Network Access Control / Device Registration - PowerPoint PPT Presentation

About This Presentation

Title: Network Access Control / Device Registration

Slides: 25
Provided by: Res41

Transcript and Presenter's Notes

1
Network Access Control/Device Registration
  • Systems, solutions, and products

2
Foreword
This presentation is not meant to be comprehensive, but rather to introduce the concept of Network Access Control and the motivation behind its adoption/development. I will not talk in-depth on any one product/solution, and I am specifically cutting short the TOAD discussion in hopes that Steve (who will do a much better job) can find some time to talk about it at least in brief.
3
Motivation
  • While perhaps the majority of malicious traffic originates from outside one's network, network/security administrators are feeling the pressure to:
    • protect users against peer users
    • protect the world from users (authorized or otherwise)
    • provide accountability for use of network resources
    • track users for QoS and support?
    • protect network resources from casual abusers and break-ins by users (authorized or otherwise)
    • BOTNETS! (Seth Hall of Steve's security group's presentation)

4
Basic Forms
  • The most basic forms these Network Access Control systems take on are:
    • Control: inline vs. out-of-band
      • inline: bridging, routing
      • out-of-band: configuring routes on user access routers
    • Authorization: client-based vs. agentless
      • client-based: require patches
      • agentless: rely on network scanning, monitoring

5
The Players
  • While not by any means exhaustive, here is a list of the more recognizable products/services available in implementing Network Access Control (in no particular order):
    • Perfigo (SecureSmart > Clean Access (Cisco)) http://www.perfigo.com
    • Bradford S/W (Campus Manager) http://www.bradford-sw.com/product/tutorial.htm
    • StillSecure (SafeAccess) http://www.stillsecure.com/
    • Vernier Networks (Edgewall) http://www.verniernetworks.com
  • All have the same advantage: support contract

6
The Players (cont'd: freebies)
  • There are also a number of Open Source products available which, while perhaps not idealized, are well-suited to managing the problem of Network Access Control.
  • Advantage: It's free! You can make it do whatever you want! Extensible/Scalable!
  • Disadvantage: No support contract. Decision-makers (risk analyzers) don't feel good about unsupported software.
  • NetReg: Automated DHCP Registration System
  • NoCatAuth: Authenticating Gateway Server
  • many more?
  • Also, tools like tc, bridge, iptables, pf, interface aliasing, bogus DNS, VMPS, WCCP (redirection), gated, policy-based DHCP (netreg?), ...

7
Perfigo
  • Perfigo's SecureSmart server/manager were bought by Cisco Systems last quarter, and have changed their name to Clean Access. This is a distinction principally in name, but a few (not worth mentioning) changes were made.
  • Perfigo also offers Clean Machines, an agent for authentication/authorization.
  • It is an inline (routing/bridging) solution which allows for VLAN re-tagging (which makes it sound out-of-band; it's not).
  • I'm told Perfigo (Cisco) offer an out-of-band solution, but there is no documentation to my knowledge, and based on experience, I tend to doubt it's a bona fide out-of-band solution. Don't sue me if I'm wrong!

8
Perfigo
Image lifted from perfigo-case-study.pdf, courtesy of Google's cache; don't have the original URL (lost :) )
9
Bradford S/W
  • Campus Manager
  • out-of-band solution which works well with a good number of vendors and models; makes VLAN assignments on switches for end-users based on authentication and authorization
  • not bad, but Bradford are not helpful in terms of custom development and want to overcharge for every service (no free trial!? Per diem!?!?)
  • not Kerberos-compatible
  • VLAN assignments by telnet??
  • port-monitoring by SNMP TRAPs??

10
Bradford S/W Campus Manager
Maybe not exactly port-based?
11
StillSecure (SafeAccess)
  • SafeAccess is a client-based Network Authentication solution; as such, I devoted little time to it (a residential network can hardly dictate what software/OS a user must run in order to access network resources).
  • There is an agentless system, but it relies on WINDOWS RPC CALLS for authorization: OUT OF THE QUESTION.
  • AND there's an ActiveX control which can operate in place of the client, but this is ultimately no better.
  • Points for honesty, on their part.

12
StillSecure (SafeAccess)
13
Vernier Networks Edgewall
  • Vernier Networks Edgewall (7000 series)
  • NIDS/scanner/authentication/authorization intended for wireless networks
  • Why? Unclear; seems equally suited to wired networks
  • Nebulous, tempting claims
  • Ambiguous white paper
  • This is true of all of the products featured here, though
  • Detects/removes rogue WAPs?

14
Vernier Networks Edgewall
15
Vernier Networks Edgewall
16
Vernier Networks Edgewall
17
NetReg
  • DHCP registration system
  • Baseline network access control: authenticates users who do not know how to circumvent it (circumventable)
  • Quarantines by providing an unusable lease!
  • Insufficient for the network security admin's warm, happy feeling

18
NetReg
One may as well develop one's own DHCP registration system; it's easy!
19
NoCatAuth
  • NoCatAuth is a very interesting "grass-roots" (quoted from NoCatNet) Network Access Control System, intended for wireless but equally suited to wired environments
  • Two parts: Gateway, Authentication Server
  • Gateway simply follows traffic rules and routes untrusted HTTP requests to the Authentication Server.
  • If the user authenticates against the Authentication Server successfully, the Auth server tells (secure ticket) the Gateway to change rules for the host (IP-based in some implementations). Ideal would be a switch/port/MAC/(IP) combination.
  • OARNet/OSU have developed a very successful, highly scalable, somewhat commercial (correct me?) implementation of the NoCatAuth system which is used widely by OIT client departments, Student Computing Centers, etc. etc.
  • ResNet flirted with the TOAD but have (temporarily?) moved off that track. ?

20
NoCatAuth
21
VMPS
  • VLAN Membership Policy Server
  • An oft-overlooked and powerful means of monitoring and dynamically assigning access rights to hosts coming onto the network
  • Database-driven: MAC/switch/port combination associated with a VLAN
  • 1. Frame is seen by switch
  • 2. Switch queries VMPS(d) for information about VLAN assignment for this combination
  • 3. User's access is based on VLAN membership: perhaps VLAN access-maps, inter-VLAN routing, multiple-interface servers with presence and ACLs for each interface (VLAN), etc., etc.
  • But requires trunking straight to the user port; multiple users on the same port can create difficulties between each other in an authentication race. One bad host? One blocked port.

22
Conclusion
While all the problems/solutions have not been discussed, I hope that it is clear there is no out-of-box, turn-key solution. While the salesmen make their claims steadfastly and without regard for actual fact, it should be borne in mind that no solution, without modification, is likely to solve the problems of Network Access Control in custom (and probably heterogeneous) environments.
23
Credits
All stolen images are cited with the URL where they can be found. If any images were used without implied consent, I will remove them :)
24
Questions
Questions about Network Access Control are much more interesting than questions about ResNet. Steve can probably pick up the slack if need be?