nercomp SIG




Presentation Transcript

ABC's of Policy Enforcement: 

ABC's of Policy Enforcement
Kevin Amorin, CISSP
Harvard University


Topics
  Risks
  Architectures
    NAC (Cisco)
    NAP (Microsoft)
    TNC (Trusted Computing Group)
  Components
  Open Source

Problem Statement: 

Problem Statement
  .Edu Environment
    Open
    Roaming Laptops
    Students
  44% of attacks originate from systems on the internal network (behind the firewall)
    VPN
    Wireless
    Dial-up
  Source: 2005 FBI Computer Crime Survey




Phishing : 



Solutions
  Many commercial products: Sygate, Bradford, Enforce, Checkpoint, Infoexpress, iPass, Meetinghouse, Funk, ...
  Many open source packages: PacketFence, Southwestern Netreg, CMU Netreg, NetPass, NoCatAuth, NetSquid, ...
  No real standards, no interoperability
  Architecture Solutions: NAC, NAP, TNC

Architecture Solutions: 

Architecture Solutions
  Cisco Network Admission Control (NAC)
    Phase 1: Routers – Aug 2004
    Phase 2: Switches – Nov 2005
  Microsoft Network Access Protection (NAP)
    Windows Longhorn – Q1 2007
  Trusted Computing Group Trusted Network Connect (TNC)
    Architecture & Basic API – May 2005
    Complete Spec – May 2006?

Cisco NAC AntiVirus Participants: 

Cisco NAC AntiVirus Participants
  63 manufacturers (2/06)
  22 shipping – 41 in development
  No other big network companies?

Cisco NAC Support: 

Cisco NAC Support
  Identity and Integrity
  IOS 12.3(8)T
  Cisco Routers (83x, 18xx, 28xx, 38xx, 1701, 1711, 1712, 1721, 1751, 1751-V, 1760, 2600XM, 2691, 3640, 3660-ENT, 72xx)
  Cisco Switches (6500, 4500, 4000, 3750, 3560, 3550, 2970, 2955, 2950, and 2940)
  All APs, VPN 30xx
  Clean Access/Perfigo is not part of the NAC Framework – 'NAC Appliance'

Cisco NAC Co$t: 

Cisco NAC Co$t
  Cisco Network Gear: 4500, 4000, 3xxx, 2xxx, $$$
  Cisco Secure Access Control Server (ACS): AAA Radius Server + Policy Control
  Cisco Trust Agent (CTA) 2.0: Windows 4.0, 2000/3, XP, RHEL 3-4
    Includes Meetinghouse 802.1x supplicant
    Free? ... Ahhhh, wired only... EAP-Fast only

MS NAP AntiVirus Participants: 

MS NAP AntiVirus Participants
  53 manufacturers (2/06)
  0 shipping – 53 in development
  Lots of Cisco competitors: Enterasys, Extreme, Foundry, ProCurve (HP), Juniper

Microsoft NAP Support: 

Microsoft NAP Support
  Identity and Integrity
  NAP Clients
    Windows Vista client – late 2006
    Windows XP SP2 + 'update' – 2007
  NAP Server
    Windows Longhorn – Q2 2007
    Total rewrite of Network Access Quarantine Control in Windows 2003
  DHCP, VPN, 802.1x (PEAP), IPsec
    IPSec is the 'strongest' form of NAP
    Can only talk to healthy clients with 'Health Cert'

Microsoft NAP Co$t: 

Microsoft NAP Co$t
  Windows Longhorn Server
    IAS AAA Radius Server + Policy Control
    Routing and Remote Access (VPN)
  Upgrade Windows client cost
    Minimum Windows client is XP + patch (2007)
    Windows Vista 'better'
  May require AD
  Minimal change to network gear

TNC AntiVirus Participants: 

TNC AntiVirus Participants
  More than 60 manufacturers 'involved'
    Switch and network equipment manufacturers, security vendors, managed service providers, chip manufacturers
  Lots of software companies

TNC Support: 

TNC Support
  Identity and Integrity
  Use of existing network standards: 802.1x, IPSec
  Composed mostly of Software/Appliance companies
  Missing some big-name support from Anti-virus, Network companies
  Future Trusted Platform Module (TPM) integration

TNC Co$t: 

TNC Co$t
  TNC Client: Funk, Meetinghouse, InfoExpress, iPass, etc...
  TNC Server (Radius/Policy Server): Funk, Meetinghouse, InfoExpress, iPass, etc...
  No Vendor lock-in?
    No validation of interoperability
    The TNC Client and Server 'should' work together if you don't use the same vendor
  Supported Network gear: Juniper, Extreme, Foundry, Enterasys

Cisco NAC Pros/Cons: 

Cisco NAC Pros/Cons

MS NAP Pros/Cons: 

MS NAP Pros/Cons

TNC Pros/Cons: 

TNC Pros/Cons

Methods of Isolation: 

Methods of Isolation
  ACL – Layer 3 Router redirection
  VLAN – Layer 2 Switch port control
  IPSec – Health Certificates
  DHCP – IP subnet overlay networks
  ARP – Client gateway manipulation
  802.1x – IEEE authentication, port based access control

Generic Components: 

Generic Components (diagram labels)
  Identity/Integrity
  Decision/Request
  AAA Query
  Policy Query

Cisco NAC Components Example: 

Cisco NAC Components Example (diagram labels)
  Radius
  HCAP (Policy Query)
  EAPoUDP / 802.1X
  EAP-Fast

Microsoft NAP Components Example: 

Microsoft NAP Components Example (diagram labels)
  Statement of Health (Integrity)
  Local (Policy Query)
  802.1X PEAP
  Radius

TNC Components Example: 

TNC Components Example (diagram labels)
  IF-TNCCS (Integrity)
  IF-IMV (Policy Query)
  802.1X EAP
  Radius

Open Source Integration: 

Open Source Integration (diagram labels)
  Integrity
  Policy Query
  802.1X
  Radius

Open Source Integration: 

Open Source Integration (diagram labels)
  Integrity
  Policy Query
  802.1X
  Radius
  Decision/Request
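The generic component flow (Identity/Integrity in, AAA and Policy queries, Decision/Request out) and the open-source 802.1X + Radius integration sketched on these slides, as an added example that is not part of the presentation: the policy values, user list and "statement of health" fields are constructed for the demo, and the decision is expressed as the RFC 3580 RADIUS tunnel attributes an 802.1X switch uses for the VLAN isolation method listed earlier.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed policy values for the demo (not from the slides).
KNOWN_USERS = {"alice": "students", "bob": "staff"}  # identity store: user -> group
MAX_AV_SIGNATURE_AGE_DAYS = 7   # signatures older than this fail the check
REQUIRED_PATCH_LEVEL = 3        # constructed "patch level" number
PRODUCTION_VLAN = "100"         # normal network
QUARANTINE_VLAN = "999"         # remediation-only network

@dataclass
class Health:
    """Client's statement of health (the Integrity input)."""
    av_enabled: bool
    av_signature_age_days: int
    patch_level: int

def identity_check(user: str) -> Optional[str]:
    """AAA query: return the user's group, or None if the user is unknown."""
    return KNOWN_USERS.get(user)

def integrity_check(h: Health) -> List[str]:
    """Policy query: return the health requirements the client fails."""
    failures = []
    if not h.av_enabled:
        failures.append("antivirus disabled")
    if h.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        failures.append("antivirus signatures stale")
    if h.patch_level < REQUIRED_PATCH_LEVEL:
        failures.append("missing patches")
    return failures

def vlan_attributes(vlan: str) -> Dict[str, object]:
    """RFC 3580 RADIUS attributes that tell an 802.1X switch which VLAN to use."""
    return {"Tunnel-Type": 13,            # VLAN
            "Tunnel-Medium-Type": 6,      # IEEE-802
            "Tunnel-Private-Group-ID": vlan}

def decide(user: str, health: Health) -> Tuple[str, Dict[str, object]]:
    """Decision/Request: the RADIUS reply code and attributes for the switch."""
    if identity_check(user) is None:
        return "Access-Reject", {}            # unknown identity: no access
    failures = integrity_check(health)
    if failures:                              # known but unhealthy: isolate
        attrs = vlan_attributes(QUARANTINE_VLAN)
        attrs["Reply-Message"] = "Quarantined: " + ", ".join(failures)
        return "Access-Accept", attrs
    return "Access-Accept", vlan_attributes(PRODUCTION_VLAN)

if __name__ == "__main__":
    print(decide("alice", Health(av_enabled=True, av_signature_age_days=2, patch_level=3)))
    print(decide("bob", Health(av_enabled=False, av_signature_age_days=30, patch_level=1)))
```

A real deployment returns these attributes from the RADIUS server after the 802.1X/EAP exchange; the quarantine VLAN then only reaches remediation resources.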

Market Survey: 

Market Survey
  1/17/06 Infonetics, 'Enforcing Network Access Control'
    Over 1,101% increase over the next three years, from $323 million to $3.9 billion in 2008
    NAC Appliance market will increase 3,062% from 2005 to 2008
    NAC network devices will increase almost 1,000% from 2005-2008
    'will be a volatile space over the next three years, with significant consolidation in the market'
    'Cisco's NAC solution is the most recognized brand of the three main NAC solutions, followed by Microsoft's NAP, and then the Trusted Computing Group's Trusted Network Connect solution in distant third'
  Maybe, maybe not... but either way it will be a fun ride...

In Closing: 

In Closing
  Slow....... Very Very Slow....
  With 70% of the networking market, Cisco & NAC will be around to stay
  Microsoft NAP will be HUGE in 2008
  Don't count out TNC
  IETF Anyone?
  I2 NetAuth Working group: strategies, architecture, components, case studies, FAQ


References : 

