Network Access Control NAC - PowerPoint PPT Presentation

Provided by: sethgol5
Slides: 24

Transcript and Presenter's Notes

1
Network Access Control (NAC)
  • Arun George

2
Agenda
  • The IPS-Secured Network
  • Introducing Network Access Control v4.1
  • TippingPoint Advantages

3
IPS-Secured Networks
Bi-Planar Network (diagram labels): IPS Policy
Enforcement Point; Control Plane; Connectivity Plane;
L2 Access Switches; L3 Distribution Switches; L3 Core
Switches
4
IPS-Secured Networks (continued)
  • Attack Control: Prevents internal and external
    malicious attacks to your business 24/7.
    Proactively blocks employees from unknowingly
    spreading viruses and worms causing business
    downtime. Prevents data theft and damage.
5
IPS-Secured Networks (continued)
  • Application Control: Restricts and logs
    application activity based on company policy.
    Enables IT to be proactive vs. reactive. Allows
    business applications to be prioritized over
    other personal programs.
6
IPS-Secured Networks (continued)
  • Access Control: Allows only the users/machines
    that you want on the network. Restricts, blocks,
    or quarantines based on policy. Uniform approach
    for all types of endpoints and OSs. Provides
    compliance reporting.
7
How TippingPoint NAC Works
Access Control
Application Control
Attack Control
Device / User Identification
  • Enforcement
  • User, Device, Flow
  • Quarantine, Block, Alert

Device Health Check
User / Device Access Rights
8
Introducing TippingPoint NAC 4.1
  • Protect every network entry: Multiple enforcement
    options provide the right type of enforcement at
    each entry point. Different enforcement types can
    be centrally managed for the different types of
    users, endpoints, and network topologies within
    the enterprise.
  • Provide constant protection: Endpoints can be
    continually checked with posture compliance rules
    that stay up to date with an automated update
    service. Create "set and forget" policies by
    version or date.
  • Gain network insight: Collect information
    regarding your endpoints. Correlated reports
    displaying when, where, and who accessed your
    network provide tools for troubleshooting and
    regulatory compliance.
  • Versatile, proven solution: With different
    enforcement types and powerful roles-based policy
    creation, customers can ease into NAC
    implementations and grow into the solution
    appropriate for them.
9
Different Users, Different Endpoints, Different Needs
(diagram axis: Trust Level)
10
Enforcement Tradeoffs
11
Combining Enforcements
  • Combining enforcement types can enhance security
    and provide additional flexibility.
  • Reduces the weaknesses of each enforcement type
  • Requires central management of every enforcement
    type

12
TippingPoint NAC 4.1
13
TippingPoint's Inline Enforcement
Diagram labels: Edge VLAN, Core VLAN, AAA Server
(LDAP, Active Directory)
1. NPE sees traffic from a new endpoint
2. NPE reports new endpoint to NPS
3. NPS sends access rules for endpoint
4. Traffic is allowed, blocked, or redirected to
captive web portal
14
How 802.1x Enforcement Works
Diagram labels: AAA Server, LDAP, Active Directory
1. Receive EAP request (encapsulated in RADIUS);
EAP type is automatically determined
2. Determine MAC/Location/Realm
3. Authenticate user
4. Learn group membership
5. Determine security role
6. Determine network actions
7. Send EAP response with appropriate RADIUS
attributes (VLAN, ACL, etc.)
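Steps 4 to 7 above, together with the roles-based defaults described on the user directory integration slide, as an added example that is not TippingPoint's code: group membership learned at authentication is matched against an ordered role policy (with a default role, so no policy is needed per directory group), a failed posture check overrides the role, and the role is turned into the RADIUS attributes carried in the Access-Accept. Group names, role names, VLAN IDs and ACL names are assumptions.

```python
from fnmatch import fnmatch

# Ordered role policy: directory-group pattern -> security role. First match wins,
# and a separate default role means one policy need not exist per group.
# Group names, roles, VLAN IDs and ACL names are assumptions for this example.
ROLE_POLICY = [
    ("Domain Admins", "admin"),
    ("Eng-*", "engineering"),       # collapses Eng-HW, Eng-SW, ... into one role
    ("Contractors", "guest"),
]
DEFAULT_ROLE = "employee"           # the "create defaults" case

# Network actions per role: the VLAN to assign and the ACL name the switch applies.
NETWORK_ACTIONS = {
    "admin":       {"vlan": 10,  "acl": "acl-admin"},
    "engineering": {"vlan": 20,  "acl": "acl-eng"},
    "employee":    {"vlan": 30,  "acl": "acl-employee"},
    "guest":       {"vlan": 900, "acl": "acl-guest"},
    "quarantine":  {"vlan": 999, "acl": "acl-remediation-only"},
}

def determine_role(groups, posture_compliant=True):
    """Step 5: map the group membership learned at authentication to a security role.
    A failed posture check overrides the group-based role."""
    if not posture_compliant:
        return "quarantine"
    for pattern, role in ROLE_POLICY:
        if any(fnmatch(group, pattern) for group in groups):
            return role
    return DEFAULT_ROLE

def radius_attributes(role):
    """Steps 6-7: translate the role into RADIUS attributes for the Access-Accept.
    Tunnel-Type 13 = VLAN and Tunnel-Medium-Type 6 = IEEE 802 follow RFC 3580;
    Filter-Id names the ACL the switch should apply to the port."""
    action = NETWORK_ACTIONS[role]
    return {
        "Tunnel-Type": 13,
        "Tunnel-Medium-Type": 6,
        "Tunnel-Private-Group-Id": str(action["vlan"]),
        "Filter-Id": action["acl"],
    }

def handle_access_request(user, groups, posture_compliant=True):
    """Steps 4-7 for one authenticated user; returns (role, attributes)."""
    role = determine_role(groups, posture_compliant)
    return role, radius_attributes(role)
```

Whether the switch honours Filter-Id depends on its firmware; the VLAN attributes are the portable part of the response.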
15
How DHCP Enforcement Works
1. Endpoint sends DHCP request
2. Router forwards DHCP request to DHCP server
3. TippingPoint plugin on DHCP server receives
policies from NPS
4. TippingPoint plugin overwrites response when
necessary with:
  • Static routes for captive web portal/remediation
    sites
  • DNS set to NPS
  • No gateway
5. Endpoint opens browser; name service returns
NPS IP
  • Can be implemented without VLANs or in the
    quarantine or remediation VLAN
  • 4.1 plugin available for Microsoft Windows
    2000/2003
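
Step 4 above, as an added example that is not the TippingPoint plugin: given the DHCP server's normal offer and the NPS policy for the endpoint, a quarantined endpoint gets no router option, DNS pointed at the NPS, and classless static routes (DHCP option 121, RFC 3442) only to the NPS and the remediation sites. All addresses, the option dictionary layout and the policy fields are constructed for the example.

```python
import ipaddress

OPT_ROUTER, OPT_DNS, OPT_CLASSLESS_ROUTES = 3, 6, 121   # DHCP option codes

def encode_classless_routes(routes):
    """Encode [(destination network, gateway), ...] as DHCP option 121 (RFC 3442):
    for each route, the prefix length, only the significant destination octets,
    then the 4-byte gateway address."""
    out = bytearray()
    for dest, gateway in routes:
        net = ipaddress.IPv4Network(dest)
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(gateway).packed
    return bytes(out)

def rewrite_offer(options, policy):
    """Step 4: given the DHCP server's normal options (option code -> raw bytes) and
    the NPS policy for this endpoint, return the options actually sent. A compliant
    endpoint gets the offer unchanged; a quarantined one gets no gateway, DNS
    pointed at the NPS, and static routes only to the NPS and remediation sites."""
    if not policy["quarantine"]:
        return dict(options)
    out = {code: value for code, value in options.items()
           if code not in (OPT_ROUTER, OPT_DNS, OPT_CLASSLESS_ROUTES)}
    out[OPT_DNS] = ipaddress.IPv4Address(policy["nps_ip"]).packed
    routes = [(policy["nps_ip"] + "/32", policy["edge_router"])]
    routes += [(site, policy["edge_router"]) for site in policy["remediation_sites"]]
    out[OPT_CLASSLESS_ROUTES] = encode_classless_routes(routes)
    return out

# Constructed sample: the server's normal offer and an NPS policy for one endpoint.
SAMPLE_OFFER = {
    1: ipaddress.IPv4Address("255.255.255.0").packed,   # subnet mask
    OPT_ROUTER: ipaddress.IPv4Address("192.168.1.1").packed,
    OPT_DNS: ipaddress.IPv4Address("192.168.1.53").packed,
}
QUARANTINE_POLICY = {
    "quarantine": True,
    "nps_ip": "10.0.0.5",
    "edge_router": "192.168.1.1",
    "remediation_sites": ["10.99.0.0/24"],
}
```

No 0.0.0.0/0 route is ever encoded, since that would hand the quarantined endpoint a default gateway again; clients that ignore option 121 keep only their link-local reachability, which is the fail-closed case.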

16
TippingPoint Enforcement Advantages
  • Inline
    • Can be installed logically because it is
      VLAN-aware. NAC solutions developed as a switch
      may require a physical inline deployment that
      escalates the number of devices necessary and
      limits HA to being dependent on spanning tree.
    • Provides granular access control per connection.
  • 802.1X and DHCP
    • Other NAC solutions deployed out-of-band rely on
      switch infrastructure to send traps and may push
      new switch configurations on the fly, reliant on
      firmware support. TippingPoint uses
      standards-based approaches to ensure network
      compatibility.
    • Solutions developed as a switch or gateway only
      offer inline enforcement as part of their NAC
      solution. TippingPoint can offer inline
      enforcement only where it is appropriate given
      the deployment and user profiles.
    • 802.1X offers protection down to the edge port,
      while DHCP deploys without any changes to network
      infrastructure.

17
How Posture Collection Works
1. Endpoint downloads client (dissolvable or
persistent based on role). Systray icon displays
quarantine status by color.
2. Posture agent performs scan on endpoint and
returns scan results in XML over HTTPS.
3. NPS determines compliance based on endpoint
compliance with posture rules. Results are sent to
the agent and a network action is created. Posture
agent can force a new DHCP or 802.1x request.
4. Posture agent delivers the change delta in scan
results during heartbeat.
5. NPS determines any compliance changes and
sends updates to agent and network actions if
necessary. Remediation options are displayed on
client.
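The policy-server side of steps 2 to 5 above, as an added example that is not TippingPoint's agent or NPS: a posture report is parsed from XML, evaluated against "set and forget" rules expressed by version or by date (the policy style named on the NAC 4.1 slide), a heartbeat delta is merged into the stored report, and the result maps to a network action. The XML layout, product names, rule values and dates are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import date, timedelta

# Constructed posture report; the XML layout is an assumption, not TippingPoint's schema.
SAMPLE_REPORT = """<posture mac="00:11:22:33:44:55">
  <product type="antivirus" vendor="ExampleAV" version="9.2" signatures="2008-01-10"/>
  <product type="firewall" vendor="ExampleFW" version="2.8" enabled="true"/>
</posture>"""

# "Set and forget" rules per product type: minimum version, signature age, or enabled.
RULES = {
    "antivirus": {"min_version": (9, 0), "max_signature_age_days": 7},
    "firewall": {"min_version": (3, 0), "enabled": True},
}

def _version(text):
    return tuple(int(part) for part in text.split("."))

def parse_report(xml_text):
    """Return {product type: attributes} from a full report or a heartbeat delta."""
    return {p.get("type"): dict(p.attrib) for p in ET.fromstring(xml_text).findall("product")}

def evaluate(products, today_iso):
    """Steps 3 and 5: list every rule violation; an empty list means compliant."""
    today = date.fromisoformat(today_iso)
    failures = []
    for ptype, rule in RULES.items():
        product = products.get(ptype)
        if product is None:
            failures.append(f"{ptype}: not installed")
            continue
        if "min_version" in rule and _version(product["version"]) < rule["min_version"]:
            failures.append(f"{ptype}: version {product['version']} below minimum")
        if "max_signature_age_days" in rule:
            age = today - date.fromisoformat(product["signatures"])
            if age > timedelta(days=rule["max_signature_age_days"]):
                failures.append(f"{ptype}: signatures {age.days} days old")
        if rule.get("enabled") and product.get("enabled") != "true":
            failures.append(f"{ptype}: not enabled")
    return failures

def apply_delta(products, delta_xml):
    """Step 4: merge a heartbeat delta (only the products that changed) into the stored report."""
    return {**products, **parse_report(delta_xml)}

def network_action(failures):
    """The action returned to the agent; the failure list doubles as the remediation display."""
    return "allow" if not failures else "quarantine"
```

Because the agent reports and the server decides, the report itself is untrusted input: a real NPS would also authenticate the agent and bound what a delta may change.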
18
Posture Collection Advantages
  • TippingPoint's NAC posture client:
  • Does not require administrative access
    • NAC solutions utilizing Microsoft's RPC port or
      installed as a full application require
      administrative access
  • Is not blocked by personal firewall software
    • NAC solutions using network-based scans attempt
      to discover vulnerabilities by assessing open
      ports on the endpoint. Personal firewall
      software blocks these network-based scans from
      learning important information about the
      endpoint's compliance.
  • Is browser independent
    • NAC solutions using ActiveX are limited to
      supporting Internet Explorer browser versions only.
  • Supports Apple, Linux, Microsoft
    • Many NAC solutions only support Microsoft OS
      versions

19
User Directory Integration Advantages
  • Not all NAC Solutions integrate directly with
    LDAP or Active Directory
  • TippingPoint can mix and match multiple
    authentication methods with multiple
    authentication servers on the same network
  • Not all NAC Solutions can match on groups without
    changes to the external user directory
  • TippingPoint learns group membership and user
    account details during authentication without
    requiring any new policies or changes to user
    accounts in the user directories
  • Not all NAC Solutions can create defaults,
    causing an administrator to create policies for
    every group in the external authentication server
  • Roles-based policies use filters and matches to
    create defaults or collapse multiple groups into
    the same policy

20
TippingPoint Advantages
  • Multiple Enforcement Options. Other vendors will
    need to advocate that DHCP, 802.1x, or Inline
    enforcement by itself is the one perfect
    enforcement type. TippingPoint gives the
    flexibility to utilize the appropriate
    enforcement or combinations thereof under
    centralized management to provide a superior
    solution.
  • Multi-OS Posture Agent. TippingPoint posture
    agent does not require administrative access
    unlike vendors using RPC, is browser independent
    unlike vendors using ActiveX, can be used as
    persistent or dissolvable unlike vendors with
    only thick clients, and does not rely on any
    network-based scans that can be thwarted by
    personal firewalls.
  • Extended Posture Vendor Support and Update
    Service. TippingPoint offers posture checks for
    antivirus, antispyware, and personal firewall
    software with built-in support for hundreds of
    vendors with policies that update automatically.
  • Secure Guest Access. TippingPoint offers a clean
    guest-user experience with a customized captive
    portal, dissolvable posture agent, and specific
    access controls.
  • Integration with Intrusion Prevention.
    TippingPoint will offer integration of network
    access control into its award-winning
    best-in-breed IPS products to provide 360 degree
    coverage.

21
Substantial Growth in NAC Market
Network Access Control Market
  • Worldwide manufacturer revenue for NAC enforcement
    grows 1,101%, from $323 million to $3.9 billion,
    between 2005 and 2008
  • Network-integrated NAC enforcement (routers,
    switches, etc.)
    • 21% of all switches
    • 10% for routers in 2008
  • NAC enforcement appliances (IPS, F/W)
    • 16% for security appliances
    • By 2008, NAC appliances will support over 30M
      users
    • Each NAC appliance will support low thousands of
      users

Source: Infonetics, Gartner and Yankee Group Research
22
Selected TippingPoint NAC Customers
Healthcare
Higher Education
K-12
Airports
Department of Veterans Cyber Security
Government
Enterprise
23
Philadelphia School District
  • District: >300 K-12 schools
  • Network: over 25,000 APs (multiple vendors),
    360 buildings, 4 OC-192 rings in the backbone
  • Problem
    • Limited amount of IT staff located in central
      office to manage entire network
    • Need to automate management of entire AP network
    • Access control and other security support for
      numerous device types
  • Needs
    • Centralized management of infrastructure,
      security and users / applications
    • Solution needs to scale with size of network
    • Time / location-based management policies
    • Want access control and audit trails for wired
      ports

24
The Boeing Company
  • Size: 34 regions, 340 campuses / buildings
  • Problem
    • Multiple contractors and consultants visiting
      Boeing locations
    • Driven by CIO and VP level requirements
  • Needs
    • Multi-tiered guest access critical to operations
    • Various guest user types that have specific
      network and application access requirements
    • Self-registration with automated approval process
      and provisioning management
    • Detailed audit trails
    • Support for internal user access management

25
Thank You