Enterasys Network Access Control

Date post: 27-Mar-2022
Page 1: Enterasys Network Access Control - Main page

“There is nothing more important than our customers”

Enterasys Network Access Control

ČIMIB conference, 11.2, Prague

Page 2

© 2008 Enterasys Networks, Inc. All rights reserved. Confidential

What is NAC?

• A user-focused technology that:

- Authorizes a user or device (PC, phone, printer) and

- Permits access to resources based on the authenticated identity of the user (and/or device), the security posture of the device, and the location and time of the connection

- These criteria are checked in the so-called Pre-Connect Assessment (aka Health Check), i.e. before the end system is admitted to the infrastructure

- Because posture can change after admission, regular re-checks should be conducted during normal operation as part of the Post-Connect Assessment

Page 3

NAC – Why care?

Corporate & regulatory compliance: Can I enforce these regulations prior to granting network access? Do I have reporting and auditing tools to verify compliance?

Network usage: Who is using the network infrastructure? Are these users authorized? Does access correspond to organizational role?

Workstation security: Does the system have up-to-date OS patches? Does every system conform to corporate security standards?

Guest users: Does a guest system contain threats? Can I limit access for guest users?

Non-workstation end systems: Is this device what it claims to be? Can I assess its security posture? Can I locate rogue access points, hijacked print servers etc.?

Page 4

NAC – continuous business protection

• Ensures health and compliance prior to allowing network access

- Agent-based and network-based assessment

• Provides appropriate access (to assets and QoS) based on organizational role

- Policy or VLAN assignment options

• Supports guest access, sponsored access and end system / user tracking

- Tracks user name, IP, MAC, location, etc.

• Ensures continuing health and compliance after connection

- Continuous monitoring with IDS, NBAD, SIEM

• Automatically contains detected threats

Page 5

NAC Business Drivers/Trends

A leading sales “door opener”, big hype!

Drivers: Compelling!

• Compliance

• Security/risk mitigation

• Guest access

Trends: Confusion!

1. Trusted Network Connect (TNC) from the Trusted Computing Group (TCG)

2. Cisco Network Admission Control (C-NAC)

3. Microsoft Network Access Protection (MS-NAP)

4. IETF NEA (Internet Engineering Task Force – Network Endpoint Assessment)

Page 6

Policy Enforcement Options

[Diagram: out-of-band enforcement flow. Components: User – Client System – Access Device – Network Infrastructure – NAC Gateway (proxy RADIUS, out of band) – RADIUS Server / Directory, with NetSight™ Policy Manager / NAC Manager. Steps: 1. Policy role creation (1.1 VLAN creation on 3rd-party switches); 2. NAC Gateway configuration; 3. Access request; 4. Scan/authentication request; 5. Threat assessment; 6. Policy assignment. A second graphic shows a kernel syscall table (sys_open(), ...) below userland, captioned “New security layer in the core”.]

• Switch-based (with a true out-of-band appliance): the best solution for NAC in a LAN is access switches that support 802.1X authentication and policies

• Inline appliance: achieves a faster implementation of a NAC solution and is often a transition step towards switch-based NAC. The existing access switches continue to be used, so in very heterogeneous environments that may contain “older” switches this is a very good option

• Out-of-band appliance: this method initially appears very attractive, but it has its difficulties, particularly in the following areas:

- Recognition of new end systems

- Reconfiguration of access switches for assessment and quarantine

- Granularity of assessment and quarantine

- Scalability

• Software-based: enforcement at the agent level permits very precise control in quarantine cases. These solutions can easily be combined with network-based solutions

• DHCP-based and IPsec-based enforcement
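As an added example (not Enterasys code and not taken from the slides), the “policy or VLAN assignment” choice from page 4, which is step 6 of the flow above, can be shown at the wire level: the out-of-band NAC Gateway, acting as RADIUS proxy, encodes the chosen role either as a Filter-Id for a policy-capable switch or as the RFC 3580 tunnel attributes for a switch that only understands VLANs. The attribute numbers and the VLAN / IEEE-802 values come from RFC 2865, RFC 2868 and RFC 3580; the `Enterasys:version=1:policy=<role>` Filter-Id syntax and the role-to-VLAN map are assumptions made for this example.

```python
"""Policy vs. VLAN assignment in a RADIUS Access-Accept.

Added example, not Enterasys code. A NAC gateway proxying RADIUS decides the
role and then has to express it in whatever the access switch understands:
a policy-capable switch takes a Filter-Id naming the policy role, an RFC 3580
switch takes three tunnel attributes carrying a VLAN ID. The Filter-Id string
format and ROLE_TO_VLAN are assumptions made for this example.
"""
import struct

# RADIUS attribute types (RFC 2865 / RFC 2868).
FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13        # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 3580 section 3.31

# Assumed mapping for switches that can only act on VLANs.
ROLE_TO_VLAN = {"Enterprise User": 100, "Guest": 200, "Quarantine": 666}


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; Length counts the header."""
    if not 0 < len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(value: int, tag: int = 0) -> bytes:
    """Tagged integer: one tag octet followed by a 3-octet value (RFC 2868)."""
    return bytes([tag]) + value.to_bytes(3, "big")


def policy_assignment(role: str) -> bytes:
    # Assumed Filter-Id syntax; the switch maps the policy name to rules it holds locally.
    return avp(FILTER_ID, f"Enterasys:version=1:policy={role}".encode())


def vlan_assignment(vlan_id: int, tag: int = 0) -> bytes:
    """The RFC 3580 triple: Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, group ID = VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return (avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN, tag))
            + avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802, tag))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def assignment_for(switch_kind: str, role: str) -> bytes:
    """Pick the encoding the access device can actually act on."""
    if switch_kind == "policy":
        return policy_assignment(role)
    if switch_kind == "rfc3580":
        return vlan_assignment(ROLE_TO_VLAN[role])
    raise ValueError(f"unknown switch kind {switch_kind!r}")


def parse_attributes(data: bytes) -> list:
    """Walk a TLV list; reject truncated or zero-length attributes instead of looping."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def decode_assignment(data: bytes) -> dict:
    """What a switch takes away from the reply: a policy name and/or a VLAN ID."""
    out, tunnel_type, medium, group = {}, None, None, None
    for attr_type, value in parse_attributes(data):
        if attr_type == FILTER_ID:
            text = value.decode()
            out["policy"] = text.split("policy=", 1)[1] if "policy=" in text else text
        elif attr_type == TUNNEL_TYPE:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is not a tag but part of the string.
            group = value[1:] if value[0] <= 0x1F else value
    if group is not None:
        if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
            raise ValueError("Tunnel-Private-Group-ID without VLAN/IEEE-802 tunnel attributes")
        out["vlan"] = int(group.decode())
    return out


if __name__ == "__main__":
    for kind in ("policy", "rfc3580"):
        reply = assignment_for(kind, "Quarantine")
        print(kind, reply.hex(), decode_assignment(reply))
```

The decoder is deliberately strict: a Tunnel-Private-Group-ID that is not accompanied by Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802 is rejected, and a first octet above 0x1F is treated as string data rather than a tag, which is where hand-rolled parsers usually go wrong. Send the Filter-Id form only to switches that will act on it; a switch that only implements RFC 3580 typically ignores an unknown Filter-Id and leaves the port in its default VLAN, which is an open port, not a quarantined one.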

Page 7

NAC – take End System Diversity into account

[Chart: number of end systems by type, 2000–2008, y-axis 0–40000. Legend: Production Systems, RFID Inventory, Security Video, Building Control, Multi-Modal Devices, IP Phones, Office Productivity, Conferencing, Server, PC Desktop, Laptop.]

Page 8

Example

[Diagram: a Policy Enforcement Point (PEP) doing 802.1X, MAC and Web authentication, backed by RADIUS / ADS, with “Important assets” and “Free for all (Internet)” behind it. Cast and captions:]

- Enterprise user (802.1X): “I need to access our assets”

- Guest user: “May I use your Internet connection? Uhm, 802.1...what?”

- VoIP phone: “Let's put it into a different VLAN” – “Mh, it doesn't speak 802.1X”

- Enterprise devices (printers, cameras...): “Hey, we both don't know what I am, but people want to talk to me..”

- Administrator: “Uh-oh! How do we distinguish them?” – “Mh, what to do about all those different devices?”

Page 9

Example Solution

• We implement…

- Multi-user authentication (allows multiple devices per port)

- Multi-method authentication (Web, MAC, 802.1X, Kerberos snooping, ...)

- Port-based policies

- Role-based policies

• We get...

- Vendor independence

- Client capability independence

- Precise communication restrictions (guest and enterprise use)

- Preserved device mobility where needed

- Central management

- Device/user inventory data

[Diagram: the same PEP (802.1X, MAC, Web) now classifying the VoIP phone, the guest user and the enterprise devices (printers, cameras...).]

Page 10

The Solution - NAC

• Enterasys NAC solutions fit the following topologies:

- LAN

- WLAN

- VPN

- Remote branch

• Enterasys’ focus is on pre-connect and post-connect NAC solutions:

- Switch-based

- Inline appliance-based NAC Controller

- “True” out-of-band appliance-based NAC Gateway

• Enterasys leverages standards and provides open APIs wherever possible, whenever necessary

Enterasys Provides Choice

Page 11

The Solution – How We Position Ourselves

[Diagram: Enterasys NAC Gateway and Enterasys NAC Controller as PEP and PDP (Policy Enforcement Point, Policy Decision Point). Surrounding systems and interfaces: Directory (LDAP); MS-NPS RADIUS (802.1X with EAP-PEAP [TNCCS-SOH] and EAP-TLS); MS agent health check; Enterasys agent (XML API); SIEM; Kerberos; 802.1X, MAC and Web authentication from the access layer; IF-MAP; location; asset management; policy provisioning and assignment (XML API).]

Page 12

NAC/VoIP Integration via SOA

The solution developed by Siemens Enterprise Communications and Enterasys is an important component for protecting real-time applications, like voice and video, over a converged IT infrastructure. Features supported:

• Automatic inventory: reduces the risk of operating non-compliant end devices with an invalid configuration or software release.

• Automatic adaptation: location-based configuration of end devices and use of special functions (e.g. configuration of speed-dial buttons).

• IP phone monitoring: detects non-compliant and compromised end devices.

• Automatic fault alerting & error correction: automatically generated fault information and notification for fast and effective error correction.

• Automatic authorization: secure, reliable and high-quality operation of real-time applications through automatically assigned QoS parameters and security mechanisms.

Finally, the use of this solution provides the following value add:

• Reduces administrative effort and costs

• Increases protection and reliability of real-time applications

• Minimizes the risk of attacks and the probability of outages

• Increases compliance with the enterprise’s security policies

Page 13

Enterasys NAC / Siemens HiPath

[Diagram: wired LAN with IP phones; Siemens HiPath DLS and the HiPath Platform on one side, the Enterasys NAC Appliance and NAC Manager on the other. Event-based synchronization of databases via API: IP phone, phone number, switch, switch port, building, room. The NAC side also holds a database of the physical infrastructure / cabling: wall socket, building, room.]

Sample of the synchronized inventory:

Phone number | Phone IP address | Phone MAC address | Switch name | Switch IP address | Switch port | Building | Room | Wall jack | Phone software | Phone configuration
12345 | 10.1.1.10 | xx-xy-yy-yz-zz-az | Access 1 | 10.9.9.8 | fe.0.15 | B. A | 130 | 3 | 4.2.4 | 2008.03.04
34567 | 10.1.1.18 | aa-bb-cc-dd-ee-ff | Access 2 | 10.9.9.9 | fe.1.8 | B. B | 241 | 1 | 4.2.4 | 2008.03.04
56789 | 10.1.1.25 | ab-cd-ef-gh-ij-kl | Access 3 | 10.9.9.10 | fe.2.21 | B. A | 412 | 2 | 4.2.2 | 2008.02.21

Page 14

NAC Controllers

• Provide Network Access Control in any 3rd-party environment

- No replacement of existing infrastructure required

- Not dependent on 3rd-party switch capabilities

• Implement NAC for any access method

- Wired LAN switch deployments

› Within a layer 2 domain

› Across a layer 3 boundary

- Wireless

- VPN (e.g. IPsec, SSL)

• Pre- and post-assessment capabilities in a single appliance with Dragon integration

[Diagram: three placements of the inline NAC appliance in front of the enterprise network: wired LAN; wireless LAN behind a wireless switch; remote access (VPN) behind a VPN concentrator.]

Page 15

NAC in Any Environment

• Hybrid deployment: best of both models for mixed environments

- Single, integrated solution: seamless management from a single system

[Diagram: one enterprise network (core, distribution, edge). The NAC Gateway serves Enterasys policy-capable switches, RFC 3580-capable switches and RFC 3580-capable wireless access points; the NAC Controller serves non-intelligent wireless, VPN, non-intelligent edge switches and shared-access LAN; the NAC Manager manages both.]

Page 16

Multi-user Authentication and Policy

[Diagram: MUA&P logic on one NAC Controller port (Port X). Three stations share the port: Anita authenticates with 802.1X credentials, Bob with a PWA (web) login, Ted with MAC credentials derived from any traffic. Each authentication goes to the RADIUS authority, whose reply carries a Filter-ID that selects a policy (Policy Sales, Policy Engineering, Policy Credit); the DFE installs a dynamic admin rule per source MAC (SMAC), so each station gets its own policy on the shared interface.]

• Up to 2000 users per system

• Different authentication methods (in any combination per port/user)

- 802.1X, PWA (Web), MAC authentication, RADIUS, Kerberos, Default Role ....

• Single physical interface

NAC Controller

Page 17

Roles, Services, Rules

Authorization – roles & rules

[Diagram: roles (Network Administrator, Guest, Office, Non-Office) are built from services (Administrative Protocols, Acceptable Use, Legacy Protocols, Internet Only), and each service is an ordered list of rules. Rules shown on the slide:]

- Deny RIP, Deny OSPF, Deny AppleTalk, Deny IPX

- Deny SNMP, Deny Telnet, Deny TFTP

- Drop AppleTalk, Drop IPX, Drop DECnet

- Deny DHCP Reply, Deny IP Range, Deny Faculty Server Farm

- Allow DNS, Allow DHCP, Allow HTTP, Deny ALL
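The three slides on multi-user, multi-method authentication (page 9), MUA&P logic (page 16) and roles, services and rules (page 17) describe one mechanism: several stations on one port, each authenticated its own way, each given a role by the RADIUS reply's Filter-Id, and each role enforced as an ordered rule list keyed on the source MAC. The following added example (not Enterasys code and not from the slides) models that mechanism end to end. The role and service names follow page 17, the rule contents are a subset of what the slide lists, the `SERVER_FARM` range, the sample MACs and sessions are constructed, and the `Enterasys:version=1:policy=<role>` Filter-Id syntax is an assumption.

```python
"""Multi-user authentication and policy on one port, with role-based rules.

Added example, not Enterasys code. Several end systems behind one physical
port are each authenticated by their own method, the RADIUS reply's Filter-Id
names a policy role, and each role is an ordered rule list evaluated per
frame against the source MAC. Role names follow the slide; rule contents,
SERVER_FARM, the sample sessions and the Filter-Id syntax are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str = "any"            # "tcp", "udp", "ospf", "ipx", ... or "any"
    dport: Optional[int] = None   # destination port, None = any
    dst: Optional[str] = None     # destination CIDR, None = any

    def matches(self, frame: "Frame") -> bool:
        return ((self.proto == "any" or self.proto == frame.proto)
                and (self.dport is None or self.dport == frame.dport)
                and (self.dst is None or ip_address(frame.dst) in ip_network(self.dst)))


@dataclass(frozen=True)
class Frame:
    smac: str
    proto: str
    dst: str
    dport: Optional[int] = None


SERVER_FARM = "10.10.0.0/16"   # assumed address range behind the "server farm" rule

# Services are reusable, ordered rule sets (first match wins).
SERVICES = {
    "Administrative Protocols": [Rule("deny", "udp", 520), Rule("deny", "ospf"),      # RIP, OSPF
                                 Rule("deny", "udp", 161), Rule("deny", "tcp", 23),   # SNMP, Telnet
                                 Rule("deny", "udp", 69)],                            # TFTP
    "Legacy Protocols": [Rule("deny", "appletalk"), Rule("deny", "ipx"), Rule("deny", "decnet")],
    "Acceptable Use": [Rule("deny", "udp", 68),                 # DHCP replies from a client port
                       Rule("deny", dst=SERVER_FARM)],
    "Internet Only": [Rule("allow", "udp", 53), Rule("allow", "udp", 67),
                      Rule("allow", "tcp", 80), Rule("deny")],  # DNS, DHCP, HTTP, deny all
}

# A role stacks services and ends with a default action when nothing matched.
ROLES = {
    "Network Administrator": ([], "allow"),
    "Office": (["Administrative Protocols", "Legacy Protocols"], "allow"),
    "Non-Office": (["Administrative Protocols", "Legacy Protocols", "Acceptable Use"], "allow"),
    "Guest": (["Internet Only"], "deny"),
}

FILTER_ID_PREFIX = "Enterasys:version=1:policy="   # assumed Filter-Id syntax


def decide(role: str, frame: Frame) -> str:
    """Evaluate one frame against a role: services in order, rules in order, then the default."""
    services, default = ROLES[role]
    for service in services:
        for rule in SERVICES[service]:
            if rule.matches(frame):
                return rule.action
    return default


@dataclass
class Port:
    """Sessions on one physical interface, keyed by source MAC (multi-user authentication)."""
    default_role: str = "Guest"
    sessions: dict = field(default_factory=dict)   # smac -> (method, role)

    def authorize(self, smac: str, method: str, filter_id: Optional[str]) -> str:
        """Install the role named by the RADIUS Filter-Id; unknown or absent -> default role."""
        role = self.default_role
        if filter_id and filter_id.startswith(FILTER_ID_PREFIX):
            name = filter_id[len(FILTER_ID_PREFIX):]
            if name in ROLES:
                role = name
        self.sessions[smac.lower()] = (method, role)
        return role

    def role_of(self, smac: str) -> str:
        return self.sessions.get(smac.lower(), (None, self.default_role))[1]

    def filter(self, frame: Frame) -> str:
        """Per-frame enforcement: look up the sender's role, then its rules."""
        return decide(self.role_of(frame.smac), frame)


if __name__ == "__main__":
    port = Port()
    port.authorize("00:11:22:33:44:01", "802.1X", FILTER_ID_PREFIX + "Office")
    port.authorize("00:11:22:33:44:02", "PWA", FILTER_ID_PREFIX + "Guest")
    port.authorize("00:11:22:33:44:03", "MAC", None)          # no Filter-Id: default role
    for f in (Frame("00:11:22:33:44:01", "tcp", "10.1.2.3", 23),
              Frame("00:11:22:33:44:02", "tcp", "93.184.216.34", 443),
              Frame("00:11:22:33:44:03", "udp", "10.1.1.1", 53)):
        print(f.smac, port.role_of(f.smac), port.filter(f))
```

Two design points matter in practice. A Filter-Id naming a policy the switch does not know must not become an open port, so `authorize` falls back to the default role rather than raising. And the guest role ends in an explicit deny-all while the employee roles end in an implicit allow, which mirrors the slide's "Internet Only" service and is the reason a guest rule set should never be copied into an employee role without also changing the default.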

Page 18

Guest Access Solution with sponsoring

- End-user authentication

› The end user must enter a valid username and password to successfully register a device

› Username/password are validated against a backend LDAP server (e.g. MS Active Directory, OpenLDAP, etc.)

- Sponsored registration

› The end user must be in the presence of a trusted employee (i.e. a sponsor) to successfully register a device

› The sponsor’s username/password are validated against the backend LDAP server, OR against sponsor accounts configured in NAC Manager

- MAC registration web admin interface

› Supports bounded visibility and control of the MAC registration system: view, edit, add, delete registered end systems

› Useful for HelpDesk access to the system without mandating HelpDesk access to NAC Manager

› A “Sponsor Web Admin” interface is also supported so sponsors can view, edit, delete and add their own end systems

[Diagram: IT admin, sponsor and guest interacting with the NAC Gateway functions / NAC Controller (802.1X, MAC, Web).]

Page 19

Non-compliant asset on the network

How it works – pre-connect

Pre-connect NAC functions: Detect, Authenticate, Assess, Authorize, Remediate

[Diagram: a user laptop connects either to an Enterasys Matrix®/SecureStack™ switch, which applies role = quarantine, or to a 3rd-party switch like a Cisco Catalyst, which applies VLAN = quarantine (if RFC 3580-compliant). The NAC gateway (out-of-band appliance) or ENAC controller (used out-of-band) sits between the switch and the authentication server; the assessment server (optionally included in the NAC gateway with ITA) runs the compliance check; Enterasys NAC Manager oversees the process. Numbered steps 1–5 in the diagram cover authentication, the compliance check and the assignment of the quarantine role / VLAN to the non-compliant laptop.]
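The sponsored-registration flow on page 18 and the five pre-connect functions on page 19 fit together as one decision the gateway makes per end system. The following added example (not Enterasys code and not from the slides) walks an end system through detect, authenticate, assess, authorize and remediate and returns the role the switch is told to enforce; guests are admitted only from a MAC that was registered by an authenticated user with a validated sponsor present. The directory contents, sponsor accounts, severity threshold, role names and sample end systems are all constructed for the example, and the `fail_closed` switch covers the case the slide does not show, an unreachable assessment server.

```python
"""Pre-connect NAC decision with sponsored guest registration.

Added example, not Enterasys code. Walks one end system through the five
pre-connect functions (detect, authenticate, assess, authorize, remediate)
and returns the role the gateway would hand to the switch, which maps it to
a policy or a quarantine VLAN. Directory contents, thresholds and role names
are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins for the backend LDAP directory and for the sponsor
# accounts kept locally in NAC Manager (the slide allows either source).
DIRECTORY = {"alice": "alice-pw", "bob": "bob-pw"}
DIRECTORY_SPONSORS = {"bob"}
LOCAL_SPONSORS = {"helpdesk": "helpdesk-pw"}

QUARANTINE_SEVERITY = 7   # assumed: a finding at or above this quarantines the host


@dataclass
class Registration:
    mac: str
    user: str
    sponsor: str


@dataclass
class EndSystem:
    mac: str
    method: Optional[str]            # "802.1X", "PWA", "MAC" or None
    auth_ok: bool = False
    findings: Optional[list] = None  # [(name, severity)]; None = assessment server unreachable


@dataclass
class Decision:
    role: str
    remediation: list = field(default_factory=list)
    trail: list = field(default_factory=list)


def sponsor_valid(name: str, password: str) -> bool:
    """Sponsor validated against LDAP (and listed as a sponsor there) OR local NAC Manager accounts."""
    if name in DIRECTORY_SPONSORS and DIRECTORY.get(name) == password:
        return True
    return LOCAL_SPONSORS.get(name) == password


def register_guest(registry: dict, mac: str, user: str, user_pw: str,
                   sponsor: str, sponsor_pw: str) -> bool:
    """Both the end user and the present sponsor must authenticate, otherwise nothing is stored."""
    if DIRECTORY.get(user) != user_pw or not sponsor_valid(sponsor, sponsor_pw):
        return False
    registry[mac.lower()] = Registration(mac.lower(), user, sponsor)
    return True


def preconnect(es: EndSystem, registry: dict, fail_closed: bool = True) -> Decision:
    """The pre-connect functions in order; the role returned is what the switch enforces."""
    d = Decision(role="Unregistered")
    d.trail.append("detect")           # a new MAC on a port starts the flow
    d.trail.append("authenticate")
    if es.method in ("802.1X", "PWA") and es.auth_ok:
        candidate = "Enterprise User"
    elif es.mac.lower() in registry:   # a sponsored MAC registration stands in for credentials
        candidate = "Guest"
    else:
        d.trail.append("authorize")    # stays in the registration / captive-portal role
        return d
    d.trail.append("assess")
    if es.findings is None:
        d.remediation.append("assessment server unreachable")
        if fail_closed:
            candidate = "Quarantine"   # no posture evidence: do not admit by default
    else:
        failed = [name for name, severity in es.findings if severity >= QUARANTINE_SEVERITY]
        if failed:
            d.remediation = failed
            candidate = "Quarantine"
    d.trail.append("authorize")
    d.role = candidate
    if candidate == "Quarantine":
        d.trail.append("remediate")    # the quarantine policy only reaches remediation resources
    return d


if __name__ == "__main__":
    registry = {}
    register_guest(registry, "AA:BB:CC:00:00:01", "alice", "alice-pw", "bob", "bob-pw")
    for es in (EndSystem("00:11:22:33:44:55", "802.1X", True, [("AV signatures 30 days old", 8)]),
               EndSystem("aa:bb:cc:00:00:01", "MAC", False, []),
               EndSystem("aa:bb:cc:00:00:02", None)):
        d = preconnect(es, registry)
        print(es.mac, d.role, d.remediation, " -> ".join(d.trail))
```

Whether to fail open or closed when the assessment server is down is an organizational decision, not a technical one, which is the point the summary slide makes about NAC being "also about organization"; the code makes it an explicit parameter so the choice is recorded rather than implied by whichever branch happened to be written first.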

Page 20

Summary

• NAC is still a volatile technology.

• Pick an open and scalable architecture wisely

• Define all of your requirements before you select the solution

• Insist on open APIs for efficient IT workflow integration

• NAC is about technology but also about organization

• Enterasys can offer you a solid, scalable and open architecture to address all of these items

Page 21

Thank you