-
Network Access Control
Approaches
Experiences
Future Issues
John Hayward [email protected] College
-
No Access Control
The good, the Bradford and the ugly
John Hayward [email protected] College
-
Agenda
• Background Experiences
o Blaster fall 2003 - response
o Network Registration 2004-2007
• Approaches to NAC
o DHCP
o ARP manipulation
o Switch port manipulation
• Verifying Security Policies
o Internal / External scans - monitoring compliance
o Quality of scan
o Range of policies
• Bradford Experiences
o 2007-2009
o Documentation, Support, Version, Wireless, etc
• Current and future issues
o Virtualization, non computer devices
-
Background Experiences - Fall 2003
Context
• Blaster just before Fall Term Aug 11
• Sent E-mail notification to all students to get computer updated - MS had a patch available earlier (July 16)
• Over 2000 computers owned and administered by students
• Registration system for students
• Students on different network than Employees
• Access to internet via IIS proxy server
• Flat network
Results
• Good:
o Employees unaffected
o Students with patch could register (exceptions)
-
Background Experiences - Fall 2003
Results
• Bad:
o Any unpatched computer in registration was nailed by the virus and became a carrier
o Issue with proxy server or MS update server attacked with DoS - difficult to obtain update
• Ugly
o So much traffic on our radio connections to some apartments they effectively lost networking
Response
• Student lab workers distributed CD with patch and removal tools
• Hand monitoring/shutdown of ports which had malware
• Some students were not on network for 3 weeks
-
Background Experiences - 2004
Design Goals (Spring)
• Require current patches
• Require Sophos
• Require Sophos defs current
• Require last scan current and no virus
• Allow registration if requirements satisfied
• Registration machines should be isolated from each other
• Turn on Auto Updates
Results - Good:
• Web registration site with security checks
• Shavlik command line check of patch levels - bought by MS and available via MBSA
• Download bat to check - MBSA in command line, check Sophos status and return results
-
Background Experiences - 2004-05
Results - Bad:
• MS unleashed SP2 Aug 6 - Blaster 2
• Decided to require SP2
• Problems with IIS proxy server or MS site
• Design linear - hard for users to follow
Fall 2004 - good security - rough user experience
Fall 2005 redesign site
• After turning on updates, one button CheckMe
• Results of success/failure on same page
Fall 2005 - good security, OK user experience
• Returning great - Freshmen some challenges
-
Background Experiences - 2006-07
Fall 2006
• Fully implemented remote preregistration
• Fairly smooth
Spring 2007
• New Director of Computing Services
• Wanted professional support with lower internal resources to support home grown solution
• MBSA was taking longer - losing command line facilities
• Vista had come
• Many students had their own virus programs
• Read reports - seriously considered
o Open source PacketFence Zero Effort
o Commercial Bradford Networks
• Bradford selected - experiences later in talk
-
NAC Approaches
Getting Attention of User
• DHCP
o Homegrown Network Registration
o Clients use DHCP to get IP
o Database keeps track of who is and is not registered - if not registered give IP and subnet for registration
o After passing security policy give production IP
o What about hard coded IP???
• ARP Manipulation
o PacketFence can use this
o Server monitors ARP announcements
o If not registered, poison ARP to direct packets to server
-
NAC Approaches
Getting Attention of User (cont)
• Port VLAN Switching
o Bradford (and later PacketFence) use this
o Switch sends trap to server on linkup
o Server asks switch for MAC address
o Server switches to correct VLAN - if not registered then registration VLAN
o Server needs to know how to operate switch
• Inline server
o PacketFence can use this
o Server acts as a router to rest of network
o Single point of failure?
• All approaches provide special DNS to achieve captive portal
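Added example, not from the talk and not Bradford's or PacketFence's code: a toy model of the two "get the user's attention" mechanisms on these two slides, DHCP-based address assignment and port/VLAN switching, driven by one registration database. It also shows why the slide's "hard coded IP???" question matters: the DHCP decision is only reached when the client asks for a lease, while the port decision is made at the switch regardless of the client's address. Subnets, VLAN numbers, switch names and MAC addresses are constructed; the switch MAC table stands in for the SNMP query the server would really make.

```python
"""Added example (not from the talk or any NAC vendor): DHCP-based and
port/VLAN-based registration decisions over one registration database.
All addresses, VLANs and switch names are constructed for illustration."""

from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional


class State(Enum):
    UNREGISTERED = "unregistered"   # never passed the security policy
    REGISTERED = "registered"       # passed policy, allowed on production
    QUARANTINED = "quarantined"     # failed a later check, back to registration


# Constructed network plan (assumption): registration and production segments.
REGISTRATION_SUBNET = "10.200.0.0/16"
PRODUCTION_SUBNET = "10.10.0.0/16"
REGISTRATION_VLAN = 200
PRODUCTION_VLAN = 10


@dataclass
class RegistrationDB:
    """Tracks who is and is not registered, keyed by MAC address."""
    entries: Dict[str, State] = field(default_factory=dict)

    def state_of(self, mac: str) -> State:
        return self.entries.get(mac.lower(), State.UNREGISTERED)

    def mark_registered(self, mac: str) -> None:
        self.entries[mac.lower()] = State.REGISTERED

    def quarantine(self, mac: str) -> None:
        self.entries[mac.lower()] = State.QUARANTINED


def dhcp_offer(db: RegistrationDB, mac: str) -> str:
    """DHCP approach: unregistered clients get a lease on the registration
    subnet; registered clients get production. Only reached when the client
    actually asks for a lease, so a hard-coded IP never passes through here."""
    if db.state_of(mac) is State.REGISTERED:
        return PRODUCTION_SUBNET
    return REGISTRATION_SUBNET


def port_vlan_decision(db: RegistrationDB, trap: dict,
                       mac_lookup: Callable[[str, int], Optional[str]]) -> int:
    """Port VLAN approach: the switch sends a linkup trap, the server asks the
    switch which MAC is on that port, then picks the VLAN. This works even for
    a client with a hard-coded IP, because the decision is made at the port."""
    if trap.get("event") != "linkup":
        raise ValueError("only linkup traps are handled in this model")
    mac = mac_lookup(trap["switch"], trap["port"])
    if mac is None:
        return REGISTRATION_VLAN  # nothing learned on the port yet; keep it in registration
    if db.state_of(mac) is State.REGISTERED:
        return PRODUCTION_VLAN
    return REGISTRATION_VLAN


def demo() -> dict:
    """Walk one constructed client through registration under both mechanisms."""
    db = RegistrationDB()
    mac = "00:11:22:33:44:55"  # constructed client MAC
    # Constructed switch MAC table standing in for the SNMP query to the switch.
    mac_table = {("dorm-sw1", 7): mac, ("dorm-sw1", 8): None}

    def lookup(switch: str, port: int) -> Optional[str]:
        return mac_table.get((switch, port))

    trap = {"switch": "dorm-sw1", "port": 7, "event": "linkup"}
    before = (dhcp_offer(db, mac), port_vlan_decision(db, trap, lookup))
    db.mark_registered(mac)   # client passed the security policy check
    after = (dhcp_offer(db, mac), port_vlan_decision(db, trap, lookup))
    db.quarantine(mac)        # a later periodic scan failed
    quarantined = (dhcp_offer(db, mac), port_vlan_decision(db, trap, lookup))
    empty_port = port_vlan_decision(
        db, {"switch": "dorm-sw1", "port": 8, "event": "linkup"}, lookup)
    return {"before": before, "after": after,
            "quarantined": quarantined, "empty_port": empty_port}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The quarantine step mirrors the slides' later experience with scheduled scans: a machine that fails a periodic check goes back through registration, which both mechanisms express as a change of state in the one database.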
-
NAC Approaches
Verifying Security Policy
• Internal scanning
o Registration scans
  ▪ Bradford dissolvable agent
  ▪ Home grown - batch file
o Periodic scans - require software on client
  ▪ Bradford persistent agent - scheduled scans
  ▪ Patchlink - Bradford and homegrown
• External scans
o Bradford can use Nessus
o PacketFence can use Snort
o Can be independent of NAC
-
NAC Approaches
Verifying Security Policy
• Scan quality
o Light and quicker (Bradford)
  ▪ Check registry entries
  ▪ Check AV/AS def versions
o Deeper (more intense) - Homegrown
  ▪ Use MBSA Shavlik - use CAB/XML file to determine patches - check actual validity of patches
  ▪ Verify last AV scan had clean report
Range of Security Policy
• Bradford 20+ AV, 20+ AS
• Bradford individual registry keys
• Bradford check for software
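Added example, not from the talk and not MBSA's, Shavlik's or Bradford's code: a policy evaluator that contrasts the "light" registration check (AV product and definition age, patches as listed in the registry) with the "deeper" homegrown check (patch presence verified by file version against a catalog, plus a recent clean AV scan), the distinction drawn on this slide and in the 2004 design goals. The policy values, patch IDs, file versions and host report are all constructed; the catalog dictionary stands in for the CAB/XML file the slides mention.

```python
"""Added example (not from the talk, MBSA or Bradford): a two-tier security
policy check. The "light" tier trusts registry entries; the "deep" tier checks
what is actually on disk. Policy, patch IDs and host report are constructed."""

from datetime import date
from typing import Dict, List, Tuple

# Constructed policy, in the spirit of the 2004 design goals on the slides.
POLICY = {
    "allowed_av": {"Sophos", "AVG"},
    "max_def_age_days": 3,          # definitions must be this fresh
    "max_scan_age_days": 7,         # last scan must be this recent
    "required_patches": ["KB000001", "KB000002"],   # constructed IDs
}

# Constructed stand-in for the MBSA/Shavlik CAB/XML catalog: which file each
# patch updates and the minimum file version that proves it is installed.
PATCH_CATALOG = {
    "KB000001": ("rpcss.dll", (5, 1, 2600, 1200)),
    "KB000002": ("lsass.exe", (5, 1, 2600, 1500)),
}


def parse_version(s: str) -> Tuple[int, ...]:
    """'5.1.2600.1254' -> (5, 1, 2600, 1254), so versions compare as tuples."""
    return tuple(int(p) for p in s.split("."))


def light_check(report: dict, today: date) -> List[str]:
    """Quick registry-style check: AV product present, defs fresh, patches listed."""
    problems = []
    if report["av_product"] not in POLICY["allowed_av"]:
        problems.append(f"AV product {report['av_product']!r} not allowed")
    def_age = (today - report["av_def_date"]).days
    if def_age > POLICY["max_def_age_days"]:
        problems.append(f"AV definitions {def_age} days old")
    # Trusts the registry 'installed' list; this is the gap the deep check closes.
    for kb in POLICY["required_patches"]:
        if kb not in report["registry_installed_patches"]:
            problems.append(f"{kb} not listed in registry")
    return problems


def deep_check(report: dict, today: date) -> List[str]:
    """Deeper check: verify each patch by file version and require a recent
    clean scan rather than trusting what the registry claims."""
    problems = []
    for kb in POLICY["required_patches"]:
        fname, min_ver = PATCH_CATALOG[kb]
        present = report["file_versions"].get(fname)
        if present is None or parse_version(present) < min_ver:
            problems.append(f"{kb} not actually applied ({fname} is {present})")
    scan_age = (today - report["last_scan_date"]).days
    if scan_age > POLICY["max_scan_age_days"]:
        problems.append(f"last AV scan {scan_age} days old")
    if not report["last_scan_clean"]:
        problems.append("last AV scan reported malware")
    return problems


def evaluate(report: dict, today: date) -> Dict[str, List[str]]:
    """Run both tiers; a host should register only when the deep tier passes."""
    return {"light": light_check(report, today), "deep": deep_check(report, today)}


# Constructed host report: the registry says both patches are installed, but
# the file on disk for KB000002 is still the pre-patch version, and the last
# scan is older than the policy allows.
SAMPLE_REPORT = {
    "av_product": "Sophos",
    "av_def_date": date(2005, 9, 1),
    "registry_installed_patches": {"KB000001", "KB000002"},
    "file_versions": {"rpcss.dll": "5.1.2600.1254", "lsass.exe": "5.1.2600.1100"},
    "last_scan_date": date(2005, 8, 20),
    "last_scan_clean": True,
}


def demo() -> Dict[str, List[str]]:
    """Evaluate the constructed report as of a constructed date."""
    return evaluate(SAMPLE_REPORT, date(2005, 9, 2))


if __name__ == "__main__":
    for tier, problems in demo().items():
        print(tier, "PASS" if not problems else problems)
```

On the constructed report the light tier passes and the deep tier fails twice, which is exactly the "quality of scan" point: a registry entry says a patch is present, the file version says it is not.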
-
NAC Bradford Experience
Fall 2007
• Preparation work started spring 2007
o All switches had to be adjusted for Bradford
  ▪ Traps programmed
  ▪ Self discovery helped populate topology
• Orientation lab summer 2007
o Goal was to have network configured by end of lab
o Problem: we did not have network mapping finished before lab
o Practiced examples on "practice lab" environment, not our production network
o Helped some but not as effective as it could be
-
NAC Bradford Experience
Fall 2007
• Over 600 freshmen arriving Aug 2007
o Finally had networking mapped
o Bradfordized the dorm switches
o Discovered scanning not working 1 week before bulk of freshmen arriving
o Bradford support worked remotely - Networking staff put in lots of extra hours
o Registration scanning issue resolved less than 30 minutes before Freshmen started to use network!
-
NAC Bradford Experience
2007-2008
• Scheduled scanning to require policy compliance
o Put some machines in quarantine and then move them back to production
o Some machines not being scanned
o Quickly gave up on scheduled scans - no way to require compliance other than re-register!
• Discovered High Availability fail over did not work
Fall 2008
• New 2.0.x client - support for more AV - transparent update
• Upgraded server 4.x shortly before fall
• Discovered transparent update did not work
-
NAC Bradford Experience
Fall 2008 (cont)
• If more than 22 AV clients checked then old client reported inconsistent results - some passed without having required, others failed having all required - backed off on allowed AV
• Vista issues - eventually resolved
2009
• AVG 8.0 definitions changed - require upgrade to 2.0.3.8 client
• AVG 8.5 definitions changed - Bradford working on it (3-4-2009)
• Attempted upgrade client - proposed to be transparent - failed
• Earlier fail over assumed both servers went down - seems to be resolved but db not synced
-
NAC Bradford Experience
Support
• Now web interface - before, phone call only
• Support people generally try to be helpful, varying level of competency
• Support normally focus on configuration issues; more complicated issues referred to engineers which you don't have direct access to
• Support thin during fall just before school starts
Documentation
• Documentation looks nice
• Lacks conceptual model - says link goes to this page
• Lacks how to do x
• Rapid version changes - documentation not current
• Overloads terms - What is a scan? Depends
• Command line way out of date
-
NAC Bradford Experience
Versions
• Large number of versions - 4.0 started this fall, we are at 4.0.1.50, now upgrading to 4.0.3.x
• Some required due to new MAC addresses for non computer devices and new switches.
Administration
• Organization of GUI non intuitive - Campus manager configuration in network topology.
• Requires more effort to support than home grown
• Up to 4.0.3.x server only administrators could manually register problem machines - now operators can be granted that privilege.
• Massive number of alarms going off (apparently required to have an action associated with an event) - hard to see what is important
-
NAC Bradford Experience
Broken Items
• Role based port mapping fails - work around
• Still don't have scanning working reliably
Wireless
• Continuing issues with Meru wireless and Bradford related to registration -> production VLAN switching - we tell users to reboot
Support for other vendors' hardware
• Supports an amazing number of switches
• Large number of AV/AS
• Many game controllers, other non computer IP devices - need to keep versions current
Trouble shooting
• Client cannot initiate scan - no information on client
-
NAC Future Issues
Non Computer Nodes
• Existing facility to register devices by MAC addr
• Only approved vendor MAC prefix addresses allowed
o Requires keeping server current version, or
o Requires manual entry of allowed MAC prefix
• Some devices need generic USB Ethernet - these are not on vendor prefix list - how to know if device or computer?
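Added example, not from the talk and not Bradford's device registration code: registering non-computer devices by vendor MAC prefix as this slide describes, with the manual-entry path for prefixes the shipped list lacks, and an explicit "review" outcome for the case the slide leaves open, a generic USB Ethernet adapter whose prefix says nothing about whether a console or a laptop is behind it. The prefix table and all MAC addresses are constructed; a real deployment would take vendor prefixes from the IEEE OUI registry. The locally-administered-bit check is an addition of mine, not something the slides mention.

```python
"""Added example (not from the talk or Bradford): vendor-prefix registration
for non-computer devices, with manual prefix entry and a review queue.
Vendor names and MAC addresses are constructed."""

import re
from typing import Dict


def normalise_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55, 0011.2233.4455 or colon form; return lower colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def vendor_prefix(mac: str) -> str:
    """First three octets: the IEEE-assigned OUI the slides call the vendor prefix."""
    return normalise_mac(mac)[:8]


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address was chosen by software
    (typical of VMs and some adapters), so a vendor lookup is meaningless."""
    return bool(int(normalise_mac(mac)[:2], 16) & 0x02)


class DevicePrefixRegistry:
    """Approved vendor prefixes: the list shipped with the NAC server version,
    plus prefixes entered manually by site staff (both paths on the slide)."""

    def __init__(self, shipped: Dict[str, str]):
        self.shipped = {p.lower(): name for p, name in shipped.items()}
        self.manual: Dict[str, dict] = {}

    def add_manual_prefix(self, prefix: str, label: str, approved_by: str) -> None:
        prefix = prefix.lower()
        if not re.fullmatch(r"[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}", prefix):
            raise ValueError("prefix must be three colon-separated octets")
        # Keep who approved it: a manual prefix is a policy exception.
        self.manual[prefix] = {"label": label, "approved_by": approved_by}

    def classify(self, mac: str) -> dict:
        if is_locally_administered(mac):
            return {"decision": "review",
                    "reason": "locally administered address; vendor prefix not meaningful"}
        p = vendor_prefix(mac)
        if p in self.shipped:
            return {"decision": "device", "reason": f"vendor list: {self.shipped[p]}"}
        if p in self.manual:
            return {"decision": "device", "reason": f"manual entry: {self.manual[p]['label']}"}
        return {"decision": "review",
                "reason": "prefix on no approved list; a generic USB Ethernet adapter "
                          "may front a device or a computer, so a person must decide"}


def demo() -> Dict[str, str]:
    """Classify a few constructed addresses against a constructed registry."""
    reg = DevicePrefixRegistry({
        "00:1a:2b": "Constructed Game Console Co",
        "00:3c:4d": "Constructed Media Player Inc",
    })
    reg.add_manual_prefix("00:aa:bb", "USB Ethernet adapter for lounge TV", approved_by="netops")
    samples = {
        "console": "00-1A-2B-00-00-01",        # shipped vendor list
        "manual_adapter": "00:aa:bb:12:34:56",  # site-entered prefix
        "unknown_adapter": "00:cc:dd:12:34:56",  # not on any list
        "vm_like": "0a:00:27:00:00:01",         # locally administered bit set
    }
    return {name: reg.classify(mac)["decision"] for name, mac in samples.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

Anything that lands in "review" is the slide's open question in code form: the prefix alone cannot answer it, so the registry records the decision a person makes rather than guessing.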
-
NAC Future Issues
Virtualization and Port Management
• VMware, Xen, VirtualBox, Virtual PC
• Networking - two approaches - Bridge - NAT
• Bridge - now multiple MAC addresses from same port
o New MAC - port moved to registration - other VMs lose network access
• NAT - now possibly multiple OSs from same MAC address
o How do we know all VMs satisfy security policies?
• How to support Faculty with VMs who need to be on employee, student and lab VLANs?
• VLAN switching needs to be on the node if at all.
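Added example, not from the talk and not any NAC vendor's code: a small audit over a constructed switch MAC table that detects the bridged-VM situation this slide describes (several MAC addresses behind one port) and shows side by side what per-port VLAN switching does to the other hosts on that port versus the per-node switching the last bullet asks for. VLAN numbers, switch port names, MAC addresses and the registration set are constructed; per-MAC VLAN assignment is assumed to be available, which not every access switch offers. NAT-mode VMs share the host's MAC and do not show up in a MAC table at all, so the audit says nothing about them.

```python
"""Added example (not from the talk or any NAC vendor): detect multi-MAC ports
(bridged VMs) and compare per-port with per-node VLAN decisions.
VLANs, port names, MACs and registrations are constructed."""

from typing import Dict, List, Set

REGISTRATION_VLAN = 200   # constructed VLAN numbers
PRODUCTION_VLAN = 10


def per_port_decision(macs: List[str], registered: Set[str]) -> dict:
    """Switch-port granularity, as the slides describe: one VLAN for the whole
    port, so one unregistered MAC drags every host on the port to the
    registration VLAN. 'collateral' lists the registered hosts that lose access."""
    macs = [m.lower() for m in macs]
    unregistered = [m for m in macs if m not in registered]
    vlan = REGISTRATION_VLAN if unregistered else PRODUCTION_VLAN
    collateral = [m for m in macs if m in registered] if unregistered else []
    return {"vlan": vlan, "unregistered": unregistered, "collateral": collateral}


def per_node_decision(macs: List[str], registered: Set[str]) -> Dict[str, int]:
    """Node granularity ("VLAN switching needs to be on the node"): each MAC
    gets its own VLAN. Assumes the switch can assign a VLAN per MAC on a port;
    where it cannot, the only place left to enforce this is the host itself."""
    return {m.lower(): (PRODUCTION_VLAN if m.lower() in registered else REGISTRATION_VLAN)
            for m in macs}


def audit(mac_table: Dict[str, List[str]], registered: Set[str]) -> Dict[str, dict]:
    """Report every port showing more than one MAC (bridged VM, a hub, or a
    second device) with what the per-port rule would do to it. NAT-mode VMs
    share the host's MAC and are invisible here; only a host-side agent can
    check whether they meet policy."""
    return {port: per_port_decision(macs, registered)
            for port, macs in mac_table.items() if len(macs) > 1}


def demo() -> dict:
    """Constructed MAC table: one clean port, one host running a bridged VM,
    one unregistered single host."""
    registered = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
    mac_table = {
        "dorm-sw1/7": ["00:11:22:33:44:55"],                          # registered host alone
        "dorm-sw1/8": ["00:11:22:33:44:66", "0a:00:27:00:00:01"],     # host + new bridged VM
        "dorm-sw1/9": ["00:11:22:33:44:77"],                          # unregistered host alone
    }
    return {
        "multi_mac_ports": audit(mac_table, registered),
        "port8_per_port": per_port_decision(mac_table["dorm-sw1/8"], registered),
        "port8_per_node": per_node_decision(mac_table["dorm-sw1/8"], registered),
        "port9_per_port": per_port_decision(mac_table["dorm-sw1/9"], registered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

For port 8 the per-port rule sends the whole port to the registration VLAN and lists the already-registered host as collateral, which is the "other VMs lose network access" bullet; the per-node rule leaves the registered host on production and sends only the new VM to registration.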
-
Questions?
Thank you!