SOSPG2ilta.personifycloud.com/webfiles/productfiles/1501877/... · 2013. 8. 27. · Implementing...
SOSPG2 Implementing Network Access Controls
Nate Isaacson
Security Solution Architect
Agenda
The BYOD Challenges
NAC terms
The Big Picture
NAC Solutions and Deployment
What about outside the Enterprise?
The “New Normal”
MOBILE GROWTH RATE
The Evolving Workplace Landscape
YOUR USERS HAVE NEW EXPECTATIONS
Virtualization
Next Generation Workforce
Device Proliferation
Work Is No Longer a Place You Go to Work
People Are Willing to Take a Pay Cut as Long as They Are Able to Work from Home
70% of end users admit to breaking IT policy to make their lives easier
Need Anywhere, Anytime, Any Device Access
The Burden Falls on IT
TOP OF MIND CONCERNS
• Am I hindering my workforce from being competitive?
• How do I retain top talent?
• How do I ensure compliance with SOX, HIPAA, etc.?
• Can I handle partners, consultants, and guests appropriately?
CHANGING WORKFORCE
Intelligent Access Wherever it is Needed
THE BORDERLESS NETWORK
Figure (Borderless Networks): An Authorized Person, on An Approved Device, In a Secure Way; Anyone, Any Device, Anywhere, Anytime, As Needed. The slide also carries the formula R=RoO x SLE.
Glossary: NAC and Security Acronyms
NAC - Network Access Control
ISE - Identity Services Engine (Cisco NAC)
DLP - Data Loss Prevention
PKI - Public Key Infrastructure
CA - Certificate Authority
CRL - Certificate Revocation List
ACL - Access Control List
dACL - Dynamic Access Control List
CoA - Change of Authorization
MDM - Mobile Device Management
802.1x - NAC authentication protocol (IEEE port-based network access control)
MAB - MAC Authentication Bypass
STOP AND THINK
What are we trying to do with NAC?
A: Secure the Network
B: Prevent Malware
C: Maintain Regulatory Compliance
D: Secure Sensitive Data
E: All the above
Figure: Policy, Technology, Procedure
Top Data Threats
1. Malicious insiders
2. Well-meaning insiders
3. Malicious intarweb hax0rz
4. Lost or stolen media
5. Dissemination of data
6. Mobile devices
7. BAs, suppliers, vendors, partners
8. Cloud/SaaS providers
9. Virtual offices
10. Wireless data transfers
11. Advanced Persistent Threats
Source: http://webstore.ansi.org/phi
The Big Picture
The slide maps the following concerns onto four technologies: NAC, PKI, MDM and DLP.
• Outgoing Email Poses the Biggest Threat to Sensitive Data
• Monitor Usage of Sensitive Data
• Enforce Password
• Enforce Data Encryption
• Jailbreak Detection
• Should Unknown Devices Access Sensitive Data?
• Fingerprint approved devices
• Control Access to the Private Network
• Manage Guest Access
Traditional Approach to BYOD
Guest Network
- Wireless
- Conference Room ports
- Problematic for Wired ports
SSL VPN (Application portal)
- Still a viable solution
Virtual Desktop
- Citrix, Remote Desktop, VDI, etc.
- Still a viable solution
Mobile Device Management
Lifecycle: Provision, Secure, Apps & Content, Monitor, Support, Retire
Provision
• User Groups & Roles
• Remove/Hide Unwanted Apps
• WiFi & VPN Settings
• Push Apps & Content
• Email, Contacts, & Calendars
Secure
• Enforce Password
• Enforce Data Encryption
• OS Updates
• Jailbreak Detection
Apps & Content
• Private App Store
• Apple VPP Distribution
• Web Apps & Clips
• Homegrown
• Content Locker
Monitor
• Device Check-Ins
• Asset Tracking & Reporting
• Geo-location
Support
• Remote Lock
• Remote Password Reset
• Self Service
• Jailbreak Detection
Retire
• Lost/Stolen Device
• Selective Wipe
• Full Wipe
How Do I Control Who and What Access the Network?
Example policies:
“Printers should only ever communicate internally.”
“Employees should be able to access everything but have no access on personal devices.”
“Guest and partners are only allowed bandwidth constrained Internet access via wireless.”
Figure: Internet, Wireless LAN Controller and Access Point, Switch, Campus Network, Policy Services, Internal Resources.
EVOLVING POLICIES IN A MOBILE WORLD
TYPICAL POLICY OPTIONS
Permit Access
• Low maintenance • High risk
Deny Access
• Low maintenance • Low risk
Centralized Policy Engine (Simplified, Scalable Access Policy; Converged Monitoring and Troubleshooting; Unified Access Management)
• Low maintenance • Low risk
Employee: “I have an iPad. Can I get on the network?” The Centralized Policy Engine answers by tailoring access to the scenario.
Tailor Access by Scenario
Devices in the New Enterprise: A Spectrum of Possibilities & New Trust Equation
Spectrum: User Owned, Unmanaged; User Owned, Enterprise Managed; Enterprise Owned, Enterprise Managed
Trust equation: Trust the Device, Trust the User, Trust the App, Trust the File System
Deploying NAC - Step 1
Develop a Written Policy
- Approved Devices List (OS, Disk Encryption, etc.)
- Access Methods Allowed
- Guest Policy
- BYOD/MDM Policy
What is a Certificate?
A credential that binds your name to an identity.
You must be vetted by a trusted authority to get it.
It provides you access or privileges to communities.
People who did not give it to you are willing to trust its contents.
How Do You Manage Certificates?
One option is to self-manage with readily available tools: certificate software & hardware, Microsoft, MDMs.
- Not easy to use
- Not always multi-platform?
- Difficult to scale?
Symantec Managed PKI Service
The Leading Cloud PKI Platform…And It Just Got Better
Cost-Effective: deploy PKI applications quickly & easily with no up-front capital investment
Simple: deliver consistent, automated, and easy-to-use operation across platforms
Flexible: deliver and manage multiple PKI applications from a unified platform
Scalable: build on the proven reliability of the longest-running commercial PKI platform
NAC Then and Now
Then
• Pass/Fail (NOT flexible)
• Few devices supported 802.1x
• Inline devices created bottlenecks
• Expensive
• Overall – painful and not practical
Now
• Very Flexible
• Most devices support 802.1x
• No more inline devices
• Affordable
• Overall – Works as advertised
Evaluating NAC solutions
What Authentication Methods are supported
- AAA (802.1x)
- MAC Authentication (MAB)
- Guest management
How are Policies Enforced
- Inline Appliance
- Endpoint Agent
- Network Layer (dynamic VLAN or ACL)
Vendor Alignment – HUGE factor
- Cisco network – Cisco ISE
- Aruba Wireless – Aruba ClearPass
- Juniper Network – Juniper UAC
MDM integration
- Don’t underestimate the value of MDM
Wired and Wireless Capabilities
- There may be discrepancies
- Don’t assume the same features for both
Deploying NAC – Step 2
What happens IF… you lock down the Network on Day 1?
Test and Pilot use cases
Deploy in Monitor Mode
- Evaluate authentication successes and failures
- Evaluate what policies would be assigned, prior to enforcement
Walk before you Run
Identity Services Engine (ISE)
• Centralized Policy
• AAA Services
• Device Profiling
• Posture Assessment
• Guest Access Services
• Distributed Enforcement
• Centralized Monitoring and Reporting
Figure: ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server converge into the Identity Services Engine.
Authentication
IEEE 802.1X
- Standard for link layer authentication and access control
- Components: supplicant (client), authenticator (switch), and AAA server
- Uses Extensible Authentication Protocol (EAP) to transport authentication info.
MAC Auth Bypass (MAB)
- Authenticate using the client’s MAC address
- For devices that don’t support 802.1X (no supplicant), such as printers.
Web Authentication
- For clients that don’t support 802.1X (no supplicant), but are capable of interactive HTTP authentication
Figure: Cisco TrustSec covers IEEE 802.1X, MAC Authentication and Web Authentication.
THE IDENTITY BASED ACCESS ARCHITECTURE
Identity Context: Employee, Contractor, Guest; Location, Access Type, Device Type, Posture
- 802.1X, Web Authentication, MAC Authentication Bypass (MAB), Profiling
Authorization and Enforcement: Broad Access, Limited Access, Guest/Internet
- VLAN, DACL, Security Group Access, Identity Firewall
Data Integrity and Confidentiality
- MACSec (802.1AE)
Policy and Reporting
DIFFERENTIATED DEVICE PROFILES
Users on the same wireless network can be associated to different wired networks after authentication:
- Employee using a corporate laptop with their AD user id: assigned to “Full network access”
- Employee using personal iPad/iPhone with their AD user id: assigned to “Internet only”
Figure: same SSID, CAPWAP from the access points to the controller, 802.1Q trunk carrying VLAN 30 (Corporate Resources) and VLAN 40 (Internet), ISE as the policy server.
1. EAP Authentication (employee on corporate laptop)
2. Accept with VLAN 30
3. EAP Authentication (employee on personal device)
4. Accept with VLAN 40
Deploying NAC
Flexibility
We can stack multiple authentication methods to deal with anything that comes along.
EASY: Wireless Auth, Guest Auth
More Complex: Wired Auth, Onboarding
Authentication
Deploying NAC
One policy fits all?
- Don’t lump multiple use cases into a single policy
- Break out use cases to individual policies
Tailor default behavior
- Conference Rooms – default to guest
- Cubicle ports – default to private network
Device Authentication vs User Authentication
- Device Identity takes precedence for security policy
- Device Certificates make it easy (MDM, MS-CA, etc.)
Authentication
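An added illustration (not Cisco ISE code and not the presenter's) that ties together the stacked authentication methods, the three example policies from the “How Do I Control Who and What Access the Network?” slide, the VLAN 30/40 employee example and the policy breakout above: an ordered authorization function where device identity is checked before user identity, plus a monitor-mode tally that models Step 2 by reporting what would be assigned without enforcing. The session attributes, VLAN 20 and 50, the dACL names and the portal URL are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Session:
    auth_method: str                    # "dot1x", "mab" or "webauth" (methods stacked on the port)
    media: str                          # "wired" or "wireless"
    user_group: Optional[str] = None    # AD group "Employee"/"Contractor", or "Guest" from the guest DB
    device_type: str = "unknown"        # profiler result: "corp-laptop", "ipad", "printer", ...
    corp_device: bool = False           # device certificate issued by the corporate CA / MDM
    port_role: str = "cubicle"          # "cubicle" or "conference" (tailored default behaviour)

@dataclass
class Authorization:
    vlan: Optional[int] = None
    dacl: Optional[str] = None          # dACL pushed by RADIUS (constructed names)
    redirect: Optional[str] = None      # URL-redirect to the guest portal
    enforced: bool = True               # False in monitor mode: logged, not applied

def authorize(s: Session, monitor_mode: bool = False) -> Authorization:
    """Ordered rules, first match wins; device identity is evaluated before user identity."""
    def decide(**kw) -> Authorization:
        return Authorization(**kw, enforced=not monitor_mode)
    # "Printers should only ever communicate internally." (MAB, no supplicant; VLAN 20 assumed)
    if s.auth_method == "mab" and s.device_type == "printer":
        return decide(vlan=20, dacl="PERMIT_INTERNAL_ONLY")
    # Employee on a corporate device: full network access (VLAN 30 in the deck)
    if s.auth_method == "dot1x" and s.corp_device and s.user_group == "Employee":
        return decide(vlan=30, dacl="PERMIT_ALL")
    # Same employee on a personal iPad/iPhone: Internet only (VLAN 40 in the deck)
    if s.auth_method == "dot1x" and s.user_group == "Employee":
        return decide(vlan=40, dacl="PERMIT_INTERNET_ONLY")
    # "Guest and partners are only allowed bandwidth constrained Internet access via wireless."
    if s.auth_method == "webauth" and s.user_group in ("Guest", "Contractor") and s.media == "wireless":
        return decide(vlan=50, dacl="PERMIT_INTERNET_RATE_LIMITED")
    # Unknown MAB endpoint: conference-room ports default to the guest portal, cubicle ports do not
    if s.auth_method == "mab" and s.port_role == "conference":
        return decide(vlan=50, redirect="https://ise.example.invalid/guestportal")  # assumed URL
    return decide(dacl="DENY_ALL")

def monitor_report(sessions: List[Session]) -> Dict[str, int]:
    """Monitor-mode tally of the policy each session would receive, prior to enforcement."""
    tally: Dict[str, int] = {}
    for s in sessions:
        a = authorize(s, monitor_mode=True)
        key = a.dacl or ("REDIRECT" if a.redirect else "NONE")
        tally[key] = tally.get(key, 0) + 1
    return tally
```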
Guest Access
ISE Guest Server
Figure: the Guest is URL-redirected to the Guest Portal; the Sponsor uses the Sponsor Portal.
Sponsor Portal
• Customizable portal
• Create multiple accounts
• Sponsor sets group/ID store
• Time profiles
• User account notification
• SMS
Guest Portal
• Change password
• Change password at first login
• Download posture client
• Self service
• Device registration
Deploying NAC
Can reference multiple User Databases
- AD
- Local (guest DB)
Web Auth is great for sporadic guest access
Web Auth is not great for daily access
- Gets annoying fast
- Look at device registration for daily users (MAB in the background)
Web Authentication
Device Profiling
Cisco ISE Profiler
• Discovers and Profiles (classifies) each endpoint using the network
• Monitors for changing endpoint identity attributes
• Maintains a database of all endpoints on the network
• Profiling is based on data from: SNMP, DNS, RADIUS accounting, NMAP, Netflow, CDP, DHCP, Web Auth, IOS Sensor
Figure: profile examples such as iPad and a Custom Template.
Deploying NAC
Great for onboarding New/Unknown devices
- IP Phones
- Printers
- End User devices
Reporting on the Install base
Prevent MAC Spoofing
Profiling
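An added illustration (not Cisco ISE Profiler code) of the profiler behaviour described above: endpoints are classified from network-sourced attributes (MAC OUI, DHCP vendor class, CDP platform), the endpoint database is re-profiled on every observation, and a MAC whose fingerprint changes character, for example a known printer's MAC that starts looking like a Windows host, is flagged so a MAB-only endpoint cannot keep its trusted profile. The OUI table, attribute names and policy names are constructed.

```python
from typing import Dict

# Constructed OUI-to-vendor table; a real profiler uses the IEEE OUI registry
OUI_VENDOR = {"00:11:22": "SamplePrinterCo", "aa:bb:cc": "SampleApple"}

def classify(attrs: Dict[str, str]) -> str:
    """Derive a profile from MAC OUI, DHCP vendor class identifier and CDP platform string."""
    vendor = OUI_VENDOR.get(attrs.get("mac", "")[:8].lower(), "unknown")
    dhcp_class = attrs.get("dhcp_class_id", "").lower()
    cdp = attrs.get("cdp_platform", "").lower()
    if "ip phone" in cdp:
        return "ip-phone"
    if vendor == "SamplePrinterCo" and "printer" in dhcp_class:
        return "printer"
    if vendor == "SampleApple":
        return "apple-device"
    if dhcp_class.startswith("msft"):
        return "windows-workstation"
    return "unknown"

class EndpointDB:
    """Endpoint database that re-profiles on every observation and flags identity changes."""
    def __init__(self) -> None:
        self.endpoints: Dict[str, dict] = {}

    def observe(self, attrs: Dict[str, str]) -> dict:
        mac = attrs["mac"].lower()
        profile = classify(attrs)
        prev = self.endpoints.get(mac)
        changed = prev is not None and prev["profile"] != profile
        # Once a MAC has changed character it stays flagged until an operator clears it
        flagged = bool(prev and (prev["flagged"] or changed))
        self.endpoints[mac] = {"profile": profile, "flagged": flagged}
        anomaly = f"profile changed {prev['profile']} -> {profile}" if changed else None
        return {"mac": mac, "profile": profile, "flagged": flagged, "anomaly": anomaly}

    def access_policy(self, mac: str) -> str:
        """Policy a MAB-only endpoint gets: unknown or flagged MACs never receive a trusted profile."""
        e = self.endpoints.get(mac.lower())
        if e is None or e["flagged"]:
            return "RESTRICTED"
        return {"printer": "PERMIT_INTERNAL_ONLY", "ip-phone": "VOICE_VLAN"}.get(e["profile"], "RESTRICTED")
```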
Posture Assessment
ISE Endpoint Posture Assessment
• The Cisco NAC Agent is used for endpoint checks
- Thick client on managed machines
- Thin client via ActiveX or Java
• Access is controlled via ACLs or VLAN assignments delivered by RADIUS
- Quarantine
- Role-based access
- Periodic reassessment
• Available checks include:
- Antivirus condition
- Antispyware condition
- File condition
- Registry condition
- Application condition
- Service condition
• Automated and manual remediation
Deploying NAC
Posture Assessment should be backed up by a written policy that you intend to enforce
Don’t posture assess just for fun; it isn’t fun!
Deploying NAC Agents adds difficulty
Web Agent
- Great for onboarding, bringing a device under management
- Not great for daily access
Consider your other solutions in place for managing endpoints
Posture Assessment
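An added illustration (not Cisco NAC Agent or ISE code) of the posture model described in the two slides above: each written-policy requirement is a named condition of one of the listed types (antivirus, file, registry, service) paired with its automated or manual remediation; any failure quarantines the host behind a RADIUS-delivered ACL, and compliance is re-checked periodically rather than granted once. The agent report format, the marker file, the registry value and the ACL names are assumptions.

```python
from typing import Callable, Dict, List, Tuple

Report = Dict[str, object]   # constructed agent report: AV state, files, registry values, services

def antivirus_condition(r: Report) -> bool:
    """Antivirus condition: product installed and definitions no older than a week."""
    return bool(r.get("av_installed")) and int(r.get("av_def_age_days", 999)) <= 7

def file_condition(r: Report) -> bool:
    """File condition: assumed marker file dropped by the corporate management tooling."""
    return r"C:\ExampleCorp\managed.flag" in r.get("files", [])

def registry_condition(r: Report) -> bool:
    """Registry condition: assumed value recording that the host firewall is enabled."""
    key = r"HKLM\SOFTWARE\ExampleCorp\Posture\FirewallEnabled"
    return r.get("registry", {}).get(key) == "1"

def service_condition(r: Report) -> bool:
    """Service condition: Windows Update service must be running."""
    return "wuauserv" in r.get("running_services", [])

# Requirement name, its condition, and how it is remediated (automated or manual)
REQUIREMENTS: List[Tuple[str, Callable[[Report], bool], str]] = [
    ("antivirus installed and definitions current", antivirus_condition, "automatic: update AV definitions"),
    ("corporate management marker present", file_condition, "manual: enrol the device in management"),
    ("host firewall enabled", registry_condition, "automatic: re-enable the firewall"),
    ("Windows Update service running", service_condition, "automatic: start wuauserv"),
]

def assess(report: Report) -> dict:
    """Evaluate every requirement; any failure quarantines the host via a RADIUS-delivered ACL."""
    failed = [(name, fix) for name, check, fix in REQUIREMENTS if not check(report)]
    if not failed:
        return {"status": "compliant", "dacl": "PERMIT_ROLE_ACCESS", "remediation": []}
    return {"status": "non-compliant", "dacl": "PERMIT_REMEDIATION_ONLY",
            "remediation": [f"{name}: {fix}" for name, fix in failed]}

def needs_reassessment(last_checked_s: int, now_s: int, interval_s: int = 3600) -> bool:
    """Periodic reassessment: a compliant verdict expires after the configured interval."""
    return now_s - last_checked_s >= interval_s
```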
ISE Topology
Typical Enterprise Deployment (10,000 endpoints or more)
Typical SMB Deployment (under 5000 endpoints)
Deploying NAC
Insist on Redundancy
Centralized Deployments
- Cheaper
- More Practical
- Need WAN redundancy or a Fail Open policy
Scalability
- Distributable services/node types
- Load distribution is fairly easy
Architecture
Deploying NAC
Engage an Architect for design before committing
Run a POC
- if you or your provider have uncertainty
- if your requirements are complex
Leverage an experienced partner
- Or be prepared for a slow, painful deployment
- To avoid mistakes made by others
- Ensure a proven real-world deployment
Avoid the Pitfalls
Deploying NAC
Test the Use cases, make sure they make sense
- Looks good on paper
- Might not look good in practice
Avoid the Pitfalls
Questions