Network Access Control: A Whirlwind Tour Through The Basics
Joel M. Snyder, Senior Partner
Opus [email protected]
Agenda: Defining NAC
• Why are we thinking about NAC?
• What is a definition of NAC?
• What are the four key components of NAC?
• What are the industry NAC architectures?
• Authentication, Environment, and Enforcement in Depth
Security Management Is Moving Towards the End User
Last Year
• Poke holes in the firewall for specific IP addresses and specific services
• Create IPsec remote access solutions that give broad network access
Next Year
• Determine security policy by who is connecting, not where they are connecting from
• Create remote access solutions that focus on the end-user, not the network
The Marketing View of NAC
[Diagram: the Internet on one side, the Corporate Net on the other]
Let’s Define NAC: “Network Access Control”
NAC is user-focused, network-based access control
• Who you are: not your IP address, but your authenticated identity. Also: your end-point security status, location, access type.
• Control: limit access according to policy, where policy is based on the user.
• Something inside of the network: enforcement occurs in the network, not on the end points.
“OK, wait a second. Isn’t Access Control what a firewall does?”
(Firewall cartoon: “You shall not pass!”)
Absolutely!
The difference is in the decision!
NAC Is Firewalling, but With a Difference
Common Firewall Decision Elements
• Source IP and port
• Destination IP and port
• Position: between two networks
Common NAC Decision Elements
• Username and group
• Access method and location
• End-point security status
• Destination IP and port
• Position: between user and network
NAC Has Four Components
1. Authentication of the user (Authenticate): end users are authenticated before getting network access
#1: Authenticate
How Does the Authentication Actually Work?
[Diagram: the Internet, the Corporate Net, and the NAC Policy Server]
Three options are common:
• 802.1X
• Web-based Authentication
• Proprietary Client
802.1X is Preferred and the Most Secure Approach
[Diagram: the Internet, the Corporate Net, the NAC Policy Server and the edge AP/switch]
1. User brings up link (or associates with AP)
2. AP/Switch starts 802.1X (EAP) for authentication
3. User authenticates to central policy server
4. If authentication (and other stuff) is successful, policy server instructs edge device to grant appropriate access. User gets IP address.
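The four steps above, as an added worked example that is not part of the deck and not any vendor's code. Three parties are simulated: the supplicant on the end point, the authenticator (switch port or AP) and the NAC policy server behind a RADIUS-style back end. The port has two logical halves: an uncontrolled port that only ever passes EAPOL, and a controlled port that stays closed until the policy server returns Access-Accept. The EAP method is a toy HMAC challenge/response standing in for a real method such as EAP-TLS or PEAP; the user database, VLAN numbers, frame types and the `run_session` helper are all constructed for illustration.

```python
"""Added example (not the deck's code): a simulated 802.1X exchange.

Supplicant -> authenticator (switch port) -> policy server (RADIUS-style).
Before Access-Accept only EAPOL crosses the port; DHCP and everything else is
dropped, so the user has no IP address until authentication succeeds.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed user database on the policy server: password plus the VLAN policy assigns.
USERS: Dict[str, dict] = {"alice": {"password": "correct horse battery", "vlan": 20}}


def eap_digest(password: str, challenge: bytes) -> str:
    """Toy EAP method: HMAC over the server's challenge (stand-in for EAP-TLS/PEAP)."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).hexdigest()


@dataclass
class Supplicant:
    """802.1X client on the end point. Only it ever holds the password."""
    username: str
    password: str

    def identity(self) -> str:
        return self.username

    def answer(self, challenge: bytes) -> str:
        return eap_digest(self.password, challenge)


class PolicyServer:
    """RADIUS-style back end: validates the credential, never sees user traffic."""

    def __init__(self, users: Dict[str, dict]):
        self.users = users
        self.pending: Dict[str, bytes] = {}   # outstanding challenge per identity

    def access_request_identity(self, username: str) -> Tuple[str, bytes]:
        challenge = secrets.token_bytes(16)
        self.pending[username] = challenge
        return "Access-Challenge", challenge

    def access_request_answer(self, username: str, response: str) -> Tuple[str, dict]:
        challenge = self.pending.pop(username, None)
        user = self.users.get(username)
        if challenge is None or user is None or not hmac.compare_digest(
                eap_digest(user["password"], challenge), response):
            return "Access-Reject", {}
        # Dynamic VLAN attributes per RFC 3580: Tunnel-Type=VLAN (13),
        # Tunnel-Medium-Type=IEEE-802 (6), Tunnel-Private-Group-Id=<vlan id>.
        return "Access-Accept", {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                                 "Tunnel-Private-Group-Id": str(user["vlan"])}


@dataclass
class SwitchPort:
    """Authenticator: relays EAP to the policy server and enforces its verdict."""
    policy_server: PolicyServer
    authorized: bool = False
    vlan: Optional[int] = None
    trace: List[str] = field(default_factory=list)

    def forward(self, frame_type: str) -> bool:
        """Uncontrolled port passes EAPOL only; the controlled port opens on Access-Accept."""
        if frame_type == "EAPOL" or self.authorized:
            return True
        self.trace.append(f"dropped {frame_type}: port unauthorized")
        return False

    def link_up(self, supplicant: Supplicant) -> str:
        # Step 1: link comes up (or the client associates).
        # Step 2: the authenticator starts EAP with EAP-Request/Identity over EAPOL.
        identity = supplicant.identity()
        self.trace.append(f"EAPOL EAP-Response/Identity {identity}")
        # Step 3: EAP is relayed to the policy server inside RADIUS; the challenge
        # comes back in an Access-Challenge and the supplicant's answer goes up.
        code, challenge = self.policy_server.access_request_identity(identity)
        self.trace.append(f"RADIUS {code}")
        code, attrs = self.policy_server.access_request_answer(identity, supplicant.answer(challenge))
        self.trace.append(f"RADIUS {code}")
        # Step 4: the verdict reconfigures the edge device (authorize + VLAN) or not.
        self.authorized = code == "Access-Accept"
        self.vlan = int(attrs["Tunnel-Private-Group-Id"]) if self.authorized else None
        return code


def run_session(username: str, password: str) -> dict:
    """Bring a port up for one supplicant and report what passed before and after."""
    port = SwitchPort(PolicyServer(USERS))
    before = port.forward("DHCP")   # no IP address before authentication
    code = port.link_up(Supplicant(username, password))
    after = port.forward("DHCP")    # the user gets an IP address only if authorized
    return {"code": code, "authorized": port.authorized, "vlan": port.vlan,
            "dhcp_before_auth": before, "dhcp_after_auth": after, "trace": port.trace}


if __name__ == "__main__":
    for user, pw in (("alice", "correct horse battery"), ("alice", "wrong"), ("mallory", "x")):
        print(user, run_session(user, pw))
```

The point to take from the trace is the ordering: the DHCP frame sent before `link_up` is dropped, the password never leaves the supplicant (the switch only relays EAP), and the VLAN the user lands on is chosen by the policy server, not by the port configuration.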
Web Authentication is Easy to Do
[Diagram: the Internet, the Corporate Net, the NAC Policy Server and an in-line portal]
1. User gets on network; gets IP address
2. User opens web browser and is trapped by in-line portal
3. User authenticates to central policy server
4. If authentication (and other stuff) is successful, portal lets traffic through or reconfigures network to get out of the way
Note the ordering: unlike 802.1X, the end point is already on the network with an IP address before it authenticates, so the portal (or the segment it guards) must block everything except the redirect until authentication succeeds.
Environmental Information Modifies Access or Causes Remediation
2. Use environmental information as part of continuous policy decision making (Environment)
• Where is the user coming from?
• When is the access request occurring?
• What is the End Point Security posture of the end point? (“Pre-Connect”)
• What is our IPS/NBA/SIM telling us about this user? (“Post-Connect”)
#2: Environment
Environmental Information Can Include Lots of Things
Pure Environment
• Access Method (wired, wireless, VPN)
• Time of Day / Day of Week / Date within Limits
• Client Platform (Mac, Windows, etc.)
• Authentication Method (user/pass, MAC, etc.)
End Point Security: does the device comply with my policy regarding
• Security Tools (A/V, FW)
• Applications (running/not)
• Patch Level
• Corporate “signature”
This is the “(and other stuff)” part. For some, this is the main reason to want NAC!
Any End Point Security Test Should Include Remediation
1. EPS says that this system is untestable or cannot be helped: Internet only
2. System is non-compliant, but can be helped: access to remediation network (or auto-remediate)
3. System complies with security policy: full access granted
Key Concept: Access Is a Function of Authentication & User-Focused Environment
What you can do = Who You Are + How Well You Comply with Policy + How You Behave On The Network
Darn… We just summarized NAC in one slide. What else is there to talk about?
Access Controls Define Capabilities and Restrict the User
3. Control usage based on capabilities of hardware and security policy (Access Control)
• Allow or deny access.
• Put the user on a VLAN.
• Send user to remediation.
• Apply ACLs or firewall rules.
#3: Access Control
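The decision the slides describe, as an added worked example that is not the deck's code and not any NAC product's: identity, environment and end-point posture go in; one of the three posture outcomes from the remediation slide (full access, remediation network, Internet only) or an outright deny comes out; and the outcome is then mapped onto whichever of the four control primitives above the edge hardware supports. Every group name, VLAN number, address, ACL rule and threshold is constructed for illustration.

```python
"""Added example (not the deck's code): a NAC policy decision engine.

What you can do = who you are + how well you comply with policy, then
mapped onto the control granularity the edge device actually offers.
"""
from dataclasses import dataclass, field
from datetime import time
from typing import List, Tuple

REQUIRED_PATCH_LEVEL = 7                               # constructed policy constant
BUSINESS_HOURS = (time(7, 0), time(19, 0))             # constructed policy constant
VLANS = {"full": 20, "remediation": 99, "internet_only": 666}   # constructed
ACLS = {                                               # constructed; first match wins
    "full": ["permit ip any any"],
    "remediation": ["permit udp any host 10.0.99.53 eq 53",     # DNS only
                    "permit tcp any host 10.0.99.10 eq 443",    # remediation server
                    "deny ip any any"],
    "internet_only": ["deny ip any 10.0.0.0 0.255.255.255", "permit ip any any"],
    "deny": ["deny ip any any"],
}


@dataclass
class Identity:
    username: str
    group: str                  # "staff", "contractor", ...


@dataclass
class Environment:
    access_method: str          # "wired", "wireless" or "vpn"
    request_time: time
    platform: str               # "windows", "mac", "printer", ...
    auth_method: str            # "user/pass" or "mac"


@dataclass
class Posture:
    testable: bool              # False when no agent could report on the device
    av_running: bool = False
    av_up_to_date: bool = False
    firewall_on: bool = False
    patch_level: int = 0


@dataclass
class Decision:
    outcome: str                # "full", "remediation", "internet_only" or "deny"
    reasons: List[str] = field(default_factory=list)


def evaluate_posture(p: Posture) -> Tuple[str, List[str]]:
    """Pre-connect end-point security check with the deck's three outcomes."""
    if not p.testable:
        return "internet_only", ["end point cannot be tested or helped"]
    failures = []
    if not p.av_running:
        failures.append("A/V not running")
    elif not p.av_up_to_date:
        failures.append("A/V signatures out of date")
    if not p.firewall_on:
        failures.append("host firewall disabled")
    if p.patch_level < REQUIRED_PATCH_LEVEL:
        failures.append(f"patch level {p.patch_level} below required {REQUIRED_PATCH_LEVEL}")
    return ("full" if not failures else "remediation"), failures


def decide(who: Identity, env: Environment, posture: Posture) -> Decision:
    """Identity first, then environment, then posture (the '(and other stuff)' part)."""
    if who.group not in ("staff", "contractor"):
        return Decision("deny", [f"unknown group {who.group!r}"])
    if env.auth_method == "mac":                            # a MAC address is not a user
        return Decision("internet_only", ["MAC authentication only, no user identity"])
    start, end = BUSINESS_HOURS                             # constructed environment rule
    if who.group == "contractor" and env.access_method == "vpn" \
            and not (start <= env.request_time <= end):
        return Decision("deny", ["contractor VPN access outside business hours"])
    outcome, reasons = evaluate_posture(posture)
    return Decision(outcome, reasons)


def enforce(decision: Decision, device_capability: str) -> dict:
    """Map the decision onto the most granular control the edge device offers."""
    if device_capability == "go_no_go":                     # on/off the network only
        return {"action": "allow" if decision.outcome == "full" else "deny"}
    if device_capability == "vlan":                         # VLAN-level assignment
        if decision.outcome == "deny":
            return {"action": "deny"}
        return {"action": "vlan", "vlan": VLANS[decision.outcome]}
    if device_capability in ("packet_filter", "stateful_firewall"):
        return {"action": "acl", "rules": ACLS[decision.outcome]}
    raise ValueError(f"unknown device capability {device_capability!r}")


# Constructed sample inputs.
ALICE = Identity("alice", "staff")
BOB = Identity("bob", "contractor")
WIRED_OFFICE = Environment("wired", time(10, 0), "windows", "user/pass")
VPN_NIGHT = Environment("vpn", time(23, 30), "mac", "user/pass")
PRINTER = Environment("wired", time(10, 0), "printer", "mac")
HEALTHY = Posture(True, av_running=True, av_up_to_date=True, firewall_on=True, patch_level=7)
STALE_AV = Posture(True, av_running=True, av_up_to_date=False, firewall_on=True, patch_level=7)
UNTESTABLE = Posture(False)

if __name__ == "__main__":
    for who, env, posture in ((ALICE, WIRED_OFFICE, HEALTHY), (ALICE, WIRED_OFFICE, STALE_AV),
                              (ALICE, WIRED_OFFICE, UNTESTABLE), (BOB, VPN_NIGHT, HEALTHY),
                              (ALICE, PRINTER, UNTESTABLE)):
        d = decide(who, env, posture)
        print(who.username, d.outcome, d.reasons, enforce(d, "vlan"), enforce(d, "go_no_go"))
```

Running it shows why the granularity slide matters: the same "remediation" decision becomes a bare deny on a go/no-go device, a VLAN move on a VLAN-capable switch, and a short ACL that still lets the host reach DNS and the remediation server on a device that can filter packets.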
Access Control Enforcement Has Two Main Attributes to Understand
Control Granularity
• On/Off the network
• VLAN-level assignment
• Packet filters
• Stateful firewall
Control Location
• On the client itself
• At the edge of the network (“Edge Enforcement”)
• A barrier between user and network (“Inline Enforcement”)
• As part of the network protocols themselves
• At the server itself
Granularity is a Spectrum Largely Determined by Hardware
From most granular, most secure, most powerful, to least granular, least powerful:
• Stateful Full Firewall
• Basic Packet Filters
• VLAN Assignment
• Go/No-Go Decision
Where the industry sits on that spectrum: “Joel’s Fantasy of How Secure Networks Are Run” at the stateful-firewall end; “Likely Reality for Next Few Years” in the middle; “Typical Current Approach (and likely SMB approach in future)” at the VLAN / go/no-go end.
Edge Enforcement Occurs at the Point of Access to the Network
[Diagram: endpoints, access layer, distribution layer, core layer, data center (DHCP, LDAP and Web servers) and the NAC Policy Server; enforcement happens at the access-layer device the end point connects to]
In-line Enforcement Occurs Deeper in the Network
[Diagram: same topology, with a NAC Enforcement Device placed in the traffic path between the access layer and the data center]
Hybrid Enforcement Combines In-Line and Edge
[Diagram: endpoints, access layer, data center (DHCP, LDAP and Web servers), NAC Policy Server, and a NAC “Portal” (Auth+EPS) in the path]
• Authentication and posture check occur first, at the portal
• Enforcement of network access occurs at the edge, after authentication and posture checks
Management of Policy is the Weak Link in most NAC Solutions
4. Manage it all (Management): usable management and cross-platform NAC normalization
#4: Management
An Architecture Helps to Understand NAC Better
[Diagram: the Internet, the Corporate Net, and the NAC Policy Server]
Lots of NAC Products… but Only a Few Good Architectures
The TCG/TNC reference architecture has three parts:
• Access Requestor (on the end point): Integrity Measurement Collector, Client Broker, Network Access Requestor
• Policy Decision Point: Integrity Measurement Verifier, Server Broker, Network Access Authority
• Policy Enforcement Point
These are the TCG/TNC terms for each piece. IETF, Microsoft, and Cisco all have their own similar ones.

How the TNC components map onto the Cisco NAC, Microsoft NAP and IETF NEA names:

Integrity Measurement Collector
  Cisco NAC: Posture Plug-in Apps
  Microsoft NAP: System Health Agent
  IETF NEA: Posture Collector
  What is it? Third-party software that runs on the client and collects information on security status and applications, such as “is A/V enabled and up-to-date?”

Client Broker
  Cisco NAC: Cisco Trust Agent
  Microsoft NAP: NAP Agent
  IETF NEA: Posture Broker Client
  What is it? “Middleware” that talks to the Posture Collectors, collecting their data, and passes it down to the Network Access Requestor

Network Access Requestor
  Cisco NAC: Cisco Trust Agent
  Microsoft NAP: NAP Enforcement Client
  IETF NEA: Posture Transport Client
  What is it? Connects the client to the network, such as an 802.1X supplicant. Authenticates the user, and acts as a conduit for Posture Collector data

Integrity Measurement Verifier
  Cisco NAC: Policy Vendor Server
  Microsoft NAP: System Health Validator
  IETF NEA: Posture Validator
  What is it? Receives status information from Posture Collectors, then validates it against policy, returning a status to the Server Broker

Server Broker
  Cisco NAC: Access Control Server
  Microsoft NAP: NAP Administration Server
  IETF NEA: Posture Broker Server
  What is it? “Middleware” acting as an interface between multiple Posture Validators and the Network Access Authority

Network Access Authority
  Cisco NAC: Access Control Server
  Microsoft NAP: Network Policy Server
  IETF NEA: Posture Transport Server
  What is it? Validates authentication and posture, then passes policy to the Network Enforcement Point

Policy Enforcement Point
  Cisco NAC: Network Access Device
  Microsoft NAP: NAP Enforcement Server
  IETF NEA: Network Enforcement Point
  What is it? Component within the network that enforces policy, typically an 802.1X-capable switch or WLAN, VPN gateway, or firewall

Source: http://www.networkworld.com/research/2006/040306-nac-overview.html
We’ve Just Grazed the Surface of NAC
• NAC needs to be on your radar
• Tools like 802.1X should be part of your short and long range plans anyway
• Don’t jump into a proprietary solution without considering the emerging standard architectures