Network Access Control (NAC) can protect your network from insecure endpoints and enforce security policies. Yet deploying NAC can be a huge challenge. Does it make sense for your organization to take the plunge? Find out how to answer that question by understanding how open standards enable technology that helps ensure endpoint compliance with integrity policies at, and after, network connection.
Why NAC and Why Not NAC?
Avoid NAC Pitfalls with a Standards-Based Approach
Lisa Lorenzin
I1, 4/28/2008
AGENDA
• Why Access Control?
• Trusted Network Connect
• TNC Implementation
• TNC and Microsoft NAP
• Avoiding NAC Pitfalls
Why Access Control?
Network Security Problems
As access increases, network security decreases:
• Increased threat volume
• Faster outbreaks
• Careless users
• More targets
• Malicious attackers
Where the exposure comes from:
• Mobile devices transiting the LAN perimeter
• Unmanaged or ill-managed endpoints
• Mission critical network assets
• Partner, contractor, and guest access
Consequences:
• Critical data at risk
• Threats bypass perimeter security
• Control of corporate network can be lost
Enterprise Trends
Exploding access requirements result in rapidly dissolving network boundaries and new demands on IT organizations to provide secure access.
Threats: worms, viruses, spyware, malware, Trojans and more.
• Remote Access (Internet) – employees, business partners, customers, guests
  – Solved by DMZ deployments of firewalls, IDP, SSL VPNs
• Campus – diverse users (employees, business partners, customers, guests, contractors); managed / ill-managed endpoints; trusted / untrusted traffic
  – Lack of control; ill-managed endpoints
  – Trust is presumed, but unenforceable
• Server Farms / Data Center – business apps, e-mail, internal resources
  – Vulnerable servers are accessed by EVERY user population
• Remote Offices / Branch Offices – WAN access
Need for Comprehensive ACCESS CONTROL
What do you need from NAC?
What do you want it to do?
1. Evaluation of security state before connection
2. Quarantine and/or remediation for non-compliant users
3. Identity-based network admission control
   – Can you get on the network?
4. Policy- and identity-based access control based on user identity
   – What can you get access to?
5. Evaluation of security state throughout the session
   – Threat management
For which users?
1. Guest users
   – Difficult to assess security state
   – Unmanageable devices
2. Contractors
   – Not onsite
   – Need access to a variety of mission-critical resources
3. On-site employees
   – May lack security awareness
4. Remote or mobile employees
   – Use the system outside of the office
   – May be careless
   – May run unauthorized applications
Deployment Considerations
• Can you deploy in a phased or selective manner?
  – No one is ready for enterprise-wide, but some segments or users are critical
  – What is required to get it going today?
• Is the solution really open?
  – A large group of partners interoperating with a proprietary architecture isn't an open system
  – Network infrastructure is fluid, not static – is a solution going to lock you in?
• Has it been tested?
NAC Solutions
Features
• Control access
  – to critical resources
  – to entire network
• Based on
  – user identity and role
  – endpoint identity and health
  – other factors
• With
  – remediation
  – management
Benefits
• Consistent access controls
• Reduced downtime
  – Healthier endpoints
  – Fewer outbreaks
• Safe remote access
• Safe contractor and guest access
Network access control must be a key component of every network!
Challenges of NAC
• Vendor lock-in
  – Proprietary solutions require hardware rip-and-replace
• Project scope
  – Need to secure thousands of endpoints, hundreds of remote offices, a variety of user communities…
• Complexity
  – Too many moving parts, both in your network and in the solution
• Disruption of business practices
  – Confusion, frustration, potential down-time
• Support costs
  – User impact == helpdesk impact
• Uncertain future
  – Relatively new technology – where is it going?
Trusted Network Connect
Trusted Network Connect
• Open Architecture for Network Access Control
  – Strong security through trusted computing
• Open Standards to Ensure Interoperability
  – Full set of specifications
  – Products shipping today
• Work Group of Trusted Computing Group
  – Industry standards group
  – Focus on Trusted Computing
  – Over 175 member companies
Why is TNC Necessary?
• Inappropriate and unauthorized access
  – Takes many forms
  – Has many consequences
• Network administrators need an architecture designed to assist in protecting networks
  – Audit endpoint configuration
  – Impose security policies before connection
  – Validate compliance throughout session
• The TNC architecture builds on existing industry standards and defines new standards as necessary
• Objective: enabling non-proprietary and interoperable solutions within multi-vendor environments
TNC Architecture (diagram; shows a VPN among the network components)
TNC Architecture Detail (diagram)
Access Requestor (AR):
• Integrity Measurement Collectors (IMC)
• TNC Client (TNCC) – talks to the IMCs over IF-IMC
• Network Access Requestor
• Platform Trust Service (PTS), reached over IF-PTS and backed by the TSS and the TPM
Policy Enforcement Point (PEP)
Policy Decision Point (PDP):
• Integrity Measurement Verifiers (IMV)
• TNC Server (TNCS) – talks to the IMVs over IF-IMV
• Network Access Authority
Interfaces:
• IF-M – peer relationship between IMC and IMV
• IF-TNCCS – peer relationship between TNC Client and TNC Server
• IF-T – transport between Network Access Requestor and Network Access Authority
• IF-PEP – between Policy Decision Point and Policy Enforcement Point
• IF-IMC / IF-IMV – how the TNC Client and TNC Server load and drive their collectors and verifiers
• IF-PTS – Platform Trust Service interface
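As an added example that is not part of the presentation or of the TNC specifications, the following Python models the decision flow that the "What do you need from NAC?" requirements and the architecture detail above describe: IMCs on the Access Requestor collect measurements, IMVs on the Policy Decision Point evaluate them, the TNC Server combines identity-based admission with the IMV verdicts, and the PEP turns the result into a network role, with the same call repeated to re-evaluate an endpoint during its session. The measurement fields, the patch threshold, the role names and the severity ordering are assumptions made for this example; the real IF-IMC, IF-IMV, IF-M and IF-PEP specifications define the actual APIs and wire formats.

```python
# Added illustration, not from the presentation or the TNC specifications:
# a toy model of one TNC assessment cycle. Component names follow the
# architecture slide; measurement fields, thresholds and the severity
# ordering are assumptions made for this example.
from dataclasses import dataclass

ALLOW, ISOLATE, NO_ACCESS = "allow", "isolate", "no-access"
SEVERITY = {ALLOW: 0, ISOLATE: 1, NO_ACCESS: 2}   # worst verdict wins
REQUIRED_PATCH_LEVEL = 10                          # assumed policy threshold
# Identity-based access control: what an admitted, healthy role may reach.
ROLE_ACCESS = {"employee": "full-access", "contractor": "contractor-resources",
               "guest": "internet-only"}

@dataclass
class Endpoint:
    """State of the Access Requestor that the IMCs measure."""
    role: str            # identity/role established at authentication
    av_running: bool
    patch_level: int

def imc_collect(ep):
    """Integrity Measurement Collectors: one measurement per IMC, handed to
    the TNC Client (IF-IMC) and carried to the TNC Server (IF-TNCCS)."""
    return {"antivirus": {"running": ep.av_running},
            "patches": {"level": ep.patch_level}}

def imv_antivirus(m):
    """IMV: a stopped AV is fixable, so quarantine for remediation."""
    return ALLOW if m["running"] else ISOLATE

def imv_patches(m):
    return ALLOW if m["level"] >= REQUIRED_PATCH_LEVEL else ISOLATE

IMVS = {"antivirus": imv_antivirus, "patches": imv_patches}

def tncs_decide(role, measurements):
    """TNC Server on the PDP: identity-based admission first (unknown role
    is refused outright), then the worst verdict from the IMVs."""
    verdicts = [ALLOW if role in ROLE_ACCESS else NO_ACCESS]
    verdicts += [IMVS[name](m) for name, m in measurements.items()]
    return max(verdicts, key=SEVERITY.__getitem__)

def pep_enforce(ep):
    """One assessment: collect, decide, enforce at the PEP (IF-PEP). Calling
    it again during the session re-evaluates a changed endpoint."""
    verdict = tncs_decide(ep.role, imc_collect(ep))
    if verdict == ALLOW:
        return ROLE_ACCESS[ep.role]
    return "remediation-vlan" if verdict == ISOLATE else "denied"
```

Admission (can you get on?) and access (what can you reach?) are kept as separate decisions, which is the distinction the requirements slide draws between items 3 and 4.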
TNC, NAP, and C-NAC
TNC, NAP, C-NAC – simply different ways to attain network access control.
NAP, C-NAC = proprietary; TNC = open standards = interoperable.
Legend on the slide: GREEN = TNC, YELLOW = NAP, RED = C-NAC.

Layer                      TNC                        NAP                        C-NAC
Endpoint
  Security Software        IMCs                       System Health Agents       NAC Agent
  Integrity Client         TNC Client                 NAP Agent                  NAC Agent
  Access Software          Network Access Requester
Network Access Device
Policy server
  Policy Server            IMVs                       System Health Verifiers    NAC Manager
  Integrity Server         TNC Server                 Network Policy Server      Authenticator
  Net Access Authority     Network Access Authority   RADIUS                     Authenticator
TNC Architecture – Support
• Access Requestor: Endpoint – supplicant / VPN client, etc.
• Policy Enforcement Point: Network Device – FW, switch, router, gateway
• Policy Decision Point: AAA server – RADIUS, Diameter, IIS, etc.
TNC Advantages
• Open standards
  – Enables customer choice
• Leverages existing network infrastructure
  – Reduces costs and deployment time
• Roadmap for the future
  – Full suite of standards
  – Supports optional Trusted Platform Module (TPM)
• Solves a critical problem with existing products, i.e. root kits
• 10s of millions of clients with TPMs in enterprise today
• Products supporting TNC standards shipping today
  – Certification and compliance program in development for TNC approved solutions
What about IETF?
• IETF Network Endpoint Assessment (NEA) WG
  – Goal: universal agreement on NAC protocols
  – Co-chaired by Cisco rep and TNC WG chair
  – Steady progress towards goal
• March 2006 – first NEA BOF
• October 2006 – NEA WG chartered by IESG
• March 2007 – first draft of NEA requirements
• December 2007 – submitted NEA requirements for IESG evaluation
• January 2008 – candidate protocol proposals solicited
• One set of proposals
  – PA-TNC and PB-TNC
  – Equivalent to IF-M 1.0 and IF-TNCCS 2.0
• Current status
  – General consensus at IETF 71 and on NEA email list to accept TNC submissions as candidate protocols
TNC Implementation
TNC Implementation in UAC (diagram: the TNC Architecture Detail with Juniper UAC components mapped onto it. The UAC Host Checker sits at the TNC Client / IF-IMC position on the Access Requestor, and IF-TNCCS-SOH appears alongside IF-TNCCS between TNC Client and TNC Server; the IMVs, TNC Server and Network Access Authority on the PDP, the PEP over IF-PEP, and the PTS / TSS / TPM over IF-PTS are as in the generic architecture.)
Unified Access Control
• UAC 2.1 is TNC compliant for truly open architecture
• UAC 2.1 interoperates with any 802.1X infrastructure, wired or wireless
• Access control for guests, contractors and employees
• UAC 2.1 can be deployed via:
  – 802.1X only
  – Overlay w/firewall only
  – Both, for maximum granularity
(Diagram: UAC Agent with OAC on the endpoint; Central Policy Manager with SBR, backed by AAA servers and identity stores, performing endpoint profiling, user auth, endpoint policy and dynamic role provisioning; 802.1X for user admission to network resources; Firewall Enforcers for user access to protected resources.)
TNC-Based Ecosystem (diagram: AR = UAC Agent w/OAC or agentless; PEP = network infrastructure at the network perimeter; PDP backed by AAA servers and identity stores; surrounding systems: patch management, AV / anti-spyware, classified data stores / apps, Security Information & Event Manager (SIEM).)
Standards-based NAC
Centralized validation, distributed enforcement (diagram spanning Campus HQ wired/wireless, Data Center, Branch Office, Internet and Applications), with these callouts:
• Mitigate threats with user and endpoint validation prior to wireless access
• Standards-based enforcement in heterogeneous switch/access point networks
• Gain visibility & control for user/device access to network, resources & applications
• Control access to Internet, data center & campus resources
• High availability
• Flexible solution to support access control in distributed networks
TNC and Microsoft NAP
TNC/NAP Interoperability
• TNC and NAP can interoperate
  – Enabled by a new TNC specification (IF-TNCCS-SOH)
  – IF-TNCCS-SOH support already included in Windows Vista
  – IF-TNCCS-SOH support will be in Windows Server 2008 and Windows XP SP3
• Benefits of interoperability
  – Easier implementation – can use built-in Windows NAP client
  – Rapid deployment – can proceed with confidence now
  – Choice and compatibility – through open standards
  – Market clarification – clear convergence on TNC
Enabling Interoperability
• 5/21/07 – TNC publishes the standard
  – TNC adopts and publishes Microsoft Statement of Health Protocol as a new TNC standard, IF-TNCCS-SOH
  – Enables interoperability of NAP clients and servers with TNC clients, servers and infrastructure
• Interop Las Vegas 2007 – Demonstration of standard
  – Microsoft and TNC members demonstrate solutions based on IF-TNCCS-SOH
• Ongoing – Commercial availability of standard
  – IF-TNCCS-SOH built into Windows Vista now
  – Microsoft to ship Windows Server 2008 and Windows XP SP3 with IF-TNCCS-SOH support
  – TNC members start shipping IF-TNCCS-SOH based products by 1H 2008
(Diagram: NAP Client or UAC Agent -> Switches, APs, Appliances, Servers, etc. -> Microsoft NPS or Juniper Infranet Controller, using IF-TNCCS-SOH.)
What This Means For You
Jointly developed, open standards-based access control enabling:
• Investment protection
  – Flexible solution that can change with your network
• Simplified deployment with built-in choice
• Delivers more adaptive solution
• Lower Total Cost of Ownership
  – Interoperable standards
  – Built-in functionality with Microsoft Vista client – no extra charge
• Faster Return on Investment
Standards + Interoperability = A Safe Investment
Avoiding NAC Pitfalls
TNC vs. Challenges of NAC
• Interoperability – work with what you already have
  – Eliminates vendor lock-in
• Reliability – use best-of-breed
  – Minimizes disruption of business practices
• Flexibility – tackle the low-hanging fruit first
  – Reduces complexity
  – Accommodates project scope in phases
• Transparency, communication, auto-remediation
  – Lower support cost, higher user acceptance
• Evolving standard – meet future as well as present needs
  – Prepares for whatever the future brings
Summary
• TNC is an open network access control architecture and standard
• TNC delivers:
  – Vendor-agnostic, multi-vendor support for diverse, heterogeneous networking environments
  – Cost and deployment time reductions by leveraging installed products
  – An alternative to single vendor lock-in
  – A thorough and open technical review of standards
  – The ability to evaluate and secure managed endpoints
  – Higher, faster Return on Investment (ROI)
  – Answers to the many challenges of NAC
  – CHOICE!
Questions?
Lisa Lorenzin
[email protected]
http://www.trustedcomputinggroup.org/groups/network/