Network Admission Control to WLAN at WIT
Presented by: Aidan McGrath B.Sc. M.A.
Why deploy a wireless LAN?
• Can be seen to be behind the technology by potential students if not deployed.
• Keep up with technology demands of modern students.
• It will happen anyway, so why not take control from the start.
• Students are used to mobile phones, so why not mobile computing?
• Reduce demand on providing more PCs which then need to be replaced.
What are the challenges of a WLAN?
• Disappearing security boundaries expose internal infrastructure and assets.
• Ensuring policy compliance for all endpoint devices seeking network access.
• Providing sufficient access points: how many, and where?
• Does one size fit all?
What are the solutions?
• Turn on the service and hope for the best: no checking of laptops for vulnerabilities.
• Manual intervention to assess laptops for risks.
• Automatic posture assessment of the laptop at time of connection: network admission control (NAC).
Network Admission Control (NAC)
Use the network to enforce policies to ensure that incoming devices are compliant. NAC combines three sets of questions: identity, device security and network security.
Identity
• Who is the user?
• Is s/he authorised?
• What role does s/he get?
Device security
• Is the OS patched?
• Does A/V or A/S exist?
• Is it running?
• Are services on?
• Do required files exist?
Network security
• Is policy established?
• Are non-compliant devices quarantined?
• Is remediation required?
• Is remediation available?
All-in-One Policy Compliance and Remediation Solution
Authenticate & Authorise
• Enforces authorisation policies and privileges
• Supports multiple user roles
Quarantine
• Isolate non-compliant devices from the rest of the network
• MAC- and IP-based quarantine effective at a per-user level
Scan & Evaluate
• Agent scan for required versions of hotfixes, AV, and other software
• Network scan for virus and worm infections and port vulnerabilities
Update & Remediate
• Network-based tools for vulnerability and threat remediation
• Help-desk integration
Cisco NAC Appliance (Cisco Clean Access) Components
• Clean Access Server (CAS): serves as an in-band or out-of-band device for network access control
• Clean Access Manager (CAM): centralises management for administrators, support personnel, and operators
• Clean Access Agent: optional lightweight client for device-based registry scans in unmanaged environments
• Rule-set Updates: scheduled automatic updates for anti-virus, critical hot-fixes and other applications
Clean Access: Sampling of Pre-Configured Checks
• Cisco Security Agent
• Critical Windows Updates (Windows XP, Windows 2000, Windows 98, Windows ME)
• Anti-Virus Updates
• Anti-Spyware Updates
• Other 3rd Party Checks
Product User Flow Overview
The goal: the end user attempts to access a Web page or uses an optional client; network access is blocked until the wired or wireless end user provides login information.
Components in the flow diagram: Authentication Server, Clean Access Manager, Clean Access Server, Intranet/Network, Quarantine.
1. User is redirected to a login page.
2. Clean Access validates username and password, and also performs device and network scans to assess vulnerabilities on the device.
3a. Device is non-compliant or login is incorrect: user is allowed 30 min limited access to appropriate remediation sites (quarantine).
3b. Device is “clean”: machine gets on the “certified devices list” and is granted access to the network.
Screen Shots (MS Client): login screen; scan is performed (types of checks depend on user role); scan fails; remediate.
Screen Shots (Web browser, non-MS): login screen; scan is performed (types of checks depend on user role/OS); guided self-remediation.
Process Flow: Wireless Access
Role: “Unauthenticated”
Diagram components: WLC 192.168.60.3 (Mgmt VLAN 60) / 192.168.50.2 (User VLAN 50); Auth Server 10.1.1.25; Clean Access Manager 10.1.1.30; Laptop 192.168.50.3; Intranet Server; L3 Switch 192.168.10.1; Clean Access Server 192.168.10.2 (NAC Enforcement Point); Radius Accounting Server 10.1.1.26; DNS Server 10.20.20.20.
• Wireless user connects to the WLC via LWAPP (open authentication).
• Wireless user obtains an IP address from the WLC.
• Wireless user opens a browser and is redirected to download the Clean Access Agent (if they don’t already have it loaded).
Process Flow: Network Admission Control 1
Role: “Unauthenticated”
Diagram components: Auth Server (Radius) 10.1.1.25; Clean Access Manager 10.1.1.30; Laptop 192.168.1.150; Internet Web Server; Clean Access Server 192.168.1.2 (NAC Enforcement Point); Router 192.168.1.1; DNS Server.
• CAS determines that the laptop MAC address is not in the “certified device” list (not logged on recently).
• CAS puts the laptop into the “Unauthenticated” role.
• Laptop gets an IP address from the DHCP server, but cannot get past the CAS acting as an “IP filter”.
• Laptop user opens a browser and is redirected to an SSL-based web login page.
• User enters credentials.
• User is asked to download the Clean Access Agent.
Process Flow: NAC 2
Role: “Temporary”
Diagram components: Auth Server 10.1.1.25; Laptop 192.168.1.150; Clean Access Manager 10.1.1.30; Internet Web Server; Router 192.168.1.1; Clean Access Server 192.168.1.2 (NAC Enforcement Point); DNS Server 10.20.20.20.
• Clean Access Agent performs the posture assessment and forwards the results to the CAS to make the network admission decision.
• CAS forwards the posture report to the CAM.
• CAM determines that the laptop is NOT in compliance and instructs the CAS to put the laptop into the “Temporary” role.
• CAM sends remediation steps to the Clean Access Agent.
Process Flow: NAC 3
Role: “Temporary”
Diagram components: Auth Server 10.1.1.25; Laptop 192.168.1.150; Clean Access Manager 10.1.1.30; Internet Web Server; Clean Access Server 192.168.1.2 (NAC Enforcement Point); Router 192.168.1.1; DNS/DHCP Server 10.20.20.20.
• Clean Access Agent displays the access time remaining in the “Temporary” role for the laptop.
• CCA Agent guides the user step-by-step through remediation.
• Patches can be downloaded from update sites such as https://liveupdate.symantec.com or http://windowsupdate.microsoft.com
• CCA Agent informs the CAS that the laptop has been successfully remediated.
Process Flow: NAC 4
Role: “Clean”
Diagram components: Auth Server 10.1.1.25; Laptop 192.168.1.150; Clean Access Manager 10.1.1.30; Internet Web Server; Router 192.168.1.1; Clean Access Server 192.168.1.2 (NAC Enforcement Point); DNS Server 10.20.20.20.
• CAS puts the MAC address of the laptop into the “Certified Device” list.
• CAS assigns the laptop to the “Clean” role for a 24 hour period.
• Laptop is now allowed complete access to the Internet.
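As an added illustration (not code from the presentation or from Cisco's product), the following Python models the admission logic the four process-flow slides describe: a device not on the certified list starts in the “Unauthenticated” role, a failed posture scan moves it to the 30 min “Temporary” role, a passed scan certifies it and grants the “Clean” role for 24 hours. The required-check lists per user role, the MAC address and the timestamps are constructed sample values.

```python
from dataclasses import dataclass, field

CLEAN_ROLE_TTL = 24 * 3600   # seconds the “Clean” role / certified-list entry is valid (24 h)
TEMP_ROLE_TTL = 30 * 60      # seconds of limited remediation access in the “Temporary” role

# Posture checks required per user role (constructed; real CAM rule sets are far larger)
REQUIRED_CHECKS = {
    "student": ["os_patched", "av_installed", "av_running"],
    "staff": ["os_patched", "av_installed", "av_running", "as_installed"],
}


@dataclass
class NacState:
    certified: dict = field(default_factory=dict)   # MAC -> time added to certified device list
    temp_since: dict = field(default_factory=dict)  # MAC -> time the device entered “Temporary”


def failed_checks(user_role, posture):
    """Return the required checks that the agent's posture report does not satisfy."""
    return [c for c in REQUIRED_CHECKS[user_role] if not posture.get(c, False)]


def admission_decision(state, mac, authenticated, user_role, posture, now):
    """Decide the role for a device; returns (role, list of failed checks)."""
    added = state.certified.get(mac)
    if added is not None and now - added < CLEAN_ROLE_TTL:
        return "Clean", []                 # certified recently: no login or scan needed
    if added is not None:
        del state.certified[mac]           # 24 h elapsed: must log in and be scanned again
    if not authenticated:
        return "Unauthenticated", []       # CAS acts as IP filter; only the login page is reachable
    missing = failed_checks(user_role, posture)
    if missing:
        started = state.temp_since.setdefault(mac, now)
        if now - started >= TEMP_ROLE_TTL:
            state.temp_since.pop(mac)
            return "Unauthenticated", missing   # remediation window used up; back to login
        return "Temporary", missing        # quarantined: only remediation sites reachable
    state.temp_since.pop(mac, None)
    state.certified[mac] = now             # scan passed: add to certified list, grant Clean
    return "Clean", []
```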
WIT Wireless Network
Diagram components: Internet; ASA 5550; L3 6513 Switch; Cisco 4400 Wireless LAN Controller; Aironet 1100 AP; LWAPP encrypted tunnel; AP Network VLAN 216; WLAN Network VLAN 215; Trusted WLAN DMZ (Clean Access Manager, Cisco ACS Server); Untrusted WLAN DMZ (Clean Access Server); Laptop.
WIT Wireless Network Future Developments
• Out-of-band wired access
• Nessus vulnerability scanner http://www.nessus.org/ for Mac OS X, Linux, Solaris and FreeBSD