SOSPG2. Implementing Network Access Controls. Nate Isaacson Security Solution Architect

Transcription

1 SOSPG2 Implementing Network Access Controls Nate Isaacson Security Solution Architect

2 Offer Pa Agenda The BYOD Challenges NAC terms The Big Picture NAC Solutions and Deployment

3 What about outside the Enterprise? The New Normal

4 MOBILE GROWTH RATE

5 MOBILE GROWTH RATE

6 YOUR USERS HAVE NEW EXPECTATIONS The Evolving Workplace Landscape NEXT GENERATION WORKFORCE Work Is No Longer a Place You Go to Work People Are Willing to Take a Pay Cut as Long as They Are Able to Work from Home 70% percent of end users admit to breaking IT policy to make their lives easier Need Anywhere, Anytime, Any Device Access DEVICE PROLIFERATION NEXT GENERATION WORKFORCE VIRTUALIZATION

7 TOP OF MIND CONCERNS The Burden Falls on IT Am I hindering my workforce from being competitive? How do I retain top talent? How do I ensure compliance with SOX, HIPAA, etc? Can I handle partners, consultants, and guests appropriately? CHANGING WORKFORCE

8 THE BORDERLESS NETWORK Intelligent Access Wherever it is Needed Anyone R=RoO x SLE An Authorized Person Borderless Networks Any Device Anywhere An Approved Device Anytime In a Secure Way As Needed

9 Glossary NAC and Security Acronyms NAC - Network Access Control ISE (Cisco NAC) - Identity Services Engine DLP - Data Loss Prevention

10 Glossary NAC and Security Acronyms PKI - Public Key Infrastructure CA - Certificate Authority CRL - Certificate Revocation List

11 Glossary NAC and Security Acronyms ACL - Access Control List dacl - Dynamic Access Control List CoA - Change of Authorization

12 Glossary NAC and Security Acronyms MDM - Mobile Device Management 802.1x - NAC authentication protocol MAB - MAC Authentication Bypass

13 STOP AND THINK What are we trying to do with NAC? A: Secure the Network B: Prevent Malware C: Maintain Regulatory Compliance D: Secure Sensitive Data E: All the above

14 Top Data Threats Procedure Policy Technology 1. Malicious insiders 2. Well-meaning insiders 3. Malicious intarweb hax0rz 4. Lost or stolen media 5. Dissemination of data 6. Mobile devices 7. BAs, suppliers, vendors, partners 8. Cloud/SaaS providers 9. Virtual offices 10. Wireless data transfers 11. Advanced Persistent Threats

15 The Big Picture DLP Outgoing Poses the Biggest Threat to Sensitive Data Monitor Usage of Sensitive Data MDM Enforce Password Enforce Data Encryption Jailbreak Detection PKI Should Unknown Devices Access Sensitive Data? Fingerprint approved devices NAC Control Access to the Private Network Manage Guest Access

16 Traditional Approach to BYOD Guest Network Wireless Conference Room ports Problematic for Wired ports SSL VPN (Application portal) Still a viable solution Virtual Desktop Citrix, Remote Desktop, VDI, etc. Still a viable solution

17 Mobile Device Management Provision Retire Secure Support Apps & Content Monitor

18 Mobile Device Management User Groups & Roles Provision Remove/Hide Unwanted Apps WiFi & VPN Settings Push Apps & Content , Contacts, & Calendars Secure Enforce Password Enforce Data Encryption OS Updates Jailbreak Detection Apps & Content Private App Store Apple VPP Distribution Web Apps & Clips Homegrown Content Locker

19 Mobile Device Management Monitor Support Retire Device Check-Ins Asset Tracking & Reporting Geo-location Remote Lock Remote Password Reset Self Service Jailbreak Detection Lost/Stolen Device Selective Wipe Full Wipe

20 How Do I Control Who and What Access the Network?

21 EVOLVING POLICIES IN A MOBILE WORLD Printers should only ever communicate internally. Internet Employees should be able to access everything but have no access on personal devices. Switch Internal Resources Campus Network Guest and partners are only allowed bandwidth constrained Internet access via wireless. Access Point Wireless LAN Controller Policy Services

22 TYPICAL POLICY OPTIONS Permit Access I have an ipad. Can I get on the network? Low maintenance High risk Tailor Access by Scenario Centralized Policy Engine Simplified, Scalable Access Policy Employee Low maintenance Low risk Deny Access Unified Access Management Converged Monitoring and Troubleshooting Low maintenance Low risk

23 Devices in the New Enterprise A Spectrum of Possibilities & New Trust Equation Enterprise Owned Enterprise Managed User Owned Enterprise Managed User Owned Unmanaged Trust the File System Trust the Device Trust the User Trust the App

24 Deploying NAC - Step 1 Develop a Written Policy Approved Devices List OS, Disk Encryption, etc. Access Methods Allowed Guest Policy BYOD/MDM Policy

25 What is a Certificate? Credential that binds your name to an identity You must be vetted by a trusted authority to get it It provides you access or privileges to communities People who did not give it to you are willing to trust it s contents

26 How Do You Manage Certificates? One option is to self-manage with readily available tools Certificate Software & Hardware Microsoft MDM s Not always Multi-platform? &%$#! Not easy to use Difficult to Scale?

27 Symantec Managed PKI Service The Leading Cloud PKI Platform And It Just Got Better Cost- Effective Deploy PKI applications quickly & easily with no upfront capital investment Simple Deliver consistent, automated, and easy-to-use operation across platforms Flexible Deliver and manage multiple PKI applications from a unified platform Scalable Build on the proven reliability of the longestrunning commercial PKI platform

28 NAC Then and Now Then Pass/Fail (NOT flexible) Few devices supported 802.1x Inline devices created bottlenecks Expensive Overall painful and not practical Now Very Flexible Most devices support 802.1x No more inline devices Affordable Overall Works as advertised

29 Evaluating NAC solutions What Authentication Methods supported AAA (802.1x) MAC Authentication (MAB) Guest management How are Policies Enforced Inline Appliance Endpoint Agent Network Layer (dynamic VLAN or ACL)

30 Evaluating NAC solutions Vendor Alignment HUGE factor Cisco network Cisco ISE Aruba Wireless Aruba ClearPass Juniper Network Juniper UAC MDM integration Don t under estimate the value of MDM Wired and Wireless Capabilities There may be discrepancies Don t assume same features for both

31 Deploying NAC Step 2 Walk before you Run What happens IF You lock down the Network on Day 1 Test and Pilot use cases Deploy in Monitor Mode Evaluate Authentication Success and failures Evaluate what policies would be assigned, prior to enforcement

32 Identity Services Engine (ISE) ACS Centralized Policy NAC Profiler NAC Guest NAC Manager NAC Server Identity Services Engine AAA Services Device Profiling Posture Assessment Guest Access Services Distributed Enforcement Centralized Monitoring and Reporting

33 IEEE 802.1X Authentication Standard for link layer authentication and access control Components: supplicant (client), authenticator (switch), and AAA server Uses Extensible Authentication Protocol (EAP) to transport authentication info. MAC Auth Bypass (MAB) Authenticate using the client s MAC address For devices that don t support 802.1X (no supplicant), such as printers. Web Authentication Cisco TrustSec MAC Authentication IEEE 802.1X For clients that don t support 802.1X (no supplicant), but are capable for interactive HTTP authentication Web Authentication

34 THE IDENTITY BASED ACCESS ARCHITECTURE Identity Context Employee Contractor Guest Device Type Access Type Location Posture Server 802.1X, Web Authentication, MAC Authentication Bypass (MAB), Profiling Authorization and Enforcement Broad Access Limited Access Guest/Internet VLAN, DACL, Security Group Access, Identity Firewall VLAN ACL Data Integrity and Confidentiality MACSec (802.1AE) Policy and Reporting

35 DIFFERENTIATED DEVICE PROFILES Users, on the same wireless network, can be associated to different wired networks after authentication Employee using a corporate laptop with their AD user id assigned to Full network access Employee using personal ipad/iphone with their AD user id assigned to Internet only 1 EAP Authentication ISE Employee Employee Same-SSID 3 2 CAPWAP Accept with VLAN 30 EAP Authentication 4 Accept with VLAN 40 VLAN Q Trunk VLAN 40 Corporate Resources Internet

36 Deploying NAC Authentication Flexibility EASY We can Stack multiple authentication methods to deal with anything that comes along Wireless Auth Guest Auth More Complex Wired Auth Onboarding

37 Deploying NAC Authentication One policy fits all? Don t lump multiple use cases into a single policy Break out use cases to individual policies Taylor default behavior Conference Rooms default to guest Cubicle ports default to private network Device Authentication vs User Authentication Device Identity takes precedence for security policy Device Certificates make it easy (MDM, MS-CA, etc.)

38 Guest Access Sponsor Portal Customizable portal Create multiple accounts Sponsor sets group/id store Time profiles Users account notification Print SMS Sponsor Guest URL-REDIRECT ISE Guest Server Guest Portal Change password Change password at first login Download posture client Self service Device registration

39 Deploying NAC Web Authentication Can reference multiple User Databases AD Local(guest DB) Web Auth is great for sporadic guest access Web Auth is not great for Daily access Get s annoying fast Look at device registration for daily users MAB in the backgraound

40 Device Profiling Cisco ISE Profiler Discovers and Profiles (classifies) each endpoint using the network Monitors for changing endpoint identity attributes Maintains a database of all endpoints on the network Profiling is based on data from: Netflow SNMP CDP DNS DHCP RADIUS accounting Web Auth NMAP IOS Sensor ipad Custom Template

41 Deploying NAC Profiling Great for onboarding New/Unknown devices IP Phones Printers End User devices Reporting on the Install base Prevent MAC Spoofing

42 Posture Assessment ISE Endpoint Posture Assessment The Cisco NAC Agent is used for endpoint checks Thick client on managed machines Thin client via ActiveX or Java Access is controlled via ACL s or VLAN assignments delivered by RADIUS Quarantine Role-based access Periodic reassessment Available checks include: Antivirus condition Antispyware condition File condition Registry condition Application condition Service condition Automated and manual remediation

43 Deploying NAC Posture Assessment Posture Assessment should be backed up by a written policy that you intend to enforce Don t posture assess just for fun, it s not! Deploying NAC Agents adds difficulty Web Agent Great for onboarding, bring device under management Not great for daily access Consider your other solutions in place for managing endpoints

44 ISE Topology Typical SMB Deployment (Under 5000 endpoints) Typical Enterprise Deployment (10,000 endpoints or more)

45 Deploying NAC Architecture Insist on Redundancy Centralized Deployments Cheaper More Practical Need WAN redundancy or a Fail Open policy Scalability Distributable services/node types Load distribution is fairly easy

46 Deploying NAC Avoid the Pitfalls Engage an Architect for design before committing Run a POC if you or provider have uncertainty If your requirements are complex Leverage an experienced partner Or be prepared for a slow painful deployment To Avoid mistakes made by others Ensure a proven real-world deployment

47 Deploying NAC Avoid the Pitfalls Test the Use cases, make sure they make sense Looks good on paper Might not look good in practice

48 Questions