The Two Variations of NAC - University System of Maryland

Managing and Securing Wireless Networks with Cisco Clean Access
Steve Coppel
SE, Maryland Enterprise
CISSP, CCSP
© 2004 Cisco Systems, Inc. All rights reserved.
Agenda
• WLAN Security Issues
• WLAN Enterprise Issues
• Requirements for WLAN Management & Security Solution
• Cisco Clean Access Solution
• Case Study: Stanford University
WLAN Security Issues - A Different IT Beast
• Non-existent or Porous Boundaries
▪ More vulnerable to a variety of malicious attacks
▪ WEP security inadequate
▪ Many common areas where anyone can access a wireless signal
• Security Challenge Shifted from Ports to Users
▪ Authentication more important but also more difficult
▪ Increased susceptibility to attacks originating from employees’ home networks
• Wireless and Wireline Management Integration Unresolved
▪ Management is an enormous challenge
▪ Impacts usability and productivity
WLAN Security Issues
• MAC and IP Spoofing Too Easy
▪ Multitude of free tools on the Internet allow machines to spoof other MAC and IP addresses
• Denial of Service (DoS) Attacks Too Easy
▪ Several DoS attacks possible, including consuming all IP addresses and DoS attacks on web servers, file servers, mail servers, etc.
• “Man in the middle” Attack
▪ Malicious users find it easy to insert themselves in the communication path in order to steal user credentials, sessions, etc.
WLAN Enterprise Issues
(Table columns: Issue / Tools / If Left Unresolved)

Issue: Multi-vendor Access Point Management
Tools: Management software provided by each access point vendor, but not interoperable with others
If Left Unresolved: Heterogeneous environments are impossible to manage centrally

Issue: Integrated Management between Wired and Wireless Networks
Tools: None
If Left Unresolved: Management and user interface complexity increases

Issue: Viruses Imported from External Networks
Tools: Point products
If Left Unresolved: Viruses may frequently and severely impact enterprise productivity

Issue: Management Difficulties Associated with VPNs-over-WLANs
Tools: Vendor-specific solutions; most VPNs built for dial-up use
If Left Unresolved: Security gaps may remain; client maintenance complexity increases
Requirements for WLAN Management & Security Solution
• Authentication-based Access to WLAN
▪ Users must be authenticated before being provided network access
▪ Authentication must be performed using existing authentication systems
▪ Unauthenticated users (rogue users) must not be allowed to launch DoS attacks (e.g. ping attacks, etc.)
• Client-less Deployment Mandatory
▪ Security solution should not mandate the deployment of any client software
▪ Optional client software for ease of use, additional security, network sniffing, rogue access point reporting, war driving, etc. preferred
Requirements for WLAN Management & Security Solution
• Strong Data Protection
▪ Standards-based, strong over-the-air encryption is needed in place of WEP or any proprietary mechanism
• Non-Proprietary Hardware Preferred
▪ Preferred that security solution not require proprietary hardware
▪ Easily scalable hardware
Requirements for WLAN Management & Security Solution
• Centralized Deployment
▪ Security and management solution must both be deployable centrally in the network centers
▪ Edge deployments are too expensive to deploy/manage
• Centralized Configuration & Management
▪ Ability to configure and manage entire deployment from a central location
▪ Secure remote management
Cisco Clean Access Solution
What Does Clean Access Do?
Before allowing users onto the network, whether it’s a wired or wireless network, Clean Access:
Recognizes: users, device, and role (guest, employee, contractor)
Evaluates: identifies vulnerabilities on devices
Enforces: eliminates vulnerabilities before network access
Key Cisco Clean Access Features
All-in-One Policy Compliance and Remediation Solution
• Role-based access control
▪ Cisco Clean Access server enforces authorization policies and privileges
▪ Supports multiple user roles (e.g. guests, employees, and contractors)
• Scans for security requirements
▪ Agent scan for required versions of hotfixes, AV, and other software
▪ Network scan for virus and worm infections
▪ Network scan for port vulnerabilities
• Network quarantine
▪ Isolate non-compliant machines from rest of network
▪ MAC and IP-based quarantine effective at a per-user level
• Repair and update
▪ Network-based tools for vulnerability and threat remediation
▪ Help-desk integration
Cisco Clean Access Components
• Cisco Clean Access Server
▪ Formerly CleanMachines SmartServer
▪ Serves as an inline or out-of-band device for network access control
• Cisco Clean Access Manager
▪ Formerly CleanMachines SmartManager
▪ Centralizes management for administrators, support personnel, and operators
• Cisco Clean Access Agent
▪ Formerly CleanMachines SmartEnforcer
▪ Optional client for device-based registry scans in unmanaged environments
Pre-Configured Clean Access Checks
Critical Windows Update
▪ Windows XP, Windows 2000, Windows 98, Windows ME
Symantec
▪ Norton AntiVirus 2005 v. 11.0.x
▪ Norton AntiVirus 2004 v. 10.x
▪ Norton AntiVirus 2004 Professional v. 10.x
▪ Norton Internet Security 2004
▪ Norton AntiVirus 2003 v. 9.x
▪ Norton AntiVirus 2003 Professional v. 9.x
▪ Norton AntiVirus 2002 Professional v. 8.x
▪ Norton AntiVirus Corporate Edition v. 7.x
▪ Symantec Internet Security 2005 Edition 8.0.x
▪ Symantec AntiVirus Scan Engine Edition 8.0.x
▪ Symantec AntiVirus Corporate Edition v. 9.x
▪ Symantec AntiVirus Corporate Edition v. 8.x
McAfee
▪ McAfee VirusScan Enterprise v. 8.0i beta
▪ McAfee VirusScan Enterprise Edition v. 7.5
▪ McAfee VirusScan Enterprise Edition v. 7.1
▪ McAfee VirusScan Enterprise Edition v. 7.0
▪ McAfee VirusScan Enterprise Edition v. 4.5.x
▪ McAfee VirusScan Professional Edition v. 8.0.x
▪ McAfee VirusScan Professional Edition v. 7.x
▪ McAfee VirusScan ASaP
Trend Micro
▪ Trend Micro Internet Security v. 12.x
▪ Trend Micro Internet Security v. 11.2
▪ Trend Micro Internet Security v. 11.0
▪ Trend Micro OfficeScan Corporate Edition v. 6.x
▪ Trend Micro OfficeScan Corporate Edition v. 5.x
▪ Trend Micro PC-Cillin 2004
▪ Trend Micro PC-Cillin 2003
Sophos
▪ Sophos Anti-Virus Enterprise v. 3.x
Cisco Systems
▪ Cisco Security Agent v. 4.x
Customers can easily add custom checks
Pre-Configured Checks (cont’d)
Computer Associates (eTrust)
▪ Computer Associates eTrust Antivirus v. 7.x
▪ Computer Associates eTrust EZ Antivirus v. 6.2.x
▪ Computer Associates eTrust EZ Antivirus v. 6.1.x
F-Secure
▪ F-Secure Anti-Virus for Workstations TBYB 5.x
▪ F-Secure Anti-Virus Client Security 5.x
▪ F-Secure Anti-Virus 2004 5.x
Panda
▪ Panda Titanium Anti-Virus 2004 v. 3.x
▪ Panda Anti-Virus Platinum v. 7.x
▪ Panda Anti-Virus Platinum v. 6.x
▪ Panda Internet Security Platinum v. 8.x
▪ Panda Anti-Virus Light v. 1.9x
Kaspersky
▪ Kaspersky Anti-Virus Personal v. 5.x
▪ Kaspersky Anti-Virus Personal v. 4.x
▪ Kaspersky Anti-Virus Personal Pro v. 4.x
SOFTWIN (BitDefender)
▪ BitDefender Free Edition v. 7.x
▪ BitDefender Standard/Professional Edition 7.x
▪ BitDefender Standard v. 8.0.x
▪ BitDefender Professional Plus v. 8.0.x
Grisoft (AVG)
▪ AVG Antivirus v. 7.0
▪ AVG Antivirus v. 6.0
▪ AVG Antivirus v. 6.0 Free Edition
Frisk Software International
▪ F-Prot Antivirus v. 3.x
SalD
▪ DrWeb Antivirus v. 4.31b
Eset
▪ NOD32 Antivirus system NT/2000/2003/XP 2.0
Zone Labs
▪ ZoneAlarm with Antivirus v. 5.x
Authentium
▪ Authentium Command Anti-Virus Enterprise 4.x
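The two slides above list the products a Clean Access agent scan can check for, and the "Key Features" slide says the checks applied depend on the user's role and that customers can add their own. The following Python is an added example written for this page, not Cisco code: it models a role-based posture policy of that shape, with version comparison against a minimum accepted version per product, a hotfix presence check, a signature-age check, and a hook for custom checks. The minimum versions, the hotfix identifiers (marked as placeholders, not real KB numbers), the signature-age limit and the agent reports are all constructed for illustration; only the product names come from the slides.

```python
"""Role-based posture policy modelled on the pre-configured Clean Access checks.

Added example (not Cisco code). Minimum versions, hotfix ids, the signature-age
limit and the agent reports are constructed for illustration.
"""
import re

# Minimum accepted version per approved antivirus product. Product names are taken
# from the check list; the thresholds are constructed.
APPROVED_AV = {
    "Symantec AntiVirus Corporate Edition": (8, 0),
    "McAfee VirusScan Enterprise Edition": (7, 0),
    "Trend Micro OfficeScan Corporate Edition": (5, 0),
    "Sophos Anti-Virus Enterprise": (3, 0),
}
# Placeholder hotfix identifiers, not real Microsoft KB numbers.
REQUIRED_HOTFIXES = {"KB-PLACEHOLDER-A", "KB-PLACEHOLDER-B"}
MAX_SIGNATURE_AGE_DAYS = 7   # constructed limit


def parse_version(text):
    """'8.0.1' -> (8, 0, 1); letter suffixes such as '8.0i' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def version_at_least(installed, minimum):
    """Compare version tuples, padding the shorter one with zeros so '8' equals '8.0'."""
    a, b = parse_version(installed), tuple(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


# Every check takes the agent report and returns (passed, remediation_hint).
def check_hotfixes(report):
    missing = sorted(REQUIRED_HOTFIXES - set(report.get("hotfixes", [])))
    return (not missing, f"install Windows hotfixes {missing}" if missing else "")


def check_av_installed(report):
    av = report.get("antivirus")
    if not av:
        return False, "install an approved antivirus product"
    minimum = APPROVED_AV.get(av["product"])
    if minimum is None:
        return False, f"{av['product']} is not an approved product"
    if not version_at_least(av["version"], minimum):
        wanted = ".".join(str(n) for n in minimum)
        return False, f"upgrade {av['product']} to version {wanted} or later"
    return True, ""


def check_av_signatures(report):
    age = (report.get("antivirus") or {}).get("signature_age_days")
    if age is None or age > MAX_SIGNATURE_AGE_DAYS:
        return False, "update antivirus signatures"
    return True, ""


# Which checks run depends on the user's role; guests get the lightest policy.
ROLE_POLICY = {
    "employee": [check_hotfixes, check_av_installed, check_av_signatures],
    "contractor": [check_hotfixes, check_av_installed],
    "guest": [check_hotfixes],
}


def add_custom_check(role, check):
    """Custom checks are any callable with the same (report) -> (ok, hint) shape."""
    ROLE_POLICY.setdefault(role, []).append(check)


def assess(role, report):
    """Run the role's checks; a failing device lands in the quarantine role with hints."""
    failures = []
    for check in ROLE_POLICY[role]:
        ok, hint = check(report)
        if not ok:
            failures.append((check.__name__, hint))
    return {
        "requested_role": role,
        "assigned_role": role if not failures else "quarantine",
        "compliant": not failures,
        "remediation": failures,
    }


# Constructed agent reports.
CLEAN_EMPLOYEE = {
    "os": "Windows XP",
    "hotfixes": ["KB-PLACEHOLDER-A", "KB-PLACEHOLDER-B"],
    "antivirus": {"product": "Symantec AntiVirus Corporate Edition",
                  "version": "9.0.1", "signature_age_days": 2},
}
STALE_CONTRACTOR = {
    "os": "Windows 2000",
    "hotfixes": ["KB-PLACEHOLDER-A", "KB-PLACEHOLDER-B"],
    "antivirus": {"product": "McAfee VirusScan Enterprise Edition",
                  "version": "4.5.1", "signature_age_days": 40},
}

if __name__ == "__main__":
    for role, rep in (("employee", CLEAN_EMPLOYEE), ("contractor", STALE_CONTRACTOR)):
        print(assess(role, rep))
```

The zero-padding in `version_at_least` matters for lists like the one above, where some entries are written as "v. 7.x" and others as "v. 4.5.x": without it a bare "8" would compare below "8.0". Because the same report is judged against a different check set per role, a machine that is acceptable for a contractor can still be quarantined when its owner logs in as an employee, which is the behaviour the "types of checks depend on user role" slides describe.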
Cisco Clean Access System Operation
THE GOAL
[Diagram: Authentication Server, Cisco Clean Access Manager, Cisco Clean Access Server, Quarantine Role, Intranet/Network]
1. End User Attempts to Access a Web Page or Uses an Optional Client
• Network access is blocked until end user provides login information
2. User Is Redirected to a Login Page
• Clean Access validates username and password; also performs device and network scans to assess vulnerabilities on the device
3a. Device Is Non-Compliant or Login Is Incorrect
• User is denied access and assigned to a quarantine role with access to online remediation resources
3b. Device Is “Clean”
• Machine gets on “clean list” and is granted access to network
Sample Reporting
[Screenshots: login screen and sample reporting pages]
Multiple Deployment Options
Out-of-band: For high throughput environments, for deployment in
• Campus Environments
• Branch Offices
• Extranet environments
• Highly routed environments
Inline: Supports environments including
• Wireless
• Hubs
• Shared Media
CCA Inline Deployment
FEATURES:
• VLAN trunking support
• ~1 GB/sec throughput support
• Failover support
[Diagram: Border Router, Intranet, Firewall, Clean Access Manager and Authentication Server, with the Clean Access Server shown in three placements: Bridged Central Deployment, Routed Central Deployment (Core switch), and Edge Deployment (Switch)]
Secure Remote Access Deployment
Secure Remote: Supports environments with remote users coming through VPN Concentrators
CCA Out Of Band Deployment
[Diagram: Internet, Firewall, Router, Clean Access Manager, Clean Access Server, End User]
Integrates with Cisco switches to provide out of band solution.
Provides network access control for LAN users.
Deployed in highly routed networks and environments where in-line appliance is not appropriate.
CCA: User Access, Non-certified Machine
[Diagram: Network, Switch, Host with CCA Agent, CCA Manager, CCA Server, with steps 1-7 marked on the links]
1. End user attaches host to network
2. Switch sends MAC address via SNMP-based alert to CCA Manager
3. CCA Manager decides whether host has been previously certified
4. If NO, CCA Manager instructs switch to put device on quarantine VLAN. CCA Server acts as a gateway or bridge for the quarantine VLAN, intercepts device request, and performs posture assessment and remediation
5. CCA Server certifies MAC address and forwards to CCA Manager
6. CCA Manager instructs switch to change to the appropriate VLAN
7. Host is granted access to network
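The seven steps above describe the out-of-band control loop between the switch, the CCA Manager and the CCA Server. The Python below is an added example for this page, not Cisco code: it models that loop as three small objects so the sequencing (MAC notification, certified-list lookup, quarantine VLAN, posture assessment, certification, VLAN change) can be traced end to end. The VLAN ids, port names, MAC address and the posture report format (a dict of check name to pass/fail) are constructed, and the posture assessment is deliberately simplified to the flow's decision point; the role is assumed to come from the login that precedes the assessment, as on the system-operation slide.

```python
"""Model of the Clean Access out-of-band flow (steps 1-7 on the slide above).

Added example (not Cisco code): Switch, CCAManager and CCAServer are simplified
Python objects; VLAN ids, port names, MAC addresses and the posture report format
are constructed.
"""

QUARANTINE_VLAN = 999                                         # constructed
ROLE_VLANS = {"employee": 10, "contractor": 20, "guest": 30}  # constructed


class Switch:
    """Holds the per-port VLAN assignment and raises the MAC notification (step 2)."""

    def __init__(self):
        self.port_vlan = {}
        self.manager = None

    def link_up(self, port, mac):
        # Steps 1-2: a host attaches; the switch notifies the manager of the MAC
        # (an SNMP-based alert in the real product).
        return self.manager.mac_notification(port, mac)

    def set_vlan(self, port, vlan):
        self.port_vlan[port] = vlan


class CCAServer:
    """Gateway for the quarantine VLAN; intercepts the device's request and assesses posture."""

    def assess(self, report):
        # Report is a constructed dict of check name -> passed; return what failed.
        return sorted(name for name, passed in report.items() if not passed)


class CCAManager:
    """Keeps the certified-MAC list and tells the switch which VLAN each port belongs on."""

    def __init__(self, switch, server):
        self.switch, self.server = switch, server
        switch.manager = self
        self.certified = {}   # mac -> role granted at certification
        self.events = []      # audit trail of decisions

    def mac_notification(self, port, mac):
        # Step 3: a previously certified host goes straight to its role VLAN.
        if mac in self.certified:
            role = self.certified[mac]
            self.switch.set_vlan(port, ROLE_VLANS[role])
            self.events.append((mac, "certified", role))
            return "access"
        # Step 4: an unknown host is parked on the quarantine VLAN behind the CCA Server.
        self.switch.set_vlan(port, QUARANTINE_VLAN)
        self.events.append((mac, "quarantine", None))
        return "quarantine"

    def device_request(self, port, mac, role, report):
        """Steps 4-7: intercept, assess, certify on success and move the port."""
        if self.switch.port_vlan.get(port) != QUARANTINE_VLAN:
            raise ValueError("device request must arrive via the quarantine VLAN")
        failures = self.server.assess(report)
        if failures:
            # Host stays quarantined and is told what to remediate.
            return {"state": "quarantine", "vlan": QUARANTINE_VLAN, "remediation": failures}
        self.certified[mac] = role                           # step 5: MAC certified
        self.switch.set_vlan(port, ROLE_VLANS[role])          # step 6: VLAN changed
        return {"state": "access", "vlan": ROLE_VLANS[role], "remediation": []}  # step 7


def walk_through():
    """Constructed walk-through: new host fails, remediates, is certified, reconnects elsewhere."""
    switch = Switch()
    manager = CCAManager(switch, CCAServer())
    mac = "00:11:22:33:44:55"   # constructed MAC address
    first = switch.link_up("Gi1/0/1", mac)
    failing = manager.device_request("Gi1/0/1", mac, "employee",
                                     {"hotfixes_current": False, "av_installed": True})
    fixed = manager.device_request("Gi1/0/1", mac, "employee",
                                   {"hotfixes_current": True, "av_installed": True})
    second = switch.link_up("Gi1/0/7", mac)
    return first, failing, fixed, second


if __name__ == "__main__":
    for step in walk_through():
        print(step)
```

Two properties of the slide's flow fall out of the model: a device never reaches a role VLAN without passing through the quarantine VLAN first (`device_request` refuses anything else), and once a MAC is on the certified list a later reconnect on a different port skips the assessment entirely (step 3). That second property is the one to keep in mind alongside the earlier "MAC and IP Spoofing Too Easy" slide, since the certified list is keyed by MAC address.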
End User Experience: with Agent
[Screenshots: Login screen → User Authentication → User Machine Quarantined → Remediation Steps]

End User Experience: with Agent
[Screenshots: Login screen → Scan is performed (types of checks depend on user role) → Scan fails → Remediate]
End User Experience: Web-based
[Screenshots: Login screen → Scan is performed (types of checks depend on user role/OS) → Click-through remediation]
Cisco Clean Access: The Holistic Solution
(Table columns: Products / WLAN Security / WLAN Management / Clean Access)
Authentication: √ √
Encryption: √ √
User/Group Policy Management: √ √
Firewall: √ √
Roaming Support: √ √
AP Configuration & Management: √ √
Remote Client Updates: √ √
Centralized WLAN Management: √ √ √ √
WLAN Monitoring & Reporting: √
Case Study: Stanford University
Stanford University – Authentication & Ease of Use
• Challenge
▪ Improve authentication
▪ Keep it simple
▪ Interoperate with existing system
• Solution
▪ Clean Access protects each subnet
▪ Authentication through Kerberos
▪ Centralized deployment (edge-based optional)
• Benefits
▪ Short implementation
▪ Rapid ROI
▪ Wireless expanding into business school & medical center
Stanford University WLAN Deployment
• Huge Campus
▪ Large student, faculty, and staff community
▪ More than 8200 acres
▪ More than 675 large buildings
• Wireless Computing Growing in Popularity
▪ Wireless laptops mandatory in certain schools
▪ Lower cost of wireless access cards
• Deployment
▪ More than 250 access points throughout common areas and many buildings
▪ Divided into 4 major network segments
Stanford University WLAN Deployment Security
• Security for Initial Deployment
▪ Minimal
▪ Based on MAC address of access card – SU maintains a database of registered MAC addresses (NetDB) and only registered network cards are provided IP addresses
▪ No WEP – preferable to providing users with a false sense of security
▪ Susceptible to several different types of attacks
Q&A