SOSPG2ilta.personifycloud.com/webfiles/productfiles/1501877/... · 2013. 8. 27. · Implementing...


Page 1:

SOSPG2 Implementing Network Access Controls

Nate Isaacson

Security Solution Architect

[email protected]

Page 2:

Agenda

The BYOD Challenges

NAC terms

The Big Picture

NAC Solutions and Deployment

Page 3:

What about outside the Enterprise?

The “New Normal”

Page 4:

MOBILE GROWTH RATE (chart)

Page 5:

MOBILE GROWTH RATE (chart, continued)

Page 6:

The Evolving Workplace Landscape

YOUR USERS HAVE NEW EXPECTATIONS

Virtualization, Device Proliferation, Next Generation Workforce

Work Is No Longer a Place You Go to

People Are Willing to Take a Pay Cut as Long as They Are Able to Work from Home

70 percent of end users admit to breaking IT policy to make their lives easier

Need Anywhere, Anytime, Any Device Access

Page 7:

The Burden Falls on IT

TOP OF MIND CONCERNS

• Am I hindering my workforce from being competitive?

• How do I retain top talent?

• How do I ensure compliance with SOX, HIPAA, etc?

• Can I handle partners, consultants, and guests appropriately?

CHANGING WORKFORCE

Page 8:

Intelligent Access Wherever it is Needed

THE BORDERLESS NETWORK

Borderless Networks: Anyone, Any Device, Anywhere, Anytime, As Needed

An Authorized Person, An Approved Device, In a Secure Way

R = RoO x SLE

Page 9:

NAC and Security Acronyms

Glossary

NAC - Network Access Control

ISE - Identity Services Engine (Cisco's NAC platform)

DLP - Data Loss Prevention

Page 10:

NAC and Security Acronyms

Glossary

PKI - Public Key Infrastructure

CA - Certificate Authority

CRL - Certificate Revocation List

Page 11:

NAC and Security Acronyms

Glossary

ACL - Access Control List

dACL - Downloadable (dynamic) Access Control List: a per-session ACL the AAA server hands to the switch in the RADIUS authorization, applied to that port only

CoA - Change of Authorization: the RADIUS message that lets the policy server re-authorize or terminate a session already in progress, e.g. after a profiling or posture result changes

Page 12:

NAC and Security Acronyms

Glossary

MDM - Mobile Device Management

802.1X - IEEE standard for port-based network access control; the switch or wireless controller keeps the port closed until the client authenticates through EAP against an AAA (RADIUS) server

MAB - MAC Authentication Bypass: the switch submits the endpoint's MAC address as its credential when there is no 802.1X supplicant

Page 13:

STOP AND THINK

What are we trying to do with NAC?

A: Secure the Network

B: Prevent Malware

C: Maintain Regulatory Compliance

D: Secure Sensitive Data

E: All the above

Page 14:

Top Data Threats

Policy, Technology, Procedure

1. Malicious insiders

2. Well-meaning insiders

3. Malicious intarweb hax0rz

4. Lost or stolen media

5. Dissemination of data

6. Mobile devices

7. BAs, suppliers, vendors, partners

8. Cloud/SaaS providers

9. Virtual offices

10. Wireless data transfers

11. Advanced Persistent Threats

http://webstore.ansi.org/phi

Page 15:

The Big Picture

DLP
• Outgoing Email Poses the Biggest Threat to Sensitive Data
• Monitor Usage of Sensitive Data

MDM
• Enforce Password
• Enforce Data Encryption
• Jailbreak Detection

PKI
• Should Unknown Devices Access Sensitive Data?
• Fingerprint approved devices

NAC
• Control Access to the Private Network
• Manage Guest Access

Page 16:

Traditional Approach to BYOD

Guest Network: Wireless, Conference Room ports; Problematic for Wired ports

SSL VPN (Application portal): Still a viable solution

Virtual Desktop (Citrix, Remote Desktop, VDI, etc.): Still a viable solution

Page 17:

Mobile Device Management lifecycle: Provision, Secure, Apps & Content, Monitor, Support, Retire

Page 18:

Mobile Device Management

Provision
• User Groups & Roles
• Remove/Hide Unwanted Apps
• WiFi & VPN Settings
• Push Apps & Content
• Email, Contacts, & Calendars

Secure
• Enforce Password
• Enforce Data Encryption
• OS Updates
• Jailbreak Detection

Apps & Content
• Private App Store
• Apple VPP Distribution
• Web Apps & Clips
• Homegrown
• Content Locker

Page 19:

Mobile Device Management

Monitor
• Device Check-Ins
• Asset Tracking & Reporting
• Geo-location
• Jailbreak Detection

Support
• Remote Lock
• Remote Password Reset
• Self Service

Retire
• Lost/Stolen Device
• Selective Wipe
• Full Wipe

Page 20:

How Do I Control Who and What Access the Network?

Page 21:

EVOLVING POLICIES IN A MOBILE WORLD

(Diagram: Internet, Wireless LAN Controller, Access Point, Switch, Policy Services, Campus Network, Internal Resources)

“Printers should only ever communicate internally.”

“Employees should be able to access everything but have no access on personal devices.”

“Guest and partners are only allowed bandwidth constrained Internet access via wireless.”

Page 22:

TYPICAL POLICY OPTIONS

Permit Access: • Low maintenance • High risk

Deny Access: • Low maintenance • Low risk

Tailor Access by Scenario (Centralized Policy Engine): • Low maintenance • Low risk

Employee: “I have an iPad. Can I get on the network?”

Simplified, Scalable Access Policy

Converged Monitoring and Troubleshooting

Unified Access Management

Page 23:

Devices in the New Enterprise: A Spectrum of Possibilities & New Trust Equation

User Owned, Unmanaged  →  User Owned, Enterprise Managed  →  Enterprise Owned, Enterprise Managed

Trust the Device, Trust the User, Trust the App, Trust the File System

Page 24:

Deploying NAC - Step 1

Develop a Written Policy

Approved Devices List

OS, Disk Encryption, etc.

Access Methods Allowed

Guest Policy

BYOD/MDM Policy

Page 25:

What is a Certificate?

A credential that binds a public key to an identity (a name)

You must be vetted by a trusted authority (the CA) to get it

It provides you access or privileges to communities

People who did not give it to you are willing to trust its contents, because they trust the CA that signed it

Page 26:

How Do You Manage Certificates? One option is to self-manage with readily available tools

Certificate Software & Hardware: Microsoft (CA), MDMs

Not easy to use; not always multi-platform; difficult to scale

Page 27:

Symantec Managed PKI Service

The Leading Cloud PKI Platform…And It Just Got Better

Cost-Effective: Deploy PKI applications quickly & easily with no up-front capital investment

Simple: Deliver consistent, automated, and easy-to-use operation across platforms

Flexible: Deliver and manage multiple PKI applications from a unified platform

Scalable: Build on the proven reliability of the longest-running commercial PKI platform

Page 28:

NAC Then and Now

Then: Pass/Fail (NOT flexible); Few devices supported 802.1X; Inline devices created bottlenecks; Expensive; Overall – painful and not practical

Now: Very Flexible; Most devices support 802.1X; No more inline devices; Affordable; Overall – Works as advertised

Page 29:

Evaluating NAC solutions

What authentication methods are supported

AAA (802.1x)

MAC Authentication (MAB)

Guest management

How are Policies Enforced

Inline Appliance

Endpoint Agent

Network Layer (dynamic VLAN or ACL)

Page 30:

Evaluating NAC solutions

Vendor Alignment – HUGE factor

Cisco network – Cisco ISE

Aruba Wireless – Aruba ClearPass

Juniper Network – Juniper UAC

MDM integration

Don’t underestimate the value of MDM

Wired and Wireless Capabilities

There may be discrepancies

Don’t assume same features for both

Page 31:

Deploying NAC – Step 2

What happens IF… you lock down the Network on Day 1?

Test and Pilot use cases

Deploy in Monitor Mode (authentication runs on every port, but the port stays open whatever the result, so you see the outcome without anyone losing access)

Evaluate Authentication Successes and failures

Evaluate what policies would be assigned, prior to enforcement

Walk before you Run

Page 32:

Identity Services Engine (ISE)

• Centralized Policy

• AAA Services

• Device Profiling

• Posture Assessment

• Guest Access Services

• Distributed Enforcement

• Centralized Monitoring and Reporting

ISE consolidates the formerly separate products: ACS, NAC Profiler, NAC Guest, NAC Manager, NAC Server

Page 33:

Authentication

IEEE 802.1X

Standard for link layer authentication and access control

Components: supplicant (client), authenticator (switch or wireless controller), and AAA (RADIUS) server

Uses Extensible Authentication Protocol (EAP) to transport authentication info; the authenticator only relays EAP between supplicant and AAA server and applies the server's verdict, it never sees the credential itself

MAC Auth Bypass (MAB)

Authenticate using the client’s MAC address

For devices that don’t support 802.1X (no supplicant), such as printers; a MAC address is not a secret, so MAB identifies rather than authenticates and should be paired with profiling and a restricted authorization

Web Authentication

For clients that don’t support 802.1X (no supplicant), but are capable of interactive HTTP authentication

Cisco TrustSec: IEEE 802.1X, MAC Authentication, Web Authentication
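The three-party 802.1X exchange described above, as an added example that is not part of the presentation: a supplicant, an authenticator (the switch) and a AAA server modelled in Python. The EAP packets use the real RFC 3748 wire format and the real EAP-MD5 response computation (the CHAP hash of identifier, password and challenge); EAPOL framing is the real 4-byte header. RADIUS is reduced to a dict of standard attribute names (Access-Request/Challenge/Accept/Reject codes, EAP-Message, Calling-Station-Id, Tunnel-* for the VLAN), with the packet authenticators a real server would verify left out. The user name, password, MAC address and VLAN number are made up.

```python
"""Model of IEEE 802.1X: supplicant <-EAPOL-> authenticator <-RADIUS-> AAA server.

Added example, not the presentation's code. EAP and EAPOL use the real wire formats;
RADIUS is a dict of attribute names with packet authenticators omitted (assumption).
"""
import hashlib
import os
import struct

# EAP codes and types (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4
# EAPOL packet types (IEEE 802.1X)
EAPOL_EAP_PACKET, EAPOL_START = 0, 1


def eap_encode(code, ident, eap_type=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eap_decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:]


def eapol(ptype, body=b""):
    """EAPOL: Version(1)=2 PacketType(1) BodyLength(2) followed by the EAP packet."""
    return struct.pack("!BBH", 2, ptype, len(body)) + body


def md5_response(ident, password, challenge):
    """EAP-MD5 Response value = MD5(Identifier || password || challenge), as in CHAP."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


class Supplicant:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def handle(self, eap_pkt):
        """Answer an EAP-Request; anything else (Success/Failure) ends the conversation."""
        code, ident, eap_type, data = eap_decode(eap_pkt)
        if code != EAP_REQUEST:
            return None
        if eap_type == EAP_TYPE_IDENTITY:
            return eap_encode(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.identity.encode())
        if eap_type == EAP_TYPE_MD5:
            challenge = data[1:1 + data[0]]                 # Value-Size(1) then Value
            value = md5_response(ident, self.password, challenge)
            return eap_encode(EAP_RESPONSE, ident, EAP_TYPE_MD5,
                              bytes([len(value)]) + value + self.identity.encode())
        return None


class AAAServer:
    """Terminates EAP and holds the policy; returns (RADIUS code, attributes)."""
    def __init__(self, users, vlan_by_user):
        self.users, self.vlan_by_user = users, vlan_by_user
        self.pending = {}   # Calling-Station-Id -> (identity, expected EAP id, challenge)

    def access_request(self, attrs):
        mac = attrs["Calling-Station-Id"]
        code, ident, eap_type, data = eap_decode(attrs["EAP-Message"])
        if eap_type == EAP_TYPE_IDENTITY:
            challenge = os.urandom(16)
            self.pending[mac] = (data.decode(), ident + 1, challenge)
            req = eap_encode(EAP_REQUEST, ident + 1, EAP_TYPE_MD5, bytes([16]) + challenge)
            return "Access-Challenge", {"EAP-Message": req}
        if eap_type == EAP_TYPE_MD5 and mac in self.pending:
            user, expect_id, challenge = self.pending.pop(mac)
            value = data[1:1 + data[0]]
            password = self.users.get(user)
            if password and ident == expect_id and value == md5_response(ident, password, challenge):
                return "Access-Accept", {"EAP-Message": eap_encode(EAP_SUCCESS, ident),
                                         "Tunnel-Type": 13,          # VLAN
                                         "Tunnel-Medium-Type": 6,    # IEEE-802
                                         "Tunnel-Private-Group-ID": str(self.vlan_by_user[user])}
        return "Access-Reject", {"EAP-Message": eap_encode(EAP_FAILURE, ident)}


class Authenticator:
    """The switch port: relays EAP between EAPOL and RADIUS and never sees the password."""
    def __init__(self, aaa, port_mac):
        self.aaa, self.port_mac = aaa, port_mac
        self.port_state, self.vlan = "unauthorized", None

    def run(self, supplicant):
        frames = [eapol(EAPOL_START)]                      # supplicant signals it wants in
        req = eap_encode(EAP_REQUEST, 0, EAP_TYPE_IDENTITY)
        while True:
            frames.append(eapol(EAPOL_EAP_PACKET, req))
            resp = supplicant.handle(req)
            if resp is None:
                break
            frames.append(eapol(EAPOL_EAP_PACKET, resp))
            code, attrs = self.aaa.access_request({"EAP-Message": resp,
                                                   "Calling-Station-Id": self.port_mac,
                                                   "NAS-Port-Type": 15})   # Ethernet
            req = attrs["EAP-Message"]
            if code != "Access-Challenge":
                frames.append(eapol(EAPOL_EAP_PACKET, req))   # EAP-Success or EAP-Failure
                if code == "Access-Accept":
                    self.port_state = "authorized"
                    self.vlan = int(attrs["Tunnel-Private-Group-ID"])
                break
        return self.port_state, self.vlan, frames


def demo(password="correct horse"):
    """Run one port through the exchange; user, password, MAC and VLAN are made up."""
    aaa = AAAServer(users={"alice@corp.example": "correct horse"},
                    vlan_by_user={"alice@corp.example": 30})
    switch = Authenticator(aaa, port_mac="00-11-22-33-44-55")
    return switch.run(Supplicant("alice@corp.example", password))
```

EAP-MD5 is used only because it fits in a few lines: it authenticates nothing about the server, and anyone on the wire who captures the challenge and response can brute-force the password offline. Production 802.1X uses EAP-TLS (device certificates, which the deck recommends later) or PEAP/EAP-TTLS, where the inner exchange runs inside a TLS tunnel to a server the supplicant has verified. The structural point survives either way: the switch relays and enforces, the AAA server decides.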

Page 34:

THE IDENTITY BASED ACCESS ARCHITECTURE

Identity Context: Location, Access Type, Device Type, Posture; roles such as Employee, Contractor, Guest, Server

Authentication: 802.1X, Web Authentication, MAC Authentication Bypass (MAB), Profiling

Authorization and Enforcement: VLAN, dACL, Security Group Access, Identity Firewall → Broad Access, Limited Access, Guest/Internet

Data Integrity and Confidentiality: MACsec (802.1AE)

Policy and Reporting

Page 35:

DIFFERENTIATED DEVICE PROFILES

Users on the same wireless network (same SSID) can be associated to different wired networks (VLANs) after authentication

Employee using a corporate laptop with their AD user id: assigned to “Full network access” (VLAN 30 → Corporate Resources)

Employee using personal iPad/iPhone with their AD user id: assigned to “Internet only” (VLAN 40 → Internet)

Flow (CAPWAP from the access point to the controller, 802.1Q trunk from the controller to the network):

1. EAP Authentication (corporate laptop)

2. ISE: Accept with VLAN 30

3. EAP Authentication (personal iPad)

4. ISE: Accept with VLAN 40

Page 36:

Deploying NAC

Authentication

Flexibility: We can stack multiple authentication methods to deal with anything that comes along

EASY: Wireless Auth, Guest Auth

More Complex: Wired Auth, Onboarding

Page 37:

Deploying NAC

Authentication

One policy fits all? Don’t lump multiple use cases into a single policy; break out use cases to individual policies

Tailor default behavior: Conference Rooms – default to guest; Cubicle ports – default to private network

Device Authentication vs User Authentication: Device Identity takes precedence for security policy (a valid AD user on an unmanaged device is still an unmanaged device); Device Certificates make it easy (MDM, MS-CA, etc.)
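The policy ideas from pages 22, 35 and 37 (tailor access by scenario, one rule per use case, device identity outranking user identity, tailored port defaults) and the monitor-mode evaluation from page 31, as one added example that is not part of the presentation. It is a minimal ISE-style authorization policy in Python: rules are matched top-down on identity group, authentication method, profiled device type, management state and posture, and the first match yields the RADIUS authorization the switch would apply (VLAN via the Tunnel-* attributes and a dACL name). `monitor_mode_report` then runs a day of constructed authentication records through the policy and reports what enforcement would have done. Rule names, VLAN numbers, dACL names, the Cisco-AVPair wording and every session are made up for the example.

```python
"""Added example, not the presentation's code: a small authorization policy
evaluated in monitor mode. All rule names, VLANs, dACL names and sessions are
constructed; the Cisco-AVPair format is illustrative only.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable


@dataclass
class Session:
    mac: str
    method: str                    # "dot1x", "mab" or "webauth"
    status: str                    # "success" or "failure", as reported by the AAA server
    user: str = ""
    groups: frozenset = frozenset()
    device_type: str = "Unknown"   # profiler result
    managed: bool = False          # enterprise managed, e.g. authenticated with an MDM-issued cert
    posture: str = "unknown"       # "compliant", "noncompliant" or "unknown"
    port_role: str = "cubicle"     # "cubicle" or "conference"


@dataclass
class Rule:
    name: str
    match: Callable[[Session], bool]
    vlan: int
    dacl: str = ""


def radius_attrs(rule):
    """What the Access-Accept carries for a matched rule (standard attribute names)."""
    attrs = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
             "Tunnel-Private-Group-ID": str(rule.vlan)}
    if rule.dacl:
        attrs["Cisco-AVPair"] = f"ACS:CiscoSecure-Defined-ACL={rule.dacl}"
    return attrs


# One rule per use case; order matters. Device state is checked before the user
# group, so a known AD user on an unmanaged iPad lands in "Internet only".
POLICY = [
    Rule("Printers-Internal", lambda s: s.method == "mab" and s.device_type == "Printer",
         vlan=50, dacl="PRINTER-INTERNAL-ONLY"),
    Rule("Employee-Corp-Device-Noncompliant",
         lambda s: s.method == "dot1x" and s.managed and s.posture == "noncompliant",
         vlan=30, dacl="QUARANTINE-REMEDIATION-ONLY"),
    Rule("Employee-Corp-Device-Full",
         lambda s: s.method == "dot1x" and s.managed and "Employees" in s.groups,
         vlan=30, dacl="PERMIT-ALL"),
    Rule("Employee-BYOD-Internet-Only",
         lambda s: s.method == "dot1x" and not s.managed and "Employees" in s.groups,
         vlan=40, dacl="INTERNET-ONLY"),
    Rule("Guest-Internet-Limited",
         lambda s: s.method == "webauth" and "Guests" in s.groups,
         vlan=90, dacl="INTERNET-RATE-LIMITED"),
    # Tailored defaults: conference-room ports fall back to guest, cubicle ports do not.
    Rule("Default-Conference-Guest", lambda s: s.port_role == "conference",
         vlan=90, dacl="INTERNET-RATE-LIMITED"),
]
DENY = Rule("Default-Deny", lambda s: True, vlan=0)


def authorize(session):
    """First matching rule wins; a failed authentication never reaches the policy."""
    if session.status != "success":
        return DENY
    return next((r for r in POLICY if r.match(session)), DENY)


def monitor_mode_report(sessions):
    """What enforcement *would* do: failures per method, rule hit counts, who gets cut off."""
    report = {"auth_failures": Counter(), "rule_hits": Counter(), "would_be_denied": []}
    for s in sessions:
        if s.status != "success":
            report["auth_failures"][s.method] += 1
        rule = authorize(s)
        report["rule_hits"][rule.name] += 1
        if rule is DENY:
            report["would_be_denied"].append(s.mac)
    return report


# Constructed sample: one day on a pilot switch running in monitor (open) mode.
SAMPLE = [
    Session("00-1a-2b-00-00-01", "dot1x", "success", "alice", frozenset({"Employees"}),
            "Windows-Workstation", managed=True, posture="compliant"),
    Session("00-1a-2b-00-00-02", "dot1x", "success", "alice", frozenset({"Employees"}),
            "Apple-iPad", managed=False),
    Session("00-1a-2b-00-00-03", "mab", "success", device_type="Printer"),
    Session("00-1a-2b-00-00-04", "mab", "failure"),               # MAC nobody has registered
    Session("00-1a-2b-00-00-05", "webauth", "success", "visitor1", frozenset({"Guests"}),
            "Android", port_role="conference"),
    Session("00-1a-2b-00-00-06", "dot1x", "failure", "bob"),      # broken supplicant config
    Session("00-1a-2b-00-00-07", "dot1x", "success", "carol", frozenset({"Employees"}),
            "Windows-Workstation", managed=True, posture="noncompliant"),
]
```

The `would_be_denied` list is the day-one lockdown question answered in advance: the two MACs in it are the printer nobody registered and the laptop whose supplicant is misconfigured, both of which should be fixed (or given an explicit rule) before the ports move from open to closed mode.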

Page 38:

Guest Access

ISE Guest Server: the guest is URL-redirected to the Guest Portal; a sponsor creates the account in the Sponsor Portal

Sponsor Portal
• Customizable portal
• Create multiple accounts
• Sponsor sets group/ID store
• Time profiles
• User account notification: Email, Print, SMS

Guest Portal
• Change password
• Change password at first login
• Download posture client
• Self service
• Device registration

Page 39:

Deploying NAC

Web Authentication

Can reference multiple User Databases: AD, Local (guest DB)

Web Auth is great for sporadic guest access

Web Auth is not great for Daily access; it gets annoying fast

Look at device registration for daily users: MAB in the background

Page 40:

Device Profiling

Cisco ISE Profiler

• Discovers and Profiles (classifies) each endpoint using the network

• Monitors for changing endpoint identity attributes

• Maintains a database of all endpoints on the network

• Profiling is based on data from: SNMP, DNS, RADIUS accounting, NMAP, Netflow, CDP, DHCP, Web Auth, IOS Sensor

• Profiles range from built-in (e.g. iPad) to Custom Templates

Page 41:

Deploying NAC

Profiling

Great for onboarding New/Unknown devices: IP Phones, Printers, End User devices

Reporting on the Install base

Detect MAC Spoofing: profiling cannot stop a forged address, but an endpoint that was authorized by MAB as a printer and now sends a Windows DHCP fingerprint is a profile change that should trigger a CoA
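The profiler of pages 40 and 41, as an added example that is not part of the presentation: a small Python classifier fed with the kinds of evidence the deck lists (RADIUS Calling-Station-Id giving the OUI, DHCP option 55, CDP, the web-auth User-Agent), weighted per profile in the spirit of the ISE certainty factor, with a profile hierarchy so that refinement (iOS device → iPad) is not mistaken for a change of identity. `Profiler.observe` merges new evidence and raises an alert when an already-profiled MAC turns into something else, which on a MAB-authorized port is the spoofing case. The OUI table, the DHCP fingerprints, the weights and the sample events are constructed for the example (the OUI assignments are illustrative, not copied from the IEEE registry).

```python
"""Added example, not the presentation's code: endpoint profiling with
profile-change (MAC spoofing) detection. OUI table, DHCP fingerprints and
weights are constructed values.
"""
from collections import defaultdict

# Constructed OUI-to-vendor table keyed by the first three octets.
OUI = {"00:1b:a9": "Brother", "00:00:48": "Epson", "3c:07:54": "Apple", "00:50:56": "VMware"}

# Constructed DHCP fingerprints: option 55 (parameter request list) per OS family.
DHCP_FP = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "Windows",
    (1, 121, 3, 6, 15, 119, 252, 95, 44, 46): "Apple-iOS",
    (1, 3, 6, 12, 15, 28, 42): "Printer",
}

# Profile hierarchy: moving to a child profile is refinement, not a change of identity.
PARENT = {"Apple-iPad": "Apple-iOS-Device", "Apple-iOS-Device": "Apple-Device"}


def is_refinement(old, new):
    while new is not None:
        if new == old:
            return True
        new = PARENT.get(new)
    return False


def score(attrs):
    """Weighted evidence per profile; the highest total wins."""
    scores = defaultdict(int)
    vendor = OUI.get(attrs["mac"][:8])
    if vendor in ("Brother", "Epson"):
        scores["Printer"] += 10            # OUI alone is weak: a MAC is trivially forged
    elif vendor == "Apple":
        scores["Apple-Device"] += 10
    fp = DHCP_FP.get(tuple(attrs.get("dhcp_opt55", ())))
    if fp == "Printer":
        scores["Printer"] += 20
    elif fp == "Windows":
        scores["Windows-Workstation"] += 30
    elif fp == "Apple-iOS":
        scores["Apple-iOS-Device"] += 30
    if attrs.get("cdp_platform", "").startswith("Cisco IP Phone"):
        scores["Cisco-IP-Phone"] += 40     # CDP/LLDP is strong evidence for phones
    ua = attrs.get("user_agent", "")
    if "iPad" in ua:
        scores["Apple-iPad"] += 40         # a User-Agent naming the model is the most specific
    elif "Windows NT" in ua:
        scores["Windows-Workstation"] += 20
    return dict(scores)


def classify(attrs, min_certainty=20):
    scores = score(attrs)
    if not scores:
        return "Unknown"
    best = max(scores, key=scores.get)
    return best if scores[best] >= min_certainty else "Unknown"


class Profiler:
    """Endpoint database plus detection of a profile change on an already-profiled MAC."""

    def __init__(self):
        self.db = {}       # mac -> {"attrs": {...}, "profile": str}
        self.alerts = []   # profile changes that are not refinements

    def observe(self, mac, **attrs):
        """Merge new evidence (a DHCP request, a CDP update, a web-auth User-Agent) and re-profile."""
        mac = mac.lower().replace("-", ":")
        entry = self.db.setdefault(mac, {"attrs": {"mac": mac}, "profile": "Unknown"})
        old = entry["profile"]
        entry["attrs"].update(attrs)
        new = classify(entry["attrs"])
        if old != "Unknown" and new != old and not is_refinement(old, new):
            # Same MAC, different behaviour: on a MAB-authorized port this is the spoofing case.
            self.alerts.append({"mac": mac, "was": old, "now": new, "action": "CoA-Reauth"})
        entry["profile"] = new
        return new


def demo():
    """Constructed event sequence: a printer, an employee iPad, then a cloned printer MAC."""
    p = Profiler()
    p.observe("00:1B:A9:11:22:33", dhcp_opt55=[1, 3, 6, 12, 15, 28, 42])
    p.observe("3c:07:54:aa:bb:cc", dhcp_opt55=[1, 121, 3, 6, 15, 119, 252, 95, 44, 46])
    p.observe("3c:07:54:aa:bb:cc", user_agent="Mozilla/5.0 (iPad; CPU OS 6_1 like Mac OS X)")
    # A laptop now uses the printer's MAC to ride its MAB authorization.
    p.observe("00:1b:a9:11:22:33",
              dhcp_opt55=[1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])
    return p
```

The alert carries the action the deck's architecture implies: a CoA to re-authorize the session, which with the printer rule from the policy no longer matching lands the cloned MAC in the default authorization instead of the printer VLAN.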

Page 42:

Posture Assessment

ISE Endpoint Posture Assessment

• The Cisco NAC Agent is used for endpoint checks

• Thick client on managed machines

• Thin client via ActiveX or Java

• Access is controlled via ACLs or VLAN assignments delivered by RADIUS

• Quarantine

• Role-based access

• Periodic reassessment

• Available checks include: Antivirus condition, Antispyware condition, File condition, Registry condition, Application condition, Service condition

• Automated and manual remediation
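The posture checks and their consequences, as an added example that is not part of the presentation: a Python evaluator that runs antivirus, file, registry, application and service conditions against a constructed agent report, decides compliant / noncompliant / unknown (no agent), lists the remediation steps, and maps the result to the RADIUS authorization that a switch would apply, including the `Session-Timeout` plus `Termination-Action` pair that produces the periodic reassessment. The condition names, thresholds, paths, dACL names and sample reports are made up; the check names follow the slide, not the ISE condition syntax.

```python
"""Added example, not the presentation's code: posture condition evaluation
and the resulting authorization. Conditions, thresholds, paths and reports
are constructed; dACL names are illustrative.
"""
from datetime import date

TODAY = date(2013, 8, 27)   # fixed reference date so the example is deterministic

# Constructed agent reports; a real agent collects these on the endpoint.
COMPLIANT_REPORT = {
    "av": {"running": True, "definitions_date": date(2013, 8, 26)},
    "files": {r"C:\Program Files\Corp\agent.exe": {"exists": True, "version": "2.3.1"}},
    "registry": {r"HKLM\SOFTWARE\Policies\Corp\DiskEncryption": "1"},
    "apps": {"P2P-FileShare": False},
    "services": {"wuauserv": "running"},
}
STALE_AV_REPORT = {**COMPLIANT_REPORT,
                   "av": {"running": True, "definitions_date": date(2013, 8, 1)}}
NO_ENCRYPTION_REPORT = {**COMPLIANT_REPORT,
                        "registry": {r"HKLM\SOFTWARE\Policies\Corp\DiskEncryption": "0"}}


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


# (name, mandatory, check, remediation). A failed mandatory condition quarantines;
# a failed optional condition only adds a remediation message.
CONDITIONS = [
    ("AV running and definitions under 7 days old", True,
     lambda r: r["av"].get("running") and (TODAY - r["av"]["definitions_date"]).days < 7,
     "Update antivirus definitions"),
    ("Corp agent 2.3.0 or newer installed", True,
     lambda r: any(f.get("exists") and version_tuple(f.get("version", "0")) >= (2, 3, 0)
                   for f in r["files"].values()),
     "Install or upgrade the corporate agent"),
    ("Disk encryption enforced by policy", True,
     lambda r: r["registry"].get(r"HKLM\SOFTWARE\Policies\Corp\DiskEncryption") == "1",
     "Enable disk encryption"),
    ("No prohibited applications", True,
     lambda r: not any(r["apps"].values()),
     "Remove prohibited application"),
    ("Windows Update service running", False,
     lambda r: r["services"].get("wuauserv") == "running",
     "Start the Windows Update service"),
]


def assess(report):
    """Evaluate every condition; a report of None means no agent reported (unknown)."""
    if report is None:
        return {"status": "unknown", "failed": [], "remediation": []}
    failed, remediation, mandatory_failed = [], [], False
    for name, mandatory, check, fix in CONDITIONS:
        try:
            ok = bool(check(report))
        except (KeyError, ValueError, TypeError):   # missing or malformed data is a failure
            ok = False
        if not ok:
            failed.append(name)
            remediation.append(fix)
            mandatory_failed |= mandatory
    return {"status": "noncompliant" if mandatory_failed else "compliant",
            "failed": failed, "remediation": remediation}


def authorization_for(status, reassess_hours=4):
    """Posture result -> what RADIUS hands the switch (dACL names are illustrative)."""
    dacl = {"compliant": "PERMIT-ALL",
            "noncompliant": "QUARANTINE-REMEDIATION-SERVERS-ONLY",
            "unknown": "AGENT-DOWNLOAD-ONLY"}[status]
    return {"Cisco-AVPair": f"ACS:CiscoSecure-Defined-ACL={dacl}",
            "Session-Timeout": reassess_hours * 3600,   # forces periodic reassessment
            "Termination-Action": 1}                    # RADIUS-Request: re-authenticate, do not drop
```

The quarantine dACL has to permit the remediation servers (AV updates, the agent download, the patch server) or the user can never become compliant; the "unknown" case is the one that decides whether posture is a blocker on day one, which is why the deck insists on a written policy before enforcing it.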

Page 43:

Deploying NAC

Posture Assessment

Posture Assessment should be backed up by a written policy that you intend to enforce

Don't posture assess just for fun, it's not!

Deploying NAC Agents adds difficulty

Web Agent: Great for onboarding, bring device under management; Not great for daily access

Consider your other solutions in place for managing endpoints

Page 44:

ISE Topology

Typical Enterprise Deployment (10,000 endpoints or more) (diagram)

Typical SMB Deployment (Under 5000 endpoints) (diagram)

Page 45:

Deploying NAC

Architecture

Insist on Redundancy

Centralized Deployments: Cheaper; More Practical; Need WAN redundancy or a Fail Open policy (fail open means a branch that loses its path to the policy servers admits endpoints unauthenticated, so choose that consciously, or use the switch's critical-authentication VLAN so only known devices keep working during the outage)

Scalability: Distributable services/node types; Load distribution is fairly easy

Page 46:

Deploying NAC

Avoid the Pitfalls

Engage an Architect for design before committing

Run a POC if you or your provider have uncertainty, or if your requirements are complex

Leverage an experienced partner, or be prepared for a slow, painful deployment; this is how you avoid the mistakes made by others

Ensure a proven real-world deployment

Page 47:

Deploying NAC

Test the Use cases, make sure they make sense

Looks good on paper

Might not look good in practice

Avoid the Pitfalls

Page 48:

Questions