Efficient and easy-to-use network access control and dynamic VLAN management
Connection to the enterprise LAN is often (too) easy

LAN sockets may be located in open work spaces:
• Open-plan offices
• Meeting rooms
• Hallways and printing corners
• Unlocked wiring closets

(Too) many people may have physical access to LAN ports:
• Employees
• Visitors
• Cleaning staff, electricians, etc.

NOTES:
The enterprise LAN needs to be easy to use and reliable, however:
• Many people (visitors, employees, cleaners, temporary staff) may have physical access to the offices
• Network sockets may be located in “open” work spaces or meeting rooms. Network connections may not be documented
• Mobility requires more flexibility and security
• The number of laptops in companies is growing
• Potentially more than one user per network socket (often there are more ‘hubs’ or small unmanaged switches than expected)
The need for dynamic LAN management

Ethernet cabling is difficult to change and expensive.
• Is cabling documented?
• Does LAN management allow easy segmentation of PCs/devices?
• Can visitors/externals be given LAN access safely and easily?
• Is cabling dynamically used, or are cables reserved per segment?

NOTES:
Current cabling should be dynamically used:
• on the appropriate network
• when needed
• without the need for (expensive) manual intervention or reconfiguration
LAN management should allow easy segmentation of PCs/devices, e.g. printer zone, office zone, lab1, lab2, external zone.
The need for network access control

Enterprises may be faced with the following problems:
• Do we know what is on the LAN? Live inventory?
• How do we authorise or block end devices?
• How do we enforce LAN access security policies?

NOTES:
Access control:
“Foreign” laptops (or desktops, webcams, …) connected to the enterprise LAN represent a potential security risk. Security/access rights should be managed: limit access to devices we know and have some trust in.

Live inventory:
Access control means having an up-to-date inventory of end devices. It may also mean having an inventory of the topology of the LAN (which switches, hubs, routers, end devices etc. are in which rooms), including a cabling plan.
The following questions then arise:
• How can we manage our inventory efficiently, especially if we have many end devices?
• Can we prevent having multiple inventories (one for network access control and one for hardware management / financial accounting)? Can we integrate these inventories?
The need for compliance with security or governance standards

IT Security Management System and IT Governance standards: BS 7799, ISO 17799, ISO 27000, SOX, COBIT, BSI, ITIL

NOTES:
Is compliance with security standards such as an Information Security Management System (ISO 17799) or Sarbanes-Oxley (SOX 404) important for you?
Is compliance with IT management/governance standards (ITIL, etc.) an issue?
NAC can help to:
- limit access to network resources
- provide tracking of what devices were on the network, where and when
- provide a live inventory of devices, and link it to a static inventory
The Solution: NAC

Technology: access is granted based on the MAC address (or 802.1x), and an appropriate virtual LAN is assigned.

NOTES:
HOW IT WORKS:
• The switch detects a new PC and requests authorisation from NAC via the VMPS protocol; NAC checks its database and refuses or grants access based on the MAC address
• 802.1x is supported, with user authentication in the Windows domain or via certificates, and VLAN assignment based on the MAC address
• VMPS mode: only for Cisco switches, but for any kind of network device (PCs, printers, IP phones, webcams, etc.)
NAC can directly replace other VMPS solutions, or manual “port-based MAC lists”, with major improvements in ease of use.
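The decision the notes describe (switch sees a new MAC, the server looks it up and answers with a VLAN, a quarantine VLAN, or a refusal) is shown below as an added Python example. It is not Swisscom NAC's code: the database text is constructed in a simplified form of the Cisco VMPS text-database syntax (`address <mac> vlan-name <vlan>`), and the `quarantine` fallback VLAN and the open/secure handling of unknown addresses are assumptions made for the example. Switches, GUIs and databases write MAC addresses in different separator styles, so the lookup canonicalises them first; a lookup that compares raw strings silently misses known devices.

```python
"""VMPS-style MAC-address lookup and VLAN decision.

Added example, not Swisscom NAC's own code. SAMPLE_DB is a constructed
database in a simplified form of the Cisco VMPS text-database syntax
(`address <mac> vlan-name <vlan>`); the 'quarantine' fallback VLAN and the
open/secure handling of unknown addresses are assumptions for the example.
"""
import re
from typing import Dict, Optional, Tuple

SAMPLE_DB = """\
! constructed example database, not a real site
vmps domain EXAMPLE-CORP
vmps mode open
vmps fallback quarantine
!
vmps-mac-addrs
address 0012.3456.789a vlan-name office
address 00:1A:2B:3C:4D:5E vlan-name printers
address 00-50-56-aa-bb-cc vlan-name lab1
"""

MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical form: 12 lowercase hex digits, whatever separator style the
    switch, the GUI or the database used (aa:bb.., aa-bb.., aabb.ccdd.eeff)."""
    digits = re.sub(r"[:.\-\s]", "", mac).lower()
    if not MAC_HEX.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_db(text: str) -> Dict:
    """Parse the simplified VMPS database into mode, fallback VLAN and a
    MAC -> VLAN map keyed by canonical MAC."""
    db: Dict = {"domain": None, "mode": "open", "fallback": None, "addrs": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank or comment line
        parts = line.split()
        if parts[:2] == ["vmps", "domain"]:
            db["domain"] = parts[2]
        elif parts[:2] == ["vmps", "mode"]:
            db["mode"] = parts[2]  # 'open' or 'secure'
        elif parts[:2] == ["vmps", "fallback"]:
            db["fallback"] = None if parts[2] == "--NONE--" else parts[2]
        elif parts[0] == "address" and "vlan-name" in parts:
            db["addrs"][normalize_mac(parts[1])] = parts[parts.index("vlan-name") + 1]
    return db


def decide(db: Dict, mac: str) -> Tuple[str, Optional[str]]:
    """Answer one 'new device on a dynamic port' query.

    Known MAC                                -> ('allow', its VLAN)
    Unknown, open mode with a fallback VLAN  -> ('quarantine', fallback VLAN)
    Unknown otherwise (secure mode, no fallback) -> ('deny', None)
    """
    vlan = db["addrs"].get(normalize_mac(mac))
    if vlan is not None:
        return ("allow", vlan)
    if db["mode"] == "open" and db["fallback"]:
        return ("quarantine", db["fallback"])
    return ("deny", None)


if __name__ == "__main__":
    db = parse_db(SAMPLE_DB)
    for seen in ("00:12:34:56:78:9A", "0050.56aa.bbcc", "de:ad:be:ef:00:01"):
        print(seen, "->", decide(db, seen))
```

The fallback branch is what the deck later calls “limited to quarantine”: an unknown device gets a VLAN with no access to production resources instead of a dead port, so the helpdesk can still reach it. As the deck itself notes for DMZs, the decision identifies the device only by its MAC address, so for segments where that is not enough the 802.1x path is the one to use.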
Features

• Dynamic (location based) virtual LAN assignment
• LAN port access control
• Automated end-device inventory
• Switch port programming
• Can work with hubs/unmanaged switches
• Friendly user interface

Enterprise features:
• Linking of enterprise information sources: users (AD), devices (MS-SMS), anti-virus, DNS, router tables, static inventory
• Redundancy, load balancing, advanced monitoring and alerting
• Documentation of LAN cabling
• ‘Emergency off’ for disaster response

NOTES:
An SQL database provides scalability, flexibility and easier integration, and allows querying of the live network inventory:
• External databases can be linked in, to integrate into your workflow and processes: user databases (Active Directory, DireX, XML), end-device databases (MS-SMS), MS-WSUS, anti-virus (McAfee), DNS, routers (MAC/IP tables via SNMP), switches (port restarts / detection of unmanaged devices) and customer in-house static inventory databases
• Scanning module to identify operating system version and open ports
• Scanning module to identify devices on unmanaged or ‘static’ switch ports
• “Emergency off” tool for disaster recovery
• Redundancy: 1 master and many slaves allow high availability and load distribution (we come back to this in 3 slides)
Live inventory:
• VMPS-managed devices and unmanaged devices (switches scanned via SNMP): MAC, IP address, hostname
• Operating system & hostname: via nmap scanning
NAC Benefits

• No software needed on end devices
• Allows a more dynamic, efficient LAN/cabling
• Proven technology: in production since 2004
• GUI can be used by the helpdesk; Cisco expertise is not needed
• Extensible: open interfaces, optimal workflow integration
• Open source
• NAC works with (legacy & new) Cisco switches
• More efficient than „manual port-based access“ or VMPS
• Easier to implement than classical 802.1x

NOTES:
• No software is currently needed on end devices
• Open: open standards, open source, open review – integrate NAC more easily into your workflows and existing processes
• NAC works with (even old) Cisco switches (other vendors may be added on request, or as custom developments)
• Customers who already use „manual port-based access“ will save time and gain effectiveness
• A dynamic network allows:
  - better use of available switch ports (efficiency, cost savings)
  - quick configuration of new ports, which can be done by the helpdesk
  - easier switch configuration (ports are dynamic)
  - fewer changes in cabling during re-organisations
• Extensible: add your own modules, or interfaces to your systems, to better integrate NAC into your processes and workflow.
Reducing the Risk of Unauthorised LAN access

NAC offers cost-effective, significant risk reduction without affecting business operations.
NAC will continue to evolve, lowering risk further (e.g. using 802.1x and ‘health checking’) while allowing customers to migrate smoothly.

NOTES:
• 802.1x offers stronger device authentication, but is more complex and requires newer switches. NAC strives to offer the best of both worlds: MAC-address and 802.1x support.
- Currently we can integrate the patch status from Microsoft WSUS and McAfee EPO.
- Long term, our aim is to use standards-based pre- and post-connect security checking, such as TNC (Trusted Network Connect).
Architecture

NOTES: NAC consists of:
• One master server with database and control programs
• Optionally: one or more slave servers for redundancy and load distribution
In a fully integrated environment, NAC requires:
• Syslog messages from switches
• Access to an email server for delivery of alerts
• Access to DNS for discovering the names associated with IP addresses
• Optionally: SNMP read/write access to switches (to restart ports and scan for unmanaged end devices)
• Optionally: SNMP read access to routers (to query MAC/IP tables)
• Optionally: an interface to the enterprise static inventory, user, device, inventory, MS-SMS, MS-WSUS, McAfee EPO, or other database
NAC is remotely configured via a Windows-based GUI, which may be installed on one or more Windows PCs, or via a web-based interface.
Usage scenarios: Where can I use NAC?

NOTES:
NAC is useful where you need efficient cable/port management and/or LAN access control:
• Research and development units: with many subnets, and a need to build dynamic subnets quickly
• Workstation LANs
• Meeting rooms
• Rooms exposed to the public, or to non-company employees
• Large open-floor-plan offices
• During re-organisations, to better track and control network access
Where is NAC not needed? (i.e. dynamic ports are not needed, but automated port scanning/documentation is still useful)
• Physically secured server rooms
• DMZs (for VMPS mode: MAC-based identification is probably not secure enough; however, 802.1x may be interesting)
Summary

Swisscom NAC
• enables LAN access control, live inventory and dynamic VLAN management
• requires no software on clients
• works today in heterogeneous environments
• allows integration into your IT processes/tools via open interfaces.
Appendix: Optional slides

How NAC works
If OK: access to the corporate network. If unknown: access is denied, or limited to quarantine.
How NAC works: VMPS mode

NOTES:
Version 2.1, Summer ‘06:
• nmap scanning modules, OS detection
• Linking to McAfee EPO anti-virus server
• Linking to Microsoft SMS (Systems Management Server)
• Support of virtual machines as clients, and also as NAC servers!
Version 2.2, Mar ‘07:
• LDAP integration into MS Active Directory
• Detection and inventory of other devices on the network that are not actively managed
• Auto-documentation of when ports were last used, with what VLAN, and in which mode
• Automated switch discovery for initial installations
• 802.1x support for wired LANs
Version 3.0, Nov ‘07:
• Configuration of switch ports from the Windows GUI
• Configuration of NAC server options from the Windows GUI
• Automated switch scanning for unmanaged systems
• Microsoft WSUS, McAfee EPO integration
• Complete object-oriented code rewrite, for better reliability, separation of features, and ease of adding new features
Network Authentication with “802.1x”

The “802.1x” standard allows authentication of devices in LAN or wireless networks; using cryptographic techniques, it provides higher security. 802.1x authenticates the user or the device.
• BUT:
  - new switches are usually required
  - vendor interoperability
  - complexity (support, supplicants, certificate management, ..)
  - cost
  - interaction with hubs
NAC includes 802.1x since V2.2.
802.1x and the MAC address can be combined: for example, authenticating the user via domain logon and the device via its MAC address allows a VLAN assignment based on the device identification (MAC address), not on the user name.
Problems With Cisco “VMPS” and “MAC Port” Authentication

If the above products are already in use for limiting LAN access, what are the limitations?
Lack of management features:
• Monitoring
• Alerting
• Ease of use
• GUI
• User & device DB integration
What does the User Interface look like?

NOTES:
This is one view in the Windows GUI from Version 2.1. There are also dedicated web GUIs for specific tasks.

Windows GUI: system details
In blue is the crucial MAC information: the MAC address and the VLAN we assign. In red is information about when and where the end-device was last seen.
Windows GUI: system details
• The nmap scanning module can detect the operating system version and open ports. It can scan one device immediately, or the list of IPs in the NAC database on a scheduled basis.
• If the McAfee EPO module is enabled, the operating system of end devices, as reported by McAfee, and the current anti-virus status can be displayed.
• Beside the anti-virus tab, we also see an “inventory” tab, which is where we link to your in-house static inventory database, if required.
Windows GUI: Switch & Ports

NAC also shows switch/port usage
(table columns: Port, Switch, Patch, PC)

NOTES:
A web GUI that maps switch port usage in the last 24 hours.
We see one device on port 2/13; it is connected via cable X04.012 in room 4.16, where the PC murderdrool is attached, and this PC is assigned to the user ‘ALLGAE’. We also see a printer on port 2/24.
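The 24-hour port usage view above, and the syslog feed the Architecture slide lists as a requirement, can be joined in a few dozen lines. The following is an added Python example, not Swisscom NAC's code: it reads constructed switch syslog lines (the `%LINK-3-UPDOWN` message text is the standard Cisco IOS wording; the switch name, ports, cable sockets, rooms and 2007 timestamps are sample data), records when each port last came up, and joins the ports used in the last 24 hours to the cabling documentation. A port without documentation is reported as such rather than dropped, because an unknown cable is exactly what the deck's “Is cabling documented?” question is about.

```python
"""Switch syslog link events -> 'port last used' table -> 24-hour usage view.

Added example, not Swisscom NAC code. The syslog lines are constructed; the
%LINK-3-UPDOWN message text follows the Cisco IOS format, while the switch
name, ports, cable sockets, rooms and the 2007 timestamps are sample data.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SAMPLE_SYSLOG = """\
Mar  7 08:02:11 sw0303 101: %LINK-3-UPDOWN: Interface FastEthernet2/13, changed state to up
Mar  7 08:02:12 sw0303 102: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/13, changed state to up
Mar  7 08:15:40 sw0303 103: %LINK-3-UPDOWN: Interface FastEthernet2/24, changed state to up
Mar  7 17:31:05 sw0303 104: %LINK-3-UPDOWN: Interface FastEthernet2/13, changed state to down
Mar  5 09:00:00 sw0303 099: %LINK-3-UPDOWN: Interface FastEthernet2/40, changed state to up
Mar  7 09:10:00 sw0303 105: %LINK-3-UPDOWN: Interface FastEthernet2/7, changed state to up
"""

# Constructed cabling documentation: (switch, port) -> (wall socket, room).
# Port 2/7 is deliberately left out to show how an undocumented port is reported.
PATCH_DOC = {
    ("sw0303", "2/13"): ("X04.012", "4.16"),
    ("sw0303", "2/24"): ("X04.020", "4.16"),
    ("sw0303", "2/40"): ("X03.013", "3.16"),
}

SYSLOG_YEAR = 2007                       # BSD syslog timestamps carry no year
REPORT_TIME = datetime(2007, 3, 7, 18, 0)  # 'now' for the sample report

LINK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<switch>\S+) \d+: "
    r"%LINK-3-UPDOWN: Interface (?P<iface>\S+), changed state to (?P<state>up|down)$"
)

Event = Tuple[datetime, str, str, str]   # (time, switch, port, 'up' | 'down')


def parse_link_events(text: str, year: int = SYSLOG_YEAR) -> List[Event]:
    """Keep only %LINK-3-UPDOWN messages; LINEPROTO and other types are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        port = re.sub(r"^[A-Za-z]+", "", m["iface"])   # FastEthernet2/13 -> 2/13
        events.append((ts, m["switch"], port, m["state"]))
    return events


def last_used(events: List[Event]) -> Dict[Tuple[str, str], datetime]:
    """Most recent link-up per (switch, port): when a device was last plugged in."""
    table: Dict[Tuple[str, str], datetime] = {}
    for ts, switch, port, state in events:
        if state == "up" and ts > table.get((switch, port), datetime.min):
            table[(switch, port)] = ts
    return table


def _port_key(item):
    """Natural sort so that 2/7 precedes 2/13 (string order would not)."""
    (switch, port), _ = item
    return (switch, [int(x) for x in port.split("/")])


def usage_map(events: List[Event], now: datetime = REPORT_TIME,
              window: timedelta = timedelta(hours=24)) -> List[Dict]:
    """Ports with a link-up inside the window, joined to the cabling documentation."""
    rows = []
    for (switch, port), ts in sorted(last_used(events).items(), key=_port_key):
        if now - ts > window:
            continue
        cable, room = PATCH_DOC.get((switch, port), ("undocumented", "unknown"))
        rows.append({"switch": switch, "port": port, "cable": cable,
                     "room": room, "last_up": ts})
    return rows


if __name__ == "__main__":
    for row in usage_map(parse_link_events(SAMPLE_SYSLOG)):
        print(f"{row['switch']} {row['port']:>5}  {row['cable']:<12} room {row['room']:<8} "
              f"last up {row['last_up']:%Y-%m-%d %H:%M}")
```

Only link-up events feed the “last used” table; a later link-down does not erase the record, which is what the deck's “auto-documentation of when ports were last used” needs. In production the year would come from the collector's receive time rather than a constant.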
Web GUI: edit mode

What do automated Email Alerts look like?

NOTES:
A new device has been connected to the network (port 2/40 on switch sw0303), but not authorised.
- It was in room 3.16
- on cable socket X 03.013 (this is the name written on the socket in the wall)
- in this room the users Schenker, Wyler and Berger have their offices
- the user TGDSCED1 has been documented as using this cable
The ‘super-users’ defined for this switch are Schädler and Rappo, so they receive the alert, along with the NAC administrators.
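What turns a bare “unknown MAC on port 2/40” event into the alert above is the enrichment and routing step. The Python below is an added example, not Swisscom NAC's code: the room, cable, user and super-user tables and the e-mail addresses are constructed sample data modelled on the fields the alert shows, and it is the lookup chain (port to cable socket to room to users, plus the switch's super-users and the NAC administrators as recipients) that is being demonstrated. A port with no cabling documentation still produces an alert, with the gaps stated explicitly.

```python
"""Turn a 'new, unauthorised device' event into an alert with recipients.

Added example, not Swisscom NAC code. The room/cable/user documentation and
the example.com addresses are constructed sample data modelled on the fields
the slide shows (switch, port, cable socket, room, users, super-users).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed site documentation.
CABLE_BY_PORT = {("sw0303", "2/40"): "X 03.013"}            # switch/port -> wall socket
ROOM_BY_CABLE = {"X 03.013": "3.16"}                         # wall socket -> room
USERS_BY_ROOM = {"3.16": ["Schenker", "Wyler", "Berger"]}    # who has an office there
DOCUMENTED_USER_BY_CABLE = {"X 03.013": "TGDSCED1"}          # who is documented on the cable
SUPER_USERS_BY_SWITCH = {"sw0303": ["schaedler@example.com", "rappo@example.com"]}
NAC_ADMINS = ["nac-admins@example.com", "rappo@example.com"]  # overlap with above on purpose


@dataclass(frozen=True)
class NewDeviceEvent:
    mac: str
    switch: str
    port: str
    authorised: bool


def enrich(event: NewDeviceEvent) -> Dict:
    """Add location context; missing documentation is reported, not hidden."""
    cable = CABLE_BY_PORT.get((event.switch, event.port))
    room = ROOM_BY_CABLE.get(cable) if cable else None
    return {
        "cable": cable or "undocumented",
        "room": room or "unknown",
        "room_users": USERS_BY_ROOM.get(room, []) if room else [],
        "documented_user": DOCUMENTED_USER_BY_CABLE.get(cable) if cable else None,
    }


def recipients(switch: str) -> List[str]:
    """Super-users of the switch first, then the NAC admins, without duplicates."""
    out: List[str] = []
    for addr in SUPER_USERS_BY_SWITCH.get(switch, []) + NAC_ADMINS:
        if addr not in out:
            out.append(addr)
    return out


def build_alert(event: NewDeviceEvent) -> Optional[Dict]:
    """Return {'to', 'subject', 'body'} for an unauthorised device, else None."""
    if event.authorised:
        return None  # authorised connections are inventoried, not alerted
    ctx = enrich(event)
    lines = [
        f"A new device ({event.mac}) has been connected to the network "
        f"(port {event.port} on switch {event.switch}), but not authorised.",
        f"- it was in room {ctx['room']}",
        f"- on cable socket {ctx['cable']}",
    ]
    if ctx["room_users"]:
        lines.append("- in this room the users " + ", ".join(ctx["room_users"])
                     + " have their offices")
    if ctx["documented_user"]:
        lines.append(f"- the user {ctx['documented_user']} has been documented "
                     "as using this cable")
    return {
        "to": recipients(event.switch),
        "subject": f"[NAC] unauthorised device on {event.switch} port {event.port}",
        "body": "\n".join(lines),
    }


if __name__ == "__main__":
    alert = build_alert(NewDeviceEvent("00:11:22:33:44:55", "sw0303", "2/40", False))
    print("To:", ", ".join(alert["to"]))
    print("Subject:", alert["subject"])
    print(alert["body"])
```

Routing to the switch's super-users as well as the central administrators is what makes the alert actionable: the people named in it can walk to room 3.16 and look, which a central team usually cannot.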