
Why NAC and Why Not NAC


DESCRIPTION

Network Access Control (NAC) can protect your network from insecure endpoints and enforce security policies. Yet deploying NAC can be a huge challenge. Does it make sense for your organization to take the plunge? Find out how to answer that question by understanding how open standards enable technology that helps ensure endpoint compliance with integrity policies at, and after, network connection.


Page 1: Why NAC and Why Not NAC

Why NAC and Why Not NAC?
Avoid NAC Pitfalls with a Standards-Based Approach

Lisa Lorenzin
Why NAC and Why Not NAC?
I1, 4/28/2008

AGENDA
• Why Access Control?
• Trusted Network Connect
• TNC Implementation
• TNC and Microsoft NAP
• Avoiding NAC Pitfalls

Page 2: Why NAC and Why Not NAC

Why Access Control?

Network Security Problems (diagram)
As access increases, network security decreases:
• Increased threat volume
• Careless users
• Faster outbreaks
• More targets
• Malicious attackers

Sources of exposure:
• Mobile devices transiting the LAN perimeter
• Unmanaged or ill-managed endpoints
• Partner, contractor, and guest access
• Mission-critical network assets

Consequences:
• Critical data at risk
• Threats bypass perimeter security
• Control of corporate network can be lost

Page 3: Why NAC and Why Not NAC

Enterprise Trends (diagram)
Worms, viruses, spyware, malware, Trojans and more. Exploding access requirements result in rapidly dissolving network boundaries and new demands on IT organizations to provide secure access.

• Internet / Remote Access – employees, business partners, customers, guests
  Solved by DMZ deployments of firewalls, IDP, SSL VPNs
• Campus – guests, contractors, managed/ill-managed endpoints, trusted/untrusted traffic
  Lack of control, ill-managed endpoints
• Remote Offices / Branch Offices
• Server Farms / Data Center – business apps, e-mail, internal resources
  Trust is presumed, but unenforceable; vulnerable servers are accessed by EVERY user population
• Diverse users – employees, business partners, customers, guests, contractors

Need for Comprehensive ACCESS CONTROL


What do you need from NAC?

What do you want it to do?
1. Evaluation of security state before connection
2. Quarantine and/or remediation for non-compliant users
3. Identity-based network admission control – Can you get on the network?
4. Policy- and identity-based access control based on user identity – What can you get access to?
5. Evaluation of security state throughout the session – Threat management

For which users?
1. Guest Users
   – Difficult to assess security state
   – Unmanageable devices
2. Contractors
   – Not onsite
   – Need access to a variety of mission-critical resources
3. On-site employees
   – May lack security awareness
4. Remote or mobile employees
   – Use the system outside of the office
   – May be careless
   – May run unauthorized applications

Page 4: Why NAC and Why Not NAC

Deployment Considerations
• Can you deploy in a phased or selective manner?
  – No one is ready for enterprise-wide, but some segments or users are critical
  – What is required to get it going today?
• Is the solution really open?
  – A large group of partners interoperating with a proprietary architecture isn't an open system
  – Network infrastructure is fluid, not static – is a solution going to lock you in?


• Has it been tested?

NAC Solutions
Features
• Control access
  – to critical resources
  – to entire network
• Based on
  – user identity and role
  – endpoint identity and health
  – other factors
• With
  – remediation
  – management controls
Benefits
• Consistent access controls
• Reduced downtime
  – Healthier endpoints
  – Fewer outbreaks
• Safe remote access
• Safe contractor and guest access

Network access control must be a key component of every network!

Page 5: Why NAC and Why Not NAC

Challenges of NAC
• Vendor lock-in
  – Proprietary solutions require hardware rip-and-replace
• Project scope
  – Need to secure thousands of endpoints, hundreds of remote offices, a variety of user communities…
• Complexity
  – Too many moving parts, both in your network and in the solution
• Disruption of business practices
  – Confusion, frustration, potential down-time
• Support costs
  – User impact == helpdesk impact
• Uncertain future
  – Relatively new technology - where is it going?


Trusted Network Connect


Page 6: Why NAC and Why Not NAC

Trusted Network Connect
• Open Architecture for Network Access Control
  – Strong security through trusted computing
• Open Standards to Ensure Interoperability
  – Full set of specifications
  – Products shipping today
• Work Group of Trusted Computing Group
  – Industry standards group
  – Focus on Trusted Computing
  – Over 175 member companies


Why is TNC Necessary?
• Inappropriate and unauthorized access
  – Takes many forms
  – Has many consequences
• Network administrators need an architecture designed to assist in protecting networks
  – Audit endpoint configuration
  – Impose security policies before connection
  – Validate compliance throughout session
• The TNC architecture builds on existing industry standards and defines new standards as necessary
• Objective: enabling non-proprietary and interoperable solutions within multi-vendor environments


Page 7: Why NAC and Why Not NAC

TNC Architecture (diagram; the only label recovered from the figure is "VPN")


TNC Architecture Detail (diagram)
Three parties, left to right: Access Requestor (AR), Policy Enforcement Point (PEP), Policy Decision Point (PDP).

Access Requestor:
• Integrity Measurement Collectors (IMC)
• TNC Client (TNCC), reached from the IMCs over IF-IMC
• Network Access Requestor
• Platform Trust Service (PTS), reached over IF-PTS and backed by the TSS and the TPM

Policy Decision Point:
• Integrity Measurement Verifiers (IMV)
• TNC Server (TNCS), reached from the IMVs over IF-IMV
• Network Access Authority

Peer relationships across the architecture:
• IMC ↔ IMV: IF-M
• TNCC ↔ TNCS: IF-TNCCS
• Network Access Requestor ↔ Network Access Authority: IF-T, carried through the PEP
• PEP ↔ Network Access Authority: IF-PEP
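The admission flow that the "What do you need from NAC?" list and the TNC Architecture Detail diagram describe (IMCs collect, IMVs verify, the TNC Server combines the verdicts, the Network Access Authority decides, the PEP enforces, and the endpoint is re-assessed during the session) is easier to follow as running code. The Python below is an added illustration, not code from the presentation, from Juniper UAC or from the TNC specifications: it models each architectural role as a plain function and does not implement the real IF-IMC/IF-IMV plug-in APIs or the IF-M/IF-TNCCS message formats. The endpoint dictionaries, the antivirus signature-age threshold, the role names and the network names are assumptions invented for the example.

```python
"""Conceptual walk-through of the TNC admission flow on the two slides above.
Added illustration only (not the deck's, Juniper's or the TNC specs' code):
the real IF-IMC/IF-IMV APIs and IF-M/IF-TNCCS message formats are not modelled."""
from enum import IntEnum


class Recommendation(IntEnum):
    """IMV recommendation, ordered so max() yields the most restrictive one."""
    ALLOW = 0
    ISOLATE = 1
    NO_ACCESS = 2


# Access Requestor side: IMCs read the endpoint (a constructed dict here) and
# report (component, attributes) pairs, standing in for IF-M measurements.
def antivirus_imc(endpoint):
    return "antivirus", {"running": endpoint["av_running"],
                         "signature_age_days": endpoint["av_sig_age_days"]}

def patch_imc(endpoint):
    return "patch", {"missing_critical": list(endpoint["missing_critical"])}

def firewall_imc(endpoint):
    return "firewall", {"enabled": endpoint["fw_enabled"]}

IMCS = [antivirus_imc, patch_imc, firewall_imc]

# Policy Decision Point side: each IMV verifies its peer IMC's measurement and
# returns a recommendation plus an optional remediation instruction.
def antivirus_imv(attrs):
    if not attrs["running"]:
        return Recommendation.ISOLATE, "start antivirus"
    if attrs["signature_age_days"] > 7:  # invented freshness threshold
        return Recommendation.ISOLATE, "update antivirus signatures"
    return Recommendation.ALLOW, None

def patch_imv(attrs):
    if attrs["missing_critical"]:
        return Recommendation.ISOLATE, "install critical patches: " + ", ".join(attrs["missing_critical"])
    return Recommendation.ALLOW, None

def firewall_imv(attrs):
    if not attrs["enabled"]:
        return Recommendation.NO_ACCESS, "host firewall disabled"  # treated as a hard failure
    return Recommendation.ALLOW, None

IMVS = {"antivirus": antivirus_imv, "patch": patch_imv, "firewall": firewall_imv}

def tnc_server(measurements):
    """TNCS: combine the IMV recommendations; the most restrictive one wins."""
    overall, remediation = Recommendation.ALLOW, []
    for component, attrs in measurements:
        rec, action = IMVS[component](attrs)
        overall = max(overall, rec)
        if action:
            remediation.append(action)
    return overall, remediation

ROLE_NETWORK = {"employee": "corp", "contractor": "partner", "guest": "guest"}  # invented names

def network_access_authority(user, endpoint):
    """NAA: identity/role plus endpoint health -> the decision handed to the PEP.
    endpoint=None models an unmanaged device with no agent: guests get the guest
    network without assessment; anyone else is parked on the remediation network."""
    if endpoint is None:
        if user["role"] == "guest":
            return {"decision": "allow", "network": "guest", "remediation": []}
        return {"decision": "quarantine", "network": "remediation",
                "remediation": ["install the access agent"]}
    health, remediation = tnc_server([imc(endpoint) for imc in IMCS])
    if health == Recommendation.NO_ACCESS:
        return {"decision": "deny", "network": None, "remediation": remediation}
    if health == Recommendation.ISOLATE:
        return {"decision": "quarantine", "network": "remediation", "remediation": remediation}
    return {"decision": "allow", "network": ROLE_NETWORK[user["role"]], "remediation": []}

def pep_apply(port_table, port, outcome):
    """PEP: put the port on the network the PDP chose (None = port stays closed)."""
    port_table[port] = outcome["network"]
    return port_table[port]

def reassess(port_table, port, user, endpoint):
    """In-session check: rerun collection and verification, re-enforce if it changed."""
    outcome = network_access_authority(user, endpoint)
    changed = port_table.get(port) != outcome["network"]
    pep_apply(port_table, port, outcome)
    return outcome["decision"], changed


if __name__ == "__main__":
    alice = {"name": "alice", "role": "employee"}                 # constructed user
    laptop = {"av_running": True, "av_sig_age_days": 1,           # constructed endpoint
              "missing_critical": [], "fw_enabled": True}
    ports = {}
    first = network_access_authority(alice, laptop)
    print(first["decision"], pep_apply(ports, "port-7", first))  # allow corp
    laptop["av_running"] = False                                  # antivirus stops mid-session
    print(reassess(ports, "port-7", alice, laptop))               # ('quarantine', True)
```

Run directly, the script admits an employee to the corporate network and then moves the port to the remediation network when the in-session reassessment finds antivirus stopped. The "most restrictive recommendation wins" rule in `tnc_server` is the design choice worth noting: a single failed verifier is enough to isolate or deny, while remediation instructions from every failing verifier are collected so the user can fix everything in one pass rather than bouncing in and out of quarantine.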


Page 8: Why NAC and Why Not NAC

TNC, NAP, and C-NAC – simply different ways to attain network access control
(colour key in the original figure: GREEN = TNC, YELLOW = NAP, RED = C-NAC. NAP and C-NAC are proprietary; TNC is open standards, and therefore interoperable.)

Layer                      | TNC                      | NAP                     | C-NAC
Security software          | IMCs                     | System Health Agents    | NAC Agent
Integrity client           | TNC Client               | NAP Agent               | NAC Agent
Network access requester   | Network Access Requester | Endpoint                | –
Policy server              | IMVs                     | System Health Verifiers | NAC Manager
Integrity server           | TNC Server               | Network Policy Server   | Authenticator
Net access authority       | Network Access Authority | RADIUS                  | Authenticator
Network access device / endpoint authenticator (the enforcement device, common to all three)

TNC Architecture - Support
• Access Requestor: Endpoint – supplicant / VPN client, etc.
• Policy Enforcement Point: Network Device – FW, switch, router, gateway
• Policy Decision Point: AAA Server – RADIUS, Diameter, IIS, etc.


Page 9: Why NAC and Why Not NAC

TNC Advantages
• Open standards
  – Enables customer choice
• Leverages existing network infrastructure
  – Reduces costs and deployment time
• Roadmap for the future
  – Full suite of standards
  – Supports optional Trusted Platform Module (TPM)
    • Solves critical problem with existing products: i.e., root kits
    • 10s of millions of clients with TPMs in enterprise today
• Products supporting TNC standards shipping today
  – Certification and compliance program in development for TNC approved solutions


What about IETF?
• IETF Network Endpoint Assessment (NEA) WG
  – Goal: Universal Agreement on NAC Protocols
    • Co-chaired by Cisco rep and TNC WG chair
  – Steady progress towards goal
    • March 2006 - first NEA BOF
    • October 2006 - NEA WG chartered by IESG
    • March 2007 - first draft of NEA requirements
    • December 2007 - submitted NEA requirements for IESG evaluation
    • January 2008 - candidate protocol proposals solicited
• One Set of Proposals
  – PA-TNC and PB-TNC
  – Equivalent to IF-M 1.0 and IF-TNCCS 2.0
• Current status
  – General consensus at IETF 71 and on NEA email list to accept TNC submissions as candidate protocols


Page 10: Why NAC and Why Not NAC

TNC Implementation


TNC Implementation in UAC (diagram)
The slide repeats the TNC Architecture Detail diagram (Access Requestor with IMCs, TNC Client and Network Access Requestor; Policy Enforcement Point; Policy Decision Point with IMVs, TNC Server and Network Access Authority; Platform Trust Service with TSS and TPM; interfaces IF-IMC, IF-IMV, IF-M, IF-TNCCS, IF-T, IF-PEP and IF-PTS) and overlays the UAC components on it: the UAC Host Checker sits at the IF-IMC interface on the Access Requestor, and IF-TNCCS-SOH is shown beside IF-TNCCS between the TNC Client and the TNC Server.

Page 11: Why NAC and Why Not NAC

Unified Access Control
• UAC 2.1 is TNC compliant for truly open architecture
• UAC 2.1 interoperates with any 802.1X infrastructure, wired or wireless
• Access control for guests, contractors and employees
• UAC 2.1 can be deployed via:
  – 802.1X only
  – Overlay w/firewall only
  – Both, for maximum granularity

Diagram components: UAC Agent with OAC on the endpoint; 802.1X admission to the network; Central Policy Manager with SBR, backed by AAA servers and identity stores; Firewall Enforcers in front of protected resources. Flow: endpoint profiling, user auth, endpoint policy → dynamic role provisioning → user admission to network resources → user access to protected resources.


TNC-Based Ecosystem (diagram)
AR (UAC Agent w/OAC, or agentless) → PEP (network infrastructure at the network perimeter) → PDP, with the PDP consulting AAA servers and identity stores. Surrounding systems: patch management, AV / anti-spyware, classified data stores / apps, and a Security Information & Event Manager (SIEM).


Page 12: Why NAC and Why Not NAC

Standards-based NAC (diagram)
Centralized validation, distributed enforcement.
• Campus HQ Wired/Wireless – Mitigate threats with user and endpoint validation prior to wireless access; standards-based enforcement in heterogeneous switch/access point networks
• Data Center – Control access to internet, data center & campus resources; gain visibility & control for user/device access to network, resources & applications
• Branch Office – Flexible solution to support access control in distributed networks
• Also shown: High Availability, Internet, Applications


TNC and Microsoft NAP


Page 13: Why NAC and Why Not NAC

TNC/NAP Interoperability
• TNC and NAP can interoperate
  – Enabled by a new TNC specification (IF-TNCCS-SOH)
  – IF-TNCCS-SOH support already included in Windows Vista
  – IF-TNCCS-SOH support will be in Windows Server 2008 and Windows XP SP3
• Benefits of interoperability
  – Easier implementation – can use built-in Windows NAP client
  – Rapid deployment – can proceed with confidence now
  – Choice and compatibility – through open standards
  – Market clarification – clear convergence on TNC


Enabling Interoperability
• 5/21/07 – TNC publishes the standard
  – TNC adopts and publishes Microsoft Statement of Health Protocol as a new TNC standard, IF-TNCCS-SOH
  – Enables interoperability of NAP clients and servers with TNC clients, servers and infrastructure
• Interop Las Vegas 2007 – Demonstration of standard
  – Microsoft and TNC members demonstrate solutions based on IF-TNCCS-SOH
• Ongoing – Commercial availability of standard
  – IF-TNCCS-SOH built into Windows Vista now
  – Microsoft to ship Windows Server 2008 and Windows XP SP3 with IF-TNCCS-SOH support
  – TNC members start shipping IF-TNCCS-SOH based products by 1H 2008

Diagram: NAP Client or UAC Agent ↔ Switches, APs, Appliances, Servers, etc. ↔ Microsoft NPS or Juniper Infranet Controller, over IF-TNCCS-SOH

Page 14: Why NAC and Why Not NAC

What This Means For You
Jointly developed, open standards-based access control enabling:
• Investment protection
  – Flexible solution that can change with your network
• Simplified deployment with built-in choice
• Delivers more adaptive solution
• Lower Total Cost of Ownership
  – Interoperable standards
  – Built in functionality with Microsoft Vista client – No Extra Charge
• Faster Return on Investment


Standards + Interoperability = A Safe Investment

Avoiding NAC Pitfalls


Page 15: Why NAC and Why Not NAC

TNC vs. Challenges of NAC
• Interoperability - work with what you already have
  – Eliminates vendor lock-in
• Reliability - use best-of-breed
  – Minimizes disruption of business practices
• Flexibility - tackle the low-hanging fruit first
  – Reduces complexity
  – Accommodates project scope in phases
• Transparency, communication, auto-remediation
  – Lower support cost, higher user acceptance
• Evolving standard - meet future as well as present needs
  – Prepares for whatever the future brings

Summary
• TNC is an open network access control architecture and standard
• TNC delivers:
  – Vendor-agnostic, multi-vendor support for diverse, heterogeneous networking environments
  – Cost and deployment time reductions by leveraging installed products
  – An alternative to single vendor lock-in
  – A thorough and open technical review of standards
  – The ability to evaluate and secure managed endpoints
  – Higher, faster Return on Investment (ROI)
  – Answers to the many challenges of NAC
  – CHOICE!

Page 16: Why NAC and Why Not NAC

Questions?

Lisa Lorenzin
[email protected]
http://www.trustedcomputinggroup.org/groups/network/