Presentation Transcript

Evaluating NAC Architectures

Sean Tippett

Product Manager

stippett@consentry.com

© 2007 ConSentry Networks

Agenda
  • Why NAC, Why Now?
  • Components of a NAC Solution
  • NAC Architectures
  • Business Cases
  • Shameless Product Pitch


You Can’t Build the LAN on Trust

Historically we haven’t secured the LAN. What’s changed?

  • risk of disgruntled employee
  • regulatory environment
  • rogue hosts
  • contractors and partners
  • motivated by profit
  • offshoring, outsourcing
  • attacks are getting more elusive

The LAN was built for connectivity, not control.


Requirements of NAC

(Diagram: the corporate LAN with the five requirements layered on it)

  • Visibility/Audit: Monitor users – check for infractions
  • Threat Control: Continuously watch for 0-day attacks
  • User Control: Control user based on their role
  • Posture Check: Check systems for compliance
  • Authenticate: Only valid users* are allowed on the network

Pre vs. Post Admission Control

Both pre-admission and post-admission control are required to secure the LAN.

Post-admission Control
  • Visibility/Audit
  • Threat Control
  • Identity-Based Control

Pre-admission Control (classic view of NAC)
  • Posture Check
  • Authenticate


Lots of choices

  • Product confusion – everything is “NAC”
  • Infrastructure impact – switches, VLANs, clients
  • Deployment choices – where, how?
  • Overwhelming scope – where do I start?

(Diagram: Internet, guest, firewall, WAN router, VPN, IDS/IPS, Active Directory, and two unlabelled “?” placement points)

NAC Evaluation Criteria

NAC Architectures

Architectures we will cover

  • Endpoint enforcement
  • Infrastructure-based 802.1X
  • Out-of-band NAC solutions
  • Inline NAC solutions

How do the architectures differ?

  • What drops the packet? (policy enforcement point)
  • Who makes the drop decision? (policy decision point)
  • Where is user information stored? (authentication dir.)


Endpoint Enforcement

Components to deploy

  • Endpoint agent software
  • Endpoint gateway
  • Endpoint policy manager

(Diagram: Bldg 1, Floors 1–3; RADIUS, Active Directory and Oracle database behind the Endpoint Policy Manager)

Endpoint Security: Evaluation

Infrastructure-Based 802.1X NAC

Components to deploy

  • 802.1X client supplicants
  • 802.1X capable switches
  • 802.1X capable RADIUS server

(Diagram: edge switches on Bldg 1, Floors 1–3 with Quarantine, Guest, Contractor and Employee VLANs; 802.1X RADIUS server backed by Active Directory and an Oracle database)

Infrastructure reconfiguration

  • Enable policy VLANs on core and edge (quarantine, employee, guest, contractor)
  • Enable policy ACLs on core (sometimes edge)
  • Configure user directory for VLAN mapping


802.1X NAC: How it works

  1. User enters credentials into 802.1X supplicant
  2. 802.1X Authenticator in switch relays it to RADIUS server
  3. RADIUS server checks the credentials against AD and, if they are correct, sends an admit message and the VLAN tag for the user
  4. User can now access the network subject to the ACLs on the VLAN

(Diagram: Active Directory, 802.1X RADIUS, Oracle database)

802.1X NAC: Evaluation

Out-of-Band (OOB) NAC Solution

Components to deploy

  • Out-of-band NAC appliance
  • Centralized manager (optional)

(Diagram: OOB NAC Appliance and OOB Central Manager; edge switches on Bldg 1, Floors 1–3 with Quarantine, Guest, Contractor and Employee VLANs; Active Directory and Oracle database)

Infrastructure reconfiguration

  • Enable policy VLANs on core and edge (quarantine, employee, guest, contractor)
  • Set up SNMP, point traps to OOB controller
  • Quarantine VLAN to OOB controller


OOB NAC: How it works

  1. User connects to switch and switch sends SNMP trap to controller
  2. Controller signals switch to put user port on quarantine VLAN
  3. User enters login credentials – health-check is performed
  4. Controller and manager talk and determine user VLAN
  5. Quarantine VLAN is removed and proper VLAN is deployed

(Diagram: OOB NAC Appliance, Active Directory, OOB Central Manager, Oracle database)
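The 802.1X flow (steps 1–4 on the earlier slide) and the OOB flow (steps 1–5 above) end in the same decision: a policy decision point authenticates the user, checks posture, and hands the enforcement point a VLAN. The Python below is an added example, not ConSentry's or any vendor's code. It models that decision with a constructed user directory, a constructed role-to-VLAN table and constructed switch port names; it also shows the RFC 3580 tunnel attributes a RADIUS server would carry in Access-Accept for step 3 of the 802.1X flow, and drives an OOB controller's port state through steps 1–5 (quarantine on link-up, the proper VLAN only after a successful login and health check, quarantine again when the health check fails).

```python
"""Added example: a toy NAC policy decision point for the 802.1X and OOB flows.

Not ConSentry code. The user directory, role-to-VLAN table, VLAN IDs and
switch port names below are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


def _digest(password: str) -> str:
    """SHA-256 of a password, so the sample directory holds no clear text."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed stand-in for the Active Directory lookup: username -> (digest, role).
USER_DIRECTORY = {
    "alice": (_digest("correct horse"), "employee"),
    "bob":   (_digest("battery staple"), "contractor"),
    "carol": (_digest("guest-pass"), "guest"),
}

# Role -> VLAN mapping ("Configure user directory for VLAN mapping").
# VLAN numbers are constructed.
ROLE_VLAN = {"employee": 100, "contractor": 200, "guest": 300}
QUARANTINE_VLAN = 999


def authenticate(username: str, password: str):
    """Return the user's role, or None when the credentials are wrong."""
    entry = USER_DIRECTORY.get(username)
    # Unknown users still go through a digest compare so they cost the same.
    stored_digest, role = entry if entry else (_digest(""), None)
    if hmac.compare_digest(stored_digest, _digest(password)) and role is not None:
        return role
    return None


def decide(username: str, password: str, posture_ok: bool):
    """Policy decision: (admit, vlan, reason).

    Bad credentials are rejected outright; a valid user whose health check
    failed is admitted only to the quarantine VLAN; otherwise the role VLAN.
    """
    role = authenticate(username, password)
    if role is None:
        return (False, None, "authentication failed")
    if not posture_ok:
        return (True, QUARANTINE_VLAN, "posture check failed")
    return (True, ROLE_VLAN[role], f"role {role}")


def radius_vlan_attributes(vlan: int) -> dict:
    """RFC 3580 attributes a RADIUS server adds to Access-Accept so the
    802.1X authenticator (the switch) places the port in a VLAN (step 3)."""
    return {
        "Tunnel-Type": 13,             # VLAN
        "Tunnel-Medium-Type": 6,       # IEEE-802
        "Tunnel-Private-Group-ID": str(vlan),
    }


@dataclass
class OOBController:
    """Port VLAN state kept by the out-of-band controller (OOB steps 1-5)."""
    port_vlan: dict = field(default_factory=dict)

    def on_linkup_trap(self, port: str) -> int:
        # Steps 1-2: an SNMP trap announces a new link; the port goes to
        # quarantine before any credentials have been seen.
        self.port_vlan[port] = QUARANTINE_VLAN
        return QUARANTINE_VLAN

    def on_login(self, port: str, username: str, password: str, posture_ok: bool) -> int:
        # Steps 3-5: credentials plus health check decide the final VLAN;
        # a failed login leaves the port where it is (quarantine).
        admit, vlan, _reason = decide(username, password, posture_ok)
        if admit:
            self.port_vlan[port] = vlan
        return self.port_vlan.get(port, QUARANTINE_VLAN)


if __name__ == "__main__":
    ctl = OOBController()
    print(ctl.on_linkup_trap("Gi1/0/7"))                            # 999
    print(ctl.on_login("Gi1/0/7", "alice", "correct horse", True))  # 100
    print(radius_vlan_attributes(100))
```

The design point worth noticing is that the enforcement points differ (the switch's own 802.1X authenticator versus a controller pushing VLAN changes over SNMP) while the decision logic is identical; keeping it in one place is what makes the "who makes the drop decision" question from the architecture slide answerable.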

OOB NAC: Evaluation


Inline NAC Solution

Components to deploy

  • Inline NAC appliance
  • Inline NAC manager

(Diagram: Bldg 1, Floors 1–3; RADIUS, Active Directory and Oracle database behind the Inline Manager)


How it works: Inline NAC Solution

  1. User logs into AD
  2. Inline controller “snoops” the username
  3. AD validates user credentials
  4. Inline controller “snoops” authentication reply and queries AD for role
  5. Inline controller applies role-based policy, monitors all flows

(Diagram: edge switch – Inline NAC Appliance – core switch; Active Directory, Server and Oracle Financials behind the core; Inline manager alongside the appliance)
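Step 5 above is where the inline architecture differs from the others: the appliance itself is the policy enforcement point and sees every flow after login, so it can tie each allow/drop to a user and role rather than to a VLAN. The Python below is an added example, not ConSentry's code, of that role-based flow control. The server subnets, application ports (Oracle TNS, CIFS/SMB), roles, policy table and sample flows are all constructed; "Oracle Financials" is borrowed from the slide as the constructed destination that a contractor is not allowed to reach. Unnamed internal destinations are dropped by default.

```python
"""Added example: a toy inline policy enforcement point (PEP).

Not ConSentry code. The server subnets, application ports, roles, policy
table and sample flows are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    user: str      # learned by snooping the AD login (steps 1-4)
    role: str      # returned by the AD role query (step 4)
    dst_ip: str
    dst_port: int
    proto: str     # "tcp" or "udp"


# Constructed: applications behind the core switch, as subnet + ports.
APPLICATIONS = {
    "oracle-financials": (ip_network("10.10.5.0/24"), {1521}),  # Oracle TNS
    "file-server":       (ip_network("10.10.6.0/24"), {445}),   # CIFS/SMB
}

# Constructed: which applications each role may reach. Anything not listed
# is dropped (default deny), including internal hosts not named above.
POLICY = {
    "employee":   {"oracle-financials", "file-server", "internet"},
    "contractor": {"file-server", "internet"},
    "guest":      {"internet"},
}


def classify(flow: Flow):
    """Name the application a flow is headed for, or None if unknown."""
    ip = ip_address(flow.dst_ip)
    for name, (net, ports) in APPLICATIONS.items():
        if ip in net and flow.dst_port in ports:
            return name
    if ip.is_global:
        return "internet"
    return None   # unnamed internal destination: no policy, so drop


def enforce(flow: Flow):
    """Step 5: allow or drop a flow based on the user's role."""
    app = classify(flow)
    allowed = app is not None and app in POLICY.get(flow.role, set())
    return ("allow" if allowed else "drop", app)


def audit(flows):
    """Visibility tied to the user: one record per flow, for incident review."""
    records = []
    for flow in flows:
        verdict, app = enforce(flow)
        dest = f"{flow.dst_ip}:{flow.dst_port}/{flow.proto}"
        records.append((flow.user, flow.role, dest, app, verdict))
    return records


# Constructed sample flows as the appliance would see them after login.
SAMPLE_FLOWS = [
    Flow("alice", "employee",   "10.10.5.20",    1521, "tcp"),
    Flow("bob",   "contractor", "10.10.5.20",    1521, "tcp"),
    Flow("carol", "guest",      "93.184.216.34", 443,  "tcp"),
    Flow("carol", "guest",      "10.10.6.9",     445,  "tcp"),
    Flow("alice", "employee",   "10.10.9.9",     22,   "tcp"),
]

if __name__ == "__main__":
    for record in audit(SAMPLE_FLOWS):
        print(*record)
```

Because the verdict is keyed on the snooped identity rather than on a VLAN, the audit trail answers "who's on the LAN and what are they doing" directly; the cost, as the evaluation slides imply, is that the appliance must sit in the data path at wire speed.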

Inline NAC Solution: Evaluation

Stacking up against real problems

Navigating NAC is Complicated
  • Understand the architecture of the NAC solution
  • Choose a solution that will solve your current problems but can also solve future needs
  • Consider the infrastructure reconfiguration of the solution
  • Run through troubleshooting scenarios – how can issues be isolated?


About ConSentry Networks

Wire-speed inline NAC


ConSentry Secure Switching

Control every user, secure every port.

  • ConSentry InSight – GUI-based LAN tracking, incident reports, and policy setting
  • LANShield Switch – Integrated security and switching for the access layer
  • LANShield Controller – Embedded security for the existing LAN infrastructure

(Diagram: Internet – Router – Firewall – Core Switch; Access Switches and a WLAN Switch at the edge; Data Center with AD, RADIUS, database)

ConSentry – Enabling Technology
  • CPU – LANShield Processor
    • Deep packet inspection and analysis
    • 128 simultaneous threads
    • Stateful processing
    • Programmable
  • Programmable ASICs
    • LANShield Accelerator
      • Detects flows and determines whether deep packet inspection is needed
    • LANShield Visualizer
      • Provides flow statistics and accounting


Elements of Secure Switching

(Application recognition shown on the slide, by category)

  • IM – MSN, Yahoo, AOL
  • P2P – BitTorrent, eDonkey 2000, Gnutella, WinNY, eMule, Kazaa, AppleJuice
  • Network Services – DNS, DHCP/BOOTP, Kerberos, SUNRPC, MS-RPC, RADIUS
  • Connectivity – SSH, Telnet, VNC, RTSP, MS-Media
  • Business Apps – Oracle TNS, SAP R/3
  • VOIP – SIP, H.323, Cisco SCCP (Skinny)
  • Web/Mail – HTTP, SMTP, POP3, IMAP
  • File Transfer – FTP, FTP-Data, TFTP, CIFS/SMB/NetBIOS

Only valid people and clean systems get on the LAN

  • Authentication and posture check
  • No changes to user login procedure

User behavior analysis

  • Who’s on the LAN?
  • What are they doing?
  • Everything tied to user
  • Faster incident response

Anomaly detection

  • Zero-day malware containment
  • Application protection

Control access to resources and applications

  • Control where people can go by their role
  • Only allow them access to applications relevant to their job

Why ConSentry
  • Architected from the ground up to secure your LAN
    • Full control of users and devices
    • With rich application understanding
    • At wire speed
  • Simple deployment of identity-based control
    • Full visibility and reporting
    • In a single, self-contained platform


ConSentry Leadership

“The best example of these new (embedded security) vendors is ConSentry Networks”

Mark Fabbi, Gartner

(Slide panels: Select Customers; Recognition)

© 2007 ConSentry Networks