The Wireless Network You Love to Hate: How NAC Makes the Airspace Safer

Willy Huang, Product/Technical Manager, Cisco Systems Taiwan Ltd. wihuang@cisco.com

© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential

Agenda

1. Wireless network security overview
2. Integrating NAC with wireless networks
3. How NAC works on wireless networks
4. Flash demo

Wireless Network Security Myths

Myth: No Wi-Fi = good security. Wrong!
• A single rogue access point creates enormous risk
• Traditional security measures (firewall, wired IDS/IPS, VPNs, NAC, etc.) don’t address it
• Perpetrated unknowingly, often by your own employees

Myth: A handheld walk-around survey is sufficient (i.e. AirMagnet). Wrong!
• Would you turn on your firewall only periodically?
• Not practical for branch or remote offices with no local IT personnel
• Laborious and expensive

Myth: I use 802.11i, WPA or VPN, so my network is secure. Not at all!
• Only protects authorized clients and infrastructure
• No impact on unauthorized infrastructure (i.e. rogue APs) or unauthorized connections (i.e. ad hoc networks)

Why Are Wireless Networks Easier to Attack?

• “Open air”: no physical barriers to intrusion
• Standard 802.11 protocol: well-documented and well-understood; the target of the most common attacks against WLAN networks is management frames
• Unlicensed: easy access to inexpensive technology

[Figure: wired security and physical security protect the enterprise network; wireless access reaches outside the physical or wired boundaries]

Cisco Wireless Network Security Solution

Integrated WLAN security foundation
• Strong user authentication (Cisco EAP/EAP-FAST and 802.1X integration)
• Strong transport encryption (802.11i and WPA/WPA2)

Wireless and NAC single sign-on
• Role-based access
• Client device validation; posture assessment and remediation

Rogue detection through automatic RF monitoring
• Detect and prevent unauthorized wireless activities

Unified wired and wireless IPS
• Threat mitigation
• Comprehensive security protection

C97-408586-00 © 2007 Cisco Systems, Inc. All rights reserved.
Phased Wireless Network Security

Implementation Considerations

Critical: WLAN Security Fundamentals
• Strong user authentication (802.1X, Cisco EAP/EAP-FAST, ACS)
• Strong transport encryption (802.11i, AES, TKIP, MFP, WPA/WPA2)
• Detection and prevention of rogue access points, clients, special-purpose networks, DoS, etc. (audits, RF scanning, wireless IPS)

Urgent: Traffic and Access Control
• Device posture assessment (NAC)
• Role-based network access (NAC)
• Threat mitigation (unified wired and wireless IPS)

Recommended: Endpoint Protection
• Endpoint malware mitigation (Cisco Security Agent)

Best Practice: Network Visibility
• Endpoint connection policy and status (WLAN controller, NAC, MFP)
• Comprehensive WLAN security management (Wireless Control System)
• Security event analysis and correlation (Cisco Security MARS)
• Threat-alert distribution (Cisco Security Agent + IPS + Cisco Security MARS)

Enterprise-Grade Wireless Security Protection

Wi-Fi Protected Access (“WPA”): standardized, optimized for enterprise, broad adoption, tested for interoperability
• Mandates TKIP encryption + MIC + 802.1X authentication
• Required as of Aug. ’03

Encryption: TKIP + MIC
• Temporal Key Integrity Protocol
• Message Integrity Check
• Successor to WEP encryption

Authentication: CCX Program
• Cisco Compatible eXtensions
• Ensures interoperability for a variety of 802.1X authentication types, including LEAP & PEAP

Wireless Intrusion Detection and Containment

[Figure: detection events and responses across the WLAN]
• On-channel attack detected: attacker on 802.11g channel 6, next to a valid client on the same channel
• Off-channel rogue detected: rogue AP and rogue client on 802.11a channel 153; the AP contains the rogue client (RF containment)
• Off-channel ad hoc net detected: ad hoc client on 802.11g channel 1; the AP contains the ad hoc net (RF containment)
• Valid clients on 802.11g channel 6 and 802.11a channel 152

Cisco Unified Intrusion Detection/Prevention

Unified Intrusion Prevention: Layer 2 through Layer 7

[Figure: Cisco Access Point, Cisco WLAN Controller, enterprise network and Cisco ASA 5500 with IPS]

Event and client shunning:
1. Client to access point or controller (malicious traffic)
2. Controller traffic to IPS (deep packet inspection)
3. Controller queries IPS
4. Shun implemented by controller

Phased Wireless Security Architecture

[Figure: enterprise network split into untrusted (public, Internet) and trusted (wired, wireless) zones. Components shown: Cisco Security Agent, Guest Anchor Controller, Cisco ASA 5500 with IPS Module, Cisco NAC Appliance Manager and Server, Cisco WLAN Controller (WPA2, MFP, 802.1X, SSC), WCS, Cisco Security MARS, Cisco Access Point, Guest]

Endpoint Protection
• Host intrusion prevention
• Endpoint malware mitigation

Traffic and Access Control
• Device posture assessment
• Dynamic, role-based network access and managed connectivity
• WLAN threat mitigation with IPS/IDS

WLAN Security Fundamentals
• Strong user authentication
• Strong transport encryption
• RF monitoring
• Secure guest access

Complete Wireless Security Protection Solution

• Physical: user and device tracking; location-based security
• Data: 802.11i; VPN
• User/Device: X.509; 802.1X (RADIUS); Web-Auth; IDS
• RF: coverage area and interference avoidance, wIDS, rogue detection
• Application: network access control; firewall

References

For more information about the Cisco Secure Wireless Solution, visit:
http://www.cisco.com/wirelesssecurity

For more information about Cisco NAC, visit:
http://www.cisco.com/go/nac

For more information about Cisco Wireless products, visit:
http://www.cisco.com/go/wireless

For more information about the Cisco Unified Wireless Network, visit:
http://www.cisco.com/go/unifiedwireless

Agenda, part 2: Integrating NAC with Wireless Networks

Cisco NAC Appliance Applications for Wireless Networks

[Figure: in-band NAC Appliance deployments across a campus]
• Endpoint Compliance (Campus Building 1): network access only for compliant devices
• Wireless Compliance (Wireless Building 2, 802.1Q): secured network access only for compliant wireless devices
• Intranet Access Compliance: ensure hosts are hardened prior to connecting to ERP, HRIS, BPM, etc.
• VPN User Compliance (IPSec): intranet access only for compliant remote-access users
• Guest Compliance (conference room in Building 3, Internet): restricted Internet access only for guest users

IT Staff Pain Points

Top Customer Pain Points*
• Role-based access control: Cisco NAC applies access and posture policies based on roles
• Enforce endpoint policy requirements: Cisco NAC assesses, quarantines, and remediates noncompliant endpoints
• Guests and unmanaged users: Cisco NAC authenticates and controls guest and unmanaged assets

Secured remote access, secured wireless access, secured LAN access

* Source: Current Analysis, July 2006

Cisco NAC Solves the Wireless Network Administrator’s Problems

Enforce role-based access control
• Cisco NAC Appliance verifies wireless users’ network access rules and security policy requirements according to user identity

Handle guests and unmanaged users effectively
• Cisco NAC Appliance enforces authentication and control of guests, and of people and devices from outside the organization, when they access the wireless network

Enforce endpoint security policy
• Cisco NAC Appliance assesses, quarantines, and remediates wireless endpoints that do not comply with security policy

Source: Current Analysis, July 2006

Cisco NAC Appliance Strengthens the Cisco Wireless Solution

• Cisco NAC Appliance provides an enterprise-grade NAC and centralized management solution that applies equally to LAN, WLAN, VPN and remote offices
• Cisco NAC Appliance provides a complete NAC solution for both managed and unmanaged wireless devices; the Cisco wireless solution provides wireless access management
• Cisco NAC Appliance provides automatic security policy rule updates, software posture verification/remediation for partner security vendors, and role-based access control; the Cisco wireless solution provides authentication and role-based VLAN mapping
• Cisco NAC Appliance provides unified management of wired and wireless guests; the Cisco wireless solution provides the wireless guest login page and guest management

Cisco NAC Appliance Proactively Enforces Security Policy

All-in-One Policy Compliance and Remediation Solution

Authentication
• Enforces authorization policies and privileges
• Supports multiple user roles

Scan for vulnerabilities & assess posture
• Agent scan for required versions of hotfixes, AV, and other software
• Network scan for virus and worm infections and port vulnerabilities

Quarantine
• Isolate non-compliant devices from the rest of the network
• MAC- and IP-based quarantine effective at a per-user level

Update & remediate
• Network-based tools for vulnerability and threat remediation
• Help-desk integration

Cisco NAC Appliance Product Components

Cisco NAC Appliance Manager (NAM)
• Lets administrators and support staff centrally manage NAC according to their respective privilege levels

Cisco NAC Appliance Server (NAS)
• The network access enforcement mechanism

Cisco NAC Appliance Agent (NAA)
• A free client that performs device-based registry scans and collects the device’s security posture

Rule-set updates
• Automatically update anti-virus, critical hot-fix and other application information at the times you specify

Cisco NAC Appliance: In-Band Mode

• L3/L4 filtering and quarantine
• Supports role-based access control
• Supports per-identity bandwidth management (e.g. “Guests” or “Quarantine”)
• Well suited to guest environments where port-based access control cannot be enforced: hubs, wireless APs, VoIP phones, shared media ports, non-Cisco environments

[Figure: NAC Appliance Server in the traffic path, managed by the NAC Appliance Manager]

Cisco NAC Appliance In-Band Mode: Guests

• Supports role-based access control: “Guest” to http/s only, “Trainee” to lab servers only
• Supports per-identity bandwidth management: “Guest” has 200kb/s downstream, “Consultant” has 400kb/s downstream
• L3/L4 filtering and quarantine for non-compliant hosts: “Quarantine” access to Windows Update only
• RADIUS-based auditing: logs login/logout, and guest billing records based on login time
• Well suited to guest environments where port-based access control cannot be enforced: hubs, wireless APs, VoIP phones, shared media ports and non-Cisco environments

[Figure: NAC Appliance Server in the traffic path, managed by the NAC Appliance Manager]

Agenda, part 3: How NAC Works on Wireless Networks

How Cisco NAC Appliance Operates on a Wireless Network

Role: “Unauthenticated”

[Figure: lab topology used for the steps below]
• Laptop: IP 192.168.50.3
• WLC: 192.168.60.3 on Mgmt VLAN 60; 192.168.50.2 on User Traffic VLAN 50
• Auth Server: IP 10.1.1.25
• Radius Accounting Server: IP 10.1.1.26
• NAC Appliance Manager: IP 10.1.1.30
• L3 Switch: IP 192.168.10.1
• NAC Appliance Server (NAC Enforcement Point): IP 192.168.10.2
• Intranet Server: IP 10.10.10.10
• DNS Server: IP 10.20.20.20

1. Wireless user connects to the WLC via LWAPP and authenticates to the Auth Server (any auth method, including 802.1x)
2. Wireless user obtains an IP address from the Auth Server
3. WLC forwards the Radius accounting login info to the CAS
4. Wireless user opens a browser and is redirected to download the NAC Agent (if they don’t already have it loaded)

How Cisco NAC Appliance Operates on a Wireless Network (cont.)

Role: “Quarantine” (same topology as the previous slide)

5. The Agent queries the NAC Appliance Server to discover whether the wireless user is authenticated (which it will be, by the Radius accounting previously sent)
6. The Agent performs posture assessment and forwards the results to the Server to make the network admission decision

How Cisco NAC Appliance Operates on a Wireless Network (cont.)

Role: “Quarantine” (same topology as above)

8. NAC Server forwards the posture report to the NAC Manager
9. Manager determines that the user is NOT in compliance and instructs the Server to put the laptop into the “Quarantine” role
10. NAC Manager sends remediation steps to the NAC Agent

How Cisco NAC Appliance Operates on a Wireless Network (cont.)

Role: “Quarantine” (same topology as above)

11. NAC Agent displays the access time remaining in the “Quarantine” role for the remote user
12. The Agent guides the remote user through step-by-step remediation, with one-click update for remediation
13. The Agent informs the NAC Server that the wireless user has been successfully remediated
14. The NAC Server presents the user with an Acceptable Use Policy (AUP) agreement
How Cisco NAC Appliance Operates on a Wireless Network (cont.)

Role: “Wireless” (same topology as above)

15. Upon AUP acceptance, the NAC Appliance Server assigns the remote user to the “Wireless” role
16. NAC Appliance Server puts the IP address of the remote user into the “Online User” list
17. The wireless user is now allowed to access the Intranet server
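The admission flow in the numbered steps above, together with the per-role L3/L4 filters and bandwidth caps from the in-band guest slide, modelled as an added Python example (not Cisco’s code): a RADIUS accounting start marks the session authenticated, the agent’s posture report drives Quarantine versus the “Wireless” role after AUP acceptance, and `is_allowed` applies the role’s filter with default deny. The check names, the “Windows Update” subnet and the lab-server subnet are constructed placeholders.

```python
"""Toy model of the NAC Appliance in-band wireless admission flow (constructed example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Per-role L3/L4 filter: (destination network, allowed ports; None = any port).
ROLE_RULES: Dict[str, List[Tuple[str, Optional[Set[int]]]]] = {
    "Unauthenticated": [("192.168.10.2/32", {80, 443})],  # browser redirect to NAS for agent download
    "Quarantine": [("203.0.113.0/24", {80, 443})],        # placeholder "Windows Update" subnet only
    "Guest": [("0.0.0.0/0", {80, 443})],                   # http/s only
    "Consultant": [("0.0.0.0/0", {80, 443})],
    "Trainee": [("10.10.20.0/24", None)],                  # placeholder lab-server subnet only
    "Wireless": [("10.10.10.10/32", None), ("10.20.20.20/32", {53})],  # intranet server + DNS
}
BANDWIDTH_KBPS = {"Guest": 200, "Consultant": 400}  # downstream caps; absent = no cap

# Posture requirements evaluated against the agent's report (constructed checks).
REQUIRED_CHECKS = {
    "critical_hotfixes_installed": lambda v: v is True,
    "av_signature_age_days": lambda v: isinstance(v, int) and v <= 7,
}

def is_allowed(role: str, dst_ip: str, dst_port: int) -> bool:
    """Default deny: a flow passes only if one of the role's rules matches it."""
    dst = ip_address(dst_ip)
    return any(dst in ip_network(net) and (ports is None or dst_port in ports)
               for net, ports in ROLE_RULES.get(role, []))

def bandwidth_kbps(role: str) -> Optional[int]:
    return BANDWIDTH_KBPS.get(role)

@dataclass
class Session:
    user: str
    ip: str
    role: str = "Unauthenticated"
    authenticated: bool = False   # set by RADIUS accounting forwarded from the WLC
    aup_pending: bool = False     # posture passed, waiting for AUP acceptance
    remediation: List[str] = field(default_factory=list)

class NacServer:
    # Models the NAC Appliance Server acting as the in-band enforcement point.
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.online_users: Set[str] = set()

    def radius_accounting_start(self, user: str, ip: str) -> Session:
        # Step 3: the WLC forwards the RADIUS accounting login; no separate agent login.
        s = self.sessions.setdefault(ip, Session(user, ip))
        s.authenticated = True
        return s

    def agent_discovery(self, ip: str) -> bool:
        # Step 5: the agent asks whether its IP is already authenticated.
        s = self.sessions.get(ip)
        return bool(s and s.authenticated)

    def posture_report(self, ip: str, report: dict) -> List[str]:
        # Steps 6, 8 to 10 and 13: failed checks mean Quarantine plus remediation steps;
        # a clean report holds the user until the AUP is accepted.
        s = self.sessions[ip]
        if not s.authenticated:
            raise PermissionError("posture report from unauthenticated host")
        failures = [name for name, ok in REQUIRED_CHECKS.items() if not ok(report.get(name))]
        if failures:
            s.role, s.remediation, s.aup_pending = "Quarantine", failures, False
        else:
            s.remediation, s.aup_pending = [], True
        return failures

    def accept_aup(self, ip: str) -> bool:
        # Steps 14 to 16: on AUP acceptance assign "Wireless" and add to the Online User list.
        s = self.sessions[ip]
        if not s.aup_pending:
            return False
        s.role, s.aup_pending = "Wireless", False
        self.online_users.add(ip)
        return True
```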

Cisco NAC Agent Guided Interface

[Screenshots: running the vulnerability scan (types of checks depend on user role); the non-compliant-with-security-policy notice; performing remediation]
Experience a Wireless Network with Integrated NAC

The Network Is the Platform for Life’s Experiences