Network Security Effective Practices - NAC/P, TNC
A Survey of Network Access/Admissions Control Security Practices in Higher Education
H. Morrow Long, Director, Information Security, Yale University
Educause 2007 Annual Conference Session
Wednesday, October 24, 2007, 11:30 a.m. - 12:45 p.m.
Overview
This presentation will discuss a survey and informal poll of the current campus network access and admissions security practices and products in higher education on both wired and wireless networks.
Agenda
• Introduction
• What is NAC, NAP and TNC?
• NAC/P Concepts and Terminology
• NAC/P Feature Checklists
• NAC/P Effective Practices in Higher Ed
• Survey of NAC/P Practices in Academia
• Discussion and Questions
NAC, NAP, TNC timeline
In 2003, RPC/DCOM worms (Blaster, NACHI) caused widespread problems on campus networks. NetReg, Bradford Campus Networks and other registration/quarantine systems were used as effective solutions. Cisco (which bought Perfigo) and many vendors (particularly wireless) entered this market. Microsoft and the TCG alliance have been promising standards (with Cisco) for some time (2008?).
NAC/P Open Source Efforts
• UConn/UMass/etc. (Rodrigue, et al.) “NetReg” mods (RPC/DCOM NASL scanning a la Nessus)
• PacketFence
• NoCAT - Captive Web Portal
NAC/P Goes Mainstream
Standards:
• Cisco / Microsoft agreement
• 802.1X and EAPs
• WPA2
What is NAC/NAP/TNC?
• NAC - Network Access (or Admission) Control
  • Generic
  • Cisco
• NAP - Network Access (or Admission) Protection
  • Microsoft Vista and Longhorn Server (2008)
• TNC - Trusted Network Computing (from Trusted Computing Group - TCG)
• Anti-Virus / Anti-Malware vendors
Why NAC? Is NAC relevant and still needed?
• New paradigms may obviate NAC:
  • Enterprise-wide A/V / Anti-Malware
  • XP SP2 Firewall & Vista Security - renders scanners obsolete?
  • Managed Workstations, “lockdown” GPO policies
• Arguments for NAC/P going forward:
  • Un-managed & guest personal computers & devices
  • End-point protection and assessment
  • IDP/DLP/CF (Leakage Protection, Content Filtering)
  • Legal Liability, CALEA, etc.
NAC/P Issues to deal with
• Phones
• Printers
• User hubs, switches, WiFi APs and SOHO routers
• XBOX™, Sony PlayStation™, Nintendo™
• PDAs, SmartPhones, etc.
• Other unique IP devices and non-standard OSes
• “Guest/Visitor” and conference attendees
NAC/P vs. No NAC/P
• You can actually have even better security using NAC/P IF you use strong encryption (and a good implementation) -- even over wired networks.
• Inline is more secure, reliable(?) than non-inline…
• Complex solutions may cause problems (run amok).
• You will need to provide overrides and exceptions -- but SOP & Policy should discourage this as much as possible.
Threats to NAC/P (in order of sophistication)
• Scalability - worst case scenario: several thousand PCs seeking network admission simultaneously, overwhelming the scanner / NAC / network.
• Single Point of Failure - only 1 scanner / gate / remediation website, etc.
• Self-assigning IPs
• Spoofing IPs
• Spoofing EHAs (MACs)
• ARP spoofing/poisoning (Dsniff, Ettercap, etc.)
• Router EHA Cloning DoS Attack
• 802.1X / EAP DoS Attacks
• VLAN “jumping”
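Detection logic for the spoofing items on this list (self-assigned IPs, spoofed IPs and MACs, ARP poisoning, router EHA cloning), as an added defender-side example that is not part of the slides or of any NAC product: it runs over a handful of constructed ARP-reply observations and a constructed registration table. The observation format (timestamp, sender IP, sender MAC, switch port), the addresses, the port names and the function names are all assumptions made for illustration.

```python
"""Flag ARP-level spoofing indicators against a NAC registration table.
Added example; every record, address and port below is constructed."""
from collections import defaultdict

# Constructed registration bindings (what a NAC registration DB holds): IP -> MAC.
KNOWN_BINDINGS = {
    "10.10.1.1":  "00:11:22:33:44:01",   # default gateway / router EHA
    "10.10.1.50": "00:11:22:33:44:50",
    "10.10.1.51": "00:11:22:33:44:51",
}

# Constructed ARP-reply observations as a sensor on the quarantine VLAN might report
# them: (timestamp, sender IP, sender MAC, switch port the frame arrived on).
ARP_OBSERVATIONS = [
    ("12:00:01", "10.10.1.50", "00:11:22:33:44:50", "Gi1/0/5"),
    ("12:00:02", "10.10.1.51", "00:11:22:33:44:51", "Gi1/0/6"),
    ("12:00:05", "10.10.1.1",  "00:11:22:33:44:99", "Gi1/0/7"),  # gateway IP, unregistered MAC
    ("12:00:06", "10.10.1.50", "00:11:22:33:44:50", "Gi1/0/7"),  # registered MAC now on a second port
    ("12:00:07", "10.10.1.1",  "00:11:22:33:44:01", "Gi1/0/1"),  # legitimate gateway reply
    ("12:00:08", "10.10.1.77", "00:11:22:33:44:77", "Gi1/0/8"),  # IP that was never registered
]


def detect_arp_anomalies(observations, known):
    """Return a list of alert dicts.

    Per-observation checks compare each ARP reply with the registration table
    (unregistered / self-assigned IP, or a registered IP answered by the wrong
    MAC). Aggregate checks then look for one IP claimed by several MACs (ARP
    poisoning, gateway EHA cloning) and one MAC seen on several switch ports
    (EHA spoofing, or a user hub/switch behind the port)."""
    alerts = []
    macs_by_ip = defaultdict(set)
    ports_by_mac = defaultdict(set)
    for ts, ip, mac, port in observations:
        macs_by_ip[ip].add(mac)
        ports_by_mac[mac].add(port)
        expected = known.get(ip)
        if expected is None:
            alerts.append({"kind": "UNREGISTERED_IP", "ts": ts, "ip": ip, "mac": mac, "port": port})
        elif expected != mac:
            alerts.append({"kind": "ARP_BINDING_CONFLICT", "ts": ts, "ip": ip, "mac": mac,
                           "port": port, "expected_mac": expected})
    for ip, macs in sorted(macs_by_ip.items()):
        if len(macs) > 1:
            alerts.append({"kind": "IP_CLAIMED_BY_MULTIPLE_MACS", "ip": ip, "macs": sorted(macs)})
    for mac, ports in sorted(ports_by_mac.items()):
        if len(ports) > 1:
            alerts.append({"kind": "MAC_ON_MULTIPLE_PORTS", "mac": mac, "ports": sorted(ports)})
    return alerts


def summarize(alerts):
    """Count alerts by kind, the shape a NAC management console would display."""
    counts = {}
    for alert in alerts:
        counts[alert["kind"]] = counts.get(alert["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect_arp_anomalies(ARP_OBSERVATIONS, KNOWN_BINDINGS)
    for alert in found:
        print(alert)
    print(summarize(found))
```

The per-observation checks only need the registration database; the aggregate checks need switch-port information, which is why the slide's in-line and 802.1X-based architectures make these indicators easier to collect than a pure DHCP/NetReg setup.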
NAC System Components
• Database (User, Computer, MAC, etc.)
• Registration System
• DHCP and/or Authentication (RADIUS/802.1X) Server
• Scanning engine and Policy Server
• Quarantine LAN/VLAN/Subnet
• ACL (switch/router), Firewall, Filter/Blocking device
• Captive Portal
• Remediation Site
• Proxy
• Agent (one time/registration, temporary, permanent)
• Management Interface and/or Station/App.
Other NAC Architectures
• EHA / MAC filtering
• NAT Control
• Forced VPN option
• WiFi
• Wired
• Remote Access
• Guest networks
NAC Concepts/Terms
• Pre-authentication
• Post-authentication
• DLP/ILP - Leak Protect
• In-line
• Out-of-Band
• Agent / Agent-less
• One-time
• Boot/Connect time
• Dissolvable
• Continual
• Policy Server
• Remediation Server
• End Point Protection
• Security via Virtualization
• Quarantine
NAC/P Implementation Checklist
Practical NAC/P Planning “high level short list”:
• Create, publish and enforce security policies.
• Practice rigorous physical security.
• Verify user identities.
• Actively monitor logs, firewalls & IDSes.
• Logically segregate data & voice traffic.
• Harden OSes.
• Encrypt whenever and whatever you can.
NAC Implementation Checklist
Detailed and specific list:
• Use a separate VLAN with 802.1p/q QoS w/priority VLAN tagging for the quarantine network.
• Use a private (RFC1918) IP network for the quarantine VLAN.
• Use NAT and/or proxies to hide internal addresses.
• Use a firewall (packet filtering or ALG) to protect & connect the quarantine network to the data IP network.
• Use an IDS or IPS to examine the traffic allowed through the firewall (may be built into the firewall).
• Use agents, 802.1X & RADIUS auth & EAP supplicants.
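An admission decision that follows the two checklists above and the NAC System Components slide (registration database, authentication server, policy server, quarantine VLAN), together with the agentless devices and policy overrides raised on the earlier "Issues" and "NAC/P vs. No NAC/P" slides, written as an added example that is not any product's code. The VLAN ids, the subnets, the posture field names, the device records and the function names are constructed placeholders; the two configuration checks test the checklist items that the quarantine network must be RFC1918 space and separate from the production data network.

```python
"""NAC admission decision plus quarantine-network configuration checks.
Added example; all ids, subnets, posture fields and devices are constructed."""
import ipaddress
from dataclasses import dataclass

PRODUCTION_VLAN = 100   # constructed
VOICE_VLAN = 200        # constructed: voice kept logically separate from data
QUARANTINE_VLAN = 999   # constructed

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Devices that cannot run an agent or 802.1X supplicant; admitted by MAC registration only.
AGENTLESS_KINDS = {"phone", "printer"}

# Posture facts reported by a one-time or continual agent/scanner; all must hold.
REQUIRED_POSTURE = ("antivirus_current", "patches_current", "host_firewall_on")


def validate_quarantine_config(quarantine_subnet, production_subnet):
    """Check that quarantine addressing is RFC1918 private space and does not
    overlap the production data network. Returns a list of problems (empty = OK)."""
    q = ipaddress.ip_network(quarantine_subnet)
    p = ipaddress.ip_network(production_subnet)
    problems = []
    if not any(q.subnet_of(r) for r in RFC1918):
        problems.append("quarantine subnet is not RFC1918 private space")
    if q.overlaps(p):
        problems.append("quarantine subnet overlaps the production subnet")
    return problems


@dataclass
class Device:
    mac: str
    kind: str            # "computer", "phone" or "printer"
    registered: bool     # present in the registration database
    auth_ok: bool        # 802.1X/RADIUS (EAP) authentication succeeded
    posture: dict        # constructed agent/scanner results, e.g. {"antivirus_current": True}


@dataclass
class Decision:
    vlan: int
    reasons: list


def admit(device, exceptions=frozenset()):
    """Decide which VLAN the switch port / DHCP scope should place the device in."""
    if device.mac in exceptions:
        # Overrides exist, but policy should keep this set tiny and every use logged.
        return Decision(PRODUCTION_VLAN, ["policy exception for MAC " + device.mac])
    if not device.registered:
        return Decision(QUARANTINE_VLAN, ["device not registered"])
    if device.kind in AGENTLESS_KINDS:
        vlan = VOICE_VLAN if device.kind == "phone" else PRODUCTION_VLAN
        return Decision(vlan, ["agentless device admitted by MAC registration"])
    reasons = []
    if not device.auth_ok:
        reasons.append("802.1X/RADIUS authentication failed")
    for fact in REQUIRED_POSTURE:
        if not device.posture.get(fact, False):
            reasons.append("posture check failed: " + fact)
    if reasons:
        return Decision(QUARANTINE_VLAN, reasons)
    return Decision(PRODUCTION_VLAN, ["registered, authenticated and compliant"])


if __name__ == "__main__":
    print(validate_quarantine_config("10.99.0.0/16", "192.0.2.0/24"))
    laptop = Device("aa:bb:cc:00:00:01", "computer", True, True,
                    {"antivirus_current": True, "patches_current": False, "host_firewall_on": True})
    print(admit(laptop))
```

The reasons list is what the remediation site or captive portal would show the user; returning every failed check at once, rather than the first one, avoids repeated quarantine round-trips, which matters for the scalability scenario on the threats slide.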
NAC/P Effective Practices in Higher Ed
Some schools:
• Use a separate VLAN, L2 switches and RFC1918 IP addresses for the quarantine network.
Many schools:
• Using Cisco Secure/Clean Access
• Rolling their own via NetReg, NoCat & PacketFence
• Looking at appliances
NAC/P Effective Practices in Higher Ed: Colleges
(http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0701&L=security&P=13595)
Date: Fri, 19 Jan 2007 15:58:22 -0500
Reply-To: The EDUCAUSE Security Discussion Group Listserv
From: "Charles L. Bombard"
Subject: Re: Network access control
In-Reply-To: <[log in to unmask]>
Content-Type: text/plain; charset="us-ascii"
Still looking. I am on the fence (excuse the pun) and can go with either one at the moment. Packetfence seems to have acquired a large following, and netreg seems to not be in active development any longer.
www.netreg.org
www.packetfence.org
- Charlie
==========================================
Charles Bombard, GSEC
LAN/Systems Administrator
Community College of Vermont
119 Pearl Street
Burlington, VT 05401
802.657.4234
NAC/P Effective Practices in Higher Ed: Small Colleges
(http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind07&L=smallcol&P=20469)
Date: Wed, 18 Apr 2007 11:00:47 -0400
Reply-To: The EDUCAUSE Small College Constituent Group Listserv
From: "Beyer, Bill (William)" <[log in to unmask]>
Subject: Network Access Control and Vista
Content-Type: multipart/alternative;
Hartwick College has been an early adopter of Network Access Control using Sygate Secure Enterprise in conjunction with using 802.1x protocols on our HP network data switches. While Sygate has worked well it does have its limitations, mainly that it does not yet have a Vista client (our fingers are crossed that it will be released in May 2007) or a workable Mac client or Linux client. Our plans also include rolling out Vista Business on the student laptops we will issue to all freshmen this fall.
NAC/P - Other Surveys
Network Computing Magazine, Rolling Review Kickoff: Out-Of-Band NAC - Oct 22, 2007 - By Mike Fratto
“Thing is, out-of-band NAC seems to have an image problem: Our own reader research indicates that 65% of organizations deploying NAC prefer in-line appliances versus 50% using out-of-band products. And the outlook doesn't look likely to improve. Nearly 70% of companies in the planning stages are leaning toward in-line systems, versus just 43% favoring out-of-band NAC. A recent survey by Infonetics Research shows that 55% of companies plan on buying in-line NAC products; this syncs with the firm's market forecast, which shows more than half the NAC units shipped are in-line appliances. Is the problem just bad PR, or does the out-of-band approach really carry technical disadvantages compared with going in-band?”
• http://www.networkcomputing.com/channels/security/showArticle.jhtml?articleID=202403321
NAC/P Higher Ed Effective Practices Survey
Which NAC/P security mechanisms do[n’t] you use?
• Use of IPS or FW between NAC/P network and production backbone IP network.
• Use of IDS between NAC/P network and production backbone IP network.
• Use NAC (network access control) such as 802.1X and RADIUS to authenticate.
• Devices require the use of the separate NAC/P network (physical LAN, VLAN, subnet address, etc.) from the production backbone data IP network.
• VoIP phones are automatically allowed access to the backbone network?
• Computers are allowed with IPSEC or other VPNs.
• Use NAC (network access control) such as 802.1X and RADIUS to authenticate hard phones.
• Allow quarantine access automatically to the Internet but not campus network?
• Provide separate dedicated bandwidth for NAC/P quarantine network traffic to the Internet?
Survey
• 47 Responses (as of October 20, 2007)
• http://www.surveymonkey.com/s.aspx?sm=w7FZIc_2fK4_2frF3icYgfKXig_3d_3d
NAC/P Higher Ed Effective Practices Survey
Solutions at 2.6% (1 response each):
• IBM (Internet Security Systems)
• Impulse Point (Safe Connect)
• InfoBlox (ID Aware)
• Juniper Networks (Endpoint Assurance (was Funk))
• LANDesk Software (Trusted Access)
• Lockdown Networks (Lockdown Enforcer)
• McAfee (McAfee Policy Enforcer)
• ProCurve Networking
• Symantec (Sygate NAC)
• VeriSign Inc
NAC/P Higher Ed Effective Practices Survey
Q1: Other Category
Several comments about not having NAC, planning on buying NAC, using open source or developing a home-grown solution.
NAC/P Higher Ed Effective Practices Survey
Q2: Other Category
• RACS - homegrown system
• We rolled our own (for wireless)
• none
• Saint Mary's NetReg and in house developed
• Homebuilt
• Complete Home Brew
• home grown nessus
NAC/P Higher Ed Effective Practices Survey
Q3: Other Category
• IPSec
• None
NAC/P Higher Ed Effective Practices Survey
Q4: Other Category
• Just Authentication
• Currently none
• 30 day registration
• Once per Semester
• Weekly re-assessment
• Arbitrary, configurable check-in
NAC/P Higher Ed Effective Practices Survey
Q5: Other Category
• staff/student laptops
• Nowhere