Efficient and easy-to-use network access control and dynamic VLAN management. Date: 4.12.2007. http://FreeNAC.net. Copyright © 2007, Swisscom




Slide 2: Connection to the enterprise LAN is often (too) easy
- LAN sockets may be located in open work spaces: open-plan offices, meeting rooms, hallways and printing corners, unlocked wiring closets.
- (Too) many people may have physical access to LAN ports: employees, visitors, cleaning staff, electricians, etc.
Notes: The enterprise LAN needs to be easy to use and reliable, however:
- Many people (visitors, employees, cleaners, temporary staff) may have physical access to the offices.
- Network sockets may be located in open work spaces or meeting rooms.
- Network connections may not be documented.
- Mobility requires more flexibility and security: the number of laptops in companies is growing.
- There is potentially more than one user per network socket (often there are more hubs or small unmanaged switches than expected).
- Re-organisations are more frequent, so the network needs to adapt easily.

Slide 3: The need for dynamic LAN management
- Ethernet cabling is difficult to change and expensive.
- Is cabling documented?
- Does LAN management allow easy segmentation of PCs/devices?
- Can visitors/externals be given LAN access safely and easily?
- Is cabling used dynamically, or are cables reserved per segment?
Notes:
- Current cabling should be used dynamically: a port lands on the appropriate network when needed, without (expensive) manual intervention or reconfiguration.
- LAN management should allow easy segmentation of PCs/devices, e.g. printer zone, office zone, lab1, lab2, external zone.
- Segments should be configurable by helpdesk/1st-level support, not by switch specialists.

Slide 4: The need for network access control
Enterprises may be faced with the following problems:
- Do we know what is on the LAN? Is there a live inventory?
- How do we authorise or block end devices?
- How do we enforce LAN access security policies?
Notes:
- Access control: foreign laptops (or desktops, webcams, ...) connected to the enterprise LAN represent a potential security risk. Security/access rights should be managed: limit access to devices we know and have some trust in.
- Live inventory: access control means having an up-to-date inventory of end devices. It may also mean having an inventory of the LAN topology (which switches, hubs, routers, end devices etc. are in which rooms), including a cabling plan.
- The following questions then arise: How can we manage our inventory efficiently, especially with many end devices? Can we avoid having multiple inventories, one for network access control and one for hardware management / (financial) accounting? Can we integrate these inventories?

Slide 5: The need for compliance with security or governance standards
[Diagram of standards: ISO 27000, BS 7799, ISO 17799, BSI, SOX, COBIT and ITIL, grouped under management system, governance, IT security and IT.]
Notes:
- Is compliance with security standards such as an Information Security Management System (ISO 17799) or Sarbanes-Oxley (SOX 404) important for you?
- Is compliance with IT management/governance standards such as ITIL an issue?
- NAC can help to:
  - limit access to network resources
  - provide tracking of which devices were on the network, where and when
  - provide a live inventory of devices and link it to the static inventory
  - provide compliance reports tying together network, user and device information

Slide 6: The solution: NAC
Technology: access is granted based on the MAC address (or 802.1x) and an appropriate virtual LAN is assigned.
How it works:
- The switch detects a new PC and requests authorisation from NAC via the VMPS protocol. NAC checks its database and refuses or grants access based on the MAC address.
- 802.1x is supported, with user authentication in the Windows domain or with certificates, and VLAN assignment based on the MAC address.
- VMPS mode works only with Cisco switches, but with any kind of end device (PCs, printers, IP phones, webcams, etc.).
- NAC can directly replace other VMPS solutions, or manual port-based MAC lists, with major improvements in ease of use.
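The following Python model illustrates the decision flow described on this slide (and the "unknown: denied or quarantine" outcome on slide 15, with the alert enrichment of slide 26). It is an example added for this page, not FreeNAC's own code: the inventory, patching and super-user tables are constructed sample data, the policy names and the `Decision` type are my own, and the VQP wire format the switch actually speaks is not modelled, only the lookup the server performs behind it.

```python
"""Added illustration of the slide-6 decision flow (not FreeNAC's own code).

A switch sees a new MAC on a port and asks the NAC server, in its VMPS
role, whether the device may join and which VLAN it belongs to.  The server
answers from its device inventory; an unknown or disabled device is either
refused or parked in a quarantine VLAN, and an alert is built from the
patching documentation.  All tables below are constructed sample data.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# --- constructed sample data ------------------------------------------------
# Device inventory: the table the VMPS lookup consults.  "state" models the
# authorised / disabled distinction the GUI exposes per device (assumed).
INVENTORY = {
    "00:11:22:33:44:55": {"host": "pc-office-01", "vlan": "office",  "state": "authorised"},
    "00:11:22:33:44:66": {"host": "prn-4-16",     "vlan": "printer", "state": "authorised"},
    "00:11:22:33:44:77": {"host": "pc-lost-02",   "vlan": "office",  "state": "disabled"},
}

# Patching documentation: (switch, port) -> wall socket, room, people.
PATCHING = {
    ("sw0303", "2/40"): {
        "cable": "X 03.013", "room": "3.16",
        "room_users": ["Schenker", "Wyler", "Berger"],
        "documented_user": "TGDSCED1",
    },
}
SWITCH_SUPERUSERS = {"sw0303": ["Schädler", "Rappo"]}
NAC_ADMINS = ["nac-admin"]

# Policy for a MAC that is not in the inventory: "deny" or "quarantine".
UNKNOWN_POLICY = "quarantine"
QUARANTINE_VLAN = "quarantine"

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(mac: str) -> str:
    """Accept Cisco dotted (0011.2233.4455), dashed or colon form and return
    lower-case colon form, so one device has exactly one inventory key."""
    digits = re.sub(r"[.:\-]", "", mac.strip().lower())
    if not _MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Decision:
    allow: bool
    vlan: Optional[str]
    reason: str
    alert: Optional[str] = None


def build_alert(switch: str, port: str, mac: str) -> str:
    """Enrich a failed lookup with what the patching tables know."""
    lines = [f"New device {mac} on switch {switch} port {port} is not authorised."]
    loc = PATCHING.get((switch, port))
    if loc:
        lines.append(f"- room {loc['room']}")
        lines.append(f"- cable socket {loc['cable']}")
        lines.append("- users with offices in this room: " + ", ".join(loc["room_users"]))
        lines.append(f"- documented user of this cable: {loc['documented_user']}")
    recipients = SWITCH_SUPERUSERS.get(switch, []) + NAC_ADMINS
    lines.append("To: " + ", ".join(recipients))
    return "\n".join(lines)


def vmps_decision(switch: str, port: str, mac: str,
                  now: Optional[datetime] = None) -> Decision:
    """Answer the switch's query: may this MAC join, and on which VLAN?"""
    mac = normalise_mac(mac)
    now = now or datetime.now(timezone.utc)
    entry = INVENTORY.get(mac)
    if entry is None:
        alert = build_alert(switch, port, mac)
        if UNKNOWN_POLICY == "quarantine":
            return Decision(True, QUARANTINE_VLAN, "unknown MAC, parked in quarantine", alert)
        return Decision(False, None, "unknown MAC, refused", alert)
    if entry["state"] != "authorised":
        return Decision(False, None, f"{entry['host']} is {entry['state']}",
                        build_alert(switch, port, mac))
    # Live inventory: remember where and when the device was last seen.
    entry["last_seen"] = {"switch": switch, "port": port, "at": now.isoformat()}
    return Decision(True, entry["vlan"], "authorised")


if __name__ == "__main__":
    for sw, pt, mac in [("sw0303", "2/13", "0011.2233.4455"),
                        ("sw0303", "2/40", "00-11-22-33-44-99"),
                        ("sw0303", "2/13", "00:11:22:33:44:77")]:
        d = vmps_decision(sw, pt, mac)
        print(f"{mac:20} allow={d.allow} vlan={d.vlan} ({d.reason})")
        if d.alert:
            print(d.alert)
```

Two points worth keeping in mind when reading this. The MAC normalisation matters in practice because switches report the address in Cisco dotted form while inventories imported from other systems often use colons; a lookup that fails on a formatting mismatch looks exactly like an unknown device. And the identity being checked is only a MAC address, which any host can set itself, so this flow keeps casual and accidental connections off the corporate VLAN but cannot resist a deliberate attacker; that is the limitation slide 12 notes for DMZs and the reason the 802.1x path exists alongside it.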

Slide 7: Features
- Dynamic (location-based) virtual LAN assignment
- LAN port access control
- Automated end-device inventory
- Switch port programming
- Can work with hubs/unmanaged switches
- Friendly user interface
- Enterprise features:
  - Linking of enterprise information sources: users (AD), devices (MS-SMS), anti-virus, DNS, router tables, static inventory
  - Redundancy, load balancing, advanced monitoring and alerting
  - Documentation of LAN cabling
  - Emergency off for disaster response
Notes:
- An SQL database provides scalability, flexibility and easier integration, and allows querying of the live network inventory. External databases can be linked in to integrate NAC into your workflow and processes: user databases (Active Directory, DirX, XML), end-device databases (MS-SMS), MS-WSUS, anti-virus (McAfee), DNS, routers (MAC/IP tables via SNMP), switches (port restarts / detection of unmanaged devices) and the customer's in-house static inventory databases.
- A scanning module identifies operating system versions and open ports.
- A scanning module identifies devices on unmanaged or static switch ports.
- An emergency-off tool for disaster recovery.
- Redundancy: one master and many slaves allow high availability and load distribution (we come back to this in three slides).
- Live inventory: VMPS-managed devices and unmanaged devices (switches scanned via SNMP): MAC, IP address, hostname; operating system and hostname via nmap scanning; cross-referenced with data in external databases such as MS-SMS, WSUS and McAfee EPO.

Slide 8: NAC benefits
- No software needed on end devices
- Allows a more dynamic, efficient LAN/cabling
- Proven technology: in production since 2004
- GUI can be used by the helpdesk; Cisco expertise is not needed
- Extensible: open interfaces, optimal workflow integration, open source
- NAC works with (legacy and new) Cisco switches
- More efficient than manual port-based access or VMPS
- Easier to implement than classical 802.1x
Notes:
- No software is currently needed on end devices.
- Open: open standards, open source, open review. Integrate NAC more easily into your workflows and existing processes.
- NAC works with (even old) Cisco switches. (Other vendors may be added on request, or as custom developments.)
- Customers who already use manual port-based access will save time and gain effectiveness.
- A dynamic network allows better use of available switch ports (efficiency, cost savings), quick configuration of new ports (can be done by the helpdesk), easier switch configuration (ports are dynamic) and fewer cabling changes during re-organisations.
- Extensible: add your own modules, or interfaces to your systems, to better integrate NAC into your processes and workflow.
- NAC runs on standard hardware and operating systems (Linux/Unix).

Slide 9: Reducing the risk of unauthorised LAN access
- NAC offers cost-effective, significant risk reduction without affecting business operations.
- NAC will continue to evolve, lowering risk further (e.g. using 802.1x and health checking) while allowing customers to migrate smoothly.
Notes:
- 802.1x offers stronger device authentication, but is more complex and requires newer switches. NAC strives to offer the best of both worlds: MAC-address and 802.1x support.
- Currently we can integrate the patch status from Microsoft WSUS and McAfee EPO.
- Long term, our aim is to use standards-based pre- and post-connect security checking, such as TNC (Trusted Network Connect).

Slide 10: Architecture
Notes: The minimal components required are a VMPS- or 802.1x-capable switch and one NAC master server.

Slide 11: Architecture
Notes: NAC consists of:
- One master server with database and control programs
- Optionally, one or more slave servers for redundancy and load distribution
In a fully integrated environment, NAC requires:
- Syslog messages from switches
- Access to an e-mail server for delivery of alerts
- Access to DNS for discovering the names associated with IP addresses
- Optionally, SNMP read/write access to switches (to restart ports and scan for unmanaged end devices)
- Optionally, SNMP read access to routers (to query MAC/IP tables)
- Optionally, an interface to the enterprise static inventory, user and device databases, MS-SMS, MS-WSUS, McAfee EPO, or other databases
NAC is remotely configured via a Windows-based GUI, which may be installed on one or more Windows PCs, or via a web-based interface.

Slide 12: Usage scenarios: where can I use NAC?
Notes: NAC is useful where you need efficient cable/port management and/or LAN access control:
- Research and development units with many subnets that need to build dynamic subnets quickly
- Workstation LANs
- Meeting rooms
- Rooms exposed to the public or to non-company employees
- Large open-floor-plan offices
- During re-organisations, to better track and control network access
Where is NAC not needed? (i.e. dynamic ports are not needed, but automated port scanning/documentation is still useful)
- Physically secured server rooms
- DMZs (for VMPS mode: MAC-based identification is probably not secure enough; however, 802.1x may be interesting.)

Slide 13: Summary
Swisscom NAC:
- enables LAN access control, live inventory and dynamic VLAN management
- requires no software on clients
- works today in heterogeneous environments
- allows integration into your IT processes/tools via open interfaces

Slide 14: Appendix: optional slides

Slide 15: How NAC works
- If unknown, access is denied or limited to quarantine.
- If OK, access to the corporate network.
Notes: How version 2 works.

Slide 16: How NAC works: VMPS mode

Slide 17: Version history
Version 2.1 (Summer 06):
- nmap scanning modules, OS detection
- Linking to the McAfee EPO anti-virus server
- Linking to Microsoft SMS (Systems Management Server)
- Support for virtual machines as clients, and also as NAC servers
Version 2.2 (Mar 07):
- LDAP integration into MS Active Directory
- Detection and inventory of other devices on the network that are not actively managed
- Auto-documentation of when ports were last used, with which VLAN and mode
- Automated switch discovery for initial installations
- 802.1x support for wired LANs
Version 3.0 (Nov 07):
- Configuration of switch ports from the Windows GUI
- Configuration of NAC server options from the Windows GUI
- Automated switch scanning for unmanaged systems
- Microsoft WSUS and McAfee EPO integration
- Complete object-oriented code rewrite, for better reliability, separation of features and ease of adding new features
- New policy interface with pre- and post-connect methods

Slide 18: Network authentication with 802.1x
- The 802.1x standard allows authentication of devices in LAN or wireless networks; using cryptographic techniques, it provides higher security.
- 802.1x authenticates the user or the device.
- BUT: new switches are usually required; vendor interoperability; complexity (support, supplicants, certificate management, ...); cost; interaction with hubs.
- NAC includes 802.1x since V2.2.
- 802.1x and MAC address can be combined, for example by authenticating the user via domain logon and the device via MAC address, allowing a VLAN assignment based on the device identification (MAC address), not the user name.

Slide 19: Problems with Cisco VMPS and MAC port authentication
If the above products are already in use for limiting LAN access, what are the limitations?
- Lack of management features: monitoring, alerting
- Ease of use: GUI, user and device DB integration
- Lack of support from Cisco

Slide 20: What does the user interface look like?
Notes: This is one view in the Windows GUI from version 2.1. There are also dedicated web GUIs for specific tasks.

Slide 21: Windows GUI: system details
Notes: In blue is the crucial MAC information: the MAC address and the VLAN we assign. In red is information about when and where the end device was last seen.

Slide 22: Windows GUI: system details
Notes: The nmap scanning module can detect the operating system version and open ports. It can scan one device immediately, or the list of IPs in the NAC database on a scheduled basis. If the McAfee EPO module is enabled, the operating system of end devices, as reported by McAfee, and the current anti-virus status can be displayed. Beside the anti-virus tab, we also see an inventory tab, which is where we link to your in-house static inventory database, if required.

Slide 23: Windows GUI: switch and ports

Slide 24: NAC also shows switch/port usage
[Table with columns: Switch, Port, Patch, PC]
Notes: A web GUI that maps switch port usage in the last 24 hours. We see one device on port 2/13: it is connected via cable X04.012 in room 4.16, where the PC murderdrool is attached, and this PC is assigned to the user ALLGAE. We also see a printer on port 2/24.

Slide 25: Web GUI: edit mode

Slide 26: What do automated e-mail alerts look like?
Notes: A new device has been connected to the network (port 2/40 on switch sw0303), but is not authorised:
- it was in room 3.16
- on cable socket X 03.013 (this is the name written on the socket in the wall)
- in this room the users Schenker, Wyler and Berger have their offices
- the user TGDSCED1 has been documented as using this cable
The super-users defined for this switch are Schädler and Rappo, so they receive the alert, along with the NAC administrators.