Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Admission Control: A Survey of Approaches Educause 2008

Published byArchibald Haynes Modified over 6 years ago

Similar presentations

Presentation on theme: "Network Admission Control: A Survey of Approaches Educause 2008"— Presentation transcript:

1 Network Admission Control: A Survey of Approaches Educause 2008
George Finney, J.D. Director of Digital Interests Southern Methodist University Thursday, October 30th, 2008 October 30th, 2008 Southern Methodist University

2 Southern Methodist University
What Is it? October 30th, 2008 Southern Methodist University

3 Southern Methodist University
Background SMU began using NetReg in the late 1990’s for our Dorm and Wireless Networks. In 2004, SMU replaced the NetReg product with a commercial solution. In 2007, as a part of the University Strategic Objectives, SMU began the process of migrating to a “Zoned Network Architecture.” In 2007, SMU commenced a project to implement NAC for the Academic and Administrative buildings. October 30th, 2008 Southern Methodist University

4 Southern Methodist University
Process Began with a definition of NAC Defined use cases, architecture preferences, required features, and goals Created a comprehensive questionnaire Compiled the questionnaires into a matrix Assembled a short list of vendors based on red-flags from matrix Scheduled on-line demos, then onsite visits, then finally in-house evaluations October 30th, 2008 Southern Methodist University

5 Southern Methodist University
October 30th, 2008 Southern Methodist University

6 Southern Methodist University
NAC Definition Network Access Control (NAC) is the system1 that ensures each person and device2 connecting3 to the university network4 is in compliance with the security requirements of the zone5 being entered or ascending to.  The NAC System, in concert with the university security zone architecture5, ensures appropriate accountability6 (authentication and authorization) for the individual connecting to the university network and appropriate levels of protection7 for all other users and assets already on the university network and the internet. System in this context is a set of process, procedures, software, hardware, policies and people assembled to deliver a cohesive service. Device in this context is any node on the university network that receives an IP address, both routable and un-routable. Connecting to the network in this context is the process of requesting an IP address. University network includes all university IP assets involved in the delivery of voice or data services. University IP assets includes all institutionally owned or managed hardware/software and IP address ranges with actual or implied association with the university. Please reference separate work-in-progress for definition of security zone and security zone architecture. Accountability in this context is for ones own actions while using an SMU provided IP address.  While SMU respects the privacy of each individual using the university network, use of the university network does not provide anonymity or separation from ones actions .  Activity or incidents that precipitate an investigation will be pursued to the full extent of university policy and rule of law. Protection in this context is protection from malware attack afforded by the security zone occupied. October 30th, 2008 Southern Methodist University

7 Southern Methodist University
Use Cases? October 30th, 2008 Southern Methodist University

8 Southern Methodist University
NAC Use Case Scenarios Faculty/Staff users in their office Faculty/Staff Wireless users Remote users on dial up or VPN Student Wireless users Student Wired users Student users without administrative privileges Student users with company owned laptops Public access users with no SMU credentials October 30th, 2008 Southern Methodist University

9 Southern Methodist University
Requirements October 30th, 2008 Southern Methodist University

10 Southern Methodist University
NAC Requirements Must be out-of-band Must be vendor neutral for network equipment Must integrate with the existing Wireless, VPN, and dial up infrastructure Must support Single Sign on Must support Windows XP and Vista, MAC OSX, and Linux Must have the ability to provide guest login Must provide interface for distributed administration Must provide historical information and search capabilities for connection tracking and forensic analysis Must provide policy enforcement for Antivirus, Anti-Spyware and Operating System patches October 30th, 2008 Southern Methodist University

11 Additional Important Features
Integration with Wiring Database Ability to integrate with IDP/IPS/Packetshaper Ability to prevent illicit peer-to-peer usage Ability to search for historical MAC to IP address information Integration with Active Directory for Administrator login Provide separate help desk interface with reduced privileges Provide the ability to create an alarm based on failed policy checks or network policy violations Provide detailed reporting functions within the admin interface. Provide web portal customization within the interface. October 30th, 2008 Southern Methodist University

12 Southern Methodist University
Landscape October 30th, 2008 Southern Methodist University

13 Southern Methodist University
NAC Landscape ITS Reviewed the top 20 vendors in the NAC marketplace. Of these vendors, we received 18 responses. The vendors all apply different solutions for NAC. These approaches can be broken down into 7 general categories. Each vendor offers a combination of either agentless, dissolvable agent, and permanent agent solutions. These combinations are customizable based on our use case definitions. October 30th, 2008 Southern Methodist University

14 Southern Methodist University
Architecture October 30th, 2008 Southern Methodist University

15 Southern Methodist University
NAC Approaches In-line Switch Replacement Uplink Aggregation Out of Band SNMP Device Management Permanent Agent Traffic Monitoring 802.1x/Radius Device Management ARP (Address Resolution Protocol) Agent October 30th, 2008 Southern Methodist University

16 Inline – Switch Replacement
October 30th, 2008 Southern Methodist University

17 Inline – Switch Replacement
Pro Provides the most granular coverage of any NAC solution. Agentless solution. Con Requires all switches to be replaced with NAC switches. October 30th, 2008 Southern Methodist University

18 Inline – Uplink Aggregation
October 30th, 2008 Southern Methodist University

19 Inline – Uplink Aggregation
Pro Agentless solution. Con Creates a bottleneck which all traffic must flow through. October 30th, 2008 Southern Methodist University

20 Out-of-Band – SNMP Management
October 30th, 2008 Southern Methodist University

21 Out-of-Band – SNMP Management
Pro Can make VLAN changes, ensuring that users are moved to the appropriate security zone. Con SNMP packets may be dropped, consequently updates to VLANs can be delayed. Changes made via SNMP are not logged in the switch event log or in the switch log, which can make accounting for changes a challenge. October 30th, 2008 Southern Methodist University

22 Out-of-Band – Permanent Agent
October 30th, 2008 Southern Methodist University

23 Out-of-Band – Permanent Agent
Pro Can be integrated with existing Antivirus agent. Con Does not offer the ability to change VLANS. Not a good fit for unmanaged devices. October 30th, 2008 Southern Methodist University

24 Out-of-Band – Traffic Monitoring
October 30th, 2008 Southern Methodist University

25 Out-of-Band – Traffic Monitoring
Pro Obtains traffic information similar to an IDS, which offers the ability to act on signatures. Con Potential loss of traffic on mirror port. Complicates router configuration. October 30th, 2008 Southern Methodist University

26 Out-of-Band – 802.1x/Radius Device Management
October 30th, 2008 Southern Methodist University

27 Pro Con Out-of-Band – 802.1x/Radius Device Management
Integrates with 802.1x capable devices Con Requires agent to be installed on Radius or Active Directory servers. October 30th, 2008 Southern Methodist University

28 Out-of-Band – ARP Agent
October 30th, 2008 Southern Methodist University

29 Out-of-Band – ARP Agent
Pro Doesn’t require integration or replacement of existing switches. Con Manipulates ARP (Address Resolution Protocol) tables on each client, which may be viewed as being invasive. Requires at least 1 agent on each VLAN to enforce policy. October 30th, 2008 Southern Methodist University

30 Southern Methodist University
Questions? George Finney Phone: October 30th, 2008 Southern Methodist University

Download ppt "Network Admission Control: A Survey of Approaches Educause 2008"

Similar presentations

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.
Wireless and Network Security Integration Defense by Hi-5 Marc Hogue Chris Jacobson Alexandra Korol Mark Ordonez Jinjia Xi.

Wireless and Network Security Integration Defense by Hi-5 Marc Hogue Chris Jacobson Alexandra Korol Mark Ordonez Jinjia Xi.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Cisco NAC Guest Server Guest Access - Simplified Tim Wellborn SE Sangeeta.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Cisco NAC Guest Server Guest Access - Simplified Tim Wellborn SE Sangeeta.
Information Security in Real Business

Information Security in Real Business
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Barracuda Web Filter Overview March 26, 2008 Alan Pearson, Monroe County School District Marcus Burge, Network Engineer.

Barracuda Web Filter Overview March 26, 2008 Alan Pearson, Monroe County School District Marcus Burge, Network Engineer.
All Rights Reserved © Alcatel-Lucent 2010 1 | Dynamic Enterprise Tour – Safe NAC Solution | 2010 Protect your information with intelligent Network Access.

All Rights Reserved © Alcatel-Lucent | Dynamic Enterprise Tour – Safe NAC Solution | 2010 Protect your information with intelligent Network Access.
Department Of Computer Engineering

Department Of Computer Engineering
Network security policy: best practices

Network security policy: best practices
by Evolve IP Managed Services

by Evolve IP Managed Services
Course 201 – Administration, Content Inspection and SSL VPN

Course 201 – Administration, Content Inspection and SSL VPN
Clinic Security and Policy Enforcement in Windows Server 2008.

Clinic Security and Policy Enforcement in Windows Server 2008.
SOE and Application Delivery Gwenael Moreau, Abbotsleigh.

SOE and Application Delivery Gwenael Moreau, Abbotsleigh.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
1 Network Admission Control to WLAN at WIT Presented by: Aidan McGrath B.Sc. M.A.

1 Network Admission Control to WLAN at WIT Presented by: Aidan McGrath B.Sc. M.A.
1 Week #7 Network Access Protection Overview of Network Access Protection How NAP Works Configuring NAP Monitoring and Troubleshooting NAP.

1 Week #7 Network Access Protection Overview of Network Access Protection How NAP Works Configuring NAP Monitoring and Troubleshooting NAP.
70-411: Administering Windows Server 2012

70-411: Administering Windows Server 2012
Implementing Network Access Protection

Implementing Network Access Protection
Vantage Report 3.0 Product Sales Guide

Vantage Report 3.0 Product Sales Guide

Similar presentations

Ads by Google