A Survey of Network Access/Admissions Control Security Practices in Higher Education
H. Morrow Long, Director, Information Security, Yale University
Educause 2007 Annual Conference Session
Wednesday, October 24, 2007, 11:30 a.m. - 12:45 p.m.
Network Security Effective Practices - NAC/P, TNC
Slide 3: Overview
This presentation will discuss a survey and informal poll of the current campus network access and admissions security practices and products in higher education on both wired and wireless networks.
Slide 4: Agenda
- Introduction
- What is NAC, NAP and TNC?
- NAC/P Concepts and Terminology
- NAC/P Feature Checklists
- NAC/P Effective Practices in Higher Ed
- Survey of NAC/P Practices in Academia
- Discussion and Questions
Slide 5: NAC, NAP, TNC timeline
- In 2003, RPC/DCOM worms (Blaster, Nachi) caused widespread problems on campus networks.
- NetReg, Bradford Campus Networks and other registration/quarantine systems were used as effective solutions.
- Cisco (which bought Perfigo) and many vendors (particularly wireless) entered this market.
- Microsoft and the TCG alliance have been promising standards (with Cisco) for a time (2008?).
Slide 6: NAC/P Open Source Efforts
- UConn/UMass/etc. (Rodrigue, et al.) "NetReg" mods (RPC/DCOM NASL scanning, à la Nessus)
- PacketFence
- NoCat - Captive Web Portal
Slide 7: NAC/P Goes Mainstream
Standards:
- Cisco / Microsoft agreement
- 802.1X and EAPs
- WPA2
Slide 8: What is NAC/NAP/TNC?
- NAC - Network Access (or Admission) Control: generic term; Cisco
- NAP - Network Access (or Admission) Protection: Microsoft Vista and Longhorn Server (2008)
- TNC - Trusted Network Computing (from the Trusted Computing Group - TCG): anti-virus / anti-malware vendors
Slide 9: Why NAC? Is NAC relevant and still needed?
New paradigms may obviate NAC:
- Enterprise-wide A/V / anti-malware
- XP SP2 Firewall & Vista security - renders scanners obsolete?
- Managed workstations, "lockdown" GPO policies
Arguments for NAC/P going forward:
- Un-managed & guest personal computers & devices
- End-point protection and assessment
- IDP/DLP/C
Slide 10: NAC/P Issues to deal with
- Phones
- Printers
- User hubs, switches, WiFi APs and SOHO routers
- XBOX™, Sony PlayStation™, Nintendo™
- PDAs, SmartPhones, etc.
- Other unique IP devices and non-standard OSes
- "Guest/Visitor" and conference attendees
Slide 11: NAC/P vs. No NAC/P
- You can actually have even better security using NAC/P IF you use strong encryption (and a good implementation) -- even over wired networks.
- Inline is more secure, reliable(?) than non-inline...
- Complex solutions may cause problems (run amok).
- You will need to provide overrides and exceptions -- but SOP & policy should discourage this as much as possible.
Slide 12: Threats to NAC/P (in order of sophistication)
- Scalability - worst case scenario: several thousand PCs seeking network admission simultaneously, overwhelming the scanner / NAC / network.
- Single point of failure - only one scanner / gate / remediation website, etc.
- Self-assigned IPs
- Spoofing IPs
- Spoofing EHAs (MACs)
- ARP spoofing/poisoning (Dsniff, Ettercap, etc.)
- Router EHA cloning
- DoS attack
- 802.1X / EAP DoS attacks
- VLAN "jumping"
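The address-layer threats on this slide (spoofed IPs, cloned MACs/EHAs, ARP poisoning, a cloned router MAC) all leave the same footprint in a NAC monitor's view of the network: the port/MAC/IP triple stops being one-to-one. The following detector is an added example, not part of the presentation; the switch names, MACs, addresses and DHCP lease table are constructed.

```python
"""Spot the address-spoofing threats from the slide in constructed NAC monitor
logs. Added example (not from the presentation); data and names are made up.

Each line is "switch:port mac ip", as DHCP snooping / ARP inspection might
record. Correlating the three fields exposes: one MAC on several ports (EHA
cloning), one IP answered by several MACs (ARP poisoning), a cloned gateway
MAC, and addresses that were never leased (self-assigned IPs).
"""
from collections import defaultdict

ROUTER_IP = "10.10.1.1"                                # assumed gateway address
LEASES = {"10.10.1.11", "10.10.1.12", "10.10.1.13"}    # constructed DHCP leases

# Constructed observations: port Gi0/3 reuses a MAC, two MACs answer for .12
# and for the gateway, and .99 was never handed out by DHCP.
OBSERVATIONS = """\
sw1:Gi0/1 00:11:22:33:44:01 10.10.1.11
sw1:Gi0/2 00:11:22:33:44:02 10.10.1.12
sw1:Gi0/3 00:11:22:33:44:02 10.10.1.13
sw1:Gi0/4 00:11:22:33:44:04 10.10.1.12
sw2:Gi0/1 00:11:22:33:44:05 10.10.1.1
sw1:Gi0/9 00:11:22:33:44:09 10.10.1.1
sw2:Gi0/5 00:11:22:33:44:06 10.10.1.99
"""


def parse(text):
    """Yield (port, mac, ip) tuples, normalising MAC case."""
    for line in text.splitlines():
        if line.strip():
            port, mac, ip = line.split()
            yield port, mac.lower(), ip


def find_anomalies(text, router_ip=ROUTER_IP, leases=LEASES):
    """Return a dict of anomaly class -> sorted offending addresses."""
    ports_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(set)
    for port, mac, ip in parse(text):
        ports_by_mac[mac].add(port)
        macs_by_ip[ip].add(mac)
    return {
        # same MAC seen on more than one port: EHA/MAC cloning
        "mac_cloning": sorted(m for m, p in ports_by_mac.items() if len(p) > 1),
        # same host IP claimed by several MACs: ARP poisoning or IP conflict
        "ip_conflict": sorted(ip for ip, m in macs_by_ip.items()
                              if len(m) > 1 and ip != router_ip),
        # gateway address answered by more than one MAC: router EHA cloning
        "router_cloning": len(macs_by_ip.get(router_ip, ())) > 1,
        # IP in use that DHCP never leased: self-assigned or spoofed address
        "unleased_ip": sorted(ip for ip in macs_by_ip
                              if ip not in leases and ip != router_ip),
    }
```

A quarantine design that keys only on MAC registration is blind to every one of these findings, which is why the later checklist slides pair registration with 802.1X/RADIUS and filtering at the switch.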
Slide 13: NAC System Components
- Database (user, computer, MAC, etc.)
- Registration system
- DHCP and/or authentication (RADIUS/802.1X) server
- Scanning engine and policy server
- Quarantine LAN/VLAN/subnet
- ACL (switch/router), firewall, filter/blocking device
- Captive portal
- Remediation site
- Proxy
- Agent (one time/registration, temporary, permanent)
- Management interface and/or station/app.
Slide 14: Other NAC Architectures
- EHA / MAC filtering
- NAT control
- Forced VPN option
- WiFi
- Wired
- Remote access
- Guest networks
Slide 15: NAC Concepts/Terms
- In-line
- Out-of-band
- Agent / agent-less
- One-time
- Boot/connect time
- Dissolvable
- Continual
- Policy server
- Remediation server
- End point protection
- Security via virtualization
- Quarantine
- Pre-authentication
- Post-authentication
- DLP/ILP - Leak Protect
Slide 16: NAC/P Implementation Checklist
Practical NAC/P planning "high level short list":
- Create, publish and enforce security policies.
- Practice rigorous physical security.
- Verify user identities.
- Actively monitor logs, firewalls & IDSes.
- Logically segregate data & voice traffic.
- Harden OSes.
- Encrypt whenever and whatever you can.
Slide 17: NAC Implementation Checklist
Detailed and specific list:
- Use a separate VLAN with 802.1p/q QoS and priority VLAN tagging for the quarantine network.
- Use a private (RFC 1918) IP network for the quarantine VLAN.
- Use NAT and/or proxies to hide internal addresses.
- Use a firewall (packet filtering or ALG) to protect & connect the quarantine network to the data IP network.
- Use an IDS or IPS to examine the traffic allowed through the firewall (may be built into the firewall).
- Use agents, 802.1X & RADIUS auth & EAP supplicants.
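To make the component list (slide 13), the exception device classes (slide 10) and the quarantine-network checklist above concrete, here is an added example of the admission decision an out-of-band NAC policy server makes; it is not code from the presentation or any product named in it. The VLAN numbers, quarantine subnet, registration records and posture fields are all assumed values.

```python
"""Out-of-band NAC admission decision (added example, not from the slides).

Models the components the slides list: a registration database, a posture
(scan) report, a policy decision, and a quarantine VLAN on private (RFC 1918)
address space separate from production. All names and values are constructed.
"""
import ipaddress
from dataclasses import dataclass

PRODUCTION_VLAN = 100                 # assumed production data VLAN
QUARANTINE_VLAN = 999                 # assumed quarantine VLAN
QUARANTINE_SUBNET = "10.200.0.0/16"   # assumed quarantine address space

# Device classes the slides treat as exceptions (phones, printers): they get
# no agent scan but are confined to their own VLAN rather than production.
DEVICE_VLANS = {"voip_phone": 200, "printer": 300}

# Constructed registration database: MAC -> owner and device type.
REGISTRY = {
    "00:aa:bb:cc:dd:01": {"user": "alice", "type": "computer"},
    "00:aa:bb:cc:dd:02": {"user": "telecom", "type": "voip_phone"},
}


@dataclass
class Posture:
    """Minimal end-point assessment as an agent or scanner might report it."""
    av_current: bool
    patched: bool
    firewall_on: bool


def check_quarantine_design(subnet=QUARANTINE_SUBNET,
                            q_vlan=QUARANTINE_VLAN, p_vlan=PRODUCTION_VLAN):
    """Checklist items: private address space (is_private covers RFC 1918 and
    other reserved ranges) and a quarantine VLAN distinct from production."""
    return ipaddress.ip_network(subnet).is_private and q_vlan != p_vlan


def admit(mac, registry, posture):
    """Return (vlan, reason) for a device seeking admission."""
    rec = registry.get(mac.lower())
    if rec is None:
        return QUARANTINE_VLAN, "unregistered: redirect to captive portal"
    dev_type = rec.get("type", "computer")
    if dev_type in DEVICE_VLANS:            # agent-less exception class
        return DEVICE_VLANS[dev_type], f"{dev_type}: dedicated VLAN, no scan"
    if posture is None:                     # agent missing or scan failed
        return QUARANTINE_VLAN, "no posture report: remediation site"
    failed = [name for name, ok in vars(posture).items() if not ok]
    if failed:
        return QUARANTINE_VLAN, "posture failed: " + ", ".join(failed)
    return PRODUCTION_VLAN, "registered and compliant"
```

The reason string is what the captive portal or remediation site would show the user; the VLAN is what the switch or RADIUS server would actually enforce.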
Slide 18: NAC/P Effective Practices in Higher Ed
Some schools:
- Use a separate VLAN, L2 switches and RFC1918 IP addresses for the quarantine network.
Many schools:
- Using Cisco Secure/Clean Access
- Rolling their own via NetReg, NoCat & PacketFence
- Looking at appliances
Slide 19: NAC/P Effective Practices in Higher Ed - Colleges
(http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0701&L=security&P=13595)

Date: Fri, 19 Jan 2007 15:58:22 -0500
Reply-To: The EDUCAUSE Security Discussion Group Listserv
From: "Charles L. Bombard"
Subject: Re: Network access control
In-Reply-To:
Content-Type: text/plain; charset="us-ascii"

Still looking. I am on the fence (excuse the pun) and can go with either one at the moment. Packetfence seems to have acquired a large following, and netreg seems to not be in active development any longer.
www.netreg.org
www.packetfence.org
- Charlie
==========================================
Charles Bombard, GSEC
LAN/Systems Administrator
Community College of Vermont
119 Pearl Street
Burlington, VT 05401
802.657.4234
Slide 20: NAC/P Effective Practices in Higher Ed - Small Colleges
(http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind07&L=smallcol&P=20469)

Date: Wed, 18 Apr 2007 11:00:47 -0400
Reply-To: The EDUCAUSE Small College Constituent Group Listserv
From: "Beyer, Bill (William)"
Subject: Network Access Control and Vista
Content-Type: multipart/alternative;

Hartwick College has been an early adopter of Network Access Control using Sygate Secure Enterprise in conjunction with using 802.1x protocols on our HP network data switches. While Sygate has worked well it does have its limitations, mainly that it does not yet have a Vista client (our fingers are crossed that it will be released in May 2007) or a workable Mac client or Linux client. Our plans also include rolling out Vista Business on the student laptops we will issue to all freshmen this fall.
Slide 21: NAC/P - Other Surveys
"Thing is, out-of-band NAC seems to have an image problem: Our own reader research indicates that 65% of organizations deploying NAC prefer in-line appliances versus 50% using out-of-band products. And the outlook doesn't look likely to improve. Nearly 70% of companies in the planning stages are leaning toward in-line systems, versus just 43% favoring out-of-band NAC. A recent survey by Infonetics Research shows that 55% of companies plan on buying in-line NAC products; this syncs with the firm's market forecast, which shows more than half the NAC units shipped are in-line appliances. Is the problem just bad PR, or does the out-of-band approach really carry technical disadvantages compared with going in-band?"
http://www.networkcomputing.com/channels/security/showArticle.jhtml?articleID=202403321
Network Computing Magazine, Rolling Review Kickoff: Out-Of-Band NAC - Oct 22, 2007 - By Mike Fratto
Slide 22: NAC/P Higher Ed Effective Practices Survey
Which NAC/P security mechanisms do[n't] you use?
- Use of IPS or FW between NAC/P network and production backbone IP network.
- Use of IDS between NAC/P network and production backbone IP network.
- Use NAC (network access control) such as 802.1X and RADIUS to authenticate.
- Devices require the use of the separate NAC/P network (physical LAN, VLAN, subnet address, etc.) from the production backbone data IP network.
- VoIP phones are automatically allowed access to the backbone network?
- Computers are allowed with IPSEC or other VPNs.
- Use NAC (network access control) such as 802.1X and RADIUS to authenticate hard phones.
- Allow quarantine access automatically to the Internet but not campus network?
- Provide separate dedicated bandwidth for NAC/P quarantine network traffic to the Internet?
Slide 23: Survey
47 responses (as of October 20, 2007)
http://www.surveymonkey.com/s.aspx?sm=w7FZIc_2fK4_2frF3icYgfKXig_3d_3d
Slide 28: NAC/P Higher Ed Effective Practices Survey
Q2: Other category
1. RACS - homegrown system
2. We rolled our own (for wireless)
3. none
4. Saint Mary's NetReg and in house developed
5. Homebuilt
6. Complete Home Brew
7. home grown
8. nessus