InteropLabs Network Access Control Interop Las Vegas 2008 Robert Nagy Accuvant Inc Principal Security Consultant

Slides:



Advertisements
Similar presentations
Selecting the Right Network Access Protection (NAP) Architecture Infrastructure Planning and Design Published: June 2008 Updated: November 2011.
Advertisements

Network Access Protection & Network Admission Control March 10, 2005 Teerapol Tuanpusa Network Consultant Cisco Systems Thailand Jirat Boomuang Technology.
1 © 2005 Cisco Systems, Inc. All rights reserved. CONFIDENTIAL AND PROPRIETARY INFORMATION Cisco Wireless Strategy Extending and Securing the Network Bill.
5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.
Network Security In Education A Balancing Act Doug Klein CTO Vernier Networks, Inc.
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
Interop Labs Network Access Control
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Providing 802.1X Enforcement For Network Access Protection Mudit Goel Development Manager Windows Enterprise Networking Microsoft Corporation.
Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.
Network Access Protection Platform Architecture Joseph Davies Technical writer Windows Networking and Device Technologies Microsoft Corporation.
Interop Labs Network Access Control Interop Las Vegas 2006 Karen O’Donoghue.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Security and Policy Enforcement Mark Gibson Dave Northey
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicPresentation_ID 1 Justin Rowling – Systems Engineer Protecting your network with Network Admission.
WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, /30/2009.
Information Security in Real Business
Network Access Management Trends in IT Applications for Management Prepared by: Ahmed Ibrahim S
4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
© 2003, Cisco Systems, Inc. All rights reserved _07_2003_Richardson_c11 Security Strategy Update Self Defending Network Initiative Network Admission.
All Rights Reserved © Alcatel-Lucent | Dynamic Enterprise Tour – Safe NAC Solution | 2010 Protect your information with intelligent Network Access.
Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Trusted Network Connect: Open.
Being Proactive with Computer Posture Assessment Department of Housing and Residence Education Charles Benjamin.
PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.
CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,
SYSTEM CENTER: ENDPOINT PROTECTION FUNDAMENTALS Howard A. Carter III Senior Consultant Microsoft Consulting Services September 21, 2013 TechGate 2013 –
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 10 – Implementing the Cisco Adaptive Security.
Course 201 – Administration, Content Inspection and SSL VPN
Clinic Security and Policy Enforcement in Windows Server 2008.
RSA Security Validating Users and Devices to Protect Network Assets Endpoint Solutions for Cisco Environments.
1 Network Admission Control to WLAN at WIT Presented by: Aidan McGrath B.Sc. M.A.
1 Deployment of Computer Security in an Organization CE-408 Sir Syed University of Engineering & Technology 99-CE-282, 257 & 260.
Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net 1 Open Standards for Network Access Control Trusted Network Connect.
1 Week #7 Network Access Protection Overview of Network Access Protection How NAP Works Configuring NAP Monitoring and Troubleshooting NAP.
Selecting the Right Network Access Protection Architecture
Network Access Control for Education
Copyright © 2008 Juniper Networks, Inc. 1 Network Access Control and Beyond By Steve Hanna, Distinguished Engineer, Juniper Co-Chair, Trusted.
Surviving in a hostile world  The myth of fortress applications  Tomas Olovsson CTO, Appgate Professor at Goteborg University, Sweden.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Trusted Network Connect Briefing.
70-411: Administering Windows Server 2012
Implementing Network Access Protection
Asif Jinnah Microsoft IT – United Kingdom. Security Challenges in an ever changing landscape Evolution of Security Controls: Microsoft’s Secure Anywhere.
Module 9: Configuring IPsec. Module Overview Overview of IPsec Configuring Connection Security Rules Configuring IPsec NAP Enforcement.
Module 8: Configuring Network Access Protection
Module 9: Designing Network Access Protection. Scenarios for Implementing NAP Verifying the health of: Roaming laptops Desktop computers Visiting laptops.
Welcome Windows Server 2008 安全功能 -NAP. Network Access Protection in Windows Server 2008.
Configuring Network Access Protection
Data Communications and Networks Chapter 10 – Network Hardware and Software ICT-BVF8.1- Data Communications and Network Trainer: Dr. Abbes Sebihi.
NAC-NAP Interoperability
© 2008 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED,
Module 6: Network Policies and Access Protection.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Copyright © 2008 Juniper Networks, Inc. 1 Juniper Networks Access Control Solutions Delivering Comprehensive and Manageable Network Access Control Solutions.
Module 5: Network Policies and Access Protection
Asif Jinnah Field Desktop Services Enabling a Flexible Workforce, an insider’s view.
Managing Network Access Protection. Introduction to NAP Issues  Although corporate networks are highly secured, no control over the configuration of.
Great Bay Beacon Extreme Sentriant AG RADIUS router (proxy) Network Enforcement Point Switches Cisco Enterasys Extreme HP APs Introduction to NAC Switches.
KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY IT375 Window Enterprise Administration Course Name – IT Introduction to Network Security Instructor.
Cosc 5/4765 NAC Network Access Control. What is NAC? The core concept: –Who you are should govern what you’re allowed to do on the network. Authentication.
D-Link Wireless AP with NAP 802.1x solution
Implementing Network Access Protection
Threat Management Gateway
Firewalls.
Trusted Network Connect: Open Standards for NAC
Network Access Control
Free Dumps With Real Exam Question Answers | Free Update
Network Access Control
Network Access Control
Presentation transcript:

InteropLabs Network Access Control Interop Las Vegas 2008 Robert Nagy Accuvant Inc Principal Security Consultant

Interop Labs Network Access Control, April 2008, Page 2 Interop Labs Interop Labs are: Technology Motivated, Open Standards Based, Vendor neutral, Test and Education focused, Initiatives… With team members from: Industry Academia Government Visit us at Booth 151! Technical contributions to this presentation include: Kevin Koster, Cloudpath Networks, Inc. Karen O’Donoghue, Jan Trumbo, Joel Snyder, and the whole Interop Labs NAC team

Interop Labs Network Access Control, April 2008, Page 3 Objectives This presentation will: –Provide a general introduction to the concept of Network Access Control Highlight the evolution of the current NAC solutions –Provide a context to allow a network engineer to begin to plan for NAC deployment –Articulate a vision for NAC This presentation will not: –Provide specifics on any one vendor’s solution. –Delve into the underlying protocol details

Interop Labs Network Access Control, April 2008, Page 4 Why Network Access Control? Desire to grant different network access to different users, e.g. employees, guests, contractors Network endpoints can be threats –Enormous enterprise resources are wasted to combat an increasing numbers of viruses, worms, and spyware Proliferation of devices requiring network connectivity –Laptops, phones, PDAs Logistical difficulties associated with keeping corporate assets monitored and updated

Interop Labs Network Access Control, April 2008, Page 5 Network Access Control is Who you are … …should determine What you can access

Interop Labs Network Access Control, April 2008, Page 6 “Who” Has Several Facets User Identity + End-point Security Assessment + Network Environment

Interop Labs Network Access Control, April 2008, Page 7 Access Policy May Be Influenced By Identity –Jim (CTO), Steve (Network Admin), Sue (Engineering), Bob (Finance), Brett (Guest) Location –Secure room versus non-secured room Connection Method –Wired, wireless, VPN Time of Day –Limit after hours wireless access –Limit access after hours of employee’s shift Posture –A/V installed, auto update enabled, firewall turned on, supported versions of software –Realtime traffic analysis feedback (IPS)

Interop Labs Network Access Control, April 2008, Page 8 Sample Policy IF user group=“phone” THEN VLAN=“phone-vlan”, ACL = phone-only ELSE IF non-compliant AND user = “Alice” THEN VLAN=“quarantine” AND activate automatic remediation ELSE IF non-compliant AND user = “Bob” THEN VLAN=“quarantine” ELSE IF compliant THEN VLAN=“trusted” ELSE deny all

Interop Labs Network Access Control, April 2008, Page 9 NAC is More Than VLAN Assignment Additional access possibilities: –Access Control Lists Switches Routers –Firewall rules –Traffic shaping (QoS) Non-edge enforcement options –Such as a distant firewall

Interop Labs Network Access Control, April 2008, Page 10 NAC is More Than Sniffing Clients for Viruses Behavior-based assessment –Why is this printer trying to connect to ssh ports? VPN-connected endpoints cannot access HR database You need control points inside the network to make this happen

Interop Labs Network Access Control, April 2008, Page 11 Generic NAC Components Access RequestorPolicy Enforcement Point Policy Decision Point Network Perimeter

Interop Labs Network Access Control, April 2008, Page 12 Posture Validator Sample NAC Transaction Client Broker Network Access Requestor Network Enforcement Point Network Access Authority Server Broker Posture Validator Access Requestor Policy Enforcement Point Policy Decision Point Posture Collector

Interop Labs Network Access Control, April 2008, Page 13 Access Requestors Sample Access Requestors –Laptops –PDAs –VoIP phones –Desktops –Printers Components of an Access Requestor/Endpoint –Posture Collector(s) Collects security status information (e.g. A/V software installed and up to date, personal firewall turned on) May be more than one per access requestor –Client Broker Collects data from one or more posture collectors Consolidates collector data to pass to Network Access Requestor –Network Access Requestor Connects client to network (e.g X supplicant or IPSec VPN client) Authenticates user Sends posture data to Posture Validators Client Broker Network Access Requestor Posture Collector Access Requestor

Interop Labs Network Access Control, April 2008, Page 14 Policy Enforcement Points Components of a Policy Enforcement Point –Network Enforcement Point Provides access to some or all of the network Sample Policy Enforcement Points –Switches –Wireless Access Points –Routers –VPN Devices –Firewalls Network Enforcement Point Policy Enforcement Point

Interop Labs Network Access Control, April 2008, Page 15 Policy Decision Point Components of a Policy Decision Point –Posture Validator(s) Receives data from the corresponding posture collector Validates against policy Returns status to Server Broker –Server Broker Collects/consolidates information from Posture Validator(s) Determines access decision Passes decision to Network Access Authority –Network Access Authority Validates authentication and posture information Passes decision back to Policy Enforcement Point Network Access Authority Server Broker Posture Validator Policy Decision Point

Interop Labs Network Access Control, April 2008, Page 16

Interop Labs Network Access Control, April 2008, Page 17 Example: Policy Enforcement Users who pass policy check are placed on production network Users who fail are quarantined

Interop Labs Network Access Control, April 2008, Page 18 Example: Policy Enforcement Users who pass policy check are placed on production network Users who fail are quarantined

Interop Labs Network Access Control, April 2008, Page 19 NAC Solutions - Last Years Slide There are three prominent solutions: –Cisco’s Network Admission Control (CNAC) –Microsoft’s Network Access Protection (NAP) –Trusted Computer Group’s Trusted Network Connect (TNC) There are several proprietary approaches that we did not address

Interop Labs Network Access Control, April 2008, Page 20 NAC Solutions - This Years Slide Moving towards industry convergence: –NAP and TCG(TNC) are moving ever closer –Cisco renewed focus on interoperability with NAP –Cisco consolidating their NAC appliance solution There are several proprietary approaches that we did not address All 3 major players are moving ever closer This ultimately benefits you the implementer! Still a way to go until nirvana :-)

Interop Labs Network Access Control, April 2008, Page 21 Microsoft NAP Network Access Protection Strengths –Part of Windows operating system –Supports auto remediation –Network device neutral Limitations –Part of Windows operating system –Not an open standard Status –Client (Vista) shipping today; will be in XP SP3 –Linux client available –Server Longhorn (Windows Server 2008)

Interop Labs Network Access Control, April 2008, Page 22 Cisco NAC Network Admission Control Strengths –Many posture collectors for client for NAC solution –NAC integration with Microsoft NAP –Large and diverse installed base of network and security/NAC devices Limitations –More options with Cisco hardware which may make planning harder –Not an open standard –Requires additional supplicant with NAC solution Status –Products shipping today –Cool stuff is coming which I expect to be announced soon…

Interop Labs Network Access Control, April 2008, Page 23 Trusted Computing Group (TCG) Trusted Network Connect (TNC) Strengths –Open standards based –Not tied to specific hardware, servers, or client operating systems –Multiple vendor backing - Juniper, Microsoft Limitations –Potential integration risk with multiple parties Status –Products shipping today –Common ground with Microsoft NAP continues to move towards interoperability –Updated specifications released May 2007

Interop Labs Network Access Control, April 2008, Page 24 Source: TCG TNC Architecture

Interop Labs Network Access Control, April 2008, Page 25 Getting Started - What’s Most Important to You? User Authentication Very Important Not Very Important End Point Security Very Important Not Very Important Enforcement Granularity Very Important Not Very Important VPN WLAN Guests Desktops Computer Room Everywhere Where will NAC apply?

Interop Labs Network Access Control, April 2008, Page 26 Where Can You Learn More? Visit the Interop Labs Booth (#151) –Live Demonstrations of many multi-vendor NAC architectures with engineers to answer questions Visit Interop Labs online: Interop Labs white papers, this presentation, and demonstration layout diagram Network Access Control Unified Communications

Interop Labs Network Access Control, April 2008, Page 28 Visit the InteropLabs Entrance InteropLabs Cisco Novell Foundry

Interop Labs Network Access Control, April 2008, Page 29 See This Presentation Again! Tuesday 4/29/08 Wednesday 4/30/08 Thursday 5/1/08 InteropLabs: UC Class 10:00am - 10:45am InteropLabs: NAC Class 11:15am - 12:00pm InteropLabs: NAC Class 11:15am - 12:00pm InteropLabs: NAC Class 11:00am - 11:45pm InteropLabs: UC Class 12:15pm - 1:00pm InteropLabs: UC Class 12:15pm - 1:00pm

Interop Labs Network Access Control, April 2008, Page 30 Where can you learn even more? White Papers available in the Interop Labs: What is Network Admission Control? What is 802.1X? Getting Started with Network Admission Control What is the TCG’s Trusted Network Connect? What is Microsoft Network Access Protection? Merger of TNC and NAP What is the IETF’s Network Endpoint Assessment? Switch Functionality for 802.1X-based NAC Handling NAC Exception Cases NAC Resources VLANs vs ACLs Free USB key to the first 600 attendees! (has all NAC and Unified Communications materials)

Interop Labs Network Access Control, April 2008, Page 31 InteropLabs NAC Vendor Engineers NAC Lab Participants InteropLabs NAC Team Members Kevin Koster, Cloudpath Networks, Team Lead Jim Martin, Woven Systems Rob Nagy, Accuvant Inc, NAC Instructor Joel Snyder, Opus One Craig Watkins, Transcend, Inc. Karen O'Donoghue, NSWCDD Gerard Goubert, Cisco Systems, Inc. Lynn Haney, TippingPoint Technologies, Inc. Jan Trumbo, Opus One Mike McCauley, Open Systems Consultants Asim Rasheed, Ixia Barb Cline, Blue Ridge Networks, Inc. Bhagya Prasad NR, Avenda Systems Bob Durkee, Great Bay Software Charles Owens, Great Bay Software Ernie Brown, Xirrus Corp. Faith Comlekoglu, Blue Ridge Networks, Inc. Greg Hankins, Force10 Networks, Inc. Ingo Bente, Fachhochschule Honnover Jeff Reilly, Juniper Networks, Inc. Josef von Helden, Fachhochschule Hannover King Won, Gigamon Systems LLC Mark Townsend, Enterasys Networks, Inc. Myke Rydalch, Xirrus Corp. Mike Steinmetz, Fachhochschule Hannover Mitsunori Sagae, Cisco Systems, Inc. Nathan Jenne, ProCurve Networking by HP Pat Fetty, Microsoft Corporation Pattabhi Attaluri, Avenda Systems Prem Ananthakrishnan, Cisco Systems, Inc. Rick Duchaney, Great Bay Software Saurabh Pradhan, Trapeze Networks Steve Pettit, Great Bay Software Ted Fornoles, Trapeze Networks Thenu Kittappa, Aruba Networks Tom Maufer, Mu Security Thomas Howard, Cisco Systems, Inc. Tim McCarthy, Trapeze Networks Tom Gilbert, Blue Ridge Networks

Interop Labs Network Access Control, April 2008, Page 32 Thank You! Questions? Interop Labs -- Booth 151

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.