Network Accession Control from a Management Perspective - PowerPoint PPT Presentation

About This Presentation

Title: Network Accession Control from a Management Perspective

Description: Enforces network security policy of an organisation. Method for ... Provides end point security assessment to ensure compliance with a baseline security posture ...

Slides: 25

Provided by: brian295
Transcript and Presenter's Notes

1
Network Accession Control from a Management
Perspective
  • Michael Nowlan
  • Information Systems Services
  • University of Dublin
  • Trinity College
  • With thanks to Brian OHora and the Networks
    team, IS Services, TCD

2
What is Network Accession/Admission/Access Control
  • Enforces network security policy of an
    organisation
  • Method for enforcing user authentication on
    access to network
  • Provides end point security assessment to ensure
    compliance with a baseline security posture
  • Mechanism for remediation, enforcing updates
    periodically or in an emergency

3
What is NAC (2)
  • A hardware appliance that sits on the network
  • Identifies new connections on specific ports
  • Checks the new machine for compliance with
    policies
  • May quarantine machine for remediation
  • Eventually admits or rejects connection
  • Enforces access/connection to appropriate network
    or VLAN

4
Title
5
Main Suppliers
  • Cisco
  • Checkpoint
  • Juniper
  • Microsoft
  • Symantec, McAfee, Sophos, Trend

6
Cisco and Microsoft
  • Cisco Clean Access appliance and agent on PC
  • Microsoft Network Access Protection
  • Combination of Cisco and Microsoft looks good
  • Microsoft NAP available on Vista and Longhorn
    Server
  • Will work well in a homogeneous environment

7
NAC in TCD
  • Provide facility for self service first time
    network connection
  • Enhance Connectivity
  • Tight College Security Policy
  • Authentication required
  • No anonymous connections to the network

8
NAC in TCD (2)
  • Anti Virus software required
  • Patch level policies set
  • Operating System policies set
  • Students in residences require connections
  • Plan for device agnosticism
  • Xbox, PS3, Wii
  • Concept of Tolerated, maybe not Supported

9
Growth - Student networking TCD
10
2005/06 Student Connection
  • Student submits web form
  • Case logged in Helpdesk system
  • Public IP address assigned to NIC MAC address
  • Machine added to MS AD domain
  • Case assigned from User Support to Networks for
    port activation
  • Port activated, documentation updated, case
    reassigned to User Support
  • User scheduled to attend clinic

11
2005/06 Student Connection (2)
  • User attends clinic, supplied with custom
    security CD
  • Pre Anti Virus scan
  • AV E-Pol installation and configuration, OS
    updates
  • Network configuration
  • Add machine to domain
  • Application configuration Browser and Mail
  • Case updated and closed, records updated
  • Repeated 2,000 times: automation required

12
2005/06
  • User Support staff down 50
  • Short term contract staff employed
  • Cost in the region of 60,000
  • Still connecting machines in early 2006
  • Unhappy Users
  • Non productive use of cash

13
Find a Solution
  • 2006 destined to be the year of the NAC
  • 2007 also destined to be the year of the NAC
  • Two solutions identified
  • Cisco
  • Bradford
  • Bradford won the tender

14
Bradford Campus Manager
  • Extensively used in US Education
  • More than 30 sites in UK
  • Sold in UK and Ireland by Khipu
  • Integrates with Active Directory (mandatory in
    TCD)

15
Bradford Campus Manager
  • Oct 2006, 1,500 NACs employed worldwide
  • Bradford had 300 of them at 200 customers, many in
    HE (higher education)
  • A Software company
  • Grew out of a project to disable network points
    in dormitories after lights out
  • Allows connection of multiple OS types and versions

16
TCD Self service NAC configuration
  • Dual NS 1200/8200 appliance pairs for resilience,
    3000 client user license purchased
  • 116 CISCO switches across all residences and 200
    Library communal area wired network points
  • Private IP addressing
  • MS Active Directory Authentication
  • Role-based access management, driven by an MS AD
    attribute
  • Client browser auto detect proxy settings used
  • Ongoing authentication enforced

17
2006/07 Year
  • Connect to the network
  • Open a web browser, presented with NAC welcome
    page
  • Next page - terms and conditions
  • Next page - OS-specific page outlining the web
    browser proxy settings
  • Next page - registration page: name, contact
    number and location
  • Download a scanning program to ensure computer is
    compliant
  • If not compliant, advised how to self-remediate
  • Once computer is compliant, asked to authenticate
    with MS AD credentials to gain admission to
    appropriate network
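Slides 3, 16 and 17 between them describe the admission logic: a new connection is held on a registration network, scanned against the compliance policy, quarantined with remediation advice if it fails, and only then authenticated against MS AD and placed on the VLAN that its AD role attribute selects. The following Python sketch, added here and not part of the presentation or of Bradford Campus Manager, models that decision path end to end. Every policy value, VLAN number, role name, field name and sample endpoint in it is a constructed placeholder, not a TCD or Bradford value. It also reflects the later "Problems Encountered" slide in one respect: an operating system the scanner does not recognise is treated as a compliance failure (quarantine plus advice), not as an outright rejection.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Decision(Enum):
    REGISTER = "register"      # held on the registration network (captive web pages)
    QUARANTINE = "quarantine"  # failed the scan: remediation network only
    ADMIT = "admit"            # compliant and authenticated: production VLAN for the role
    REJECT = "reject"          # authenticated, but the AD role grants no network access


@dataclass
class Endpoint:
    """Posture facts the downloaded scanner would report, plus portal state.
    Field names are constructed for this example."""
    mac: str
    os_name: str
    os_version: str
    av_installed: bool
    av_defs_age_days: int
    missing_critical_patches: int
    registered: bool = False          # name, contact number and location supplied
    authenticated: bool = False       # MS AD credentials accepted
    ad_role: Optional[str] = None     # role attribute read from the AD account


@dataclass
class Policy:
    recognised_os: Dict[str, Set[str]]  # os name -> accepted versions (lower-case)
    max_defs_age_days: int
    role_vlans: Dict[str, int]          # AD role attribute -> production VLAN id
    registration_vlan: int
    quarantine_vlan: int


@dataclass
class Verdict:
    decision: Decision
    vlan: Optional[int]
    reasons: List[str] = field(default_factory=list)  # shown to the user as remediation advice


def posture_check(ep: Endpoint, policy: Policy) -> List[str]:
    """Return every compliance failure; an empty list means compliant.
    An unrecognised OS is a failure like any other, so the machine is quarantined, not rejected."""
    reasons = []
    accepted = policy.recognised_os.get(ep.os_name.lower())
    if accepted is None or ep.os_version.lower() not in accepted:
        reasons.append(f"operating system {ep.os_name} {ep.os_version} not recognised; contact the helpdesk")
    if not ep.av_installed:
        reasons.append("install anti-virus software")
    elif ep.av_defs_age_days > policy.max_defs_age_days:
        reasons.append(f"update anti-virus definitions ({ep.av_defs_age_days} days old)")
    if ep.missing_critical_patches > 0:
        reasons.append(f"apply {ep.missing_critical_patches} missing critical OS update(s)")
    return reasons


def admission_decision(ep: Endpoint, policy: Policy) -> Verdict:
    """Walk the self-service flow in slide order: register, scan, remediate, authenticate, admit."""
    if not ep.registered:
        return Verdict(Decision.REGISTER, policy.registration_vlan, ["complete the registration page"])
    failures = posture_check(ep, policy)
    if failures:
        return Verdict(Decision.QUARANTINE, policy.quarantine_vlan, failures)
    if not ep.authenticated:
        return Verdict(Decision.REGISTER, policy.registration_vlan, ["authenticate with MS AD credentials"])
    vlan = policy.role_vlans.get(ep.ad_role or "")
    if vlan is None:
        return Verdict(Decision.REJECT, None, [f"AD role {ep.ad_role!r} grants no network access"])
    return Verdict(Decision.ADMIT, vlan, [])


# Constructed policy: VLAN ids, role names and thresholds are placeholders, not TCD's values.
POLICY = Policy(
    recognised_os={"windows": {"xp", "vista"}, "mac os x": {"10.4", "10.5"}},
    max_defs_age_days=7,
    role_vlans={"student": 200, "staff": 300},
    registration_vlan=998,
    quarantine_vlan=999,
)

# Constructed sample endpoints, one per branch of the flow.
SAMPLE_ENDPOINTS = [
    Endpoint("00:11:22:33:44:01", "Windows", "XP", True, 2, 0, registered=True, authenticated=True, ad_role="student"),
    Endpoint("00:11:22:33:44:02", "Windows", "XP", False, 0, 0, registered=True, authenticated=True, ad_role="student"),
    Endpoint("00:11:22:33:44:03", "Ubuntu", "7.04", True, 1, 0, registered=True, authenticated=True, ad_role="student"),
    Endpoint("00:11:22:33:44:04", "Mac OS X", "10.4", True, 3, 0, registered=True),
    Endpoint("00:11:22:33:44:05", "Windows", "Vista", True, 0, 0, registered=True, authenticated=True, ad_role="visitor"),
    Endpoint("00:11:22:33:44:06", "Windows", "XP", True, 30, 3),
]


def demo(endpoints=SAMPLE_ENDPOINTS, policy=POLICY) -> Dict[str, tuple]:
    """Map each MAC to (decision, vlan) so the outcome can be inspected or asserted on."""
    results = {}
    for ep in endpoints:
        v = admission_decision(ep, policy)
        results[ep.mac] = (v.decision.value, v.vlan)
    return results


if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        v = admission_decision(ep, POLICY)
        print(ep.mac, v.decision.value, v.vlan, "; ".join(v.reasons))
```

Two design points worth noting against the slides. Authentication is deliberately checked after the posture scan, matching slide 17's ordering, so an unpatched machine never reaches the credential prompt while still exposed. And the VLAN a compliant, authenticated machine lands on comes solely from the AD role lookup, which is the "role-based access management - MS AD attribute" item on slide 16; a role the table does not know yields an explicit reject rather than a default network.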

18
(No Transcript)
19
Problems Encountered
  • Very new operating systems not being recognised
  • Different anti-virus solutions
  • Delays in switching between VLANs
  • Routing issues with Private Address Space
  • Lack of automatic failover of the two boxes

20
Problems Encountered (2)
  • Crashes of the system
  • New issues at forced rescan during the year
  • Appliance internals complex
  • Requires high skill level to manage

21
Connection Growth 2005/06 vs 2006/07
22
2006/07 Experiences
  • Generally positive
  • Most connections made quickly and trouble free
  • Most users connect out of office hours
  • Some operating system problems
  • Overall satisfactory for students and service
    provider

23
The Next Steps
  • Add student WiFi connections
  • Review market
  • Add staff to NAC (some)
  • Add staff WiFi
  • Migrate to Private Address Space

24
The Next Steps
  • Become device, hardware and operating system
    agnostic
  • Eliminate delays in device connection to the
    network
  • Buy more licences depending on market review