1
Network Admission Control to WLAN
at WIT
Presented by: Aidan McGrath B.Sc. M.A.
2
Why deploy a wireless LAN?
• Can be seen to be behind the technology by potential students if not deployed.
• Keep up with technology demands of modern students.
• It will happen anyway, so why not take control from the start.
• Students used to mobile phones, so why not mobile computing?
• Reduce demand on providing more PCs which then need to be replaced.
3
What are the challenges of a WLAN?
• Disappearing security boundaries expose internal infrastructure and assets.
• To ensure policy compliance for all endpoint devices seeking network access.
• Providing sufficient access points – how many/where?
• Does one size fit all?
4
What are the solutions?
• Turn on service and hope for the best – no checking of laptops for vulnerabilities.
• Manual intervention to assess laptops for risks.
• Automatic posture assessment of laptop at time of connection – network admission control (NAC).
5
Network Admission Control (NAC)
Use the network to enforce policies to ensure that incoming devices are compliant. NAC combines identity PLUS device security PLUS network security:
• Identity – Who is the user? Is s/he authorised? What role does s/he get?
• Device security – Is OS patched? Does A/V or A/S exist? Is it running? Are services on? Do required files exist?
• Network security – Is policy established? Are non-compliant devices quarantined? Is remediation required? Is remediation available?
6
All-in-One Policy Compliance and Remediation Solution
• Authenticate & Authorise – Enforces authorisation policies and privileges; supports multiple user roles.
• Scan & Evaluate – Agent scan for required versions of hotfixes, AV, and other software; network scan for virus and worm infections and port vulnerabilities.
• Quarantine – Isolate non-compliant devices from rest of network; MAC and IP-based quarantine effective at a per-user level.
• Update & Remediate – Network-based tools for vulnerability and threat remediation; help-desk integration.
7
Cisco NAC Appliance (Cisco Clean Access) Components
• Clean Access Server (CAS) – Serves as an in-band or out-of-band device for network access control.
• Clean Access Manager (CAM) – Centralises management for administrators, support personnel, and operators.
• Clean Access Agent – Optional lightweight client for device-based registry scans in unmanaged environments.
• Rule-set Updates – Scheduled automatic updates for anti-virus, critical hot-fixes and other applications.
8
Clean Access: Sampling of Pre-Configured Checks
• Critical Windows Updates – Windows XP, Windows 2000, Windows 98, Windows ME
• Anti-Virus Updates
• Anti-Spyware Updates
• Other 3rd Party Checks
• Cisco Security Agent
9
Product User Flow Overview
Components in the flow: Clean Access Server, Clean Access Manager, Authentication Server; the goal is the Intranet/Network.
1. End user attempts to access a Web page or uses an optional client. Network access is blocked until wired or wireless end user provides login information.
2. User is redirected to a login page. Clean Access validates username and password, also performs device and network scans to assess vulnerabilities on the device.
3a. Quarantine – Device is noncompliant or login is incorrect. User is allowed 30min limited access to appropriate remediation sites.
3b. Device is “clean” – Machine gets on “certified devices list” and is granted access to network.
10
Screen Shots (MS Client)
• Login screen
• Scan is performed (types of checks depend on user role)
• Scan fails
• Remediate
11
Screen Shots (Web browser – non MS)
• Login screen
• Scan is performed (types of checks depend on user role/OS)
• Guided self-remediation
12
Process Flow: Wireless Access
1. Wireless user connects to WLC via LWAPP (open authentication).
2. Wireless user obtains IP address from WLC.
3. Wireless user opens a browser and is redirected to download the Clean Access Agent (if they don’t already have it loaded).
Diagram (NAC Enforcement Point; laptop role: “Unauthenticated”):
• Laptop – IP 192.168.50.3
• WLC – 192.168.60.3 (Mgmt VLAN 60), 192.168.50.2 (User VLAN 50)
• L3 Switch – IP 192.168.10.1
• Clean Access Server – IP 192.168.10.2
• Clean Access Manager – IP 10.1.1.30
• Auth Server – IP 10.1.1.25
• Radius Accounting Server – IP 10.1.1.26
• DNS Server – IP 10.20.20.20
• Intranet Server
13
Process Flow: Network Admission Control 1
1. CAS determines that laptop MAC address is not in “certified device” list – not logged on recently.
2. CAS puts laptop into the “Unauthenticated” Role.
3. Laptop gets an IP address from DHCP server, but can not get past CAS acting as “IP filter.”
4. Laptop user opens a browser and is redirected to a SSL based weblogin page.
• User enters credentials.
• User is asked to download the Clean Access Agent.
Diagram (NAC Enforcement Point; laptop role: “Unauthenticated”): Laptop IP 192.168.1.150; Router IP 192.168.1.1; Clean Access Server IP 192.168.1.2; Clean Access Manager IP 10.1.1.30; Auth Server (Radius) IP 10.1.1.25; DNS Server; Internet Web Server.
14
Process Flow: NAC 2
5. Clean Access Agent performs posture assessment and forwards the results to the CAS so that the network admission decision can be made.
6. CAS forwards posture report to CAM.
• CAM determines that the laptop is NOT in compliance and instructs the CAS to put the laptop into the “Temporary Role.”
7. CAM sends remediation steps to Clean Access Agent.
Diagram (NAC Enforcement Point; laptop role: “Temporary”): Laptop IP 192.168.1.150; Router IP 192.168.1.1; Clean Access Server IP 192.168.1.2; Clean Access Manager IP 10.1.1.30; Auth Server IP 10.1.1.25; DNS Server IP 10.20.20.20; Internet Web Server.
15
Process Flow: NAC 3
8. Clean Access Agent displays access time remaining in “Temporary Role” for laptop.
• CCA Agent guides user step-by-step through remediation.
• Patches can be downloaded from update sites such as https://liveupdate.symantec.com or http://windowsupdate.microsoft.com
9. CCA Agent informs CAS that the laptop has been successfully remediated.
Diagram (NAC Enforcement Point; laptop role: “Temporary”): Laptop IP 192.168.1.150; Router IP 192.168.1.1; Clean Access Server IP 192.168.1.2; Clean Access Manager IP 10.1.1.30; Auth Server IP 10.1.1.25; DNS/DHCP Server IP 10.20.20.20; Internet Web Server.
16
Process Flow: NAC 4
10. CAS puts MAC address of laptop into “Certified Device” list.
• CAS assigns laptop to the “Clean Role” for 24 hour period.
• Laptop is now allowed complete access to the Internet.
Diagram (NAC Enforcement Point; laptop role: “Clean”): Laptop IP 192.168.1.150; Router IP 192.168.1.1; Clean Access Server IP 192.168.1.2; Clean Access Manager IP 10.1.1.30; Auth Server IP 10.1.1.25; DNS Server IP 10.20.20.20; Internet Web Server.
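The admission decision described on slides 13 to 16 (certified-device list lookup, the Unauthenticated, Temporary and Clean roles, the 30-minute remediation window and the 24-hour certification), with the compliance checks modelled on the pre-configured checks of slide 8, as an added Python model. This is example code written for this transcript, not Cisco Clean Access code; the MAC address, check names, required-file check and the minute-based clock are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the Clean Access admission flow on slides 13-16
# (added example, not Cisco's code; role names and checks follow the slides).
# Times are plain integers (minutes) so the flow can be traced by hand.
CERTIFIED_VALIDITY_MIN = 24 * 60   # "Clean Role" lasts a 24 hour period
TEMPORARY_ACCESS_MIN = 30          # 30 min limited access for remediation

@dataclass
class Posture:
    os_patched: bool
    av_installed: bool
    av_running: bool
    required_files: dict   # hypothetical check: path -> present?

@dataclass
class CleanAccessServer:
    certified: dict = field(default_factory=dict)   # MAC -> minute certified

    def is_certified(self, mac, now):
        """Step 1: MAC on the 'certified device' list and logged on within 24h."""
        since = self.certified.get(mac)
        return since is not None and now - since < CERTIFIED_VALIDITY_MIN

    def evaluate(self, posture):
        """Steps 5-6: the CAM's compliance decision, as a list of remediation steps."""
        steps = []
        if not posture.os_patched:
            steps.append("Install critical Windows updates")
        if not posture.av_installed:
            steps.append("Install anti-virus software")
        elif not posture.av_running:
            steps.append("Start the anti-virus service")
        steps += [f"Restore required file {path}"
                  for path, present in posture.required_files.items() if not present]
        return steps

    def admit(self, mac, posture, now, authenticated=True):
        """One connection: returns (role, remediation steps, minute access expires)."""
        if self.is_certified(mac, now):          # certified: re-admitted without a new scan
            return ("Clean", [], self.certified[mac] + CERTIFIED_VALIDITY_MIN)
        if not authenticated:                    # steps 2-4: held by the CAS "IP filter"
            return ("Unauthenticated", [], None)
        steps = self.evaluate(posture)
        if steps:                                # step 7: Temporary Role plus guidance
            return ("Temporary", steps, now + TEMPORARY_ACCESS_MIN)
        self.certified[mac] = now                # step 10: certified for 24 hours
        return ("Clean", [], now + CERTIFIED_VALIDITY_MIN)
```

Note that, following the slides, a MAC on the certified list is re-admitted without a fresh posture scan until the 24 hours elapse, which is why the list entry must expire.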
17
WIT Wireless Network
Diagram components:
• Internet
• ASA 5550
• Cisco 4400 Wireless LAN Controller
• LWAPP Encrypted Tunnel
• Aironet 1100 AP
• AP Network VLAN 216
• WLAN Network VLAN 215
• Cisco ACS Server
• Untrusted WLAN DMZ
• Trusted WLAN DMZ
• L3 6513 Switch
• Laptop
• Clean Access Manager
• Clean Access Server
18
WIT Wireless Network Future Developments
• Out of band wired access
• Nessus vulnerability scanner http://www.nessus.org/ for Mac OS X, Linux, Solaris and FreeBSD
19
WIT Wireless Network - Partners