Enabling Authentication & Network Admission Control

Download Report

Transcript Enabling Authentication & Network Admission Control

Enabling Authentication &
Network Admission Control
Steve Pettit
Great Bay Software Inc.
Value Statements
 Provide the critical first step towards NAC/802.1X
 Dramatically shorten the deployment time for NAC and
network-based authentication
 Provide Trusted Access to non-NAC endpoints
 Provide data for all network attached endpoints including:
• Real-time Location and Identity
• Historical Addressing, Identity, and Location
• Contextual views of all Enterprise owned assets
Impact
 St. John’s Hospital reduced 156 man-weeks of discovery
and documentation work into 2 man weeks
Endpoint Profiling
Identifying the problem space

The Enterprise LAN is comprised
of a myriad of endpoint types
– Windows typically comprises
approximately 50% of wired
endpoints
– Most Enterprise endpoints are
undocumented
– DHCP has enabled endpoints
to be added over time without
IT involvement
– Any Access/Admission Control
system requires this information
– Where WLAN is typically 30:1,
Wired LAN is 1:3.5

Goal: To generate a contextual
inventory of all endpoints
Endpoint Profiling
Endpoint Profiling



Understanding that not all network endpoints can authenticate…
All network endpoints must be Profiled and Located prior to deployment
The goal is to enable secure network access for non-authenticating devices
Non-NAC
NAC
UPS
Phone Printer
Endpoint Profiling
Sample non-NAC Aliases













Printers
Fax Machines
ISLs
IP Phones
Wireless Access Points
Managed UPS
Hubs
MultiCast video displays
Kiosks
Medical imaging machines
Video Conferencing stations
HVAC
Cash Registers













Turnstiles
Time Clocks
Vending Machines
Parking Gates
Doors
Firewalls
Proxy
Refrigerators
IP Cameras
Servers
UNIX stations
Alarm Systems
RMON Probes
Endpoint Profiling
Applications for Endpoint Profiling




Authentication of non-authenticating hosts
Network configuration for static access provisioning
Monitoring of non-authenticating devices for behavior
Addressing audit findings “do you know what is plugged into
your network”
 Provide data for all network attached endpoints including:
• Real-time Location and Identity
• Historical Addressing, Identity, and Location
• Contextual views of all Enterprise owned assets
Endpoint Profiling
The NAC Management lifecycle
Deployment




Discover all
endpoints by type
and location
Model the topology
Provision
appropriate settings
at the system level
Liaise with AAA
systems for
authentication
Change Control



Provide real-time &
historical Identity and
Location tracking
Enable adds, moves,
and changes
Dead ended Ports
Events Management


Provide contextual
information to security
and events
management systems
Monitor and Manage
events & anomalies
related to
authentication
•
•
•
•
Shadow Hosts
Port Swapping
Profile Changing
MAC spoofing
Endpoint Profiling
Endpoint Discovery and Mapping
 Profile creation - network traffic analysis
– Port Mirror or Tap visibility into aggregate
network traffic - L2-7 rule sets
• L2 - MAC - MAC vendor
• L3 - IP / IP range / TTL fingerprint
• L4 port & port ranges
• L7 rules – User agent, email banner,
DHCP decode
– Netflow Collection
– Active Profiling
– Boolean logic for complex rules
• GUI-based for AND
• XML for AND, OR, NOT
– Inference-based Profiles
• Manual or Auto-created via My Network
Endpoint Profiling
Passive vs. Active Profiling
Deployment Models
Open L4 Ports
Web Server Type
User Agent
MAC Vendor
IP Range
Static IP
NetFlow –
L3/4 traffic
None - - - - -
DHCP vendor
DHCP Options
TTL profiling
DHCP Client
Host Name
ARP decode
Web User Agent
Web Server Type
Print Services
Web URL
SMTP Banner
L3 / L4 network
Visibility Into Network Traffic
- - - - - Full
Endpoint Profiling
Use Cases for Beacon
 Provide NAC for the other 50% of the Enterprise
• Monitoring and authorization of Non-Windows devices
 Enable the deployment of network-based authentication
• Alleviate the manual discovery process
• Compliment/liaise with the AAA system
• EAP
• MAC-auth
• EAPoX
 Provide Contextual information to aggregate systems:
• MARS
• IDS/IPS
• Asset Systems
Endpoint Profiling
Integration Points with Cisco
NAC Appliance
• Manage NRH list
• Provision MAC/Role
• Port/VLAN admin
• NAC for non-CCA
endpoints
NAC Framework
• Manage NRH list
• Port/VLAN admin
• Liaise w ACS via LDAP
• NAC for non-CTA
endpoints
Integration protocols:
• Web API
• LDAP
• SNMP
• Syslog
• GAME (future)
MARS
• Contextual Event
information
•Historical ref.
Endpoint Profiling
Summary
 Reduces 156 man weeks of work to 2 weeks
 Automated discovery and system-level provisioning
 Ongoing monitoring of non-NAC endpoints
 Flexible Deployment model
Endpoint Profiling
Endpoint Profiling