcement Point
– Microsoft NAP: NAP Enforcement Server
– Cisco NAC: Network Access Device
Posture Validator
– What is it? Third-party software that receives status information from the Posture Collectors on clients, validates it against the stated network policy, and returns a status to the Server Broker (the TNC Server, in TNC terms)
– TCG TNC: Integrity Measurement Verifier
– Microsoft NAP: System Health Validator
– Cisco NAC: Policy Vendor Server
Server Broker
– What is it? “Middleware” acting as the interface between multiple Posture Validators and the Network Access Authority
– TCG TNC: TNC Server
– Microsoft NAP: NAP Administration Server
– Cisco NAC: Access Control Server
Network Access Authority
– What is it? A server responsible for validating authentication and posture information and passing policy information back to the Network Enforcement Point
– TCG TNC: Network Access Authority
– Microsoft NAP: Network Policy Server
– Cisco NAC: Access Control Server

Page 16: Generic Architecture (figure; source: NEA BOF at IETF65)

Page 17: Protocol Requirements (figure; source: NEA BOF at IETF65)

Pages 18-19: Example: Policy Enforcement (two diagram slides)
Users who pass the policy check are placed on the production network; users who fail are quarantined.

Page 20: Agenda (section divider; next section: What is emerging today?)

Page 21: NAC Solutions
There are three prominent solutions:
– Cisco’s Network Admission Control (NAC)
– Microsoft’s Network Access Protection (NAP)
– Trusted Computing Group’s Trusted Network Connect (TNC)
There are several additional approaches that we did not address.

Page 22: Cisco NAC
Strengths
– Third-party support for the client
– Installed base of network devices
Limitations
– Tied to Cisco hardware
– Not an open standard
– Requires a third-party supplicant for wireless
Status
– Product shipping today
– Refinement of the policy server expected (2007)

Page 23: Microsoft NAP
Strengths
– Part of the Windows operating system
– Supports auto remediation
– Network device neutral
Limitations
– Part of the Windows operating system
– Client support limited (only Vista guaranteed)
– Not an open standard
Status
– Not shipping today; expect release in early 2007

Page 24: Trusted Computing Group (TCG) Trusted Network Connect (TNC)
Strengths
– Open standards based (Trusted Computing Group)
– Not tied to specific hardware, servers, or client operating systems
Limitations
– Still in its infancy
– Potential integration risk with multiple parties
Status
– Currently no shipping products; maybe Fall 2006
– Updated specifications released May 2006

Page 25: TCG TNC Architecture (figure; source: TCG)

Page 26: Current State of Affairs
Multiple non-interoperable solutions
– Cisco NAC, Microsoft NAP, TCG TNC
– Conceptually, all three are very similar
– All with limitations
– None completely functional
Industry efforts at convergence and standardization
– TCG
– IETF

Page 27: What is the IETF role?
The Internet Engineering Task Force (IETF) is considering additional standards in this area
– Network Endpoint Assessment (NEA) BOF held at IETF 65 in March 2006 (the meeting cited as the source of the pages 16 and 17 figures)
– Co-chaired by Cisco and TNC representatives
– Formation of a working group under consideration

Page 28: Agenda (section divider; next section: What are your first steps?)

Page 29: Network Access Control, Las Vegas 2006: demonstration layout (diagram; only the component labels below are recoverable from it)
Cisco Network Admission Control
– Posture Collector / Client Broker & Network Access Requestor: Cisco Trust Agent (Windows) with LANDesk and InfoExpress collectors; Cisco Trust Agent/Odyssey (Windows) with built-in posture collector
– Transport: EAP over UDP; EAP over 802.1X
– Network Enforcement Point: Cisco switch, Cisco AP
– Posture Validator: LANDesk, InfoExpress
– Server Broker & Network Access Authority: Cisco ACS
Microsoft Network Access Protection
– Posture Collector / Client Broker & Network Access Requestor: Vista (Windows), built-in posture collector
– Network Enforcement Point: Aruba, Cisco, HP
– Posture Validator: built-in validator
– Server Broker & Network Access Authority: Windows Longhorn Network Policy Server
TCG Trusted Network Connect
– Posture Collector / Client Broker & Network Access Requestor: Juniper Enterprise Agent/Odyssey (Windows), Xsupplicant (Linux), Symantec posture collector
– Transport: EAP over 802.1X
– Network Enforcement Point: 802.1X switches and APs from Cisco, Enterasys, Extreme, HP, and Nortel; Vernier
– Posture Validator: Symantec
– Server Broker & Network Access Authority: Juniper Steel-Belted Radius; OSC Radiator
– Clients without NAC software: handled through a proxy access requestor (labels: Lockdown, Juniper)

Page 30: NAC Lab Participants
NAC Contributors: A10 Networks, Aruba Networks, Enterasys Networks, Extreme Networks, Cisco Systems, Hewlett-Packard, InfoExpress, Juniper Networks, LANDesk, Lockdown Networks, Microsoft, Nortel Networks, Open1X Project, Open Systems Consultants, Vernier Networks, Inc.
NAC Team Engineers
– Steve Hultquist, Infinite Summit, Team Lead
– Chris Hessing, University of Utah
– Kevin Koster, Cloudpath Networks, Inc.
– Mike McCauley, Open System Consultants
– Karen O'Donoghue, US Navy
– Joel Snyder, Opus One Inc.
– Brett Thorson, RavenWing, Inc.
– Jan Trumbo, Opus One Inc.
– Craig Watkins, Transcend, Inc.
NAC Contributor Engineers
– Jack Coates, LANDesk
– Chris Edson, Microsoft
– Christian MacDonald, Juniper Networks
– Bryan Nairn, Lockdown Networks
– Jeff Reilly, Juniper Networks
– Mauricio Sanchez, Hewlett-Packard
– Eric Thomas, WildPackets, Inc.
– Mark Townsend, Enterasys Networks

Page 31: Getting started with NAC
Answer three basic questions:
– What is your access control policy?
– What access methods do you want to protect?
– What is your existing infrastructure?
Test early and often
Monitor the progress of open standards based solutions
Don’t do this alone! (at least today)

Page 32: Where can you learn more?
Visit the Interop Labs Booth (#2506)
– Live demonstrations of all three major NAC architectures, with engineers to answer questions
– White papers available:
  What is NAC?
  What is 802.1X?
  Getting Started with Network Access Control
  What is TCG’s Trusted Network Connect?
  What is Microsoft’s Network Access Protection?
  What is Cisco Network Admission Control?
  What is the IETF NAC Strategy?
  Network Access Control Resources
Visit us online:
– Interop Labs white papers, this presentation, and demonstration layout diagram

Page 33: Thank You! Questions? Interop Labs -- Booth