nac


Uploaded by cristian-lopez-hidalgo, posted on 18-Dec-2015

DESCRIPTION

Network Access Control

TRANSCRIPT

  • Network Access Control
    Source: http://en.wikipedia.org/wiki/Network_Access_Control
    An approach to computer network security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement.
    Aim: to control endpoint security by unifying it with network device security and the whole network.
    Result: End devices that do not comply with the set security policies are identified and quarantined.

  • Why and What?
    Why NAC? (http://www.ashimmy.com/2007/03/a_brief_history.html)
    The biggest driver for NAC was the realization that after spending billions on the perimeter, we still were not any more secure. Why? Internal threats.

    What is NAC? (http://www.ashimmy.com/2007/03/nac_bust_or_boo.html)
    The original concept of NAC was performing pre-admission health or profile checks on devices as they sought to enter the network. If the device failed, it was denied access or quarantined. Then we added post-admission vulnerability scans, then IDS detection, behavior-based detection, identity-based access controls, etc. Before you know it, anything that has anything to do with getting on the network and staying there is part of NAC.

    T. A. Yang, Network Security

  • NAC: Goals
    Source: http://en.wikipedia.org/wiki/Network_Access_Control
    Mitigation of non-zero-day attacks (?): to prevent end-stations that lack antivirus, patches, or host intrusion prevention software from accessing the network and placing other computers at risk of cross-contamination.
    Policy enforcement: to allow network operators to define policies, such as the types of computers or roles of users allowed to access areas of the network, and enforce them in switches, routers, and network middleboxes (like firewalls).
    Identity and access management: instead of using IP addresses, NAC enforces network access based on authenticated user identities, at least for user end-stations such as laptops and desktop computers.

  • Support for NAC
    Cisco: Network Admission Control (NAC), since 2003/2004. A brief history of NAC (3/8/2007): http://www.ashimmy.com/2007/03/a_brief_history.html
    Other companies joined and pushed out their NAC products (next page). A 2006 survey by Network Computing (local copy).
    Microsoft's response: Network Access Protection, NAP (first introduced in Windows Server 2008): http://en.wikipedia.org/wiki/Network_Access_Protection

  • Joel Conover, NAC Vendors Square Off, Network Computing, 7/6/2006 (local copy)

  • Source: http://www.forescout.com/wp-content/media/ForresterVendorSummary_ForeScout_publishable_2011.pdf

  • Gartner's Magic Quadrant for NAC: published 12/2011
    http://www.gartner.com/technology/reprints.do?id=1-18VNF2C&ct=120119&st=sb (local copy)

  • NAC vendors compared (using comparison tools at Mosaicsecurity.com)

  • NAC Basic Concepts
    Source: http://en.wikipedia.org/wiki/Network_Access_Control
    Pre-admission vs post-admission enforcement
    Agent vs agentless data collection
    Agent: an agent s/w runs on the endpoint to report the status.
    Agentless devices: some devices do not support NAC agent s/w, e.g., printers, scanners, phones, photocopiers, and other special devices. NAC uses scanning and network inventory techniques (whitelisting, blacklisting, ACLs) to discern those characteristics remotely.

  • NAC Basic Concepts
    Source: http://en.wikipedia.org/wiki/Network_Access_Control
    Out-of-band vs inline solutions
    Inline: a single box acts as an internal firewall for access-layer networks and enforces the policy.
    Out-of-band: agents on end-stations report information to a central console, which in turn controls switches to enforce policy.

  • NAC Basic Concepts
    Source: http://en.wikipedia.org/wiki/Network_Access_Control
    Quarantine vs captive portals for remediation
    Quarantine: a non-compliant end-station is only allowed to access a restricted network with patch and update servers.
    Captive portals: the captive portal technique forces an HTTP client on a network to see a special web page before gaining full access. In NAC, a captive portal intercepts HTTP access to web pages, redirecting users to a web application that provides instructions and tools for updating their computers.

  • Cisco's NAC
    Source: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps5923/product_data_sheet0900aecd80119868.html
    NAC is a set of technologies and solutions built on an industry initiative led by Cisco Systems. NAC uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from emerging security threats such as viruses, worms, and spyware.

  • Why NAC?
    Endpoints that do not comply with established security policies pose a threat and can introduce a security risk into the network.
    Goal of NAC: to prevent vulnerable and noncompliant hosts from obtaining network access.
    Q: Why isn't user authentication (like 802.1x) sufficient? Ans?

  • Cisco's approach to NAC
    The NAC solution uses the network access devices (NAD) to protect the network infrastructure from any endpoint seeking network access. Only compliant endpoints are granted access. Noncompliant devices are denied access and quarantined for remediation.

  • Source: http://www.cisco.com/en/US/solutions/ns340/ns394/ns171/ns466/ns617/net_design_guidance0900aecd80417226.pdf

  • Cisco's NAC Solutions: Two options
    The NAC Appliance approach, aka Cisco Clean Access (CCA) appliance: a Cisco packaged solution. The CCA agent provides posture information; Cisco Security Agent (CSA) provides protection.
    The NAC Framework approach

  • Cisco's NAC Solutions: Two options
    The NAC Framework approach: built on NAC-enabled network access devices (NAD), Cisco or non-Cisco. Compliant endpoints are granted access to the network; noncompliant endpoints are placed in quarantine for remediation.
    c.f., Figure 13-2

  • Cisco NAC Solution: two options (Figure 13-2)

  • Cisco Security Agent (CSA)
    Cisco's host intrusion prevention tool; details in Ch 21. On June 11, 2010, Cisco announced the end-of-life and end-of-sale of CSA. (source: http://en.wikipedia.org/wiki/Cisco_Security_Agent)
    CSA components:
    CSA endpoints: enforcing security policies received from the management server, sending events, interacting with the user.
    CSA management server: a repository of the configuration database.
    CSA management console: an admin web-based user interface and policy configuration tool.

  • Cisco's NAC Framework
    Source: http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/ns466/ns617/net_implementation_white_paper0900aecd80217e26.pdf (2005)

  • 1. Client sends a packet through a NAC-enabled router.
    2. NAD begins posture validation using EOU.
    3. Client sends posture credentials using EOU to the NAD.
    4. NAD sends posture to Cisco ACS using RADIUS.
    5. Cisco Secure ACS requests posture validation using the Host Credential Authorization Protocol (HCAP) inside an HTTPS tunnel.
    6. Posture validation/remediation server sends a validation response of pass, fail, quarantine, and so on.
    7. To permit or deny network access, Cisco Secure ACS sends an accept with ACLs/URL redirect.
    8. NAD forwards the posture response to the client.
    9. Client is granted or denied access, redirected, or contained.
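The posture exchange in these steps, modelled as an added Python example (not Cisco's code and not part of the slides): posture plugins report to the Posture Agent, the policy server returns an Application Posture Token (APT) per plugin, the System Posture Token (SPT) is the worst APT, and ACS hands the NAD either an ACL or a URL redirect to the remediation portal (the slide's quarantine vs captive portal outcomes). The plugin names, thresholds, remediation host and portal URL are all constructed for the example.

```python
# Constructed model of the NAC Framework exchange on the slide (teaching code,
# not Cisco's): plugins -> Posture Agent -> policy server returns an APT per
# application, SPT = worst APT, ACS tells the NAD which ACL/redirect to apply.
# Plugin names, thresholds, the remediation host and URL are all invented here.

TOKENS = ["pass", "quarantine", "fail"]          # ordered healthy -> worst
REQUIRED_PLUGINS = ("antivirus", "os_patches", "hips")
REMEDIATION_HOST = "10.0.99.10"                   # placeholder patch/update server
REMEDIATION_URL = "https://remediation.example.invalid/fix"  # placeholder portal

def validate_app(plugin, creds):
    """Application Posture Token (APT) for one plugin's reported credentials."""
    if plugin == "antivirus":
        if not creds.get("installed"):
            return "fail"
        fresh = creds.get("enabled") and creds.get("sig_age_days", 999) <= 7
        return "pass" if fresh else "quarantine"
    if plugin == "os_patches":
        missing = creds.get("missing_critical", 99)
        return "pass" if missing == 0 else "quarantine" if missing <= 2 else "fail"
    if plugin == "hips":
        return "pass" if creds.get("running") else "quarantine"
    return "fail"                                 # unknown plugin: non-compliant

def system_posture(credentials):
    """Policy server side: one APT per required plugin, SPT is the worst APT.
    A required plugin that reported nothing (agentless or tampered host) fails."""
    apts = {p: validate_app(p, credentials[p]) if p in credentials else "fail"
            for p in REQUIRED_PLUGINS}
    spt = max(apts.values(), key=TOKENS.index)
    return spt, apts

def access_decision(spt):
    """What ACS returns to the NAD: an ACL plus an optional URL redirect."""
    if spt == "pass":
        return {"acl": ["permit ip any any"], "redirect": None}
    if spt == "quarantine":   # restricted network with patch servers + captive portal
        return {"acl": [f"permit ip any host {REMEDIATION_HOST}", "deny ip any any"],
                "redirect": REMEDIATION_URL}
    return {"acl": ["deny ip any any"], "redirect": None}

def nac_exchange(credentials):
    """Run one endpoint through the steps and return the enforcement outcome."""
    spt, apts = system_posture(credentials)
    return {"spt": spt, "apts": apts, **access_decision(spt)}

if __name__ == "__main__":
    # Constructed endpoint: AV signatures 30 days old, otherwise healthy.
    print(nac_exchange({"antivirus": {"installed": True, "enabled": True, "sig_age_days": 30},
                        "os_patches": {"missing_critical": 0}, "hips": {"running": True}}))
```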

  • Cisco Trust Agent (CTA)
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps5923/product_data_sheet0900aecd80119868.html
    A posture agent (PA) serves as the single point of contact on the host for aggregating credentials from all posture plugins and communicating with the network. This module also provides a trusted relationship with the network for the purposes of exchanging these posture credentials.

  • Cisco Trust Agent (CTA)
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps5923/product_data_sheet0900aecd80119868.html (2009)
    Acts as a middleware component that takes host policy information and securely communicates the information to the AAA policy server.
    Interacts directly with "NAC-enabled" applications running on the host without user intervention.
    Can communicate at Layer 3 (EAP over UDP) or Layer 2 (802.1x supplicant) with the NADs. The supplicant is able to use the EAP-FAST protocol to carry both identity and posture information within the 802.1x transport.
    Free to download.

  • Cisco Trust Agent (CTA)
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps5923/product_data_sheet0900aecd80119868.html

  • Source: http://www.cisco.com/en/US/solutions/ns340/ns394/ns171/ns466/ns617/net_design_guidance0900aecd80417226.pdf (2006)


  • Source: http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/ns466/ns617/net_implementation_white_paper0900aecd80217e26.pdf (2005)

  • NAC vs 802.1X for endpoint security
    Source: http://www.cloudcentrics.com/?p=579
    802.1x technologies do a great job in protecting network assets before they are utilized on the network. Non-authorized machines generally never get on the network. In addition, 802.1x technologies have greater flexibility in provisioning users in different types of VLANs for isolation, such as guest or remediation VLANs.
    NAC technologies do a great job in assuring that when a user is on a network they meet minimum criteria of software patches to stay on the network. If they do not meet these requirements, upstream devices, such as firewalls, block them from accessing the network.
    Q: Agree?

  • NAC Comparison Guide
    Source: http://www.itsecurity.com/whitepaper/pdf/nac-comp-guide_8-07.pdf (2007), local copy
    Vendors included in the comparison: Bradford Networks, Check Point Software Technologies, Cisco Systems, ConSentry Networks, Elemental Security, Enterasys Networks, ForeScout, HP, Infoblox, InfoExpress, Insightix, Juniper Networks, Lockdown Networks, McAfee, Mirage Networks, Nevis Networks, Nortel Networks, Senforce Technologies, Sophos, StillSecure, Symantec, Trend Micro, and Vernier Networks
    Comparison criteria: product type (s/w, appliance); endpoint assessment & compliance?; user authentication?; remediation?; pre-admission?; post-admission?; price

  • More recent lists and comparisons
    By Mosaic Security Research. Source: https://mosaicsecurity.com/categories/81-network-access-control?direction=asc&sort=vendors.name
    39 vendors (as of 7/2012); product info, resources, awards, etc.
    By JafSec.com. Source: http://jafsec.com/Network-Access-Control/Network-Access-Control-A-B.html
    About 29 vendors (as of 7/2012); includes two open source NACs: FreeNAC, PacketFence

  • More References
    Joel Snyder, Network access control vendors pass endpoint security testing - Alcatel-Lucent, Bradford, Enterasys, ForeScout, McAfee go above and beyond, Network World, June 21, 2010: http://www.networkworld.com/reviews/2010/062110-network-access-control-test-end-point.html
    Tutorial: Network Access Control (NAC), July 17, 2007: http://www.networkcomputing.com/data-protection/229607166?pgno=3
    Good explanation of basic NAC concepts: http://en.wikipedia.org/wiki/Network_Access_Control
    FAQ for Network Admission Control (NAC), 2006: http://www.cisco.com/en/US/solutions/ns340/ns394/ns171/ns466/ns617/net_design_guidance0900aecd8040bc84.pdf

    * See the FAQ, http://www.cisco.com/en/US/solutions/ns340/ns394/ns171/ns466/ns617/net_design_guidance0900aecd8040bc84.pdf:
    GAME: Generic Authorization Message Exchange
    HCAP: Host Credential Authorization Protocol
    AV server: attribute-value server (aka posture validation server)
    PA: Posture Agent
    APT: Application Posture Token
    SPT: System Posture Token