© 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Cisco NAC Luc Billot Security Consulting Engineer


Slide 1: Cisco NAC. Luc Billot, Security Consulting Engineer. October 2007, Network Academy Istanbul.

Slide 2: The Diversity of Education Networks
- Every bit of user data touches the network.
- Every device that students and administrators have is attached to the network.
- In this environment, EVERYTHING is a potential target AND a potential threat.
Threat vectors have changed: your "trusted users" can be the weakest link in your network's security.

Slide 3: The Evolution of Education Threats
- Mitigating threats via policy compliance
- Balancing access and security in a "connected" world
- Changing threats from infection to "targeted attacks"
Education vectors have changed: you are accountable for your "policies" that are not enforced.

Slide 4: What Is NAC, Really?
Network Admission Control = better criteria for network access beyond "Who is it?"
Four key functions:
- Authenticate & Authorize
- Scan & Evaluate
- Quarantine & Enforce
- Update & Remediate
The criteria these functions answer: Who owns it? Where is it coming from? What's on it? What is it doing? What do you have? What's the preferred way to check or fix it?

Slide 5: NAC Means Better Criteria for Education
- What system is it? Windows, Mac or Linux; laptop, desktop or PDA; printer or other corporate asset
- Who owns it? University, faculty, student, guest, unknown
- Where is it coming from? VPN, LAN, WLAN, WAN
- What's on it? Is it running? Anti-virus, anti-spyware, personal firewall, patching tools
- What's the preferred way to check/fix it? Pre-configured checks, customized checks, self-remediation or auto-remediation, third-party software

Slide 6: NAC Must Address Top Pain Points
- Implement identity-based access control: applies identity and access policies based on roles to all users and devices
- Handle guest and unmanaged users: authenticates and controls guest and unmanaged assets
- Enforce endpoint policy requirements: assesses, quarantines, and remediates noncompliant endpoints
Source: Current Analysis, July 2006

Slide 7: Cisco NAC Overview
Components in the diagram: NAC Manager, NAC Server, Authentication Server, and the Intranet/Network (THE GOAL).
1. The end user attempts to access a web page or uses an optional client. Network access is blocked until the wired or wireless end user provides login information.
2. The user is redirected to a login page. Clean Access validates the username and password, and also performs device and network scans to assess vulnerabilities on the device.
3a. Quarantine role: the device is noncompliant or the login is incorrect. The user is denied access and assigned to a quarantine role with access to online remediation resources.
3b. The device is "clean": the machine is put on the "certified devices list" and is granted access to the network.
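The admission flow on this slide, as an added toy simulation; it is not Cisco's code and does not use the Clean Access API. The credential store, the per-role posture checks, the role names and the MAC-keyed certified-devices list are all constructed assumptions made for the example.

```python
"""Added example (not Cisco's code): toy model of the Clean Access admission
flow on slide 7. Credentials, posture checks and role names are constructed."""
import hmac
from dataclasses import dataclass, field

# Constructed sample credential store: username -> (password, role).
USERS = {"alice": ("s3cret", "student"), "bob": ("hunter2", "faculty")}

# Constructed posture requirements per role; every named check must report
# True in the endpoint's posture for the device to count as "clean".
ROLE_CHECKS = {
    "student": ["antivirus_running", "personal_firewall"],
    "faculty": ["antivirus_running", "personal_firewall", "patches_current"],
}


@dataclass
class AdmissionState:
    """What the server remembers: certified MACs and quarantined MACs."""
    certified_devices: set = field(default_factory=set)   # MAC addresses
    quarantined: dict = field(default_factory=dict)       # MAC -> failed checks


@dataclass
class Decision:
    mac: str
    role: str
    allowed_to: str        # "network", "login-page" or "remediation"
    failed_checks: list


def handle_access(state, mac, username=None, password=None, posture=None):
    """Return the admission decision for one access attempt from `mac`."""
    # A device already on the certified list is simply forwarded.
    if mac in state.certified_devices:
        return Decision(mac, "certified", "network", [])
    # Step 1: no login information yet -> block and redirect to the login page.
    if username is None:
        return Decision(mac, "unauthenticated", "login-page", [])
    # Step 2: validate username and password (constant-time comparison).
    entry = USERS.get(username)
    if entry is None or password is None or not hmac.compare_digest(entry[0], password):
        # Incorrect login -> quarantine role, remediation resources only.
        return Decision(mac, "quarantine", "remediation", ["login_failed"])
    role = entry[1]
    # Step 2 (continued): device scan; the checks depend on the user's role.
    reported = posture or {}
    failed = [check for check in ROLE_CHECKS[role] if not reported.get(check, False)]
    if failed:
        # Step 3a: noncompliant -> quarantine role with remediation access.
        state.quarantined[mac] = failed
        return Decision(mac, "quarantine", "remediation", failed)
    # Step 3b: clean -> certified devices list and full network access.
    state.quarantined.pop(mac, None)
    state.certified_devices.add(mac)
    return Decision(mac, role, "network", [])


if __name__ == "__main__":
    st = AdmissionState()
    mac = "00:11:22:33:44:55"                      # constructed sample MAC
    print(handle_access(st, mac))                  # redirected to login page
    print(handle_access(st, mac, "alice", "s3cret", {"antivirus_running": True}))
    print(handle_access(st, mac, "alice", "s3cret",
                        {"antivirus_running": True, "personal_firewall": True}))
    print(handle_access(st, mac))                  # now certified
```

The point the model makes explicit is that a failed scan and a failed login land in the same quarantine role, and that a device leaves quarantine only by passing the role's full check list, after which the certified-devices entry (keyed by MAC here) short-circuits further logins.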

Slide 8: Identity Based Access Control

Slide 9: Automated URL Redirection

Slide 10: Guest Provisioning

Slide 11: Student OS Restriction Compliance

Slide 12: End User Experience
- Web-based login screen
- Scan is performed (types of checks depend on user role/OS)
- Click-through remediation

Slide 13: Downloading the Agent (Optional)
- The guest user will be offered the choice to download the agent for posture assessment
- The guest user can still proceed by clicking Restricted Network Access if they choose not to download the agent

Slide 14: Endpoint Security Posture
4. Login screen: the scan is performed (types of checks depend on user role). If the scan fails: remediate.

Slide 15: Single Sign-On
- AD SSO
- VPN and Wireless SSO

Slide 16: Dynamic DHCP Renewal
- Web or Agent DHCP renewal
- Role based DHCP renewal
- Configurable DHCP renewal

Slide 17: NAC Appliance - Microsoft Support
Current Support:
- Windows OS Agent Support: Vista (All Editions); XP (Home/Pro/MCE/Tablet); 2000/ME/98 (Agent)
- Windows Agentless Support: WinCE, WinMobile; IE 5.x, 6.x and 7.x
- Windows Language Pack Support: 15+ languages supported
- Windows Hotfixes/AV Checks: auto-updates to pre-configured Hotfix and OneCare AV checks
- Windows Update via WSUS: ability to configure Windows Updater parameters; immediate launch of the WSUS agent for auto-remediation via severity levels
- Windows Update via windowsupdate.com: redirect to windowsupdate.com for remediation
GPO/Login:
- AD Single Sign-On: Windows 2003/2000 Server
- GPO launch post authentication: ability to launch a GPO to tie AD desktop policy to the access VLAN
- Login script "hold" configuration: provides a configuration to hold login script mapping until the access VLAN
Differentiators: Single Sign-On; Automated RuleSet Updates; Dynamic DHCP Renewal; Support for GPO and Login Scripts

Slide 18: NAC Manager: Simplified NAC Management
Automated Cisco updates simplify management for over 350 partner applications.

Slide 19: NAC Server: Integrated NAC Services
Integrating posture and profiling services to ensure that incoming devices are compliant.
- Guest Portal Services: Guest & Registration Portal; OS Detection & Restriction; Role based AUP
- Profiling Services: Device Profiling; Behavioral Monitoring; Device Reporting
- Posture Services: Managed Device Posture; Unmanaged Device Scanning; Remediation
- Authentication Services: Web, MAC, IP Authentication; Authentication & SSO; RADIUS Accounting Proxy (marked NEW! on the slide)

Slide 20: NAC Profiler and Collector
Components in the diagram: NAC Manager (with NAC API), NAC Server with Collector (NPC), NAC Profiler Server (NPS), Windows AD, AAA Server, and a SPAN feed into the Collector.
1. The NAC Profiler Collector discovers and profiles devices (e.g. phones, printers, badge readers, healthcare modalities).
2. The NAC Profiler Collector continuously monitors the behavior of profiled devices (spoofing behavior) and updates the NAC Profiler Server.
3. The NAC Profiler Server automatically adds/deletes/modifies the MAC/IP on the CAM (Clean Access Manager) and places it in the filter list (allow, deny, ignore, or "role").
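The three profiler steps above, as an added toy implementation; this is not Cisco's NAC Profiler code and does not talk to a real CAM. The observation format (MAC, IP, listening ports seen on the SPAN feed), the two profile rules with their OUI prefixes, the per-profile filter-list action and the in-memory stand-in for the manager's filter list are all constructed for the example.

```python
"""Added example (not Cisco's code): toy NAC Profiler logic for slide 20.
Observations, profile rules and the filter-list store are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed profile rules: a device matches a profile when its MAC starts
# with the rule's OUI prefix and it listens on all of the rule's ports.
# (The OUI values are sample strings, not looked up from a vendor registry.)
PROFILES = {
    "ip-phone": {"oui": "00:1b:d4", "ports": {5060}},
    "printer":  {"oui": "00:80:77", "ports": {9100, 515}},
}

# Constructed manager policy: filter-list action per profile.
# Actions mirror the slide: allow, deny, ignore, or role.
PROFILE_ACTION = {"ip-phone": ("role", "voice"), "printer": ("allow", None)}


@dataclass
class Observation:
    """One device sighting taken from the SPAN feed (constructed format)."""
    mac: str
    ip: str
    open_ports: set


@dataclass
class FilterEntry:
    """Stand-in for the MAC/IP entry the Profiler Server pushes to the CAM."""
    mac: str
    ip: str
    action: str            # allow, deny, ignore or role
    role: Optional[str]


class Profiler:
    def __init__(self):
        self.profiled = {}       # mac -> profile name (Collector's view)
        self.filter_list = {}    # mac -> FilterEntry (what the CAM would hold)

    def classify(self, obs):
        """Return the profile name matching this observation, or None."""
        for name, rule in PROFILES.items():
            if obs.mac.lower().startswith(rule["oui"]) and rule["ports"] <= obs.open_ports:
                return name
        return None

    def observe(self, obs):
        """Steps 1 and 2: profile a new device, or re-check a known one."""
        profile = self.classify(obs)
        known = self.profiled.get(obs.mac)
        if known is None:
            if profile is None:
                return "unknown"                 # not matched; left to the CAM
            self.profiled[obs.mac] = profile
            self._push(obs, *PROFILE_ACTION[profile])
            return f"profiled:{profile}"
        if profile != known:
            # The device no longer behaves like its profile: treat the MAC as
            # possibly spoofed and replace its filter entry with a deny.
            self.profiled.pop(obs.mac)
            self._push(obs, "deny", None)
            return "spoof-suspected"
        return "consistent"

    def _push(self, obs, action, role):
        """Step 3: add/modify the MAC/IP entry in the manager's filter list."""
        self.filter_list[obs.mac] = FilterEntry(obs.mac, obs.ip, action, role)


if __name__ == "__main__":
    p = Profiler()
    printer = Observation("00:80:77:aa:bb:cc", "10.0.0.5", {9100, 515})   # constructed
    print(p.observe(printer), p.filter_list[printer.mac])
    # Same MAC later shows workstation-style ports instead of printer ports.
    print(p.observe(Observation("00:80:77:aa:bb:cc", "10.0.0.5", {445, 3389})))
    print(p.filter_list[printer.mac])
```

The second observation illustrates the "spoofing behavior" the slide refers to: a MAC that was admitted as a printer and then stops looking like one has its allow entry replaced by a deny, rather than keeping the access it inherited from its first profile.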

Slide 21: NAC Appliance Use Cases
- Endpoint Compliance: network access only for compliant devices
- Guest Compliance: restricted internet access only for guest users
- Wireless Compliance: secured network access only for compliant wireless devices
- VPN User Compliance: intranet access only for compliant remote access users
- Intranet Access Compliance: ensure hosts are hardened prior to connecting to ERP, HRIS, BPM, etc.
Diagram labels: INTERNET, IPSec, 802.1Q, CAMPUS BUILDING 1, WIRELESS BUILDING 2, CONFERENCE ROOM IN BUILDING 3.

Slide 22: NAC Manager and Server Sizing (users = online, concurrent)
NAC Server sizes:
- Branch Office or SMB Servers: 100, 250 or 500 users each
- Enterprise and Branch Servers: 1500, 2500 or 3500 users each
NAC Manager sizes:
- Manager Lite manages up to 3 servers
- Standard Manager manages up to 20 servers
- Super Manager manages up to 40 servers

Slide 23: NAC Deployment Options
NAC In-Band (Available):
- Plug & deploy (basic)
- VPN, wireless, campus & remote LANs
- Supports non-Cisco devices
- Enforcement via appliance
NAC Out-of-Band (Available):
- Plan & deploy (intermediate)
- Campus LANs (L2, L3)
- Leverages Cisco infrastructure
- SNMP as control plane
- Enforcement via switch or appliance
NAC RADIUS (Planning):
- Plan & deploy (advanced)
- Campus LANs (802.1x, non-802.1x)
- Leverages Cisco infrastructure and future IBPN features
- RADIUS as control plane
- Enforcement via switch
Diagram labels: IP WAN, 802.1q, NAC Server, NAC Manager, VPN, SNMP, ACS, RADIUS, 802.1x, NAC NM, L2.

Slide 24: NAC Server Foundation: Virtual Gateway and Real IP Gateway
- NAC Servers at the most basic level can pass traffic in one of two ways: Bridged Mode = Virtual Gateway; Routed Mode = Real IP Gateway / NAT Gateway
- Any NAC Server can be configured for either method, but a NAC Server can only be one at a time
- Gateway mode selection affects the logical traffic path
- It does not affect whether a NAC Server is in Layer 2 mode, Layer 3 mode, In Band or Out of Band

Slide 25: NAC Server Foundation: Virtual Gateway
- Direct bridging: frame comes in, frame goes out
- VLAN IDs are either passed through untouched or mapped from A to B
- DHCP and client routes point directly to network devices on the trusted side
- The NAC Server is an IP-passive bump in the wire, like a transparent firewall

Slide 26: NAC Server Foundation: Real IP/NAT Gateway
- The NAC Server is routing: packet comes in, packet goes out
- VLAN IDs terminate at the Server; no pass-through or mapping
- DHCP and client routes usually point to the Server for /30
- The NAC Server is an active IP router and can also NAT outbound packets *
* Be aware of NAT performance limitations

Slide 27: NAC Server Foundation: Edge and Central Deployment
- NAC Servers have two physical deployment models: Edge Deployment and Central Deployment
- Any NAC Server can be configured for either method
- Deployment mode selection affects the physical traffic path
- It does not affect whether a NAC Server is in Layer 2 mode, Layer 3 mode, In Band or Out of Band

Slide 28: NAC Server Foundation: Edge Deployment
- Easiest deployment option to understand
- The NAC Server is logically inline and physically inline
- Supports all Catalyst switches
- VLAN IDs are passed straight through when in VGW (diagram: VLAN 10 in, VLAN 10 out)
- Installations with multiple access layer closets can become complex

Slide 29: NAC Server Foundation: Central Deployment
- Most common deployment option
- The NAC Server is logically inline, NOT physically inline
- Supports 6500 / 4500 / 3750 / 3560 *
- VLAN IDs are mapped when in VGW (diagram: VLAN 110 in, VLAN 10 out)
- Easiest installation
- Most scalable in large environments
* 3550 is not supported

Slide 30: NAC Server Foundation: Central Deployment
Example university central deployment, Virtual Gateway Mode:
- 3 access layer closets, 6 VLANs
- 500 users per VLAN, 3000 users in total
- 3 VLANs per NAC Server, 500 users each

Slide 31: NAC Server Foundation: In Band and Out of Band
- NAC Servers have two traffic flow deployment models: In Band and Out of Band
- Any NAC Server can be configured for either method, but a NAC Server can only be one at a time
- Selection is based on whether the customer wants to remove the NAC Server from the data path
- The NAC Server is ALWAYS inline during posture assessment

Slide 32: NAC Server Foundation: In Band
- Easiest deployment option
- The NAC Server is inline (in the data path) before and after posture assessment
- Supports any switch, any hub, any AP
- Role based access control: Guest, Contractor, Employee
- ACL filtering and bandwidth throttling

Slide 33: NAC Server Foundation: Out of Band
- Multi-gigabit throughput deployment option
- The NAC Server is inline for posture assessment only
- Supports most common Cisco switches **
- Port VLAN based and role based access control
- ACL filtering and bandwidth throttling for posture assessment only

Slide 34: Q & A
