Published by Mervin Pope. Modified over 9 years ago.
Slide 1: Cisco NAC
  Luc Billot, Security Consulting Engineer, lbillot@cisco.com
  October 2007, Network Academy Istanbul
  Presentation_ID 1 © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Slide 2: The Diversity of Education Networks
  Every bit of user data touches the network
  Every device that students and administrators own is attached to the network
  In this environment, EVERYTHING is a potential target AND a potential threat
  >> Threat vectors have changed: your “trusted users” can be the weakest link in your network’s security
Slide 3: The Evolution of Education Threats
  Mitigating threats via policy compliance
  Balancing access and security in a “connected” world
  Changing threats from infection to “targeted attacks”
  >> Education vectors have changed: you are accountable for “policies” that are not enforced
Slide 4: What Is NAC, Really?
  Network Admission Control = better criteria for network access beyond “Who is it?”
  The 4 key functions:
    Authenticate & Authorize
    Scan & Evaluate
    Quarantine & Enforce
    Update & Remediate
  The questions NAC answers:
    Who owns it?
    Where is it coming from?
    What do you have?
    What’s on it?
    What is it doing?
    What’s the preferred way to check or fix it?
Slide 5: NAC Means Better Criteria for Education
  Who owns it? University, faculty, student, guest, unknown
  Where is it coming from? VPN, LAN, WLAN, WAN
  What system is it? Windows, Mac or Linux; laptop, desktop or PDA; printer or other corporate asset
  What’s on it? Is it running? Anti-virus, anti-spyware, personal firewall, patching tools
  What’s the preferred way to check/fix it? Pre-configured checks, customized checks, self-remediation or auto-remediation, third-party software
Slide 6: NAC Must Address Top Pain Points (Source: Current Analysis, July 2006)
  Implement identity-based access control: applies identity and access policies based on roles to all users and devices
  Handle guest and unmanaged users: authenticates and controls guest and unmanaged assets
  Enforce endpoint policy requirements: assesses, quarantines, and remediates noncompliant endpoints
Slide 7: Cisco NAC Overview (THE GOAL)
  Components in the diagram: NAC Manager, NAC Server, Authentication Server, Intranet/Network
  1. End user attempts to access a Web page or uses an optional client. Network access is blocked until the wired or wireless end user provides login information.
  2. User is redirected to a login page. Clean Access validates the username and password and also performs device and network scans to assess vulnerabilities on the device.
  3a. Quarantine role: if the device is noncompliant or the login is incorrect, the user is denied access and assigned to a quarantine role with access to online remediation resources.
  3b. Device is “clean”: the machine is placed on the “certified devices list” and is granted access to the network.
Slide 8: Identity Based Access Control
Slide 9: Automated URL Redirection
Slide 10: Guest Provisioning
Slide 11: Student OS Restriction Compliance
Slide 12: End User Experience
  Web-based login screen
  Scan is performed (types of checks depend on user role/OS)
  Click-through remediation
Slide 13: Downloading the Agent (Optional)
  Guest user is offered the choice to download the agent for posture assessment
  Guest user can still proceed by clicking “Restricted Network Access” if they choose not to download the agent
Slide 14: Endpoint Security Posture
  4. Login screen
  Scan is performed (types of checks depend on user role)
  Scan fails: remediate
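The admission flow on slides 7 and 12-14 (login, role lookup, role-dependent posture scan, quarantine or certified list, and the guest “Restricted Network Access” path of slide 13) as a small Python model. This is an added illustration, not Cisco code; the user store, the check sets per role and the student OS allow-list are constructed for the example.

```python
from dataclasses import dataclass, field

# Who owns it? Constructed user store: username -> (password, role). A real deployment
# would ask the Authentication Server (AD, RADIUS, LDAP) instead.
USERS = {"alice": ("s3cret", "student"), "bob": ("pa55", "faculty"),
         "visitor": ("guest", "guest")}

# What's on it? Checks the scan must pass, by role (slide 12: checks depend on role/OS).
REQUIRED_CHECKS = {
    "student": {"antivirus", "personal_firewall", "os_patched"},
    "faculty": {"antivirus", "os_patched"},
    "guest": {"antivirus"},
}
# Student OS restriction (slide 11): constructed allow-list; other roles are unrestricted.
ALLOWED_OS = {"student": {"windows", "macos", "linux"}}

@dataclass
class Endpoint:
    mac: str
    os: str
    posture: dict           # check name -> passed?, as reported by the agent or scan
    has_agent: bool = True  # guests may decline the agent (slide 13)

@dataclass
class NacServer:
    certified: set = field(default_factory=set)  # the "certified devices list"

    def admit(self, ep: Endpoint, username: str, password: str) -> tuple:
        """Steps 1-3 of slide 7. Returns (decision, detail) where decision is
        'access', 'quarantine' or 'restricted'."""
        creds = USERS.get(username)
        if creds is None or creds[0] != password:
            return ("quarantine", "login incorrect")       # 3a: bad login
        role = creds[1]
        if role == "guest" and not ep.has_agent:
            return ("restricted", "guest declined agent")  # slide 13: no scan
        allowed = ALLOWED_OS.get(role)
        if allowed is not None and ep.os not in allowed:
            return ("quarantine", f"os {ep.os} not permitted for {role}")
        failed = sorted(c for c in REQUIRED_CHECKS[role]
                        if not ep.posture.get(c, False))
        if failed:                                          # 3a: noncompliant
            return ("quarantine", "remediate: " + ", ".join(failed))
        self.certified.add(ep.mac)                          # 3b: clean device
        return ("access", role)

    def is_certified(self, mac: str) -> bool:
        return mac in self.certified
```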
Slide 15: Single Sign-On
  AD SSO
  VPN and wireless SSO
Slide 16: Dynamic DHCP Renewal
  Web or agent DHCP renewal
  Role-based DHCP renewal
  Configurable DHCP renewal
Slide 17: NAC Appliance - Microsoft Support
  Current support:
    Windows OS agent support: Vista (all editions); XP (Home/Pro/MCE/Tablet); 2000/ME/98 (agent)
    Windows agentless support: WinCE, WinMobile; IE 5.x, 6.x and 7.x
    Windows language pack support: 15+ languages supported
    Windows hotfix/AV checks: auto-updates to pre-configured hotfix and OneCare AV checks
    Windows Update via WSUS: ability to configure Windows Updater parameters; immediate launch of the WSUS agent for auto-remediation by severity level
    Windows Update via windowsupdate.com: redirect to windowsupdate.com for remediation
    AD Single Sign-On: Windows 2003/2000 Server
  GPO/login differentiators:
    GPO launch post authentication: ability to launch a GPO to tie AD desktop policy to the access VLAN
    Login script “hold” configuration: provides a configuration to hold login script mapping until the access VLAN is assigned
  Differentiators: Single Sign-On; automated rule set updates; dynamic DHCP renewal; support for GPO and login scripts
Slide 18: NAC Manager: Simplified NAC Management
  Automated Cisco updates simplify management for over 350 partner applications
Slide 19: NAC Server: Integrated NAC Services
  Integrating posture and profiling services to ensure that incoming devices are compliant.
  Guest portal services: guest & registration portal; OS detection & restriction; role-based AUP
  Profiling services: device profiling; behavioral monitoring; device reporting
  Posture services: managed device posture; unmanaged device scanning; remediation
  Authentication services: Web, MAC, IP authentication; authentication & SSO; RADIUS accounting proxy
  NEW!
Slide 20: NAC Profiler and Collector
  Components in the diagram: NAC Manager, NAC API, NAC Server with Collector (NPC), NAC Profiler Server (NPS), Windows AD, AAA Server, SPAN
  1. NAC Profiler Collector discovers and profiles devices (e.g. phones, printers, badge readers, healthcare modalities).
  2. NAC Profiler Collector continuously monitors the behavior of profiled devices (spoofing behavior) and updates the NAC Profiler Server.
  3. NAC Profiler Server automatically adds/deletes/modifies MAC/IP entries on the CAM and places them in the filter list (allow, deny, ignore, or “role”).
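A toy version of the three-step profile, monitor and filter-list loop described on slide 20, written as an added example rather than Cisco’s profiler code. The OUI table, the expected-port table per device class and the SPAN-fed flow records are all constructed; the point is that a device classified as a printer which starts talking on workstation ports is flagged as possible MAC spoofing and denied rather than silently allowed.

```python
from collections import defaultdict

# Constructed OUI (first three octets) -> device class. A real profiler uses a large
# vendor database plus DHCP, HTTP and other fingerprints; this is only an illustration.
OUI_CLASS = {"00:1b:78": "printer", "00:04:f2": "ip-phone"}

# Destination ports each device class is expected to use (constructed behaviour rules).
EXPECTED_PORTS = {"printer": {9100, 631, 161}, "ip-phone": {5060, 2000, 69}}

# Constructed flow records as seen on the SPAN session: (source MAC, destination port)
FLOWS = [
    ("00:1b:78:aa:bb:cc", 9100), ("00:1b:78:aa:bb:cc", 631),   # printer printing
    ("00:1b:78:dd:ee:ff", 445),  ("00:1b:78:dd:ee:ff", 3389),  # "printer" doing SMB/RDP
    ("00:04:f2:11:22:33", 5060),                               # phone registering
    ("00:aa:bb:01:02:03", 80),                                 # unknown vendor
]

def profile(mac: str) -> str:
    """Step 1: classify a newly discovered device from its OUI."""
    return OUI_CLASS.get(mac.lower()[:8], "unknown")

def monitor(flows) -> dict:
    """Step 2: compare observed behaviour with the profile; Step 3: produce the
    filter-list action per MAC (allow, deny, ignore) that the Profiler Server
    would push to the CAM. Returns {mac: (action, reason)}."""
    seen = defaultdict(set)
    for mac, port in flows:
        seen[mac.lower()].add(port)
    filter_list = {}
    for mac, ports in seen.items():
        cls = profile(mac)
        if cls == "unknown":
            # Not a known device type: leave it to the normal web/agent login path
            filter_list[mac] = ("ignore", "unknown vendor")
            continue
        unexpected = sorted(ports - EXPECTED_PORTS[cls])
        if unexpected:
            # Behaviour does not match the profile: likely a spoofed printer/phone MAC
            filter_list[mac] = ("deny", f"{cls} spoofing suspected: ports {unexpected}")
        else:
            filter_list[mac] = ("allow", cls)
    return filter_list

if __name__ == "__main__":
    for mac, verdict in monitor(FLOWS).items():
        print(mac, verdict)
```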
Slide 21: NAC Appliance Use Cases
  Endpoint compliance: network access only for compliant devices
  Guest compliance: restricted Internet access only for guest users
  Wireless compliance: secured network access only for compliant wireless devices
  VPN user compliance: intranet access only for compliant remote-access users
  Intranet access compliance: ensure hosts are hardened prior to connecting to ERP, HRIS, BPM, etc.
  Diagram labels: Internet, IPsec, 802.1Q, Campus Building 1, Wireless Building 2, Conference Room in Building 3
Slide 22: NAC Manager and Server Sizing (users = online, concurrent)
  Super Manager manages up to 40 Enterprise and Branch Servers
  Enterprise and Branch Servers: 1500, 2500 or 3500 users each
  Standard Manager manages up to 20 Branch Office or SMB Servers
  Branch Office or SMB Servers: 100, 250 or 500 users each
  Manager Lite manages up to 3 servers
Slide 23: NAC Deployment Options
  NAC In-Band: plug & deploy (basic); VPN, wireless, campus & remote LANs; supports non-Cisco devices; enforcement via appliance
    Diagram: IP WAN, 802.1q, NAC Server, NAC Manager, VPN
  NAC Out-of-Band: plan & deploy (intermediate); campus LANs (L2, L3); leverages Cisco infrastructure; SNMP as control plane; enforcement via switch or appliance
    Diagram: L3, 802.1q, NAC Server, NAC Manager, SNMP
  NAC RADIUS: plan & deploy (advanced); campus LANs (802.1x, non-802.1x); leverages Cisco infrastructure and future IBPN features; RADIUS as control plane; enforcement via switch
    Diagram: NAC Server, NAC Manager, ACS, RADIUS, 802.1x, NAC NM, L2
  Status labels on the slide: Available, Planning
Slide 24: NAC Server Foundation: Virtual Gateway and Real IP Gateway
  NAC Servers at the most basic level can pass traffic in one of two ways:
    Bridged mode = Virtual Gateway
    Routed mode = Real IP Gateway / NAT Gateway
  Any NAC Server can be configured for either method, but a NAC Server can only be one at a time
  Gateway mode selection affects the logical traffic path
  It does not affect whether a NAC Server is in Layer 2 mode, Layer 3 mode, In-Band or Out-of-Band
Slide 25: NAC Server Foundation: Virtual Gateway
  Direct bridging: frame comes in, frame goes out
  VLAN IDs are either passed through untouched or mapped from A to B
  DHCP and client routes point directly to network devices on the trusted side
  NAC Server is an IP-passive bump in the wire, like a transparent firewall
Slide 26: NAC Server Foundation: Real IP/NAT Gateway
  NAC Server is routing: packet comes in, packet goes out
  VLAN IDs terminate at the Server; no pass-through or mapping
  DHCP and client routes usually point to the Server (/30)
  NAC Server is an active IP router and can also NAT outbound packets*
  * Be aware of NAT performance limitations
Slide 27: NAC Server Foundation: Edge and Central Deployment
  NAC Servers have two physical deployment models:
    Edge deployment
    Central deployment
  Any NAC Server can be configured for either method
  Deployment mode selection affects the physical traffic path
  It does not affect whether a NAC Server is in Layer 2 mode, Layer 3 mode, In-Band or Out-of-Band
Slide 28: NAC Server Foundation: Edge Deployment
  Easiest deployment option to understand
  NAC Server is logically inline and physically inline
  Supports all Catalyst switches
  VLAN IDs are passed straight through when in VGW (diagram: VLAN 10 in, VLAN 10 out)
  Installations with multiple access-layer closets can become complex
Slide 29: NAC Server Foundation: Central Deployment
  Most common deployment option
  NAC Server is logically inline, NOT physically inline
  Supports 6500 / 4500 / 3750 / 3560 (*3550 is not supported)
  VLAN IDs are mapped when in VGW (diagram: VLAN 110 mapped to VLAN 10)
  Easiest installation
  Most scalable in large environments
Slide 30: NAC Server Foundation: Central Deployment, Virtual Gateway Mode
  Example university central deployment:
    3 access-layer closets, 6 VLANs
    500 users per VLAN, total 3000 users
    3 VLANs per NAC Server, 500 users each
Slide 31: NAC Server Foundation: In Band and Out of Band
  NAC Servers have two traffic-flow deployment models:
    In Band
    Out of Band
  Any NAC Server can be configured for either method, but a NAC Server can only be one at a time
  Selection is based on whether the customer wants to remove the NAC Server from the data path
  NAC Server is ALWAYS inline during posture assessment
Slide 32: NAC Server Foundation: In Band
  Easiest deployment option
  NAC Server is inline (in the data path) before and after posture assessment
  Supports any switch, any hub, any AP
  Role-based access control: guest, contractor, employee
  ACL filtering and bandwidth throttling
Slide 33: NAC Server Foundation: Out of Band
  Multi-gigabit throughput deployment option
  NAC Server is inline for posture assessment only
  Supports most common Cisco switches**
  Port-VLAN-based and role-based access control
  ACL filtering and bandwidth throttling for posture assessment only
Slide 34: Q & A