May, 2007
Copyright (c) 2007, Joel Snyder. All Rights Reserved.
Network Access Control: Hard Questions
Joel M Snyder, Senior Partner
Opus [email protected]
Agenda: Hard Questions about NAC
Questions you need to be able to answer about NAC regarding…
• Lying clients
• Denial of Service, MITM, and Eavesdropping Attacks
• VPN, Branch, Remote Access, and Wireless
• Interdependencies
• Integrating NAC with other tools
• Value of NAC to the organization

1. How will NAC deal with lying clients?
[Diagram: TNC architecture: Client Broker, Network Access Requestor, Network Access Authority, Server Broker, Posture Validator, Posture Collector, Network Enforcement Point]
The NAC policy server gets its information from software running on the client.
The Enforcement Point gets address information from software running on the client.
[Diagram: Client Broker, Network Access Requestor, Posture Collector]
You can use scanning of the end point to help confirm the type of device.
You can use behavior analysis to detect when the device is behaving “uncharacteristically”.
Most NAC deployments will have to use MAC authentication for some devices.
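Devices admitted by MAC authentication never prove anything about themselves, so the checks the slide names (scanning the end point and watching its behavior) are the only evidence you get. As an added example, not taken from the deck, the Python below takes a constructed table of MAC-authenticated devices with the device class each was admitted as, plus a few constructed flow records, and flags any device whose traffic falls outside the profile for its class (a "printer" that starts talking SMB and SSH to internal hosts). The profiles, MAC addresses, ports and flow format are all assumptions for the example.

```python
"""Added example (not from the slides): flag MAC-authenticated devices whose
traffic does not match the device class they were admitted under.

All input is constructed: a table of MAC-auth admissions (MAC -> claimed
device class) and a handful of flow records. A device admitted as a
"printer" that starts talking SMB/SSH to internal hosts is behaving
"uncharacteristically" and deserves a scan or a re-evaluation.
"""
from collections import defaultdict

# Constructed profiles: destination proto/ports each device class is expected to use.
PROFILES = {
    "printer": {"tcp/9100", "tcp/631", "udp/161"},
    "ip-phone": {"udp/5060", "udp/69", "tcp/2000"},
}

# Constructed admissions: devices let in by MAC authentication rather than 802.1X.
MAC_AUTH_ADMISSIONS = {
    "00:11:22:33:44:55": "printer",
    "00:11:22:33:44:66": "ip-phone",
}

# Constructed flow records: (source MAC, destination IP, proto/port, bytes).
FLOWS = [
    ("00:11:22:33:44:55", "10.0.0.10", "tcp/9100", 50000),   # normal print job
    ("00:11:22:33:44:55", "10.0.0.20", "tcp/445", 1200),     # SMB from a "printer"
    ("00:11:22:33:44:55", "10.0.0.21", "tcp/22", 800),       # SSH from a "printer"
    ("00:11:22:33:44:66", "10.0.0.5", "udp/5060", 300),      # SIP from a phone: fine
]


def find_uncharacteristic(admissions, flows, profiles, threshold=1):
    """Return {mac: sorted list of unexpected ports} for every MAC-authenticated
    device that used at least `threshold` destination ports outside its profile.

    Devices not in `admissions` (e.g. 802.1X-authenticated hosts) are ignored,
    since their identity came from credentials rather than from a MAC address.
    """
    unexpected = defaultdict(set)
    for src_mac, _dst_ip, port, _byte_count in flows:
        device_class = admissions.get(src_mac.lower())
        if device_class is None:
            continue
        if port not in profiles.get(device_class, set()):
            unexpected[src_mac.lower()].add(port)
    return {mac: sorted(ports) for mac, ports in unexpected.items()
            if len(ports) >= threshold}


if __name__ == "__main__":
    for mac, ports in find_uncharacteristic(MAC_AUTH_ADMISSIONS, FLOWS, PROFILES).items():
        print(f"{mac} (admitted as {MAC_AUTH_ADMISSIONS[mac]}) used unexpected ports: {ports}")
```

The output of such a check is a candidate for the "please scan this guy" hand-off to an IPS or scanner described later in the deck, not an automatic block: a profile can be wrong, and the point is to get a second source of evidence about a device that cannot vouch for itself.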
[Diagram: Client Broker, Network Access Requestor, Posture Collector]
TCG/TNC has the TPM strategy to maximize “software trust”.
Behavioral analysis also works here.
Posture assessment relies on the client to report the results.
A sub-question: do you care about compliance, or infection?
Software on the PC can tell you whether the system complies with policy, but says nothing about whether the system is infected.
External sensors can’t tell you about policy compliance, but they are very good at detecting infections.
(more about this later)
Beware trying to have perfect security unless you have infinite budget
[Chart: x-axis “The amount of money you are spending on security”; y-axis “The extra security you get for each dollar you spend”]
Action Items: Lying Clients
Seek out NAC solutions that can incorporate external scanning solutions and IDS/IPS data.
Identify holes in network security caused by MAC authentication, and document how you are plugging them.
Balance the cost of end-point security assessment with the benefits that it brings to the network.

2. Are you ready to add another “P1” critical service?
[Diagram: TNC architecture: Client Broker, Network Access Requestor, Network Access Authority, Server Broker, Posture Validator, Posture Collector, Network Enforcement Point]
This Policy Decision Point is now critical to anyone connecting to the network.
Policy servers need to be scalable
User thinks that they log in once per day: 1000 users = .03 decision/second
End-point security checks in every 15 minutes: 1000 users = 1 decision/second
MAC devices are re-authenticated every minute: 1000 users = 30 decision/second
IDS+SIM+scanner generate 10 events a second: events = 10 decision/second
Policy servers need high availability
Can you build an active/active cluster?
Are your decision points able to handle multiple locations?
Is the link to the backend database, such as Active Directory LDAP, properly provisioned for HA?
Challenges to Reliability Require Broad Thinking
[Diagram: TNC architecture: Client Broker, Network Access Requestor, Network Access Authority, Server Broker, Posture Validator, Posture Collector, Network Enforcement Point]
Can Enforcement Points survive loss of policy engine gracefully? What is your policy?
What happens if a misbehaving client thrashes the network with hundreds or thousands of authentications a second? Or spins its MAC address many times a second?
How will the policy engine behave while under a DoS attack?
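A policy engine that is being thrashed needs to notice it before it falls over, and the authentication log is the place to look. The Python below is an added example (not from the deck) that runs a sliding one-second window over constructed authentication log lines and raises one alert per port for an authentication storm and one for MAC-address spinning. The log format (`timestamp port mac result`), the thresholds, and the port names are assumptions; a real switch or RADIUS server log needs its own parser.

```python
"""Added example (not from the slides): detect a client thrashing an
enforcement point with authentication attempts, or spinning its MAC address.

Log lines are constructed in an assumed "timestamp port mac result" format.
Thresholds are assumptions; tune them to the real per-port rates on your
network (a hub with many legitimate devices behind one port is the usual
false positive).
"""
from collections import defaultdict, deque

# Constructed log: six different MACs on one port within half a second,
# and a well-behaved device re-authenticating once a minute on another.
SAMPLE_LOG = """\
1.00 Gi1/0/7 00:aa:bb:cc:dd:01 reject
1.10 Gi1/0/7 00:aa:bb:cc:dd:02 reject
1.20 Gi1/0/7 00:aa:bb:cc:dd:03 reject
1.30 Gi1/0/7 00:aa:bb:cc:dd:04 reject
1.40 Gi1/0/7 00:aa:bb:cc:dd:05 reject
1.50 Gi1/0/7 00:aa:bb:cc:dd:06 reject
3.00 Gi1/0/9 00:aa:bb:cc:dd:10 accept
63.0 Gi1/0/9 00:aa:bb:cc:dd:10 accept
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, port, mac, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, port, mac, result = line.split()
        events.append((float(ts), port, mac.lower(), result))
    return events


def detect_storms(events, window=1.0, max_auths=5, max_macs=3):
    """Sliding-window detector, one window per port.

    Returns a list of (port, timestamp, reason) with reason "auth-storm" when
    more than `max_auths` attempts land inside `window` seconds, or
    "mac-spinning" when more than `max_macs` distinct MACs do. Each
    (port, reason) pair is reported once, at the moment it first trips.
    """
    alerts = []
    recent = defaultdict(deque)      # port -> deque of (timestamp, mac)
    already_flagged = set()
    for ts, port, mac, _result in sorted(events):
        q = recent[port]
        q.append((ts, mac))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct_macs = {m for _, m in q}
        reason = None
        if len(q) > max_auths:
            reason = "auth-storm"
        elif len(distinct_macs) > max_macs:
            reason = "mac-spinning"
        if reason and (port, reason) not in already_flagged:
            already_flagged.add((port, reason))
            alerts.append((port, ts, reason))
    return alerts


if __name__ == "__main__":
    for port, ts, reason in detect_storms(parse_log(SAMPLE_LOG)):
        print(f"t={ts:.2f} {port}: {reason}")
```

The natural response to an alert is on the enforcement point (rate-limit or err-disable the port), which keeps a single misbehaving client from consuming the policy engine's decision budget for everyone else; the detector only has to find the port.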
Action Items: Critical Services
Select NAC policy engine solutions that have:
• Scalability, because you can’t predict how many decisions/second you need
• High availability, because the network can’t stop working
Review policy on enforcement points when contact is lost with the policy decision point.
Ensure that the link between enforcement point, policy decision point, and backend authentication database cleanly survives failures and “scale up” events.

3. How will NAC extend to remote access, branch, and wireless environments?
NAC defines access controls based on identity and end-point posture
[Diagram: Partners, SSL VPN, IPsec VPN, Branches]
What works on the LAN should bring you value everywhere.
[Diagram: SSL VPN, IPsec VPN]
SSL VPNs did NAC before NAC was even a buzzword.
SSL VPN vendors are ideally situated to be part of your NAC solution.
No SSL VPN vendor has yet integrated their policy engine with the NAC engine.
Obviously, you want to have fewer engines and fewer bits of software floating around.
[Diagram: SSL VPN, IPsec VPN]
IPsec VPNs will either have proprietary or IKEv2-based solutions.
Proprietary is easy if your NAC vendor is your IPsec vendor…
… and of course you can use L3 enforcement.
The most interesting future solutions build on EAP being used in 802.1X (most current NAC solutions) and in IPsec when IKEv2 is finally available.
Branch Offices need NAC even more than HQ, but have challenges
VLANs can’t easily be propagated to branches, and may have different meanings.
Remediation services and policy engines may have to be replicated … at higher cost.
[Diagram: Branches]
Consider pushing NAC “brains” towards HQ or using L3 enforcement.
Wireless almost always implies guest access of some sort
802.1X is a great strategy for LAN and WLAN…
but guests will want captive portal.
Action Items: Branch, VPN, Wireless
Aim to reduce the number of policy engines and posture checkers you need to manage; look forward to extending NAC capabilities outside of the LAN and WLAN environments.
Consider different strategies for enforcement at branches (while preserving the same policy engine).
Make sure your IPsec and SSL VPN solution vendors are “on board” with your NAC strategy.

4. How much does NAC depend on the security of your infrastructure?
When you push security into the network, the network must be secure
The network team must start treating switches as if they are firewalls.
Your vendor must start building switches to be firewalls.
Many NAC solutions can help work around infrastructure
Internal enforcement points can back up and extend switch enforcement.
Audit tools (such as IDS) and scan tools can provide an out-of-band assurance layer.
Action Items: Infrastructure Security
Bring together the network operations team and NAC teams to resolve “infrastructure” issues early:
• Password management
• Bug fixes and software version updating
• Change control and access rights
Deliver the key message: Every switch is a firewall.
Evaluate whether your infrastructure is ready to transition from “connection utility” to “enforcement point”.

5. How well does NAC interact with the world around it?
“No NAC is an Island”
You need to consider NAC’s interaction with the rest of the world
Layers 8, 9, and 10: The all-important religious, political, and economic layers of the OSI model (see next hard question)
Layers 3 through 7: NAC is already linked to end-point security tools. What about data sources such as IDS and IPS events? What about data streams from SIMs?
NAC can talk to IPS
[Diagram: NAC policy server asking an IPS] “Watch this one! I couldn’t check end-point security and they’re a ‘guest’ user. Please scan this guy and let me know what you find out.”
Not just IPS/IDS; this could also be an NBAD, SIM, or vulnerability analyzer, or other device with relevant knowledge.
IPS (and IDS) could talk to NAC
[Diagram: IPS reporting to the NAC policy server] “Hey! That guy over there is acting suspiciously!”
“IDS says he’s bad. Shut him down.” (or remediate, or re-evaluate end-point posture, etc.)
Subtle Problem: “Change of Authorization” is not within existing protocols, so this is a work in progress for open frameworks.
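The “shut him down” message from the policy server to the enforcement point is what the deck calls Change of Authorization. In RADIUS the standards-track mechanism for it is the Dynamic Authorization Extensions (RFC 5176, which succeeded RFC 3576): a Disconnect-Request or CoA-Request sent from the server to the NAS on UDP port 3799, authenticated with the shared secret, and answered with an ACK or NAK. The Python below is an added example, not any vendor's or the TNC framework's code, that builds these packets and verifies the reply authenticator as RFC 5176 specifies; the shared secret, NAS address, MAC and session id are constructed, and actually sending the packet and the NAS-side handling are out of scope.

```python
"""Added example (not from the slides): build and verify RADIUS Dynamic
Authorization messages (RFC 5176), the standards-track way a policy server
tells an enforcement point to drop or re-authorize a session.

Only packet construction and authenticator checks are shown; transport
(UDP/3799) is left out. Secret and session values are constructed.
"""
import hashlib
import hmac
import os
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Attribute types used below (RFC 2865 / RFC 2866 / RFC 5176).
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID = 31, 44
ATTR_ERROR_CAUSE = 101


def encode_attrs(attrs):
    """Encode [(type, value_bytes)] as RADIUS TLVs: type, length (incl. header), value."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Decode a TLV run back into [(type, value_bytes)], rejecting truncated data."""
    attrs = []
    while data:
        atype, alen = struct.unpack("!BB", data[:2])
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[2:alen]))
        data = data[alen:]
    return attrs


def build_request(code, identifier, attrs, secret):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def verify_response(response, request, secret):
    """True only if the reply matches the request's identifier and its
    authenticator validates under `secret`; anything else is dropped."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def disconnect_session(mac, session_id, nas_ip, secret, identifier=None):
    """Disconnect-Request naming the session by NAS, Calling-Station-Id and Acct-Session-Id."""
    if identifier is None:
        identifier = os.urandom(1)[0]
    attrs = [
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (ATTR_CALLING_STATION_ID, mac.encode()),
        (ATTR_ACCT_SESSION_ID, session_id.encode()),
    ]
    return build_request(DISCONNECT_REQUEST, identifier, attrs, secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = disconnect_session("00-11-22-33-44-55", "8001234", "10.0.0.2", secret)
    ack = build_response(DISCONNECT_ACK, req, [], secret)   # what a NAS would send back
    print("request bytes:", len(req), "ack verified:", verify_response(ack, req, secret))
```

Two things in the verifier matter operationally: the reply is bound to the original request's authenticator, so a NAK or ACK replayed from some other exchange fails, and the comparison is constant-time. The shared secret is the whole security of this link, which is one reason the later “SSL; RADIUS” row in the areas-of-concern table deserves attention.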
NAC integration with external devices is an evolving story
Howard’s Observation: “NAC is the bouncer at the door. We need more bouncers inside of the bar.”
This integration is especially critical to you if end-point security is one of your driving factors for NAC.
Other complexities will confound the process
How Windows Admins Think Of Users: NETBIOS names, System Serial numbers, Windows Logins
How Network Admins Think Of Users: MAC Addresses, IP Addresses
Action Items: NAC Communications
Identify your “security sensors” such as IDS, IPS, SIM, Vulnerability Analyzers, and even NetFlow data.
• This will probably overlap in some ways with the information provided by end-point management tools (Patchlink, BigFix, Altiris, etc.)
Determine where NAC can make use of this data and how well your vendor supports it.
Look at how NAC can make your network security tools “smarter” by sharing information about network users.

6. How does NAC change how everyone thinks about the network?
NAC Fundamentally Changes the Way You Think About the Network
Before: Switching Infrastructure. You plug things in, and they work.
After: Policy Enforcement Infrastructure. You plug things in, and maybe they work.
Dealing with a fundamental change requires layer 8, 9, and 10 support
Simple Fact: All Security Creates False Positives
[Diagram: trade-off between “Catch more bad stuff, block more good stuff” and “Catch less bad stuff, block less good stuff”]
Keep In Mind The Guiding Principle of NAC
The Goal of NAC Is to Allow Devices to Connect to the Network. (Not to Keep Devices off of the Network)
J-P’s Principle of NACology: Forewarned is Forearmed
Visibility gives you the best opportunity to avoid problems
What just happened? Where is this system? Why did the connection fail? What the heck is on the network?
Gaining visibility is good network discipline anyway
Network Management Tools with Discovery: IPMonitor, What’sUp
3rd Party NAC Add-ons for Inventory: Great Bay, ID Engines
Vulnerability Scanners and Mappers: Nessus, nmap, Sourcefire RNA, Tenable PVS
IDS using Signatures and NBAD techniques: Mazu, Lancope, & the usual suspects
Action Items: Change in Thinking
Socialize the changes that NAC will bring before you run into problems and before they start affecting network usage.
Become “forearmed” by making use of existing tools for network discovery and visibility as part of your NAC plans.
Where appropriate, add new visibility tools to your network to support NAC help desk as well as audit and trust-but-verify functions.

7. How will you resolve NAC susceptibility to security attacks?
All Security Systems Have Vulnerabilities You Must Understand
[Diagram: Corporate Net, NAC Policy Server]
For Example: An out-of-band NAC solution requires management links between devices and the policy server. How is this Secured? Authenticated? Validated? SSL Certificate?
Complex and Cross-Platform Solutions Need Extra Care
Areas of Concern               | Potential Issues
Data Feeds                     | Impersonation; Loss; Privacy of Information
SSL; RADIUS                    | Certificates and Trusted Roots; Protection of private keys; Renewals
Client APIs                    | Registration and impersonation vulnerabilities
SNMP Tools                     | Lack of SNMP authentication in devices; clear-text passwords; UDP lossage; change control
Command-Line Management Links  | CLI passwords; clear-text management; credential management; change control
Action Items: Security Vulnerabilities
Work with your vendor to identify areas of “linkage” between components where you need to be concerned.
Identify specific training issues for end-users related to potential vulnerabilities (such as SSL certificates).
Get outside help to review security vulnerabilities and identify areas for increased vigilance.

8. How will NAC’s lifecycle and your Organization’s lifecycles mesh?
End-Point Security Assessment isn’t a “yes/no” answer
[Diagram: System is evaluated → System loses access and goes into quarantine → System must have remediation of some type]
NAC end-point strategy must match the organization’s strategy
Detect → Remediate → Quarantine → Allow
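Because assessment is not a yes/no answer, the policy server's output has to be a lifecycle state plus what the desktop team needs to move the system on to the next one. The Python below is an added example (not from the deck) of that shape of decision: it classifies a posture report as allow, remediate (limited access plus instructions the user can act on) or quarantine, treats a missing report the way the lying-clients discussion suggests, and keeps the earlier compliance-versus-infection distinction by taking the infection flag from an external sensor rather than from the client. The report keys, thresholds and remediation actions are assumptions; real posture collectors and validators define their own schemas.

```python
"""Added example (not from the slides): turn an end-point posture report into
a lifecycle decision instead of a yes/no verdict.

The report keys, policy thresholds and remediation actions are assumed and
constructed for this example; real posture collectors and validators define
their own schemas.
"""
from dataclasses import dataclass, field


@dataclass
class Decision:
    state: str                          # "allow", "remediate" or "quarantine"
    reasons: list = field(default_factory=list)
    remediation: list = field(default_factory=list)


# Constructed policy thresholds.
POLICY = {
    "max_av_signature_age_days": 7,
    "max_missing_critical_patches": 0,
    "require_host_firewall": True,
}


def evaluate_posture(report, policy=POLICY):
    """Classify a posture report (a dict, or None when no report was received).

    - no report (agent absent, or a client that refuses to talk): quarantine
    - failures the user can fix in place: remediate (limited access plus instructions)
    - failures that make the host a risk to its neighbours: quarantine
    - everything passes: allow
    """
    if report is None:
        return Decision("quarantine", ["no posture report received"],
                        ["install or start the NAC agent"])

    reasons, fixes = [], []
    quarantine = False

    # A missing value is treated as the worst case, never as a pass.
    if report.get("av_signature_age_days", float("inf")) > policy["max_av_signature_age_days"]:
        reasons.append("antivirus signatures stale")
        fixes.append("update antivirus signatures")
    if report.get("missing_critical_patches", float("inf")) > policy["max_missing_critical_patches"]:
        reasons.append("missing critical patches")
        fixes.append("run patch management")
        quarantine = True   # unpatched hosts go to a remediation VLAN, not the user network
    if policy["require_host_firewall"] and not report.get("host_firewall_enabled", False):
        reasons.append("host firewall disabled")
        fixes.append("enable host firewall")
    # Compliance and infection are different questions: this flag would come from
    # an external sensor (IDS/IPS), not from the client's own self-report.
    if report.get("infected_per_sensor", False):
        reasons.append("infection reported by external sensor")
        fixes.append("isolate, then reimage or clean the host")
        quarantine = True

    if not reasons:
        return Decision("allow")
    return Decision("quarantine" if quarantine else "remediate", reasons, fixes)


if __name__ == "__main__":
    sample = {"av_signature_age_days": 30, "missing_critical_patches": 0,
              "host_firewall_enabled": True}            # constructed report
    d = evaluate_posture(sample)
    print(d.state, d.reasons, d.remediation)
```

The remediation list is the part the desktop team cares about: a quarantine that tells the user nothing generates the help-desk call, while one that says what to fix is the path back to "allow".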
Key Advice: Know When To Throw the Ball to the Other Team
The Organization must have infrastructure in place before you can even start down the NAC path.
Take a lifecycle view of end-points.
Don’t fixate on just one aspect of the cycle (such as evaluation).
Action Items: Lifecycle
Have your end-system lifecycle already implemented and running before you add NAC to the picture.
Ensure that your NAC solution will fully support the lifecycle the desktop team has endorsed.
Build management bridges carefully to keep desktop and network people out of each other’s hair.

9. What value does NAC bring to the Organization?
This one, you’re going to have to answer for yourself
But here are some things people have said they used to build an ROI case for NAC:
• Reduced help-desk calls (after initial spike)
• Reduced cost of RIAA subpoena answers
• Better ability to answer compliance requirements
• Reduced cost on Moves/Adds/Changes by making the network more dynamic
• Reduced load on “high cost” staff by allowing “lower cost” staff to grant access
Thanks!
Joel Snyder, Senior Partner
Opus [email protected]