Defense in depth using network virtualization and network admission control
Download
1 / 24

Defense-in-Depth using Network Virtualization and Network Admission Control - PowerPoint PPT Presentation


  • 107 Views
  • Uploaded on

Defense-in-Depth using Network Virtualization and Network Admission Control. Steven Carter – [email protected] Susan Stewart – [email protected] Agenda. Background/Overview Network Virtualization Techniques Network Access Control Securing the Wild, Wild, West Q&A. Background.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Defense-in-Depth using Network Virtualization and Network Admission Control' - abla


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Agenda
Agenda Admission Control

  • Background/Overview

  • Network Virtualization Techniques

  • Network Access Control

  • Securing the Wild, Wild, West

  • Q&A


Background
Background Admission Control

  • The term “Defense-in-Depth” refers to leveraging the defensive capability of every device in the network from the border of the network through the core, distribution, and access portions of the network and into the host itself.

  • This can be done by combining the following capabilities:

    • Firewall/IDS at the border to ward of threats before they enter the network

    • Network virtualization to segregate the physical network into multiple virtual networks to support multiple security levels and services

    • Network Access Control to authenticate user/hosts onto the network, check their security posture, and place them into the network that matches their requirements


Agenda1
Agenda Admission Control

  • Background/Overview

  • Network Virtualization Techniques

  • Network Access Control

  • Securing the Wild, Wild, West

  • Q&A


Network virtualization

Voice Admission Control

Visitor

Internal

Virtual Network

Virtual Network

Virtual Network

Actual Physical Infrastructure

Network Virtualization

  • Provide several networks to support varying security postures, applications, etc.

  • One physical network supports many virtual networks

  • End-user perspective is that of being connected to a dedicated network (independent security policies, routing decisions, etc.)


Network device virtualization
Network Device Virtualization Admission Control

  • Switch Virtualization:

    • Data Plane – 802.1q VLANs

    • Control Plane – Per VLAN Spanning Tree


Network device virtualization cont
Network Device Virtualization (Cont.) Admission Control

  • Router Virtualization:

    • Data Plane - Virtual Routing/Forwarding (VRFs)

    • Control Plane – Multiple instances of routing protocols (OSPF, EIGRP, etc) per routed plane.

802.1q, GRE, LSP,

Physical Int, Others

802.1q or Others

VRF

VRF

Global


Data path virtualization

Tags: Admission Control

802.1q

Tunnels (connection oriented)

GRE/mGRE

Label Switched Paths—LSP (MPLS)

Tags

Tags

802.1q

Data Path Virtualization

Single Hop Data Path Virtualization

Multi-Hop Data Path Virtualization

IP


Putting it together
Putting it Together Admission Control


Agenda2
Agenda Admission Control

  • Background/Overview

  • Network Virtualization Techniques

  • Network Access Control

  • Securing the Wild, Wild, West

  • Q&A


Network access control nac
Network Access Control (NAC) Admission Control

  • NAC can mean different things to different people, but for the purposes of this presentation, it should provide three important functions:

    • User/Host Authentication – The network should be able to authenticate the user (or at least the host) onto the network.

    • Host Posture Verification – The ability to make sure that the host posture (virus definitions, patches, firewalls, etc.) match the policy of the network for which it is destined.

    • Host Remediation – The placement of the host into the correct network

  • NAC provides that connection between Network Security and Host Security


Network access control nac cont

Authenticate & Authorize Admission Control

Quarantine & Enforce

  • Isolate non-compliant devices from rest of network

  • MAC and IP-based quarantine effective at a per-user level

  • Enforces authorization policies and privileges

  • Supports multiple user roles

Update & Remediate

Scan & Evaluate

  • Agent scan for required versions of hotfixes, AV, etc

  • Network scan for virus and worm infections and port vulnerabilities

  • Network-based tools for vulnerability and threat remediation

  • Help-desk integration

Network Access Control (NAC) (Cont.)

First, establish ACCESS POLICIES. Then:

LIMITED COMPLIANCE = LIMITED NETWORK ACCESS


What about the exceptions
What about the exceptions? Admission Control

  • Hosts that do not support the mechanisms can be dealt with in various ways (external scanning, web authentication, etc.), but in general garner a lower level of trust and can be segregated from the general population

  • Because of their very nature, Research and Education networks have a number of hosts (upwards of 25%) that do not fit a supported configuration

  • There must be a credible option for these hosts, otherwise, you diminish much of the effect of implementing NAC in the first place


Addressing the outliers
Addressing the Outliers Admission Control

  • One option is to put a firewall in front of each and every host that cannot comply. This can be done with physical firewalls (i.e. a small firewall in front of every host):

    • Pros - Straight-forward and easy for the policy people to understand and buy into; Depending on the situation, could be more cost-effective

    • Cons – Logistically difficult and hard to administer; not scalable to large number


Addressing the outliers cont
Addressing the Outliers (Cont.) Admission Control

  • You can also do it (yes, you guessed it) VIRTUALLY

  • Difficult to do with a standard 802.1q VLANs because it is not scalable and difficult to avoid needing proper subset addresses per VLAN

  • Difficult to do with ACLs because of the shear number needed. Also not scalable and is difficult to maintain

  • Solution: Use sufficient security techniques to obviate the need for real firewalls


Agenda3
Agenda Admission Control

  • Background/Overview

  • Network Virtualization Techniques

  • Network Access Control

  • Securing the Wild, Wild, West

  • Q&A


Securing the wild wild west
Securing the Wild, Wild, West Admission Control

  • Overview:

    • Private VLANs to separate broadcast domains

    • Port Security prevents MAC spoofing

    • DHCP snooping prevents client attack on the switch and server

    • Dynamic ARP Inspection adds security to ARP using DHCP snooping table

    • IP Source Guard adds security to IP source address using DHCP snooping table


Securing the wild wild west cont

Primary VLAN Admission Control

Secondary VLANs

Securing the Wild, Wild, West (Cont.)

  • Private VLANs

    • PVLANs allow segregating broadcast segment into a non-broadcast multi-access-like segment.

    • Traffic that comes to a switch from a promiscuous port is able to go out on all the ports that belong to the same primary VLAN.

    • Traffic that comes to a switch from a port mapped to a secondary VLAN (it can be either an isolated, a community, or a two-way community VLAN) can be forwarded to a promiscuous port or a port belonging to the same community VLAN.

Distribution

Access

Secondary VLAN (isolated)

Secondary VLAN (community)


Securing the wild wild west cont1
Securing the Wild, Wild, West (Cont.) Admission Control

  • Port Security

    • Restrict a port's ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port

    • Number of address on the port is configurable

    • Dynamically learned MAC address cuts down on administrative overhead

    • “sticky” and non-”sticky” variants give the option of retaining learned address across port-down events

Only 1 MAC Address Allowed on the Port: Shutdown


Securing the wild wild west cont2
Securing the Wild, Wild, West (Cont.) Admission Control

  • DHCP Snooping

    • Acts like a firewall between untrusted hosts and trusted DHCP servers

    • Validates and Rate-Limits DHCP messages received from untrusted sources and filters out invalid messages.

    • Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses to validate subsequent requests from untrusted hosts

DHCP Snooping

DHCP Requests

DHCP Responses

Untrusted

Trusted

DHCPServer

Unauthorized DHCP Response


Securing the wild wild west cont3

Not by my Admission Control

binding table

I’m your GW: 10.1.1.1

Securing the Wild, Wild, West (Cont.)

  • Dynamic Arp Inspection

    • Intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings

    • Valid ARP packets based upon DHCP snooping binding database or from user-configured ARP access control lists (ACLs)

    • Configurable to drop ARP packets when either the IP address or the the MAC address in the body does not match the Ethernet header

DHCP Snooping

DHCP Requests

DHCP Responses

Untrusted

Trusted

DHCPServer

Unauthorized DHCP Response


Securing the wild wild west cont4

Not by my Admission Control

Port ACL

I’m your GW: 10.1.1.1

Securing the Wild, Wild, West (Cont.)

  • IP Source Guard

    • IP source guard prevents IP spoofing by allowing only the IP addresses that are obtained through DHCP snooping on a particular port.

    • This process restricts the client IP traffic to those source IP addresses that are obtained from the DHCP server; any IP traffic with a source IP address other than that in the PACLs permit list is filtered out

DHCP Snooping

DHCP Requests

DHCP Responses

Untrusted

Trusted

DHCPServer

Unauthorized DHCP Response


The end
The End Admission Control

Questions? Comments? Criticisms?

For more information:

Steven Carter – [email protected]

Susan Stewart – [email protected]


ad