Enabling Authentication & Network Admission Control - PowerPoint PPT Presentation

Presentation Transcript

Enabling Authentication & Network Admission Control

Steve Pettit


Great Bay Software Inc.

Value Statements

  • Provide the critical first step towards NAC/802.1X

  • Dramatically shorten the deployment time for NAC and network-based authentication

  • Provide Trusted Access to non-NAC endpoints

  • Provide data for all network attached endpoints including:

    • Real-time Location and Identity

    • Historical Addressing, Identity, and Location

    • Contextual views of all Enterprise owned assets

Impact

  • St. John’s Hospital reduced 156 man-weeks of discovery and documentation work to 2 man-weeks


Identifying the problem space

  • The Enterprise LAN comprises a myriad of endpoint types

    • Windows typically comprises approximately 50% of wired endpoints

    • Most Enterprise endpoints are undocumented

    • DHCP has enabled endpoints to be added over time without IT involvement

    • Any Access/Admission Control system requires this information

    • Where WLAN is typically 30:1, Wired LAN is 1:3.5

  • Goal: To generate a contextual inventory of all endpoints


Endpoint Profiling

  • Understanding that not all network endpoints can authenticate…

  • All network endpoints must be Profiled and Located prior to deployment

  • The goal is to enable secure network access for non-authenticating devices

Diagram: Non-NAC vs. NAC endpoints, with UPS, Phone and Printer shown as examples.


Sample non-NAC Aliases

  • Turnstiles

  • Time Clocks

  • Vending Machines

  • Parking Gates

  • Doors

  • Firewalls

  • Proxy

  • Refrigerators

  • IP Cameras

  • Servers

  • UNIX stations

  • Alarm Systems

  • RMON Probes

  • Printers

  • Fax Machines

  • ISLs

  • IP Phones

  • Wireless Access Points

  • Managed UPS

  • Hubs

  • MultiCast video displays

  • Kiosks

  • Medical imaging machines

  • Video Conferencing stations

  • HVAC

  • Cash Registers


Applications for Endpoint Profiling

  • Authentication of non-authenticating hosts

  • Network configuration for static access provisioning

  • Monitoring of non-authenticating devices for behavior

  • Addressing audit findings: “do you know what is plugged into your network?”

  • Provide data for all network attached endpoints including:

    • Real-time Location and Identity

    • Historical Addressing, Identity, and Location

    • Contextual views of all Enterprise owned assets


The NAC Management lifecycle

Lifecycle phases (diagram): Deployment, Events Management, Change Control

  • Provide contextual information to security and events management systems

  • Monitor and Manage events & anomalies related to authentication

    • Shadow Hosts

    • Port Swapping

    • Profile Changing

    • MAC spoofing

  • Provide real-time & historical Identity and Location tracking

  • Enable adds, moves, and changes

  • Dead-ended Ports

  • Discover all endpoints by type and location

  • Model the topology

  • Provision appropriate settings at the system level

  • Liaise with AAA systems for authentication


Endpoint Discovery and Mapping

  • Profile creation - network traffic analysis

    • Port Mirror or Tap visibility into aggregate network traffic - L2-7 rule sets

      • L2 - MAC address / MAC vendor

      • L3 - IP / IP range / TTL fingerprint

      • L4 - port & port ranges

      • L7 rules – User agent, email banner, DHCP decode

    • Netflow Collection

    • Active Profiling

    • Boolean logic for complex rules

      • GUI-based for AND

      • XML for AND, OR, NOT

    • Inference-based Profiles

      • Manual or Auto-created via My Network


Deployment Models

Chart: Passive vs. Active Profiling, with profiling attributes placed along an axis from None to Full visibility into network traffic (their positions on the axis are not recoverable from the transcript). Attributes shown: Open L4 Ports, Web Server Type, User Agent (Web User Agent), MAC Vendor, IP Range, Static IP, Print Services, Web URL, SMTP Banner, L3 / L4 network, DHCP vendor, DHCP Options, TTL profiling, DHCP Client, Host Name, ARP decode, NetFlow – L3/4 traffic.


Use Cases for Beacon

  • Provide NAC for the other 50% of the Enterprise

    • Monitoring and authorization of Non-Windows devices

  • Enable the deployment of network-based authentication

    • Alleviate the manual discovery process

    • Complement/liaise with the AAA system

    • EAP

    • MAC-auth

    • EAPoX

  • Provide Contextual information to aggregate systems:

    • MARS

    • IDS/IPS

    • Asset Systems


Integration Points with Cisco

NAC Appliance

  • Manage NRH list

  • Provision MAC/Role

  • Port/VLAN admin

  • NAC for non-CCA endpoints

NAC Framework

  • Manage NRH list

  • Port/VLAN admin

  • Liaise with ACS via LDAP

  • NAC for non-CTA endpoints

  • Integration protocols:

    • Web API

    • LDAP

    • SNMP

    • Syslog

    • GAME (future)

MARS

  • Contextual Event information

  • Historical ref.


Summary

  • Reduces 156 man-weeks of work to 2 weeks

  • Automated discovery and system-level provisioning

  • Ongoing monitoring of non-NAC endpoints

  • Flexible Deployment model

