, NAC

Willy Huang, Product/Technical Manager, Cisco Systems Taiwan Ltd., wihuang@cisco.com

2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

1 2 3 4
NAC
NAC
Flash demo


"No Wi-Fi = good security." Wrong!
- A single rogue access point creates enormous risk
- Traditional security measures (firewall, wired IDS/IPS, VPNs, NAC, etc.) don't address it
- Often perpetrated unknowingly by your own employees

"A handheld walk-around survey is sufficient (e.g. AirMagnet)." Wrong!
- Would you turn on your firewall only periodically?
- Not practical for branch or remote offices with no local IT personnel
- Laborious and expensive

"I use 802.11i, WPA or VPN, so my network is secure." Not at all!
- These only protect authorized clients and infrastructure
- No impact on unauthorized infrastructure (e.g. rogue APs) or unauthorized connections (e.g. ad hoc networks)

Wireless Access Outside Physical or Wired Boundaries

Wired security relies on physical security; the enterprise network's wireless edge does not:
- Open air: no physical barriers to intrusion
- Standard 802.11 protocol: well documented and well understood; management frames are the target of the most common attacks against WLAN networks
- Unlicensed spectrum: easy access to inexpensive technology


Cisco Secure Wireless Solution
- Integrated WLAN security foundation: strong user authentication (Cisco EAP/EAP-FAST and 802.1X integration); strong transport encryption (802.11i and WPA/WPA2)
- Wireless and NAC single sign-on: role-based access; client device validation, posture assessment and remediation
- Rogue detection through automatic RF monitoring: detect and prevent unauthorized wireless activities
- Unified wired and wireless IPS: threat mitigation; comprehensive security protection

C97-408586-00


Implementation Considerations

Critical: WLAN security fundamentals
- Strong user authentication (802.1X, Cisco EAP/EAP-FAST, ACS)
- Strong transport encryption (802.11i, AES, TKIP, MFP, WPA/WPA2)
- Detection and prevention of rogue access points, clients, special-purpose networks, DoS, etc. (audits, RF scanning, wireless IPS)

Urgent: traffic and access control
- Device posture assessment (NAC)
- Role-based network access (NAC)
- Threat mitigation (unified wired and wireless IPS)

Recommended: endpoint protection
- Endpoint connection policy and status (WLAN controller, NAC, MFP)
- Endpoint malware mitigation (Cisco Security Agent)
- Threat-alert distribution (Cisco Security Agent + IPS + Cisco Security MARS)

Best practice: network visibility
- Comprehensive WLAN security management (Wireless Control System)
- Security event analysis and correlation (Cisco Security MARS)


Wi-Fi Protected Access (WPA)

Standardized; optimized for enterprise; broad adoption; tested for interoperability.
WPA mandates TKIP encryption + MIC and 802.1X authentication; required as of Aug. 2003.
- Authentication: 802.1X
- Encryption: TKIP + MIC (Temporal Key Integrity Protocol with Message Integrity Check), the successor to WEP encryption

CCX Program (Cisco Compatible eXtensions): ensures interoperability for a variety of 802.1X authentication types, including LEAP and PEAP.
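What the "MIC" in TKIP + MIC actually computes: the Michael function below is an added example (not code from the presentation or from Cisco), written from the IEEE 802.11 TKIP specification and checked against two of the standard's published test vectors. Michael was deliberately made cheap enough for WEP-era hardware and offers only about 20 bits of forgery resistance, which is why TKIP pairs it with countermeasures (the link is shut down for 60 seconds after two MIC failures within a minute) and why WPA2 with AES-CCMP, also listed on this page, is what should be deployed. The key, addresses and payload in the usage are constructed values.

```python
"""Michael, the TKIP message integrity check (MIC) that WPA pairs with TKIP.

Added example, not code from the original presentation. Implements the Michael
algorithm as specified in IEEE 802.11 (TKIP) and checks it against the
standard's published test vectors.
"""
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rol32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _ror32(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32


def _xswap(x):
    # Swap the two bytes inside each 16-bit half: AABBCCDD -> BBAADDCC
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _michael_block(left, right, word):
    """One Michael round: mixes a 32-bit message word into the (L, R) state."""
    left ^= word
    right ^= _rol32(left, 17)
    left = (left + right) & MASK32
    right ^= _xswap(left)
    left = (left + right) & MASK32
    right ^= _rol32(left, 3)
    left = (left + right) & MASK32
    right ^= _ror32(left, 2)
    left = (left + right) & MASK32
    return left, right


def michael_mic(key: bytes, message: bytes) -> bytes:
    """64-bit Michael tag over `message` under a 64-bit key.

    Padding: one 0x5a byte followed by 4 to 7 zero bytes, so that the padded
    length is a multiple of 4; the words are then consumed little-endian.
    """
    if len(key) != 8:
        raise ValueError("Michael key must be exactly 8 bytes")
    left, right = struct.unpack("<II", key)
    zero_count = 4 + (-(len(message) + 1)) % 4
    padded = message + b"\x5a" + b"\x00" * zero_count
    for (word,) in struct.iter_unpack("<I", padded):
        left, right = _michael_block(left, right, word)
    return struct.pack("<II", left, right)


def tkip_mic(key: bytes, da: bytes, sa: bytes, priority: int, msdu: bytes) -> bytes:
    """TKIP runs Michael over DA || SA || priority || 3 zero bytes || MSDU, so the
    tag also binds the addresses: rewriting DA or SA invalidates it."""
    if len(da) != 6 or len(sa) != 6:
        raise ValueError("DA and SA must be 6-byte MAC addresses")
    header = da + sa + bytes([priority & 0x0F]) + b"\x00\x00\x00"
    return michael_mic(key, header + msdu)


def verify_tkip_mic(key, da, sa, priority, msdu, tag) -> bool:
    """Constant-time comparison of a received MIC with the recomputed one."""
    return hmac.compare_digest(tkip_mic(key, da, sa, priority, msdu), tag)


if __name__ == "__main__":
    # Standard test vector: all-zero key, empty message -> 82925c1ca1d130b8
    print(michael_mic(bytes(8), b"").hex())
    key = bytes.fromhex("0011223344556677")          # constructed MIC key
    da, sa = bytes.fromhex("001aa100001a"), bytes.fromhex("0016ea1122bb")
    tag = tkip_mic(key, da, sa, 0, b"hello")
    print(verify_tkip_mic(key, da, sa, 0, b"hello", tag))
```

Note how small the state is: two 32-bit words and a handful of shifts and adds per message word. That is the whole integrity protection of a TKIP frame, which is why a MIC failure must trigger the countermeasures rather than be silently dropped.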

Rogue detection and RF containment (figure)
- On-channel attack detected: 802.11g channel 6, attacker next to a valid client
- Off-channel rogue AP detected: 802.11a channel 153, rogue AP with a rogue client ("AP contains rogue client")
- Off-channel ad hoc network detected: 802.11g channel 1, ad hoc client ("AP contains ad hoc net")
- Valid clients on 802.11g channel 6 and 802.11a channel 152
- RF containment is applied to the rogue
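The classification behind the labels in that figure, as an added example that is not part of the original slide or of Cisco's software: scan results from monitor-mode radios are matched against an inventory of managed BSSIDs, the corporate SSIDs and the MAC addresses learned on the wired switches. The inventory, the scan data and the on-wire heuristic are constructed assumptions.

```python
"""Classification of 802.11 scan results against an inventory: the logic behind
"rogue AP / ad hoc / valid" labels and an RF containment list. Added example,
not from the original slide or Cisco software; inventory, scan data and the
on-wire heuristic are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

AUTHORIZED_BSSIDS = {"00:1a:a1:00:00:10", "00:1a:a1:00:00:20"}  # radios of managed APs
CORPORATE_SSIDS = {"corp-secure"}                                # SSIDs only our APs may advertise
WIRED_MACS = {"00:1a:a1:00:00:01", "f4:ec:38:aa:bb:cd"}          # learned on edge switch ports


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    band: str                  # "802.11a" or "802.11g"
    channel: int
    ibss: bool                 # True for an ad hoc (IBSS) network
    clients: Tuple[str, ...] = ()


def _mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def on_wire(bssid: str, wired_macs=WIRED_MACS, window: int = 1) -> bool:
    """Heuristic (assumption): many SOHO APs derive the radio BSSID from the wired
    MAC by changing only the last bits, so a wired MAC within +/- window of the
    BSSID indicates the rogue is plugged into our own switch."""
    b = _mac_int(bssid)
    return any(abs(_mac_int(m) - b) <= window for m in wired_macs)


def classify(obs: Observation) -> Tuple[str, str]:
    """Returns (classification, severity). Order matters: an IBSS is never an AP,
    and a managed radio is never a rogue even if it carries the corporate SSID."""
    if obs.ibss:
        return "ad-hoc", "medium"
    if obs.bssid in AUTHORIZED_BSSIDS:
        return "valid", "none"
    if obs.ssid in CORPORATE_SSIDS:
        return "rogue-honeypot", "critical"     # evil twin impersonating our SSID
    if on_wire(obs.bssid):
        return "rogue-on-wire", "critical"      # unauthorized AP bridging into the LAN
    if obs.clients:
        return "rogue-with-clients", "high"
    return "rogue", "low"                       # e.g. a neighbour's AP seen through the wall


def triage(observations) -> Tuple[Dict[str, tuple], List[tuple]]:
    """Per-BSSID classification plus the (band, channel, bssid) list a containment
    radio would target; low-severity rogues are reported but not contained."""
    report, contain = {}, []
    for o in observations:
        kind, severity = classify(o)
        report[o.bssid] = (kind, severity, o.band, o.channel)
        if severity in ("critical", "high"):
            contain.append((o.band, o.channel, o.bssid))
    return report, contain


# Constructed scan, mirroring the figure: rogue AP with a client on 802.11a ch 153,
# ad hoc network on 802.11g ch 1, attacker beside a valid client on 802.11g ch 6.
SAMPLE_SCAN = [
    Observation("00:1a:a1:00:00:20", "corp-secure", "802.11a", 152, False, ("valid-client",)),
    Observation("f4:ec:38:aa:bb:cc", "linksys", "802.11a", 153, False, ("rogue-client",)),
    Observation("02:11:22:33:44:55", "freeshare", "802.11g", 1, True, ("adhoc-client",)),
    Observation("00:0c:42:11:22:33", "corp-secure", "802.11g", 6, False),
    Observation("00:26:5a:99:88:77", "neighbour-net", "802.11g", 11, False),
]

if __name__ == "__main__":
    report, contain = triage(SAMPLE_SCAN)
    for bssid, entry in report.items():
        print(bssid, *entry)
    print("contain:", contain)
```

Containment means a managed radio transmits deauthentication frames against the target, so it is reserved for rogues that are provably on the wire or impersonating the corporate SSID; a neighbour's legitimately operated AP is reported at low severity and left alone.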

Unified Intrusion Prevention: Layer 2 through Layer 7

Components: Cisco Access Point, Cisco WLAN Controller, Cisco ASA 5500 with IPS, enterprise network.

Event and client shunning:
1. Malicious traffic from the client reaches the access point or controller
2. The controller forwards the traffic to the IPS for deep packet inspection
3. The controller queries the IPS
4. The shun is implemented by the controller (client shun)


Cisco Secure Wireless architecture (figure)

Untrusted / public: Internet; Guest Anchor Controller; Cisco ASA 5500 with IPS Module
Enterprise: WCS; Cisco NAC Appliance Server; Cisco WLAN Controller; Cisco Security MARS; Cisco NAC Appliance Manager; Cisco Security Agent server
Trusted (wired and wireless): Cisco Access Point with 802.1X, WPA2, MFP; Guest SSID; SSC

Layers:
- Endpoint Protection (Cisco Security Agent): host intrusion prevention; endpoint malware mitigation
- Traffic and Access Control: device posture assessment; dynamic, role-based network access and managed connectivity; WLAN threat mitigation with IPS/IDS
- WLAN Security Fundamentals: strong user authentication; strong transport encryption; RF monitoring; secure guest access


Security controls by layer
- Physical: user and device tracking; location-based security
- RF: coverage area and interference avoidance; wIDS; rogue detection
- Data: 802.11i; VPN
- User/Device: X.509; 802.1X (RADIUS); Web-Auth; IDS
- Application: Network Access Control; firewall


For more information about the Cisco Secure Wireless Solution, visit:
http://www.cisco.com/wirelesssecurity

For more information about Cisco NAC, visit:
http://www.cisco.com/go/nac

For more information about Cisco Wireless products, visit:
http://www.cisco.com/go/wireless

For more information about the Cisco Unified Wireless Network, visit:
http://www.cisco.com/go/unifiedwireless


NAC

Cisco NAC Appliance: endpoint compliance
- Wireless compliance (wireless, Building 2): secured network access only for compliant wireless devices
- Campus compliance (campus Building 1, 802.1Q): network access only for compliant devices
- Intranet access compliance: ensure hosts are hardened prior to connecting to ERP, HRIS, BPM, etc.
- Guest compliance (conference room in Building 3): restricted Internet access only for guest users
- VPN user compliance (IPSec over the Internet): intranet access only for compliant remote-access users

Deployment mode: in-band

IT
Top customer pain points* and the Cisco NAC response
- Role-based access control: Cisco NAC applies access and posture policies based on roles
- Enforce endpoint policy requirements: Cisco NAC assesses, quarantines, and remediates noncompliant endpoints
- Guests and unmanaged users: Cisco NAC authenticates and controls guest and unmanaged assets

Applies to secured remote access, secured wireless access, and secured LAN access.

* Source: Current Analysis, July 2006


Cisco NAC Appliance
- Applies NAC across the LAN, WLAN, VPN and remote offices, for managed and unmanaged devices
- Role-based access
- Role-based VLAN mapping
- Covers wired and wireless

Cisco NAC Appliance: all-in-one policy compliance and remediation solution
- Authentication and authorization: enforces authorization policies and privileges; supports multiple user roles
- Quarantine: isolates non-compliant devices from the rest of the network; MAC- and IP-based quarantine effective at a per-user level
- Scanning and assessment: agent scan for required versions of hotfixes, AV, and other software; network scan for virus and worm infections and port vulnerabilities
- Update and remediation: network-based tools for vulnerability and threat remediation; help-desk integration

Cisco NAC Appliance components
- Cisco NAC Appliance Manager (NAM): the central policy and administration server for NAC
- Cisco NAC Appliance Server (NAS): the enforcement point between clients and the network
- Cisco NAC Appliance Agent (NAA): client software that performs device-based checks (registry, applications) against the rule-set: anti-virus, hotfixes, applications

Cisco NAC Appliance: In-Band
- L3/L4 role-based policy (e.g. Guest, Quarantine)
- Where port-based enforcement does not apply: hubs, wireless APs, VoIP phones, shared media ports, non-Cisco environments

Components: NAC Appliance Manager, NAC Appliance Server

Cisco NAC Appliance In-Band: policy examples
- Role-based access: Guest to http/s only; Trainee to lab servers only
- Bandwidth per role: Guest has 200 kb/s downstream; Consultant has 400 kb/s downstream
- L3/L4 Quarantine: access to Windows Update only
- RADIUS accounting for login/logout
- Port-based enforcement does not apply to hubs, wireless APs, VoIP phones, shared media ports and non-Cisco environments

Components: NAC Appliance Manager, NAC Appliance Server
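The role policies described on this slide, as an added example that is not part of the presentation or of Cisco's product: each role is an ordered L3/L4 rule list with an implicit deny, evaluated first-match like an ACL, plus an optional downstream token bucket. The lab subnet, the Windows Update stand-in addresses and the Consultant rule list are assumptions; the DNS server 10.20.20.20 and intranet server 10.10.10.10 are taken from the topology later in the deck.

```python
"""Role-based L3/L4 access policy with per-role downstream shaping, as enforced
in-band by the NAC Appliance Server. Added example, not Cisco configuration;
subnets and Windows Update stand-in addresses are assumptions, the DNS server
10.20.20.20 and the intranet server 10.10.10.10 are from the page's topology."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List


@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    proto: str = "any"                       # "tcp", "udp", "icmp" or "any"
    dst: str = "any"                         # destination CIDR, or "any"
    dports: FrozenSet[int] = frozenset()     # destination ports; empty = any port


@dataclass
class Role:
    name: str
    rules: List[Rule]
    downstream_kbps: int = 0                 # 0 = unshaped


def _matches(rule: Rule, proto: str, dst: str, dport: int) -> bool:
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dst != "any" and ip_address(dst) not in ip_network(rule.dst):
        return False
    if rule.dports and dport not in rule.dports:
        return False
    return True


def decide(role: Role, proto: str, dst: str, dport: int = 0) -> str:
    """First-match evaluation with an implicit deny, like an L3/L4 ACL."""
    for rule in role.rules:
        if _matches(rule, proto, dst, dport):
            return rule.action
    return "deny"


class TokenBucket:
    """Per-user downstream shaper: tokens refill at the role's rate and the
    bucket holds one second of burst."""

    def __init__(self, rate_kbps: int):
        self.rate = rate_kbps * 1000 / 8.0   # bytes per second
        self.capacity = self.rate
        self.tokens = self.capacity
        self.last = 0.0

    def allow(self, nbytes: int, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


DNS = "10.20.20.20/32"
INTERNAL = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
LAB_SERVERS = "10.50.0.0/24"                 # assumed lab subnet for the Trainee role
UPDATE_SERVERS = ("203.0.113.0/24",)         # stand-in for the Windows Update addresses
WEB = frozenset({80, 443})

_dns_rule = Rule("permit", "udp", DNS, frozenset({53}))
_deny_internal = [Rule("deny", "any", net) for net in INTERNAL]
_web_only = [_dns_rule] + _deny_internal + [Rule("permit", "tcp", "any", WEB)]

ROLES = {
    # "Guest to http/s only" at 200 kb/s; Consultant gets the same ACL at 400 kb/s (assumption)
    "Guest": Role("Guest", _web_only, downstream_kbps=200),
    "Consultant": Role("Consultant", _web_only, downstream_kbps=400),
    # "Trainee to lab servers only"
    "Trainee": Role("Trainee", [_dns_rule, Rule("permit", "any", LAB_SERVERS)]),
    # "Quarantine: access to Windows Update only"
    "Quarantine": Role("Quarantine",
                       [_dns_rule] + [Rule("permit", "tcp", net, WEB) for net in UPDATE_SERVERS]),
}


def shaper_for(role: Role):
    return TokenBucket(role.downstream_kbps) if role.downstream_kbps else None


if __name__ == "__main__":
    for name, role in ROLES.items():
        print(name, "-> intranet 10.10.10.10:443:", decide(role, "tcp", "10.10.10.10", 443),
              "| web 198.51.100.7:443:", decide(role, "tcp", "198.51.100.7", 443))
```

The deny-internal rules sit before the permit so a guest's "http/s only" cannot be turned into a path to the intranet server; that ordering is the check to make on any role whose permit rule has an "any" destination.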


NAC

Cisco NAC Appliance wireless flow: topology
- Laptop IP: 192.168.50.3 (role: Unauthenticated)
- WLC: 192.168.60.3 on management VLAN 60; 192.168.50.2 on user-traffic VLAN 50
- Auth server IP: 10.1.1.25
- RADIUS accounting server IP: 10.1.1.26
- NAC Appliance Manager IP: 10.1.1.30
- NAC Appliance Server IP: 192.168.10.2 (NAC enforcement point)
- L3 switch IP: 192.168.10.1
- Intranet server IP: 10.10.10.10
- DNS server IP: 10.20.20.20

Steps:
1. Wireless user connects to the WLC via LWAPP and authenticates to the auth server (any auth method, including 802.1X)
2. Wireless user obtains an IP address from the auth server
3. WLC forwards the RADIUS accounting login info to the CAS (NAC Appliance Server)
4. Wireless user opens a browser and is redirected to download the NAC Agent (if it is not already loaded)

Cisco NAC Appliance wireless flow (cont.), role: Quarantine
5. The Agent queries the NAC Appliance Server to discover whether the wireless user is authenticated (which it will be, by the RADIUS accounting previously sent)
6. The Agent performs posture assessment and forwards the results to the Server to make the network admission decision

Cisco NAC Appliance wireless flow (cont.), role: Quarantine
8. The NAC Server forwards the posture report to the NAC Manager
9. The Manager determines that the user is NOT in compliance and instructs the Server to put the laptop into the Quarantine role
10. The NAC Manager sends remediation steps to the NAC Agent

Cisco NAC Appliance wireless flow (cont.), role: Quarantine
11. The NAC Agent displays the access time remaining in the Quarantine role for the remote user
12. The Agent guides the remote user through step-by-step remediation with a one-click update
13. The Agent informs the NAC Server that the wireless user has been successfully remediated
14. The NAC Server presents the user with an Acceptable Use Policy (AUP) agreement

Cisco NAC Appliance wireless flow (cont.), role: Wireless
15. Upon AUP acceptance, the NAC Appliance Server assigns the remote user to the Wireless role
16. The NAC Appliance Server puts the remote user's IP address into the Online User list
17. The wireless user is now allowed to access the intranet server
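The whole admission flow of steps 1 to 17 as a small state machine, an added example that is not Cisco code: RADIUS accounting from the WLC creates the authenticated session (the single sign-on of step 5), the posture rule-set decides between the Quarantine role and the AUP, and AUP acceptance puts the client into the Wireless role and the Online User list. The posture thresholds, the hotfix names and the quarantine timer are constructed assumptions; the addresses are the ones in the topology above. One caveat worth seeing in code: because step 5 trusts the accounting record, the server must accept accounting only from the WLC (in practice also authenticated by the RADIUS shared secret), otherwise anyone who can inject an Accounting-Start is treated as authenticated without ever touching the auth server.

```python
"""Model of the NAC Appliance admission flow (steps 1 to 17 above) for one
wireless client. Added example, not Cisco code. Check thresholds, the
quarantine timer and the hotfix list are constructed assumptions; the
addresses are the ones in the page's topology."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

WLC_ADDRESS = "192.168.60.3"          # WLC management address: the only valid accounting source
QUARANTINE_SECONDS = 240              # assumption: time a client may stay in the Quarantine role
REQUIRED_HOTFIXES = {"KB-A", "KB-B"}  # constructed requirement list
MAX_AV_DEF_AGE = timedelta(days=7)    # constructed: AV definitions must be at most 7 days old


@dataclass
class Posture:
    av_installed: bool
    av_definition_date: date
    hotfixes: Set[str]


@dataclass
class Session:
    user: str
    role: str = "Unauthenticated"
    quarantine_until: Optional[float] = None
    aup_pending: bool = False


def check_posture(p: Posture, today: date) -> List[str]:
    """Rule-set evaluation (step 6); returns the failed checks."""
    failures = []
    if not p.av_installed:
        failures.append("antivirus not installed")
    elif today - p.av_definition_date > MAX_AV_DEF_AGE:
        failures.append("antivirus definitions out of date")
    missing = REQUIRED_HOTFIXES - p.hotfixes
    if missing:
        failures.append("missing hotfixes: " + ", ".join(sorted(missing)))
    return failures


class NacServer:
    """The NAC Appliance Server as enforcement point; the Manager's decision
    (steps 8 and 9) is folded into assess() for brevity."""

    def __init__(self):
        self.sessions: Dict[str, Session] = {}   # client IP -> session
        self.online: Set[str] = set()            # the Online User list

    # Step 3: RADIUS accounting from the WLC creates the authenticated session.
    def radius_accounting(self, src_address: str, attrs: dict) -> None:
        if src_address != WLC_ADDRESS:
            raise PermissionError("accounting from unexpected NAS %s" % src_address)
        ip = attrs["Framed-IP-Address"]
        if attrs["Acct-Status-Type"] == "Start":
            self.sessions[ip] = Session(user=attrs["User-Name"])
        elif attrs["Acct-Status-Type"] == "Stop":
            self.sessions.pop(ip, None)
            self.online.discard(ip)

    # Step 5: the Agent asks whether this client is already authenticated.
    def is_authenticated(self, ip: str) -> bool:
        return ip in self.sessions

    # Steps 6 to 10: posture result -> Quarantine role, or AUP for a clean host.
    def assess(self, ip: str, posture: Posture, today: date, now: float) -> List[str]:
        s = self.sessions[ip]
        failures = check_posture(posture, today)
        if failures:
            s.role = "Quarantine"
            if s.quarantine_until is None:
                s.quarantine_until = now + QUARANTINE_SECONDS
        else:
            s.quarantine_until = None
            s.aup_pending = True
        return failures

    # Step 11: time left in the Quarantine role.
    def quarantine_remaining(self, ip: str, now: float) -> int:
        s = self.sessions[ip]
        return 0 if s.quarantine_until is None else max(0, int(s.quarantine_until - now))

    # Step 13: the Agent reports remediation; the Server re-checks rather than
    # trusting the claim, and drops the session if the timer has run out.
    def remediated(self, ip: str, posture: Posture, today: date, now: float) -> List[str]:
        s = self.sessions[ip]
        if s.quarantine_until is not None and now >= s.quarantine_until:
            self.sessions.pop(ip)
            return ["quarantine timer expired; re-authenticate"]
        return self.assess(ip, posture, today, now)

    # Steps 14 to 17: AUP acceptance moves the client to the Wireless role and
    # into the Online User list, which is what opens the path to the intranet.
    def accept_aup(self, ip: str) -> str:
        s = self.sessions[ip]
        if not s.aup_pending:
            raise RuntimeError("AUP is offered only after a clean posture check")
        s.role, s.aup_pending = "Wireless", False
        self.online.add(ip)
        return s.role


def walkthrough():
    """Runs the slides' scenario for the laptop 192.168.50.3; returns (role, online list)."""
    nas = NacServer()
    today = date(2006, 9, 1)
    laptop = "192.168.50.3"
    nas.radius_accounting(WLC_ADDRESS, {"Acct-Status-Type": "Start",
                                        "User-Name": "wuser", "Framed-IP-Address": laptop})
    stale = Posture(True, date(2006, 8, 1), {"KB-A"})        # constructed: old AV, one hotfix missing
    nas.assess(laptop, stale, today, now=0.0)                # -> Quarantine role
    fixed = Posture(True, date(2006, 9, 1), {"KB-A", "KB-B"})
    nas.remediated(laptop, fixed, today, now=90.0)           # clean -> AUP pending
    nas.accept_aup(laptop)                                   # -> Wireless role
    return nas.sessions[laptop].role, sorted(nas.online)


if __name__ == "__main__":
    print(walkthrough())
```

The two refusals in the model are the ones that matter operationally: accounting from any address other than the WLC is rejected, and the AUP (and with it the Wireless role) is unreachable until a posture check has actually passed on the server side.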

Cisco NAC Agent (types of checks depend on user role)

NAC

The Network Is the Platform for Life's Experiences
