Enabling Authentication & Network Admission Control
Steve Pettit, Great Bay Software Inc.
Posted 01-Feb-2016 (transcript of a 13-slide PowerPoint presentation)

Page 1: Enabling Authentication & Network Admission Control

Steve Pettit

Page 2: Endpoint Profiling (Great Bay Software Inc.)

Value Statements
• Provide the critical first step towards NAC/802.1X
• Dramatically shorten the deployment time for NAC and network-based authentication
• Provide Trusted Access to non-NAC endpoints
• Provide data for all network-attached endpoints, including:
  – Real-time Location and Identity
  – Historical Addressing, Identity, and Location
  – Contextual views of all Enterprise-owned assets

Impact: St. John's Hospital reduced 156 man-weeks of discovery and documentation work to 2 man-weeks.

Page 3: Identifying the problem space

• The Enterprise LAN comprises a myriad of endpoint types
  – Windows typically comprises approximately 50% of wired endpoints
  – Most Enterprise endpoints are undocumented
  – DHCP has enabled endpoints to be added over time without IT involvement
  – Any Access/Admission Control system requires this information
  – Where WLAN is typically 30:1, Wired LAN is 1:3.5

Goal: To generate a contextual inventory of all endpoints

Page 4: Endpoint Profiling

• Understanding that not all network endpoints can authenticate…
• All network endpoints must be Profiled and Located prior to deployment
• The goal is to enable secure network access for non-authenticating devices

[Diagram: endpoints split into NAC and Non-NAC; examples of Non-NAC devices shown are UPS, Phone, Printer]

Page 5: Sample non-NAC Aliases

Printers, Fax Machines, ISLs, IP Phones, Wireless Access Points, Managed UPS, Hubs, MultiCast video displays, Kiosks, Medical imaging machines, Video Conferencing stations, HVAC, Cash Registers, Turnstiles, Time Clocks, Vending Machines, Parking Gates, Doors, Firewalls, Proxy, Refrigerators, IP Cameras, Servers, UNIX stations, Alarm Systems, RMON Probes

Page 6: Applications for Endpoint Profiling

• Authentication of non-authenticating hosts
• Network configuration for static access provisioning
• Monitoring of non-authenticating devices for behavior
• Addressing audit findings: "do you know what is plugged into your network?"
• Provide data for all network-attached endpoints, including:
  – Real-time Location and Identity
  – Historical Addressing, Identity, and Location
  – Contextual views of all Enterprise-owned assets

Page 7: The NAC Management lifecycle

Deployment
• Discover all endpoints by type and location
• Model the topology
• Provision appropriate settings at the system level
• Liaise with AAA systems for authentication

Change Control
• Provide real-time & historical Identity and Location tracking
• Enable adds, moves, and changes
• Dead-ended Ports

Events Management
• Provide contextual information to security and events management systems
• Monitor and Manage events & anomalies related to authentication:
  – Shadow Hosts
  – Port Swapping
  – Profile Changing
  – MAC spoofing
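The Events Management part of the lifecycle, as an added Python example that is not part of the presentation and not Great Bay's product logic: a monitor consumes (timestamp, switch, port, MAC, profile) observations and raises the four anomaly classes listed on the slide. The Observation record, the one-host-per-port policy, the NON_NAC_PROFILES names, the "mac_spoof_suspect" heuristic (a MAC previously profiled as a non-authenticating device that starts fingerprinting as a general-purpose host) and the sample observation stream are all constructed for this example.

```python
"""Events-management monitor for endpoint profiling (added illustration;
not Beacon's own logic). Raises port swapping, shadow hosts, profile
changing, and a MAC-spoofing suspicion derived from a profile change."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical profile names for devices that cannot do 802.1X themselves.
NON_NAC_PROFILES = {"printer", "ip-phone", "ups", "ip-camera"}


@dataclass(frozen=True)
class Observation:
    ts: int         # observation time (constructed epoch seconds below)
    switch: str
    port: str
    mac: str
    profile: str    # profile assigned by the profiling engine


class AnomalyMonitor:
    """Tracks where each MAC was last seen and what it last looked like."""

    def __init__(self, max_hosts_per_port=1):
        self.max_hosts_per_port = max_hosts_per_port
        self.last_port = {}                     # mac -> (switch, port)
        self.last_profile = {}                  # mac -> profile
        self.hosts_on_port = defaultdict(set)   # (switch, port) -> {mac}

    def observe(self, obs):
        """Update state with one observation; return (kind, mac, detail) events."""
        events = []
        loc = (obs.switch, obs.port)

        # Port swapping: a known MAC shows up on a different switch port.
        prev_loc = self.last_port.get(obs.mac)
        if prev_loc is not None and prev_loc != loc:
            events.append(("port_swap", obs.mac,
                           f"{prev_loc[0]}:{prev_loc[1]} -> {obs.switch}:{obs.port}"))
            self.hosts_on_port[prev_loc].discard(obs.mac)
        self.last_port[obs.mac] = loc

        # Shadow host: more MACs behind one port than its policy allows
        # (e.g. a second device hung off a hub or a phone's PC port).
        self.hosts_on_port[loc].add(obs.mac)
        if len(self.hosts_on_port[loc]) > self.max_hosts_per_port:
            others = sorted(self.hosts_on_port[loc] - {obs.mac})
            events.append(("shadow_host", obs.mac,
                           f"shares {obs.switch}:{obs.port} with {', '.join(others)}"))

        # Profile changing: same MAC, different fingerprint than last time.
        prev_profile = self.last_profile.get(obs.mac)
        if prev_profile is not None and prev_profile != obs.profile:
            events.append(("profile_change", obs.mac, f"{prev_profile} -> {obs.profile}"))
            # Heuristic: a non-NAC device's MAC now looks like a general host.
            if prev_profile in NON_NAC_PROFILES and obs.profile not in NON_NAC_PROFILES:
                events.append(("mac_spoof_suspect", obs.mac,
                               f"non-NAC profile '{prev_profile}' now fingerprints as '{obs.profile}'"))
        self.last_profile[obs.mac] = obs.profile
        return events


def run(observations, max_hosts_per_port=1):
    """Replay observations in time order and collect every event raised."""
    mon = AnomalyMonitor(max_hosts_per_port)
    found = []
    for obs in sorted(observations, key=lambda o: o.ts):
        found.extend(mon.observe(obs))
    return found


# Constructed observation stream: a printer, an IP phone and a workstation;
# the workstation then moves behind the phone's port, and the printer's MAC
# later starts fingerprinting as a Windows host.
OBSERVATIONS = [
    Observation(1000, "sw1", "Gi1/0/1", "00:1b:78:aa:bb:cc", "printer"),
    Observation(1001, "sw1", "Gi1/0/2", "00:0b:be:11:22:33", "ip-phone"),
    Observation(1002, "sw1", "Gi1/0/3", "00:50:56:de:ad:01", "windows-workstation"),
    Observation(1100, "sw1", "Gi1/0/1", "00:1b:78:aa:bb:cc", "printer"),
    Observation(1200, "sw1", "Gi1/0/2", "00:50:56:de:ad:01", "windows-workstation"),
    Observation(1300, "sw1", "Gi1/0/1", "00:1b:78:aa:bb:cc", "windows-workstation"),
]

if __name__ == "__main__":
    for kind, mac, detail in run(OBSERVATIONS):
        print(f"{kind:18} {mac}  {detail}")
```

The steady-state re-observation at ts 1100 raises nothing; only the move at 1200 (port swap plus a second host on the phone's port) and the fingerprint change at 1300 produce events, which is the signal a NAC operator would forward to the events management system named on the slide.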

Page 8: Endpoint Discovery and Mapping

• Profile creation – network traffic analysis
  – Port Mirror or Tap visibility into aggregate network traffic – L2–7 rule sets
    • L2 – MAC – MAC vendor
    • L3 – IP / IP range / TTL fingerprint
    • L4 – port & port ranges
    • L7 rules – User agent, email banner, DHCP decode
  – Netflow Collection
  – Active Profiling
  – Boolean logic for complex rules
    • GUI-based for AND
    • XML for AND, OR, NOT
  – Inference-based Profiles
    • Manual or Auto-created via My Network
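The L2–7 rule sets and the AND/OR/NOT Boolean logic on this slide, as an added Python example that is not Beacon's code: each endpoint observation carries passive attributes of the kinds listed (MAC vendor, IP, TTL, L4 ports, User-Agent, DHCP vendor class, SMTP banner) and each profile is a Boolean rule tree written in a small XML dialect. The element names (mac-vendor, ip-range, ttl, open-port, user-agent, dhcp-vendor, smtp-banner), the OUI table, the three profiles and the sample endpoints are all invented for this example and are not Great Bay's rule schema or data.

```python
"""Rule-based endpoint profiler (added illustration; not Beacon's own code).
Profiles are AND/OR/NOT trees over L2-L7 attribute tests, expressed in a
hypothetical XML dialect invented for this example."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed OUI table (first three octets -> vendor); a real deployment
# would load the IEEE OUI registry.
OUI_VENDORS = {"00:1b:78": "Hewlett-Packard", "00:0b:be": "Cisco", "00:50:56": "VMware"}


def mac_vendor(mac):
    """L2 test: vendor name for the MAC's OUI, or 'unknown'."""
    return OUI_VENDORS.get(mac.lower()[:8], "unknown")


def _match_leaf(el, ep):
    """Evaluate one attribute test against an endpoint dict."""
    tag = el.tag
    if tag == "mac-vendor":                                   # L2
        return mac_vendor(ep["mac"]) == el.get("is")
    if tag == "ip-range":                                     # L3
        return ipaddress.ip_address(ep["ip"]) in ipaddress.ip_network(el.get("cidr"))
    if tag == "ttl":                                          # L3 fingerprint
        return ep.get("ttl") == int(el.get("is"))
    if tag == "open-port":                                    # L4
        return int(el.get("is")) in ep.get("ports", ())
    if tag in ("user-agent", "dhcp-vendor", "smtp-banner"):   # L7 decode
        return el.get("contains") in ep.get(tag.replace("-", "_"), "")
    raise ValueError(f"unknown rule element <{tag}>")


def evaluate(el, ep):
    """Recursive Boolean evaluation of a rule tree."""
    if el.tag == "and":
        return all(evaluate(c, ep) for c in el)
    if el.tag == "or":
        return any(evaluate(c, ep) for c in el)
    if el.tag == "not":
        (child,) = list(el)          # <not> wraps exactly one sub-rule
        return not evaluate(child, ep)
    return _match_leaf(el, ep)


def load_profiles(xml_text):
    """Parse <profiles> into [(name, rule_root)] pairs."""
    root = ET.fromstring(xml_text.strip())
    return [(p.get("name"), list(p)[0]) for p in root.findall("profile")]


def classify(endpoint, profiles):
    """Names of every matching profile; [] means unprofiled (manual review)."""
    return [name for name, rule in profiles if evaluate(rule, endpoint)]


# Constructed rule set. The NOT clause on the printer profile is what keeps a
# Windows host with an HP-looking MAC from inheriting the printer's access.
PROFILE_XML = """
<profiles>
  <profile name="HP network printer">
    <and>
      <mac-vendor is="Hewlett-Packard"/>
      <or><open-port is="9100"/><open-port is="631"/></or>
      <not><user-agent contains="Windows NT"/></not>
    </and>
  </profile>
  <profile name="Cisco IP phone">
    <and>
      <mac-vendor is="Cisco"/>
      <ip-range cidr="10.1.30.0/24"/>
      <dhcp-vendor contains="IP Phone"/>
    </and>
  </profile>
  <profile name="Windows workstation">
    <and><ttl is="128"/><user-agent contains="Windows NT"/></and>
  </profile>
</profiles>
"""
PROFILES = load_profiles(PROFILE_XML)

# Constructed endpoint observations.
ENDPOINTS = [
    {"mac": "00:1b:78:aa:bb:cc", "ip": "10.1.20.15", "ttl": 64, "ports": [9100, 80]},
    {"mac": "00:0b:be:11:22:33", "ip": "10.1.30.7", "ttl": 255,
     "dhcp_vendor": "Cisco Systems, Inc. IP Phone"},
    {"mac": "00:50:56:de:ad:01", "ip": "10.1.10.40", "ttl": 128,
     "user_agent": "Mozilla/5.0 (Windows NT 6.1)"},
    # HP OUI and port 9100 open, but a Windows browser fingerprint: not a printer.
    {"mac": "00:1b:78:01:02:03", "ip": "10.1.10.41", "ttl": 128, "ports": [9100],
     "user_agent": "Mozilla/5.0 (Windows NT 6.1)"},
]

if __name__ == "__main__":
    for ep in ENDPOINTS:
        print(ep["mac"], classify(ep, PROFILES) or ["UNPROFILED"])
```

The fourth endpoint is the case a profiling deployment has to get right: a single L2 attribute (the HP OUI) would put it in the printer profile, while the combined rule tree places it with the Windows workstations, where it must authenticate rather than receive the printer's static access.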

Page 9: Deployment Models

[Chart: profiling techniques plotted by the visibility into network traffic they require (None to Full) and by Passive vs. Active Profiling. Technique groups shown:]
• MAC Vendor, IP Range, Static IP
• Web User Agent, Web Server Type, Print Services, Web URL, SMTP Banner, L3/L4 network
• DHCP vendor, DHCP Options, TTL profiling, DHCP Client Host Name, ARP decode
• Open L4 Ports, Web Server Type, User Agent
• NetFlow – L3/4 traffic

Page 10: Use Cases for Beacon

• Provide NAC for the other 50% of the Enterprise
  – Monitoring and authorization of Non-Windows devices
• Enable the deployment of network-based authentication
  – Alleviate the manual discovery process
  – Complement/liaise with the AAA system: EAP, MAC-auth, EAPoX
• Provide Contextual information to aggregate systems: MARS, IDS/IPS, Asset Systems

Page 11: Integration Points with Cisco

• NAC Framework: Manage NRH list; Port/VLAN admin; Liaise with ACS via LDAP; NAC for non-CTA endpoints
• NAC Appliance: Manage NRH list; Provision MAC/Role; Port/VLAN admin; NAC for non-CCA endpoints
• MARS: Contextual Event information; Historical reference
• Integration protocols: Web API, LDAP, SNMP, Syslog, GAME (future)

Page 12: Summary

• Reduces 156 man-weeks of work to 2 weeks
• Automated discovery and system-level provisioning
• Ongoing monitoring of non-NAC endpoints
• Flexible Deployment model
