SOSPG2ilta.personifycloud.com/webfiles/productfiles/1501877/... · 2013. 8. 27. · Implementing...
Page 1
SOSPG2 Implementing Network Access Controls
Nate Isaacson
Security Solution Architect
Page 2
Agenda
The BYOD Challenges
NAC terms
The Big Picture
NAC Solutions and Deployment
Page 3
What about outside the Enterprise?
The “New Normal”
Page 4
MOBILE GROWTH RATE
Page 5
MOBILE GROWTH RATE
Page 6
The Evolving Workplace Landscape
YOUR USERS HAVE NEW EXPECTATIONS
VIRTUALIZATION · NEXT GENERATION WORKFORCE · DEVICE PROLIFERATION
NEXT GENERATION WORKFORCE
Work Is No Longer a Place You Go to Work
People Are Willing to Take a Pay Cut as Long as They Are Able to Work from Home
70% of end users admit to breaking IT policy to make their lives easier
Need Anywhere, Anytime, Any Device Access
Page 7
The Burden Falls on IT
TOP OF MIND CONCERNS
• Am I hindering my workforce from being competitive?
• How do I retain top talent?
• How do I ensure compliance with SOX, HIPAA, etc?
• Can I handle partners, consultants, and guests appropriately?
CHANGING WORKFORCE
Page 8
Intelligent Access Wherever it is Needed
THE BORDERLESS NETWORK
R = RoO x SLE
An Authorized Person, An Approved Device, In a Secure Way
Anyone, Any Device, Anywhere, Anytime, As Needed
Borderless Networks
Page 9
NAC and Security Acronyms
NAC
- Network Access Control
ISE (Cisco NAC)
- Identity Services Engine
DLP
- Data Loss Prevention
Glossary
Page 10
NAC and Security Acronyms
PKI
- Public Key Infrastructure
CA
- Certificate Authority
CRL
- Certificate Revocation List
Glossary
Page 11
NAC and Security Acronyms
ACL
- Access Control List
dACL
- Dynamic Access Control List
CoA
- Change of Authorization
Glossary
Page 12
NAC and Security Acronyms
MDM
- Mobile Device Management
802.1x
- IEEE standard for port-based network access control; the NAC authentication protocol
MAB
- MAC Authentication Bypass
Glossary
Page 13
STOP AND THINK
What are we trying to do with NAC?
A: Secure the Network
B: Prevent Malware
C: Maintain Regulatory Compliance
D: Secure Sensitive Data
E: All the above
Page 14
Top Data Threats
Policy, Technology, Procedure
1. Malicious insiders
2. Well-meaning insiders
3. Malicious intarweb hax0rz
4. Lost or stolen media
5. Dissemination of data
6. Mobile devices
7. BAs, suppliers, vendors, partners
8. Cloud/SaaS providers
9. Virtual offices
10. Wireless data transfers
11. Advanced Persistent Threats
Source: http://webstore.ansi.org/phi
Page 15
The Big Picture
• Outgoing Email Poses the Biggest Threat to Sensitive Data
• Monitor Usage of Sensitive Data
• Enforce Password
• Enforce Data Encryption
• Jailbreak Detection
• Should Unknown Devices Access Sensitive Data?
• Fingerprint approved devices
• Control Access to the Private Network
• Manage Guest Access
Diagram quadrants: NAC, PKI, MDM, DLP
Page 16
Traditional Approach to BYOD
Guest Network
Wireless
Conference Room ports
Problematic for Wired ports
SSL VPN (Application portal)
Still a viable solution
Virtual Desktop
Citrix, Remote Desktop, VDI, etc.
Still a viable solution
Page 17
Mobile Device Management
Lifecycle: Provision, Secure, Apps & Content, Monitor, Support, Retire
Page 18
Mobile Device Management (Provision, Secure, Apps & Content)
• User Groups & Roles
• Remove/Hide Unwanted Apps
• WiFi & VPN Settings
• Push Apps & Content
• Email, Contacts, & Calendars
• Enforce Password
• Enforce Data Encryption
• OS Updates
• Jailbreak Detection
• Private App Store
• Apple VPP Distribution
• Web Apps & Clips
• Homegrown
• Content Locker
Page 19
Mobile Device Management (Monitor, Support, Retire)
• Device Check-Ins
• Asset Tracking & Reporting
• Geo-location
• Remote Lock
• Remote Password Reset
• Self Service
• Jailbreak Detection
• Lost/Stolen Device
• Selective Wipe
• Full Wipe
Page 20
How Do I Control Who and What Access the Network?
Page 21
EVOLVING POLICIES IN A MOBILE WORLD
Diagram: Internet; Wireless LAN Controller; Access Point; Policy Services; Switch; Campus Network; Internal Resources
“Printers should only ever communicate internally.”
“Employees should be able to access everything but have no access on personal devices.”
“Guest and partners are only allowed bandwidth constrained Internet access via wireless.”
Page 22
TYPICAL POLICY OPTIONS
Permit Access: low maintenance, high risk
Deny Access: low maintenance, low risk
Tailor Access by Scenario (Centralized Policy Engine): low maintenance, low risk
- Simplified, Scalable Access Policy
- Converged Monitoring and Troubleshooting
- Unified Access Management
Employee: “I have an iPad. Can I get on the network?”
Page 23
Devices in the New Enterprise: A Spectrum of Possibilities & New Trust Equation
Spectrum: User Owned, Unmanaged → User Owned, Enterprise Managed → Enterprise Owned, Enterprise Managed
Trust the Device, Trust the User, Trust the App, Trust the File System
Page 24
Deploying NAC - Step 1
Develop a Written Policy
Approved Devices List
OS, Disk Encryption, etc.
Access Methods Allowed
Guest Policy
BYOD/MDM Policy
Page 25
What is a Certificate?
Credential that binds your name to an identity
You must be vetted by a trusted authority to get it
It provides you access or privileges to communities
People who did not give it to you are willing to trust its contents
Page 26
How Do You Manage Certificates?
One option is to self-manage with readily available tools: Certificate Software & Hardware, Microsoft, MDMs
Not easy to use? Not always multi-platform? Difficult to scale?
Page 27
Symantec Managed PKI Service
The Leading Cloud PKI Platform…And It Just Got Better
Cost-Effective: Deploy PKI applications quickly & easily with no up-front capital investment
Simple: Deliver consistent, automated, and easy-to-use operation across platforms
Flexible: Deliver and manage multiple PKI applications from a unified platform
Scalable: Build on the proven reliability of the longest-running commercial PKI platform
Page 28
NAC Then and Now
Then
- Pass/Fail (NOT flexible)
- Few devices supported 802.1x
- Inline devices created bottlenecks
- Expensive
- Overall – painful and not practical
Now
- Very Flexible
- Most devices support 802.1x
- No more inline devices
- Affordable
- Overall – Works as advertised
Page 29
Evaluating NAC solutions
What Authentication Methods supported
AAA (802.1x)
MAC Authentication (MAB)
Guest management
How are Policies Enforced
Inline Appliance
Endpoint Agent
Network Layer (dynamic VLAN or ACL)
Page 30
Evaluating NAC solutions
Vendor Alignment – HUGE factor
Cisco network – Cisco ISE
Aruba Wireless – Aruba ClearPass
Juniper Network – Juniper UAC
MDM integration
Don’t underestimate the value of MDM
Wired and Wireless Capabilities
There may be discrepancies
Don’t assume same features for both
Page 31
Deploying NAC – Step 2: Walk before you Run
What happens IF… you lock down the Network on Day 1?
Test and Pilot use cases
Deploy in Monitor Mode
Evaluate Authentication Success and failures
Evaluate what policies would be assigned, prior to enforcement
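The monitor-mode review described in Step 2, as an added example that is not from the slides or from Cisco ISE: the log format, the MAC addresses and the "next step" guidance are all constructed for this illustration, and a real deployment would read the RADIUS server's own authentication report instead. The script answers the two questions the slide asks before enforcement is switched on: how each authentication method fares, and which endpoints would lose access on day one because their most recent attempt failed.

```python
"""Monitor-mode review of authentication results before enforcement (added example).

Illustrative code for this page, not a Cisco ISE report. The log format below is
constructed for the example and is not any vendor's RADIUS log format.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample: one line per authentication attempt seen while in monitor mode.
SAMPLE_LOG = """\
2013-08-27T09:00:01 method=EAP-TLS mac=00:1b:63:aa:01:01 user=alice result=PASS
2013-08-27T09:00:05 method=PEAP mac=00:1b:63:aa:01:02 user=bob result=FAIL reason=bad-password
2013-08-27T09:00:09 method=MAB mac=00:04:f2:00:11:22 user=- result=FAIL reason=unknown-mac
2013-08-27T09:00:12 method=MAB mac=00:04:f2:00:11:22 user=- result=FAIL reason=unknown-mac
2013-08-27T09:00:20 method=EAP-TLS mac=00:1b:63:aa:01:03 user=carol result=FAIL reason=cert-expired
2013-08-27T09:00:31 method=PEAP mac=00:1b:63:aa:01:02 user=bob result=PASS
2013-08-27T09:00:40 method=MAB mac=00:e0:4c:00:55:66 user=- result=PASS
2013-08-27T09:01:02 method=WEBAUTH mac=a4:5e:60:00:77:88 user=guest42 result=PASS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) method=(?P<method>\S+) mac=(?P<mac>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>PASS|FAIL)(?: reason=(?P<reason>\S+))?$"
)

# What to do about each failure class before turning enforcement on (constructed guidance).
NEXT_STEP = {
    "unknown-mac": "profile the endpoint and add it to the endpoint database (MAB) or onboard it",
    "cert-expired": "renew the device certificate and check CRL publication",
    "bad-password": "transient; confirm the user succeeded on a later attempt",
}


def parse(log: str) -> List[Dict[str, str]]:
    """Turn log text into one dict per record; lines that do not match are ignored."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def summarize(log: str) -> dict:
    """How authentications fare per method, and which endpoints enforcement would cut off."""
    records = parse(log)
    per_method: Dict[str, Counter] = defaultdict(Counter)
    reasons: Counter = Counter()
    latest: Dict[str, Dict[str, str]] = {}      # last outcome per MAC, in log order
    for r in records:
        per_method[r["method"]][r["result"]] += 1
        if r["result"] == "FAIL":
            reasons[r["reason"] or "unspecified"] += 1
        latest[r["mac"]] = r
    # An endpoint whose most recent attempt failed would lose access once enforcement starts.
    would_be_denied = sorted(mac for mac, r in latest.items() if r["result"] == "FAIL")
    total = len(records)
    fails = sum(c["FAIL"] for c in per_method.values())
    return {
        "total": total,
        "failure_rate": fails / total if total else 0.0,
        "per_method": {m: dict(c) for m, c in per_method.items()},
        "failure_reasons": dict(reasons),
        "would_be_denied": would_be_denied,
        "actions": {mac: NEXT_STEP.get(latest[mac]["reason"] or "", "investigate")
                    for mac in would_be_denied},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Note that bob's MAC does not appear in the denied list even though one attempt failed: only the latest outcome per endpoint matters, which keeps transient password mistakes out of the pre-enforcement worklist while repeated MAB failures for an unregistered MAC stay on it.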
Page 32
Identity Services Engine (ISE)
• Centralized Policy
• AAA Services
• Device Profiling
• Posture Assessment
• Guest Access Services
• Distributed Enforcement
• Centralized Monitoring and Reporting
Diagram: ACS, NAC Profiler, NAC Guest, NAC Manager, NAC Server → Identity Services Engine
Page 33
Authentication
IEEE 802.1X
- Standard for link layer authentication and access control
- Components: supplicant (client), authenticator (switch), and AAA server
- Uses Extensible Authentication Protocol (EAP) to transport authentication info.
MAC Auth Bypass (MAB)
- Authenticate using the client’s MAC address
- For devices that don’t support 802.1X (no supplicant), such as printers.
Web Authentication
- For clients that don’t support 802.1X (no supplicant), but are capable of interactive HTTP authentication
Diagram: Cisco TrustSec; IEEE 802.1X, MAC Authentication, Web Authentication
Page 34
THE IDENTITY BASED ACCESS ARCHITECTURE
Identity Context: Location, Employee, Contractor, Guest, Server, Posture, Access Type, Device Type
Authentication: 802.1X, Web Authentication, MAC Authentication Bypass (MAB), Profiling
Authorization and Enforcement: VLAN, DACL, Security Group Access, Identity Firewall → Broad Access, Limited Access, Guest/Internet
Data Integrity and Confidentiality: MACSec (802.1AE)
Policy and Reporting
Page 35
DIFFERENTIATED DEVICE PROFILES
Users on the same wireless network can be associated to different wired networks after authentication
Employee using a corporate laptop with their AD user id: assigned to “Full network access”
Employee using personal iPad/iPhone with their AD user id: assigned to “Internet only”
Diagram: same SSID, CAPWAP to the controller, 802.1Q trunk carrying VLAN 30 (Corporate Resources) and VLAN 40 (Internet), ISE as the policy server
1. EAP Authentication
2. Accept with VLAN 30
3. EAP Authentication
4. Accept with VLAN 40
Page 36
Deploying NAC: Authentication
Flexibility: we can stack multiple authentication methods to deal with anything that comes along
EASY: Wireless Auth, Guest Auth
More Complex: Wired Auth, Onboarding
Page 37
Deploying NAC: Authentication
One policy fits all?
Don’t lump multiple use cases into a single policy
Break out use cases to individual policies
Tailor default behavior
Conference Rooms – default to guest
Cubicle ports – default to private network
Device Authentication vs User Authentication
Device Identity takes precedence for security policy
Device Certificates make it easy (MDM, MS-CA, etc.)
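The one-policy-per-use-case advice above, together with the differentiated device profiles from the earlier slide (same user, corporate laptop on VLAN 30 with full access, personal iPad on VLAN 40 with Internet only), worked through as an added example. This is not code from the slides or from Cisco ISE: the rule names, group names, VLAN numbers (30 and 40 follow the diagram; 50 and 90 are invented), dACL names and the `dACL` key are all assumptions, and only the three `Tunnel-*` attributes are real RADIUS attributes (RFC 3580). The rules are ordered so that device identity is tested before user identity, which is what "device identity takes precedence" means in practice; the per-port defaults apply only to a session that authenticated but matched no specific rule.

```python
"""NAC authorization policy worked through as ordered rules (added example).

Illustrative code written for this page, not Cisco ISE logic or any vendor's
API. Rule names, VLAN ids, group names and dACL names are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """Identity context the policy engine sees for one session."""
    authenticated: bool          # did the 802.1X / MAB / web-auth credential check succeed?
    auth_method: str             # "EAP-TLS", "PEAP", "MAB" or "WEBAUTH"
    user_group: Optional[str]    # AD group of the user, None when only the device authenticated
    device_profile: str          # profiler verdict, e.g. "Corp-Laptop", "iPad", "Printer"
    device_managed: bool         # device proved its identity with an enterprise-issued certificate
    port_role: str               # "cubicle", "conference-room" or "wireless"


@dataclass(frozen=True)
class Authorization:
    name: str
    vlan: int
    dacl: str                    # constructed dACL name; vendors carry this in their own attribute

    def radius_attributes(self) -> Dict[str, object]:
        """RFC 3580 tunnel attributes that carry a VLAN assignment in an Access-Accept."""
        return {
            "Tunnel-Type": 13,                    # VLAN
            "Tunnel-Medium-Type": 6,              # IEEE-802
            "Tunnel-Private-Group-ID": str(self.vlan),
            "dACL": self.dacl,                    # placeholder key for the downloadable ACL
        }


FULL_ACCESS = Authorization("Full network access", 30, "PERMIT_ALL")
INTERNET_ONLY = Authorization("Internet only", 40, "PERMIT_INTERNET_DENY_INTERNAL")
PRINTER_ACCESS = Authorization("Printers, internal only", 50, "PERMIT_INTERNAL_DENY_INTERNET")
GUEST_ACCESS = Authorization("Guest, rate-limited Internet", 90, "PERMIT_INTERNET_RATE_LIMITED")

Rule = Tuple[str, Callable[[AccessRequest], bool], Authorization]

# One rule per use case, checked top to bottom; the first match wins.
# Device identity is tested before user identity, so an enterprise certificate
# decides the outcome even when the same user also logs in from a personal iPad.
RULES: List[Rule] = [
    ("managed device with certificate",
     lambda r: r.auth_method == "EAP-TLS" and r.device_managed, FULL_ACCESS),
    ("employee on unmanaged device",
     lambda r: r.user_group == "Employees" and not r.device_managed
     and r.auth_method in ("PEAP", "EAP-TLS"), INTERNET_ONLY),
    ("printer via MAB",
     lambda r: r.auth_method == "MAB" and r.device_profile == "Printer", PRINTER_ACCESS),
    ("guest or partner via web authentication",
     lambda r: r.auth_method == "WEBAUTH" and r.user_group in ("Guests", "Partners"), GUEST_ACCESS),
]

# Per-port defaults from the slide, applied only to an authenticated session
# that matched no specific rule: conference rooms fall back to guest access,
# cubicle ports to the private network. Wireless has no default: reject.
PORT_DEFAULTS: Dict[str, Authorization] = {
    "conference-room": GUEST_ACCESS,
    "cubicle": FULL_ACCESS,
}


def authorize(req: AccessRequest) -> Tuple[str, Optional[Authorization]]:
    """Return (matched rule, authorization); authorization None means Access-Reject."""
    if not req.authenticated:
        return ("authentication failed", None)
    for name, matches, authz in RULES:
        if matches(req):
            return (name, authz)
    default = PORT_DEFAULTS.get(req.port_role)
    if default is None:
        return ("no matching policy", None)
    return ("port default for " + req.port_role, default)


# Constructed sample sessions for the use cases on the slides.
CORP_LAPTOP = AccessRequest(True, "EAP-TLS", "Employees", "Corp-Laptop", True, "wireless")
PERSONAL_IPAD = AccessRequest(True, "PEAP", "Employees", "iPad", False, "wireless")
PRINTER = AccessRequest(True, "MAB", None, "Printer", False, "cubicle")
CONTRACTOR_CONF_ROOM = AccessRequest(True, "WEBAUTH", "Contractors", "Unknown", False, "conference-room")
FAILED_LOGIN = AccessRequest(False, "PEAP", "Employees", "iPad", False, "wireless")

if __name__ == "__main__":
    for req in (CORP_LAPTOP, PERSONAL_IPAD, PRINTER, CONTRACTOR_CONF_ROOM, FAILED_LOGIN):
        rule, authz = authorize(req)
        print(req.device_profile, "->", rule, authz.radius_attributes() if authz else "Access-Reject")
```

Because each use case is its own rule, adding a new device class means adding one line rather than widening an existing condition, which is the maintainability point behind "don't lump multiple use cases into a single policy".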
Page 38
Guest Access
Diagram: Guest → URL-REDIRECT → ISE Guest Server; Sponsor → Sponsor Portal
Sponsor Portal
• Customizable portal
• Create multiple accounts
• Sponsor sets group/ID store
• Time profiles
• User account notification
• SMS
Guest Portal
• Change password
• Change password at first login
• Download posture client
• Self service
• Device registration
Page 39
Deploying NAC: Web Authentication
Can reference multiple User Databases: AD, Local (guest DB)
Web Auth is great for sporadic guest access
Web Auth is not great for daily access; it gets annoying fast
Look at device registration for daily users, with MAB in the background
Page 40
Device Profiling
Cisco ISE Profiler
• Discovers and Profiles (classifies) each endpoint using the network
• Monitors for changing endpoint identity attributes
• Maintains a database of all endpoints on the network
• Profiling is based on data from: SNMP, DNS, RADIUS accounting, NMAP, Netflow, CDP, DHCP, Web Auth, IOS Sensor
Diagram: iPad matched against a custom template
Page 41
Deploying NAC: Profiling
Great for onboarding New/Unknown devices: IP Phones, Printers, End User devices
Reporting on the Install base
Prevent MAC Spoofing
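How a profiler turns the data sources listed on the previous slide into a classification, and how "monitors for changing endpoint identity attributes" becomes MAC-spoofing detection, as an added example that is not the Cisco ISE profiler and not code from the slides. The profile names, the condition weights, the minimum certainty and the observed attribute values are all constructed; the structure (each matching condition adds certainty, the best profile wins only above a threshold, and a later observation that re-classifies a known MAC raises an alert) is the general idea, and the alert text names the Change of Authorization step the glossary lists as the way to re-evaluate a live session.

```python
"""Endpoint profiling with certainty scores and change detection (added example).

Illustrative code for this page, not the Cisco ISE profiler. Profile names,
condition weights and the observed attribute values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Observation:
    """Attributes gathered for one MAC from the collection sources the slide lists."""
    mac: str
    oui_vendor: Optional[str] = None       # vendor looked up from the MAC's OUI
    dhcp_class_id: Optional[str] = None    # DHCP option 60 seen by the DHCP probe
    cdp_platform: Optional[str] = None     # CDP neighbour platform string from the switch
    user_agent: Optional[str] = None       # HTTP User-Agent captured at web authentication


# Profile policy: (attribute, substring to look for, certainty added on a match).
# The OUI alone is deliberately worth little: it is trivially cloned, so a
# profile should never be reached from the MAC vendor by itself.
PROFILES: Dict[str, List[Tuple[str, str, int]]] = {
    "Cisco-IP-Phone": [("oui_vendor", "Cisco", 10), ("cdp_platform", "IP Phone", 70)],
    "Printer": [("oui_vendor", "Xerox", 10), ("dhcp_class_id", "Xerox", 20), ("user_agent", "Xerox", 30)],
    "Apple-iPad": [("oui_vendor", "Apple", 10), ("user_agent", "iPad", 50)],
    "Windows-Workstation": [("dhcp_class_id", "MSFT 5.0", 30), ("user_agent", "Windows NT", 30)],
}
MIN_CERTAINTY = 30   # below this the endpoint stays "Unknown" rather than being guessed


def score(obs: Observation, conditions: List[Tuple[str, str, int]]) -> int:
    """Sum the certainty of every condition whose substring appears in the observed attribute."""
    total = 0
    for attr, needle, weight in conditions:
        value = getattr(obs, attr)
        if value and needle.lower() in value.lower():
            total += weight
    return total


def classify(obs: Observation) -> Tuple[str, int]:
    """Best-scoring profile and its certainty; "Unknown" when no profile reaches the minimum."""
    scores = {name: score(obs, conds) for name, conds in PROFILES.items()}
    name, best = max(scores.items(), key=lambda kv: kv[1])
    return (name, best) if best >= MIN_CERTAINTY else ("Unknown", best)


class EndpointDB:
    """Database of endpoints plus alerts when an endpoint's identity attributes change."""

    def __init__(self) -> None:
        self.profiles: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, obs: Observation) -> str:
        profile, certainty = classify(obs)
        previous = self.profiles.get(obs.mac)
        if previous not in (None, "Unknown") and profile not in ("Unknown", previous):
            # Same MAC, different fingerprint: treat as possible MAC spoofing. The usual
            # response is a Change of Authorization (CoA) so the session is re-evaluated.
            self.alerts.append(
                f"{obs.mac}: profile changed {previous} -> {profile} (certainty {certainty}); "
                "possible MAC spoofing, issue CoA and re-authorize")
        if profile != "Unknown" or previous is None:
            self.profiles[obs.mac] = profile
        return profile


# Constructed observations: a printer, then the same MAC reappearing with a Windows fingerprint.
PRINTER_SEEN = Observation("00:00:aa:00:00:01", oui_vendor="Xerox", dhcp_class_id="Xerox WorkCentre 7845")
SAME_MAC_LATER = Observation("00:00:aa:00:00:01", oui_vendor="Xerox", dhcp_class_id="MSFT 5.0",
                             user_agent="Mozilla/5.0 (Windows NT 6.1)")
IPAD_OUI_ONLY = Observation("00:00:aa:00:00:02", oui_vendor="Apple")
IPAD_WEBAUTH = Observation("00:00:aa:00:00:02", oui_vendor="Apple", user_agent="Mozilla/5.0 (iPad; CPU OS 6_1)")
PHONE = Observation("00:00:aa:00:00:03", oui_vendor="Cisco", cdp_platform="Cisco IP Phone 7945")

if __name__ == "__main__":
    db = EndpointDB()
    for obs in (PRINTER_SEEN, IPAD_OUI_ONLY, IPAD_WEBAUTH, PHONE, SAME_MAC_LATER):
        print(obs.mac, "->", db.observe(obs))
    print("\n".join(db.alerts))
```

The printer's MAC keeps its Xerox OUI when it reappears, so a vendor lookup alone would still say "printer"; it is the DHCP and HTTP fingerprints from the other probes that expose the change, which is why the slide lists so many collection sources.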
Page 42
Posture Assessment
ISE Endpoint Posture Assessment
• The Cisco NAC Agent is used for endpoint checks
  • Thick client on managed machines
  • Thin client via ActiveX or Java
• Access is controlled via ACLs or VLAN assignments delivered by RADIUS
  • Quarantine
  • Role-based access
  • Periodic reassessment
• Available checks include:
  • Antivirus condition
  • Antispyware condition
  • File condition
  • Registry condition
  • Application condition
  • Service condition
• Automated and manual remediation
Page 43
Deploying NAC: Posture Assessment
Posture Assessment should be backed up by a written policy that you intend to enforce
Don’t posture assess just for fun, it’s not!
Deploying NAC Agents adds difficulty
Web Agent: great for onboarding and bringing a device under management, not great for daily access
Consider your other solutions in place for managing endpoints
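What "backed up by a written policy that you intend to enforce" looks like in code, as an added example that is not the Cisco NAC Agent or the ISE posture engine: each requirement from the written policy becomes one check over the agent's report, mandatory failures lead to quarantine with a remediation list, optional ones only warn, and the result carries the reassessment interval. The requirement set, the report fields, the `mdm-agent` service name, the asset-tag path and the 7-day definitions threshold are constructed stand-ins for what a real policy would specify; the antivirus, registry, service and file checks mirror the condition types the previous slide lists.

```python
"""Posture assessment mapped to a written policy (added example).

Illustrative code for this page, not the Cisco NAC Agent or ISE posture engine.
The requirement set, the report fields and the 7-day definitions threshold are
constructed stand-ins for what a written policy would specify.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, List, Set


@dataclass
class PostureReport:
    """What the agent reports back for one endpoint (constructed fields)."""
    av_installed: bool
    av_running: bool
    av_definitions_date: date
    disk_encryption_enabled: bool        # registry condition, e.g. a disk-encryption status value
    services_running: Set[str] = field(default_factory=set)   # service condition
    files_present: Set[str] = field(default_factory=set)      # file condition


@dataclass
class Requirement:
    name: str
    check: Callable[[PostureReport, date], bool]
    remediation: str
    mandatory: bool = True   # mandatory failures quarantine; optional ones only warn


MAX_DEFINITION_AGE_DAYS = 7   # constructed policy value

REQUIREMENTS: List[Requirement] = [
    Requirement("antivirus installed and running",
                lambda r, _: r.av_installed and r.av_running,
                "install or start the approved antivirus product"),
    Requirement("antivirus definitions current",
                lambda r, today: (today - r.av_definitions_date).days <= MAX_DEFINITION_AGE_DAYS,
                "update antivirus definitions"),
    Requirement("disk encryption enabled",
                lambda r, _: r.disk_encryption_enabled,
                "enable full-disk encryption"),
    Requirement("management agent service running",
                lambda r, _: "mdm-agent" in r.services_running,
                "start the device management agent"),
    Requirement("asset tag file present",
                lambda r, _: "/etc/corp/asset-tag" in r.files_present,
                "register the device in asset tracking", mandatory=False),
]


def assess(report: PostureReport, today: date) -> dict:
    """Return the posture verdict and the kind of authorization RADIUS should hand out."""
    failed = [req for req in REQUIREMENTS if not req.check(report, today)]
    mandatory = [req for req in failed if req.mandatory]
    optional = [req for req in failed if not req.mandatory]
    if mandatory:
        status, access = "NonCompliant", "QUARANTINE"    # remediation-only VLAN/dACL
    else:
        status, access = "Compliant", "ROLE_BASED"       # normal role-based authorization
    return {
        "status": status,
        "access": access,
        "remediation": [req.remediation for req in mandatory],
        "warnings": [req.name for req in optional],
        # Periodic reassessment: compliant hosts are re-checked on an interval (constructed
        # value); a quarantined host is re-checked as soon as remediation reports done.
        "reassess_after_hours": 4 if status == "Compliant" else 0,
    }


# Constructed sample reports against a constructed assessment date.
TODAY = date(2013, 8, 27)
SAMPLE_COMPLIANT = PostureReport(True, True, date(2013, 8, 25), True, {"mdm-agent"}, {"/etc/corp/asset-tag"})
SAMPLE_STALE_AV = PostureReport(True, True, date(2013, 8, 1), True, {"mdm-agent"}, {"/etc/corp/asset-tag"})
SAMPLE_UNTAGGED = PostureReport(True, True, date(2013, 8, 25), True, {"mdm-agent"}, set())

if __name__ == "__main__":
    for name, rep in (("compliant", SAMPLE_COMPLIANT), ("stale AV", SAMPLE_STALE_AV), ("untagged", SAMPLE_UNTAGGED)):
        print(name, "->", assess(rep, TODAY))
```

Keeping the mandatory/optional split explicit is what stops posture from being assessed "just for fun": every check in the list has a named consequence that the written policy can be held to.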
Page 44
ISE Topology
Typical Enterprise Deployment (10,000 endpoints or more)
Typical SMB Deployment (Under 5000 endpoints)
Page 45
Deploying NAC: Architecture
Insist on Redundancy
Centralized Deployments: Cheaper; More Practical; Need WAN redundancy or a Fail Open policy
Scalability: Distributable services/node types; Load distribution is fairly easy
Page 46
Deploying NAC: Avoid the Pitfalls
Engage an Architect for design before committing
Run a POC if you or your provider have uncertainty, or if your requirements are complex
Leverage an experienced partner, or be prepared for a slow, painful deployment
- To avoid mistakes made by others
- Ensure a proven real-world deployment
Page 47
Deploying NAC: Avoid the Pitfalls
Test the Use cases, make sure they make sense
Looks good on paper; might not look good in practice
Page 48
Questions