Enabling Authentication & Network Admission Control Steve Pettit.


1 Enabling Authentication & Network Admission Control (Steve Pettit)

2 Endpoint Profiling - Value Statements (Great Bay Software Inc.)
- Provide the critical first step towards NAC/802.1X
- Dramatically shorten the deployment time for NAC and network-based authentication
- Provide Trusted Access to non-NAC endpoints
- Provide data for all network-attached endpoints, including:
  - Real-time Location and Identity
  - Historical Addressing, Identity, and Location
  - Contextual views of all Enterprise-owned assets
Impact:
- St. John's Hospital reduced 156 man-weeks of discovery and documentation work to 2 man-weeks

3 Endpoint Profiling - Identifying the problem space
- The Enterprise LAN comprises a myriad of endpoint types
  - Windows typically accounts for approximately 50% of wired endpoints
  - Most Enterprise endpoints are undocumented
  - DHCP has enabled endpoints to be added over time without IT involvement
  - Any Access/Admission Control system requires this information
  - Where WLAN is typically 30:1, Wired LAN is 1:3.5
- Goal: To generate a contextual inventory of all endpoints

4 Endpoint Profiling  Understanding that not all network endpoints can authenticate…  All network endpoints must be Profiled and Located prior to deployment  The goal is to enable secure network access for non-authenticating devices NAC Non-NAC UPSPhonePrinter

5 Endpoint Profiling - Sample non-NAC Aliases
Printers, Fax Machines, ISLs, IP Phones, Wireless Access Points, Managed UPS, Hubs, Multicast video displays, Kiosks, Medical imaging machines, Video Conferencing stations, HVAC, Cash Registers, Turnstiles, Time Clocks, Vending Machines, Parking Gates, Doors, Firewalls, Proxies, Refrigerators, IP Cameras, Servers, UNIX stations, Alarm Systems, RMON Probes

6 Endpoint Profiling - Applications for Endpoint Profiling
- Authentication of non-authenticating hosts
- Network configuration for static access provisioning
- Monitoring of non-authenticating devices for behavior
- Addressing audit findings ("do you know what is plugged into your network?")
- Provide data for all network-attached endpoints, including:
  - Real-time Location and Identity
  - Historical Addressing, Identity, and Location
  - Contextual views of all Enterprise-owned assets

7 Endpoint Profiling - The NAC Management lifecycle
- Discover all endpoints by type and location
- Model the topology
- Provision appropriate settings at the system level
- Liaise with AAA systems for authentication
- Provide real-time and historical Identity and Location tracking
- Enable adds, moves, and changes
- Dead-ended ports
- Provide contextual information to security and event management systems
- Monitor and manage events and anomalies related to authentication: shadow hosts, port swapping, profile changing, MAC spoofing
(Figure: lifecycle phases - Deployment, Change Control, Events Management)

8 Endpoint Profiling - Endpoint Discovery and Mapping
- Profile creation through network traffic analysis
  - Port mirror or tap visibility into aggregate network traffic
  - L2-7 rule sets:
    - L2: MAC, MAC vendor
    - L3: IP / IP range / TTL fingerprint
    - L4: port and port ranges
    - L7 rules: user agent, email banner, DHCP decode
  - NetFlow collection
  - Active profiling
  - Boolean logic for complex rules: GUI-based for AND; XML for AND, OR, NOT
  - Inference-based profiles, manual or auto-created via My Network

9 Endpoint Profiling - Deployment Models
(Figure: a scale of visibility into network traffic from None to Full, contrasting passive vs. active profiling.)
Profiling attributes shown along that scale: MAC vendor, IP range, static IP, web user agent, web server type, print services, web URL, SMTP banner, L3/L4 network, DHCP vendor, DHCP options, TTL profiling, DHCP client host name, ARP decode, open L4 ports, web server type, user agent, NetFlow (L3/4 traffic)
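Slides 7 to 9 describe profiles built from L2-7 attributes combined with AND/OR/NOT logic, and the monitoring of "profile changing" and "MAC spoofing" anomalies. The following added example (not Great Bay's or Beacon's code) shows one way such a rule engine and change check can work; the profile names, vendor strings and MAC address are constructed placeholders, and only the port numbers (5060 SIP, 9100 raw print, 515 LPD) and the Windows default TTL of 128 are real conventions.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Endpoint = attributes observed for one MAC (L2 vendor, L3 TTL, L4 ports, L7 DHCP/user agent)
Endpoint = Dict[str, object]
Rule = Callable[[Endpoint], bool]

def attr_eq(key: str, value: object) -> Rule:
    return lambda e: e.get(key) == value

def port_open(port: int) -> Rule:
    return lambda e: port in e.get("open_ports", ())

# The AND / OR / NOT composition the slides describe for XML-defined rules.
def AND(*rules: Rule) -> Rule:
    return lambda e: all(r(e) for r in rules)
def OR(*rules: Rule) -> Rule:
    return lambda e: any(r(e) for r in rules)
def NOT(rule: Rule) -> Rule:
    return lambda e: not rule(e)

# Ordered profile table: first match wins. Vendor strings are constructed
# placeholders, not real OUI or DHCP vendor-class values.
PROFILES: List[Tuple[str, Rule]] = [
    ("IP Phone", AND(attr_eq("dhcp_vendor", "ExamplePhoneCo"), port_open(5060))),
    ("Printer", AND(OR(port_open(9100), port_open(515)),
                    OR(attr_eq("mac_vendor", "ExamplePrinterCo"),
                       attr_eq("dhcp_vendor", "ExamplePrinterCo")))),
    # TTL 128 is the Windows default; a host that also serves raw print
    # traffic does not fit that profile, so NOT excludes it.
    ("Windows Host", AND(attr_eq("ttl", 128), NOT(port_open(9100)))),
]

def profile(endpoint: Endpoint) -> str:
    """Name of the first profile whose rule matches, else 'Unknown'."""
    for name, rule in PROFILES:
        if rule(endpoint):
            return name
    return "Unknown"

def observe(history: Dict[str, str], mac: str, endpoint: Endpoint) -> Tuple[str, Optional[str]]:
    """Profile a new observation of `mac`; also return a profile-change event when
    the MAC no longer matches its earlier profile (the slides' 'profile changing'
    and 'MAC spoofing' anomalies). history maps MAC -> last profile."""
    current = profile(endpoint)
    previous = history.get(mac)
    history[mac] = current
    if previous is not None and previous != current:
        return current, f"profile change for {mac}: {previous} -> {current}"
    return current, None
```

A MAC that was profiled as a printer and later presents a Windows TTL with no print service open yields a profile-change event, which is the signal a NAC operator would forward to an event management system such as MARS.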

10 Endpoint Profiling - Use Cases for Beacon
- Provide NAC for the other 50% of the Enterprise: monitoring and authorization of non-Windows devices
- Enable the deployment of network-based authentication: alleviate the manual discovery process; complement/liaise with the AAA system (EAP, MAC-auth, EAPoX)
- Provide contextual information to aggregate systems: MARS, IDS/IPS, asset systems

11 Endpoint Profiling - Integration Points with Cisco
- NAC Framework: manage NRH list; port/VLAN admin; liaise with ACS via LDAP; NAC for non-CTA endpoints
- NAC Appliance: manage NRH list; provision MAC/role; port/VLAN admin; NAC for non-CCA endpoints
- MARS: contextual event information; historical reference
- Integration protocols: Web API, LDAP, SNMP, Syslog, GAME (future)

12 Endpoint Profiling - Summary
- Reduces 156 man-weeks of work to 2 weeks
- Automated discovery and system-level provisioning
- Ongoing monitoring of non-NAC endpoints
- Flexible deployment model

13 Endpoint Profiling