Transcript NAC Survey Powerpoint 2 MB, Powerpoint Slides

Network Admission Control:
A Survey of Approaches
Educause 2008
George Finney, J.D.
Director of Digital Interests
Southern Methodist University
Thursday, October 30th, 2008
October 30th, 2008
Southern Methodist University
Page 1
What Is it?
October 30th, 2008
Southern Methodist University
Page 2
Background
• SMU began using NetReg in the late 1990’s for our
Dorm and Wireless Networks.
• In 2004, SMU replaced the NetReg product with a
commercial solution.
• In 2007, as a part of the University Strategic Objectives,
SMU began the process of migrating to a “Zoned
Network Architecture.”
• In 2007, SMU commenced a project to implement NAC
for the Academic and Administrative buildings.
October 30th, 2008
Southern Methodist University
Page 3
Process
• Began with a definition of NAC
• Defined use cases, architecture preferences, required
features, and goals
• Created a comprehensive questionnaire
• Compiled the questionnaires into a matrix
• Assembled a short list of vendors based on red-flags
from matrix
• Scheduled on-line demos, then onsite visits, then finally
in-house evaluations
October 30th, 2008
Southern Methodist University
Page 4
October 30th, 2008
Southern Methodist University
Page 5
NAC Definition
Network Access Control (NAC) is the system1 that ensures each person and device2
connecting3 to the university network4 is in compliance with the security requirements of the
zone5 being entered or ascending to. The NAC System, in concert with the university security
zone architecture5, ensures appropriate accountability6 (authentication and authorization) for
the individual connecting to the university network and appropriate levels of protection7 for all
other users and assets already on the university network and the internet.
1.
2.
3.
4.
5.
6.
7.
System in this context is a set of process, procedures, software, hardware, policies and people assembled to
deliver a cohesive service.
Device in this context is any node on the university network that receives an IP address, both routable and unroutable.
Connecting to the network in this context is the process of requesting an IP address.
University network includes all university IP assets involved in the delivery of voice or data services. University
IP assets includes all institutionally owned or managed hardware/software and IP address ranges with actual
or implied association with the university.
Please reference separate work-in-progress for definition of security zone and security zone architecture.
Accountability in this context is for ones own actions while using an SMU provided IP address. While SMU
respects the privacy of each individual using the university network, use of the university network does not
provide anonymity or separation from ones actions . Activity or incidents that precipitate an investigation will
be pursued to the full extent of university policy and rule of law.
Protection in this context is protection from malware attack afforded by the security zone occupied.
October 30th, 2008
Southern Methodist University
Page 6
Use Cases?
October 30th, 2008
Southern Methodist University
Page 7
NAC Use Case Scenarios
•
•
•
•
•
•
•
•
Faculty/Staff users in their office
Faculty/Staff Wireless users
Remote users on dial up or VPN
Student Wireless users
Student Wired users
Student users without administrative privileges
Student users with company owned laptops
Public access users with no SMU credentials
October 30th, 2008
Southern Methodist University
Page 8
Requirements
October 30th, 2008
Southern Methodist University
Page 9
NAC Requirements
• Must be out-of-band
• Must be vendor neutral for network equipment
• Must integrate with the existing Wireless, VPN, and dial up
infrastructure
• Must support Single Sign on
• Must support Windows XP and Vista, MAC OSX, and Linux
• Must have the ability to provide guest login
• Must provide interface for distributed administration
• Must provide historical information and search capabilities for
connection tracking and forensic analysis
• Must provide policy enforcement for Antivirus, Anti-Spyware and
Operating System patches
October 30th, 2008
Southern Methodist University
Page 10
Additional Important Features
•
•
•
•
•
•
•
Integration with Wiring Database
Ability to integrate with IDP/IPS/Packetshaper
Ability to prevent illicit peer-to-peer usage
Ability to search for historical MAC to IP address information
Integration with Active Directory for Administrator login
Provide separate help desk interface with reduced privileges
Provide the ability to create an alarm based on failed policy checks
or network policy violations
• Provide detailed reporting functions within the admin interface.
• Provide web portal customization within the interface.
October 30th, 2008
Southern Methodist University
Page 11
Landscape
October 30th, 2008
Southern Methodist University
Page 12
NAC Landscape
• ITS Reviewed the top 20 vendors in the NAC
marketplace. Of these vendors, we received 18
responses.
• The vendors all apply different solutions for
NAC. These approaches can be broken down
into 7 general categories.
• Each vendor offers a combination of either
agentless, dissolvable agent, and permanent
agent solutions. These combinations are
customizable based on our use case definitions.
October 30th, 2008
Southern Methodist University
Page 13
Architecture
October 30th, 2008
Southern Methodist University
Page 14
NAC Approaches
• In-line
– Switch Replacement
– Uplink Aggregation
• Out of Band
–
–
–
–
–
SNMP Device Management
Permanent Agent
Traffic Monitoring
802.1x/Radius Device Management
ARP (Address Resolution Protocol) Agent
October 30th, 2008
Southern Methodist University
Page 15
Inline – Switch Replacement
October 30th, 2008
Southern Methodist University
Page 16
Inline – Switch Replacement
• Pro
– Provides the most granular coverage of any
NAC solution.
– Agentless solution.
• Con
– Requires all switches to be replaced with NAC
switches.
October 30th, 2008
Southern Methodist University
Page 17
Inline – Uplink Aggregation
October 30th, 2008
Southern Methodist University
Page 18
Inline – Uplink Aggregation
• Pro
– Agentless solution.
• Con
– Creates a bottleneck which all traffic must flow
through.
October 30th, 2008
Southern Methodist University
Page 19
Out-of-Band – SNMP Management
October 30th, 2008
Southern Methodist University
Page 20
Out-of-Band – SNMP Management
• Pro
– Can make VLAN changes, ensuring that users are
moved to the appropriate security zone.
• Con
– SNMP packets may be dropped, consequently
updates to VLANs can be delayed.
– Changes made via SNMP are not logged in the switch
event log or in the switch log, which can make
accounting for changes a challenge.
October 30th, 2008
Southern Methodist University
Page 21
Out-of-Band – Permanent Agent
October 30th, 2008
Southern Methodist University
Page 22
Out-of-Band – Permanent Agent
• Pro
– Can be integrated with existing Antivirus
agent.
• Con
– Does not offer the ability to change VLANS.
– Not a good fit for unmanaged devices.
October 30th, 2008
Southern Methodist University
Page 23
Out-of-Band – Traffic Monitoring
October 30th, 2008
Southern Methodist University
Page 24
Out-of-Band – Traffic Monitoring
• Pro
– Obtains traffic information similar to an IDS,
which offers the ability to act on signatures.
• Con
– Potential loss of traffic on mirror port.
– Complicates router configuration.
October 30th, 2008
Southern Methodist University
Page 25
Out-of-Band – 802.1x/Radius Device Management
October 30th, 2008
Southern Methodist University
Page 26
Out-of-Band – 802.1x/Radius Device Management
• Pro
– Integrates with 802.1x capable devices
• Con
– Requires agent to be installed on Radius or
Active Directory servers.
October 30th, 2008
Southern Methodist University
Page 27
Out-of-Band – ARP Agent
October 30th, 2008
Southern Methodist University
Page 28
Out-of-Band – ARP Agent
• Pro
– Doesn’t require integration or replacement of
existing switches.
• Con
– Manipulates ARP (Address Resolution
Protocol) tables on each client, which may be
viewed as being invasive.
– Requires at least 1 agent on each VLAN to
enforce policy.
October 30th, 2008
Southern Methodist University
Page 29
Questions?
George Finney
Email: [email protected]
Phone: 214-768-3950
October 30th, 2008
Southern Methodist University
Page 30