Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Survey of Network Access/Admissions Control Security Practices in Higher Education H. Morrow Long Director, Information Security Yale University Educause.

Similar presentations


Presentation on theme: "A Survey of Network Access/Admissions Control Security Practices in Higher Education H. Morrow Long Director, Information Security Yale University Educause."— Presentation transcript:

1 A Survey of Network Access/Admissions Control Security Practices in Higher Education H. Morrow Long Director, Information Security Yale University Educause 2007 Annual Conference Session Wednesday, October 24, :30 a.m. - 12:45 p.m. Network Security Effective Practices - NAC/P, TNC

2 2 Introductions

3 3 Overview This presentation will discuss a survey and informal poll of the current campus network access and admissions security practices and products in higher education on both wired and wireless networks.

4 4 Agenda Introduction What is NAC, NAP and TNC? NAC/P Concepts and Terminology NAC/P Feature Checklists NAC/P Effective Practices in Higher Ed Survey of NAC/P Practices in Academia Discussion and Questions

5 5 NAC, NAP, TNC timeline In 2003, RPC/DCOM worms (Blaster, NACHI) caused widespread problems on campus networks. NetReg, Bradford Campus Networks and other reg/quarantine systems were used as effective solutions. Cisco (bought Perfigo) and many vendors (particularly wireless) entered this market. Microsoft and the TCG alliance have been promising standars (w/Cisco) for a time (2008?).

6 6 NAC/P Open Source Efforts Uconn/Umass/etc (Rodrigue, et al) “NetReg” mods (RPC/Dcom NASL scanning ala Nessus) PacketFence NoCAT - Captive Web Portal

7 7 NAC/P Goes Mainstream Standards: Cisco / Microsoft agreement 802.1X and EAPs WPA2

8 8 What is NAC/NAP/TNC? NAC - Network Access (or Admission) Control  Generic  Cisco NAP - Network Access (or Admission) Protection  Microsoft Vista and Longhorn Server (2008) TNC - Trusted Network Computing (form Trusted Computing Group - TCG)  Anti-Virus / Anti-Malware vendors

9 9 Why NAC? IS NAT RELEVANT AND STILL NEEDED? New Paradigms may obviate NAC:  Enterrpise wide A/V / Anti-Malware  XP XP2 Firewall & Vista Security - renders scanners obsolete?  Managed Workstations, “lockdown” GPO policies Arguments for NAC/P going forward:  Un-managed & guest personal computers & devices  End-point protection and assessment  IDP/DLP/C

10 10 NAC/P Issues to deal with NAC/P Phones Printers User hubs, switchs, WiFi Aps and SOHO routers XBOX™, Sony PlayStation™, Nintendo™ PDAs, SmartPhones, etc. Other unique IP devices and non-std Oses “Guest/Visitor” and conference attendees

11 11 NAC/P vs. No NAC/P You can actually have even better security using NAC/P IF you use strong encryption (and a good implementation) -- even over wired networks. Inline is more secure, reliable(?) than non- inline… Complex solutions may cause problems (run amuck). You will need to provide overrides and exceptions -- but SOP & Policy should discourage this as much as possible.

12 12 Threats to NAC/P (in order of sophistication) Scalability - worst case scenario : several thousand PCs seeking network admission simultaneously overwhelming scanner / NAC / Network. Single Point of Failure - only 1 scanner / gate / remediation website, etc Self-Assigning IPs. Spoofing Ips Spoofing EHAs (MACs) ARP spoofing/poisoning (Dsniff, Ettercap, etc.) Router EHA Cloning DoS Attack 802.1X / EAP DoS Attacks VLAN “jumping”

13 13 NAC System Components Database (User, Computer, MAC, etc) Registration System DHCP and/or Authentication (RaDIUS/802.1X) Server Scanning engine and Policy Server Quarantine LAN/VLAN/Subnet ACL (switch/router), Firewall, Filter/Blocking device Captive Portal Remediation Site Proxy Agent (one time/registration, temporary, permanent) Management Interface and/or Station/App.

14 14 Other NAC Architectures  EHA / MAC filtering  NAT Control  Forced VPN option WiFi Wired Remote Access Guest networks

15 15 NAC Concepts/Terms In-line Out-of-Band Agent / Agent-less  One-time  Boot/Connect time  Dissolvable  Continual Policy Server Remediation Server End Point Protection Security via Virtualization Quarantine Pre-authentication Post-authentication DLP/ILP - Leak Protect

16 16 NAC/P Implementation Checklist Practical NAC/P Planning “high level short list”: Create, publish and enforce security policies. Practice rigorous physical security. Verify user identities. Actively monitor logs, firewalls & IDSes. Logically segregate data & voice traffic. Harden Oses. Encrypt whenever and whatever you can.

17 17 NAC Implementation Checklist Detailed and Specfic list: Use a separate VLAN with 802.1p/q QoS w/priority VLAN tagging for the quarantine network. Use a private (RFC1918) IP network for the quarantine VLAN. Use NAT and/or proxies to hide internal addresses. Use a firewall (packet filtering or ALG) to protect & connect the Quarantine network to the data IP network. Use an IDS or IPS to examine the traffic allowed through the firewall (may be built into the firewall). Use agents, 802.1X & RADIUS auth & EAP supplicants.

18 18 NAC/P Effective Practices in Higher Ed Some schools: Uses separate VLAN, L2 switches and RFC1918 IP addresses for the quarantine network. Many Schools: Using Cisco Secure/Clean Access Rolling their own via NetReg, NoCat & PacketFence Looking at appliances

19 19 NAC/P Effective Practices in Higher Ed Colleges (http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0701&L=security&P=13595) Date: Fri, 19 Jan :58: Reply-To: The EDUCAUSE Security Discussion Group Listserv From: "Charles L. Bombard" Subject: Re: Network access control In-Reply-To: Content-Type: text/plain; charset="us-ascii" Still looking. I am on the fence (excuse the pun) and can go with either one at the moment. Packetfence seems to have acquired a large following, and netreg seems to not be in active development any longer. - Charlie ========================================== Charles Bombard, GSEC LAN/Systems Administrator Community College of Vermont 119 Pearl Street Burlington, VT

20 20 NAC/P Effective Practices in Higher Ed Small Colleges (http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind07&L=smallcol&P=20469) Date: Wed, 18 Apr :00: Reply-To: The EDUCAUSE Small College Constituent Group Listserv From: "Beyer, Bill (William)" Subject: Network Access Control and Vista Content-Type: multipart/alternative; Hartwick College has been an early adopter of Network Access Control using Sygate Secure Enterprise in conjunction with using 802.1x protocols on our HP network data switches. While Sygate has worked well it does have its limitations mainly that it does not yet have a Vista client (our fingers are crossed that it will be released in May 2007) or a workable Mac client or Linux client. Our plans also include rolling out Vista Business on the student laptops we will issue to all freshmen this fall.

21 21 “Thing is, out-of-band NAC seems to have an image problem: Our own reader research indicates that 65% of organizations deploying NAC prefer in-line appliances versus 50% using out-of-band products. And the outlook doesn't look likely to improve. Nearly 70% of companies in the planning stages are leaning toward in-line systems, versus just 43% favoring out-of-band NAC. A recent survey by Infonetics Research shows that 55% of companies plan on buying in-line NAC products; this syncs with the firm's market forecast, which shows more than half the NAC units shipped are in-line appliances. Is the problem just bad PR, or does the out-of-band approach really carry technical disadvantages compared with going in-band?” ml?articleID= Network Computing Magazine Rolling Review Kickoff: Out-Of-Band NAC - Oct 22, By Mike Fratto NAC/P - Other Surveys

22 22 Use of IPS or FW between NAC/P network and production backbone IP network. Use of IDS between NAC/P network and production backbone IP network. Use NAC (network access control) such as 802.1X and RADIUS to authenticate. Devices require the use of the separate NAC/P network (physical LAN, VLAN, subnet address, etc.) from the production backbone data IP network. VoIP phones are automatically allowed access to the backbone network?. Computers are allowed with IPSEC or other VPNs. Use NAC (network access control) such as 802.1X and RADIUS to authenticate hard phones. Allow quarantine access automatically to the Internet but not campus network? Provide separate dedicated bandwidth for NAC/P quarantine network traffic to the Internet? Which NAC/P Security mechanisms do[n’t] you use? NAC/P Higher Ed Effective Practices Survey

23 23 Survey 47 Responses (as of October 20, 2007) FZIc_2fK4_2frF3icYgfKXig_3d_3d

24 24 NAC/P Higher Ed Effective Practices Survey

25 25 NAC/P Higher Ed Effective Practices Survey 2.6% Solutions (1 Response each) IBM (Internet Security Systems) Impulse Point (Safe Connect) InfoBlox (ID Aware) Juniper Networks (Endpoint Assurance (was Funk)) LANDesk Software (Trusted Access) Lockdown Networks (Lockdown Enforcer) McAfee (McAfee Policy Enforcer) ProCurve Networking Symantec (Sygate NAC) VeriSign Inc

26 26 NAC/P Higher Ed Effective Practices Survey Q1: Other Category Several comments about not having NAC, planning on buying NAC, using oepn source or developing a home grown solution.

27 27 NAC/P Higher Ed Effective Practices Survey

28 28 NAC/P Higher Ed Effective Practices Survey Q2: Other Category 1. RACS - homegrown system 2. We rolled our own (for wireless) 3. none 4. Saint Mary's NetReg and in house developed 5. Homebuilt 6. Complete Home Brew 7. home grown 8. nessus

29 29 NAC/P Higher Ed Effective Practices Survey

30 30 NAC/P Higher Ed Effective Practices Survey Q3: Other Category 1.IPSec 2.None

31 31 NAC/P Higher Ed Effective Practices Survey

32 32 NAC/P Higher Ed Effective Practices Survey Q4: Other Category 1.Just Authentication Currently 2.none 3.30 day registration 4.Once per Semester 5.Weekly re-assessment 6.Arbitrary, configurable check-in

33 33 NAC/P Higher Ed Effective Practices Survey

34 34 NAC/P Higher Ed Effective Practices Survey Q5: Other Category 1. staff/student laptops 2. No where

35 35 NAC/P Higher Ed Effective Practices Survey

36 36 NAC/P Higher Ed Effective Practices Survey

37 37 NAC/P Higher Ed Effective Practices Survey

38 38 NAC/P Higher Ed Effective Practices Survey

39 39 NAC/P Higher Ed Effective Practices Survey

40 40 NAC/P Higher Ed Effective Practices Survey

41 41 NAC/P Higher Ed Effective Practices Survey

42 42 NAC/P Higher Ed Effective Practices Survey

43 43 NAC/P Higher Ed Effective Practices Survey

44 44 NAC/P Higher Ed Effective Practices Survey

45 45 NAC/P Higher Ed Effective Practices Survey

46 46 NAC/P Higher Ed Effective Practices Survey

47 47 NAC/P Higher Ed Effective Practices Survey

48 48 NAC/P Higher Ed Effective Practices Survey

49 49 NAC/P Higher Ed Effective Practices Survey

50 50 NAC/P Higher Ed Effective Practices Survey

51 51 NAC/P Higher Ed Effective Practices Survey

52 52 NAC/P Higher Ed Effective Practices Survey

53 53 NAC/P Higher Ed Effective Practices Survey

54 54 NAC/P Higher Ed Effective Practices Survey

55 55 Survey Conclusions Implementers appear :  Somewhat satisfied.  Split between commerical and open source s/w  Allow overrides & don’t require agents.  Don’t allow private WiFi Access Points. Technology appears to be fairly mature now. 2fK4_2frF3icYgfKXig_3d_3d

56 56 Listservs & Newsgroups EDUCAUSE Security Discussion Listserv I2 SALSA NetAuth Working Group netauth IETF Working Group Network Endpoint Assessment (nea) charter.html

57 57 Q & A Question & Answer

58 58 Contact Info H. Morrow Long Security.yale.edu

59 59 Credits: Cisco - NAC Overview, Gartner RAS Core Research Note G , John Pescatore, Mark Nicolett, Lawrence Orans, 5 October 2006 R2052 1/25/2007 "Network Access Control" Seminar Presentation, Security Professionals Conference 2006, Kevin Amorin (Harvard University), Chris Misra (University of Massachusetts, Amherst)

60 60 Credits: Wikipedia (Pages on NAC/NAP, etc.)

61 This has been a chalk outline™ production.


Download ppt "A Survey of Network Access/Admissions Control Security Practices in Higher Education H. Morrow Long Director, Information Security Yale University Educause."

Similar presentations


Ads by Google