
Network Admission Control: A Survey of Approaches Educause 2008






Presentation Transcript


  1. Network Admission Control: A Survey of Approaches
  Educause 2008
  George Finney, J.D., Director of Digital Interests, Southern Methodist University
  Thursday, October 30th, 2008

  2. What Is it?

  3. Background
  • SMU began using NetReg in the late 1990s for our dorm and wireless networks.
  • In 2004, SMU replaced the NetReg product with a commercial solution.
  • In 2007, as a part of the University Strategic Objectives, SMU began the process of migrating to a “Zoned Network Architecture.”
  • In 2007, SMU commenced a project to implement NAC for the academic and administrative buildings.

  4. Process
  • Began with a definition of NAC
  • Defined use cases, architecture preferences, required features, and goals
  • Created a comprehensive questionnaire
  • Compiled the questionnaires into a matrix
  • Assembled a short list of vendors based on red flags from the matrix
  • Scheduled online demos, then onsite visits, then finally in-house evaluations


  6. NAC Definition
  Network Access Control (NAC) is the system[1] that ensures each person and device[2] connecting[3] to the university network[4] is in compliance with the security requirements of the zone[5] being entered or ascending to. The NAC System, in concert with the university security zone architecture[5], ensures appropriate accountability[6] (authentication and authorization) for the individual connecting to the university network and appropriate levels of protection[7] for all other users and assets already on the university network and the internet.

  [1] System in this context is a set of processes, procedures, software, hardware, policies and people assembled to deliver a cohesive service.
  [2] Device in this context is any node on the university network that receives an IP address, both routable and non-routable.
  [3] Connecting to the network in this context is the process of requesting an IP address.
  [4] University network includes all university IP assets involved in the delivery of voice or data services. University IP assets includes all institutionally owned or managed hardware/software and IP address ranges with actual or implied association with the university.
  [5] Please reference the separate work in progress for the definition of security zone and security zone architecture.
  [6] Accountability in this context is for one's own actions while using an SMU-provided IP address. While SMU respects the privacy of each individual using the university network, use of the university network does not provide anonymity or separation from one's actions. Activity or incidents that precipitate an investigation will be pursued to the full extent of university policy and rule of law.
  [7] Protection in this context is protection from malware attack afforded by the security zone occupied.

  7. Use Cases?

  8. NAC Use Case Scenarios
  • Faculty/staff users in their office
  • Faculty/staff wireless users
  • Remote users on dial-up or VPN
  • Student wireless users
  • Student wired users
  • Student users without administrative privileges
  • Student users with company-owned laptops
  • Public access users with no SMU credentials

  9. Requirements

  10. NAC Requirements
  • Must be out-of-band
  • Must be vendor neutral for network equipment
  • Must integrate with the existing wireless, VPN, and dial-up infrastructure
  • Must support single sign-on
  • Must support Windows XP and Vista, Mac OS X, and Linux
  • Must have the ability to provide guest login
  • Must provide an interface for distributed administration
  • Must provide historical information and search capabilities for connection tracking and forensic analysis
  • Must provide policy enforcement for antivirus, anti-spyware and operating system patches

  11. Additional Important Features
  • Integration with wiring database
  • Ability to integrate with IDP/IPS/PacketShaper
  • Ability to prevent illicit peer-to-peer usage
  • Ability to search for historical MAC-to-IP address information
  • Integration with Active Directory for administrator login
  • Provide a separate help desk interface with reduced privileges
  • Provide the ability to create an alarm based on failed policy checks or network policy violations
  • Provide detailed reporting functions within the admin interface
  • Provide web portal customization within the interface
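The requirement for historical connection tracking (slide 10) and the feature request for searchable MAC-to-IP history (slide 11) both come down to the same forensic question: which hardware address held a given IP at the moment an incident log entry was written. The following is an added example, not code from the SMU presentation or any NAC vendor. It assumes the NAC (or the campus DHCP server) writes ISC-dhcpd-style `DHCPACK` / `DHCPRELEASE` syslog lines with an ISO timestamp prefix; the sample log is constructed for the example. It builds a lease timeline, closing a lease on release or on an `ACK` for the same IP to a different MAC, and answers point-in-time queries.

```python
"""Build a MAC-to-IP history from DHCP log lines and query it for forensics.

Added example (not from the presentation). Log format assumed: ISC dhcpd
syslog lines with an ISO-8601 timestamp prefix. SAMPLE_LOG is constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample: lease, renewal, release, re-assignment of a freed IP,
# and a re-assignment without any release (client vanished, lease expired).
SAMPLE_LOG = """\
2008-10-30T08:01:12 dhcpd: DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:5e via eth1
2008-10-30T08:05:40 dhcpd: DHCPACK on 10.20.1.16 to 00:1a:2b:3c:4d:5f (lab-pc-07) via eth1
2008-10-30T09:00:00 dhcpd: DHCPACK on 10.20.1.16 to 00:1a:2b:3c:4d:5f (lab-pc-07) via eth1
2008-10-30T12:30:00 dhcpd: DHCPRELEASE of 10.20.1.15 from 00:1a:2b:3c:4d:5e via eth1
2008-10-30T12:31:05 dhcpd: DHCPACK on 10.20.1.15 to 00:aa:bb:cc:dd:ee via eth1
2008-10-30T12:31:06 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth1
2008-10-30T14:00:00 dhcpd: DHCPACK on 10.20.1.16 to 00:11:22:33:44:55 via eth1
"""

ACK_RE = re.compile(
    r"^(?P<ts>\S+) .*DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17})")
RELEASE_RE = re.compile(
    r"^(?P<ts>\S+) .*DHCPRELEASE of (?P<ip>\d+\.\d+\.\d+\.\d+) from (?P<mac>[0-9a-fA-F:]{17})")


@dataclass
class Lease:
    ip: str
    mac: str
    start: datetime
    end: Optional[datetime] = None  # None: still active at the end of the log


def _ts(text: str) -> datetime:
    return datetime.fromisoformat(text)


def _open_lease(leases: List[Lease], ip: str) -> Optional[Lease]:
    # Most recent lease for this IP that has not been closed yet.
    for lease in reversed(leases):
        if lease.ip == ip and lease.end is None:
            return lease
    return None


def build_history(log_text: str) -> List[Lease]:
    leases: List[Lease] = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            ts, ip, mac = _ts(m["ts"]), m["ip"], m["mac"].lower()
            current = _open_lease(leases, ip)
            if current and current.mac == mac:
                continue            # renewal: same owner, nothing changes
            if current:
                current.end = ts    # IP handed to a new MAC without a release
            leases.append(Lease(ip, mac, ts))
            continue
        m = RELEASE_RE.match(line)
        if m:
            current = _open_lease(leases, m["ip"])
            if current and current.mac == m["mac"].lower():
                current.end = _ts(m["ts"])
    return leases


def who_had(leases: List[Lease], ip: str, at: str) -> Optional[str]:
    """MAC that held `ip` at ISO time `at`, or None if the IP was unassigned."""
    t = _ts(at)
    for lease in leases:
        if lease.ip == ip and lease.start <= t and (lease.end is None or t < lease.end):
            return lease.mac
    return None


def addresses_used_by(leases: List[Lease], mac: str) -> List[str]:
    """All IPs a given MAC has ever been granted in the log."""
    return sorted({lease.ip for lease in leases if lease.mac == mac.lower()})


if __name__ == "__main__":
    history = build_history(SAMPLE_LOG)
    print(who_had(history, "10.20.1.15", "2008-10-30T10:00:00"))
    print(who_had(history, "10.20.1.15", "2008-10-30T13:00:00"))
```

The half-open interval in `who_had` (start inclusive, end exclusive) matters: an incident timestamp equal to the re-assignment instant is attributed to the new holder, not the old one, and a timestamp inside a released gap returns None rather than the last owner. A production index would also key on VLAN or relay interface, since the same private range can be reused in several zones.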

  12. Landscape

  13. NAC Landscape
  ITS reviewed the top 20 vendors in the NAC marketplace and received responses from 18 of them. The vendors all take different approaches to NAC; these approaches can be broken down into seven general categories. Each vendor offers some combination of agentless, dissolvable-agent, and permanent-agent solutions, and these combinations can be tailored to our use case definitions.

  14. Architecture

  15. NAC Approaches
  In-line:
  • Switch Replacement
  • Uplink Aggregation
  Out of Band:
  • SNMP Device Management
  • Permanent Agent
  • Traffic Monitoring
  • 802.1X/RADIUS Device Management
  • ARP (Address Resolution Protocol) Agent

  16. Inline – Switch Replacement

  17. Inline – Switch Replacement
  Pro:
  • Provides the most granular coverage of any NAC solution.
  • Agentless solution.
  Con:
  • Requires all switches to be replaced with NAC switches.

  18. Inline – Uplink Aggregation

  19. Inline – Uplink Aggregation
  Pro:
  • Agentless solution.
  Con:
  • Creates a bottleneck through which all traffic must flow.

  20. Out-of-Band – SNMP Management

  21. Out-of-Band – SNMP Management
  Pro:
  • Can make VLAN changes, ensuring that users are moved to the appropriate security zone.
  Con:
  • SNMP packets may be dropped, so updates to VLANs can be delayed.
  • Changes made via SNMP are not recorded in the switch's own event log, which can make accounting for changes a challenge.

  22. Out-of-Band – Permanent Agent

  23. Out-of-Band – Permanent Agent
  Pro:
  • Can be integrated with the existing antivirus agent.
  Con:
  • Does not offer the ability to change VLANs.
  • Not a good fit for unmanaged devices.

  24. Out-of-Band – Traffic Monitoring

  25. Out-of-Band – Traffic Monitoring
  Pro:
  • Obtains traffic information similar to an IDS, which offers the ability to act on signatures.
  Con:
  • Potential loss of traffic on the mirror port.
  • Complicates router configuration.

  26. Out-of-Band – 802.1X/RADIUS Device Management

  27. Out-of-Band – 802.1X/RADIUS Device Management
  Pro:
  • Integrates with 802.1X-capable devices.
  Con:
  • Requires an agent to be installed on the RADIUS or Active Directory servers.
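With the 802.1X/RADIUS approach the NAC does not touch the switch directly: its access decision rides inside the RADIUS Access-Accept, and the switch places the port in the VLAN (security zone) named there. The standard way to express that is the tunnel-attribute triple from RFC 3580 and RFC 2868: Tunnel-Type (attribute 64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6), and Tunnel-Private-Group-ID (81) carrying the VLAN ID or name. The block below is an added example, not the presentation's or any vendor's code; it encodes and decodes those attributes, including the tag byte that groups the three together, and shows a posture result mapped to a production or quarantine VLAN. The VLAN numbers and the name `quarantine` are assumptions for the example.

```python
"""Encode/decode the RADIUS tunnel attributes that assign a port to a VLAN.

Added example, not from the presentation. Attribute numbers and values are
from RFC 2868 / RFC 3580; VLAN assignments at the bottom are assumptions.
"""
import struct
from typing import Dict, List, Optional, Tuple

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6            # Tunnel-Type VLAN, Tunnel-Medium-Type IEEE-802

PRODUCTION_VLAN = 20              # assumed zone for compliant hosts
QUARANTINE_VLAN = "quarantine"    # assumed remediation zone, by VLAN name


def tagged_int(attr: int, tag: int, value: int) -> bytes:
    # Type, Length (6), Tag, 3-byte big-endian integer (RFC 2868 s3.1, s3.2)
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr: int, tag: int, text: str) -> bytes:
    data = text.encode()
    return struct.pack("!BBB", attr, 3 + len(data), tag) + data


def vlan_assignment(vlan, tag: int = 0) -> bytes:
    """The three attributes a NAC puts in an Access-Accept to select a VLAN."""
    return (tagged_int(TUNNEL_TYPE, tag, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))


def parse_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split concatenated RADIUS AVPs; reject lengths that run past the buffer."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_attributes(blob)
        return True
    except ValueError:
        return False


def assigned_vlan(blob: bytes) -> Optional[str]:
    """VLAN the switch should apply, or None if no complete VLAN/802 triple
    shares one tag. A first byte above 0x1F on Tunnel-Private-Group-ID is
    data, not a tag (RFC 2868 s3.6), and counts as tag 0."""
    by_tag: Dict[int, Dict[int, object]] = {}
    for attr_type, payload in parse_attributes(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(payload) == 4:
            by_tag.setdefault(payload[0], {})[attr_type] = int.from_bytes(payload[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and payload:
            tag, text = (0, payload) if payload[0] > 0x1F else (payload[0], payload[1:])
            by_tag.setdefault(tag, {})[attr_type] = text
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == VLAN and group.get(TUNNEL_MEDIUM_TYPE) == IEEE_802
                and group.get(TUNNEL_PRIVATE_GROUP_ID)):
            return group[TUNNEL_PRIVATE_GROUP_ID].decode()
    return None


def decide_vlan(posture_compliant: bool) -> bytes:
    """Policy outcome to attributes: compliant hosts reach the production
    zone, everything else lands in the remediation VLAN."""
    return vlan_assignment(PRODUCTION_VLAN if posture_compliant else QUARANTINE_VLAN)


if __name__ == "__main__":
    print(decide_vlan(True).hex())
    print(assigned_vlan(decide_vlan(False)))
```

The tag grouping is the detail that bites in practice: some RADIUS servers emit the triple with tag 1 and some with tag 0, and a switch that requires all three attributes to carry the same tag will silently fall back to the port's default VLAN when they do not, which is exactly the failure mode a zoned design cannot tolerate.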

  28. Out-of-Band – ARP Agent

  29. Out-of-Band – ARP Agent
  Pro:
  • Doesn’t require integration with or replacement of existing switches.
  Con:
  • Manipulates ARP (Address Resolution Protocol) tables on each client, which may be viewed as invasive.
  • Requires at least one agent on each VLAN to enforce policy.
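The "invasive" concern on the ARP-agent slide is worth seeing on the wire. The agent enforces policy by answering ARP for the gateway (or for the quarantined host's own address) with its own MAC, so the client's traffic is drawn to the enforcer; a frame-level monitor cannot tell that from a hostile ARP-spoofing attack, which is why this approach can trip an IDS and why the agent must be present on every VLAN it is to police. The block below is an added example, not the presentation's code: it builds constructed Ethernet/ARP frames for a legitimate gateway reply and for an agent reply that re-maps the gateway IP, parses them, and flags any IP-to-MAC change against a trusted baseline. All addresses are constructed.

```python
"""Parse Ethernet/ARP frames and flag IP-to-MAC re-mappings.

Added example, not from the presentation. Frames and addresses below are
constructed; the 'agent' reply models what an ARP-based enforcer sends.
"""
import struct
from typing import Dict, List, Optional, Tuple

ETH_HDR = struct.Struct("!6s6sH")              # dst, src, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")      # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ETHERTYPE_IPV4 = 0x0806, 0x0800
ARP_REPLY = 2

# Constructed addresses for the example
GATEWAY_IP, GATEWAY_MAC = "10.20.1.1", "00:00:5e:00:01:01"
CLIENT_IP, CLIENT_MAC = "10.20.1.15", "00:1a:2b:3c:4d:5e"
AGENT_MAC = "02:00:00:00:aa:01"                # locally administered, the enforcer


def _mac(text: str) -> bytes:
    return bytes(int(x, 16) for x in text.split(":"))


def _ip(text: str) -> bytes:
    return bytes(int(x) for x in text.split("."))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip, eth_src=None) -> bytes:
    """Unicast ARP reply 'sender_ip is-at sender_mac' addressed to the target."""
    eth = ETH_HDR.pack(_mac(target_mac), _mac(eth_src or sender_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY,
                       _mac(sender_mac), _ip(sender_ip), _mac(target_mac), _ip(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet/ARP frame; None for non-ARP frames, ValueError if malformed."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        raise ValueError("frame too short for Ethernet + ARP")
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"op": op, "eth_src": mac_str(src),
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def detect_remaps(frames: List[bytes], baseline: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Alerts as (kind, ip, expected_mac, observed_mac). 'remap' fires when an
    ARP reply claims an IP with a MAC other than the trusted one; 'eth-src-mismatch'
    when the frame's Ethernet source disagrees with the ARP sender MAC."""
    table = dict(baseline)
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if arp["eth_src"] != mac:
            alerts.append(("eth-src-mismatch", ip, arp["eth_src"], mac))
        known = table.get(ip)
        if known is not None and known != mac:
            alerts.append(("remap", ip, known, mac))
        table.setdefault(ip, mac)           # learn first sighting, never overwrite
    return alerts


# Constructed traffic: genuine gateway reply, agent re-mapping the gateway, unrelated IPv4 frame
NON_ARP_FRAME = ETH_HDR.pack(_mac(CLIENT_MAC), _mac(GATEWAY_MAC), ETHERTYPE_IPV4) + bytes(28)
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),
    build_arp_reply(AGENT_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),
    NON_ARP_FRAME,
]


def demo() -> List[Tuple[str, str, str, str]]:
    return detect_remaps(SAMPLE_FRAMES, {GATEWAY_IP: GATEWAY_MAC})


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Run against a mirror-port capture, this is essentially the check an IDS applies, and it fires on the NAC agent exactly as it would on an attacker. A site deploying an ARP-based enforcer therefore has to whitelist the agents' MACs in its ARP monitoring, and must accept that the enforcement is only as strong as the client's willingness to honour unsolicited ARP replies.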

  30. Questions?
  George Finney
  Email: gfinney@smu.edu
  Phone: 214-768-3950
