
Network Security Effective Practices - NAC/P, TNC

A Survey of Network Access/Admissions Control Security Practices in Higher Education

H. Morrow Long

Director, Information Security

Yale University

Educause 2007 Annual Conference Session

Wednesday, October 24, 2007 11:30 a.m. - 12:45 p.m.

Overview

This presentation will discuss a survey and informal poll of the current campus network access and admissions security practices and products in higher education on both wired and wireless networks.

Agenda
  • Introduction
  • What is NAC, NAP and TNC?
  • NAC/P Concepts and Terminology
  • NAC/P Feature Checklists
  • NAC/P Effective Practices in Higher Ed
  • Survey of NAC/P Practices in Academia
  • Discussion and Questions
NAC, NAP, TNC timeline

In 2003, RPC/DCOM worms (Blaster, NACHI) caused widespread problems on campus networks. NetReg, Bradford Campus Networks and other reg/quarantine systems were used as effective solutions.

Cisco (bought Perfigo) and many vendors (particularly wireless) entered this market.

Microsoft and the TCG alliance have been promising standards (w/Cisco) for a time (2008?).

NAC/P Open Source Efforts
  • UConn/UMass/etc. (Rodrigue, et al.) “NetReg” mods (RPC/DCOM NASL scanning à la Nessus)
  • PacketFence
  • NoCAT - Captive Web Portal
NAC/P Goes Mainstream

Standards:

  • Cisco / Microsoft agreement
  • 802.1X and EAPs
  • WPA2
What is NAC/NAP/TNC?
  • NAC - Network Access (or Admission) Control
    • Generic
    • Cisco
  • NAP - Network Access (or Admission) Protection
    • Microsoft Vista and Longhorn Server (2008)
  • TNC - Trusted Network Computing (from Trusted Computing Group - TCG)
    • Anti-Virus / Anti-Malware vendors
Why NAC?

IS NAC RELEVANT AND STILL NEEDED?

  • New Paradigms may obviate NAC:
    • Enterprise-wide A/V / Anti-Malware
    • XP SP2 Firewall & Vista Security -
      • renders scanners obsolete?
    • Managed Workstations, “lockdown” GPO policies
  • Arguments for NAC/P going forward:
    • Un-managed & guest personal computers & devices
    • End-point protection and assessment
    • IDP/DLP/CF (Leakage Protection, Content Filtering)
    • Legal Liability, CALEA, etc.
NAC/P Issues to deal with
  • NAC/P Phones
  • Printers
  • User hubs, switches, WiFi APs and SOHO routers
  • XBOX™, Sony PlayStation™, Nintendo™
  • PDAs, SmartPhones, etc.
  • Other unique IP devices and non-standard OSes
  • “Guest/Visitor” and conference attendees
NAC/P vs. No NAC/P
  • You can actually have even better security using NAC/P IF you use strong encryption (and a good implementation) -- even over wired networks.
  • Inline is more secure, reliable(?) than non-inline…
  • Complex solutions may cause problems (run amok).
  • You will need to provide overrides and exceptions -- but SOP & Policy should discourage this as much as possible.
Threats to NAC/P (in order of sophistication)
  • Scalability - worst case scenario : several thousand PCs seeking network admission simultaneously overwhelming scanner / NAC / Network.
  • Single Point of Failure - only 1 scanner / gate / remediation website, etc
  • Self-Assigning IPs.
  • Spoofing IPs
  • Spoofing EHAs (MACs)
  • ARP spoofing/poisoning (Dsniff, Ettercap, etc.)
  • Router EHA Cloning DoS Attack
  • 802.1X / EAP DoS Attacks
  • VLAN “jumping”
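The spoofing items in the list above (self-assigned IPs, spoofed IPs and EHAs/MACs, ARP poisoning, router EHA cloning) all leave a footprint in data a NAC already holds: the DHCP lease table and the switch CAM/ARP tables. The Python script below is an added example, not code from the presentation, showing the detection logic a defender would run over polled switch observations to surface these conditions. The lease table, static bindings, switch and port names and the observation tuples are all constructed for the example.

```python
from collections import defaultdict

# Constructed DHCP lease table (ip -> mac) as the NAC's DHCP server recorded it.
LEASES = {
    "10.10.1.20": "00:11:22:33:44:01",
    "10.10.1.21": "00:11:22:33:44:02",
    "10.10.1.22": "00:11:22:33:44:03",
}
# Constructed static bindings that never come from DHCP (here, the quarantine gateway).
STATIC = {"10.10.1.1": "00:aa:bb:cc:dd:01"}
ROUTER_MAC = "00:aa:bb:cc:dd:01"
ROUTER_PORT = ("sw1", "Gi0/48")  # the only port where the gateway MAC belongs

# Constructed CAM/ARP poll results: (switch, port, mac, ip).
OBSERVATIONS = [
    ("sw1", "Gi0/48", "00:aa:bb:cc:dd:01", "10.10.1.1"),   # gateway on its uplink: normal
    ("sw1", "Gi0/1",  "00:11:22:33:44:01", "10.10.1.20"),  # leased host: normal
    ("sw1", "Gi0/2",  "00:11:22:33:44:02", "10.10.1.21"),  # leased host: normal
    ("sw1", "Gi0/3",  "00:11:22:33:44:09", "10.10.1.200"), # no lease at all: self-assigned IP
    ("sw1", "Gi0/4",  "00:11:22:33:44:01", "10.10.1.20"),  # Gi0/1's MAC also on Gi0/4: cloned EHA
    ("sw2", "Gi0/7",  "00:11:22:33:44:77", "10.10.1.22"),  # IP leased to another MAC: IP spoof / ARP poison
    ("sw2", "Gi0/9",  "00:aa:bb:cc:dd:01", "10.10.1.1"),   # gateway MAC on an access port: router cloning
]


def check_ip_ownership(observations, leases, static):
    """Flag IPs in use with no lease (self-assigned) or used by a MAC other than
    the one the lease was issued to (IP spoofing / ARP poisoning)."""
    alerts = []
    for switch, port, mac, ip in observations:
        owner = leases.get(ip) or static.get(ip)
        if owner is None:
            alerts.append(("self-assigned-ip", f"{ip} on {switch} {port} ({mac}) has no DHCP lease"))
        elif owner != mac:
            alerts.append(("ip-spoof", f"{ip} is bound to {owner} but used by {mac} on {switch} {port}"))
    return alerts


def check_mac_multiport(observations):
    """Flag a MAC learned on more than one switch port: a cloned/spoofed EHA."""
    ports = defaultdict(set)
    for switch, port, mac, _ip in observations:
        ports[mac].add((switch, port))
    return [("mac-clone", f"{mac} seen on {sorted(p)}") for mac, p in ports.items() if len(p) > 1]


def check_router_cloning(observations, router_mac, router_port):
    """Flag the gateway MAC appearing anywhere but its uplink (router EHA cloning DoS)."""
    return [("router-clone", f"gateway MAC {mac} on {switch} {port}")
            for switch, port, mac, _ip in observations
            if mac == router_mac and (switch, port) != router_port]


def analyze(observations=OBSERVATIONS, leases=LEASES, static=STATIC,
            router_mac=ROUTER_MAC, router_port=ROUTER_PORT):
    """Run all three checks and return a list of (kind, detail) alerts."""
    return (check_ip_ownership(observations, leases, static)
            + check_mac_multiport(observations)
            + check_router_cloning(observations, router_mac, router_port))


if __name__ == "__main__":
    for kind, detail in analyze():
        print(f"[{kind}] {detail}")
```

Run against the constructed poll this reports one self-assigned IP, one IP/lease mismatch, two cloned MACs (the cloned host MAC and the cloned gateway MAC) and one gateway MAC on an access port. In a real deployment the observations would come from periodic CAM/ARP polling or DHCP snooping data, and the response would be to move the offending port to the quarantine VLAN rather than just print.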
NAC System Components
  • Database (User, Computer, MAC, etc)
  • Registration System
  • DHCP and/or Authentication (RADIUS/802.1X) Server
  • Scanning engine and Policy Server
  • Quarantine LAN/VLAN/Subnet
  • ACL (switch/router), Firewall, Filter/Blocking device
  • Captive Portal
  • Remediation Site
  • Proxy
  • Agent (one time/registration, temporary, permanent)
  • Management Interface and/or Station/App.
Other NAC Architectures
  • EHA / MAC filtering
  • NAT Control
  • Forced VPN option
    • WiFi
    • Wired
    • Remote Access
    • Guest networks
NAC Concepts/Terms
  • Pre-authentication
  • Post-authentication
  • DLP/ILP - Leak Protect
  • In-line
  • Out-of-Band
  • Agent / Agent-less
    • One-time
    • Boot/Connect time
    • Dissolvable
    • Continual
  • Policy Server
  • Remediation Server
  • End Point Protection
  • Security via Virtualization
  • Quarantine
NAC/P Implementation Checklist

Practical NAC/P Planning “high level short list”:

  • Create, publish and enforce security policies.
  • Practice rigorous physical security.
  • Verify user identities.
  • Actively monitor logs, firewalls & IDSes.
  • Logically segregate data & voice traffic.
  • Harden OSes.
  • Encrypt whenever and whatever you can.
NAC Implementation Checklist

Detailed and Specific list:

  • Use a separate VLAN with 802.1p/q QoS w/priority VLAN tagging for the quarantine network.
  • Use a private (RFC1918) IP network for the quarantine VLAN.
  • Use NAT and/or proxies to hide internal addresses.
  • Use a firewall (packet filtering or ALG) to protect & connect the Quarantine network to the data IP network.
  • Use an IDS or IPS to examine the traffic allowed through the firewall (may be built into the firewall).
  • Use agents, 802.1X & RADIUS auth & EAP supplicants.
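To show how the pieces listed under "NAC System Components", the device exceptions under "NAC/P Issues to deal with", the overrides discussed under "NAC/P vs. No NAC/P" and the checklist above fit together, here is an added Python example, not code from the presentation or from any vendor product, of a minimal policy-server admission decision plus the firewall rule that sits between the quarantine VLAN and everything else. The VLAN numbers, the 10.250.0.0/16 quarantine network, the remediation and DNS addresses, the campus network list and the device records are all assumed for the example.

```python
from dataclasses import dataclass
import ipaddress

# Assumed VLAN and addressing plan following the checklist: quarantine is its own
# VLAN on an RFC1918 network, and voice is logically separated from data.
PRODUCTION_VLAN = 100
VOICE_VLAN = 200
QUARANTINE_VLAN = 900
QUARANTINE_NET = ipaddress.ip_network("10.250.0.0/16")
REMEDIATION_SERVER = ipaddress.ip_address("10.250.0.10")  # hypothetical remediation site
RESOLVER = ipaddress.ip_address("10.250.0.53")            # hypothetical DNS for quarantined hosts
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("192.0.2.0/24")]      # constructed campus data networks

# Constructed device database (MAC -> record). "exempt" marks devices that cannot run a
# supplicant or agent (printers, phones, consoles) and are admitted by MAC alone;
# "override" is a documented exception that skips assessment but still requires auth.
DEVICE_DB = {
    "00:11:22:33:44:01": {"kind": "computer", "registered": True, "exempt": False, "override": False},
    "00:11:22:33:44:02": {"kind": "computer", "registered": True, "exempt": False, "override": True},
    "00:11:22:33:44:03": {"kind": "printer",  "registered": True, "exempt": True,  "override": False},
    "00:11:22:33:44:04": {"kind": "phone",    "registered": True, "exempt": True,  "override": False},
}


@dataclass
class Decision:
    vlan: int
    reason: str


def admit(mac, auth_ok, scan_result, db=DEVICE_DB, require_agent=True):
    """Policy-server decision for one connecting endpoint.

    auth_ok:     802.1X/RADIUS outcome (None when the device sent no EAP at all).
    scan_result: "clean", "failed", or None when there is no agent/scan data.
    """
    rec = db.get(mac)
    if rec is None or not rec["registered"]:
        return Decision(QUARANTINE_VLAN, "unregistered: captive portal / registration")
    if rec["exempt"]:
        # Phones go to the voice VLAN; other agentless devices straight to data.
        vlan = VOICE_VLAN if rec["kind"] == "phone" else PRODUCTION_VLAN
        return Decision(vlan, f"MAC-exempt {rec['kind']}: no supplicant/agent possible")
    if not auth_ok:
        return Decision(QUARANTINE_VLAN, "802.1X/RADIUS authentication failed or absent")
    if rec["override"]:
        return Decision(PRODUCTION_VLAN, "override on file: assessment skipped, log for review")
    if scan_result == "failed":
        return Decision(QUARANTINE_VLAN, "assessment failed: remediation required")
    if scan_result is None and require_agent:
        return Decision(QUARANTINE_VLAN, "no agent/assessment data: install agent or get scanned")
    return Decision(PRODUCTION_VLAN, "registered, authenticated, assessed clean")


def quarantine_egress_allowed(dst_ip, dst_port, allow_internet=False):
    """Firewall policy from the quarantine VLAN outward: only the remediation site
    and the resolver are reachable, campus data networks never are, and the
    Internet only if the deployment chooses to allow it."""
    dst = ipaddress.ip_address(dst_ip)
    if dst == REMEDIATION_SERVER and dst_port in (80, 443):
        return True
    if dst == RESOLVER and dst_port == 53:
        return True
    if any(dst in net for net in CAMPUS_NETS):
        return False
    return allow_internet


if __name__ == "__main__":
    for mac, auth, scan in [("00:11:22:33:44:01", True, "clean"),
                            ("00:11:22:33:44:01", True, None),
                            ("00:11:22:33:44:04", None, None),
                            ("de:ad:be:ef:00:00", True, "clean")]:
        d = admit(mac, auth, scan)
        print(f"{mac} -> VLAN {d.vlan}: {d.reason}")
```

The ordering of the checks is the point: registration and MAC exemptions are resolved before authentication, authentication before any override, and the override only waives assessment, so an exception never becomes a way to skip identity. The egress function is what the checklist's firewall between quarantine and the data network enforces; an IDS/IPS would sit on the small amount of traffic it does allow.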
NAC/P Effective Practices in Higher Ed

Some schools:

  • Use a separate VLAN, L2 switches and RFC1918 IP addresses for the quarantine network.

Many Schools:

  • Using Cisco Secure/Clean Access
  • Rolling their own via NetReg, NoCat & PacketFence
  • Looking at appliances
NAC/P Effective Practices in Higher Ed

Colleges (http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0701&L=security&P=13595)

Date: Fri, 19 Jan 2007 15:58:22 -0500

Reply-To: The EDUCAUSE Security Discussion Group Listserv

From: "Charles L. Bombard"

Subject: Re: Network access control

In-Reply-To: <[log in to unmask]>

Content-Type: text/plain; charset="us-ascii"

Still looking. I am on the fence (excuse the pun) and can go with either one at the moment. Packetfence seems to have acquired a large following, and netreg seems to not be in active development any longer. www.netreg.org www.packetfence.org

- Charlie

==========================================
Charles Bombard, GSEC
LAN/Systems Administrator
Community College of Vermont
119 Pearl Street
Burlington, VT 05401
802.657.4234

NAC/P Effective Practices in Higher Ed

Small Colleges (http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind07&L=smallcol&P=20469)

Date: Wed, 18 Apr 2007 11:00:47 -0400

Reply-To: The EDUCAUSE Small College Constituent Group Listserv

From: "Beyer, Bill (William)" <[log in to unmask]>

Subject: Network Access Control and Vista

Content-Type: multipart/alternative;

Hartwick College has been an early adopter of Network Access Control using Sygate Secure Enterprise in conjunction with using 802.1x protocols on our HP network data switches. While Sygate has worked well it does have its limitations mainly that it does not yet have a Vista client (our fingers are crossed that it will be released in May 2007) or a workable Mac client or Linux client. Our plans also include rolling out Vista Business on the student laptops we will issue to all freshmen this fall.

NAC/P - Other Surveys

Network Computing Magazine, Rolling Review Kickoff: Out-Of-Band NAC - Oct 22, 2007 - By Mike Fratto

“Thing is, out-of-band NAC seems to have an image problem: Our own reader research indicates that 65% of organizations deploying NAC prefer in-line appliances versus 50% using out-of-band products. And the outlook doesn't look likely to improve. Nearly 70% of companies in the planning stages are leaning toward in-line systems, versus just 43% favoring out-of-band NAC. A recent survey by Infonetics Research shows that 55% of companies plan on buying in-line NAC products; this syncs with the firm's market forecast, which shows more than half the NAC units shipped are in-line appliances. Is the problem just bad PR, or does the out-of-band approach really carry technical disadvantages compared with going in-band?”

  • http://www.networkcomputing.com/channels/security/showArticle.jhtml?articleID=202403321
NAC/P Higher Ed Effective Practices Survey

Which NAC/P security mechanisms do[n’t] you use?

  • Use of IPS or FW between NAC/P network and production backbone IP network.
  • Use of IDS between NAC/P network and production backbone IP network.
  • Use NAC (network access control) such as 802.1X and RADIUS to authenticate.
  • Devices require the use of the separate NAC/P network (physical LAN, VLAN, subnet address, etc.) from the production backbone data IP network.
  • VoIP phones are automatically allowed access to the backbone network?
  • Computers are allowed with IPSEC or other VPNs.
  • Use NAC (network access control) such as 802.1X and RADIUS to authenticate hard phones.
  • Allow quarantine access automatically to the Internet but not campus network?
  • Provide separate dedicated bandwidth for NAC/P quarantine network traffic to the Internet?
Survey
  • 47 Responses (as of October 20, 2007) http://www.surveymonkey.com/s.aspx?sm=w7FZIc_2fK4_2frF3icYgfKXig_3d_3d
NAC/P Higher Ed Effective Practices Survey

2.6% Solutions (1 Response each)

IBM (Internet Security Systems)

Impulse Point (Safe Connect)

InfoBlox (ID Aware)

Juniper Networks (Endpoint Assurance (was Funk))

LANDesk Software (Trusted Access)

Lockdown Networks (Lockdown Enforcer)

McAfee (McAfee Policy Enforcer)

ProCurve Networking

Symantec (Sygate NAC)

VeriSign Inc

NAC/P Higher Ed Effective Practices Survey

Q1: Other Category

Several comments about not having NAC, planning on buying NAC, using open source or developing a home grown solution.

NAC/P Higher Ed Effective Practices Survey

Q2: Other Category

RACS - homegrown system

We rolled our own (for wireless)

none

Saint Mary's NetReg and in house developed

Homebuilt

Complete Home Brew

home grown

nessus

NAC/P Higher Ed Effective Practices Survey

Q4: Other Category

Just Authentication Currently

none

30 day registration

Once per Semester

Weekly re-assessment

Arbitrary, configurable check-in

NAC/P Higher Ed Effective Practices Survey

Q5: Other Category

staff/student laptops

No where

Survey Conclusions
  • Implementers appear :
    • Somewhat satisfied.
    • Split between commercial and open source s/w
    • Allow overrides & don’t require agents.
    • Don’t allow private WiFi Access Points.
  • Technology appears to be fairly mature now.
  • http://www.surveymonkey.com/s.aspx?sm=w7FZIc_2fK4_2frF3icYgfKXig_3d_3d
Listservs & Newsgroups
  • EDUCAUSE Security Discussion Listserv

http://www.educause.edu/SecurityDiscussionGroup/979

  • I2 SALSA NetAuth Working Group

http://www.internet2.edu/netauth

  • IETF Working Group Network Endpoint Assessment (nea)

http://tools.ietf.org/wg/nea/

http://www.ietf.org/html.charters/nea-charter.html
Q & A
  • Question & Answer
Contact Info
  • H. Morrow Long
  • morrow.long@yale.edu
  • Security.yale.edu
Credits:
  • Cisco - NAC Overview, http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html
  • Gartner RAS Core Research Note G00143551, John Pescatore, Mark Nicolett, Lawrence Orans, 5 October 2006 R2052 1/25/2007, http://www.cisco.com/web/ES/publicaciones/06-10-Cisco-gartner-NAC.pdf
  • "Network Access Control" Seminar Presentation, Security Professionals Conference 2006, Kevin Amorin (Harvard University), Chris Misra (University of Massachusetts, Amherst)
Credits:
  • Wikipedia (Pages on NAC/NAP, etc.)