
Source: opus1.com › www › presentations › netsec-hardquestionsonnac.pdf

May, 2007

Copyright (c) 2007, Joel Snyder. All Rights Reserved.

Network Access Control: Hard Questions

Joel M Snyder, Senior Partner
Opus One, [email protected]

2

Agenda: Hard Questions about NAC

Questions you need to be able to answer about NAC regarding…
• Lying clients
• Denial of Service, MITM, and Eavesdropping Attacks
• VPN, Branch, Remote Access, and Wireless
• Interdependencies
• Integrating NAC with other tools
• Value of NAC to the organization

3

1. How will NAC deal with lying clients?

4

[Diagram: TNC architecture. On the client: Client Broker, Network Access Requestor, Posture Collector. On the server: Server Broker, Network Access Authority, Posture Validator. In the network: Network Enforcement Point.]

The NAC policy server gets its information from software running on the client

The Enforcement Point gets address information from software running on the client

5

[Diagram: client-side components (Client Broker, Network Access Requestor, Posture Collector) being scanned from the network]

You can use scanning of the end point to help confirm the type of device

You can use behavior analysis to detect when the device is behaving “uncharacteristically”

Most NAC deployments will have to use MAC authentication for some devices

6

[Diagram: client-side components (Client Broker, Network Access Requestor, Posture Collector)]

TCG/TNC has the TPM strategy to maximize “software trust”

Behavioral analysis also works here

Posture assessment relies on the client to report the results
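As an added example (not from the slides), here is one way a policy decision can stop trusting a client-reported posture on its own: the self-report is cross-checked against what a scanner fingerprints and what an IDS sees, and a device with no agent at all (MAC-authenticated) gets only what the network can verify. All field names, decision labels and sample data are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class PostureReport:
    """What the client-side Posture Collector says about itself (constructed fields)."""
    mac: str
    claimed_os: str
    av_running: bool
    patched: bool

@dataclass
class Observation:
    """What external sensors see for the same MAC: scanner OS guess, IDS alerts."""
    mac: str
    fingerprint_os: Optional[str] = None
    ids_alerts: List[str] = field(default_factory=list)

def os_family(name: str) -> str:
    # Compare only the coarse family ("windows", "linux"): fingerprints are fuzzy.
    return name.split()[0].lower()

def decide(report: Optional[PostureReport], obs: Observation) -> Tuple[str, List[str]]:
    """Return (decision, reasons). Decisions: allow, allow-restricted, remediate, quarantine."""
    reasons: List[str] = []
    # 1. External evidence of infection overrides any self-report: an agent can
    #    truthfully say "compliant" on a box that is already compromised.
    if obs.ids_alerts:
        reasons.append("IDS alerts: " + ", ".join(obs.ids_alerts))
        return "quarantine", reasons
    # 2. No agent (MAC-authenticated device): nothing to assess, so grant only
    #    a restricted role and keep relying on the sensors.
    if report is None:
        reasons.append("no posture agent; MAC authentication only")
        return "allow-restricted", reasons
    # 3. The claimed platform must agree with the scanner's fingerprint;
    #    a mismatch means the report itself cannot be trusted.
    if obs.fingerprint_os and os_family(obs.fingerprint_os) != os_family(report.claimed_os):
        reasons.append(f"claims {report.claimed_os!r} but scan fingerprints {obs.fingerprint_os!r}")
        return "quarantine", reasons
    # 4. Only now is the self-reported compliance state worth acting on.
    if not report.av_running:
        reasons.append("anti-virus not running")
    if not report.patched:
        reasons.append("patches missing")
    return ("remediate" if reasons else "allow"), reasons
```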


7

A sub-question: do you care about compliance, or infection?

Software on the PC can tell you whether the system complies with policy, but says nothing about whether the system is infected

External sensors can’t tell you about policy compliance, but they are very good at detecting infections

(more about this later)

8

Beware trying to have perfect security unless you have infinite budget

[Chart: x-axis “The amount of money you are spending on security”; y-axis “The extra security you get for each dollar you spend”]

9

Action Items: Lying Clients

Seek out NAC solutions that can incorporate external scanning solutions and IDS/IPS data

Identify holes in network security caused by MAC authentication, and document how you are plugging them

Balance the cost of end-point security assessment with the benefits that it brings to the network

10

2. Are you ready to add another “P1” critical service?

11

[Diagram: TNC architecture components (Client Broker, Network Access Requestor, Posture Collector; Server Broker, Network Access Authority, Posture Validator; Network Enforcement Point)]

This Policy Decision Point is now critical to anyone connecting to the network

12

Policy servers need to be scalable

User thinks that they log in once per day: 1000 users = .03 decision/second

End-point security checks in every 15 minutes: 1000 users = 1 decision/second

MAC devices are re-authenticated every minute: 1000 users = 30 decision/second

IDS+SIM+scanner generate 10 events a second: 10 decision/second


13

Policy servers need high availability

Can you build an active/active cluster?
Are your decision points able to handle multiple locations?
Is the link to the backend database, such as Active Directory LDAP, properly provisioned for HA?

14

Challenges to Reliability Require Broad Thinking

[Diagram: TNC architecture components (Client Broker, Network Access Requestor, Posture Collector; Server Broker, Network Access Authority, Posture Validator; Network Enforcement Point)]

Can Enforcement Points survive loss of policy engine gracefully? What is your policy?

What happens if a misbehaving client thrashes the network with hundreds or thousands of authentications a second? Or spins its MAC address many times a second?

How will the policy engine behave while under a DoS attack?
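As an added example (not from the slides), this is detection logic an enforcement point could run locally over its own authentication attempts so that a thrashing client or a MAC-spinning port is held down before it floods the policy engine. The event stream, port names and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Set, Tuple

# One authentication attempt as the enforcement point sees it: (seconds, port, mac).
Event = Tuple[float, str, str]

def rate_offenders(events: Iterable[Event], window: float = 1.0, limit: int = 20) -> Set[str]:
    """MACs that attempt more than `limit` authentications inside any `window` seconds."""
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    bad: Set[str] = set()
    for t, _port, mac in sorted(events):
        q = recent[mac]
        q.append(t)
        while q and t - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) > limit:
            bad.add(mac)
    return bad

def mac_spinners(events: Iterable[Event], window: float = 1.0, limit: int = 5) -> Set[str]:
    """Ports on which more than `limit` distinct MACs show up inside `window` seconds."""
    recent: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
    bad: Set[str] = set()
    for t, port, mac in sorted(events):
        q = recent[port]
        q.append((t, mac))
        while q and t - q[0][0] > window:
            q.popleft()
        if len({m for _, m in q}) > limit:
            bad.add(port)
    return bad

def port_action(port: str, mac: str, events: List[Event]) -> str:
    """Hold the port down locally instead of forwarding every attempt to the policy engine."""
    if mac in rate_offenders(events) or port in mac_spinners(events):
        return "hold-down"
    return "forward-to-policy-engine"

def build_sample() -> List[Event]:
    """Constructed traffic: one well-behaved client, one thrasher, one MAC spinner."""
    ev: List[Event] = [(i * 3.0, "Gi1/0/1", "00:11:22:33:44:55") for i in range(4)]
    ev += [(5.0 + i / 500, "Gi1/0/2", "00:11:22:33:44:66") for i in range(300)]   # 300 auths in 0.6 s
    ev += [(7.0 + i / 60, "Gi1/0/3", f"02:00:00:00:00:{i:02x}") for i in range(40)]  # 40 MACs in 0.7 s
    return ev
```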

15

Action Items: Critical Services

Select NAC policy engine solutions that have:
• Scalability, because you can’t predict how many decisions/second you need
• High availability, because the network can’t stop working

Review policy on enforcement points when contact is lost with the policy decision point

Ensure that the link between enforcement point, policy decision point, and backend authentication database cleanly survives failures and “scale up” events

16

3. How will NAC extend to remote access, branch, and wireless environments?

17

NAC defines access controls based on identity and end-point posture

[Diagram: Partners, SSL VPN, IPsec VPN, and Branches connecting to the LAN]

What works on the LAN should bring you value everywhere

18

[Diagram: SSL VPN and IPsec VPN]

SSL VPNs did NAC before NAC was even a buzzword

SSL VPN vendors are ideally situated to be part of your NAC solution

No SSL VPN vendor has yet integrated their policy engine with the NAC engine

Obviously, you want to have fewer engines and fewer bits of software floating around


19

[Diagram: SSL VPN and IPsec VPN]

IPsec VPNs will either have proprietary or IKE v2-based solutions

Proprietary is easy if your NAC vendor is your IPsec vendor…

… and of course you can use L3 enforcement

The most interesting future solutions build on EAP being used in 802.1X (most current NAC solutions) and in IPsec when IKE v2 is finally available

20

Branch Offices need NAC even more than HQ, but have challenges

VLANs can’t easily be propagated to branches, and may have different meanings

Remediation services and policy engines may have to be replicated … at higher cost

[Diagram: Branches]

Consider pushing NAC “brains” towards HQ or using L3 enforcement

21

Wireless almost always implies guest access of some sort

802.1X is a great strategy for LAN and WLAN…

but guests will want captive portal

22

Action Items: Branch, VPN, Wireless

Aim to reduce number of policy engines and posture checkers you need to manage; look forward to extend NAC capabilities outside of the LAN and WLAN environments

Consider different strategies for enforcement at branches (while preserving same policy engine)

Make sure your IPsec and SSL VPN solution vendors are “on board” with your NAC strategy

23

4. How much does NAC depend on the security of your infrastructure?

24

When you push security into the network, the network must be secure

The network team must start treating switches as if they are firewalls

Your vendor must start building switches to be firewalls


25

Many NAC solutions can help work around infrastructure

Internal enforcement points can back up and extend switch enforcement

Audit tools (such as IDS) and scan tools can provide an out-of-band assurance layer

26

Action Items: Infrastructure Security

Bring together the network operations team and NAC teams to resolve “infrastructure” issues early
• Password management
• Bug fixes and software version updating
• Change control and access rights

Deliver the key message: Every switch is a firewall

Evaluate whether your infrastructure is ready to transition from “connection utility” to “enforcement point”

27

5. How well does NAC interact with the world around it?

28

“No NAC is an Island”

29

You need to consider NAC’s interaction with the rest of the world

Layers 8, 9, and 10: the all-important religious, political, and economic layers of the OSI model (see next hard question)

Layers 3 through 7: NAC is already linked to end-point security tools. What about data sources such as IDS and IPS events? What about data streams from SIMs?

30

NAC can talk to IPS

[Diagram: NAC policy server asking the IPS to look at a client that was scanned from the network]

NAC: “Watch this one! I couldn’t check end-point security and they’re a “guest” user. Please scan this guy and let me know what you find out.”

Not just IPS/IDS; this could also be an NBAD, SIM, or vulnerability analyzer, or other device with relevant knowledge


31

IPS (and IDS) could talk to NAC

IPS: “Hey! That guy over there is acting suspiciously!”

NAC: “IDS says he’s bad. Shut him down.” (or remediate, or re-evaluate end-point posture, etc.)

Subtle Problem: “Change of Authorization” is not within existing protocols, so this is a work in progress for open frameworks

32

NAC integration with external devices is an evolving story

Howard’s Observation: “NAC is the bouncer at the door. We need more bouncers inside of the bar.”

This integration is especially critical to you if end-point security is one of your driving factors for NAC.

33

Other complexities will confound the process

How Windows Admins Think Of Users: NETBIOS names, System Serial numbers, Windows Logins

How Network Admins Think Of Users: MAC Addresses, IP Addresses

34

Action Items: NAC Communications

Identify your “security sensors” such as IDS, IPS, SIM, Vulnerability Analyzers, and even NetFlow data.
• This will probably overlap in some ways with the information provided by end-point management tools (Patchlink, BigFix, Altiris, etc.)

Determine where NAC can make use of this data and how well your vendor supports it

Look at how NAC can make your network security tools “smarter” by sharing information about network users

35

6. How does NAC change how everyone thinks about the network?

36

NAC Fundamentally Changes the Way You Think About the Network

Before: Switching Infrastructure. You plug things in, and they work

After: Policy Enforcement Infrastructure. You plug things in, and maybe they work


37

Dealing with a fundamental change requires layer 8, 9, and 10 support

Simple Fact: All Security Creates False Positives

[Chart: the trade-off between “Catch more bad stuff, block more good stuff” and “Catch less bad stuff, block less good stuff”]

38

Keep In Mind The Guiding Principle of NAC

The Goal of NAC Is to Allow Devices to Connect to the Network. (Not to Keep Devices off of the Network)

J-P’s Principle of NACology: Forewarned is Forearmed

39

Visibility gives you the best opportunity to avoid problems

What just happened?

Where is this system?

Why did the connection fail?

What the heck is on the network?

40

Gaining visibility is good network discipline anyway

Network Management Tools with Discovery: IPMonitor, What’sUp

3rd Party NAC Add-ons for Inventory: GreatBay, ID Engines

Vulnerability Scanners and Mappers: Nessus, nmap, Sourcefire RNA, Tenable PVS

IDS using Signatures and NBAD techniques: Mazu, Lancope, & the usual suspects

41

Action Items: Change in Thinking

Socialize the changes that NAC will bring before you run into problems and before they start affecting network usage

Become “forearmed” by making use of existing tools for network discovery and visibility as part of your NAC plans

Where appropriate, add new visibility tools to your network to support NAC help desk as well as audit and trust-but-verify functions

42

7. How will you resolve NAC susceptibility to security attacks?


43

All Security Systems Have Vulnerabilities You Must Understand

[Diagram: Corporate Net, NAC Policy Server, and the management links between them]

For Example: An out-of-band NAC solution requires management links between devices and the policy server.

How is this Secured? Authenticated? Validated? SSL Certificate?

44

Complex and Cross-Platform Solutions Need Extra Care

Areas of Concern, with Potential Issues for each:

Data Feeds: Impersonation; Loss; Privacy of Information

SSL; RADIUS: Certificates and Trusted Roots; Protection of private keys; Renewals

Client APIs: Registration and impersonation vulnerabilities

SNMP Tools: Lack of SNMP authentication in devices; clear-text passwords; UDP lossage; change control

Command-Line Management Links: CLI passwords; clear-text management; credential management; change control

45

Action Items: Security Vulnerabilities

Work with your vendor to identify areas of “linkage” between components where you need to be concerned

Identify specific training issues for end-users related to potential vulnerabilities (such as SSL certificates)

Get outside help to review security vulnerabilities and identify areas for increased vigilance

46

8. How will NAC’s lifecycle and your Organization’s lifecycles mesh?

47

End-Point Security Assessment isn’t a “yes/no” answer

[Diagram: System is evaluated; System loses access and goes into quarantine; System must have remediation of some type]

48

NAC end-point strategy must match the organization’s strategy

[Diagram, lifecycle cycle: Detect, Remediate, Quarantine, Allow]


49

Key Advice: Know When To Throw the Ball to the Other Team

The Organization must have infrastructure in place before you can even start down the NAC path.

Take a lifecycle view of end-points.

Don’t fixate on just one aspect of the cycle (such as evaluation)

50

Action Items: Lifecycle

Have your end-system lifecycle already implemented and running before you add NAC to the picture

Ensure that your NAC solution will fully support the lifecycle the desktop team has endorsed

Build management bridges carefully to keep desktop and network people out of each other’s hair

51

9. What value does NAC bring to the Organization?

52

This one, you’re going to have to answer for yourself

But here are some things people have said they used to build ROI case for NAC:
• Reduced help-desk calls (after initial spike)
• Reduced cost of RIAA subpoena answers
• Better ability to answer compliance requirements
• Reduced cost on Moves/Adds/Changes by making the network more dynamic
• Reduced load on “high cost” staff by allowing “lower cost” staff to grant access

Thanks!

Joel Snyder, Senior Partner
Opus One, [email protected]