Network Access Control (NAC)

Similar documents
Solutions for LAN Protection

x900 Switch Access Requestor

Solutions Guide. Secure Remote Access. Allied Telesis provides comprehensive solutions for secure remote access.

Solutions Guide. Resilient Networking with EPSR

Solutions Guide. Education Networks

Network Security Solutions Implementing Network Access Control (NAC)

Penola Catholic College

Network Security. Ensuring Information Availability. Security

Success Story. Kanaiwa Hospital

AlliedWare Plus OS How To Use Web-authentication

St Mary MacKillop College

The top 3 network management challenges

Solutions Guide. Ethernet-based Network Virtualization for the Enterprise

VCStack - Powerful Simplicity. Network Virtualization for Today's Business

Technical Note. CounterACT: 802.1X and Network Access Control

Whitepaper. Securing Visitor Access through Network Access Control Technology

All You Wanted to Know About WiFi Rogue Access Points

Firewalls: on-premises or in the cloud?

Frank Andrus WHITEPAPER. CTO, Bradford Networks. Evolve your network strategy to meet new threats and achieve expanded business imperatives

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks

Deploying Firewalls Throughout Your Organization

Solution Network Virtualization. Allied Telesis - delivering value with Network Virtualization

Secure Networks for Process Control

ForeScout CounterACT. Continuous Monitoring and Mitigation

» WHITE PAPER X and NAC: Best Practices for Effective Network Access Control.

Network-in-a-Box Solution. Services already integrated in the core switch Ideal concept for branch offices, schools or other small business networks

National Hospital Organization Chiba Medical Center

Best Practices for DanPac Express Cyber Security

Using IEEE 802.1x to Enhance Network Security

Top 14 best practices for building video surveillance networks

This chapter covers the following topics: Network admission control overview NAC Framework benefits NAC Framework components Operational overview

Allied Telesis provide virtual customer networks

Executive Summary. This white paper includes the following sections: A.What Does 802.1x Do? B. An Overview of the 802.1x Standard

Tech Brief. Enterprise Secure and Scalable Enforcement of Microsoft s Network Access Protection in Mobile Networks

Use 802.1x EAP-TLS or PEAP-MS-CHAP v2 with Microsoft Windows Server 2003 to Make a Secure Network

Demystifying Software-Defined Networking (SDN)

Cisco TrustSec Solution Overview

What information will you find in this document?

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Trusted Network Connect (TNC)

Transition Networks White Paper. Network Security. Why Authentication Matters YOUR NETWORK. OUR CONNECTION.

BYOD: BRING YOUR OWN DEVICE.

A Migration Path to Software-Defined Networking (SDN) in an Enterprise Network

Data Sheet: Endpoint Security Symantec Network Access Control Comprehensive Endpoint Enforcement

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

Solution Profile. Branch in a Box

Tested Solution: Protecting your network with Symantec Network Access Control (NAC) and Allied Telesis Switches

Endpoint Protection Small Business Edition 2013?

Solutions Guide. High Availability IPv6

Military College of Electronic and Mechanical Engineering

ARCHITECT S GUIDE: Comply to Connect Using TNC Technology

WHITEPAPER. Addressing Them with Secure Network Access Control. Executive Summary... An Evolving Network Environment... 2

Protecting the Extended Enterprise Network Security Strategies and Solutions from ProCurve Networking

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

Sygate Secure Enterprise and Alcatel

Using a VPN with Niagara Systems. v0.3 6, July 2013

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

Best Practices for Outdoor Wireless Security

Closing Wireless Loopholes for PCI Compliance and Security

IBM Managed Security Services Vulnerability Scanning:

How To Create An Intelligent Infrastructure Solution

WHITEPAPER. Addressing Them with Adaptive Network Security. Executive Summary... An Evolving Network Environment Adaptive Network Security...

Frank Andrus WHITEPAPER. CTO, Bradford Networks. Evolve your network security strategy to meet new threats and simplify IT security operations

Addressing BYOD Challenges with ForeScout and Motorola Solutions

Network Access Control ProCurve and Microsoft NAP Integration

Cisco Advanced Services for Network Security

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

How To Understand The Benefits Of Cisco Network Management Software And Hardware

S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

Cisco ASA 5500 Series IPS Solution

Software Defined Networking

Preparing your network for the mobile onslaught

What Do You Mean My Cloud Data Isn t Secure?

Reducing the cost and complexity of endpoint management

How To Secure Your System From Cyber Attacks

AlliedWare Plus OS How To Use sflow in a Network

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management.

HP ProCurve Networking. Networking solutions for small and growing businesses

The Cisco ASA 5500 as a Superior Firewall Solution

Internet Content Provider Safeguards Customer Networks and Services

Deploy secure, corporate access for mobile device users with the Junos Pulse Mobile Security Suite

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Host-based Protection for ATM's

Transcription:

Solutions Network Access Control (NAC) Allied Telesis provides advanced edge security for Enterprise networks

Security Issues The security issues facing Enterprise networks have evolved over the years, with the focus moving from mitigating outward attacks, to reducing internal breaches and the infiltration of malicious software. This internal defense requires significant involvement with individual devices on a network, which creates greater overhead on network administrators. Allied Telesis lower this overhead and provide an effective solution to internal network security by integrating advanced switching technology as a part of Network Access Control (NAC). The evolution of network defenses For many years, the focus in Enterprise network security was on defending against external threats. Firewalls were installed to protect the LAN from the hackers, worms, spammers and other security dangers of the Internet. However, with the growth in mobile computing and the proliferation of Ethernet-capable devices, LAN-based attacks now outnumber external threats as the main security issues facing network administrators. Thus, attention has turned towards the enemy within - the security dangers lurking within the local LAN. Malicious software, known as malware, makes its way onto a network via employees, contractors and visitors. Personal laptops, wireless gadgets, and ever-popular USB flash drives all provide excellent vectors through which malware can enter the workplace. Even careful employees can unwittingly bring in malware, by using their equipment outside of the network. Visitors and contractors may be careless carriers of malware or, even worse, may be planning a malicious attack to steal data or cause disruption. Defense against the enemy within To effectively defend the network against internal threats, network administrators need secure LAN switches that provide protection against common attacks. They also need to implement policies that ensure that each device connecting to a network is as secure as possible. This combination of secure LAN switches and anti-malware policy can be very effective. Allied Telesis switches have long provided a suite of defenses to combat internal attacks. These attacks range from data stealing attacks, such as Address Resolution Protocol (ARP) spoofing, to Denial of Service (DoS) attacks such as Tear Drop or Ping of Death. Correct deployment of these defenses can create a network that is impermeable to most of the harm these attacks cause. Additionally, network administrators can institute a policy whereby network users are required to install and maintain anti-malware scanners, and to install security patches as they are released by Operating System vendors. However, this has required network administrators to spend time ensuring that users are adhering to policies, and has even generated counter-productive tension between network administrators and users. More detailed information on how Allied Telesis secure LAN switches defend against the various types of LAN threats can be found on our website: http://www.alliedtelesis.com/solutions/category.aspx?5 2 Network Access Control (NAC) Solution alliedtelesis.com

The solution is NAC This is where Network Access Control (NAC) provides a solution. NAC allows network administrators to automate policy enforcement. Rather than requesting that users ensure their devices conform to anti-malware policies, administrators can simply let the network do the job instead. NAC has very quickly become an industry requirement, and is clearly much more than a new buzzword for network professionals. NAC offers an excellent way to control network access with automated policy enforcement, and to manage network security without vast administration overhead. Put simply, NAC lets you define a comprehensive security policy for your network, implement that policy on a centralized server, and have the network automatically enforce that policy on all network users. NAC is much more than just user authentication it is also designed to protect the network from users and devices that may be authorized, but still pose threats. The most sensible place for this to occur is at the edge of the network, removing security threats before they gain any form of access. A NAC solution including switches that act as enforcement points ensures a proactive approach to network security. How NAC secures your network Today, network access for multiple device types or temporary users is an expectation, not an exception. Modern Enterprise network requirements include: some level of access, no matter who or where you are access for guests such as sub-contractors, partners, remote employees access control for a new range of connected devices, for example smartphones, tablets and digital cameras. Allied Telesis LAN switches meet these emerging requirements, with comprehensive NAC features and integration. Used in conjunction with appropriate server-side and client-side software tools, they provide a remarkable level of control over the security status of the devices that connect to your network. The Allied Telesis NAC implementation is Trusted Computing Group s Trusted Network Connect (TCG-TNC) standards-based, to guarantee interoperability with the major third party suppliers of NAC software, such as Microsoft and Symantec. This provides customers with the confidence to create a comprehensive NAC solution from trusted vendors. At the heart of using NAC for your network security are three key elements: no (or very limited) access without identification the quarantine and remediation of non-compliant devices setting the level of access to network resources based on a device s authenticated identity X X Internet Corporate Net Remediation Server Network Access Control (NAC) Solution 3

In practice, this means that every device is required to identify itself when it connects, and if appropriate, is then examined for its compliance to security policies. On a typical network, devices that: Cannot provide a valid identity: are completely barred from the network (or alternatively could have restricted access to the Internet, and nothing else). Authenticate successfully but fail the policy adherence test: are given access to a remediation process, and nothing else. Authenticate successfully and are deemed policy adherent: are given access to the network resources that match their identity. Network access requested Is a valid ID provided? Yes Does device adhere to policy? Yes Access to network resources appropriate to authenticated identity No No Very limited guest level network access (Internet) Access only provided to remediation process This layered approach to network access control is illustrated in the figure above. In this way, security policy enforcement and resource access control are performed by the network itself, utilizing NAC. Malware cannot harm the network, as it is never allowed access to the network. Intruders cannot commit theft or cause disruption, as they are either blocked or very tightly constrained. NAC features on Allied Telesis switches To provide this advance in network security, the significant elements included in Allied Telesis switch functionality are tri-authentication, roaming authentication, two-step authentication, and integration with NAC infrastructure. Tri-authentication Tri-authentication allows the network to identify all devices connecting to it. It can be used as part of a comprehensive NAC solution; or on its own where it provides a low overhead method of implementing network access security. Roaming authentication Mobile users move from one attachment point to another. Once a user has been given acccess, Allied Telesis roaming authentication ensures they are not inconvenienced by the need to re-authenticate as they roam. Two-step authentication Devices and users can be separately authenticated, to prevent sophisticated attempts to circumvent security. Integration with NAC infrastructure Allied Telesis equipment can integrate as a key component in network-wide NAC solutions. Other documents you may be interested in: Solutions: Find out how Allied Telesis products and industryleading features create solutions to meet business needs: alliedtelesis.com/library/solutions How To Notes: Find out how to set up and configure key features on Allied Telesis advanced switches and routers: alliedtelesis.com/support/documentation Case Studies: Read customer success stories featuring Allied Telesis superior products and features: alliedtelesis.com/library/casestudies 4 Network Access Control (NAC) Solution alliedtelesis.com

Tri-authentication: the three methods 802.1X is a highly secure authentication protocol that enables encrypted password exchange and certificate validation. A user is prompted for their name and password, and this is then checked against a user database before they are able to access the network. It is secure and configurable, but does require that 802.1X software is embedded and also configured in the client device. Not all devices connecting to the network will have this software embedded or pre-configured - this is particularly so for users who are temporary visitors. Web authentication is provided to cater for computers in which 802.1X is not present or configured. The switch detects web-browsing activity from the client computer, and presents a login screen to the web browser. The user can progress no further until they have submitted a valid identity using the login screen. This authentication can either be performed in clear text, using the HTTP protocol, or performed in encrypted form using the HTTPS protocol. MAC authentication is a fallback option you can use for non-interactive devices like printers or web cameras. A device s MAC address provides a unique identity that can be used to authenticate the device. By providing these three authentication options, Allied Telesis switches make it possible to build a network in which you can authenticate all devices attaching to the network. EAPOL exchange RADIUS Server 802.1X authenticated device HTTP exchange x510 Tri-authentication capable switch All 3 types of authentication require data exchange with RADIUS server Web authenticated device MAC address gleaned from any packet MAC authenticated device Network Access Control (NAC) Solution 5

Roaming authentication Wireless Ethernet users are mobile, and can roam from one access point to another. A user can be authenticated to a switch, behind the access points. By default, an authenticated session is associated with a specific switch port, which can make it inconvenient for the user to reauthenticate when moving between access points that are attached to different ports. To solve this problem, Allied Telesis switches allow authentication status to roam along with the user. This capability is called roaming authentication. With roaming authentication, when a user moves from one port to another, the authentication information about the user is transferred from the original port to the new one. Therefore, the user does not need to re-authenticate their port transition is transparent. In a wired environment, where simple Extensible Authentication Protocol (EAP) pass-through switches are used at the edge of the network, then 802.1X or web authentication is performed on the authentication-capable switch at the aggregation layer. Simple layer 2 switches with EAP pass through Supplicant is authenticated by switch using 802.1x or web authentication Authenticating Switch Access layer Aggregation layer A Access Point 1 Supplicant moves from A to B Access Point 2 Authenticating Switch In this case, roaming authentication for dot1x or web authentication enables a user to unplug from one edge switch and plug into another without needing to re-authenticate. Roaming authentication can support the case that the user is connected directly to the authenticating switch. Roaming authentication in wireless and wired environments In environments where 802.1X authentication is not used at the access point, the alternative is to use web authentication at the switch behind the access point. In this situation, roaming authentication is most valuable. B The roaming authentication for disconnected ports feature enables a user to be disconnected from a port on the authenticating switch and connected to another port of the switch without needing to re-authenticate. Supplicant disconnects from A and reconnects to B A B Authenticating Switch Authenticating Switch Supplicant is authenticated by switch using web-authentication 6 Network Access Control (NAC) Solution alliedtelesis.com

Two-step authentication Traditionally, network access authentication has involved just a single authentication method. Once a user or device has been authorized by MAC authentication, web authentication or 802.1X, then the authentication process is complete. This single-step approach to authentication has potential security risks: an unauthorized user can access the network with an authorized device, for example by stealing a device that is authenticated by MAC authentication. an authorized user can access the network with an unauthorized device. The 802.1X and web authentication methods verify the identity of the user, but not of the device they are using. To resolve these security risks, Allied Telesis have introduced two-step authentication. Per-method RADIUS servers As another, further level of security, Allied Telesis support the use of different RADIUS servers for different authentication methods. Different RADIUS servers can be used for each of the three authentication methods. This allows for complete separation of the RADIUS databases used for the authentication methods that are used in two-step authentication. Because of this database separation, a malicious user cannot circumvent two-step authentication by using the same username/password combination for both of the methods. The username/password that exists on one RADIUS server, for authentication by one method, should not be present on the RADIUS server used by the second method. Two-step authentication involves authenticating both the user and the device. The supplicant will only become authenticated if both these steps are successful. Step 1 MAC authentication RADIUS server for Web authentication Radius server for MAC authentication The process that occurs in two-step authentication is quite literally that the supplicant is authenticated twice, by two different methods. The following authentication sequences are supported for two-step authentication: MAC authentication followed by 802.1X authentication MAC authentication followed by web authentication 802.1X authentication followed by web authentication Step 2 Web authentication x210 Device s MAC authentication details are used to authenticate against one RADIUS server RADIUS server for Web authentication Radius server for MAC authentication x210 Uesr s authentication details are validated by the Web authentication RADIUS server Network Access Control (NAC) Solution 7

Integration with NAC Infrastructures NAC integration makes it possible for switches to act as enforcement points in a NAC infrastructure with third party software vendors. Specifically, this means that the switch will: transport the packets that constitute the NAC server s interrogation of the client device receive notification of the decision made at the decision point, and enforce that decision The below figure illustrates the role of the switch as Policy Enforcement Point (PEP) in a NAC solution. The NAC server decides the level of network access a user can have, or the remedial action required to bring the user s computer or other end-point up to an acceptable level of compliance. The switch acts as the policy s enforcer, ensuring the ongoing security of the network, and the appropriate access to resources. The integration of advanced switching technology in a NAC solution provides very granular enforcement options, providing significant added value to the NAC infrastructure. A more secure network In conclusion, the modern enterprise has seen a phenomenal increase in the convergence of functionality on the network, with voice, video, security monitoring and more added to the traditional data and internet access. The need to control network access and provide a secure infrastructure is greater than ever. Network Access Control can mitigate threats by combining access control with automated management of the security compliance of devices attached to the network. The advanced edge features on Allied Telesis switches ensure a secure environment for business to thrive. RADIUS Server x210 Switch Policy Decision Point (PDP) Policy Enforcement Point (PEP) Access Requestor (AR) 8 Network Access Control (NAC) Solution alliedtelesis.com

Featured products SwitchBlade x8100 Series Next Generation Intelligent Layer 3+ Chassis Switches SwitchBlade x3112 Enterprise Edge Switches Access Edge Layer 2+ Chassis Switches SwitchBlade x908 x900 Series x610 Series x510 Series 8100S Series Fast Ethernet Switches Gigabit Edge Switches 8500 Series Managed Fast Ethernet Edge Switches Layer 3+ Gigabit Switches 8600 Series Fast Ethernet Layer 3 Switches Advanced Layer 3 Switches 9400 Series Gigabit Ethernet Edge Switches Advanced Layer 3 Modular Switches x210 Series 8000S Series Low Cost Managed Stackable Fast Ethernet Edge Switches Network Access Control (NAC) Solution 9

About Allied Telesis, Inc. Founded in 1987, and with offices worldwide, Allied Telesis is a leading provider of networking infrastructure and flexible, interoperable network solutions. The Company provides reliable video, voice and data network solutions to clients in multiple markets including government, healthcare, defense, education, retail, hospitality, and network service providers. Allied Telesis is committed to innovating the way in which services and applications are delivered and managed, resulting in increased value and lower operating costs. Visit us online at alliedtelesis.com North America Headquarters 19800 North Creek Parkway Suite 100 Bothell WA 98011 USA T: +1 800 424 4284 F: +1 425 481 3895 Asia-Pacific Headquarters 11 Tai Seng Link Singapore 534182 T: +65 6383 3832 F: +65 6383 3830 EMEA & CSA Operations Incheonweg 7 1437 EK Rozenburg The Netherlands T: +31 20 7950020 F: +31 20 7950021 alliedtelesis.com 2015 Allied Telesis Inc. All rights reserved. Information in this document is subject to change without notice. All company names, logos, and product designs that are trademarks or registered trademarks are the property of their respective owners. C618-31006-00 RevE

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information