Network Access Control
for Mobile Networks
Table of Contents
Network access initiatives – the candidates
Posture-based access control
Cisco network access control
Microsoft NAP
Juniper UAC
In-line traffic inspection approaches
Establishing identity-based access control
The power of identity-based security in mobile networks
The threat of an infected device gaining access to a healthy enterprise network is becoming a significant concern. The focus has been on securing the network perimeter, which leaves the network vulnerable to attacks that originate within the security perimeter. This threat is exacerbated by the growth in popularity of mobile devices such as laptops, PDAs and SmartPhones that more easily move between public and private networks. The use of these mobile devices in insecure public networks such as wireless hotspots and municipal Wi-Fi networks exposes these devices to various kinds of viruses, worms and other malicious software. When these devices re-enter the enterprise network, the lack of any security mechanism in the traditional enterprise network architecture leaves the network vulnerable to attacks from malware.
Various vendors – big and small – have recognized the need to create solutions that address this important issue. Since any re-architecture of the enterprise network is a significant undertaking, most approaches focus on an overlay solution in the short term, providing a migration path to a comprehensive network-wide security architecture. The types of solutions are beginning to converge, with operating system and anti-virus vendors emerging as the most capable for establishing client health and network vendors for using the results to enforce identity-based security. Various approaches have been proposed, many requiring changes to the network, the end-point and other elements.
The figure below illustrates the various points in a typical enterprise network that these approaches target. The final solution will often be a combination of parts of all these solutions. However, it is important to note that networks are changing to solve this problem, as is the role of network elements.
Figure 1. Various approaches of protecting networks (diagram labels: Approach 1: Client security software; Network-based access control with user authentication; Approach 3: Inline traffic inspection and intrusion/anomaly detection; Approach 4: Protect selected/sensitive areas of network; Data Center)
Network access initiatives – the candidates
While it is unanimously agreed that network access control is a problem, opinions differ about how to address it. Broadly speaking, the solutions are categorized as follows:
Posture checking: Solutions in this category aim to verify the posture, or state, of the host before allowing the appropriate level of access to the network. To verify posture, such systems typically verify user identity and the health of the machine (whether it is infected by a virus or other malware). Such systems may also check whether the host has current versions of anti-malware software (anti-virus software, host firewalls, etc.). There are a variety of solutions within this category that vary in the following ways:
• Number and types of items used to establish posture
- A primary differentiator here is OS based or “clientless” systems vs. those requiring the temporary or permanent installation of additional client software to assess posture
• Method used to convey the posture from the client to the network
• Method used to “quarantine” or protect the network (and other hosts) from non-compliant hosts
In-line packet inspection: In this category, an in-line network device (usually a switch or an appliance) is used to inspect all traffic for known malware signatures and/or anomalies. Solutions within this category differ in the following ways:
• Position of the device or appliance that inspects the traffic
• Percentage of the total traffic that is inspected
• The inspection algorithms applied to relevant traffic
When examined more closely, it becomes clear that the approaches can be complementary if implemented correctly. This paper will attempt to clarify how the different approaches diverge and to identify the simplest and most secure way to implement an effective access control solution.
Posture-based access control
All solutions in this category are based on the concept that a host must be checked for “posture” prior to gaining network access. This process validates a host against an established corporate policy to determine compliance. The result of the posture check helps determine the level of network access permitted to the host. In reality, the above description is an over-simplification. Defining the “posture” of a client is more complex and requires user identity and the “health state” of the client. The exact definition of “health state” varies in different environments. The following are examples of some common attributes that make up the health state of a client:
• Anti-malware software installed and active on the client and the version of this software is current
• Presence of any malware on the client
• Network interfaces enabled and/or active
Some of the solutions that fit into this category are Cisco NAC (both 802.1x-based and Cisco Clean Access-based), Microsoft NAP, and Juniper UAC (Universal Access Controller). Solutions in this category differ in several important ways. For instance, each solution may be unique in the method it uses to:
• Authenticate the user
• Determine the posture of the client
• Convey the posture to a server that compares the client’s posture to configured policies
It’s useful to examine each initiative in more detail and compare them across the dimensions mentioned above. Major initiatives in this category include:
• Cisco Network Access Control
• Microsoft NAP
• Juniper UAC
Some initiatives are based on a combination of posture and user identity. These include:
• 802.1x-based solutions
• IPSec-based solutions
• “Clientless” Solutions
The primary difference tends to be OS based integration (“clientless”) vs. using a downloadable software client. While the process of establishing client posture is an important one, this is a natural area for OS and antivirus software vendors and is expected to mature quickly. A process that needs to be considered even more heavily is that of enforcing the authentication decision in a mobile network. Proper enforcement by the network is the difference between simple Posture-based Access Control and more flexible and secure Identity-based Access Control, where detailed client based information such as user role and application usage are tightly coupled with posture results to determine appropriate access privileges.
Cisco network access control
Cisco Network Access Control is a posture-based Access Control solution from Cisco that involves a variety of products and solutions. It should be noted that Cisco NAC is effectively a closed solution that may introduce interoperability issues with third-party software and networking equipment. Cisco offers two solutions that are most pertinent to the discussion in this paper: an 802.1x-based solution and the Clean Access solution.
Cisco 802.1x framework for network access control
In this mode, the authentication mechanism is 802.1x. Because authentication occurs at Layer 2, this approach is inherently more secure than the web-based authentication used in Cisco Clean Access. Since 802.1x already is widely used in wireless, it is likely that this will become the more common of the two solutions.
The main elements in this solution are:
• Cisco Trust Agent (CTA)
• 802.1x Supplicant
• 802.1x authenticator
• ACS Radius server
• Cisco Policy Server
• Third-party client software and Policy Servers (optional)
The sequence of events when the client attempts to access the network is:
1. Since the port and client are both configured for 802.1x authentication, the port is logically “shut down” until the client successfully authenticates.
2. The Cisco Trust Agent collects all health information from the Cisco Security Agent and/or the various third-party plug-ins such as anti-virus software (McAfee, Symantec, etc.).
3. Using the Extensible Authentication Protocol (EAP) exchange during 802.1x, the CTA provides this information to the Cisco Access Control Server (ACS).
4. Cisco ACS passes this information to the Cisco Policy Server which, in turn, passes information to third-party policy servers when needed.
5. Depending on the result of the evaluation by the Cisco Policy Server (and the third-party policy servers), the Cisco ACS either returns a Radius Accept with the default VLAN or returns a Radius Accept with a quarantine VLAN. This can be achieved through the use of any of the standard Radius attributes. It should be noted that more secure alternatives for enforcement exist if using a wireless overlay from Aruba Networks, a WLAN and wireless security vendor. When 802.1x-based network access control is used with the network access control capabilities from Aruba Networks, the procedure outlined above can be modified based on the more flexible and secure concept of user roles.
As an example, the Radius attribute “Tunnel-Pvt-Group-Id” can be used to return the user role – quarantine or employee.
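To make the sequence concrete, here is an added Python model (not Cisco's code and not part of this paper) of steps 2 through 5: posture attributes are evaluated against a policy, combined with the authentication result, and returned as a RADIUS reply that carries the role in Tunnel-Private-Group-ID. The posture attributes, thresholds and role names are constructed assumptions; the attribute numbers are the standard RFC 2868 tunnel attributes.

```python
from dataclasses import dataclass
from typing import List, Optional

# Standard RADIUS tunnel attributes (RFC 2868) used to return a VLAN or role.
TUNNEL_TYPE = 64               # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # value 6 = IEEE 802
TUNNEL_PRIVATE_GROUP_ID = 81   # VLAN name/number, or a role name on a role-aware edge


@dataclass
class Posture:
    """Health state reported by the client agent (constructed attribute set)."""
    av_installed: bool
    av_signature_age_days: int
    malware_detected: bool
    host_firewall_enabled: bool


@dataclass
class Policy:
    """Corporate compliance policy the policy server checks the posture against."""
    max_signature_age_days: int = 7
    require_host_firewall: bool = True


def evaluate_posture(posture: Posture, policy: Policy) -> List[str]:
    """Return the policy violations found; an empty list means compliant."""
    violations = []
    if not posture.av_installed:
        violations.append("anti-malware software not installed")
    elif posture.av_signature_age_days > policy.max_signature_age_days:
        violations.append("anti-malware signatures out of date")
    if posture.malware_detected:
        violations.append("malware present on host")
    if policy.require_host_firewall and not posture.host_firewall_enabled:
        violations.append("host firewall disabled")
    return violations


def assign_role(user_authenticated: bool, violations: List[str]) -> Optional[str]:
    """Combine identity and posture into a role; None means Access-Reject."""
    if not user_authenticated:
        return None
    return "quarantine" if violations else "employee"


def radius_reply(role: Optional[str]) -> dict:
    """Build the reply the ACS returns to the 802.1x authenticator."""
    if role is None:
        return {"code": "Access-Reject", "attributes": {}}
    return {
        "code": "Access-Accept",
        "attributes": {
            TUNNEL_TYPE: 13,
            TUNNEL_MEDIUM_TYPE: 6,
            TUNNEL_PRIVATE_GROUP_ID: role,
        },
    }


def decide(posture: Posture, user_authenticated: bool = True,
           policy: Optional[Policy] = None) -> dict:
    """Steps 2-5 of the sequence: evaluate posture, pick the role, build the reply."""
    violations = evaluate_posture(posture, policy or Policy())
    reply = radius_reply(assign_role(user_authenticated, violations))
    reply["violations"] = violations   # returned so the client can remediate
    return reply


if __name__ == "__main__":
    print(decide(Posture(True, 1, False, True)))    # employee role
    print(decide(Posture(True, 30, False, True)))   # quarantine: stale signatures
```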
Figure 2. Cisco NAC Framework
Cisco clean access
Cisco Clean Access is the solution that Cisco acquired from Perfigo in 2004. This solution uses a dedicated appliance to provide the capability to authenticate users by utilizing a web browser (similar to the many
vendors’ captive portal solutions) to evaluate host compliance with security policies and regulate access to the network for the hosts accordingly. There are three main components to this solution:
1. Cisco Clean Access Server (CAS): This is the appliance that acts as the authenticator using the browser-based authentication mechanism.
2. Cisco Clean Access Agent (CAA): This agent is downloaded to the client machine attempting to access the network to evaluate the health and integrity of the host.
3. Cisco Clean Access Manager (CAM): This is the out-of-band management server where security policies are configured.
There are two deployment modes for Cisco Clean Access: in-band and out-of-band. The in-band deployment has the following process flow:
1. Client attempts to access the network
2. CAS detects that the MAC address is not in the “approved” list
3. CAS redirects the HTTP request to a login page (similar to a captive portal)
(Figure 2 diagram labels: Switch/802.1x authenticator; 802.1x Start; EAP over 802.1x; EAP over Radius; Radius Accept (with quarantine attribute)/Reject; Posture information to policy server; Convey result to ACS; Cisco ACS; Third party policy server; CTA)
4. Employee enters credentials; CAS authenticates the user through the authentication server
5. Once the CAS identifies the user as an “employee,” the employee is forced to download the CAA
6. CAA evaluates the posture of the host and forwards the result to the CAS
7. CAS forwards the report to the CAM. If the CAM reports that the client is not in compliance, the CAS places the user in a quarantine VLAN/subnet.
8. The CAS sends the remediation steps to the CAA.
Since this deployment does not have any non-standard support requirements from the network infrastructure and is vendor-agnostic, this mode of deployment is supported on most network infrastructures, including an Aruba mobile network. Note that this is also the only mode that is supported on the Cisco wireless infrastructure. The out-of-band deployment model requires support for communication between the switch and the Cisco CAM. This is supported only on selected Cisco wired switches. The current documented list is: Cisco Catalyst 2950, 3550, 3560, 3750, 4500, and 6500 switches.
Microsoft NAP
Microsoft has launched the Network Access Protection (NAP) initiative with the Vista and Longhorn versions of the company’s Windows operating system for hosts and servers, respectively. As the developer of the client OS, Microsoft is in a very good position to develop a strong posture-based solution. While the basic concept of NAP is similar to the Cisco NAC initiative, the approach and the underlying technologies are significantly different. The Microsoft NAP initiative is an open solution, comprised of techniques based on 802.1x, IPSec and Dynamic Host Configuration Protocol (DHCP). NAP is based on a framework that will accommodate additional enforcement options as well.
802.1x-based approach
This approach is similar to that used in the Cisco 802.1x-based framework. The fundamental difference between the two solutions relates to the endpoint software. With Microsoft, the endpoint software is inherently coupled with the operating system and therefore does not require the installation and management of an additional piece of software such as the Cisco Trust Agent. This approach provides a significant capital and operational cost advantage for Microsoft customers who are looking to create an 802.1x-based framework for Network Access Control.
The main components in the 802.1x-based Microsoft NAP approach are:
1. 802.1x supplicant + Posture Validating software (included in the Windows Vista client)
2. Network switches supporting 802.1x
3. Microsoft NPS (Network Policy Server)
4. Third-party Health Servers (optional)
IPSec-based approach
In the IPSec-based approach, the network is split into three zones: secure, boundary and restricted. By default, a computer is in the restricted zone. On entering the network, the computer sets up an HTTPS channel with the Health Certificate Server (HCS) and uses this channel to convey its user credentials and posture (called Statements of Health) to the HCS which, in turn, passes these to the Radius server and the Policy Server, respectively. If the result of these checks is a success, the computer obtains a Health Certificate. This certificate is used to authenticate the computer when initiating communication with devices/computers in the secure zone. If the checks fail, the computer is placed in the Restricted Network. The boundary network typically consists of remediation servers. Computers that are in the restricted network can access these servers without requiring a certificate – a capability usually used to download software/patches that bring the client into compliance with policies. This approach is represented in a logical diagram below.
Figure 3. IPSec based NAP (diagram labels: Secure Network; Boundary Network)
DHCP-based approach
The DHCP approach uses the same basic concepts as the 802.1x approach. It is primarily implemented in circumstances where using 802.1x is not feasible, typically either because 802.1x is not supported at the network switch or because it is too costly to upgrade to 802.1x across the network. While EAP is the protocol used to convey the health of the device in an 802.1x-based approach, this approach uses DHCP to convey that information.
Juniper UAC
Juniper’s Unified Access Control (UAC) solution is based on the Trusted Computing Group (TCG) Trusted Network Connect (TNC) architecture. TCG intends to create a standards-based set of APIs for NAC components. While most NAC solutions loosely follow the TCG model, Juniper has taken a more active role in adopting and promoting it. The basic model is similar to the others in that there is posture assessment, using Integrity Measurement Collectors (IMCs), which provide health-related information to a server that evaluates this data against Integrity Measurement Verifiers (IMVs), which then determine how policy enforcement is carried out. One of the primary issues with TCG-TNC today is industry adoption. Almost no one else has demonstrated conformance with the standard, which makes gaining market acceptance a risky uphill battle.
In-line traffic inspection approaches
A fundamentally different approach to protecting the network from malware is to use network elements (usually switches and network appliances) to inspect traffic to detect anomalies and signatures. Because in-line inspection and posture-based access control differ in their technique, they will often be deployed in parallel to ensure the ongoing health and security of a network.
The different methods used to detect malware usually fall into one of two categories: signature detection and anomaly detection. Signature detection will detect known attacks by looking at network traffic for established patterns. The obvious flaw in this approach is the inability to detect zero-day attacks that are new, or attacks that self-modify as they propagate. Anomaly detection should be used in addition to signature detection to recognize attacks that don’t have an existing signature. Anomaly detection looks for deviations from baseline network behavior and intelligently predicts which deviations are attacks requiring mitigation.
One of the major disadvantages of in-line traffic inspection is that the device inspecting the traffic can be the bottleneck and therefore fail to meet the performance requirements of network applications. Different deployment models have been proposed to overcome this problem. The most common workaround is to move the inspecting device out of the data path by re-directing traffic from a switch using port mirroring capabilities or by configuring a device to do policy-based routing of specific “vulnerable” applications to the inspecting device. Among the vendors providing a solution in this category are Consentry and FireEye.
Establishing identity-based access control
As discussed above, there are a variety of solutions for providing Posture-based Access Control; however, one requirement that remains consistently important across all solutions is to deploy a sophisticated enforcement technique that supports Identity-based Access Control. In order to achieve this, a good enforcement technique should have the following characteristics:
1. Close proximity to the edge of the network. This is required for enforcement to be truly effective.
2. Firewall role-based enforcement. VLANs should not be used as a security mechanism and should not be the sole mechanism for protecting networks.
3. Simple to manage. Any solution that increases the operational expenses of the network effectively becomes an un-deployable solution.
The best enforcement solutions are characterized by uniform policy-based access control across all entry points on a network. Policy enforcement should not be based on a static point of entry. The network elements that best satisfy these requirements typically integrate authentication and firewall functionality. That approach helps ensure that the network element can enforce the policy based on both the user credential and the health state/posture of the client.
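As an added illustration (not from this paper or from any vendor's product), the following Python models the role-based firewall enforcement described above: each access decision is keyed on the authenticated user's role at the edge, not on the VLAN the host sits in, and a source with no authenticated session is denied regardless of VLAN. The roles, address plan and rule set are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    dst: ipaddress.IPv4Network        # destination network the rule covers
    ports: Optional[Set[int]] = None  # None matches any port


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed address plan for the example.
REMEDIATION = net("10.0.9.0/24")   # patch and signature-update servers
CORP = net("10.0.0.0/8")           # all internal resources
ANY = net("0.0.0.0/0")

# One policy per role. The role comes from authentication plus posture, not
# from the VLAN or port the host is attached to, so it applies at every entry
# point (WLAN, wired, VPN) in the same way.
ROLE_POLICY: Dict[str, List[Rule]] = {
    "employee":   [Rule("permit", CORP), Rule("permit", ANY, {80, 443})],
    "guest":      [Rule("deny", CORP), Rule("permit", ANY, {80, 443})],
    "quarantine": [Rule("permit", REMEDIATION, {80, 443}), Rule("deny", ANY)],
}


@dataclass
class Session:
    """An authenticated user known to the edge firewall, keyed by source IP."""
    user: str
    role: str
    vlan: int   # kept for troubleshooting only; never consulted by the policy


def evaluate_role(role: str, dst: str, port: int) -> str:
    """First-match evaluation of the role's rules, with an implicit final deny."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in ROLE_POLICY.get(role, []):
        if dst_ip in rule.dst and (rule.ports is None or port in rule.ports):
            return rule.action
    return "deny"


def enforce(sessions: Dict[str, Session], src: str, dst: str,
            port: int) -> Tuple[str, str]:
    """Identity-based enforcement: decide by who the source address belongs to.

    Returns (action, reason). Traffic from an address with no authenticated
    session is dropped even if it is on an "internal" VLAN.
    """
    session = sessions.get(src)
    if session is None:
        return "deny", "no authenticated session for source"
    return evaluate_role(session.role, dst, port), f"{session.user}:{session.role}"


if __name__ == "__main__":
    # Two hosts on the same VLAN with different roles get different access.
    table = {
        "10.20.0.11": Session("alice", "employee", vlan=20),
        "10.20.0.12": Session("bob", "quarantine", vlan=20),
    }
    print(enforce(table, "10.20.0.11", "10.1.2.3", 445))  # ('permit', 'alice:employee')
    print(enforce(table, "10.20.0.12", "10.1.2.3", 445))  # ('deny', 'bob:quarantine')
    print(enforce(table, "10.20.0.12", "10.0.9.5", 443))  # ('permit', 'bob:quarantine')
    print(enforce(table, "10.20.0.13", "10.0.9.5", 443))  # ('deny', 'no authenticated session for source')
```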
The power of identity-based security in mobile networks
An interesting trend in enterprise networks is the consolidation of requirements for mobility and security. While the growth of wireless and remote access technologies is driving the requirement for greater mobility, the same technologies also are triggering a surge in the number of network vulnerabilities. This situation forces network designers and administrators to consider mobility and security requirements together, rather than treating them separately. This has created the need to establish an overlay architecture that enables mobility over existing network infrastructures. An overlay infrastructure provides a framework to support any of the network access control solutions outlined in this whitepaper, including posture-based solutions and solutions based on in-line packet inspection. Solutions such as the Aruba Networks Mobile Edge provide an integrated user-based stateful firewall that ensures flexible and secure enforcement of NAC policies.
An effective mobility overlay solution should have the following characteristics:
• Role- and User-based policy enforcement capabilities on the mobile edge of the network
• The ability to interoperate with any of the network access control solutions outlined in this white paper
• Centralized management and troubleshooting capabilities to provide a reasonable operational expense model
• The ability to differentiate between classes of users (such as employee, guest, quarantined, infected, etc.), rather than depending on VLANs for security
Figure 4 illustrates the various points of entry (and therefore the required points of enforcement) in a mobile network. This is, in fact, a simplified version of what exists in most large-scale enterprise networks. Such networks are comprised of multiple WLAN mobility controllers located on a single campus and sometimes also in branch offices, which are usually managed separately. Typically, such networks also have individually managed firewalls at each location and a large number of access switches. The cost of managing and updating security policy across all these access mechanisms is a major barrier to the implementation of most of the access control techniques discussed previously in this white paper.
Figure 4. Disparate solutions (often from single vendors) lead to separately managed enforcement solutions (diagram labels: Headquarters; Branch/Home Office; VPN; Authentication server; Points of network access control/policy enforcement)
There is a much better way to implement mobility with NAC.
Figure 5 illustrates a non-disruptive solution that creates a mobility overlay on the existing wired infrastructure. This solution provides access control and policy enforcement across various access mechanisms without incurring the incremental cost of managing each of these individually. Policies for enforcement are configured and managed centrally using a global security construct such as roles and policies, rather than local constructs such as VLANs. Note that this approach toward policy enforcement provides a way to enforce any (and, if required, a combination) of the NAC approaches from different vendors discussed above.
Figure 5. Using an overlay mobility architecture to provide global policy enforcement
Network access control initiatives are a necessity for enterprise networks today to ensure that infected devices don’t gain access to healthy networks. A variety of solutions are available, the best of which use a combination of tactics to provide defense-in-depth to the network. OS and antivirus vendors are likely to be the natural choice for determining posture, not networking vendors. However, to achieve secure Identity-based Access Control in mobile networks, enforcement technique by the networking vendor is arguably just as important as the posture evaluation technique.
When designing a network access control initiative, it is important to consider interoperability with network infrastructure and mobility solutions. NAC initiatives place critical requirements on the devices that constitute the mobile edge, and the mobile infrastructure’s ability to support these requirements directly determines a NAC solution’s effectiveness. Even a complete NAC solution based on the ideal combination of components can be undermined if the mobility infrastructure uses an unsophisticated enforcement solution.
(Figure 5 diagram labels: Headquarters; Branch/Home Office; Mobility controller overlay; Centrally managed global policy enforcement)
As it relates to mobile networks, a NAC implementation is typically best deployed as a non-disruptive solution that creates a mobility overlay on the existing wired infrastructure. This solution is especially compelling as it provides powerful global policy enforcement with centralized management.
© 2013 Aruba Networks, Inc. Aruba Networks’ trademarks include AirWave®, Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect®, and Green Island®. All rights reserved. All other trademarks are the property of their respective
1344 Crossman Avenue. Sunnyvale, CA 94089
1-866-55-ARUBA | Tel. +1 408.227.4500 | Fax. +1 408.227.4550 | email@example.com www.arubanetworks.com
About Aruba Networks, Inc.
Aruba Networks is a leading provider of next-generation network access solutions for the mobile enterprise. The company’s Mobile Virtual Enterprise (MOVE) architecture unifies wired and wireless network infrastructures into one seamless access solution for corporate headquarters, mobile business professionals, remote workers and guests. This unified approach to access networks enables IT organizations and users to securely address the Bring Your Own Device (BYOD) phenomenon, dramatically improving productivity and lowering capital and operational costs. Listed on the NASDAQ and Russell 2000® Index, Aruba is based in Sunnyvale, California, and has operations throughout the Americas, Europe, Middle East, Africa and Asia Pacific regions. To learn more, visit Aruba at
http://www.arubanetworks.com. For real-time news updates follow Aruba on Twitter and Facebook, and for the latest technical discussions on mobility and Aruba products visit Airheads Social at http://community.