Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Access Control “an approach to computer network security that attempts to unify endpoint security.

Published byMarcus Payne Modified over 8 years ago

Similar presentations

Presentation on theme: "Network Access Control “an approach to computer network security that attempts to unify endpoint security."— Presentation transcript:

1 Network Access Control http://en.wikipedia.org/wiki/Network_Access_Control “an approach to computer network security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication and network security enforcement” Aim: to control endpoint security by unifying it with network device security and the whole network Result: End devices that do not comply to the set security policies are identified and quarantined.

2 Why and What? Why NAC? http://www.ashimmy.com/2007/03/a_brief_history.html –“The biggest driver for NAC was the realization that after spending billions on the perimeter, we still were not any more secure.” Why? Internal threats … What is NAC? http://www.ashimmy.com/2007/03/nac_bust_or_boo.html –“The original concept of NAC was performing pre-admission health or profile checks on devices as they sought to enter the network. If the device failed they were denied access or quarantined. Then we added post-admission vulnerability scans, then IDS detection, behavior based detection, identity based access controls, etc. Before you know it, anything that has anything to do with getting on the network and staying there is part of NAC.” T. A. YangNetwork Security2

3 NAC: Goals http://en.wikipedia.org/wiki/Network_Access_Control 1.Mitigation of non-zero-day attacks (?) -To prevent end-stations that lack antivirus, patches, or host intrusion prevention software from accessing the network and placing other computers at risk of cross-contamination 2.Policy enforcement -To allow network operators to define policies, such as the types of computers or roles of users allowed to access areas of the network, and enforce them in switches, routers, and network middleboxes (like firewalls). 3.Identity and access management -Instead of using IP addresses, NAC enforces network access based on authenticated user identities, at least for user end-stations such as laptops and desktop computers.

4 Support for NAC Cisco: Network Admission Control (NAC), since 2003/2004 -A brief history of NAC (3/8/2007) http://www.ashimmy.com/2007/03/a_brief_history.html http://www.ashimmy.com/2007/03/a_brief_history.html Other companies joined and pushed out their “NAC” products (next page) -A 2006 survey by Network Computing (local copy)A 2006 survey by Network Computinglocal copy Microsoft’s response: Network Access Protection, NAP (first introduced in Windows Server 2008) http://en.wikipedia.org/wiki/Network_Access_Protection

5 Joel Conover, NAC Vendors Square Off, Network Computing, 7/6/2006 (local copy)NAC Vendors Square Offlocal copy T. A. YangNetwork Security5

6 Source: http://www.forescout.com/wp- content/media/ForresterVendorSummary_ForeScout_publishable_2011.pdfhttp://www.forescout.com/wp- content/media/ForresterVendorSummary_ForeScout_publishable_2011.pdf T. A. YangNetwork Security6

7 T. A. YangNetwork Security7 Gartner’s Magic Quadrant for NAC: published 12/2011 http://www.gartner.com/tech nology/reprints.do?id=1- 18VNF2C&ct=120119&st =sb (local copy)local copy

8 NAC vendors compared (using comparison tools at Mosaicsecurity.com)Mosaicsecurity.com T. A. YangNetwork Security8

9 NAC Basic Concepts Source: http://en.wikipedia.org/wiki/Network_Access_Control http://en.wikipedia.org/wiki/Network_Access_Control Pre-admission vs Post-admission enforcement Agent vs Agentless data collection –An agent s/w runs on the endpoint to report the status –Agentless devices Some devices do not support NAC agent s/w e.g., printers, scanners, phones, photocopiers, and other special devices NAC uses scanning and network inventory techniques (whitelisting, blacklisting, ACLs) to discern those characteristics remotely T. A. YangNetwork Security9

10 NAC Basic Concepts Source: http://en.wikipedia.org/wiki/Network_Access_Control http://en.wikipedia.org/wiki/Network_Access_Control Out-of-band vs Inline solutions –Inline: A single box acts as an internal firewall for access- layer networks and enforces the policy –Out-of-band: Agents on end-stations report information to a central console, which in turn control switches to enforce policy. T. A. YangNetwork Security10

11 NAC Basic Concepts Source: http://en.wikipedia.org/wiki/Network_Access_Control http://en.wikipedia.org/wiki/Network_Access_Control Quarantine vs captive portals for r emediation Quarantine: A non-compliant end-station is only allowed to access a restricted network with patch and update servers. Captive portals: The captive portal technique forces an HTTP client on a network to see a special web page before gaining full access. –In NAC, a captive portal intercepts HTTP access to web pages, redirecting users to a web application that provides instructions and tools for updating their computers. T. A. YangNetwork Security11

12 Cisco’s NAC Source: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps5923 /product_data_sheet0900aecd80119868.html http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps5923 /product_data_sheet0900aecd80119868.html NAC is a set of technologies and solutions built on an industry initiative led by Cisco Systems ®. NAC uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from emerging security threats such as viruses, worms, and spyware. T. A. YangNetwork Security12

13 Why NAC? Endpoints that do not comply with established security policies pose a threat and can introduce a security risk into the network. Goal of NAC: to prevent vulnerable and noncompliant hosts from obtaining network access Q: Why isn’t user authentication (like 802.1x) sufficient? Ans? T. A. YangNetwork Security13

14 Cisco’s approach to NAC The NAC solution uses the network access devices (NAD) to protect the network infrastructure from any endpoint seeking network access. –Only compliant endpoints are granted access. –Noncompliant devices are denied access and quarantined for remediation. T. A. YangNetwork Security14

15 Source: http://www.cisco.com/en/US/solutions/ns340/ns394/ns171/ns466/ns 617/net_design_guidance0900aecd80417226.pdf http://www.cisco.com/en/US/solutions/ns340/ns394/ns171/ns466/ns 617/net_design_guidance0900aecd80417226.pdf T. A. YangNetwork Security15

16 Cisco’s NAC Solutions: Two options 1.The NAC Appliance approach -Aka Cisco Clean Access (CCA) appliance -A Cisco packaged solution -CCA agent provides posture information; -Cisco Security Agent (CSA) provides protection. 2.The NAC Framework approach T. A. YangNetwork Security16

17 Cisco’s NAC Solutions: Two options 2.The NAC Framework approach –Built on NAC-enabled network access devices (NAD), Cisco or non-Cisco –Compliant endpoints are granted access to the network –Noncompliant endpoints are placed in quarantine for remediation c.f., Figure 13-2 T. A. YangNetwork Security17

18 Cisco NAC Solution: two options Figure 13-2 T. A. YangNetwork Security18

19 Cisco Security Agent (CSA) Cisco’s host intrusion prevention tool –Details in Ch 21 –On June 11, 2010, Cisco announced the end-of-life and end-of- sale of CSA. (source: http://en.wikipedia.org/wiki/Cisco_Security_Agent)end-of-life and end-of- sale of CSA http://en.wikipedia.org/wiki/Cisco_Security_Agent CSA components –CSA endpoints: enforcing security policies received from the management server, sending events, interacting with the user –CSA management server: a repository of configuration database –CSA management console: an admin web-based user interface and policy configuration tool T. A. YangNetwork Security19

20 Cisco’s NAC Framework source: http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/ns466/ns6 17/net_implementation_white_paper0900aecd80217e26.pdf (2005) http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/ns466/ns6 17/net_implementation_white_paper0900aecd80217e26.pdf T. A. YangNetwork Security20

21 T. A. YangNetwork Security21 1.Client sends a packet through a NAC-enabled router. 2.NAD begins posture validation using EOU. 3.Client sends posture credentials using EOU to the NAD. 4.NAD sends posture to Cisco ACS using RADIUS. 5.Cisco Secure ACS requests posture validation using the Host Credential Authorization Protocol (HCAP) inside an HTTPS tunnel. 6.Posture validation/remediation server sends validation response of pass, fail, quarantine, and so on. 7.To permit or deny network access, Cisco Secure ACS sends an accept with ACLs/URL redirect. 8.NAD forwards posture response to client. 9.Client is granted or denied access, redirected, or contained.

22 T. A. YangNetwork Security22 Cisco Trust Agent (CTA) http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps5923/product_data_s heet0900aecd80119868.html A posture agent (PA) serves as the single point of contact on the host for aggregating credentials from all posture plugins and communicating with the network. This module also provides a trusted relationship with the network for the purposes of exchanging these posture credentials.

23 Cisco Trust Agent (CTA) http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps5923/product_data_s heet0900aecd80119868.htmlhttp://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps5923/product_data_s heet0900aecd80119868.html (2009) T. A. YangNetwork Security23 Acts as a middleware component that takes host policy information and securely communicates the information to the AAA policy server Interacts directly with "NAC-enabled" applications running on the host without user intervention Can communicate at Layer 3 (EAP over UDP) or Layer 2 (802.1x supplicant) with the NADs –The supplicant is able to use the EAP-FAST protocol to carry both identity and posture information within the 802.1x transport. Free to download

24 Cisco Trust Agent (CTA) http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps5923/product_data_s heet0900aecd80119868.html T. A. YangNetwork Security24

25 T. A. YangNetwork Security25 Source: http://www.cisco.com/en/US/solutions/ns340/ns394/ns171/ns466/ns 617/net_design_guidance0900aecd80417226.pdf (2006) http://www.cisco.com/en/US/solutions/ns340/ns394/ns171/ns466/ns 617/net_design_guidance0900aecd80417226.pdf

26 T. A. YangNetwork Security26

27 T. A. YangNetwork Security27 source: http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/ns466/ns6 17/net_implementation_white_paper0900aecd80217e26.pdf (2005) http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/ns466/ns6 17/net_implementation_white_paper0900aecd80217e26.pdf

28 NAC vs 802.1X for endpoint security Source: http://www.cloudcentrics.com/?p=579http://www.cloudcentrics.com/?p=579 802.1x technologies do a great job in protecting network assets before they are utilized on the network. Non- authorized machines generally never get on the network. In addition 802.1x technologies have greater flexibility in provisioning users in different types of VLANs for isolation such as guest or remediation VLANs. NAC technologies do a great job in assuring when a user is on a network they meet minimum criteria of software patches to stay on the network. If they do not meet these requirements upstream devices, such as firewalls from accessing the network, block them. Q: Agree ? T. A. YangNetwork Security28

29 NAC Comparison Guide Source: http://www.itsecurity.com/whitepaper/pdf/nac-comp-guide_8-07.pdf (2007), local copyhttp://www.itsecurity.com/whitepaper/pdf/nac-comp-guide_8-07.pdflocal copy Vendors included in the comparison: Bradford Networks, Check Point Software Technologies, Cisco Systems, ConSentry Networks, Elemental Security, Enterasys Networks, ForeScout, HP, Infoblox, InfoExpress, Insightix, Juniper Networks, Lockdown Networks, McAfee, Mirage Networks, Nevis Networks, Nortel Networks, Senforce Technologies, Sophos, StillSecure, Symantec, Trend Micro, and Vernier Networks Comparison criteria: –Product type (s/w, appliance) –Endpoint assessment & compliance? –User authentication? –Remediation? –Preadmission? –Post-Admission? –Price T. A. YangNetwork Security29

30 More recent lists and comparisons By Mosaic Security Research –Source: https://mosaicsecurity.com/categories/81-network-access- control?direction=asc&sort=vendors.namehttps://mosaicsecurity.com/categories/81-network-access- control?direction=asc&sort=vendors.name –39 vendors (as of 7/2012) –Product info, resources, awards, etc. By JafSec.com –Source: http://jafsec.com/Network-Access-Control/Network-Access-Control-A- B.htmlhttp://jafsec.com/Network-Access-Control/Network-Access-Control-A- B.html –About 29 vendors (as of 7/2012) –Include two open source NACs: FreeNAC, PacketFence T. A. YangNetwork Security30

31 More References Joel Snyder, Network access control vendors pass endpoint security testing - Alcatel-Lucent, Bradford, Enterasys, ForeScout, McAfee go above and beyond, Network World, June 21, 2010Joel Snyder http://www.networkworld.com/reviews/2010/062110-network-access- control-test-end-point.html Tutorial: Network Access Control (NAC), July 17, 2007 http://www.networkcomputing.com/data-protection/229607166?pgno=3 Good explanation of basic NAC concepts: http://en.wikipedia.org/wiki/Network_Access_Control http://en.wikipedia.org/wiki/Network_Access_Control FAQ for Network Admission Control (NAC), 2006: http://www.cisco.com/en/US/solutions/ns340/ns394/ns171/ns466/ns617/net _design_guidance0900aecd8040bc84.pdf http://www.cisco.com/en/US/solutions/ns340/ns394/ns171/ns466/ns617/net _design_guidance0900aecd8040bc84.pdf T. A. YangNetwork Security31

Download ppt "Network Access Control “an approach to computer network security that attempts to unify endpoint security."

Similar presentations

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Wireless and Network Security Integration Defense by Hi-5 Marc Hogue Chris Jacobson Alexandra Korol Mark Ordonez Jinjia Xi.

Wireless and Network Security Integration Defense by Hi-5 Marc Hogue Chris Jacobson Alexandra Korol Mark Ordonez Jinjia Xi.
5-Network Defenses Dr. John P. Abraham Professor UTPA.

5-Network Defenses Dr. John P. Abraham Professor UTPA.
Network Security In Education A Balancing Act Doug Klein CTO Vernier Networks, Inc.

Network Security In Education A Balancing Act Doug Klein CTO Vernier Networks, Inc.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Copyright© 2005-2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.

Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.
The State of Security Management By Jim Reavis January 2003.

The State of Security Management By Jim Reavis January 2003.
Chapter 12 Network Security.

Chapter 12 Network Security.
WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, 2009 05/30/2009.

WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, /30/2009.
Information Security in Real Business

Information Security in Real Business
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
© 2003, Cisco Systems, Inc. All rights reserved. 111 8426_07_2003_Richardson_c11 Security Strategy Update Self Defending Network Initiative Network Admission.

© 2003, Cisco Systems, Inc. All rights reserved _07_2003_Richardson_c11 Security Strategy Update Self Defending Network Initiative Network Admission.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Cisco NAC Luc Billot Security Consulting Engineer

© 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Cisco NAC Luc Billot Security Consulting Engineer
Being Proactive with Computer Posture Assessment Department of Housing and Residence Education Charles Benjamin.

Being Proactive with Computer Posture Assessment Department of Housing and Residence Education Charles Benjamin.
CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,

CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 10 – Implementing the Cisco Adaptive Security.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 10 – Implementing the Cisco Adaptive Security.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 9 Network Policy and Access Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 9 Network Policy and Access Services in Windows Server 2008.
Introducing Kerio Control Unified Threat Management Solution Release date: June 1, 2010 Kerio Technologies, Inc.

Introducing Kerio Control Unified Threat Management Solution Release date: June 1, 2010 Kerio Technologies, Inc.

Similar presentations

Ads by Google