
Enabling Authentication & Network Admission Control


Presentation Transcript


  1. Enabling Authentication & Network Admission Control
     Steve Pettit

  2. Great Bay Software Inc.
     Value Statements
     • Provide the critical first step towards NAC/802.1X
     • Dramatically shorten the deployment time for NAC and network-based authentication
     • Provide Trusted Access to non-NAC endpoints
     • Provide data for all network attached endpoints including:
       • Real-time Location and Identity
       • Historical Addressing, Identity, and Location
       • Contextual views of all Enterprise owned assets
     Impact
     • St. John’s Hospital reduced 156 man-weeks of discovery and documentation work to 2 man-weeks

  3. Identifying the problem space
     • The Enterprise LAN is comprised of a myriad of endpoint types
     • Windows typically comprises approximately 50% of wired endpoints
     • Most Enterprise endpoints are undocumented
     • DHCP has enabled endpoints to be added over time without IT involvement
     • Any Access/Admission Control system requires this information
     • Where WLAN is typically 30:1, Wired LAN is 1:3.5
     • Goal: To generate a contextual inventory of all endpoints

  4. Endpoint Profiling
     • Understanding that not all network endpoints can authenticate…
     • All network endpoints must be Profiled and Located prior to deployment
     • The goal is to enable secure network access for non-authenticating devices
     [Figure: Non-NAC vs. NAC endpoints; examples shown: UPS, Phone, Printer]

  5. Sample non-NAC Aliases
     • Turnstiles
     • Time Clocks
     • Vending Machines
     • Parking Gates
     • Doors
     • Firewalls
     • Proxy
     • Refrigerators
     • IP Cameras
     • Servers
     • UNIX stations
     • Alarm Systems
     • RMON Probes
     • Printers
     • Fax Machines
     • ISLs
     • IP Phones
     • Wireless Access Points
     • Managed UPS
     • Hubs
     • MultiCast video displays
     • Kiosks
     • Medical imaging machines
     • Video Conferencing stations
     • HVAC
     • Cash Registers

  6. Applications for Endpoint Profiling
     • Authentication of non-authenticating hosts
     • Network configuration for static access provisioning
     • Monitoring of non-authenticating devices for behavior
     • Addressing audit findings: “do you know what is plugged into your network?”
     • Provide data for all network attached endpoints including:
       • Real-time Location and Identity
       • Historical Addressing, Identity, and Location
       • Contextual views of all Enterprise owned assets

  7. The NAC Management lifecycle
     Lifecycle phases: Deployment, Events Management, Change Control
     • Provide contextual information to security and events management systems
     • Monitor and Manage events & anomalies related to authentication:
       • Shadow Hosts
       • Port Swapping
       • Profile Changing
       • MAC spoofing
     • Provide real-time & historical Identity and Location tracking
     • Enable adds, moves, and changes
     • Dead-ended Ports
     • Discover all endpoints by type and location
     • Model the topology
     • Provision appropriate settings at the system level
     • Liaise with AAA systems for authentication

  8. Endpoint Discovery and Mapping
     • Profile creation - network traffic analysis
     • Port Mirror or Tap visibility into aggregate network traffic - L2-7 rule sets:
       • L2 - MAC - MAC vendor
       • L3 - IP / IP range / TTL fingerprint
       • L4 - port & port ranges
       • L7 rules – User agent, email banner, DHCP decode
     • NetFlow Collection
     • Active Profiling
     • Boolean logic for complex rules:
       • GUI-based for AND
       • XML for AND, OR, NOT
     • Inference-based Profiles
     • Manual or Auto-created via My Network
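The following is an added example, not code from Great Bay Software or its Beacon product, showing how the L2-L7 rule sets from slide 8 and the anomaly monitoring from slide 7 (profile changing, port swapping, MAC spoofing) fit together in a passive profiler. Each rule is a predicate over the attributes a span port, DHCP decode or NetFlow collector can yield (MAC vendor, TTL, DHCP vendor class, user agent, server ports), combined with AND/OR/NOT; an inventory keyed by MAC then flags a MAC whose profile or switch port changes between observations. The OUI table, profile library, `Observation` fields and sample observations are all constructed for illustration.

```python
"""Passive endpoint profiler: L2-L7 predicates, AND/OR/NOT rule combinators and an
identity/location inventory that flags profile changes and port swaps.
Added example; OUI table, rules and observations are constructed, not vendor data."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed OUI -> vendor table (real deployments load the IEEE OUI list).
OUI_VENDORS = {"00:1b:21": "Intel", "00:04:f2": "Polycom",
               "00:1e:0b": "HP", "00:0c:29": "VMware"}


@dataclass
class Observation:
    """Attributes one passive sensor pass can collect for a single endpoint."""
    mac: str
    switch_port: str                       # location (from switch CAM/SNMP)
    ip: Optional[str] = None               # L3
    ttl: Optional[int] = None              # L3 TTL fingerprint
    dhcp_vendor_class: Optional[str] = None  # L7 DHCP option 60 decode
    dhcp_hostname: Optional[str] = None    # L7 DHCP option 12 decode
    user_agent: Optional[str] = None       # L7 HTTP user agent
    open_ports: frozenset = frozenset()    # L4 server ports seen in NetFlow


def vendor(obs: Observation) -> str:
    """L2 rule input: look up the MAC's OUI (first three octets)."""
    return OUI_VENDORS.get(obs.mac[:8].lower(), "unknown")


Rule = Callable[[Observation], bool]

# Boolean combinators (the XML rule language on the slide allows all three).
def AND(*rules: Rule) -> Rule: return lambda o: all(r(o) for r in rules)
def OR(*rules: Rule) -> Rule: return lambda o: any(r(o) for r in rules)
def NOT(rule: Rule) -> Rule: return lambda o: not rule(o)

# Atomic predicates, one per layer.
def mac_vendor(name: str) -> Rule: return lambda o: vendor(o) == name
def ttl_is(value: int) -> Rule: return lambda o: o.ttl == value
def ip_in(prefix: str) -> Rule: return lambda o: o.ip is not None and o.ip.startswith(prefix)
def serves_port(port: int) -> Rule: return lambda o: port in o.open_ports
def dhcp_vendor_contains(s: str) -> Rule:
    return lambda o: o.dhcp_vendor_class is not None and s in o.dhcp_vendor_class
def user_agent_contains(s: str) -> Rule:
    return lambda o: o.user_agent is not None and s in o.user_agent

# Constructed profile library; ordered most specific first, first match wins.
PROFILES: List[Tuple[str, Rule]] = [
    ("IP Phone", AND(mac_vendor("Polycom"), dhcp_vendor_contains("Polycom"))),
    ("Printer", AND(mac_vendor("HP"), OR(serves_port(9100), serves_port(515)),
                    NOT(user_agent_contains("Windows")))),
    ("Windows Workstation", OR(dhcp_vendor_contains("MSFT"),
                               AND(ttl_is(128), user_agent_contains("Windows")))),
    ("Linux/Unix Host", AND(ttl_is(64), NOT(mac_vendor("Polycom")), NOT(mac_vendor("HP")))),
]


def profile(obs: Observation) -> str:
    """Classify one observation; 'Unknown' when no rule matches."""
    for name, rule in PROFILES:
        if rule(obs):
            return name
    return "Unknown"


@dataclass
class Inventory:
    """Identity/location store keyed by MAC; records anomalies as they appear."""
    known: Dict[str, dict] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def observe(self, obs: Observation) -> str:
        current = profile(obs)
        prev = self.known.get(obs.mac)
        if prev is not None:
            if prev["profile"] != current:   # same MAC, different behaviour
                self.alerts.append(f"profile change {obs.mac}: {prev['profile']} -> "
                                   f"{current} (possible MAC spoofing)")
            if prev["port"] != obs.switch_port:  # same MAC, different location
                self.alerts.append(f"port swap {obs.mac}: {prev['port']} -> {obs.switch_port}")
        self.known[obs.mac] = {"profile": current, "port": obs.switch_port, "ip": obs.ip}
        return current


# Constructed observations: four endpoints, then the printer's MAC reappearing
# on another port with Windows DHCP and browser fingerprints.
SAMPLE = [
    Observation("00:04:f2:aa:bb:01", "Gi1/0/5", ip="10.1.20.15", ttl=64,
                dhcp_vendor_class="Polycom-SPIP450"),
    Observation("00:1e:0b:aa:bb:02", "Gi1/0/7", ip="10.1.30.40", ttl=255,
                open_ports=frozenset({9100, 80})),
    Observation("00:1b:21:aa:bb:03", "Gi1/0/9", ip="10.1.10.22", ttl=128,
                dhcp_vendor_class="MSFT 5.0", user_agent="Mozilla/5.0 (Windows NT 6.1)"),
    Observation("00:0c:29:aa:bb:04", "Gi1/0/11", ip="10.1.10.50", ttl=64),
    Observation("00:1e:0b:aa:bb:02", "Gi1/0/20", ip="10.1.30.40", ttl=128,
                dhcp_vendor_class="MSFT 5.0", user_agent="Mozilla/5.0 (Windows NT 10.0)"),
]


def run(observations=SAMPLE):
    """Feed observations through the inventory; return (mac, port, profile) rows and alerts."""
    inv = Inventory()
    rows = [(o.mac, o.switch_port, inv.observe(o)) for o in observations]
    return rows, inv.alerts


if __name__ == "__main__":
    rows, alerts = run()
    for row in rows:
        print(row)
    for alert in alerts:
        print("ALERT:", alert)
```

The rule ordering is the policy decision: a printer that also answers HTTP still profiles as a printer because the more specific rule is evaluated first, and the NOT clause keeps a host that merely borrows a printer's OUI from inheriting the printer's static access rights once it starts presenting a Windows user agent.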

  9. Deployment Models
     [Figure: “Passive vs. Active Profiling”, a spectrum from None to Full visibility into network traffic]
     Profiling attributes shown: Open L4 Ports, Web Server Type, User Agent, MAC Vendor, IP Range, Static IP, Web User Agent, Print Services, Web URL, SMTP Banner, L3/L4 network, DHCP vendor, DHCP Options, TTL profiling, DHCP Client Host Name, ARP decode, NetFlow (L3/4 traffic)
     Axis: None ----- Visibility Into Network Traffic ----- Full

  10. Use Cases for Beacon
     • Provide NAC for the other 50% of the Enterprise
     • Monitoring and authorization of Non-Windows devices
     • Enable the deployment of network-based authentication
     • Alleviate the manual discovery process
     • Complement/liaise with the AAA system:
       • EAP
       • MAC-auth
       • EAPoX
     • Provide Contextual information to aggregate systems:
       • MARS
       • IDS/IPS
       • Asset Systems

  11. Integration Points with Cisco
     NAC Appliance
     • Manage NRH list
     • Provision MAC/Role
     • Port/VLAN admin
     • NAC for non-CCA endpoints
     NAC Framework
     • Manage NRH list
     • Port/VLAN admin
     • Liaise with ACS via LDAP
     • NAC for non-CTA endpoints
     • Integration protocols:
       • Web API
       • LDAP
       • SNMP
       • Syslog
       • GAME (future)
     MARS
     • Contextual Event information
     • Historical reference

  12. Summary
     • Reduces 156 man-weeks of work to 2 weeks
     • Automated discovery and system-level provisioning
     • Ongoing monitoring of non-NAC endpoints
     • Flexible Deployment model
