Network Access Control: Approaches, Experiences, Future Issues. John Hayward, PhD, [email protected], Wheaton College

Post on 02-Feb-2021


  • Network Access Control
    Approaches, Experiences, Future Issues
    John Hayward, [email protected], Wheaton College

  • No Access Control
    The good, the Bradford and the ugly
    John Hayward, [email protected], Wheaton College

  • Agenda
    • Background Experiences
      o Blaster fall 2003 - response
      o Network Registration 2004-2007
    • Approaches to NAC
      o DHCP
      o ARP manipulation
      o Switch port manipulation
    • Verifying Security Policies
      o Internal / External scans - monitoring compliance
      o Quality of scan
      o Range of policies
    • Bradford Experiences
      o 2007-2009
      o Documentation, Support, Versions, Wireless, etc.
    • Current and future issues
      o Virtualization, non-computer devices

  • Background Experiences - Fall 2003
    Context
    • Blaster hit just before Fall Term, Aug 11
    • Sent e-mail notification to all students to get computers updated - MS had a patch available earlier, July 16
    • Over 2000 computers owned and administered by students
    • Registration system for students
    • Students on different network than employees
    • Access to Internet via IIS proxy server
    • Flat network
    Results
    • Good:
      o Employees unaffected
      o Students with patch could register (exceptions)

  • Background Experiences - Fall 2003
    Results
    • Bad:
      o Any unpatched computer in registration was nailed by the virus and became a carrier
      o Issues with proxy server, or MS update server attacked with DoS - difficult to obtain update
    • Ugly:
      o So much traffic on our radio connections to some apartments that they effectively lost networking
    Response
    • Student lab workers distributed CD with patch and removal tools
    • Hand monitoring/shutdown of ports which had malware
    • Some students were not on network for 3 weeks

  • Background Experiences - 2004
    Design Goals (Spring)
    • Require current patches
    • Require Sophos
    • Require Sophos defs current
    • Require last scan current and no virus
    • Allow registration if requirements satisfied
    • Registration machines should be isolated from each other
    • Turn on Auto Updates
    Results - Good:
    • Web registration site with security checks
    • Shavlik command line check of patch levels - bought by MS and available via MBSA
    • Download bat to check - MBSA in command line, check Sophos status and return results

  • Background Experiences - 2004-05
    Results - Bad:
    • MS unleashed SP2 Aug 6 - Blaster 2
    • Decided to require SP2
    • Problems with IIS proxy server or MS site
    • Design linear - hard for users to follow
    Fall 2004 - good security, rough user experience
    Fall 2005 - redesigned site
    • After turning on updates, one button: CheckMe
    • Results of success/failure on same page
    Fall 2005 - good security, OK user experience
    • Returning students great - freshmen some challenges

  • Background Experiences - 2006-07
    Fall 2006
    • Fully implemented remote preregistration
    • Fairly smooth
    Spring 2007
    • New Director of Computing Services
    • Wanted professional support; fewer internal resources to support home grown solution
    • MBSA was taking longer - losing command line facilities
    • Vista had come
    • Many students had their own virus programs
    • Read reports - seriously considered:
      o Open source PacketFence - zero effort
      o Commercial Bradford Networks
    • Bradford selected - experiences later in talk

  • NAC Approaches
    Getting Attention of User
    • DHCP
      o Homegrown Network Registration
      o Clients use DHCP to get IP
      o Database keeps track of who is and is not registered - if not registered, give IP and subnet for registration
      o After passing security policy, give production IP
      o What about hard coded IP???
    • ARP Manipulation
      o PacketFence can use this
      o Server monitors ARP announcements
      o If not registered, poison ARP to direct packets to server
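The DHCP-based registration decision described above, together with the "hard coded IP" gap the slide asks about, as an added example (not the homegrown system's code). The registration database, the two subnets and the sample leases and ARP entries are constructed values:

```python
"""Added example: DHCP pool selection driven by a registration database,
plus a cross-check for hosts that hard-code a production address and so
never ask DHCP at all.  All subnets, MACs and states are constructed."""
import ipaddress

# Constructed subnets: unregistered hosts get a registration-only range,
# hosts that passed the security policy get production addresses.
REGISTRATION_NET = ipaddress.ip_network("10.200.0.0/24")
PRODUCTION_NET = ipaddress.ip_network("10.10.0.0/16")

# Constructed registration database: MAC -> state.  A host becomes
# "registered" only after the security-policy check passes.
REGISTRATION_DB = {
    "00:11:22:33:44:55": "registered",
    "00:11:22:33:44:66": "pending",      # checks not yet passed
    "00:11:22:33:44:77": "quarantined",  # failed scan
}


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so lookups do not depend on how the
    DHCP server, switch or ARP table happened to format the address."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def pool_for(mac: str, db=REGISTRATION_DB) -> ipaddress.IPv4Network:
    """Choose the DHCP pool: only a 'registered' MAC gets a production address;
    unknown, pending and quarantined MACs all land in the registration subnet."""
    state = db.get(normalize_mac(mac), "unknown")
    return PRODUCTION_NET if state == "registered" else REGISTRATION_NET


def hardcoded_ip_bypasses(arp_table, db=REGISTRATION_DB) -> list:
    """A host with a static IP never asks DHCP, so pool selection alone cannot
    stop it.  Comparing an observed ARP/neighbour table against the database
    finds production addresses held by MACs that are not registered - addresses
    DHCP would never have handed them."""
    offenders = []
    for ip, mac in arp_table:
        addr = ipaddress.ip_address(ip)
        state = db.get(normalize_mac(mac), "unknown")
        if addr in PRODUCTION_NET and state != "registered":
            offenders.append((normalize_mac(mac), ip, state))
    return offenders


# Constructed observations: a registered host, a pending host that hard-coded
# a production address, and a quarantined host behaving correctly.
SAMPLE_ARP = [
    ("10.10.3.14", "00-11-22-33-44-55"),
    ("10.10.3.99", "0011.2233.4466"),
    ("10.200.0.23", "00:11:22:33:44:77"),
]

if __name__ == "__main__":
    for mac in REGISTRATION_DB:
        print(mac, "->", pool_for(mac))
    print("static-IP bypasses:", hardcoded_ip_bypasses(SAMPLE_ARP))
```

The ARP cross-check is the cheap answer to the slide's question; a static host on a flat network still talks to its neighbours before anyone notices, which is one reason the talk moves on to port-level VLAN control.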

  • NAC Approaches
    Getting Attention of User (cont)
    • Port VLAN Switching
      o Bradford (and later PacketFence) use this
      o Switch sends trap to server on linkup
      o Server asks switch for MAC address
      o Server switches port to correct VLAN - if not registered, then registration VLAN
      o Server needs to know how to operate switch
    • Inline server
      o PacketFence can use this
      o Server acts as a router to rest of network
      o Single point of failure?
    • All approaches provide special DNS to achieve captive portal
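The port VLAN switching sequence above (trap on linkup, ask the switch for the MAC, move the port), as an added example that is not Bradford's or PacketFence's code. The switch, its trap and its bridge MAC table are modelled in-process; on real gear the two switch calls would be SNMP reads and writes, which is the "server needs to know how to operate switch" point. VLAN ids and the registration database are constructed:

```python
"""Added example: server-side handling of a linkup trap under port/VLAN NAC.
Switch model, VLAN ids, MACs and registration states are constructed."""
from dataclasses import dataclass, field

REGISTRATION_VLAN = 900   # constructed: captive-portal / registration VLAN
PRODUCTION_VLAN = 100     # constructed

REGISTRATION_DB = {"00:11:22:33:44:55": "registered"}   # constructed


@dataclass
class ModelSwitch:
    """Stand-in for the switch the NAC server has to drive."""
    mac_table: dict = field(default_factory=dict)   # port -> MACs learned on it
    port_vlan: dict = field(default_factory=dict)   # port -> access VLAN
    writes: list = field(default_factory=list)      # audit trail of VLAN changes

    def macs_on_port(self, port: int) -> list:
        return list(self.mac_table.get(port, []))

    def set_port_vlan(self, port: int, vlan: int) -> None:
        # Only write when the VLAN actually changes: a needless re-write bounces
        # the link and re-triggers the very trap being handled.
        if self.port_vlan.get(port) != vlan:
            self.port_vlan[port] = vlan
            self.writes.append((port, vlan))


def handle_linkup(switch: ModelSwitch, port: int, db=REGISTRATION_DB) -> tuple:
    """Trap handler: ask the switch which MAC(s) it learned on the port, look
    each one up, move the port.  Returns (vlan, reason).

    Two cases the slide's sequence leaves implicit: the switch may not have
    learned any MAC yet (stay in registration and wait for the next trap), and
    a port may carry several MACs (a hub, or bridged VMs), in which case every
    one of them must be registered before the port goes to production."""
    macs = [m.lower() for m in switch.macs_on_port(port)]
    if not macs:
        switch.set_port_vlan(port, REGISTRATION_VLAN)
        return REGISTRATION_VLAN, "no MAC learned yet"
    unregistered = [m for m in macs if db.get(m) != "registered"]
    if unregistered:
        switch.set_port_vlan(port, REGISTRATION_VLAN)
        return REGISTRATION_VLAN, f"unregistered on port: {unregistered}"
    switch.set_port_vlan(port, PRODUCTION_VLAN)
    return PRODUCTION_VLAN, "all MACs registered"


def demo() -> ModelSwitch:
    """Constructed scenario: port 1 has a registered host, port 2 an unknown
    host, port 3 sent its trap before the switch learned any MAC."""
    sw = ModelSwitch(mac_table={1: ["00:11:22:33:44:55"], 2: ["de:ad:be:ef:00:01"]})
    for port in (1, 2, 3):
        print(port, handle_linkup(sw, port))
    return sw


if __name__ == "__main__":
    demo()
```

The write-only-on-change rule in `set_port_vlan` matters operationally: the talk's later wireless complaint (users told to reboot so the registration-to-production switch takes effect) is the same VLAN move seen from the client side, and every extra port write is another chance for that transition to misfire.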

  • NAC Approaches
    Verifying Security Policy
    • Internal scanning
      o Registration scans
        ▪ Bradford dissolvable agent
        ▪ Home grown - batch file
      o Periodic scans - require software on client
        ▪ Bradford persistent agent - scheduled scans
        ▪ Patchlink - Bradford and homegrown
    • External scans
      o Bradford can use Nessus
      o PacketFence can use Snort
      o Can be independent of NAC

  • NAC Approaches
    Verifying Security Policy
    • Scan quality
      o Light and quicker (Bradford)
        ▪ Check registry entries
        ▪ Check AV/AS def versions
      o Deeper (more intense) - homegrown
        ▪ Use MBSA Shavlik - use CAB/XML file to determine patches - check actual validity of patches
        ▪ Verify last AV scan had clean report
    Range of Security Policy
    • Bradford: 20+ AV, 20+ AS
    • Bradford: individual registry keys
    • Bradford: check for software
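The difference between the light registry-style check and the deeper MBSA-style check above, applied to one constructed client report, as an added example (not Bradford's agent or the homegrown batch file). The policy values (allowed AV products, definition-version floor, scan age, required patch ids) and the report field names are assumptions, not any product's schema:

```python
"""Added example: light vs deep policy evaluation of a client scan report.
Policy, patch ids and the sample report are constructed."""
from datetime import date

# Constructed policy, along the lines of the 2004 design goals: allowed AV
# present, defs current, auto updates on, required patches valid, last scan
# recent and clean.
POLICY = {
    "av_products": {"Sophos", "AVG"},
    "min_def_version": (4, 50),
    "max_scan_age_days": 7,
    "required_patches": {"KB-CONSTRUCTED-1", "KB-CONSTRUCTED-2"},
}


def light_check(report: dict, policy=POLICY) -> list:
    """Registry-style check: an allowed AV product is present, its definitions
    are at least the required version, auto updates are on.  Cheap, but it
    trusts what the registry says rather than what the machine actually did."""
    problems = []
    if report.get("av_product") not in policy["av_products"]:
        problems.append(f"AV product {report.get('av_product')!r} not allowed")
    if tuple(report.get("av_def_version", (0, 0))) < policy["min_def_version"]:
        problems.append("AV definitions out of date")
    if report.get("auto_update") is not True:
        problems.append("Auto Updates not turned on")
    return problems


def deep_check(report: dict, today: date, policy=POLICY) -> list:
    """MBSA-style check on top of the light one: every required patch must be
    reported installed AND valid (a patch that is listed but failed validation
    counts as missing), and the last AV scan must be recent and clean."""
    problems = light_check(report, policy)
    installed = {p["id"] for p in report.get("patches", []) if p.get("valid")}
    missing = policy["required_patches"] - installed
    if missing:
        problems.append(f"missing/invalid patches: {sorted(missing)}")
    scan = report.get("last_scan")
    if scan is None:
        problems.append("no AV scan on record")
    else:
        if (today - scan["date"]).days > policy["max_scan_age_days"]:
            problems.append("last AV scan too old")
        if not scan["clean"]:
            problems.append("last AV scan found malware")
    return problems


def decide(report: dict, today: date, depth: str = "deep") -> tuple:
    """Returns (passed, problems) for the chosen scan depth."""
    problems = deep_check(report, today) if depth == "deep" else light_check(report)
    return (not problems, problems)


# Constructed report: passes the light check (Sophos, current defs, updates on)
# but fails the deep one - one required patch is present but invalid, and the
# last scan, though recent, was not clean.
SAMPLE_REPORT = {
    "av_product": "Sophos",
    "av_def_version": (4, 52),
    "auto_update": True,
    "patches": [
        {"id": "KB-CONSTRUCTED-1", "valid": True},
        {"id": "KB-CONSTRUCTED-2", "valid": False},
    ],
    "last_scan": {"date": date(2009, 3, 1), "clean": False},
}

if __name__ == "__main__":
    for depth in ("light", "deep"):
        print(depth, decide(SAMPLE_REPORT, date(2009, 3, 4), depth))
```

The sample is the case the slide is getting at: a machine that looks compliant to a registry check while still carrying an unvalidated patch and an unresolved detection, which only the deeper scan surfaces.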

  • NAC Bradford Experience
    Fall 2007
    • Preparation work started spring 2007
      o All switches had to be adjusted for Bradford
        ▪ Traps programmed
        ▪ Self discovery helped populate topology
    • Orientation lab summer 2007
      o Goal was to have network configured by end of lab
      o Problem: we did not have network mapping finished before lab
      o Practiced examples on "practice lab" environment, not our production network
      o Helped some, but not as effective as it could be

  • NAC Bradford Experience
    Fall 2007
    • Over 600 freshmen arriving Aug 2007
      o Finally had networking mapped
      o Bradfordized the dorm switches
      o Discovered scanning not working 1 week before bulk of freshmen arriving
      o Bradford support worked remotely - networking staff put in lots of extra hours
      o Registration scanning issue resolved less than 30 minutes before freshmen started to use network!

  • NAC Bradford Experience
    2007-2008
    • Scheduled scanning to require policy compliance
      o Put some machines in quarantine and then moved them back to production
      o Some machines not being scanned
      o Quickly gave up on scheduled scans - no way to require compliance other than re-register!
    • Discovered High Availability failover did not work
    Fall 2008
    • New 2.0.x client - support for more AV - transparent update
    • Upgraded server to 4.x shortly before fall
    • Discovered transparent update did not work

  • NAC Bradford Experience
    Fall 2008 (cont)
    • If more than 22 AV clients checked, then old client reported inconsistent results - some passed without having required software, others failed having all required - backed off on allowed AV
    • Vista issues - eventually resolved
    2009
    • AVG 8.0 definitions changed - required upgrade to 2.0.3.8 client
    • AVG 8.5 definitions changed - Bradford working on it (3-4-2009)
    • Attempted client upgrade - proposed to be transparent - failed
    • Earlier failover assumed both servers went down - seems to be resolved, but DB not synced

  • NAC Bradford Experience
    Support
    • Now web interface - before, phone call only
    • Support people generally try to be helpful - varying level of competency
    • Support normally focuses on configuration issues - more complicated issues referred to engineers, to whom you don't have direct access
    • Support thin during fall just before school starts
    Documentation
    • Documentation looks nice
    • Lacks conceptual model - says link goes to this page
    • Lacks "how to do x"
    • Rapid version changes - documentation not current
    • Overloads terms - what is a scan? Depends
    • Command line docs way out of date

  • NAC Bradford Experience
    Versions
    • Large number of versions - 4.0 started this fall, we are at 4.0.1.50, now upgrading to 4.0.3.x
    • Some required due to new MAC addresses for non-computer devices and new switches
    Administration
    • Organization of GUI non-intuitive - Campus Manager configuration in network topology
    • Requires more effort to support than home grown
    • Up to 4.0.3.x server, only administrators could manually register problem machines - now operators can be granted that privilege
    • Massive number of alarms going off (apparently required to have an action associated with an event) - hard to see what is important

  • NAC Bradford Experience
    Broken Items
    • Role based port mapping fails - work around
    • Still don't have scanning working reliably
    Wireless
    • Continuing issues with Meru wireless and Bradford related to registration -> production VLAN switching - we tell users to reboot
    Support for other vendors' hardware
    • Supports an amazing number of switches
    • Large number of AV/AS
    • Many game controllers, other non-computer IP devices - need to keep versions current
    Troubleshooting
    • Client cannot initiate scan - no information on client

  • NAC Future Issues
    Non-Computer Nodes
    • Existing facility to register devices by MAC addr
    • Only approved vendor MAC prefix addresses allowed
      o Requires keeping server at current version, or
      o Requires manual entry of allowed MAC prefix
    • Some devices need generic USB Ethernet - these are not on vendor prefix list - how to know if device or computer?

  • NAC Future Issues
    Virtualization and Port Management
    • VMware, Xen, VirtualBox, Virtual PC
    • Networking - two approaches: Bridge, NAT
    • Bridge - now multiple MAC addresses from same port
      o New MAC - port moved to registration - other VMs lose network access
    • NAT - now possibly multiple OSs from same MAC address
      o How do we know all VMs satisfy security policies?
    • How to support faculty with VMs who need to be on employee, student and lab VLANs?
    • VLAN switching needs to be on the node, if at all
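What a port-level NAC can and cannot infer from the MACs it sees on one port, covering both the non-computer-node slide (vendor MAC prefix approval, the generic USB Ethernet question) and the virtualization slide (bridged VMs as extra MACs, NAT VMs hidden behind one MAC), as an added example that is not the talk's or Bradford's code. The OUI prefixes, approved-device list and registration database are constructed placeholders:

```python
"""Added example: per-MAC classification by registration state and vendor
prefix, and the port-level consequence when several MACs share a port.
Every prefix, MAC and registration state here is constructed."""

# Constructed vendor prefixes (first three octets).  Real deployments take
# these from the vendor's current list or enter them by hand, as the slide notes.
APPROVED_DEVICE_OUIS = {
    "aa:aa:01": "game-console (constructed)",
    "aa:aa:02": "streaming-player (constructed)",
}
# Constructed prefix for a generic USB Ethernet adapter: a laptop or a console
# can sit behind it, so the prefix alone says nothing about what is attached.
GENERIC_USB_ETHERNET_OUIS = {"cc:cc:01"}

REGISTRATION_DB = {"00:11:22:33:44:55": "registered"}   # constructed


def oui(mac: str) -> str:
    """Vendor prefix of a colon-separated MAC."""
    return mac.lower()[:8]


def classify(mac: str, db=REGISTRATION_DB) -> str:
    """Per-MAC verdict.  A generic USB Ethernet prefix answers the slide's
    'device or computer?' question with 'undetermined': it cannot be
    auto-approved as a device, and a computer behind it still owes a scan."""
    mac = mac.lower()
    if db.get(mac) == "registered":
        return "registered-computer"
    if oui(mac) in APPROVED_DEVICE_OUIS:
        return "approved-device"
    if oui(mac) in GENERIC_USB_ETHERNET_OUIS:
        return "undetermined"
    return "unregistered"


def port_review(macs_seen, db=REGISTRATION_DB) -> dict:
    """Bridge-mode VMs appear as extra MACs on the host's port.  Under a
    port-level VLAN policy one unregistered or undetermined MAC drags the whole
    port to registration, so the review also lists the registered hosts and
    approved devices that would lose production access (the slide's 'other VMs
    lose network access').  NAT-mode VMs never show up here at all: they share
    the host's MAC, so one registered MAC may hide guests that were never
    checked - which is why the slide asks whether VLAN switching belongs on
    the node instead."""
    verdicts = {m.lower(): classify(m, db) for m in macs_seen}
    blocking = [m for m, v in verdicts.items() if v in ("unregistered", "undetermined")]
    collateral = [m for m, v in verdicts.items() if v not in ("unregistered", "undetermined")] if blocking else []
    return {
        "verdicts": verdicts,
        "port_to_registration": bool(blocking),
        "blocking": blocking,
        "collateral": collateral,
        "needs_manual_review": [m for m, v in verdicts.items() if v == "undetermined"],
    }


if __name__ == "__main__":
    # Constructed: registered host plus a bridged VM with a fresh MAC.
    print(port_review(["00:11:22:33:44:55", "de:ad:be:ef:00:01"]))
    # Constructed: a device on a generic USB Ethernet adapter.
    print(port_review(["cc:cc:01:00:00:09"]))
```

The `collateral` list is the operational cost of the bridge case: it tells the help desk which already-registered machines went dark when a student started a VM, which is the call the talk describes fielding.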

  • Questions?
    Thank you!