Waterford Institute of Technology WIT
Network Admission Control to WLAN
at WIT
Presented by: Aidan McGrath B.Sc. M.A.
1
Why deploy a wireless LAN?
• Can be seen to be behind the technology by potential students if not deployed.
• Keep up with technology demands of modern students.
• It will happen anyway, so why not take control from the start.
• Students used to mobile phones, so why not mobile computing?
• Reduce demand on providing more PCs which then need to be replaced.
2
What are the challenges of a WLAN?
• Disappearing security boundaries expose internal infrastructure and assets.
• Ensuring policy compliance for all endpoint devices seeking network access.
• Providing sufficient access points – how many/where?
• Does one size fit all?
3
What are the solutions?
• Turn on service and hope for the best – no checking of laptops for vulnerabilities.
• Manual intervention to assess laptops for risks.
• Automatic posture assessment of laptop at time of connection – network admission control (NAC).
4
Network Admission Control (NAC)
Use the network to enforce policies to ensure that incoming
devices are compliant.
Identity
• Who is the user?
• Is s/he authorised?
• What role does s/he get?
Device security
• Is OS patched?
• Does A/V or A/S exist?
• Is it running?
• Are services on?
• Do required files exist?
Network security
• Is policy established?
• Are non-compliant devices quarantined?
• Is remediation required?
• Is remediation available?
5
All-in-One Policy Compliance and
Remediation Solution
Authenticate & Authorise
• Enforces authorisation policies and privileges
• Supports multiple user roles
Scan & Evaluate
• Agent scan for required versions of hotfixes, AV, and other software
• Network scan for virus and worm infections and port vulnerabilities
Quarantine
• Isolate non-compliant devices from rest of network
• MAC and IP-based quarantine effective at a per-user level
Update & Remediate
• Network-based tools for vulnerability and threat remediation
• Help-desk integration
6
Cisco NAC Appliance (Cisco Clean Access)
Components
Clean Access Server (CAS)
• Serves as an in-band or out-of-band device for network access control
Clean Access Manager (CAM)
• Centralises management for administrators, support personnel, and operators
Clean Access Agent
• Optional lightweight client for device-based registry scans in unmanaged environments
Rule-set Updates
• Scheduled automatic updates for anti-virus, critical hot-fixes and other applications
7
Clean Access:
Sampling of Pre-Configured Checks
• Critical Windows Updates (Windows XP, Windows 2000, Windows 98, Windows ME)
• Anti-Virus Updates
• Anti-Spyware Updates
• Other 3rd Party Checks
• Cisco Security Agent
8
Product User Flow Overview
The Goal
1. End user attempts to access a Web page or uses an optional client. Network access is blocked until wired or wireless end user provides login information.
2. User is redirected to a login page. Clean Access validates username and password, also performs device and network scans to assess vulnerabilities on the device.
3a. Device is noncompliant or login is incorrect: user is allowed 30min limited access to appropriate remediation sites (Quarantine).
3b. Device is “clean”: machine gets on “certified devices list” and is granted access to network.
Diagram components: Clean Access Server, Clean Access Manager, Authentication Server, Intranet/Network.
9
Screen Shots (MS Client)
• Login screen
• Scan is performed (types of checks depend on user role)
• Scan fails
• Remediate
10
Screen Shots (Web browser – non MS)
• Login screen
• Scan is performed (types of checks depend on user role/OS)
• Guided self-remediation
11
Process Flow: Wireless Access
Role: “Unauthenticated”
Diagram components:
• WLC: 192.168.60.3 (Mgmt VLAN 60), 192.168.50.2 (User VLAN 50)
• Laptop IP: 192.168.50.3
• Clean Access Server IP: 192.168.10.2 (NAC Enforcement Point)
• Auth Server IP: 10.1.1.25
• Clean Access Manager IP: 10.1.1.30
• Intranet Server
• L3 Switch IP: 192.168.10.1
• DNS Server IP: 10.20.20.20
• Radius Accounting Server IP: 10.1.1.26
1. Wireless user connects to WLC via LWAPP (open authentication)
2. Wireless user obtains IP address from WLC
3. Wireless user opens a browser and is redirected to download the Clean Access Agent (if they don’t already have it loaded)
12
Process Flow: Network Admission Control 1
Role: “Unauthenticated”
Diagram components:
• Auth Server (Radius) IP: 10.1.1.25
• Clean Access Manager IP: 10.1.1.30
• Laptop IP: 192.168.1.150
• Clean Access Server IP: 192.168.1.2 (NAC Enforcement Point)
• Router IP: 192.168.1.1
• Internet, Web Server, DNS Server
1. CAS determines that laptop MAC address is not in “certified device” list – not logged on recently.
2. CAS puts laptop into the “Unauthenticated Role”.
3. Laptop gets an IP address from DHCP server, but cannot get past CAS acting as “IP filter.”
4. Laptop user opens a browser and is redirected to an SSL-based web login page.
• User enters credentials.
• User is asked to download the Clean Access Agent.
13
Process Flow: NAC 2
Role: “Temporary”
Diagram components:
• Auth Server IP: 10.1.1.25
• Laptop IP: 192.168.1.150
• Clean Access Manager IP: 10.1.1.30
• Clean Access Server IP: 192.168.1.2 (NAC Enforcement Point)
• Router IP: 192.168.1.1
• Internet, Web Server, DNS Server IP: 10.20.20.20
5. Clean Access Agent performs posture assessment and forwards the results to the CAS to make the network admission decision.
6. CAS forwards posture report to CAM.
7. CAM determines that the laptop is NOT in compliance and instructs the CAS to put the laptop into the “Temporary Role.”
• CAM sends remediation steps to Clean Access Agent.
14
Process Flow: NAC 3
Role: “Temporary”
Diagram components:
• Auth Server IP: 10.1.1.25
• Laptop IP: 192.168.1.150
• Clean Access Manager IP: 10.1.1.30
• Clean Access Server IP: 192.168.1.2 (NAC Enforcement Point)
• Router IP: 192.168.1.1
• Internet, Web Server, DNS/DHCP Server IP: 10.20.20.20
8. Clean Access Agent displays access time remaining in “Temporary Role” for laptop.
• CCA Agent guides user step-by-step through remediation.
• Patches can be downloaded from update sites such as https://liveupdate.symantec.com or http://windowsupdate.microsoft.com
9. CCA Agent informs CAS that the laptop has been successfully remediated.
15
Process Flow: NAC 4
Role: “Clean”
Diagram components:
• Laptop IP: 192.168.1.150
• Auth Server IP: 10.1.1.25
• Clean Access Manager IP: 10.1.1.30
• Clean Access Server IP: 192.168.1.2 (NAC Enforcement Point)
• Router IP: 192.168.1.1
• Internet, Web Server, DNS Server IP: 10.20.20.20
10. CAS puts MAC address of laptop into “Certified Device” list.
• CAS assigns laptop to the “Clean Role” for 24 hour period.
• Laptop is now allowed complete access to the Internet.
16
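As an added illustration (not Cisco's code and not part of the original slides), the following Python models the admission flow of slides 13–16 together with the slide 5 posture questions: an unexpired entry on the certified device list gives the "Clean" role, a failed posture check gives the "Temporary" role with remediation steps, and a compliant device is certified for 24 hours. The check names, the MAC address and the integer timestamps are constructed for the example, and the CAM decision and CAS enforcement are collapsed into one object.

```python
"""Model of the Clean Access admission flow from slides 13-16 (added example)."""
from dataclasses import dataclass, field

CERTIFIED_LIFETIME = 24 * 3600   # slide 16: "Clean Role" held for a 24 hour period
TEMP_ACCESS_WINDOW = 30 * 60     # slide 9: 30 min limited access for remediation

# Posture checks modelled on slide 5 (OS patched? A/V exists? Is it running?
# Do required files exist?). Check names are constructed for this example.
REQUIRED_CHECKS = ("os_patched", "av_installed", "av_running", "required_files_present")


def evaluate_posture(report):
    """Return the checks that failed; an empty list means the device is compliant."""
    return [check for check in REQUIRED_CHECKS if not report.get(check, False)]


def temporary_access_remaining(entered_at, now):
    """Seconds left in the "Temporary Role" window (slide 15, step 8)."""
    return max(0, TEMP_ACCESS_WINDOW - (now - entered_at))


@dataclass
class NacController:
    """CAM decision and CAS enforcement collapsed into one object for brevity."""
    certified: dict = field(default_factory=dict)   # MAC address -> expiry time

    def initial_role(self, mac, now):
        """Steps 1-2: a MAC not on the current certified list is Unauthenticated."""
        expiry = self.certified.get(mac)
        if expiry is not None and now < expiry:
            return "Clean"
        self.certified.pop(mac, None)    # expired entries fall off the list
        return "Unauthenticated"

    def admit(self, mac, credentials_ok, report, now):
        """Steps 4-10: login, posture report, then Temporary or Clean role.

        Returns (role, remediation_steps)."""
        if not credentials_ok:
            return "Unauthenticated", []       # slide 9, 3a: login is incorrect
        failed = evaluate_posture(report)
        if failed:
            # Step 7: non-compliant -> Temporary Role, remediation steps to the Agent
            return "Temporary", [f"remediate {check}" for check in failed]
        # Step 10: compliant -> certified device list, Clean Role for 24 hours
        self.certified[mac] = now + CERTIFIED_LIFETIME
        return "Clean", []
```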
WIT Wireless Network
Diagram components:
• Cisco 4400 Wireless LAN Controller
• Aironet 1100 AP
• LWAPP Encrypted Tunnel
• AP Network VLAN 216
• WLAN Network VLAN 215
• Trusted WLAN DMZ
• Untrusted WLAN DMZ
• L3 6513 Switch
• ASA 5550
• Clean Access Server
• Clean Access Manager
• Cisco ACS Server
• Internet
• Laptop
17
WIT Wireless Network Future Developments
• Out of band wired access
• Nessus vulnerability scanner http://www.nessus.org/ for Mac OS X, Linux, Solaris and FreeBSD
18
WIT Wireless Network - Partners
19