Network Admission Control to WLAN at WIT - PowerPoint PPT Presentation

Slides: 20
Provided by: aidanm9
Transcript and Presenter's Notes


1
Network Admission Control to WLAN at WIT
  • Presented by Aidan McGrath B.Sc. M.A.

2
Why deploy a wireless LAN?
  • Can be seen to be behind the technology by
    potential students if not deployed.
  • Keep up with technology demands of modern
    students.
  • It will happen anyway, so why not take control
    from the start.
  • Students used to mobile phones, so why not mobile
    computing?
  • Reduce demand on providing more PCs which then
    need to be replaced.

3
What are the challenges of a WLAN?
  • Disappearing security boundaries expose internal
    infrastructure and assets.
  • To ensure policy compliance for all endpoint
    devices seeking network access.
  • Providing sufficient access points: how
    many, and where?
  • Does one size fit all?

4
What are the solutions?
  • Turn on the service and hope for the best: no
    checking of laptops for vulnerabilities.
  • Manual intervention to assess laptops for risks.
  • Automatic posture assessment of the laptop at time of
    connection: network admission control (NAC).

5
Network Admission Control (NAC)
Use the network to enforce policies to ensure
that incoming devices are compliant.
  • Who is the user?
  • Is s/he authorised?
  • What role does s/he get?

Diagram: identity, device security and network security
combine into NAC.
6
All-in-One Policy Compliance and Remediation Solution
  • Authenticate & Authorise: enforces authorisation
    policies and privileges; supports multiple user
    roles.
  • Quarantine: isolates non-compliant devices from the
    rest of the network; MAC- and IP-based quarantine is
    effective at a per-user level.
  • Scan & Evaluate: agent scan for required versions
    of hotfixes, AV and other software; network scan
    for virus and worm infections and port
    vulnerabilities.
  • Update & Remediate: network-based tools for
    vulnerability and threat remediation; help-desk
    integration.
7
Cisco NAC Appliance (Cisco Clean Access)
Components
  • Clean Access Server (CAS): serves as an in-band or
    out-of-band device for network access control.
  • Clean Access Manager (CAM): centralises
    management for administrators, support personnel
    and operators.
  • Clean Access Agent: optional lightweight client
    for device-based registry scans in unmanaged
    environments.
  • Rule-set Updates: scheduled automatic updates for
    anti-virus, critical hot-fixes and other
    applications.
8
Clean Access Sampling of Pre-Configured Checks
  • Critical Windows Updates: Windows XP, Windows
    2000, Windows 98, Windows ME
  • Anti-Virus Updates
  • Anti-Spyware Updates
  • Other 3rd Party Checks
9
Product User Flow Overview
The Goal
  1. End user attempts to access a Web page or uses an
     optional client. Network access is blocked until the
     wired or wireless end user provides login
     information.
  2. User is redirected to a login page. Clean Access
     validates username and password, and also performs
     device and network scans to assess
     vulnerabilities on the device.
  3a. Device is noncompliant or login is
      incorrect: user is allowed 30 min limited access to
      appropriate remediation sites (Quarantine).
  3b. Device is clean: machine gets on the certified
      devices list and is granted access to the network
      (Intranet/Network).
Diagram components: Authentication Server, Clean Access
Manager, Clean Access Server, Intranet/Network, Quarantine.
10
Screen Shots (MS Client)
  • Login Screen
  • Scan is performed (types of checks depend on user
    role)
  • Scan fails
  • Remediate (step 4 of the user flow)
11
Screen Shots (Web browser, non-MS)
  • Scan is performed (types of checks depend on user
    role/OS)
  • Login Screen
  • Guided self-remediation
12
Process Flow Wireless Access
Role: Unauthenticated
Diagram labels: WLC 192.168.60.3 (Mgmt VLAN 60) and
192.168.50.2 (User VLAN 50); Auth Server IP 10.1.1.25;
Clean Access Manager IP 10.1.1.30; Laptop IP 192.168.50.3;
Intranet Server; L3 Switch IP 192.168.10.1; Clean Access
Server IP 192.168.10.2; Radius Accounting Server IP
10.1.1.26; DNS Server IP 10.20.20.20; NAC Enforcement Point.
  • Wireless user connects to the WLC via LWAPP (open
    authentication).
  • Wireless user obtains an IP address from the WLC.
  • Wireless user opens a browser and is redirected
    to download the Clean Access Agent (if they don't
    already have it loaded).

13
Process Flow Network Admission Control 1
Role: Unauthenticated
Diagram labels: Auth Server (Radius) IP 10.1.1.25; Clean
Access Manager IP 10.1.1.30; Laptop IP 192.168.1.150;
Internet Web Server; Clean Access Server IP 192.168.1.2;
Router IP 192.168.1.1; DNS Server; NAC Enforcement Point.
  • CAS determines that the laptop MAC address is not in
    the certified device list (it has not logged on
    recently).
  • CAS puts the laptop into the Unauthenticated Role.
  • Laptop gets an IP address from the DHCP server, but
    cannot get past the CAS, which acts as an IP filter.
  • Laptop user opens a browser and is redirected to
    an SSL-based web login page.
  • User enters credentials.
  • User is asked to download the Clean Access Agent.

14
Process Flow NAC 2
Role: Temporary
Diagram labels: Auth Server IP 10.1.1.25; Laptop IP
192.168.1.150; Clean Access Manager IP 10.1.1.30; Internet
Web Server; Router IP 192.168.1.1; Clean Access Server IP
192.168.1.2; NAC Enforcement Point; DNS Server IP
10.20.20.20.
  • Clean Access Agent performs the posture assessment
    and forwards the results to the CAS to make the
    network admission decision.
  • CAS forwards the posture report to the CAM.
  • CAM determines that the laptop is NOT in
    compliance and instructs the CAS to put the
    laptop into the Temporary Role.
  • CAM sends remediation steps to the Clean Access Agent.

15
Process Flow NAC 3
Role: Temporary
Diagram labels: Auth Server IP 10.1.1.25; Laptop IP
192.168.1.150; Clean Access Manager IP 10.1.1.30; Internet
Web Server; Clean Access Server IP 192.168.1.2; Router IP
192.168.1.1; NAC Enforcement Point; DNS/DHCP Server IP
10.20.20.20.
  • Clean Access Agent displays the access time remaining
    in the Temporary Role for the laptop.
  • CCA Agent guides the user step-by-step through
    remediation.
  • Patches can be downloaded from update sites such
    as https://liveupdate.symantec.com or
    http://windowsupdate.microsoft.com.
  • CCA Agent informs the CAS that the laptop has been
    successfully remediated.

16
Process Flow NAC 4
Role: Clean
Diagram labels: Auth Server IP 10.1.1.25; Laptop IP
192.168.1.150; Clean Access Manager IP 10.1.1.30; Internet
Web Server; Router IP 192.168.1.1; Clean Access Server IP
192.168.1.2; NAC Enforcement Point; DNS Server IP
10.20.20.20.
  • CAS puts the MAC address of the laptop into the
    Certified Device list.
  • CAS assigns the laptop to the Clean Role for a 24
    hour period.
  • Laptop is now allowed complete access to the
    Internet.

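A worked model of the admission sequence in the four Process Flow NAC slides above, added here as an example and not code from the presentation or from Cisco's product: a laptop is keyed by MAC address, starts in the Unauthenticated Role, lands in the Temporary Role with a 30-minute remediation window when posture checks fail, and is certified into the Clean Role for 24 hours when they pass. The required hotfix IDs and minimum AV signature level are placeholder policy values, and time is modelled as a plain minute counter.

```python
from dataclasses import dataclass, field

# Roles and timers from the slides, in minutes: Temporary access lasts
# 30 min (slide 9), Clean certification lasts 24 h (slide 16).
UNAUTHENTICATED, TEMPORARY, CLEAN = "Unauthenticated", "Temporary", "Clean"
TEMPORARY_WINDOW = 30
CERTIFIED_TTL = 24 * 60
# Hypothetical policy (placeholders, not real Cisco rule-set values).
REQUIRED_HOTFIXES = {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"}
MIN_AV_SIGNATURE = 20

@dataclass
class CleanAccess:
    """Toy CAS/CAM decision logic keyed by laptop MAC address."""
    certified: dict = field(default_factory=dict)  # mac -> expiry (minutes)
    temporary: dict = field(default_factory=dict)  # mac -> deadline (minutes)

    def role_on_connect(self, mac, now):
        # Slide 13: MAC not on the certified list (or expired) -> Unauthenticated.
        expiry = self.certified.get(mac)
        if expiry is not None and now < expiry:
            return CLEAN
        self.certified.pop(mac, None)
        return UNAUTHENTICATED

    def evaluate(self, hotfixes, av_signature):
        # Slides 6 and 8: posture report = installed hotfixes + AV signature level.
        missing = sorted(REQUIRED_HOTFIXES - set(hotfixes))
        if av_signature < MIN_AV_SIGNATURE:
            missing.append("av_signatures")
        return missing

    def admit(self, mac, authenticated, hotfixes, av_signature, now):
        # Returns (role, remediation items) as the CAM instructs the CAS.
        if not authenticated:
            return UNAUTHENTICATED, []
        missing = self.evaluate(hotfixes, av_signature)
        if missing:  # slide 14: Temporary Role plus remediation steps
            self.temporary[mac] = now + TEMPORARY_WINDOW
            return TEMPORARY, missing
        self.temporary.pop(mac, None)  # slide 16: certified for 24 h
        self.certified[mac] = now + CERTIFIED_TTL
        return CLEAN, []

    def temporary_remaining(self, mac, now):
        # Slide 15: minutes left in the Temporary Role, as the agent displays.
        return max(0, self.temporary.get(mac, now) - now)
```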
17
WIT Wireless Network
Diagram labels: LWAPP Encrypted Tunnel; AP Network VLAN
216; WLAN Network VLAN 215; Clean Access Manager; Cisco
ACS Server; Trusted WLAN DMZ; Aironet 1100 AP; Clean
Access Server; Untrusted WLAN DMZ; ASA 5550; L3 6513
Switch; Cisco 4400 Wireless LAN Controller; Laptop.
18
WIT Wireless Network Future Developments
  • Out-of-band wired access
  • Nessus vulnerability scanner (http://www.nessus.org/)
    for Mac OS X, Linux, Solaris and FreeBSD

19
WIT Wireless Network - Partners