Presentation is loading. Please wait.

Presentation is loading. Please wait.

Interop Labs Network Access Control

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Interop Labs Network Access Control"— Presentation transcript:

1 Interop Labs Network Access Control
Interop Las Vegas 2007 Jan Trumbo

2 Interop Labs Interop Labs are: With team members from:
Technology Motivated, Open Standards Based, Vendor neutral, Test and Education focused, Initiatives… With team members from: Industry Academia Government Visit us at Booth 122! Technical contributions to this presentation include: Steve Hanna, Juniper Networks and TCG TNC Kevin Koster, Cloudpath Networks, Inc. Karen O’Donoghue, Joel Snyder, and the whole Interop Labs NAC team Interop Labs Network Access Control, May 2007, Page 2

3 Objectives This presentation will: This presentation will not:
Provide a general introduction to the concept of Network Access Control Highlight the three most well known solutions Provide a context to allow a network engineer to begin to plan for NAC deployment Articulate a vision for NAC This presentation will not: Provide specifics on any of the three major approaches introduced Delve into the underlying protocol details One thing I acknowledge up front is that there is a big difference between vision and reality at this point. Some of this information will be available from Interop Lab Engineers in the booth Interop Labs Network Access Control, May 2007, Page 3

4 Why Network Access Control?
Desire to grant different network access to different users, e.g. employees, guests, contractors Network endpoints can be threats Enormous enterprise resources are wasted to combat an increasing numbers of viruses, worms, and spyware Proliferation of devices requiring network connectivity Laptops, phones, PDAs Logistical difficulties associated with keeping corporate assets monitored and updated Interop Labs Network Access Control, May 2007, Page 4

5 Network Access Control is
Who you are … …should determine What you can access Interop Labs Network Access Control, May 2007, Page 5

6 “Who” Has Several Facets
User Identity + End-point Security Assessment + Network Environment Interop Labs Network Access Control, May 2007, Page 6

7 Access Policy May Be Influenced By
Identity Jim (CTO), Steve (Network Admin), Sue (Engineering), Bob (Finance), Brett (Guest) Location Secure room versus non-secured room Connection Method Wired, wireless, VPN Time of Day Limit after hours wireless access Limit access after hours of employee’s shift Posture A/V installed, auto update enabled, firewall turned on, supported versions of software Realtime traffic analysis feedback (IPS) Interop Labs Network Access Control, May 2007, Page 7

8 Sample Policy IF user group=“phone”
THEN VLAN=“phone-vlan” ELSE IF non-compliant AND user = “Alice” THEN VLAN=“quarantine” AND activate automatic remediation ELSE IF non-compliant AND user = “Bob” THEN VLAN=“quarantine” ELSE IF compliant THEN VLAN=“trusted” ELSE deny all Interop Labs Network Access Control, May 2007, Page 8

9 NAC is More Than VLAN Assignment
Additional access possibilities: Access Control Lists Switches Routers Firewall rules Traffic shaping (QoS) Non-edge enforcement options Such as a distant firewall Interop Labs Network Access Control, May 2007, Page 9

10 NAC is More Than Sniffing Clients for Viruses
Behavior-based assessment Why is this printer trying to connect to ssh ports? VPN-connected endpoints cannot access HR database You need control points inside the network to make this happen Interop Labs Network Access Control, May 2007, Page 10

11 Generic NAC Components
Access Requestor Policy Enforcement Point Policy Decision Point Network Perimeter Interop Labs Network Access Control, May 2007, Page 11

12 Sample NAC Transaction
Posture Collector Posture Validator Posture Collector 6 Posture Validator Posture Collector 1 Posture Validator Network Enforcement Point Server Broker Client Broker 2 7 8 Posture Collectors gather information about the state of the end point security on the client. Client Broker consolidates endpoint data from posture collectors(s) and passes it to the Network Access Requestor (supplicant) Network Access Requestor gets security assessment data from the TNC client and sends it to the Policy Enforcement Point. The Policy Enforcement Point receives the authentication and security assessment data and sends it on the Policy Decision Point. The Network Access Authority receives the data from the Access Requestor via the Policy Enforcement Point. If authentication is involved, the Network Access Authority checks with an authentication database to see if the user has valid credentials. Each Posture Validator checks the information from the corresponding Posture Collector and passes the verdict to the Server Broker The server broker consolidates the posture validator input into a single policy answer The Network Access Authority sends the corresponding answer and instructions to the PEP. Network Access Authority Network Access Requestor 4 5 3 Policy Enforcement Point Policy Decision Point Access Requestor Interop Labs Network Access Control, May 2007, Page 12

13 Access Requestors Sample Access Requestors
Laptops PDAs VoIP phones Desktops Printers Components of an Access Requestor/Endpoint Posture Collector(s) Collects security status information (e.g. A/V software installed and up to date, personal firewall turned on) May be more than one per access requestor Client Broker Collects data from one or more posture collectors Consolidates collector data to pass to Network Access Requestor Network Access Requestor Connects client to network (e.g X supplicant or IPSec VPN client) Authenticates user Sends posture data to Posture Validators Posture Collector Posture Collector Client Broker Network Access Requestor Access Requestor Interop Labs Network Access Control, May 2007, Page 13

14 Policy Enforcement Points
Components of a Policy Enforcement Point Network Enforcement Point Provides access to some or all of the network Sample Policy Enforcement Points Switches Wireless Access Points Routers VPN Devices Firewalls Network Enforcement Point Policy Enforcement Point Interop Labs Network Access Control, May 2007, Page 14

15 Network Access Authority
Policy Decision Point Components of a Policy Decision Point Posture Validator(s) Receives data from the corresponding posture collector Validates against policy Returns status to Server Broker Server Broker Collects/consolidates information from Posture Validator(s) Determines access decision Passes decision to Network Access Authority Network Access Authority Validates authentication and posture information Passes decision back to Policy Enforcement Point Posture Validator Server Broker Network Access Authority Policy Decision Point Interop Labs Network Access Control, May 2007, Page 15

16 InteropLabs Network Access Control Architecture Alphabet Soup
What is it? TCG TNC Microsoft NAP Cisco NAC Posture Collector Third-party software that runs on the client and collects information on security status and applications, such as 'is A/V enabled and up-to-date?' Integrity Measurement Collector System Health Agent Posture Plug-in Applications Client Broker "Middleware" that runs on the client and talks to the Posture Collectors, collecting their data, and passing it down to Network Access Requestor TNC Client NAP Agent Cisco Trust Agent Network Access Requestor Software that connects the client to network. Examples might be 802.1X supplicant or IPSec VPN client. Used to authenticate the user, but also as a conduit for Posture Collector data to make it to the other side Network Access Requestor NAP Enforcement Client Posture Collector Posture Validator Client Broker Server Broker Network Enforcement Point IETF terms InteropLabs Network Access Control Architecture Alphabet Soup Network Access Requestor Network Access Authority What is it? TCG TNC Microsoft NAP Cisco NAC Network Enforcement Point Component within the network that enforces policy, typically an 802.1X-capable switch or WLAN, VPN gateway, or firewall. Policy Enforcement Point NAP Enforcement Server Network Access Device Posture Validator Third-party software that receives status information from Posture Collectors on clients and validates the status information against stated network policy, returning a status to the TNC Server Integrity Measurement Verifier System Health Validator Policy Vendor Server Server Broker "Middleware" acting as an interface between multiple Posture Validators and the Network Access Authority TNC Server NAP Administration Server Access Control Server Network Access Authority A server responsible for validating authentication and posture information and passing policy information back to the Network Enforcement Point. Network Access Authority Network Policy Server 2006Apr04

17 Example: Policy Enforcement
Users who pass policy check are placed on production network Users who fail are quarantined Interop Labs Network Access Control, May 2007, Page 17

18 Example: Policy Enforcement
Users who pass policy check are placed on production network Users who fail are quarantined Interop Labs Network Access Control, May 2007, Page 18

19 NAC Solutions There are three prominent solutions:
Cisco’s Network Admission Control (CNAC) Microsoft’s Network Access Protection (NAP) Trusted Computer Group’s Trusted Network Connect (TNC) There are several proprietary approaches that we did not address Interop Labs Network Access Control, May 2007, Page 19

20 Cisco NAC Network Admission Control
Strengths Many posture collectors for client Installed base of network devices Limitations More options with Cisco hardware Not an open standard Requires additional supplicant Status Product shipping today Interop Labs Network Access Control, May 2007, Page 20

21 Microsoft NAP Network Access Protection
Strengths Part of Windows operating system Supports auto remediation Network device neutral Limitations Not an open standard Status Client (Vista) shipping today; will be in XP SP3 Linux client available Server (Longhorn) still in beta; 3rd parties shipping Expect Longhorn (Windows Server 2008) release in 2007?? Interop Labs Network Access Control, May 2007, Page 21

22 Trusted Computing Group (TCG) Trusted Network Connect (TNC)
Strengths Open standards based Not tied to specific hardware, servers, or client operating systems Multiple vendor backing - Juniper, Microsoft Limitations Potential integration risk with multiple parties Status Products shipping today Tightly integrated with Microsoft NAP but products not shipping yet (Monday announcement) Updated specifications released May 2007 Multivendor interoperability is harder than single vendor interoperability Interop Labs Network Access Control, May 2007, Page 22

23 TNC Architecture Source: TCG
IF-IMC Integrity Measurement Collector Interface IF-IMV Integrity Measurement Verifier Interface IF-TNCCS – TNC Client Server Interface IF-IMC and IF-IMV – Vendor Specific IMC-IMV messages IF-T Network Authorization Transport Protocol IF-PTS Platform Trust Services IF-PEP Policy Enforcement point Interface Source: TCG Interop Labs Network Access Control, May 2007, Page 23

24 Current State of Affairs
Multiple semi-interoperable solutions Cisco NAC, Microsoft NAP, TCG TNC Conceptually, all 3 are very similar All with limitations Industry efforts at convergence and standardization TCG IETF Interop Labs Network Access Control, May 2007, Page 24

25 Getting Started - What’s Most Important to You?
User Authentication Very Important Not Very Important End Point Security Very Important Not Very Important Enforcement Granularity Very Important Not Very Important VPN WLAN Guests Desktops Computer Room Everywhere Where will NAC apply? Interop Labs Network Access Control, May 2007, Page 25

26 Where Can You Learn More?
Visit the Interop Labs Booth (#122) Live Demonstrations of all three major NAC architectures with engineers to answer questions Visit Interop Labs online: Interop Labs white papers, this presentation, and demonstration layout diagram Network Access Control VOIP: Wireless & Security Interop Labs Network Access Control, May 2007, Page 26

27 Interop Labs Network Access Control, May 2007, Page 27

28 VLANs Network Access Control Devices Spectrum
Gigamon net monitor Port Monitor Posture Validators Cisco ACS Server Broker & Network Access Authority Trend Micro LANDesk Cisco CSA internal EAP-FAST Port Monitor Devices Spectrum Cross-VLAN Firewall Packet Filters WildPackets analyzer Extreme Sentriant NG sensor DHCP info Posture Collectors Client Broker & Network Access Requestor Cisco NAC-Capable Client Trend Micro LANDesk Cisco CSA Cisco CTA Network Enforcement Point Switches Cisco Enterasys Extreme HP APs Introduction to NAC Switches and APs with full framework capability doing VLAN assignment Juniper IDP Device authentication VLANs Great Bay Beacon LDAP Device database Network behavior info phones printers badge readers Cisco Extreme HP Trapeze Posture Validators Juniper UAC Q1 Wave Systems PatchLink internal Server Broker & Network Access Authority EAP-JEAP Production Cisco CCA non-NAC clients Posture Collectors Client Broker & Network Access Requestor TCG TNC-Capable Client PatchLink Wave Systems Juniper UAC Contractor EAP/RADIUS LDAP Quarantine Enforcement Spectrum Posture Validators ID Engines Ignition internal Server Broker & Network Access Authority EAP-PEAP Guest Edge Enforcement User authentication Posture Collectors Client Broker & Network Access Requestor Microsoft NAP-Capable Client Trend Micro Microsoft System Health Agent Cisco Enterasys Extreme HP Trapeze Active Directory Auth by 802.1X Enforcement by: VLAN ACL / Filter QOS User database Switches RADIUS router (proxy) LDAP APs Posture Validators OSC Radiator internal Server Broker & Network Access Authority EAP-TTLS Network Enforcement Point Internet Windows Unix Mac EAP/RADIUS Axis Camera 802.1X/TLS HP Printer 802.1X/TLS Non-Edge Enforcement Cisco CCA Juniper ScreenOS 802.1X Clients without Posture Collectors posture Captive Portals Cisco Enterasys Extreme HP Lockdown Proxy Access Requestor Extreme Sentriant AG Posture Validators Microsoft NPS Trend Micro internal Server Broker & Network Access Authority EAP-PEAP NAC-capable switches Network Access Control Linksys Network Attached Storage Old switches and hubs Juniper firewall EAP/RADIUS Pingtel Phone Non 802.1X Clients Las Vegas 2007 Data center

29 Where can you learn more?
White Papers available in the Interop Labs: What is Network Admission Control? What is 802.1X? Getting Started with Network Admission Control What is the TCG’s Trusted Network Connect? What is Microsoft Network Access Protection? What is Cisco Network Admission Control? What is the IETF’s Network Endpoint Assessment? Switch Functionality for 802.1X-based NAC Exception Cases and NAC Get the “NAC” of Troubleshooting NAC Resources Free USB key to the first 600 attendees! (has all NAC and VOIP materials) Interop Labs Network Access Control, May 2007, Page 29

30 NAC Lab Participants http://www.opus1.com/nac
In ter o pL a bs N A C Te am M embers Kare n O'D o noghu e, U S Navy , Te a m L e ad Kevi n Koste r , C loud p at h N e tworks Bill Clary l , gran d m o therboar d .org Jef f F u lso m , Univ o f U t ah Joel Snyde r , Opus One Mik e McC a uley , O pen Sys t em s Consu l ta n ts Jan Tr u mb o , Opu s One Henry H e , UN H IOL Chris Hessin g , Id e nt i fy En g ines Lynn Ha n ey , Ti p pin g Po i nt Terry S i mons , I de n tit y Engi n es In ter o pL a bs N A C Vendor E n g i n eers Th o mas Ho w ard , Cisc o Sy s tem s , In c . Mark Townsen d, E n terasys Mik e Skri p ek , E x tr e me N etworks Charles Owens , Gr e a t B ay S o ftware Eric H ol t on , H P Procurve Bre t Jorda n, Id e nt i fy E n gines Bo b F i ler , Juni p er N e tworks Chrisita n McDona l d , Junipe r N e tworks Denzil Wessels , Jun i per N e tworks S t eve H a nna , Jun i per N etworks Oliver C hun g , L ockdown Net w orks P a t Fe t ty , Microso f t Don G onzale s , P a tchlink Sco tt V a nWa r t , Q 1 Labs Ti m McCarth y , Trapez e N e tworks Ryan Ho l lan d , Tren d M icro Alw i n Y u , Tren d M icro A mi t Desh p and e , Wave Syst e ms Interop Labs Network Access Control, May 2007, Page 30

31 Thank You. Questions. Interop Labs -- Booth 122 http://www. opus1
Interop Labs Network Access Control, May 2007, Page 31

Download ppt "Interop Labs Network Access Control"

Similar presentations

Network Access Protection & Network Admission Control March 10, 2005 Teerapol Tuanpusa Network Consultant Cisco Systems Thailand Jirat Boomuang Technology.

Network Access Protection & Network Admission Control March 10, 2005 Teerapol Tuanpusa Network Consultant Cisco Systems Thailand Jirat Boomuang Technology.
5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Network Security In Education A Balancing Act Doug Klein CTO Vernier Networks, Inc.

Network Security In Education A Balancing Act Doug Klein CTO Vernier Networks, Inc.
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
Agenda Introduction Network Access Protection platform architecture

Agenda Introduction Network Access Protection platform architecture
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Module 3 Windows Server 2008 Branch Office Scenario.

Module 3 Windows Server 2008 Branch Office Scenario.
Providing 802.1X Enforcement For Network Access Protection Mudit Goel Development Manager Windows Enterprise Networking Microsoft Corporation.

Providing 802.1X Enforcement For Network Access Protection Mudit Goel Development Manager Windows Enterprise Networking Microsoft Corporation.
Copyright© 2005-2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.

Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.
Network Access Protection Platform Architecture Joseph Davies Technical writer Windows Networking and Device Technologies Microsoft Corporation.

Network Access Protection Platform Architecture Joseph Davies Technical writer Windows Networking and Device Technologies Microsoft Corporation.
Interop Labs Network Access Control Interop Las Vegas 2006 Karen O’Donoghue.

Interop Labs Network Access Control Interop Las Vegas 2006 Karen O’Donoghue.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
InteropLabs Network Access Control Interop Las Vegas 2008 Robert Nagy Accuvant Inc Principal Security Consultant

InteropLabs Network Access Control Interop Las Vegas 2008 Robert Nagy Accuvant Inc Principal Security Consultant
Security and Policy Enforcement Mark Gibson Dave Northey

Security and Policy Enforcement Mark Gibson Dave Northey
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicPresentation_ID 1 Justin Rowling – Systems Engineer Protecting your network with Network Admission.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicPresentation_ID 1 Justin Rowling – Systems Engineer Protecting your network with Network Admission.
WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, 2009 05/30/2009.

WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, /30/2009.
Information Security in Real Business

Information Security in Real Business
Network Access Management Trends in IT Applications for Management Prepared by: Ahmed Ibrahim S09761197.

Network Access Management Trends in IT Applications for Management Prepared by: Ahmed Ibrahim S
© 2003, Cisco Systems, Inc. All rights reserved. 111 8426_07_2003_Richardson_c11 Security Strategy Update Self Defending Network Initiative Network Admission.

© 2003, Cisco Systems, Inc. All rights reserved _07_2003_Richardson_c11 Security Strategy Update Self Defending Network Initiative Network Admission.

Similar presentations

Ads by Google