Network Access Control NAC

1
Network Access Control (NAC)

• Arun George

2
Agenda

• The IPS-Secured Network
• Introducing Network Access Control v4.1
• TippingPoint Advantages

3
IPS-Secured Networks
Bi-Planar Network
IPS Policy Enforcement Point
Control Plane
L2 Access Switches
L3 Core Switches
L3 Distribution Switches
Connectivity Plane
4
IPS-Secured Networks
Bi-Planar Network
IPS Policy Enforcement Point
Control Plane
L2 Access Switches
L3 Core Switches
L3 Distribution Switches
Connectivity Plane
Attack Control Prevents internal and external
malicious attacks to your business
24/7 Proactively blocks employees from
unknowingly spreading viruses and worms causing
business downtime Prevents data theft and damage
5
IPS-Secured Networks
Bi-Planar Network
IPS Policy Enforcement Point
Control Plane
L2 Access Switches
L3 Core Switches
L3 Distribution Switches
Connectivity Plane
Attack Control Prevents internal and external
malicious attacks to your business
24/7 Proactively blocks employees from
unknowingly spreading viruses and worms causing
business downtime Prevents data theft and damage
Application Control Restricts and logs
application activity based on company
policy Enables IT to be proactive vs. reactive
Allows business applications to be prioritized
over other personal programs
6
IPS-Secured Networks
Bi-Planar Network
IPS Policy Enforcement Point
Control Plane
L2 Access Switches
L3 Core Switches
L3 Distribution Switches
Connectivity Plane
Attack Control Prevents internal and external
malicious attacks to your business
24/7 Proactively blocks employees from
unknowingly spreading viruses and worms causing
business downtime Prevents data theft and damage
Access Control Allows only the users/machines
that you want on the network Restricts, blocks,
or quarantines based on policy Uniform approach
for all types of endpoints and OSs Provides
compliance reporting
Application Control Restricts and logs
application activity based on company
policy Enables IT to be proactive vs. reactive
Allows business applications to be prioritized
over other personal programs
7
How TippingPoint NAC Works
Access Control
Application Control
Attack Control
Device / User Identification

• Enforcement
• User, Device, Flow
• Quarantine, Block, Alert

Device Health Check
User / Device Access Rights
8
Introducing TippingPoint NAC 4.1
Protect every network entry Multiple Enforcement
Options provide the right type of enforcement at
each entry point. Different enforcement types can
be centrally managed for the different types of
users, endpoints, and network topologies within
the enterprise
Provide constant protection Endpoints can be
continually checked with posture compliancy rules
that stay up-to-date with automated update
service. Create Set and forget policies by
version or date.
Gain network insight Collect information
regarding your endpoints. Correlated reports
displaying when, where, and who accessed your
network provide tools for troubleshooting and
regulatory compliancy
Versatile, proven solution With different
enforcement types and powerful roles-based policy
creation, customers can ease into NAC
implementations and grow into the solution
appropriate for them.
9
Different Users, Different Endpoints, Different
Needs
Trust Level
10
Enforcement Tradeoffs
11
Combining Enforcements

• Combining enforcement types together can enhance
  security, provide additional flexibility.
• Reduces the weaknesses of each enforcement
• Requires central management of every enforcement

12
TippingPoint NAC 4.1
13
TippingPoints Inline Enforcement
Edge VLAN
Core VLAN
1. NPE sees traffic from, new endpoint
4. Traffic is allowed, blocked, or redirected to
captive webportal
x
AAA Server
LDAP
Active Directory
2. NPE reports new endpoint to NPS
3. NPS sends access rules for endpoint
14
How 802.1x Enforcement Works

• Receive EAP request (encapsulated in RADIUS)
• EAP Type is automatically determined

2. Determine MAC/Location/Realm
3. Authenticate User
AAA Server
7. Send EAP Response with appropriate RADIUS
Attributes (VLAN, ACL, etc)
LDAP
Active Directory
4. Learn group membership
6. Determine Network Actions
5. Determine Security Role
15
How DHCP Enforcement Works
1. Endpoint sends DHCP request
3. TippingPoint plugin on DHCP Server receives
policies from NPS
2. Router forwards DHCP request to DHCP Server
5. Endpoint opens browser, Nameservice returns
NPS IP

• 4. TippingPoint plugin overwrites response when
  necessary with
• Static Routes for Captive Web Portal/Remediation
  Sites
• DNS set to NPS
• No Gateway

• Can be implemented without VLANs or in the
  quarantine or remediation VLAN
• 4.1 Plugin available for Microsoft Windows
  2000/2003

16
TippingPoint Enforcement Advantages

• Inline
• Can be installed logically because its VLAN
  aware. NAC Solutions developed as a switch may
  require a physical inline deployment that
  escalates the number of devices necessary and
  limit HA to be dependent on spanning tree
• Provides granular access control per connection
• 802.1X and DHCP
• Other NAC Solutions deployed out-of-band rely on
  switch infrastructure to send traps and may push
  new switch configurations on the fly reliant on
  firmware support. TippingPoint uses
  standards-based approaches to ensure network
  compatibility
• Solutions developed as a switch or gateway only
  offer inline enforcement as part of their NAC
  solution. TippingPoint can offer inline
  enforcement only where it is appropriate given
  the deployment and user profiles.
• 802.1X offers protection down to the edge port,
  while DHCP deploys without any changes to network
  infrastructure.

17
How Posture Collection Works
1. Endpoint downloads client (dissolvable or
persistent based on role)
Systray icon displays by color quarantine status
2. Posture agent performs scan on Endpoint and
returns scan results in XML over HTTPS
3. NPS determines compliancy based on Endpoint
compliancy with Posture rules. Results sent to
agent and creates network action. Posture agent
can force new DHCP or 802.1x request
4. Posture agent delivers change delta in scan
results during heartbeat.
5. NPS determines any compliancy changes and
sends updates to agent and network actions if
necessary
Remediation options displayed on client
18
Posture Collection Advantages

• TippingPoints NAC Posture client
• Does not require administrative access
• NAC Solutions utilizing Microsofts RPC port or
  install as a full application require
  administrative access
• Is not blocked by personal firewall software
• NAC Solutions using network-based scans attempt
  to discover vulnerabilities by assessing open
  ports on the endpoint. Personal firewall
  software blocks these network-based scans from
  learning important information about the
  endpoints compliancy.
• Is browser independent
• NAC Solutions using ActiveX are limited to
  support Internet Explorer browser versions only.
• Supports Apple, Linux, Microsoft
• Many NAC Solutions only support Microsoft OS
  versions

19
User Directory Integration Advantages

• Not all NAC Solutions integrate directly with
  LDAP or Active Directory
• TippingPoint can mix and match multiple
  authentication methods with multiple
  authentication servers on the same network
• Not all NAC Solutions can match on groups without
  changes to the external user directory
• TippingPoint learns group membership and user
  account details during authentication without
  requiring any new policies or changes to user
  accounts in the user directories
• Not all NAC Solutions can create defaults,
  causing an administrator to create policies for
  every group in the external authentication server
• Roles-based policies uses filters and matches to
  create defaults or collapse multiple groups into
  the same policy

20
TippingPoint Advantages

• Multiple Enforcement Options. Other vendors will
  need to advocate that DHCP, 802.1x, or Inline
  enforcement by itself is the one perfect
  enforcement type. TippingPoint gives the
  flexibility to utilize the appropriate
  enforcement or combinations thereof under
  centralized management to provide a superior
  solution.
• Multi-OS Posture Agent. TippingPoint posture
  agent does not require administrative access
  unlike vendors using RPC, is browser independent
  unlike vendors using ActiveX, can be used as
  persistent or dissolvable unlike vendors with
  only thick clients, and does not rely on any
  network-based scans that can be thwarted by
  personal firewalls.
• Extended Posture Vendor Support and Update
  Service. TippingPoint offers posture checks for
  antivirus, antispyware, and personal firewall
  software with built-in support for 100's of
  vendors with policies that update automatically.
• Secure Guest Access. TippingPoint offers a clean
  guest-user experience with a customized captive
  portal, dissolvable posture agent, and specific
  access controls
• Integration with Intrusion Prevention.
  TippingPoint will offer integration of network
  access control into its award-winning
  best-in-breed IPS products to provide 360 degree
  coverage.

21
Substantial Growth in NAC Market
Network Access Control Market

• WW Mfg revenue for NAC enforcement grows 1,101,
  from 323 million to 3.9 billion between 2005
  and 2008
• Network integrated NAC enforcement (Routers,
  Switches etc)
• 21 of all switches
• 10 for routers in 2008
• NAC enforcement Appliances (IPS, F/W)
• 16 for security appliances
• By 2008, NAC appliances will support over 30M
  users
• Each NAC appliance will support low thousands of
  users

Source Infonetics, Gartner and Yankee Group
Research
22
Selected TippingPoint NAC Customers
Healthcare
Higher Education
K-12
Airports
Department of Veterans Cyber Security
Government
Enterprise
23
Philadelphia School District

• District gt300 K-12 Schools
• Network Over 25,000 APs (multiple vendors)
  360 buildings 4 OC-192 rings in the backbone
• Problem
• Limited amount of IT staff located in central
  office to manage entire network
• Need to automate management of entire AP network
• Access control and other security support for
  numerous device types
• Needs
• Centralized management of infrastructure,
  security and users / applications
• Solution needs to scale with size of network
• Time / location-based management policies
• Want access control and audit trails for wired
  ports

24
The Boeing Company

• Size 34 Regions, 340 Campuses / Buildings
• Problem
• Multiple contractors and consultants visiting
  Boeing locations
• Driven by CIO and VP level requirements
• Needs
• Multi-tiered guest access critical to operations
• Various guest user types that have specific
  network and application access requirements
• Self-registration with automated approval process
  and provisioning management
• Detailed audit trails
• Support for internal user access management

25
Thank You