SEC-2010

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public


Deploying Network Admission Control


Agenda
 Overview
 General Design and Deployment
 Campus Design
 Remote Office Design
 NAC Profiler
 Guest Access
 Coming Soon!!
 Q&A

Cisco NAC Overview


What Is Network Admission Control?
Using the network to enforce policies ensures that incoming devices are compliant. NAC combines three sets of checks:

Identity ("Please enter username:")
 Who is the user?
 Is s/he authorised?
 What role does s/he get?

Plus device security
 Is MS patched?
 A/V or A/S exists?
 Is it running?
 Are services on?
 Do required files exist?

Plus network security
 Is policy established?
 Are non-compliant devices quarantined?
 Remediation needed?
 Remediation available?

Cisco NAC Innovation
Figure: NAC market size by year (source: IDC, June 2007): 2004 $92m, 2005 $131m, 2007 $207m, 2008 $354m. Value-add has been added in layers between 2003 and 2008:
 User Identity: Who are you?
 Posture Assessment: What’s on your device?
 Device Profiling: What other devices are connected?
 Secure Guest: Who else is connecting?

Basic NAC Components
 NAC Manager (Clean Access Manager)
Centralises management for administrators, support personnel, and operators
 NAC Server (Clean Access Server)
Serves as the enforcement point for network access control
 NAC Agent (Clean Access Agent)
Optional lightweight client (or web-based client) for device-based registry scans
 Rule-set Updates
Scheduled automatic updates for anti-virus, critical hot-fixes and other applications

Identity Authentication + NAC Services
Base NAC System: Identity Authentication, plus integrated NAC Services that reduce ongoing operational costs (figure labels: SSC, +, +, +).

Identity Authentication
 User & device auth
 Network reach isolation (L2 & L3)
 Device mobility in the network
 SSO, web, 802.1x

Posture Services
 Managed Device Posture
 Unmanaged Device Scanning
 Remediation

Profiling Services
 Device Profiling
 Behavioural Monitoring
 Device Reporting

Guest Services
 Guest & Registration Portals
 Role-based AUP
 Provisioning & Reporting

Cisco NAC Appliance Partnerships
Cisco NAC is committed to protecting customers’ investments in partner applications.
NAC Appliance supports policies for 300+ applications (the slide shows the partner vendor logos, not reproduced here).

NAC Solution Sizing and Platforms
NAC Management Components (hardware platform legend: ISR NM, 3310, 3350, 3390)
 Lite Manager (up to 3 Servers)
 Std Manager (up to 20 Servers)
 Super Manager (up to 40 Servers)

NAC Server Components
 ISR Network Module: 50 or 100 users
 Appliance: 100, 250, or 500 users
 Appliance: 1500, 2500, or 3500 users
Users = online, concurrent

Additional NAC Services
 Guest Server
 Profiler Server

Process Flow—Protocol Exchange
Participants: User Machine, NAC Server, NAC Manager (MGR). Port numbers are as shown on the slide.

User Machine ↔ NAC Server
 DHCP Request
 Open Web browser (if no agent); URL redirect to Weblogin
 Download Clean Access Agent
 UDP Discover (8905, 8906)
 Connect via TCP (443); Download Policy to Agent
 Agent performs Posture Assessment
 Server performs Access Enforcement; the user is Certified and Logged On

NAC Server ↔ NAC Manager
 Pre-connect (1099)
 Connect request (1099)
 Connect Response (8955, 8956)
 Agent download (80)
 User Login (443)
 Agent checks and rules, XML (443)
 Report (443)

Agent Options: Web and Persistent


Cisco NAC Design & Deployment


NAC Deployment Options
 Distributed architecture deployment
 CAS is in Bridged (Virtual Gateway) or Routed (Real-IP Gateway) mode
 Users are Layer 2 (L2) or Layer 3 (L3) adjacent to the CAS
 CAS is Inline (IB) all the time, or Out-of-Band (OOB): an OOB CAS is inline only during NAC posture assessment and remediation

NAC Server Foundation: Bridge Or Router?
 NAC Servers at the most basic level can pass traffic in one of two ways:
Bridged Mode = Virtual Gateway (VGW)
Routed Mode = Real IP Gateway / NAT Gateway (RIPGW)
 Any NAC Server can be configured for either method, but a NAC Server can only be one at a time
 Gateway mode selection affects the logical traffic path
 It does not affect whether a NAC Server is in Layer 2 mode, Layer 3 mode, In Band or Out of Band

NAC Server Foundation: Bridge Mode
 Direct bridging: frame comes in, frame goes out
 VLAN IDs are either passed through untouched or mapped from A to B
 DHCP and client routes point directly to network devices on the Trusted side
 NAC Server is an IP-passive bump in the wire, like a transparent firewall

NAC Server Foundation: Routed Mode
 NAC Server is routing: packet comes in, packet goes out
 VLAN IDs terminate at the Server, no pass-through or mapping
 DHCP and client routes usually point to the Server (for /30 subnets)
 NAC Server is an active IP router and can also NAT outbound packets *
* Be aware of NAT performance limitations

NAC Server Foundation: Layer 2 Mode and Layer 3 Mode
 NAC Servers have two client access deployment models: Layer 2 Mode and Layer 3 Mode
 Any NAC Server can be configured for either method, but a NAC Server can only be one at a time
 Deployment mode selection is based on whether the client is Layer 2 adjacent to the NAC Server

NAC Server Foundation: Layer 2 Mode
 Client is Layer 2 adjacent to the Server
 MAC address is used as the unique identifier
 Supports both VGW and Real IP GW
 Supports both In Band and Out of Band
 Most common deployment model for LANs

NAC Server Foundation: Layer 3 Mode
 Client is NOT Layer 2 adjacent to the NAC Server
 IP address is used as the unique identifier
 Supports both VGW and Real IP GW
 Supports In Band mode
 Needed for WAN and VPN deployments

NAC Server Foundation: In Band and Out of Band
 NAC Servers have two traffic flow deployment models: In Band and Out of Band
 Any NAC Server can be configured for either method, but a NAC Server can only be one at a time
 Selection is based on whether the customer wants to remove the NAC Server from the data path
 NAC Server is ALWAYS inline during Posture Assessment

NAC Server Foundation: In Band
 Easiest deployment option
 NAC Server is inline (in the data path) before and after posture assessment
 Supports any switch, any hub, any AP
 Role-based access control (Guest, Contractor, Employee)
 ACL filtering and bandwidth throttling

NAC Server Foundation: Out of Band
 Multi-gigabit throughput deployment option
 NAC Server is inline for posture assessment only
 Supports most common Cisco switches **
 Port-VLAN-based and role-based access control
 ACL filtering and bandwidth throttling for posture assessment only
 NAC Manager controls the port using SNMP

Out-of-Band Process Flow
Example topology (from the slide diagram): DHCP server in VLAN 10, scope 10.10.0.5 – 10.10.0.254. Switch SVIs: v10 10.10.0.1, v900 10.90.0.1, v30 10.30.0.1. NAC Server trusted side 10.30.0.2 on VLANs 10 and 30, with VLAN mapping v110 → v10; untrusted side on VLAN 110 over a dot1q trunk carrying v10 and v110; VLAN 900 with 10.90.0.2. The PC port is in v10 or v110.

1. PC is attached to the network.
2. Switch sends the MAC address via SNMP to the NAC Manager.
3. NAC Manager verifies whether the PC is ‘Certified’. If the PC is not certified, NAC Manager instructs the switch to assign the port to the Authentication VLAN (v110). The PC gets a DHCP IP address in the VLAN 10 subnet (IP 10.10.0.10, DG 10.10.0.1) because DHCP/DNS traffic passes through the NAC Server using VLAN mapping.
4. All traffic from the PC flows to the NAC Server, which enforces the network access restrictions.
5. PC goes through Authentication, Posture Assessment and Remediation.
6. NAC Server informs NAC Manager that the PC is ‘Certified’.
7. NAC Manager instructs the switch to assign the port to the ‘Access’ VLAN (v10), based on port mapping or user role assignment.
8. PC is allowed access to the network, keeping IP 10.10.0.10 and DG 10.10.0.1: no address change is needed because the auth VLAN was mapped onto the access subnet.
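The eight steps above are a small control loop driven by SNMP: the switch's MAC notification, the NAC Manager's certified list, and SNMP writes that move the port between the authentication VLAN and the access VLAN. The block below is an added example in Python, not code from the deck or from Cisco NAC Appliance, that models that loop on the slide's topology (auth VLAN 110 mapped onto access VLAN 10). The role-to-VLAN table, MAC addresses, port names and posture results are constructed, and the SNMP write is replaced by a logged in-memory call so the sequence can be checked offline.

```python
from dataclasses import dataclass, field

# Topology from the slide: the NAC Server (VGW) maps auth VLAN 110 onto access VLAN 10, so a
# client gets a 10.10.0.0/24 address and gateway 10.10.0.1 whichever VLAN its port is in.
AUTH_VLAN, ACCESS_VLAN = 110, 10
VLAN_MAPPING = {AUTH_VLAN: ACCESS_VLAN}
ROLE_VLANS = {"Employee": 10, "Contractor": 20}   # assumption: role -> access VLAN for step 7


@dataclass
class Port:
    switch: str
    name: str
    vlan: int


@dataclass
class NacManager:
    """CAM: the certified list plus the SNMP writes that move ports (steps 2, 3 and 7)."""
    certified: dict = field(default_factory=dict)   # mac -> role
    ports: dict = field(default_factory=dict)       # mac -> Port
    snmp_log: list = field(default_factory=list)

    def _snmp_set_vlan(self, port, vlan):
        port.vlan = vlan                            # stands in for the SNMP set on the switch
        self.snmp_log.append(f"{port.switch} {port.name} -> vlan {vlan}")

    def on_mac_notification(self, mac, port):
        """Steps 2-3: the switch reports a new MAC; CAM picks the auth VLAN or the role's access VLAN."""
        self.ports[mac] = port
        if mac in self.certified:
            self._snmp_set_vlan(port, ROLE_VLANS[self.certified[mac]])
            return "access"
        self._snmp_set_vlan(port, AUTH_VLAN)
        return "auth"

    def on_certified(self, mac, role):
        """Steps 6-7: the NAC Server reports the client certified; CAM moves the port to the role's VLAN."""
        self.certified[mac] = role
        self._snmp_set_vlan(self.ports[mac], ROLE_VLANS[role])

    def on_link_down(self, mac):
        """A port going down clears the certified entry so the next device on it re-postures."""
        self.certified.pop(mac, None)
        self.ports.pop(mac, None)


def data_path(port):
    """Client traffic crosses the NAC Server only while the port sits in a mapped auth VLAN."""
    return "via NAC Server (enforced)" if port.vlan in VLAN_MAPPING else "direct to network"


def nac_server_session(mac, credentials_ok, posture_ok, cam, role):
    """Steps 4-6 as seen by the NAC Server: enforce, authenticate, posture, then report 'Certified'."""
    if not credentials_ok:
        return "login failed; port stays in auth VLAN"
    if not posture_ok:
        return "quarantined for remediation; port stays in auth VLAN"
    cam.on_certified(mac, role)
    return "certified"


def run_flow(mac, credentials_ok, posture_ok, role="Employee", cam=None):
    """Runs steps 1-8 for one client and returns the observable outcome."""
    cam = cam if cam is not None else NacManager()
    port = Port("access-sw1", "Fa0/5", vlan=ACCESS_VLAN)          # step 1: PC attached (constructed port)
    decision = cam.on_mac_notification(mac, port)                 # steps 2-3
    # DHCP/DNS cross the NAC Server through the VLAN mapping, so the client addresses as a VLAN 10 host
    client_ip, gateway = "10.10.0.10", "10.10.0.1"
    if decision == "auth":
        outcome = nac_server_session(mac, credentials_ok, posture_ok, cam, role)   # steps 4-6
    else:
        outcome = "already certified; no posture re-run"
    return {"decision": decision, "outcome": outcome, "port_vlan": port.vlan,
            "path": data_path(port), "client": (client_ip, gateway), "cam": cam}


if __name__ == "__main__":
    first = run_flow("00:11:22:33:44:55", credentials_ok=True, posture_ok=False)
    print(first["outcome"], first["port_vlan"], first["path"])
    second = run_flow("00:11:22:33:44:55", True, True, cam=first["cam"])
    print(second["outcome"], second["port_vlan"], second["path"])
    print(*second["cam"].snmp_log, sep="\n")
```

Two things the model makes visible: the port only leaves the NAC Server's data path once the certified entry exists, and that entry is keyed by MAC address, which is why the SNMP path between switch and NAC Manager (write community or SNMPv3 credentials, restricted by ACL to the manager) and the certified-list timers deserve the same scrutiny as the posture policy itself.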

Network Design: L2 Out of Band, VGW with IP Phones
(Diagram only in the original; the one legible label is VLAN 900.)

NAC Appliance for Remote Users
Diagram: the Central Site NAC Appliance is reached over an IPSec VPN from a Supply Partner Extranet, over an SSL Tunnel VPN from an Account Manager / Mobile User, over an IPSec VPN (multi-hop IP) from a Branch Office with Corporate Users, and from a Home Office Unmanaged Desktop.

Features
 Supports IPSec and SSL Tunnel VPNs
 Supports site-to-site VPNs
 Supports VPN user sign-on

Benefits
 Extends policy enforcement and compliance to remote access and VPN users
 Extends enforcement to site-to-site VPN partners
 Leverages VPN sign-on for single sign-on

Deploy VPN with Single Sign On (SSO)
 User logs in using an IPSec or SSL VPN client
 VPN server sends a RADIUS Accounting packet to the NAC Server
 NAC Server performs SSO for that user based on the Accounting packet
 NAC Server can optionally be configured to forward that Accounting packet to another RADIUS server

Cisco NAC for Wireless Users
Diagram: Central Site NAC Appliance; 802.1q trunking and LWAPP/GRE carry Wireless Network (WLSM) Guest Users, Wireless Network LWAPP Users and Campus Building Wireless Users to it.

Features
 Supports 802.1q trunking
 Supports thin or thick wireless 802.11 APs
 Supports wireless user single sign-on

Benefits
 Enables central deployment mode
 Extends enforcement to any wireless network
 End-user devices can be several hops away
 Leverages 802.1x sign-on for single sign-on

Wireless with Single Sign On (SSO)
 WLC performs Authentication
 WLC sends RADIUS Accounting to the NAC Server
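Both the VPN SSO and the wireless SSO flows above rest on the NAC Server trusting a RADIUS Accounting-Start from the VPN concentrator or WLC, so the check that matters is the one on the Request Authenticator. The following is an added example in Python, not code from the deck or from Cisco NAC Appliance: it builds an Accounting-Request the way the NAS would, verifies the Request Authenticator on the NAC Server side (MD5 over the packet with a zeroed authenticator field followed by the shared secret, as RFC 2866 specifies) before creating an SSO session, and shows the re-signing needed for the optional forwarding to another RADIUS server. The shared secrets, user names, client addresses and the role lookup are constructed for the example.

```python
import hashlib
import hmac
import struct

# RFC 2865/2866 code and attribute types used here
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_ACCT_STATUS_TYPE = 1, 8, 40
ACCT_START, ACCT_STOP = 1, 2

NAS_SECRET = b"vpn-or-wlc-to-nac"        # assumption: secret shared by the NAS and the NAC Server
UPSTREAM_SECRET = b"nac-to-upstream"     # assumption: secret for the RADIUS server we forward to


def _encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def _request_authenticator(header, body, secret):
    # Accounting Request Authenticator = MD5(Code+ID+Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + bytes(16) + body + secret).digest()


def build_accounting_request(identifier, user, framed_ip, status, secret):
    """What the VPN concentrator / WLC sends after a successful login (or at logout)."""
    body = _encode_attrs([
        (ATTR_USER_NAME, user.encode()),
        (ATTR_FRAMED_IP, bytes(int(o) for o in framed_ip.split("."))),
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status)),
    ])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return header + _request_authenticator(header, body, secret) + body


def _parse_attrs(body):
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    return attrs


def handle_accounting(packet, secret, sessions, role_for_user):
    """NAC Server side of SSO. Returns a status string; `sessions` maps client IP -> (user, role).

    The authenticator check is the security-relevant step: without it, any host able to reach the
    accounting port on the NAC Server could forge an Accounting-Start and obtain a logged-in session."""
    if len(packet) < 20:
        return "drop: short packet"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return "drop: not a well-formed Accounting-Request"
    header, received, body = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(received, _request_authenticator(header, body, secret)):
        return "drop: bad Request Authenticator (wrong secret or forged packet)"
    try:
        attrs = _parse_attrs(body)
        user = attrs[ATTR_USER_NAME].decode()
        ip = ".".join(str(b) for b in attrs[ATTR_FRAMED_IP])
        status = struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE])[0]
    except (KeyError, ValueError, UnicodeDecodeError):
        return "drop: missing or malformed attributes"
    if status == ACCT_START:
        sessions[ip] = (user, role_for_user(user))
        return f"sso: {user} at {ip} placed in role {sessions[ip][1]}"
    if status == ACCT_STOP:
        sessions.pop(ip, None)
        return f"logout: {user} at {ip}"
    return "ignore: other Acct-Status-Type"


def forward_accounting(packet, upstream_secret):
    """Optional forwarding to another RADIUS server: the authenticator has to be recomputed with that
    server's secret, otherwise the upstream server rejects the packet."""
    header, body = packet[:4], packet[20:]
    return header + _request_authenticator(header, body, upstream_secret) + body


def run_demo():
    """Constructed exchange: a genuine Start, a forged Start, a Stop, and a forwarded copy."""
    sessions = {}
    role = lambda user: "Employee" if user.endswith("@corp.example") else "Guest"
    good = build_accounting_request(1, "alice@corp.example", "10.20.30.40", ACCT_START, NAS_SECRET)
    forged = build_accounting_request(2, "mallory@corp.example", "10.20.30.41", ACCT_START, b"guess")
    stop = build_accounting_request(3, "alice@corp.example", "10.20.30.40", ACCT_STOP, NAS_SECRET)
    results = [handle_accounting(p, NAS_SECRET, sessions, role) for p in (good, forged)]
    after_start = dict(sessions)
    results.append(handle_accounting(stop, NAS_SECRET, sessions, role))
    forwarded = handle_accounting(forward_accounting(good, UPSTREAM_SECRET), UPSTREAM_SECRET, {}, role)
    return {"results": results, "after_start": after_start, "after_stop": dict(sessions),
            "forwarded": forwarded}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The forged packet is dropped only because the secret is checked; accounting traffic is otherwise plaintext UDP, so the secret and the source-address restriction on which NAS may send accounting to the NAC Server are the whole of the trust in this SSO path.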

Cisco NAC Campus Design


Complete Layer 2 Network
Diagram: a Collapsed Core / Distribution pair (Si) with two access-layer switches. One access switch carries VLANs 10, 20, 30 and VLANs 110, 120, 130; the other carries VLANs 40, 50, 60 and VLANs 140, 150, 160 (the 1xx VLANs are the authentication VLANs, following the VLAN-mapping convention of the OOB process flow).

Network Topology: Campus Multilayer Design
Diagram: Core above distribution switches D1 (.4) and D2 (.5); SVR-1 (Active) hangs off D1 and SVR-2 (Standby) off D2, each with a Trusted (T, VLAN 300) and an Untrusted (U, VLAN 200) interface. VLAN 200 – 10.0.1.0/24 (Untrusted), VLAN 300 – 10.0.2.0/24 (Trusted), VLAN 100 used for L3 peering; NAC Manager: 10.10.10.10. Access VLANs: VLAN 10 – Data, VLAN 11 – Voice, VLAN 16 – Auth.
 Replace the L3 routed link between the distribution layer devices with a L2 EtherChannel trunk
 Carry only 3 VLANs on the trunk: Trusted (300), Untrusted (200) and RP peering (100); establish L3 peering via SVI 100
 Topology remains loop free
 HSRP is used between the Untrusted SVIs (200) and the Trusted SVIs (300)

Network Topology: Campus Routed Access Design
Diagram: the same distribution pair (D1 .4, D2 .5) and NAC Server pair (SVR-1 Active, SVR-2 Standby; T = VLAN 300, U = VLAN 200), but the links from the access layer up to D1/D2 are L3 routed. VLAN 200 – 10.0.1.0/24, VLAN 300 – 10.0.2.0/24, VLAN 100 used for L3 peering; NAC Manager: 10.10.10.10. Access VLANs: VLAN 10 – Data, VLAN 11 – Voice, VLAN 16 – Auth.
 Replace the L3 routed link between the distribution layer devices with a L2 EtherChannel trunk
 Carry only 3 VLANs on the trunk: Trusted (300), Untrusted (200) and RP peering (100); establish L3 peering via SVI 100
 Maintain L3 routed links between the access and distribution layers
 HSRP is used between the Untrusted SVIs (200) and the Trusted SVIs (300)

Enforcing Auth Traffic Through CAS
Use of Policy-Based Routing
 A common ACL/route-map can be defined independently of the network deployment (Multilayer or Routed Access)
 The policy route-map is applied to the Auth SVIs (Multilayer design) or to the routed interface (Routed Access design)
 Traffic is always policy routed to the active NAC Server, since it “owns” the VIP 10.0.1.10

Configuration from the slide. Two corrections: the route-map must reference the ACL by the name it was given (the slide's match statement named a different list), and the DHCP exclusion has to match client requests, which are sent to the bootps port (67), not bootpc (68). <DHCP_IP> is the slide's own placeholder.

ip access-list extended NACS-PBR
 remark Do not policy-route DHCP requests to the NAC Server
 deny udp any host <DHCP_IP> eq bootps
 remark Everything else from the Auth subnets goes to the active NAC Server
 permit ip 10.1.10.0 0.0.0.255 any
 permit ip 10.1.20.0 0.0.0.255 any
!
route-map NACS-PBR permit 10
 match ip address NACS-PBR
 set ip next-hop 10.0.1.10
!
! Apply the policy route-map on each Auth SVI (Multilayer) or routed Auth interface (Routed Access), on D1 and D2:
interface Vlan16
 ip policy route-map NACS-PBR

Traffic Load Balancing (CEF/GLBP)
Diagram: the same Core / D1 (.4) / D2 (.5) topology with SVR-1 (Active) and SVR-2 (Standby), Trusted VLAN 300 and Untrusted VLAN 200, and access VLANs 10 (Data), 11 (Voice), 16 (Auth).
 Upstream Auth traffic directed to the distribution device connected to the Standby NAC Server uses the transit link to reach the Active NAC Server: a suboptimal path, but only for a limited amount of traffic
 Downstream Auth traffic bypasses the NAC Server, and this is the direction in which most traffic flows (patching, remediation, etc.)
 If downstream traffic does not go through the NAC Server, host policies will not work; additional PBR for DNS return traffic may be configured for this

Virtualisation using ACE/CSM
Diagram: Data Centre with the CAM, two ACE modules and a farm of NAC Appliances behind the ACE VIP 10.10.42.1; Core, D1 and D2 below; access VLANs 10 (Data), 11 (Voice), 16 (Auth).
 ACE uses a single Virtual IP to load balance authentication sessions to the NAC Appliances’ Untrusted interfaces
 The ACE Virtual Server IP servicing the farm of NAC Appliances in the Data Centre is the default-gateway / next-hop IP for all traffic in the Authentication VLAN
 Traffic from a client in the Auth VLAN can be directed to the ACE Virtual IP using MPLS VPN, PBR, VRF-Lite, or the Discovery Host (Agent only; the Discovery Host is set to the ACE VIP address 10.10.42.1)
 A class-map on the ACE can control the interesting traffic
 Interface “health probes” are used on the ACE to detect the status of the NAC servers

Physical Topology
Diagram: ACE module on a Catalyst 6K in front of the NAC servers.
 L3-OOB does not require bi-directional symmetric traffic through the NAC servers
 Host-based traffic rules are therefore not applicable

Virtualisation using ACE/CSM – L3 OOB
 Traffic on the Auth VLAN is routed to the ACE Virtual IP servicing the Untrusted interfaces of the NAC Servers
 The NAC Server SSL certificate should be generated using the Untrusted interface IP address (otherwise the NAC Server redirects the user to the Trusted interface)
 Configure ACLs to deny UDP 8906 packets from the clients to the Untrusted network of the NAC Server on the Access VLAN, so that agents on already-certified ports do not keep reaching the NAC Server with discovery packets

Cisco NAC Remote Branch Deployments


Deployment Options for Remote Sites
Central Site Inband Server
• Easy deployment behind the central site WAN router
• No network changes to the remotes
• Doesn’t provide local segmentation

Remote Server (Inband or OOB)
• Easy deployment locating the Server at the remote site
• Smallest Server priced for 100 users
• Provides full functionality

Central Site OOB Server
• More complicated network design
• NAC Server located at the central site
• Authentication VLAN traffic needs to be segmented across the WAN using network controls

Different options suit different networks, from SOHO to branch to multi-site campus networks.

Central Site Inband NAC Server
Diagram: NAC Manager, Central Site Resources and the NAC Server at the central site; remote sites reach them across the IP Network.
 No access to the central site without meeting policy
 Remote segmentation depends on the WAN technology
 Point-to-point networks can hairpin traffic through the NAC Server to segment remotes
 MPLS or meshed networks cannot segment remote branches
Evaluate requirements: this is the easiest and fastest method of deployment if it meets the needs.

Remote Site NAC Server or Network Module (In-band or OOB)
Diagram: NAC Manager at the central site; a NAC Server appliance or a NAC Server Network Module for the ISR at the remote site, connected over the IP Network.
 Minimal network changes (same as a campus deployment)
 Remote segmentation, or port segmentation using OOB
 Full feature support: keep IP address (VGW), /30s etc.
 Deploy In-Band for both wired and wireless users
 Deploy Out-of-Band for wired-only deployments
Optimal solution: provides all the functions of a campus deployment; contrast with cost.

Central Site Out of Band NAC Server (L3 OOB)
Diagram: NAC Manager, Remediation Resources and the NAC Server at the centre; remote sites across the IP Network.
 NAC Server deployed at the centre
 Traffic from the Auth VLAN must be restricted to the NAC Server, Remediation Services etc.
 Remote segmentation is controlled through either Access Control Lists, Policy Based Routing, a separate MPLS VPN, or GRE tunnels, IPSec, etc.
Port-based control with a central NAC Server comes with increased deployment complexity.

L3 OOB with Access Control Lists
Diagram: NAC Manager, NAC Server, AV Server (10.1.1.0/24) and Windows Update Server at the central site, reached across the IP Network from a remote site with an Authenticated VLAN (192.168.1.0/24) and an Unauthenticated VLAN (192.168.2.0/24).

1. User connects a laptop to the network.
2. Switch tells the NAC Manager, which puts the port in the unauthenticated VLAN.
3. NAC Agent on the user’s PC sends a discovery packet to the NAC Manager.
4. NAC Server intercepts the discovery packet and goes through authentication, posture checking, remediation etc. with the client.
5. Lastly the NAC Manager changes the switch port of the PC to the authenticated VLAN.

What If the PC Has a Worm/Virus/Malware?
 If the PC has a worm it could send traffic into the network, infecting other devices
 However, the ACL on the unauthenticated VLAN should stop all unnecessary communication, like the temporary filter on the NAC appliance traditionally does

ACL from the slide (the square-bracket placeholders are the slide’s own). An IOS extended ACL ends with an implicit deny, so everything not listed, including lateral traffic to other clients, is dropped; for that same reason the unauthenticated VLAN must also be permitted to reach the NAC Server untrusted interface, DHCP and DNS, or clients can never complete step 3.

interface fa0.[unauthenticated vlan]
 ip access-group nac-filter in
!
ip access-list extended nac-filter
 remark Allow traffic to remediation network
 permit ip any 10.1.1.0 0.0.0.255
 remark Permit to local remediation servers
 permit ip any 192.168.1.[wsus,av,etc] 0.0.0.0
 remark Also permit the NAC Server untrusted interface (agent discovery and HTTPS login), DHCP and DNS
 remark Everything else hits the implicit deny
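The NACS-PBR route-map on the campus slides and the nac-filter ACL above are both first-match IOS extended ACLs with an implicit deny at the end, so one matcher can check both. The following is an added example in Python, not code from the deck or from Cisco IOS: it parses the two ACLs in the slides' syntax (any / host / address plus wildcard mask, optional eq port, remarks skipped) and evaluates constructed packets: a worm's lateral SMB attempt from the unauthenticated VLAN, remediation traffic, the agent's discovery packet, and, for the route-map, a DHCP request that must not be policy-routed. The slides' placeholders are filled with assumed addresses purely for the example (WSUS 192.168.1.20, NAC Server untrusted interface 10.0.1.10, DHCP server 10.1.1.2).

```python
import ipaddress

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _addr(tokens):
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD'. Returns (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.ip_address(tokens[1]))
    mask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)      # an IOS wildcard is the inverted subnet mask
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]


def _port_match(tokens):
    if tokens and tokens[0] == "eq":
        return _port(tokens[1]), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse the entries of an 'ip access-list extended' block; the header and remarks are skipped."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[0] not in ("permit", "deny"):
            continue
        src, rest = _addr(toks[2:])
        sport, rest = _port_match(rest)
        dst, rest = _addr(rest)
        dport, _ = _port_match(rest)
        rules.append((toks[0], toks[1], src, sport, dst, dport))
    return rules


def acl_permits(rules, proto, src, sport, dst, dport):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto not in ("ip", proto) or s not in rsrc or d not in rdst:
            continue
        if (rsport is not None and rsport != sport) or (rdport is not None and rdport != dport):
            continue
        return action == "permit"
    return False


def policy_route(rules, next_hop, proto, src, sport, dst, dport):
    """'route-map X permit 10 / match ip address ACL / set ip next-hop': traffic the ACL permits goes to
    the next hop; traffic it denies or does not match falls through to normal routing."""
    return next_hop if acl_permits(rules, proto, src, sport, dst, dport) else "normal routing"


# The slide's unauthenticated-VLAN filter, with assumed values for its placeholders.
NAC_FILTER = parse_acl("""
ip access-list extended nac-filter
 remark Allow traffic to remediation network
 permit ip any 10.1.1.0 0.0.0.255
 remark Permit to local remediation servers (WSUS assumed at 192.168.1.20)
 permit ip any 192.168.1.20 0.0.0.0
 remark Needed for step 3 of the flow: agent discovery and login to the NAC Server untrusted interface
 permit udp any host 10.0.1.10 eq 8906
 permit tcp any host 10.0.1.10 eq 443
 permit udp any eq bootpc any eq bootps
""")

# The campus PBR ACL from the slide (DHCP server assumed at 10.1.1.2).
NACS_PBR = parse_acl("""
ip access-list extended NACS-PBR
 deny udp any host 10.1.1.2 eq bootps
 permit ip 10.1.10.0 0.0.0.255 any
 permit ip 10.1.20.0 0.0.0.255 any
""")


def demo():
    """Constructed packets as (proto, src, sport, dst, dport)."""
    worm_smb = ("tcp", "192.168.2.10", 51000, "192.168.2.11", 445)     # lateral, inside the unauth VLAN
    to_av = ("tcp", "192.168.2.10", 51001, "10.1.1.5", 443)            # remediation network
    to_wsus = ("tcp", "192.168.2.10", 51002, "192.168.1.20", 80)       # local remediation server
    to_fileshare = ("tcp", "192.168.2.10", 51003, "192.168.1.50", 445) # some other authenticated host
    discovery = ("udp", "192.168.2.10", 50000, "10.0.1.10", 8906)      # agent discovery to the NAC Server
    dhcp = ("udp", "10.1.10.5", 68, "10.1.1.2", 67)                    # client DHCP request
    web = ("tcp", "10.1.10.5", 52000, "192.0.2.1", 80)                 # anything else from the Auth VLAN
    return {
        "filter": {name: acl_permits(NAC_FILTER, *pkt) for name, pkt in [
            ("worm_smb", worm_smb), ("to_av", to_av), ("to_wsus", to_wsus),
            ("to_fileshare", to_fileshare), ("discovery", discovery)]},
        "pbr": {name: policy_route(NACS_PBR, "10.0.1.10", *pkt) for name, pkt in [
            ("dhcp", dhcp), ("web", web)]},
    }


if __name__ == "__main__":
    print(demo())
```

Running the slide's ACL as written (only the two permit lines) through the same matcher shows the discovery packet denied, which is the quickest way to see why the extra permits for the NAC Server are not optional in an L3 OOB design.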

Remote Site Summary
 Work out the real requirements: the simplest deployment may offer the needed security with easy deployment
 Deploy a remote NAC Server for easy deployment, the full feature set and ease of management
 Use Layer 3 OOB for centralised deployments where control of the port is needed
 For Layer 3 OOB deployments, ACLs are recommended to ease the deployment

Cisco NAC Profiler


Non-PC Endpoint Devices
An enterprise LAN is comprised of myriad endpoint types. Most are undocumented (think DHCP).
Wired endpoint distribution:
 Enterprises without VoIP: 50% Windows, 50% Other
 Enterprises with VoIP: 33% Windows, 33% IP phones, 33% Other

Cisco NAC Profiler: Secure Automation
Diagram: PCs and non-PCs (UPS, phone, printer, AP) feed the Cisco NAC Profiler, which performs Discovery and Monitoring.
Endpoint Profiling
 Discover all network endpoints by type and location
 Maintain real-time and historical contextual data for all endpoints
Behaviour Monitoring
 Monitor the state of the network endpoints
 Detect events such as MAC spoofing, port swapping, etc.
An automated process populates devices into the NAC Manager and, subsequently, into the appropriate NAC policy.

Cisco NAC Profiler Components
NAC Profiler Server
Aggregates and classifies data from Collectors and manages the database of endpoint information. Updates the Cisco NAC Manager (CAM) list to place endpoints into the appropriate access roles. Sold as a new 3350 appliance.

NAC Collector
Gathers information about endpoints using SNMP, NetFlow, DHCP and active profiling. Sold as a licence; the module is co-resident with the NAC Server (CAS) running 4.1.2 and above.

Understanding NAC Profiler
Diagram: the NAC Server with the NAC Collector licence receives SPAN/trap/NetFlow data and talks to the NAC Profiler Server, which updates the NAC Manager through the NAC API; Windows AD and the AAA Server sit alongside the NAC Manager.
1. NAC Collector aggregates the collection of relevant data (e.g. phones, printers, badge readers, modalities) and sends it to the NAC Profiler Server.
2. NAC Collector continuously monitors the behaviour of profiled devices (spoofing behaviour) and updates the Profiler Server.
3. NAC Profiler Server profiles the device and automatically adds/deletes/modifies the MAC/IP on the NAC Manager and places it in the NAC filter list (allow, deny, ignore, or “role”).

Collector Modules
NetMap
SNMP module that polls edge devices for specific information pertaining to connected devices, port states and other useful data for endpoint profiling and behaviour analysis.

NetTrap
Receives port link-state changes and new-MAC notifications from edge devices, useful for profiling and behaviour analysis.

NetWatch
Passive network traffic analyser that gleans useful profiling information from network traffic.

NetInquiry
Active profiling module that attempts to open ports on user-defined networks to actively generate traffic for analysis.

NetRelay
Receives NetFlow data directly from switches or other NetFlow data sources.

End Point Discovery
 The Collector gathers information about the endpoints associated with that NAC Server.
 Information gathered includes data from SNMP, network traffic analysis, and/or active profiling.
 The distributed Collector model ensures that only pertinent traffic is forwarded to the NAC Profiler Server (NPS).

Use Collected Data to Match Profile
Screenshot sequence in the original deck:
 Use collected data to match a profile
 Action when the profile matches
 Log in to the NAC Manager to confirm the action
 Device added to the NAC Manager filter list
 View profiled data from the NAC Manager
 Detailed view from within the NAC Manager
Behaviour Monitoring
What happens when a PC tries to spoof the MAC address of the printer? Behaviour monitoring understands that this is NOT a printer anymore, and hence the device is removed from the “Printer” role on the NAC Manager. (Screenshot: the device is removed from the list by the NAC Profiler Server.)
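The profiling and behaviour-monitoring steps above (collect attributes, match a profile, push a filter-list entry to the NAC Manager, then re-evaluate as new observations arrive) can be modelled directly. The following is an added example in Python, not code from the deck or from Cisco NAC Profiler: it scores constructed endpoint observations of the kinds the collector modules gather (OUI from NetMap/NetTrap, DHCP vendor class from NetWatch, open ports from NetInquiry, tagged flow peers from NetRelay) against a small made-up profile table, emits the NAC Manager filter action (role, allow, deny, ignore, or no entry), and flags the printer-to-PC transition from the MAC-spoofing slide. The profile rules, OUIs, DHCP classes, weights and threshold are assumptions for the example, not Cisco's rule set.

```python
from dataclasses import dataclass, field

# Constructed profile table: (profile name, NAC Manager filter action, weighted attribute rules).
# Filter actions are the ones the slides list (allow, deny, ignore, role); None means "no entry",
# so the device goes through normal user login and posture like any PC. A profile matches when
# its score reaches MATCH_THRESHOLD. OUIs, DHCP classes and weights are assumptions for the example.
MATCH_THRESHOLD = 5
PROFILES = [
    ("Printer", ("role", "Printer"), [
        ("oui", {"02:00:01"}, 3), ("dhcp_class", {"JetDirect"}, 3), ("open_ports", {9100, 631}, 2)]),
    ("IP Phone", ("role", "Voice"), [
        ("oui", {"02:00:02"}, 3), ("dhcp_class", {"Cisco IP Phone"}, 3),
        ("open_ports", {5060}, 2), ("flow_peers", {"callmanager"}, 2)]),
    ("Windows PC", None, [
        ("dhcp_class", {"MSFT 5.0"}, 3), ("open_ports", {135, 139, 445}, 2),
        ("flow_peers", {"dc", "wsus"}, 2)]),
]


@dataclass
class Endpoint:
    """One endpoint's collected attributes: OUI (NetMap/NetTrap), DHCP vendor class (NetWatch),
    open TCP ports (NetInquiry) and tagged NetFlow peers (NetRelay)."""
    mac: str
    oui: str = ""
    dhcp_class: str = ""
    open_ports: set = field(default_factory=set)
    flow_peers: set = field(default_factory=set)


def _score(rules, ep):
    total = 0
    for attr, expected, weight in rules:
        observed = getattr(ep, attr)
        hit = (observed & expected) if isinstance(observed, set) else (observed in expected)
        if hit:
            total += weight
    return total


def classify(ep):
    """Best-scoring profile at or above the threshold, else ('Unknown', None)."""
    name, action, rules = max(PROFILES, key=lambda p: _score(p[2], ep))
    return (name, action) if _score(rules, ep) >= MATCH_THRESHOLD else ("Unknown", None)


class ProfilerServer:
    """Keeps the last profile per MAC, pushes filter-list entries to the CAM, and reports changes."""

    def __init__(self):
        self.known = {}        # mac -> profile name
        self.cam_filter = {}   # mac -> filter action, as pushed through the NAC API
        self.events = []

    def observe(self, ep):
        name, action = classify(ep)
        previous = self.known.get(ep.mac)
        if previous is None:
            self.events.append(f"{ep.mac}: new endpoint profiled as {name}")
        elif previous != name:
            # Behaviour monitoring: same MAC, different behaviour -> suspected MAC spoofing or port swap.
            self.events.append(f"{ep.mac}: was {previous}, now looks like {name}; "
                               f"removed from '{previous}' role on NAC Manager")
        self.known[ep.mac] = name
        if action is None:
            self.cam_filter.pop(ep.mac, None)
        else:
            self.cam_filter[ep.mac] = action
        return name


def run_demo():
    """Constructed observations: a printer, an IP phone, then a PC that spoofs the printer's MAC."""
    server = ProfilerServer()
    printer = Endpoint("02:00:01:11:22:33", oui="02:00:01", dhcp_class="JetDirect", open_ports={9100, 80})
    phone = Endpoint("02:00:02:44:55:66", oui="02:00:02", dhcp_class="Cisco IP Phone",
                     open_ports={5060}, flow_peers={"callmanager"})
    spoofer = Endpoint("02:00:01:11:22:33", oui="02:00:01", dhcp_class="MSFT 5.0",
                       open_ports={135, 139, 445}, flow_peers={"dc", "wsus"})
    first = [server.observe(e) for e in (printer, phone)]
    filter_before = dict(server.cam_filter)
    after = server.observe(spoofer)
    return {"first": first, "after_spoof": after, "filter_before": filter_before,
            "filter_after": dict(server.cam_filter), "events": server.events}


if __name__ == "__main__":
    for line in run_demo()["events"]:
        print(line)
```

The spoofer still scores on the OUI rule because it copied the printer's MAC; it is the weight given to behaviour (DHCP class, open ports, flow peers) over the address itself that removes it from the Printer role, which is the point the slide makes about MAC-based filter-list entries.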

Cisco NAC Guest Access


Managing the Guest User Lifecycle
 Provisioning
 Notification (SMS, email, print-out)
 Management
 Reporting

4 Key Components of Guest Access
GUEST
The visitor who needs network access (usually internet only)
SPONSOR
The internal user who wants to be able to provide internet access to her guest
NETWORK ENFORCEMENT DEVICE
The device that authenticates the guest and grants network access
NAC GUEST SERVER
Enables the sponsor to create the guest account; audits; provisions the account on the network enforcement device

How It Works with NAC
Diagram: Guest, NAC Server, NAC Manager, Cisco NAC Guest Server and the Enterprise Network (Internet, e-mail, VPN, etc.).
1. Employee creates an account for the Guest.
2. The Guest Server adds the guest info to the NAC Manager via the API.
3. Guest starts a web browser.
4. NAC Appliance redirects to the login page (connect screen).
5. Guest enters the temporary access code generated by the SGA Appliance.
6. NAC Appliance puts the user in the specific role.

How It Works with WLC
Diagram: Guest, WLC, Cisco NAC Guest Server and the Enterprise Network (Internet, e-mail, VPN, etc.).
1. Employee creates an account for the Guest.
2. Guest starts a web browser.
3. WLC redirects to the login page.
4. Guest enters the temporary access code generated by the SGA Appliance.
5. WLC sends the access-request to the NAC Guest Server; Auth Success.
6. Guest is allowed on the network.

3 Ways of Guest Notification
Send account information via print-out, email, or SMS.

Sponsor Portal
Screenshots in the original deck:
 Sponsor Portal: Overview
 Sponsor Interface Customisation: change the entire interface
 Corporate Logo Customisation: rebrand with your corporate logo
 Audit and Reports: sponsor information, guest information, account information
 Report Details

Cisco NAC Coming Soon


Introducing Mac Posture (NEW!)
Posture assess your Mac users now! (The slide shows a mock-up UI that may not match the final UI.)

CAM Policy Sync (NEW!)
Synchronise policies between your NAC Managers and maintain consistent policies across all your managers. (The slide shows a mock-up UI that may not match the final UI.)

Q and A


Recommended Reading
 Continue your Cisco Networkers learning experience with further reading from Cisco Press
 Check the Recommended Reading flyer for suggested books

Recommended Security Demos
Continue your Cisco Networkers learning experience by visiting the following Security Demos located in the World of Solutions:
 CS-MARS
 Cisco Security Manager (CSM)
 Adaptive Security Appliances (ASA)
 Cisco Intrusion Prevention System (IPS)
 Embedded Security in Cisco Network Devices and Endpoints
 IronPort – Email and Web Secure Management Portfolios

Meet the Expert
 Make the most of your time at Cisco Networkers by meeting one-on-one with a Cisco expert. This is an invaluable opportunity, so don’t miss out!
 Visit the Meeting Centre in the World of Solutions to select your topic of interest and your preferred expert in that field, and to set up a specific time to meet onsite.

Complete Your Online Session Evaluation
 Win fabulous prizes by giving us your feedback!
 Go to the Internet stations located throughout the Convention Centre to complete your session evaluation.
