Network Security Effective Practices

Transcript Network Security Effective Practices

Network Security Effective Practices - NAC/P, TNC
A Survey of Network Access/Admissions Control Security Practices in Higher Education
H. Morrow Long, Director, Information Security, Yale University
Educause 2007 Annual Conference Session
Wednesday, October 24, 2007, 11:30 a.m. - 12:45 p.m.
Introductions
2
Overview
This presentation will discuss a survey and informal poll of the current campus network access and admissions security practices and products in higher education, on both wired and wireless networks.
3
Agenda
Introduction
What is NAC, NAP and TNC?
NAC/P Concepts and Terminology
NAC/P Feature Checklists
NAC/P Effective Practices in Higher Ed
Survey of NAC/P Practices in Academia
Discussion and Questions
4
NAC, NAP, TNC timeline
In 2003, RPC/DCOM worms (Blaster, Nachi) caused widespread problems on campus networks. NetReg, Bradford Campus Networks and other registration/quarantine systems were used as effective solutions.
Cisco (which bought Perfigo) and many vendors (particularly wireless) entered this market.
Microsoft and the TCG alliance have been promising standards (with Cisco) for a time (2008?).
5
NAC/P Open Source Efforts
UConn/UMass/etc. (Rodrigue, et al.) "NetReg" mods (RPC/DCOM NASL scanning à la Nessus)
PacketFence
NoCat - Captive Web Portal
6
NAC/P Goes Mainstream
Standards:
Cisco / Microsoft agreement
802.1X and EAPs
WPA2
7
What is NAC/NAP/TNC?
NAC - Network Access (or Admission) Control
• Generic
• Cisco
NAP - Network Access (or Admission) Protection
• Microsoft Vista and Longhorn Server (2008)
TNC - Trusted Network Computing (from the Trusted Computing Group - TCG)
• Anti-Virus / Anti-Malware vendors
8
Why NAC?
IS NAC RELEVANT AND STILL NEEDED?
New paradigms may obviate NAC:
• Enterprise-wide A/V / Anti-Malware
• XP SP2 Firewall & Vista Security - renders scanners obsolete?
• Managed workstations, "lockdown" GPO policies
Arguments for NAC/P going forward:
• Un-managed & guest personal computers & devices
• End-point protection and assessment
• IDP/DLP/CF (Leakage Protection, Content Filtering)
• Legal liability, CALEA, etc.
9
NAC/P Issues to deal with
Phones
Printers
User hubs, switches, WiFi APs and SOHO routers
XBOX™, Sony PlayStation™, Nintendo™
PDAs, SmartPhones, etc.
Other unique IP devices and non-standard OSes
"Guest/Visitor" and conference attendees
10
NAC/P vs. No NAC/P
You can actually have even better security using NAC/P IF you use strong encryption (and a good implementation) -- even over wired networks.
Inline is more secure, reliable(?) than non-inline…
Complex solutions may cause problems (run amuck).
You will need to provide overrides and exceptions -- but SOP & Policy should discourage this as much as possible.
11
Threats to NAC/P
(in order of sophistication)
Scalability - worst case scenario: several thousand PCs seeking network admission simultaneously, overwhelming the scanner / NAC / network.
Single Point of Failure - only one scanner / gate / remediation website, etc.
Self-assigning IPs
Spoofing IPs
Spoofing EHAs (MACs)
ARP spoofing/poisoning (dsniff, Ettercap, etc.)
Router EHA cloning DoS attack
802.1X / EAP DoS attacks
VLAN "jumping"
12
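As an added illustration of how a defender would watch for the address-level items on this list (EHA/MAC cloning, IP spoofing, ARP poisoning of the gateway, self-assigned IPs), here is a small Python binding monitor. It is not code from the presentation or from NetReg, PacketFence or any vendor product named on the slides. The observation records, the known-good gateway MAC, the DHCP lease set and the 30-second freshness window are constructed assumptions; a real deployment would feed the same logic from DHCP lease logs, switch MAC tables or an ARP monitor, whose formats differ. The scalability and 802.1X/EAP DoS items are not covered by it.

```python
"""Binding monitor for the spoofing threats listed above (added example,
not code from the presentation or from any product it names).  It keeps
IP <-> MAC <-> switch-port bindings and raises an alert when a binding
changes in a way that matches MAC cloning, IP spoofing / ARP poisoning,
gateway impersonation or a self-assigned address.  Every record and
constant below is constructed for the example."""
from collections import defaultdict

# Constructed observations: (seconds, switch port, MAC, IP) as a DHCP log,
# switch MAC table or ARP monitor might report them.
OBSERVATIONS = [
    (0,  "sw1/g0/1", "00:11:22:33:44:55", "10.1.0.10"),
    (5,  "sw1/g0/2", "00:11:22:33:44:66", "10.1.0.11"),
    (10, "sw1/g0/1", "00:11:22:33:44:55", "10.1.0.10"),
    (12, "sw1/g0/7", "00:11:22:33:44:55", "10.1.0.10"),   # same MAC, second port
    (20, "sw1/g0/9", "00:de:ad:be:ef:01", "10.1.0.1"),    # gateway IP, wrong MAC
    (21, "sw1/g0/1", "00:11:22:33:44:55", "10.1.0.10"),
    (25, "sw1/g0/9", "00:de:ad:be:ef:01", "10.1.0.11"),   # bob's IP, new MAC
    (30, "sw1/g0/9", "00:de:ad:be:ef:01", "10.1.0.200"),  # never leased by DHCP
]
GATEWAY_IP = "10.1.0.1"
GATEWAY_MAC = "00:00:5e:00:01:01"             # assumed known-good router MAC
LEASED_IPS = {"10.1.0.10", "10.1.0.11"}       # constructed DHCP lease set


def analyse(observations, leased_ips=LEASED_IPS, gateway_ip=GATEWAY_IP,
            gateway_mac=GATEWAY_MAC, window_s=30):
    """Return (kind, subject, detail) alerts, de-duplicated, in observation order.

    window_s: how long a previous binding still counts as active, so that a
    laptop moved between ports an hour apart does not alert.
    """
    alerts = []
    seen = set()
    mac_ports = defaultdict(dict)   # mac -> {port: last_seen}
    ip_macs = defaultdict(dict)     # ip  -> {mac: last_seen}

    def alert(kind, subject, detail):
        key = (kind, subject, detail)
        if key not in seen:
            seen.add(key)
            alerts.append(key)

    for t, port, mac, ip in observations:
        mac = mac.lower()
        # MAC/EHA cloning: one hardware address active on two ports at once.
        for other_port, last in mac_ports[mac].items():
            if other_port != port and t - last <= window_s:
                alert("mac_on_multiple_ports", mac, " & ".join(sorted((other_port, port))))
        mac_ports[mac][port] = t

        if ip == gateway_ip:
            # Gateway impersonation: anything but the real router claiming the
            # default gateway address (the classic ARP-poisoning symptom).
            if mac != gateway_mac:
                alert("gateway_impersonation", ip, mac)
        else:
            # IP spoofing / ARP poisoning: the IP moves to a new MAC while the
            # previous binding is still fresh.
            for other_mac, last in ip_macs[ip].items():
                if other_mac != mac and t - last <= window_s:
                    alert("ip_rebound", ip, f"{other_mac} -> {mac}")
            # Self-assigned address: DHCP never handed this IP out.
            if ip not in leased_ips:
                alert("ip_not_leased", ip, mac)
        ip_macs[ip][mac] = t
    return alerts


if __name__ == "__main__":
    for kind, subject, detail in analyse(OBSERVATIONS):
        print(f"{kind:24} {subject:20} {detail}")
```

Run against the constructed records it reports four alerts, one per pattern: the MAC active on two ports, the foreign MAC answering for the gateway, bob's IP rebound to a new MAC, and the address that was never leased. The freshness window is the main tuning knob: shorter windows cut false positives from legitimate roaming, longer ones catch slower cloning; the 802.1X/RADIUS identity from the checklist later in the deck would be the natural extra key to correlate these bindings against.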
NAC System Components
Database (User, Computer, MAC, etc.)
Registration System
DHCP and/or Authentication (RADIUS/802.1X) Server
Scanning engine and Policy Server
Quarantine LAN/VLAN/Subnet
ACL (switch/router), Firewall, Filter/Blocking device
Captive Portal
Remediation Site
Proxy
Agent (one-time/registration, temporary, permanent)
Management Interface and/or Station/App.
13
Other NAC Architectures
• EHA / MAC filtering
• NAT Control
• Forced VPN option
  • WiFi
  • Wired
  • Remote Access
  • Guest networks
14
NAC Concepts/Terms
In-line
Out-of-Band
Agent / Agent-less
Pre-authentication
Post-authentication
DLP/ILP - Leak Protection
One-time
Boot/Connect time
Dissolvable
Continual
Policy Server
Remediation Server
End Point Protection
Security via Virtualization
Quarantine
15
NAC/P Implementation Checklist
Practical NAC/P planning "high level short list":
Create, publish and enforce security policies.
Practice rigorous physical security.
Verify user identities.
Actively monitor logs, firewalls & IDSes.
Logically segregate data & voice traffic.
Harden OSes.
Encrypt whenever and whatever you can.
16
NAC Implementation Checklist
Detailed and specific list:
Use a separate VLAN with 802.1p/q QoS with priority VLAN tagging for the quarantine network.
Use a private (RFC1918) IP network for the quarantine VLAN.
Use NAT and/or proxies to hide internal addresses.
Use a firewall (packet filtering or ALG) to protect & connect the quarantine network to the data IP network.
Use an IDS or IPS to examine the traffic allowed through the firewall (may be built into the firewall).
Use agents, 802.1X & RADIUS auth & EAP supplicants.
17
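The components on slide 13 and the checklist above come together in the following Python policy engine, added here as an example; it is not code from the presentation or from NetReg, PacketFence or any vendor product named on the slides. It models the registration database, the 802.1X/RADIUS identity check, the posture scan, the RFC 1918 quarantine VLAN and the firewall between quarantine and the campus data network, including the overrides the deck says policy should allow but discourage. The VLAN ids, addresses, registration entries and exempt device classes are assumptions chosen for the example.

```python
"""Toy NAC admission policy engine (added example; not code from the
presentation or from any product it names).  It models the listed
components: a registration database keyed by MAC, the 802.1X/RADIUS
identity, a scan/policy step, a quarantine VLAN on RFC 1918 space and the
firewall between quarantine and the campus data network.  VLAN ids,
addresses and registration entries are assumptions chosen for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PRODUCTION_VLAN = 100   # assumed VLAN id of the campus data network
QUARANTINE_VLAN = 999   # assumed VLAN id of the quarantine network
QUARANTINE_CIDR = "10.99.0.0/16"                               # assumed, RFC 1918
REMEDIATION_SITE = ipaddress.ip_address("10.99.0.10")          # assumed
QUARANTINE_RESOLVER = ipaddress.ip_address("10.99.0.53")       # assumed

# Constructed registration database: MAC -> (registered owner, device class)
REGISTRATION_DB = {
    "00:11:22:33:44:55": ("alice", "laptop"),
    "00:11:22:33:44:66": ("bob", "laptop"),
    "00:aa:bb:cc:dd:01": ("facilities", "printer"),
}
# Device classes exempt from the posture scan (the "override" the slides say
# policy should allow but discourage); kept short and explicit on purpose.
SCAN_EXEMPT_CLASSES = {"printer", "voip-phone"}


@dataclass
class Decision:
    vlan: int
    reason: str


def quarantine_subnet_is_private(cidr: str = QUARANTINE_CIDR) -> bool:
    """Checklist item: the quarantine network must sit in private (RFC 1918)
    space, and not in the loopback or link-local ranges."""
    net = ipaddress.ip_network(cidr)
    return net.is_private and not net.is_loopback and not net.is_link_local


def admit(mac: str, authenticated_user: Optional[str], scan_clean: Optional[bool]) -> Decision:
    """Pick the VLAN for a connecting endpoint.

    authenticated_user: identity from 802.1X/RADIUS, None if none was presented.
    scan_clean: outcome of the posture/vulnerability scan, None if it was not run.
    Every failure path lands in quarantine; only the fully verified path, or a
    registered device of an explicitly exempt class, reaches the production VLAN.
    """
    entry = REGISTRATION_DB.get(mac.lower())
    if entry is None:
        return Decision(QUARANTINE_VLAN, "unregistered MAC: redirect to registration portal")
    owner, device_class = entry
    if device_class in SCAN_EXEMPT_CLASSES:
        return Decision(PRODUCTION_VLAN, f"registered {device_class}: scan override")
    if authenticated_user is None or authenticated_user != owner:
        return Decision(QUARANTINE_VLAN, "802.1X identity missing or not the registered owner")
    if scan_clean is not True:
        return Decision(QUARANTINE_VLAN, "posture scan failed or not run: remediate")
    return Decision(PRODUCTION_VLAN, "registered, authenticated and clean")


def quarantine_flow_allowed(dst: str, dst_port: int, internet_allowed: bool = False) -> bool:
    """Firewall policy for traffic leaving the quarantine VLAN.

    Permitted: DHCP, DNS to the quarantine resolver only (so DNS cannot be used
    to reach arbitrary campus hosts), and HTTP/HTTPS to the remediation site.
    All other private (campus) destinations are dropped.  Public destinations
    pass only if the site has chosen to let quarantined hosts reach the
    Internet, one of the survey's policy questions.
    """
    dst_ip = ipaddress.ip_address(dst)
    if dst_port == 67:                                   # DHCP to the relay/server
        return True
    if dst_ip == QUARANTINE_RESOLVER and dst_port == 53:
        return True
    if dst_ip == REMEDIATION_SITE and dst_port in (80, 443):
        return True
    if dst_ip.is_private:
        return False
    return internet_allowed


if __name__ == "__main__":
    print(quarantine_subnet_is_private())
    for mac, user, clean in [("00:11:22:33:44:55", "alice", True),
                             ("00:11:22:33:44:55", "mallory", True),
                             ("de:ad:be:ef:00:01", None, None),
                             ("00:aa:bb:cc:dd:01", None, None)]:
        d = admit(mac, user, clean)
        print(mac, "-> VLAN", d.vlan, ":", d.reason)
```

The ordering of checks in admit is the point: registration, identity, then posture, so a spoofed registered MAC without the matching 802.1X identity still lands in quarantine, which is the mitigation for the MAC-spoofing threat listed earlier. The exempt-class override returns early because printers and hard phones cannot run a supplicant or an agent, exactly the devices the deck lists as "issues to deal with", so the exemption is tied to a registered owner rather than to the MAC alone.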
NAC/P Effective Practices in Higher Ed
Some schools:
Use a separate VLAN, L2 switches and RFC1918 IP addresses for the quarantine network.
Many schools:
Using Cisco Secure/Clean Access
Rolling their own via NetReg, NoCat & PacketFence
Looking at appliances
18
NAC/P Effective Practices in Higher Ed
Colleges
(http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0701&L=security&P=13595)
Date: Fri, 19 Jan 2007 15:58:22 -0500
Reply-To: The EDUCAUSE Security Discussion Group Listserv
From: "Charles L. Bombard"
Subject: Re: Network access control
In-Reply-To: <[log in to unmask]>
Content-Type: text/plain; charset="us-ascii"
Still looking. I am on the fence (excuse the pun) and can go with either one at the moment. Packetfence seems to have acquired a large following, and netreg seems to not be in active development any longer. www.netreg.org www.packetfence.org - Charlie
==========================================
Charles Bombard, GSEC, LAN/Systems Administrator, Community College of Vermont, 119 Pearl Street, Burlington, VT 05401, 802.657.4234
19
NAC/P Effective Practices in Higher Ed
Small Colleges
(http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind07&L=smallcol&P=20469)
Date: Wed, 18 Apr 2007 11:00:47 -0400
Reply-To: The EDUCAUSE Small College Constituent Group Listserv
From: "Beyer, Bill (William)" <[log in to unmask]>
Subject: Network Access Control and Vista
Content-Type: multipart/alternative;
Hartwick College has been an early adopter of Network Access Control using Sygate Secure Enterprise in conjunction with using 802.1x protocols on our HP network data switches. While Sygate has worked well, it does have its limitations, mainly that it does not yet have a Vista client (our fingers are crossed that it will be released in May 2007) or a workable Mac client or Linux client. Our plans also include rolling out Vista Business on the student laptops we will issue to all freshmen this fall.
20
NAC/P - Other Surveys
Network Computing Magazine
Rolling Review Kickoff: Out-Of-Band NAC, Oct 22, 2007 - By Mike Fratto
"Thing is, out-of-band NAC seems to have an image problem: Our own reader research indicates that 65% of organizations deploying NAC prefer in-line appliances versus 50% using out-of-band products. And the outlook doesn't look likely to improve. Nearly 70% of companies in the planning stages are leaning toward in-line systems, versus just 43% favoring out-of-band NAC. A recent survey by Infonetics Research shows that 55% of companies plan on buying in-line NAC products; this syncs with the firm's market forecast, which shows more than half the NAC units shipped are in-line appliances. Is the problem just bad PR, or does the out-of-band approach really carry technical disadvantages compared with going in-band?"
http://www.networkcomputing.com/channels/security/showArticle.jhtml?articleID=202403321
21
NAC/P Higher Ed Effective Practices Survey
Which NAC/P security mechanisms do[n't] you use?
Use of IPS or FW between NAC/P network and production backbone IP network.
Use of IDS between NAC/P network and production backbone IP network.
Use NAC (network access control) such as 802.1X and RADIUS to authenticate.
Devices require the use of the separate NAC/P network (physical LAN, VLAN, subnet address, etc.) from the production backbone data IP network.
VoIP phones are automatically allowed access to the backbone network?
Computers are allowed with IPSEC or other VPNs.
Use NAC (network access control) such as 802.1X and RADIUS to authenticate hard phones.
Allow quarantine access automatically to the Internet but not campus network?
Provide separate dedicated bandwidth for NAC/P quarantine network traffic to the Internet?
22
Survey
47 Responses (as of October 20, 2007)
http://www.surveymonkey.com/s.aspx?sm=w7FZIc_2fK4_2frF3icYgfKXig_3d_3d
23
NAC/P Higher Ed Effective Practices Survey
Q1: Commercial NAC/P Deployments
[Bar chart: share of respondents per vendor (axis 0% to 30%); bars for Cisco, Bradford Networks, BlueSocket, HP, Aruba, 3Com/TippingPoint, eEye and Other.]
24
Q1: 2.6% Solutions (1 Response each)
IBM (Internet Security Systems)
Impulse Point (Safe Connect)
InfoBlox (ID Aware)
Juniper Networks (Endpoint Assurance (was Funk))
LANDesk Software (Trusted Access)
Lockdown Networks (Lockdown Enforcer)
McAfee (McAfee Policy Enforcer)
ProCurve Networking
Symantec (Sygate NAC)
VeriSign Inc
25
Q1: Other Category
Several comments about not having NAC, planning on buying NAC, using open source or developing a home-grown solution.
26
Q2: Open Source NAC/P Deployments
[Bar chart: share of respondents per system (axis 0% to 50%); bars for CMU NetReg, ESP Wizard, NetPass, NetReg 2.0, NoCatAuth, PacketFence, Southwestern NetReg and Other.]
27
Q2: Other Category
1. RACS - homegrown system
2. We rolled our own (for wireless)
3. none
4. Saint Mary's NetReg and in house developed
5. Homebuilt
6. Complete Home Brew
7. home grown
8. nessus
28
Q3: NAC Isolation Modes Deployed
[Bar chart (axis 0% to 60%); bars for 802.1x, ACL FW, ACL Router, ACL Switch, AD, ARP, DHCP, Inline Device, VLAN and Other.]
29
Q3: Other Category
1. IPSec
2. None
30
Q4: NAC/P Functionality Enabled
[Bar chart (axis 0% to 80%); bars for Detection, Notify user, Notify admins, Isolation, Registration, Remediation, Agentless, Dissolvable agent, Persistent agent, Agent in endpoint protection s/w, Agent replaced by endpoint s/w, One-time check-in (e.g. registration), Session check-in (e.g. connect/boot), Time-based check-in (e.g. daily), Continuous check-in (always chec…) and Other.]
31
Q4: Other Category
1.Just Authentication Currently
2.none
3.30 day registration
4.Once per Semester
5.Weekly re-assessment
6.Arbitrary, configurable check-in
32
Q5: Where do you deploy NAC/P?
[Bar chart (axis 0% to 100%); bars for Wireless, VPN, PPP dialups, Student residential networks, Ethernet ports for roaming users, Office and departmental ethernets, Datacenter (server) networks, VoIP networks, Building sensor/alarm networks and Other.]
33
Q5: Other Category
1. staff/student laptops
2. No where
34
Q6: Policy Questions
[Each part was shown as a bar chart of YES / NO / N/A response shares; only the axis range survives in the transcript, not the bar heights.]
Pt 1: Do you require an agent be installed on user-owned computers? (axis to 80%)
Pt 2: Do you allow user-owned hubs and switches? (axis to 60%)
Pt 3: Do you allow user-owned SOHO routers? (axis to 70%)
Pt 4: Do you allow user-owned WiFi APs? (axis to 80%)
Pt 5: Do you allow an override or opt-out on NAC/P for game consoles? (axis to 60%)
Pt 5 (a second chart carrying the same label and question on the following slide): (axis to 80%)
Pt 6: Do you allow an override or opt-out on NAC/P for VoIP phones? (axis to 60%)
Pt 7: Do you allow an override or opt-out on NAC/P for printers? (axis to 60%)
Pt 8: Do you allow an override or opt-out on NAC/P for other devices? (axis to 70%)
Pt 9: Do you authenticate or identify individual users? (axis to 100%)
Pt 10: Do you authenticate or identify individual (unique) computers? (axis to 100%)
Q7: Rating Satisfaction
[Each part was shown as a bar chart over Poor / Fair / Good / Very Good / Excellent / N/A; the bar heights are not recoverable from the transcript, the averages are.]
Pt 1: "Few False Negatives" (Avg 3.15)
Pt 2: "Few False Positives" (Avg 3.17)
Pt 3: "Ease of Use for Users" (Avg 3.38)
Pt 4: "Ease of Use for Administrators" (Avg 3.15)
Pt 5: "Reliability" (Avg 3.43)
Pt 6: "Maintainability" (Avg 3.0)
Pt 7: "Scalability" (Avg 3.11)
Pt 8: "Interoperability" (Avg 3.13)
Pt 9: "Overall Rating" (Avg 3.13)
Survey Conclusions
Implementers appear:
• Somewhat satisfied.
• Split between commercial and open source s/w.
• Allow overrides & don't require agents.
• Don't allow private WiFi Access Points.
Technology appears to be fairly mature now.
http://www.surveymonkey.com/s.aspx?sm=w7FZIc_2fK4_2frF3icYgfKXig_3d_3d
55
Listservs & Newsgroups
EDUCAUSE Security Discussion Listserv
http://www.educause.edu/SecurityDiscussionGroup/979
I2 SALSA NetAuth Working Group
http://www.internet2.edu/netauth
IETF Working Group
Network Endpoint Assessment (nea)
http://tools.ietf.org/wg/nea/
http://www.ietf.org/html.charters/nea-charter.html
56
Q&A
Question & Answer
57
Contact Info
H. Morrow Long
[email protected]
Security.yale.edu
58
Credits:
Cisco - NAC Overview,
http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html
Gartner RAS Core Research Note G00143551, John
Pescatore, Mark Nicolett, Lawrence Orans, 5
October 2006 R2052 1/25/2007
http://www.cisco.com/web/ES/publicaciones/06-10-Cisco-gartner-NAC.pdf
"Network Access Control" Seminar Presentation,
Security Professionals Conference 2006,
Kevin Amorin (Harvard University),
Chris Misra (University of Massachusetts, Amherst)
59
Credits:
Wikipedia (Pages on NAC/NAP, etc.)
60
This has been a chalk outline™ production.