SOSPG2ilta.personifycloud.com/webfiles/productfiles/1501877/... · 2013. 8. 27. · Implementing...


SOSPG2 Implementing Network Access Controls

Nate Isaacson

Security Solution Architect

Nate.Isaacson@cdw.com

Agenda

The BYOD Challenges

NAC terms

The Big Picture

NAC Solutions and Deployment

What about outside the Enterprise?

The “New Normal”

MOBILE GROWTH RATE

The Evolving Workplace Landscape

Your users have new expectations, driven by virtualization, a next-generation workforce, and device proliferation.

Work Is No Longer a Place You Go to

People are willing to take a pay cut as long as they are able to work from home.

70% of end users admit to breaking IT policy to make their lives easier.

Need anywhere, anytime, any-device access.

The Burden Falls on IT

TOP OF MIND CONCERNS

• Am I hindering my workforce from being competitive?

• How do I retain top talent?

• How do I ensure compliance with SOX, HIPAA, etc?

• Can I handle partners, consultants, and guests appropriately?

CHANGING WORKFORCE

Intelligent Access Wherever it is Needed

THE BORDERLESS NETWORK

The demand: Anyone, Any Device, Anywhere, Anytime, As Needed.

The control objective: An Authorized Person, on An Approved Device, In a Secure Way.

NAC and Security Acronyms (Glossary)

NAC - Network Access Control

ISE (Cisco NAC) - Identity Services Engine

DLP - Data Loss Prevention

PKI - Public Key Infrastructure

CA - Certificate Authority

CRL - Certificate Revocation List

ACL - Access Control List

dACL - Dynamic Access Control List (pushed to the switch or controller per session by the AAA server)

CoA - Change of Authorization (RADIUS message by which the AAA server changes a session's access after it was granted, for example when posture or profile changes)

MDM - Mobile Device Management

802.1X - IEEE port-based network access control; the NAC authentication protocol, which carries EAP between the endpoint and the AAA server

MAB - MAC Authentication Bypass

STOP AND THINK

What are we trying to do with NAC?

A: Secure the Network

B: Prevent Malware

C: Maintain Regulatory Compliance

D: Secure Sensitive Data

E: All the above

Top Data Threats

Policy, Technology, Procedure

1. Malicious insiders

2. Well-meaning insiders

3. Malicious intarweb hax0rz

4. Lost or stolen media

5. Dissemination of data

6. Mobile devices

7. BAs (business associates), suppliers, vendors, partners

8. Cloud/SaaS providers

9. Virtual offices

10. Wireless data transfers

11. Advanced Persistent Threats

Source: http://webstore.ansi.org/phi

The Big Picture

DLP

• Outgoing Email Poses the Biggest Threat to Sensitive Data

• Monitor Usage of Sensitive Data

MDM

• Enforce Password

• Enforce Data Encryption

• Jailbreak Detection

PKI

• Should Unknown Devices Access Sensitive Data?

• Fingerprint approved devices

NAC

• Control Access to the Private Network

• Manage Guest Access

Traditional Approach to BYOD

Guest Network (wireless, conference room ports) - problematic for wired ports

SSL VPN (application portal) - still a viable solution

Virtual Desktop (Citrix, Remote Desktop, VDI, etc.) - still a viable solution

Mobile Device Management

Lifecycle: Provision, Secure, Apps & Content, Monitor, Support, Retire

Provision

• User Groups & Roles

• Remove/Hide Unwanted Apps

• WiFi & VPN Settings

• Push Apps & Content

• Email, Contacts, & Calendars

Secure

• Enforce Password

• Enforce Data Encryption

• OS Updates

• Jailbreak Detection

Apps & Content

• Private App Store

• Apple VPP Distribution

• Web Apps & Clips

• Homegrown

• Content Locker

Monitor

• Device Check-Ins

• Asset Tracking & Reporting

• Geo-location

• Jailbreak Detection

Support

• Remote Lock

• Remote Password Reset

• Self Service

Retire

• Lost/Stolen Device

• Selective Wipe

• Full Wipe

How Do I Control Who and What Access the Network?

Policy statements the network must enforce:

“Printers should only ever communicate internally.”

“Employees should be able to access everything but have no access on personal devices.”

“Guest and partners are only allowed bandwidth constrained Internet access via wireless.”

Enforcement points: Wireless LAN Controller, Access Point, Switch, Campus Network, Policy Services. Resources: Internet, Internal Resources.

EVOLVING POLICIES IN A MOBILE WORLD

TYPICAL POLICY OPTIONS

Permit Access - low maintenance, high risk

Deny Access - low maintenance, low risk

Centralized Policy Engine - low maintenance, low risk: simplified, scalable access policy; converged monitoring and troubleshooting; unified access management

Employee: “I have an iPad. Can I get on the network?” The centralized policy engine answers by tailoring access to the scenario.

Devices in the New Enterprise: A Spectrum of Possibilities & New Trust Equation

Device spectrum: User Owned, Unmanaged; User Owned, Enterprise Managed; Enterprise Owned, Enterprise Managed

Trust equation: Trust the Device, Trust the User, Trust the App, Trust the File System

Deploying NAC - Step 1

Develop a Written Policy

Approved Devices List

OS, Disk Encryption, etc.

Access Methods Allowed

Guest Policy

BYOD/MDM Policy

What is a Certificate?

A credential that binds a name (an identity) to a public key, signed by an issuer.

You must be vetted by a trusted authority (the CA) to get it.

It provides you access or privileges to communities that trust that authority.

People who did not give it to you are willing to trust its contents, because they can verify the issuer's signature and check that it has not expired or been revoked (CRL).
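As an added example (not from the original presentation and not any vendor's product code), the following Go program builds a tiny enterprise CA, issues a device certificate bound to a device name, and verifies it the way an AAA server would before granting 802.1X access. The CA name, device id and validity periods are constructed for the example; a certificate with the same name issued by a different CA is rejected, which is the property that lets parties who did not issue the certificate still trust it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is the trusted authority that vets devices and signs their certificates.
// Names and structure are this example's own, not any vendor's API.
type PKI struct {
	CACert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	serial int64
}

// NewPKI creates a self-signed root CA. In production the key lives in an HSM
// or a managed PKI service rather than in process memory.
func NewPKI(name string) (*PKI, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &PKI{CACert: cert, caKey: key, serial: 1}, nil
}

// IssueDeviceCert binds the device's public key to its identity (the CN) under
// the CA's signature. ExtKeyUsage ClientAuth is what an EAP-TLS supplicant needs.
func (p *PKI) IssueDeviceCert(deviceID string, pub *ecdsa.PublicKey, validity time.Duration) (*x509.Certificate, error) {
	p.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(p.serial),
		Subject:      pkix.Name{CommonName: deviceID, OrganizationalUnit: []string{"Managed Devices"}},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, p.CACert, pub, p.caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyDeviceCert is the AAA server's side: a certificate is trusted only if it
// chains to the enterprise CA, is within its validity period and is permitted
// for client authentication. A cert from any other CA fails here.
func VerifyDeviceCert(cert, trustedCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	corp, err := NewPKI("Example Corp Device CA") // constructed CA name
	if err != nil {
		panic(err)
	}
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert, _ := corp.IssueDeviceCert("laptop-0042", &devKey.PublicKey, 365*24*time.Hour)
	fmt.Println("corporate device cert verifies:", VerifyDeviceCert(cert, corp.CACert) == nil)

	rogue, _ := NewPKI("Some Other CA")
	rogueCert, _ := rogue.IssueDeviceCert("laptop-0042", &devKey.PublicKey, 365*24*time.Hour)
	fmt.Println("same name from untrusted CA verifies:", VerifyDeviceCert(rogueCert, corp.CACert) == nil)
}
```

Revocation is deliberately left out of this sketch: Go's Verify does not consult a CRL, so a real AAA server must additionally check the serial against the CA's CRL or an OCSP responder before the certificate is accepted.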

How Do You Manage Certificates?

One option is to self-manage with readily available tools: certificate software & hardware, Microsoft CA, MDMs.

Drawbacks: not easy to use; not always multi-platform; difficult to scale.

Symantec Managed PKI Service

The Leading Cloud PKI Platform... And It Just Got Better

Cost-Effective - deploy PKI applications quickly & easily with no up-front capital investment

Simple - deliver consistent, automated, and easy-to-use operation across platforms

Flexible - deliver and manage multiple PKI applications from a unified platform

Scalable - build on the proven reliability of the longest-running commercial PKI platform

NAC Then and Now

Then: pass/fail (not flexible); few devices supported 802.1X; inline devices created bottlenecks; expensive; overall painful and not practical.

Now: very flexible; most devices support 802.1X; no more inline devices; affordable; overall works as advertised.

Evaluating NAC solutions

What Authentication Methods supported

AAA (802.1x)

MAC Authentication (MAB)

Guest management

How are Policies Enforced

Inline Appliance

Endpoint Agent

Network Layer (dynamic VLAN or ACL)

Evaluating NAC solutions

Vendor Alignment – HUGE factor

Cisco network – Cisco ISE

Aruba Wireless – Aruba ClearPass

Juniper Network – Juniper UAC

MDM integration

Don’t underestimate the value of MDM

Wired and Wireless Capabilities

There may be discrepancies

Don’t assume same features for both

Deploying NAC – Step 2

What happens IF you lock down the Network on Day 1?

Test and pilot use cases.

Deploy in Monitor Mode: evaluate authentication successes and failures, and evaluate what policies would be assigned, prior to enforcement.

Walk before you run.

Identity Services Engine (ISE)

• Centralized Policy

• AAA Services

• Device Profiling

• Posture Assessment

• Guest Access Services

• Distributed Enforcement

• Centralized Monitoring and Reporting

ISE consolidates the earlier products: ACS, NAC Profiler, NAC Guest, NAC Manager, NAC Server.

Authentication

IEEE 802.1X

Standard for link layer authentication and access control.

Components: supplicant (client), authenticator (switch or wireless controller), and AAA server.

Uses Extensible Authentication Protocol (EAP) to transport authentication info; the authenticator relays EAP to the AAA server over RADIUS.

MAC Auth Bypass (MAB)

Authenticate using the client’s MAC address, for devices that don’t support 802.1X (no supplicant), such as printers. A MAC address is trivially spoofed, so MAB endpoints should receive narrowly scoped access.

Web Authentication

For clients that don’t support 802.1X (no supplicant) but are capable of interactive HTTP authentication.

Cisco TrustSec supports all three: IEEE 802.1X, MAC Authentication, Web Authentication.

THE IDENTITY BASED ACCESS ARCHITECTURE

Identity Context: Location, Employee, Contractor, Guest, Server, Access Type, Device Type, Posture

Authentication: 802.1X, Web Authentication, MAC Authentication Bypass (MAB), Profiling

Authorization and Enforcement: VLAN, dACL, Security Group Access, Identity Firewall; outcomes are Broad Access, Limited Access, or Guest/Internet

Data Integrity and Confidentiality: MACsec (802.1AE)

Policy and Reporting

DIFFERENTIATED DEVICE PROFILES

Users on the same wireless network (same SSID) can be associated to different wired networks after authentication:

Employee using a corporate laptop with their AD user id is assigned to “Full network access” (VLAN 30, corporate resources).

Employee using a personal iPad/iPhone with the same AD user id is assigned to “Internet only” (VLAN 40).

Flow (access points to the controller over CAPWAP, controller to the network over an 802.1Q trunk carrying VLAN 30 and VLAN 40):

1. EAP authentication from the corporate laptop

2. ISE returns Accept with VLAN 30

3. EAP authentication from the personal iPad

4. ISE returns Accept with VLAN 40
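The “Accept with VLAN 30” and “Accept with VLAN 40” messages above are RADIUS Access-Accepts carrying the tunnel attributes defined in RFC 2868. This added Go example, which is not part of the original slides or of any vendor's code, builds such an Access-Accept on the AAA-server side and parses it on the switch/controller side, verifying the Response Authenticator against the shared secret before honoring the VLAN. The shared secret and Request Authenticator are constructed values, and the tag byte of 1 on the tunnel attributes is a common choice rather than a requirement.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"strconv"
)

// RADIUS code and attribute numbers (RFC 2865 / RFC 2868).
const (
	codeAccessAccept         = 2
	attrTunnelType           = 64
	attrTunnelMediumType     = 65
	attrTunnelPrivateGroupID = 81
	tunnelTypeVLAN           = 13
	tunnelMediumIEEE802      = 6
)

// tagged encodes a tunnel attribute whose value is a tag byte plus a 24-bit integer.
func tagged(t byte, tag byte, v uint32) []byte {
	b := []byte{t, 6, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(b[2:], v&0xffffff)
	b[2] = tag
	return b
}

// responseAuth = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret).
func responseAuth(hdr []byte, requestAuth [16]byte, attrs, secret []byte) [16]byte {
	m := append([]byte{}, hdr...)
	m = append(m, requestAuth[:]...)
	m = append(m, attrs...)
	return md5.Sum(append(m, secret...))
}

// BuildAccessAccept is the AAA-server side: an Access-Accept that assigns a VLAN.
func BuildAccessAccept(id byte, requestAuth [16]byte, secret []byte, vlan int) []byte {
	attrs := tagged(attrTunnelType, 1, tunnelTypeVLAN)
	attrs = append(attrs, tagged(attrTunnelMediumType, 1, tunnelMediumIEEE802)...)
	group := append([]byte{1}, strconv.Itoa(vlan)...) // tag 1 + VLAN id as text
	attrs = append(attrs, attrTunnelPrivateGroupID, byte(2+len(group)))
	attrs = append(attrs, group...)

	length := 20 + len(attrs)
	pkt := []byte{codeAccessAccept, id, byte(length >> 8), byte(length)}
	sum := responseAuth(pkt, requestAuth, attrs, secret)
	pkt = append(pkt, sum[:]...)
	return append(pkt, attrs...)
}

// ParseAssignedVLAN is the switch/WLC side: the VLAN is honored only if the
// Response Authenticator verifies against the shared secret, so a spoofed or
// tampered Access-Accept cannot move an endpoint into a privileged VLAN.
func ParseAssignedVLAN(pkt []byte, requestAuth [16]byte, secret []byte) (int, error) {
	if len(pkt) < 20 || int(binary.BigEndian.Uint16(pkt[2:4])) != len(pkt) {
		return 0, errors.New("malformed RADIUS packet")
	}
	if pkt[0] != codeAccessAccept {
		return 0, errors.New("not an Access-Accept")
	}
	sum := responseAuth(pkt[:4], requestAuth, pkt[20:], secret)
	if subtle.ConstantTimeCompare(sum[:], pkt[4:20]) != 1 {
		return 0, errors.New("bad Response Authenticator: wrong secret or forged reply")
	}
	var tunnelType, medium uint32
	vlan := -1
	for p := pkt[20:]; len(p) > 0; p = p[p[1]:] {
		if len(p) < 2 || p[1] < 2 || int(p[1]) > len(p) {
			return 0, errors.New("malformed attribute")
		}
		v := p[2:p[1]]
		switch {
		case p[0] == attrTunnelType && len(v) == 4:
			tunnelType = binary.BigEndian.Uint32(v) & 0xffffff
		case p[0] == attrTunnelMediumType && len(v) == 4:
			medium = binary.BigEndian.Uint32(v) & 0xffffff
		case p[0] == attrTunnelPrivateGroupID:
			if len(v) > 0 && v[0] <= 0x1f { // a leading byte 0x00-0x1f is a tag, not data
				v = v[1:]
			}
			n, err := strconv.Atoi(string(v))
			if err != nil {
				return 0, errors.New("non-numeric Tunnel-Private-Group-ID")
			}
			vlan = n
		}
	}
	if tunnelType != tunnelTypeVLAN || medium != tunnelMediumIEEE802 || vlan < 0 {
		return 0, errors.New("Access-Accept carries no VLAN assignment")
	}
	return vlan, nil
}
```

With a constructed 16-byte Request Authenticator and secret, BuildAccessAccept(7, reqAuth, secret, 30) yields a 37-byte packet for which ParseAssignedVLAN returns 30; the same packet parsed with a different secret, or with its VLAN digits altered, is rejected before any VLAN is applied.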

Deploying NAC

Flexibility: we can stack multiple authentication methods to deal with anything that comes along.

Easy: wireless auth, guest auth. More complex: wired auth, onboarding.

Deploying NAC

One policy fits all? Don’t lump multiple use cases into a single policy; break out use cases into individual policies.

Tailor default behavior: conference rooms default to guest; cubicle ports default to the private network.

Device authentication vs user authentication: device identity takes precedence for security policy. Device certificates make it easy (MDM, MS-CA, etc.).
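The following Go program is an added illustration, not ISE's policy model or code, of the points in the two deployment slides above: one rule per use case, device identity (a corporate device certificate) decided before the user's group, per-port-role defaults, and the monitor mode from Step 2 that logs the decision a policy would make without enforcing it. Field names, rule names, VLAN ids and dACL names are assumptions made for the example.

```go
package main

import "fmt"

// Endpoint is the context the policy engine sees after authentication and
// profiling. The vocabulary is this example's own, not ISE's.
type Endpoint struct {
	User       string // AD user id; empty for MAB devices and unauthenticated guests
	Group      string // "employee", "contractor", "guest"
	AuthMethod string // "eap-tls", "peap", "mab", "webauth"
	DeviceCert bool   // presented a device certificate from the corporate CA
	Profile    string // profiler result: "corp-laptop", "ipad", "printer", "ip-phone", "unknown"
	Posture    string // "compliant", "noncompliant", "unknown"
	PortRole   string // "conference", "cubicle", "wireless"
}

// Decision is what RADIUS would carry back to the switch or controller.
type Decision struct {
	Rule string
	VLAN int
	DACL string
}

type Rule struct {
	Name  string
	Match func(Endpoint) bool
	VLAN  int
	DACL  string
}

// One rule per use case; first match wins. Posture rules come first so a
// quarantined device can never fall through to a broader rule, and device
// identity (the certificate) is decided before the user's group.
var Rules = []Rule{
	{"quarantine-noncompliant", func(e Endpoint) bool { return e.Posture == "noncompliant" }, 999, "PERMIT-REMEDIATION-ONLY"},
	{"corp-device-posture-pending", func(e Endpoint) bool { return e.DeviceCert && e.Posture != "compliant" }, 999, "PERMIT-REMEDIATION-ONLY"},
	{"printer-mab", func(e Endpoint) bool { return e.AuthMethod == "mab" && e.Profile == "printer" }, 50, "PERMIT-INTERNAL-ONLY"},
	{"ip-phone-mab", func(e Endpoint) bool { return e.AuthMethod == "mab" && e.Profile == "ip-phone" }, 60, "PERMIT-VOICE"},
	{"employee-corp-device", func(e Endpoint) bool { return e.Group == "employee" && e.DeviceCert }, 30, "PERMIT-ALL"},
	{"employee-personal-device", func(e Endpoint) bool { return e.Group == "employee" && !e.DeviceCert }, 40, "PERMIT-INTERNET-ONLY"},
	{"guest-webauth", func(e Endpoint) bool { return e.Group == "guest" && e.AuthMethod == "webauth" && e.PortRole == "wireless" }, 90, "PERMIT-INTERNET-RATELIMITED"},
}

// portDefault is the per-port-role behaviour for endpoints no rule matched.
func portDefault(role string) Decision {
	switch role {
	case "conference", "wireless":
		return Decision{"default-" + role + "-guest", 90, "PERMIT-INTERNET-RATELIMITED"}
	case "cubicle":
		// the slide's default; confirm in monitor mode what lands here before enforcing
		return Decision{"default-cubicle-private", 30, "PERMIT-ALL"}
	}
	return Decision{"default-deny", 0, "DENY-ALL"}
}

type Engine struct {
	Rules       []Rule
	MonitorMode bool // evaluate and log, but do not restrict anyone
	Log         []string
}

// Authorize returns the decision actually applied and the one policy intended.
// In monitor mode they differ: the port stays open on its default VLAN, and the
// intended decision is logged for review before enforcement is turned on.
func (en *Engine) Authorize(e Endpoint) (applied, intended Decision) {
	intended = portDefault(e.PortRole)
	for _, r := range en.Rules {
		if r.Match(e) {
			intended = Decision{r.Name, r.VLAN, r.DACL}
			break
		}
	}
	if en.MonitorMode {
		en.Log = append(en.Log, fmt.Sprintf("MONITOR user=%q profile=%s auth=%s would get %s (VLAN %d, dACL %s)",
			e.User, e.Profile, e.AuthMethod, intended.Rule, intended.VLAN, intended.DACL))
		return Decision{"monitor-mode-open", portDefault(e.PortRole).VLAN, "PERMIT-ALL"}, intended
	}
	return intended, intended
}

func main() {
	en := &Engine{Rules: Rules, MonitorMode: true}
	// constructed sample sessions
	laptop := Endpoint{"jdoe", "employee", "eap-tls", true, "corp-laptop", "compliant", "cubicle"}
	ipad := Endpoint{"jdoe", "employee", "peap", false, "ipad", "unknown", "wireless"}
	printer := Endpoint{"", "", "mab", false, "printer", "unknown", "cubicle"}
	for _, e := range []Endpoint{laptop, ipad, printer} {
		applied, intended := en.Authorize(e)
		fmt.Printf("%-12s applied=%s intended=%s\n", e.Profile, applied.Rule, intended.Rule)
	}
	for _, l := range en.Log {
		fmt.Println(l)
	}
}
```

Running the monitor-mode engine over a pilot's sessions and reviewing the log is the "evaluate what policies would be assigned, prior to enforcement" step; switching MonitorMode off makes the same rules enforce.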

Guest Access

Flow: the guest connects, is URL-redirected to the ISE Guest Server portal, and logs in with an account a sponsor created through the Sponsor Portal.

Sponsor Portal

• Customizable portal

• Create multiple accounts

• Sponsor sets group/ID store

• Time profiles

• User account notification: email, print, SMS

Guest Portal

• Change password

• Change password at first login

• Download posture client

• Self service

• Device registration

Deploying NAC

Can reference multiple user databases: AD, local (guest DB).

Web Auth is great for sporadic guest access. Web Auth is not great for daily access; it gets annoying fast. Look at device registration for daily users, with MAB in the background.

Device Profiling

Cisco ISE Profiler

• Discovers and profiles (classifies) each endpoint using the network

• Monitors for changing endpoint identity attributes

• Maintains a database of all endpoints on the network

• Profiling is based on data from: SNMP, DNS, RADIUS accounting, NMAP, NetFlow, CDP, DHCP, Web Auth, IOS Sensor

• Built-in profiles (e.g. iPad) plus custom templates

Deploying NAC

Profiling is great for onboarding new/unknown devices (IP phones, printers, end user devices), for reporting on the install base, and for preventing MAC spoofing.
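An added Go sketch, not the ISE Profiler, of the profiling and MAC-spoofing check described above: classify an endpoint from DHCP, HTTP and CDP attributes rather than from its MAC, keep an endpoint database, and flag a MAC whose behaviour contradicts its OUI or its earlier profile so the session can be re-authorized with a CoA. The OUI table, DHCP fingerprints and sample observations are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Observation is one set of attributes collected for a MAC from the probes the
// slide lists (RADIUS/MAB, DHCP, HTTP via web auth, CDP). Values are constructed.
type Observation struct {
	MAC             string
	DHCPVendorClass string // DHCP option 60
	DHCPParamList   []byte // DHCP option 55, in the order the client sent it
	UserAgent       string // from the web-auth/HTTP probe
	CDPPlatform     string // from the switch's CDP neighbor table
}

// Profile is what the endpoint database stores per MAC.
type Profile struct {
	Class      string
	Suspicious bool // behaviour contradicts the MAC's OUI or the earlier profile
	Reason     string
}

// Constructed OUI table mapping vendor prefixes to the class they normally ship.
// A real profiler uses the IEEE registry; these prefixes are invented.
var ouiExpectedClass = map[string]string{
	"00:AA:10": "printer",
	"00:AA:20": "windows-workstation",
	"00:AA:30": "ip-phone",
}

// classify derives a class from behaviour, never from the MAC itself. The
// fingerprints are illustrative simplifications of real DHCP/HTTP/CDP matching.
func classify(o Observation) string {
	vc := strings.ToLower(o.DHCPVendorClass)
	switch {
	case strings.Contains(o.CDPPlatform, "IP Phone"):
		return "ip-phone"
	case strings.Contains(o.UserAgent, "iPad"):
		return "ipad"
	case strings.HasPrefix(o.DHCPVendorClass, "MSFT 5.0"):
		return "windows-workstation"
	case strings.Contains(vc, "printer"):
		return "printer"
	case len(o.DHCPParamList) > 0 && len(o.DHCPParamList) <= 4:
		return "printer" // very short option-55 lists are typical of embedded devices (assumption)
	}
	return "unknown"
}

func oui(mac string) string {
	mac = strings.ToUpper(mac)
	if len(mac) < 8 {
		return ""
	}
	return mac[:8]
}

// Profiler keeps the endpoint database and watches for identity changes.
type Profiler struct{ db map[string]Profile }

func NewProfiler() *Profiler { return &Profiler{db: map[string]Profile{}} }

// Observe profiles the endpoint and raises two MAC-spoofing signals: the OUI's
// vendor contradicts observed behaviour, or an already-profiled MAC now behaves
// like a different class of device. Either should trigger a CoA to re-authorize
// the session instead of keeping the access the old profile (e.g. printer MAB) granted.
func (p *Profiler) Observe(o Observation) Profile {
	class := classify(o)
	prof := Profile{Class: class}
	prev, seen := p.db[o.MAC]
	expected := ouiExpectedClass[oui(o.MAC)]
	switch {
	case seen && prev.Class != "unknown" && class != "unknown" && prev.Class != class:
		prof.Suspicious = true
		prof.Reason = fmt.Sprintf("profile changed from %s to %s; re-authorize via CoA", prev.Class, class)
	case expected != "" && class != "unknown" && class != expected:
		prof.Suspicious = true
		prof.Reason = fmt.Sprintf("OUI %s is a %s vendor but endpoint behaves like %s", oui(o.MAC), expected, class)
	}
	p.db[o.MAC] = prof
	return prof
}

func main() {
	p := NewProfiler()
	mac := "00:aa:10:12:34:56"
	// constructed observations: a real printer, then the same MAC reused by a Windows laptop
	fmt.Printf("%+v\n", p.Observe(Observation{MAC: mac, DHCPVendorClass: "Example Printer 1.0", DHCPParamList: []byte{1, 3, 6}}))
	fmt.Printf("%+v\n", p.Observe(Observation{MAC: mac, DHCPVendorClass: "MSFT 5.0", DHCPParamList: []byte{1, 3, 6, 15, 31, 33, 43}}))
}
```

The second observation is the interesting one: the MAC is still the printer's, so MAB alone would keep granting printer access, but the DHCP fingerprint now says Windows, which is exactly the attribute change the profiler is there to catch.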

Posture Assessment

ISE Endpoint Posture Assessment

• The Cisco NAC Agent is used for endpoint checks: a thick client on managed machines, or a thin client via ActiveX or Java

• Access is controlled via ACLs or VLAN assignments delivered by RADIUS: quarantine, role-based access, periodic reassessment

• Available checks include: antivirus condition, antispyware condition, file condition, registry condition, application condition, service condition

• Automated and manual remediation

Deploying NAC

Posture Assessment should be backed up by a written policy that you intend to enforce. Don’t posture assess just for fun, it’s not!

Deploying NAC Agents adds difficulty.

Web Agent: great for onboarding and bringing a device under management; not great for daily access.

Consider your other solutions in place for managing endpoints.

ISE Topology

Typical Enterprise Deployment (10,000 endpoints or more); Typical SMB Deployment (under 5,000 endpoints).

Deploying NAC

Insist on Redundancy

Centralized Deployments

Cheaper

More Practical

Need WAN redundancy or a Fail Open policy

Scalability

Distributable services/node types

Load distribution is fairly easy

Architecture

Deploying NAC - Avoid the Pitfalls

Engage an architect for design before committing.

Run a POC if you or your provider have uncertainty, or if your requirements are complex.

Leverage an experienced partner to avoid the mistakes made by others and to ensure a proven real-world deployment, or be prepared for a slow, painful deployment.

Test the use cases and make sure they make sense: what looks good on paper might not look good in practice.

Questions