

© Siddharta Saha

Downloaded from http://siddhartasaha.weebly.com


Executive Summary

In the last quarter of a century the world has seen tremendous growth in IT and IT-enabled services. The IT infrastructure of an organization is its most precious asset, since the business processes of today’s world are based entirely on IT. Conventionally, the IT infrastructure of an organization comprises desktop clients, servers, storage, printers, networking equipment, IP phones and so on. As information technology has grown, the threats to these valuable assets and data have also increased exponentially. Viruses, hackers and intruders are some of the biggest threats. Luckily there are applications and practices to combat such evils and keep an IT-enabled business process secure. But network administrators and security engineers often find it challenging to secure their infrastructure in spite of having adopted the recommended security norms. This is because such standards are often not implemented to the fullest, or the security appliance is not tuned properly to provide an adequate level of security. Moreover, traditional security practices depend heavily on the end users. For example, all clients in the network may be loaded with antivirus software, but the daily updates may be skipped by an ordinary user who thinks, “it would take a lot of time and I have important work to do”. This is a common attitude among end users in almost every organization. It should be remembered at this point that an outdated antivirus is as bad as having none. The end user in this case has not only made their own machine vulnerable but has brought threats to the entire organization. Moreover, traditional security solutions work on clients that are already connected to the network and have sufficient access to cause trouble in the infrastructure. This situation is very dangerous if the nature of the threat is new to the security system: such “zero day” attacks may not be prevented by a traditional security system.

IT managers find it very difficult to avoid such situations and to deploy security policies on all the equipment and users across the whole hierarchy.

There are two well-known approaches to address these issues, developed by two major IT giants, Microsoft Corporation and Cisco Systems, which shall be discussed in the following sections.

1) Network Access Protection (NAP) by Microsoft Corporation.

2) Network Admission Control (NAC) by Cisco Systems. (This is also called Network Access Control in some of the literature.)


Index

Introduction
Network Access Protection (NAP)
Network Access Control (NAC)
Case Study
Conclusion
Reference


Introduction

With the number of threats increasing day by day, IT managers often find it very difficult to keep the security level of the connected clients up to the desired level. Even after spending so much on protecting the resources from external sources of attack, it is a big task to secure the network from internal threats. An outdated antivirus, an unpatched OS and the like bring an element of threat to the entire network. Even with policy and procedure in place, IT managers find it difficult to enforce the policy on the end users.

There are two well-known approaches to address these issues, developed by two major IT giants, Microsoft Corporation and Cisco Systems:

1) Network Access Protection (NAP) by Microsoft Corporation.

2) Network Admission Control (NAC) by Cisco Systems. (This is also called Network Access Control in some of the literature.)

Both technologies implement the same basic philosophy in their own way. Any client is tested against the security policies to determine its compliance. Only after the client successfully complies with the security standards is it allowed inside the network. Otherwise it may be diverted to a special remediation zone, where the security policies are enforced on it to make it safe for the actual IT infrastructure; or the client may be allowed only very limited access to resources; or access to the network and resources may be rejected outright due to noncompliance.

In the following sections we shall discuss both technologies, their components and the way various policies can be implemented. At the end we shall also document a case study based on one of these technologies.


Network Access Protection (NAP)

Network Access Protection is a new technology developed by Microsoft Corporation to protect the IT assets of an organization from threats that may be caused by loose security policy deployment, such as inadequate restrictions on access to resources, compromised client stations, etc. It also aims to reduce the burden on the security and networking team of the organization, reduce operational cost and increase availability.

The way it works

Components

Depending on the type of enforcement policy the organization chooses to deploy, some or all of the components described below may be installed.

Network Policy Server (NPS): Health check and validation policies are defined on this server. The definition of the policy may differ according to the enforcement type and the policy adopted by the organization. The Statement of Health (SoH) sent by each client is validated here. Microsoft Windows Longhorn and above are capable of acting as an NPS. An NPS has the following functional units:

- System Health Validator (SHV) to validate the SoH.
- Active Directory (AD) to store information about the user accounts and their network access profiles.
- Health Policy (HP) to define the exact policy for a specific enforcement plan.
- Admin Server, which takes the actual decision about the fate of the client based on the feedback from the SHV.


NAP Agent:

Remediation Server (RS): A Remediation Server offers limited access to a client that has failed to comply with the policy due to an improper SoH. It allows such end devices to download and install the patches and updates required to improve the SoH so that it complies with the policy. An RS may be implemented on a single server or a group of servers and may have the following components:

- DNS server
- Proxy server (only allowing web access to the Microsoft and antivirus sites)
- A local antivirus update mirror inside the intranet.

Enforcement options


Network Access Control by Cisco Systems

NAC essentially has the same philosophy as NAP: “do not allow any device to enter the network unless it complies with the security policy of the organization”. The architecture and implementation are also somewhat similar. But in NAC one may define not only whom to give access but also how the client would be able to access the network. It addresses the requirements of an organization by offering the following features.

Role based access control:

Guest Access: It provides access policy definitions and access restrictions for guest users. For example, when a manager comes from a business partner, he should be allowed internet access after a health checkup.

Client device security enforcement: Any device should qualify as per the security policy of the organization before it is granted access to the network.

Remediation: Helps noncompliant clients to improve their health status so that they qualify to enter the network.

Control of peripheral and non-PC devices:


Components of NAC

Depending on the policy adopted by the organization, a NAC deployment may have some or all of the following components.

NAC server: It is the heart of the NAC environment. It performs the device health checks and enforces the policy laid down by the administrator on the end devices. It can be deployed at L2 (locally) or at L3 (globally) in the network.

NAC Manager: It manages the NAC server and provides a web-based user interface to the administrator for creating and managing NAC policies. It also allows the administrator to manage users, for example by creating role-based policies and user authentication.


Case Study

Pinnacle School of Business Management (PSBM) is a top-notch institution for business studies. Each year a large number of students enroll for both residential and part-time courses on various topics of business management. It also offers distance-learning e-courses to students who cannot attend the classroom. The school has full WiFi coverage inside the campus, including hostels.

Students access various course materials using laptops and tablets. Residential students use their laptops in classrooms and dormitories, and the evening students also bring their laptops onto the campus. Both groups of users access the online digital library, which has a wide range of books and other electronic study materials. Students of distance-learning courses connect to the e-learning server through IPSec and also access the digital library.

Concerns:

- Though the IT team offers to install antivirus software on the laptops of resident users free of cost, some of them do not install it, thinking it would make the laptop slow.
- Many students turn off the regular updates as they may slow their surfing speed.
- Students often do not scan removable media because they are “in a hurry”.
- Evening students bring laptops which they also use at home and on their office networks, and do not update the OS patches and antivirus.
- Remote students also access the network by IPSec, but there is no control over their sanity in terms of viruses and Trojans.

All such users create a lot of problems in the network. Even after spending a huge amount on the firewall and antivirus software, the network administrator of PSBM cannot rest in peace. The clients with outdated antivirus, OS patches and other security holes are not only compromising their own security but also putting the network and other IT resources at stake.


In one recent incident a laptop of a student from the Marketing Dept. was infected by a “MAC spoofing” virus. It spoofed the gateway address and diverted all outbound traffic to itself. All traffic to the internet stopped. IT staff found it a Herculean task to identify and remove the culprit. It was found that the antivirus would have easily removed the virus, but the antivirus definitions on the laptop had not been updated for the last 2 months!
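Gateway spoofing of this kind is visible on the LAN itself: the gateway’s IP address suddenly appears in ARP replies bound to a second MAC address, and the impostor usually keeps answering for its own address too, which identifies the infected host. The following Python detector is an added example and not part of the original report; the log format, the addresses and the known gateway MAC are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed ARP observations in a tcpdump-like shape (not real captured traffic):
# "<time> ARP reply <ip> is-at <mac>". The gateway 10.0.0.1 legitimately lives at
# aa:bb:cc:00:00:01; from 10:00:05 the host at 00:0c:29:4f:8e:12 starts claiming it.
SAMPLE_LOG = """\
10:00:01 ARP reply 10.0.0.1 is-at aa:bb:cc:00:00:01
10:00:02 ARP reply 10.0.0.57 is-at 00:0c:29:4f:8e:12
10:00:05 ARP reply 10.0.0.1 is-at 00:0c:29:4f:8e:12
10:00:06 ARP reply 10.0.0.1 is-at 00:0c:29:4f:8e:12
10:00:09 ARP reply 10.0.0.1 is-at aa:bb:cc:00:00:01
"""

LINE = re.compile(r"^(\S+) ARP reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})$", re.I)

def parse_arp_log(text):
    """Yield (time, ip, mac) for each well-formed line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts, ip, mac = m.groups()
            yield ts, ip, mac.lower()

def detect_gateway_spoof(text, gateway_ip, gateway_mac):
    """Flag every ARP reply that binds the gateway IP to a MAC other than the known one,
    and report which other IP addresses that MAC had already claimed as its own."""
    gateway_mac = gateway_mac.lower()
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed so far
    alerts = []
    for ts, ip, mac in parse_arp_log(text):
        if ip == gateway_ip and mac != gateway_mac:
            # The other addresses this MAC answers for point at the real culprit.
            real_ips = sorted(mac_to_ips[mac] - {gateway_ip})
            alerts.append({"time": ts, "spoofing_mac": mac, "also_claims": real_ips})
        mac_to_ips[mac].add(ip)
    return alerts
```

Running `detect_gateway_spoof(SAMPLE_LOG, "10.0.0.1", "aa:bb:cc:00:00:01")` on the constructed log yields two alerts, both naming the MAC that also claims 10.0.0.57.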

Solution

The dean of PSBM decided to enforce the security policy on all clients that want to access the IT resources of the school. The message was loud and clear: “NO COMPLIANCE, NO ACCESS”. The IT team of PSBM came up with a solution to deploy Microsoft NAP in their network. They selected NAP instead of Cisco NAC for two reasons. First, the network of PSBM has equipment not only from Cisco but from other vendors also. Second, the existing servers of the school are running on Windows Server 2008™, so the deployment of NAP would be easy and time-saving.

Policy and Enforcement.


The way the systems work at PSBM

IPSec Enforcement

802.1x Enforcement

- The NAP agent of the laptop/tablet sends a request for access to the 802.1x access point, along with the SoH.
- The SoH is validated against the health policy (HP) at the NPS.


- If the client complies with the policy, it is allowed to access the network and resources as per the user roles and privileges defined in Active Directory.
- All non-compliant clients are sent to the remediation zone.
- The remediation zone has a DNS server and a proxy server. The proxy server allows limited web access to the clients (only to the websites of major antivirus vendors and Microsoft, Apple etc.) so that they can improve their SoH.
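As an added example (not part of the original report), the following Python model ties together the NPS functional units described in the NAP section (SHV, Health Policy, Admin Server, Remediation Server) and the PSBM 802.1x flow above: a client’s SoH is validated against a health policy, and the outcome selects full access with the client’s AD role, the remediation zone, or rejection. The SoH fields, the thresholds, the set of remediable failures and the sample dates are assumptions chosen for illustration, not Microsoft’s actual formats or defaults.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class SoH:
    """Constructed Statement of Health as a NAP agent might report it (fields are assumptions)."""
    antivirus_installed: bool
    signature_date: date
    os_patches_current: bool
    firewall_on: bool

@dataclass(frozen=True)
class HealthPolicy:
    """Health Policy (HP): thresholds the SHV checks a SoH against (assumed values)."""
    max_signature_age_days: int = 7
    require_firewall: bool = True

def shv_validate(soh, hp, today):
    """System Health Validator: return the failed checks; an empty list means compliant."""
    failures = []
    if not soh.antivirus_installed:
        failures.append("antivirus-missing")
    elif (today - soh.signature_date).days > hp.max_signature_age_days:
        failures.append("antivirus-signatures-outdated")
    if not soh.os_patches_current:
        failures.append("os-patches-missing")
    if hp.require_firewall and not soh.firewall_on:
        failures.append("firewall-off")
    return failures

# Failures the Remediation Server can fix by letting the client fetch updates
# (which failures count as remediable is a policy choice assumed here).
REMEDIABLE = {"antivirus-signatures-outdated", "os-patches-missing", "firewall-off"}

def admin_decision(failures):
    """Admin Server: FULL access, REMEDIATE (restricted zone) or REJECT."""
    if not failures:
        return "FULL"
    return "REMEDIATE" if set(failures) <= REMEDIABLE else "REJECT"

def enforce(soh, hp, today, ad_role):
    """Whole 802.1x flow: validate the SoH, decide, and map the decision to a network and role."""
    failures = shv_validate(soh, hp, today)
    decision = admin_decision(failures)
    # Compliant clients reach production with their AD role; the remediation zone offers only
    # DNS and a proxy restricted to vendor update sites; rejected clients get no network at all.
    network = {"FULL": "production", "REMEDIATE": "remediation", "REJECT": None}[decision]
    return {"decision": decision, "failures": failures, "network": network,
            "role": ad_role if decision == "FULL" else None}

# Constructed samples: a healthy laptop, and the case-study laptop whose signatures were two months old.
TODAY = date(2018, 9, 28)
HEALTHY = SoH(True, date(2018, 9, 27), True, True)
STALE_AV = SoH(True, date(2018, 7, 28), True, True)
```

With the default policy the stale laptop lands in the remediation zone, while a policy tolerating 90-day-old signatures would have admitted it unchanged, which is the tuning problem the report attributes to misconfigured security appliances.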

Components used:

Results: The results are quite stunning: incidents of virus and worm spread inside the network have been reduced by 97%. Now the students are more careful about OS, antivirus and other security updates because they have clearly understood “NO COMPLIANCE, NO ACCESS”.


Conclusion

Traditional security solutions work on clients that are already connected to the network and have sufficient access to cause trouble in the infrastructure. This situation is very dangerous if the nature of the threat is new to the security system. Such “zero day” attacks may not be prevented by a traditional security system. IT managers find it very difficult to avoid such situations and to deploy security policies on all the equipment and users across the whole hierarchy.

Microsoft Network Access Protection and Cisco Network Admission Control are a new breed of security enforcement system which eliminates many problems of traditional security systems. Having either or both of these systems inside an enterprise network does not eliminate the need for a traditional firewall or antivirus. Rather, they force end users to adhere to the policies and norms laid down by the administrator of the network.


Reference