Cisco NAC
Luc Billot, Security Consulting Engineer, lbillot@cisco.com
October 2007, Network Academy Istanbul
The Diversity of Education Networks
• Every bit of user data touches the network
• Every device students and administrators have is attached to the network
• In this environment, EVERYTHING is a potential target AND a potential threat
>> Threat vectors have changed: your "trusted users" can be the weakest link in your network's security

The Evolution of Education Threats
• Mitigating threats via policy compliance
• Balancing access and security in a "connected" world
• Changing threats from infection to "targeted attacks"
>> Education vectors have changed: you are accountable for "policies" that are not enforced
What Is NAC, Really?
Better criteria for network access beyond "Who Is It?"
Network Admission Control = 4 key functions:
• Authenticate & Authorize
• Scan & Evaluate
• Quarantine & Enforce
• Update & Remediate
The questions NAC answers: Where is it coming from? What do you have? Who owns it? What's on it? What is it doing? What's the preferred way to check or fix it?
NAC Means Better Criteria for Education
• What System Is It? Windows, Mac or Linux; laptop, desktop or PDA; printer or other corporate asset
• Who Owns It? University, faculty, student, guest, unknown
• Where Is It Coming From? VPN, LAN, WLAN, WAN
• What's On It? Is It Running? Anti-virus, anti-spyware, personal firewall, patching tools
• What's The Preferred Way To Check/Fix It? Pre-configured checks, customized checks, self-remediation or auto-remediation, third-party software
NAC Must Address Top Pain Points
• Implement identity-based access control: applies identity and access policies based on roles to all users and devices
• Handle guest and unmanaged users: authenticates and controls guest and unmanaged assets
• Enforce endpoint policy requirements: assesses, quarantines, and remediates noncompliant endpoints
Source: Current Analysis, July 2006
Cisco NAC Overview: THE GOAL
Components: Authentication Server, NAC Manager, NAC Server, Intranet/Network, Quarantine Role
1. End user attempts to access a Web page or uses an optional client. Network access is blocked until the wired or wireless end user provides login information.
2. User is redirected to a login page. Clean Access validates the username and password, and also performs device and network scans to assess vulnerabilities on the device.
3a. Device is noncompliant or login is incorrect: user is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is "clean": machine gets on the "certified devices list" and is granted access to the network.

End User Experience: Web-based
• Login screen
• Scan is performed (types of checks depend on user role/OS)
• Click-through remediation

Downloading the Agent (Optional)
• Guest user will be offered the choice to download the agent for posture assessment
• Guest user can still proceed by clicking "Restricted Network Access" if they choose not to download the agent

Endpoint Security Posture
• Login screen
• Scan is performed (types of checks depend on user role)
• Scan fails
• Remediate
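The admission flow on the overview and posture slides (login, role- and OS-dependent scan, quarantine role with remediation resources, certified devices list), as an added Python model. This is example code, not Cisco's: the user store, role names, check names and remediation texts are constructed, and the rule that a device already on the certified list is not rescanned is a simplification assumed here.

```python
"""Model of the NAC admission flow: login, posture scan per role/OS,
quarantine role with remediation resources, certified devices list.
Added example, not Cisco code; users, roles, checks and links are constructed."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed credential store: username -> (password, role). A real deployment
# validates against the authentication server (AD, RADIUS, LDAP).
USERS: Dict[str, Tuple[str, str]] = {
    "alice": ("correct-horse", "Employee"),
    "bob": ("battery-staple", "Student"),
    "guest1": ("welcome", "Guest"),
}

# Constructed posture policy: which checks run depends on role and OS (the
# slides state the dependency, not these particular checks).
POSTURE_POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("Employee", "Windows"): {"antivirus_current", "firewall_on", "hotfixes_current"},
    ("Student", "Windows"): {"antivirus_current", "firewall_on"},
    ("Student", "Mac"): {"antivirus_current"},
    ("Guest", "Windows"): set(),   # guest role: restricted access, no checks
    ("Guest", "Mac"): set(),
}

# Constructed "online remediation resources" offered in the quarantine role.
REMEDIATION = {
    "antivirus_current": "Update AV signatures via the campus AV server",
    "firewall_on": "Enable the personal firewall",
    "hotfixes_current": "Run Windows Update via WSUS",
}

@dataclass
class Endpoint:
    mac: str
    os: str
    posture: Dict[str, bool]   # check name -> passed, as reported by the scan/agent

@dataclass
class Decision:
    role: str                  # access role granted; "Quarantine" when denied
    allowed: bool
    failed_checks: List[str] = field(default_factory=list)
    remediation: List[str] = field(default_factory=list)

class NacServer:
    def __init__(self) -> None:
        self.certified: Set[str] = set()   # "certified devices list" (step 3b)

    def admit(self, username: str, password: str, endpoint: Endpoint) -> Decision:
        # Step 2: validate username/password. Wrong login -> step 3a.
        record = USERS.get(username)
        if record is None or not hmac.compare_digest(record[0], password):
            return Decision("Quarantine", False)
        role = record[1]
        # Assumed simplification: a device already on the certified list is
        # not rescanned for this session.
        if endpoint.mac in self.certified:
            return Decision(role, True)
        required = POSTURE_POLICY.get((role, endpoint.os))
        if required is None:
            return Decision("Quarantine", False, ["unsupported_os"],
                            ["This OS/role combination has no posture policy"])
        failed = sorted(c for c in required if not endpoint.posture.get(c, False))
        if failed:
            # Step 3a: noncompliant -> quarantine role with remediation resources.
            return Decision("Quarantine", False, failed, [REMEDIATION[c] for c in failed])
        # Step 3b: "clean" -> certified devices list, access in the user's role.
        self.certified.add(endpoint.mac)
        return Decision(role, True)
```

Note that the credential check runs before the certified-list lookup, so a certified machine with a bad login still lands in quarantine, matching step 3a on the slide.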
Single-Sign-On
• AD SSO
• VPN and Wireless SSO

Dynamic DHCP Renewal
• Web or Agent DHCP Renewal
• Role Based DHCP Renewal
• Configurable DHCP Renewal
NAC Appliance - Microsoft Support
Current Support:
• GPO/Login AD Single-Sign-On: Windows 2003/2000 Server
• GPO Launch post Authentication: ability to launch GPO to tie AD desktop policy to the access VLAN
• Login Script "hold" Configuration: provides a configuration to hold login script mapping until the access VLAN
• Windows OS Agent Support: Vista (All Editions), XP (Home/Pro/MCE/Tablet), 2000/ME/98 (Agent)
• Windows Agentless Support: WinCE, WinMobile, IE 5.x, 6.x and 7.x
• Windows Language Pack Support: 15+ languages supported
• Windows Hotfixes/AV Checks: auto-updates to pre-configured Hotfix and OneCare AV checks
• Windows Update via WSUS: ability to configure Windows Updater parameters; immediate launch of the WSUS agent for auto-remediation via severity levels
• Windows Update via windowsupdate.com: redirect to windowsupdate.com for remediation
Differentiators: Single-Sign-On; Automated RuleSet Updates; Dynamic DHCP Renewal; Support for GPO and Login Scripts
NAC Manager: Simplified NAC Management
• Automated Cisco updates simplify management for over 350 partner applications
NAC Server: Integrated NAC Services
Integrating posture and profiling services to ensure that incoming devices are compliant.
Posture Services:
• Managed Device Posture
• Unmanaged Device Scanning
• Remediation
Guest Portal Services:
• Guest & Registration Portal
• OS Detection & Restriction
• Role based AUP
Authentication Services:
• Web, MAC, IP Authentication
• Authentication & SSO
• RADIUS Accounting Proxy
Profiling Services (NEW!):
• Device Profiling
• Behavioral Monitoring
• Device Reporting
NAC Profiler and Collector
Components in the diagram: NAC Profiler Server (NPS), NAC Manager, NAC Server with Collector (NPC), Windows AD, AAA Server, SPAN, NAC API
• NAC Profiler Server automatically adds/deletes/modifies MAC/IP on the CAM and places it in the filter list (allow, deny, ignore, or "role").
• NAC Profiler Collector discovers and profiles devices (e.g. phones, printers, badge readers, healthcare modalities).
• NAC Profiler Collector continuously monitors the behavior of profiled devices (spoofing behavior) and updates the NAC Profiler Server.
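The Collector/Server split on the profiler slide (discover a device, assign a profile, push a filter-list entry, keep watching whether the device still behaves like its profile), as an added Python model. This is example code, not Cisco's Profiler: the OUI prefixes, the per-profile port rules, the filter actions chosen for each profile and the sample traffic events are all constructed for illustration.

```python
"""Model of NAC Profiler Collector + Server: discovery, profiling, filter-list
placement (allow/deny/ignore/role) and behavioural re-check for spoofing.
Added example, not Cisco code; OUIs, rules and events are constructed."""
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

# Constructed OUI -> device type hints (not real vendor OUIs).
OUI_HINTS = {"00:1A:2B": "phone", "00:3C:4D": "printer"}

# Constructed behaviour rules: the destination ports a profiled device is
# expected to use, and the filter-list entry the Profiler Server applies.
PROFILE_RULES: Dict[str, dict] = {
    "phone":   {"ports": {5060, 5061, 2000}, "filter": ("role", "voice")},
    "printer": {"ports": {9100, 515, 631},   "filter": ("allow", None)},
}
UNKNOWN_FILTER: Tuple[str, Optional[str]] = ("ignore", None)  # fall back to normal login

class ProfilerServer:
    """Holds profiles and pushes MAC entries to the CAM filter list (via NAC API)."""
    def __init__(self) -> None:
        self.filter_list: Dict[str, Tuple[str, Optional[str]]] = {}
        self.profiles: Dict[str, str] = {}

    def apply(self, mac: str, profile: str) -> None:
        self.profiles[mac] = profile
        self.filter_list[mac] = PROFILE_RULES.get(profile, {"filter": UNKNOWN_FILTER})["filter"]

    def deny(self, mac: str, reason: str) -> None:
        # Behaviour no longer matches the profile: revoke the profile-based entry.
        self.profiles[mac] = "spoofed"
        self.filter_list[mac] = ("deny", reason)

class ProfilerCollector:
    """Watches traffic (e.g. from a SPAN session) and profiles endpoints."""
    def __init__(self, server: ProfilerServer) -> None:
        self.server = server
        self.seen_ports: Dict[str, Set[int]] = defaultdict(set)

    def observe(self, mac: str, dst_port: int) -> Tuple[str, Optional[str]]:
        """Feed one observed flow; return the current filter-list entry for the MAC."""
        self.seen_ports[mac].add(dst_port)
        current = self.server.profiles.get(mac)
        if current is None:
            # Discovery: classify by OUI hint (constructed rule) and place in filter list.
            self.server.apply(mac, OUI_HINTS.get(mac[:8].upper(), "unknown"))
        elif current in PROFILE_RULES:
            expected = PROFILE_RULES[current]["ports"]
            if not self.seen_ports[mac] <= expected:
                # A "printer" that starts talking to ports a printer never uses is
                # the spoofing behaviour the Collector reports to the Server.
                self.server.deny(mac, f"{current} profile violated")
        return self.server.filter_list[mac]
```

The point of the second branch is that profiling is not a one-time decision: the filter-list entry a device earned at discovery is only as trustworthy as its continued behaviour, which is why the Collector keeps feeding the Server.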
NAC Appliance Use Cases
(Diagram: Internet; Campus Building 1; Wireless Building 2 over 802.1Q; Conference Room in Building 3; IPsec remote access)
• Endpoint Compliance: network access only for compliant devices
• Wireless Compliance: secured network access only for compliant wireless devices
• Intranet Access Compliance: ensure hosts are hardened prior to connecting to ERP, HRIS, BPM, etc.
• Guest Compliance: restricted internet access only for guest users
• VPN User Compliance: intranet access only for compliant remote access users
NAC Manager and Server Sizing (users = online, concurrent)
• Super Manager manages up to 40 Enterprise and Branch Servers
• Standard Manager manages up to 20 Enterprise and Branch Servers
• Manager Lite manages up to 3 Enterprise and Branch Servers
• Enterprise Servers: 3500, 2500 or 1500 users each
• Branch Office or SMB Servers: 100, 250 or 500 users each
NAC Deployment Options
(Diagram elements: NAC Manager, NAC Server, SNMP, ACS RADIUS, L3 VPN / IP WAN, L2 802.1q, NAC NM, 802.1x)
In-Band NAC (Available):
• Plug & deploy (basic)
• VPN, wireless, campus & remote LANs
• Supports non-Cisco devices
• Enforcement via appliance
Out-of-Band NAC (Available):
• Plan & deploy (intermediate)
• Campus LANs (L2, L3)
• Leverages Cisco infrastructure
• SNMP as control plane
• Enforcement via switch or appliance
RADIUS NAC (Planning):
• Plan & deploy (advanced)
• Campus LANs (802.1x, non-802.1x)
• Leverages Cisco infrastructure and future IBPN features
• RADIUS as control plane
• Enforcement via switch
NAC Server Foundation: Virtual Gateway and Real IP Gateway
• NAC Servers at the most basic level can pass traffic in one of two ways: Bridged Mode = Virtual Gateway; Routed Mode = Real IP Gateway / NAT Gateway
• Any NAC Server can be configured for either method, but a NAC Server can only be one at a time
• Gateway mode selection affects the logical traffic path
• Does not affect whether a NAC Server is in Layer 2 mode, Layer 3 mode, In Band or Out of Band

NAC Server Foundation: Virtual Gateway
• Direct bridging: frame comes in, frame goes out
• VLAN IDs are either passed through untouched or mapped from A to B
• DHCP and client routes point directly to network devices on the trusted side
• NAC Server is an IP-passive bump in the wire, like a transparent firewall

NAC Server Foundation: Real IP/NAT Gateway
• NAC Server is routing: packet comes in, packet goes out
• VLAN IDs terminate at the Server; no pass-through or mapping
• DHCP and client routes usually point to the Server for the /30
• NAC Server is an active IP router and can also NAT outbound packets*
* Be aware of NAT performance limitations
NAC Server Foundation: Edge and Central Deployment
• NAC Servers have two physical deployment models: Edge Deployment; Central Deployment
• Any NAC Server can be configured for either method
• Deployment mode selection affects the physical traffic path
• Does not affect whether a NAC Server is in Layer 2 mode, Layer 3 mode, In Band or Out of Band

NAC Server Foundation: Edge Deployment
• Easiest deployment option to understand
• NAC Server is logically inline and physically inline
• Supports all Catalyst switches
• VLAN IDs are passed straight through when in VGW (diagram: VLAN 10 in, VLAN 10 out)
• Installations with multiple access layer closets can become complex

NAC Server Foundation: Central Deployment
• Most common deployment option
• NAC Server is logically inline, NOT physically inline
• Supports 6500 / 4500 / 3750 / 3560 (3550 is not supported)
• VLAN IDs are mapped when in VGW (diagram: VLAN 110 in, VLAN 10 out)
• Easiest installation
• Most scalable in large environments
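The gateway-mode and deployment-model slides above describe two independent choices: the logical path (Virtual Gateway bridges and passes or maps the VLAN ID with IP untouched; Real IP/NAT Gateway terminates the VLAN, is the client's next hop and may NAT) and the physical path (edge passes VLAN IDs straight through; central maps them). The added Python model below makes that independence concrete. It is example code, not Cisco's: the addresses, VLAN numbers, NAT address and the `route_target` check are constructed for illustration.

```python
"""Model of a NAC Server's handling of one client frame under Virtual Gateway
(bridged) vs Real IP/NAT Gateway (routed) and edge vs central deployment.
Added example, not Cisco code; addresses and VLAN numbers are constructed."""
from dataclasses import dataclass, field, replace
from typing import Dict, Optional

@dataclass(frozen=True)
class Frame:
    vlan: Optional[int]   # 802.1Q tag on the wire (None once terminated at the server)
    src_ip: str
    dst_ip: str
    next_hop: str         # where the client's DHCP-supplied default route points

@dataclass
class NacServer:
    gateway: str                        # "vgw" (bridged) or "rip" (routed / NAT)
    deployment: str                     # "edge" or "central": physical path only
    trusted_router: str = "10.1.0.1"    # VGW: trusted-side device clients route to
    vlan_map: Dict[int, int] = field(default_factory=dict)  # central VGW: untrusted -> trusted VLAN
    server_ip: str = "10.2.0.1"         # RIP: server address on the client /30
    trusted_vlan: Optional[int] = None  # RIP: VLAN of the server's trusted interface
    nat_ip: Optional[str] = None        # RIP: outbound NAT address when NAT is enabled

    def route_target(self) -> str:
        """Where DHCP/client routes point: a trusted-side device under VGW
        (the server is a passive bump in the wire), the server itself under RIP."""
        return self.trusted_router if self.gateway == "vgw" else self.server_ip

    def forward(self, frame: Frame) -> Frame:
        if frame.next_hop != self.route_target():
            raise ValueError(f"client route must point to {self.route_target()}")
        if self.gateway == "vgw":
            # Bridged: frame comes in, frame goes out; IP addresses untouched.
            if self.deployment == "edge":
                return frame                                   # VLAN passed straight through
            return replace(frame, vlan=self.vlan_map[frame.vlan])  # VLAN A mapped to B
        # Routed: the VLAN terminates here and the packet leaves on the trusted side.
        out = replace(frame, vlan=self.trusted_vlan)
        if self.nat_ip:
            out = replace(out, src_ip=self.nat_ip)   # NAT gateway rewrites the source
        return out
```

Switching `deployment` between edge and central changes only whether the VLAN ID is rewritten, while switching `gateway` changes who the client's next hop is and whether the VLAN survives; neither setting says anything about in-band versus out-of-band, which the later slides cover separately.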
NAC Server Foundation: Central Deployment Example
University central deployment, Virtual Gateway mode:
• 3 access layer closets, 6 VLANs
• 500 users per VLAN, 3000 users in total
• 3 VLANs per NAC Server, 500 users each
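The sizing slide and the central deployment example above, turned into a small planning helper (added Python example, not a Cisco tool). The server capacities and manager limits are the numbers on the sizing slide; treating 3500/2500/1500 as the Enterprise tiers, keeping each VLAN whole on one server and packing VLANs first-fit are assumptions made here.

```python
"""Capacity planning for NAC Manager/Server sizing. Added example, not Cisco
code: capacities come from the sizing slide, the packing rule is assumed."""
from typing import Dict, List, Optional

# Concurrent online users per NAC Server, as listed on the sizing slide.
SERVER_TIERS: Dict[str, List[int]] = {
    "enterprise": [1500, 2500, 3500],   # assumed to be the Enterprise servers
    "branch": [100, 250, 500],          # Branch Office or SMB servers
}
# Manager tiers and the number of servers each manages.
MANAGER_TIERS = [("Manager Lite", 3), ("Standard Manager", 20), ("Super Manager", 40)]

def smallest_server(users_per_vlan: int, family: str = "enterprise") -> int:
    """Smallest server tier that can hold the largest single VLAN (assumed rule:
    a VLAN is never split across servers)."""
    for cap in SERVER_TIERS[family]:
        if cap >= users_per_vlan:
            return cap
    raise ValueError(f"no {family} server holds a {users_per_vlan}-user VLAN")

def plan(vlan_user_counts: List[int], server_capacity: int) -> dict:
    """Pack whole VLANs onto NAC Servers first-fit, then pick the smallest
    manager whose server limit covers the result (None if none does)."""
    servers: List[List] = []   # each entry: [users assigned, [vlan indexes]]
    for idx, users in enumerate(vlan_user_counts):
        if users > server_capacity:
            raise ValueError(f"VLAN {idx} ({users} users) exceeds one server")
        for s in servers:
            if s[0] + users <= server_capacity:
                s[0] += users
                s[1].append(idx)
                break
        else:
            servers.append([users, [idx]])
    manager: Optional[str] = next(
        (name for name, limit in MANAGER_TIERS if len(servers) <= limit), None)
    return {
        "total_users": sum(vlan_user_counts),
        "servers": len(servers),
        "vlans_per_server": [s[1] for s in servers],
        "manager": manager,
    }

if __name__ == "__main__":
    # The slide's example: 6 VLANs of 500 users on 1500-user servers.
    print(plan([500] * 6, smallest_server(500)))
```

For the slide's figures this yields two servers carrying three VLANs each (1500 users per server) and a Manager Lite, which manages up to three servers; the same function shows when a growing campus crosses the 20-server line that forces a Super Manager.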
NAC Server Foundation: In Band and Out of Band
• NAC Servers have two traffic flow deployment models: In Band; Out of Band
• Any NAC Server can be configured for either method, but a NAC Server can only be one at a time
• Selection is based on whether the customer wants to remove the NAC Server from the data path
• NAC Server is ALWAYS inline during posture assessment

NAC Server Foundation: In Band
• Easiest deployment option
• NAC Server is inline (in the data path) before and after posture assessment
• Supports any switch, any hub, any AP
• Role-based access control (Guest, Contractor, Employee)
• ACL filtering and bandwidth throttling

NAC Server Foundation: Out of Band
• Multi-gigabit throughput deployment option
• NAC Server is inline for posture assessment only
• Supports most common Cisco switches**
• Port-VLAN-based and role-based access control
• ACL filtering and bandwidth throttling for posture assessment only