Network Admission Control to WLAN at WIT
Presented by: Aidan McGrath B.Sc. M.A.


Slide 2: Why deploy a wireless LAN?
- Can be seen to be behind the technology by potential students if not deployed.
- Keep up with the technology demands of modern students.
- It will happen anyway, so why not take control from the start?
- Students are used to mobile phones, so why not mobile computing?
- Reduce the demand for providing more PCs, which then need to be replaced.

Slide 3: What are the challenges of a WLAN?
- Disappearing security boundaries expose internal infrastructure and assets.
- Ensuring policy compliance for all endpoint devices seeking network access.
- Providing sufficient access points: how many, and where?
- Does one size fit all?

Slide 4: What are the solutions?
- Turn on the service and hope for the best: no checking of laptops for vulnerabilities.
- Manual intervention to assess laptops for risks.
- Automatic posture assessment of the laptop at the time of connection: network admission control (NAC).

Slide 5: Network Admission Control (NAC)
Use the network to enforce policies to ensure that incoming devices are compliant.
Identity:
- Who is the user?
- Is s/he authorised?
- What role does s/he get?
PLUS device security (NAC):
- Is the OS patched?
- Does A/V or A/S exist? Is it running?
- Are services on?
- Do required files exist?
PLUS network security:
- Is policy established?
- Are non-compliant devices quarantined?
- Is remediation required? Is remediation available?

Slide 6: All-in-One Policy Compliance and Remediation Solution
Authenticate & Authorise:
- Enforces authorisation policies and privileges
- Supports multiple user roles
Scan & Evaluate:
- Agent scan for required versions of hotfixes, AV, and other software
- Network scan for virus and worm infections and port vulnerabilities
Quarantine:
- Isolate non-compliant devices from the rest of the network
- MAC- and IP-based quarantine, effective at a per-user level
Update & Remediate:
- Network-based tools for vulnerability and threat remediation
- Help-desk integration

Slide 7: Cisco NAC Appliance (Cisco Clean Access) Components
- Clean Access Server (CAS): serves as an in-band or out-of-band device for network access control.
- Clean Access Manager (CAM): centralises management for administrators, support personnel, and operators.
- Clean Access Agent: optional lightweight client for device-based registry scans in unmanaged environments.
- Rule-set Updates: scheduled automatic updates for anti-virus, critical hot-fixes and other applications.

Slide 8: Clean Access: Sampling of Pre-Configured Checks
- Critical Windows Updates: Windows XP, Windows 2000, Windows 98, Windows ME
- Anti-Virus Updates
- Anti-Spyware Updates
- Other 3rd Party Checks
- Cisco Security Agent

Slide 9: Product User Flow Overview
1. End user attempts to access a Web page or uses an optional client. Network access is blocked until the wired or wireless end user provides login information.
2. User is redirected to a login page. Clean Access validates the username and password, and also performs device and network scans to assess vulnerabilities on the device.
3a. Quarantine: the device is non-compliant or the login is incorrect. The user is allowed 30 min of limited access to appropriate remediation sites.
3b. Device is "clean": the machine is put on the "certified devices list" and is granted access to the network.
Diagram components: Clean Access Server, Clean Access Manager, Authentication Server, Intranet/Network (the goal).

Slide 10: Screen Shots (MS Client)
- Login screen
- Scan is performed (types of checks depend on user role)
- Scan fails
- Remediate

Slide 11: Screen Shots (Web browser, non-MS)
- Login screen
- Scan is performed (types of checks depend on user role/OS)
- Guided self-remediation

Slide 12: Process Flow: Wireless Access
1. Wireless user connects to the WLC via LWAPP (open authentication).
2. Wireless user obtains an IP address from the WLC.
3. Wireless user opens a browser and is redirected to download the Clean Access Agent (if they don't already have it loaded).
Diagram (NAC enforcement point): Auth Server IP 10.1.1.25; Radius Accounting Server IP 10.1.1.26; Clean Access Manager IP 10.1.1.30; DNS Server IP 10.20.20.20; Intranet Server; Laptop IP 192.168.50.3; L3 Switch IP 192.168.10.1; Clean Access Server IP 192.168.10.2; WLC 192.168.60.3 (Mgmt VLAN 60) and 192.168.50.2 (User VLAN 50). Role: "Unauthenticated".

Slide 13: Process Flow: Network Admission Control 1
1. CAS determines that the laptop's MAC address is not in the "certified device" list (not logged on recently).
2. CAS puts the laptop into the "Unauthenticated" role.
3. Laptop gets an IP address from the DHCP server, but cannot get past the CAS acting as an "IP filter".
4. Laptop user opens a browser and is redirected to an SSL-based web login page. User enters credentials. User is asked to download the Clean Access Agent.
Diagram (NAC enforcement point): Auth Server (Radius) IP 10.1.1.25; Clean Access Manager IP 10.1.1.30; Internet Web Server; Laptop IP 192.168.1.150; DNS Server; Router IP 192.168.1.1; Clean Access Server IP 192.168.1.2. Role: "Unauthenticated".

Slide 14: Process Flow: NAC 2
5. Clean Access Agent performs the posture assessment and forwards the results to the CAS to make the network admission decision.
6. CAS forwards the posture report to the CAM. CAM determines that the laptop is NOT in compliance and instructs the CAS to put the laptop into the "Temporary" role.
7. CAM sends remediation steps to the Clean Access Agent.
Diagram (NAC enforcement point): Auth Server IP 10.1.1.25; Clean Access Manager IP 10.1.1.30; Internet Web Server; Laptop IP 192.168.1.150; DNS Server IP 10.20.20.20; Router IP 192.168.1.1; Clean Access Server IP 192.168.1.2. Role: "Temporary".

Slide 15: Process Flow: NAC 3
8. Clean Access Agent displays the access time remaining in the "Temporary" role for the laptop. The CCA Agent guides the user step-by-step through remediation. Patches can be downloaded from update sites such as https://liveupdate.symantec.com or http://windowsupdate.microsoft.com
9. CCA Agent informs the CAS that the laptop has been successfully remediated.
Diagram (NAC enforcement point): Auth Server IP 10.1.1.25; Clean Access Manager IP 10.1.1.30; Internet Web Server; Laptop IP 192.168.1.150; DNS/DHCP Server IP 10.20.20.20; Router IP 192.168.1.1; Clean Access Server IP 192.168.1.2. Role: "Temporary".

Slide 16: Process Flow: NAC 4
10. CAS puts the MAC address of the laptop into the "Certified Device" list. CAS assigns the laptop to the "Clean" role for a 24-hour period. The laptop is now allowed complete access to the Internet.
Diagram (NAC enforcement point): Auth Server IP 10.1.1.25; Clean Access Manager IP 10.1.1.30; Internet Web Server; Laptop IP 192.168.1.150; DNS Server IP 10.20.20.20; Router IP 192.168.1.1; Clean Access Server IP 192.168.1.2. Role: "Clean".
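The admission decision described in the user flow (slide 9) and in process-flow steps 1 to 10 (slides 13 to 16), as an added toy model that is not Cisco code and not part of the presentation. The role names, the 30 minute quarantine and the 24 hour Certified Device list are taken from the slides; the check names, data structures, function names, the sample MAC address and the sample time are assumptions made for illustration.

```python
# Toy model of the Clean Access admission decision on slides 13-16 (added example,
# not Cisco code). Role names, the 30 min quarantine and the 24 h Certified Device
# list come from the slides; the check names and data structures are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CLEAN_PERIOD = timedelta(hours=24)    # slide 16: "Clean" role for a 24 hour period
TEMP_PERIOD = timedelta(minutes=30)   # slide 9: 30 min limited access for remediation
# Posture questions from slide 5, as boolean check names (assumed naming).
REQUIRED_CHECKS = ("os_patched", "av_installed", "av_running", "required_files_present")
T0 = datetime(2024, 1, 1, 9, 0)       # constructed sample connection time


@dataclass
class PostureReport:
    """What the Clean Access Agent forwards to the CAS (step 5)."""
    mac: str
    results: dict

    def failed_checks(self):
        # A check that is missing from the report counts as failed (fail closed).
        return [c for c in REQUIRED_CHECKS if not self.results.get(c, False)]


@dataclass
class CleanAccessServer:
    certified: dict = field(default_factory=dict)  # MAC -> expiry of its Clean role

    def initial_role(self, mac, now):
        """Steps 1-2: a MAC on the unexpired Certified Device list keeps "Clean";
        anything else starts in "Unauthenticated" behind the CAS IP filter."""
        expiry = self.certified.get(mac)
        if expiry is not None and now < expiry:
            return "Clean"
        self.certified.pop(mac, None)  # expired entry: device must re-authenticate
        return "Unauthenticated"

    def admit(self, report, now):
        """Steps 6-10: the CAM's decision on the posture report, applied by the CAS."""
        failed = report.failed_checks()
        if failed:  # steps 6-7: quarantine with remediation steps and a time limit
            return {"role": "Temporary", "until": now + TEMP_PERIOD, "remediate": failed}
        self.certified[report.mac] = now + CLEAN_PERIOD  # step 10
        return {"role": "Clean", "until": now + CLEAN_PERIOD, "remediate": []}


if __name__ == "__main__":
    cas = CleanAccessServer()
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    print(cas.initial_role(mac, T0))
    print(cas.admit(PostureReport(mac, {"os_patched": True, "av_installed": True}), T0))
```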

Slide 17: WIT Wireless Network (diagram)
Components: Internet; ASA 5550; L3 6513 switch; Cisco 4400 Wireless LAN Controller; Aironet 1100 AP; LWAPP encrypted tunnel; AP network VLAN 216; WLAN network VLAN 215; Cisco ACS Server; untrusted WLAN DMZ; trusted WLAN DMZ; Laptop; Clean Access Manager; Clean Access Server.

Slide 18: WIT Wireless Network: Future Developments
- Out-of-band wired access
- Nessus vulnerability scanner (http://www.nessus.org/) for Mac OS X, Linux, Solaris and FreeBSD

Slide 19: WIT Wireless Network - Partners
