NAC
Willy Huang, Product/Technical Manager, Cisco Systems Taiwan Ltd., [email protected]
2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

1 2 3 4
NAC
NAC
Flash demo
No Wi-Fi = Good Security? Wrong!
A single rogue access point creates enormous risk. Traditional security measures (firewall, wired IDS/IPS, VPNs, NAC, etc.) don't address it. Perpetrated unknowingly, often by your own employees.

A Handheld Walk-Around Survey Is Sufficient (i.e. AirMagnet)? Wrong!
Would you turn on your firewall only periodically? Not practical for branch or remote offices with no local IT personnel. Laborious and expensive.

I Use 802.11i, WPA or VPN, so My Network Is Secure? Not at all!
Only protects authorized clients and infrastructure. No impact on unauthorized infrastructure (i.e. rogue APs) or unauthorized connections (i.e. ad hoc networks).
Wireless Access Outside Physical or Wired Boundaries (diagram: the Enterprise Network sits behind Physical Security and Wired Security; wireless reaches outside both)
Open air: No physical barriers to intrusion
Standard 802.11 protocol: Well-documented and well-understood; target of the most common attacks against WLAN networks: management frames
Unlicensed: Easy access to inexpensive technology
Integrated WLAN security foundation: Strong user authentication (Cisco EAP/EAP-FAST and 802.1X integration); strong transport encryption (802.11i and WPA/WPA2)
Wireless and NAC single-sign-on: Role-based access; client device validation; posture assessment and remediation
Rogue detection through automatic RF monitoring: Detect and prevent unauthorized wireless activities
Unified wired and wireless IPS: Threat mitigation; comprehensive security protection
C97-408586-00
Implementation Considerations
Critical: WLAN Security Fundamentals. Strong user authentication (802.1X, Cisco EAP/EAP-FAST, ACS); strong transport encryption (802.11i, AES, TKIP, MFP, WPA/WPA2); detection and prevention of rogue access points, clients, special-purpose networks, DoS, etc. (audits, RF scanning, wireless IPS)
Urgent: Traffic and Access Control. Device posture assessment (NAC); role-based network access (NAC); threat mitigation (unified wired and wireless IPS)
Recommended: Endpoint Protection. Endpoint connection policy and status (WLAN controller, NAC, MFP); endpoint malware mitigation (Cisco Security Agent); threat-alert distribution (Cisco Security Agent + IPS + Cisco Security MARS)
Best Practice: Network Visibility. Comprehensive WLAN security management (Wireless Control System); security event analysis and correlation (Cisco Security MARS)
Wi-Fi Protected Access (WPA): Standardized; optimized for enterprise; broad adoption; tested for interoperability. Mandates TKIP encryption + MIC + 802.1X authentication; required as of Aug. 03.
Authentication: 802.1X
Encryption: TKIP + MIC (Temporal Key Integrity Protocol, Message Integrity Check), successor to WEP encryption
CCX Program: Cisco Compatible eXtensions. Ensures interoperability for a variety of 802.1X authentication types, including LEAP & PEAP
Rogue detection and RF containment (diagram): on-channel attack detected; off-channel rogue detected (Rogue AP on 802.11a channel 153 with a rogue client; AP contains rogue client); off-channel ad hoc net detected (ad hoc client on 802.11g channel 1; AP contains ad hoc net); RF containment.
802.11a channel 153: rogue client
802.11g channel 1: ad hoc client
802.11g channel 6: valid client
802.11g channel 6: attacker
802.11a channel 152: valid client
Unified Intrusion Prevention: Layer 2 through Layer 7 (Cisco Access Point, Cisco WLAN Controller, Enterprise Network, Cisco ASA 5500 with IPS)
Event and client shunning:
1. Malicious traffic: client to access point or controller
2. Deep packet inspection: controller traffic to IPS
3. Controller queries IPS
4. Client shun implemented by controller
Secure wireless architecture (diagram): Untrusted/Public Internet, Guest Anchor Controller, Cisco ASA 5500 with IPS Module, WCS, Cisco NAC Appliance Server, Cisco WLAN Controller, Cisco Security MARS, Cisco NAC Appliance Manager, Cisco Security Agent Server; Trusted wired and wireless segments; Cisco Access Point (802.1X, WPA2, MFP); Guest; SSC.
Endpoint Protection (Cisco Security Agent): Host intrusion prevention; endpoint malware mitigation
Traffic and Access Control: Device posture assessment; dynamic, role-based network access and managed connectivity; WLAN threat mitigation with IPS/IDS
WLAN Security Fundamentals: Strong user authentication; strong transport encryption; RF monitoring; secure guest access
Physical: User and device tracking; location-based security
Data: 802.11i; VPN
RF: Coverage area and interference avoidance; wIDS; rogue detection
User/Device: X.509; 802.1X (RADIUS); Web-Auth; IDS
Application: Network Access Control; firewall
For more information about the Cisco Secure Wireless Solution, visit: http://www.cisco.com/wirelesssecurity
For more information about Cisco NAC, visit: http://www.cisco.com/go/nac
For more information about Cisco Wireless products, visit: http://www.cisco.com/go/wireless
For more information about the Cisco Unified Wireless Network, visit: http://www.cisco.com/go/unifiedwireless
NAC
Cisco NAC Appliance: Endpoint Compliance (diagram: Campus Building 1 over 802.1Q, Wireless Building 2, Conference Room in Building 3, Internet over IPSec, NAC Appliance in-band)
Wireless Compliance: Secured network access only for compliant wireless devices
Network access only for compliant devices
Intranet Access Compliance: Ensure hosts are hardened prior to connecting to ERP, HRIS, BPM, etc.
Guest Compliance: Restricted Internet access only for guest users
VPN User Compliance: Intranet access only for compliant remote access users
Top Customer Pain Points* (IT)
Role-based access control: Cisco NAC applies access and posture policies based on roles
Enforce endpoint policy requirements: Cisco NAC assesses, quarantines, and remediates noncompliant endpoints
Guests and unmanaged users: Cisco NAC authenticates and controls guest and unmanaged assets
Secured Remote Access; Secured Wireless Access; Secured LAN Access
* Source: Current Analysis, July 2006
Cisco NAC: roles-based (Cisco NAC Appliance); unmanaged users (Cisco NAC Appliance); endpoint (Cisco NAC Appliance)
Source: Current Analysis, July 2006
Cisco NAC Appliance: NAC for LAN, WLAN, VPN and remote offices; managed and unmanaged devices
Cisco NAC Appliance: role-based access; role-based VLAN mapping
Cisco NAC Appliance: wired and wireless
Cisco NAC Appliance: All-in-One Policy Compliance and Remediation Solution
Enforces authorization policies and privileges; supports multiple user roles
Isolate non-compliant devices from the rest of the network; MAC- and IP-based quarantine effective at a per-user level
Agent scan for required versions of hotfixes, AV, and other software; network scan for virus and worm infections and port vulnerabilities
Network-based tools for vulnerability and threat remediation; help-desk integration
Cisco NAC Appliance components:
Cisco NAC Appliance Manager (NAM)
Cisco NAC Appliance Server (NAS)
Cisco NAC Appliance Agent (NAA): client, device-based registry
Rule-set: anti-virus, hot-fixes, applications
Cisco NAC Appliance: In-Band
L3/L4 roles-based (e.g. Guests, Quarantine)
Port-based: hubs, wireless APs, VoIP phones, shared media ports, non-Cisco environments
Components: NAC Appliance Manager, NAC Appliance Server
Cisco NAC Appliance In-Band: roles-based
Guest to http/s only; Trainee to lab servers only
Guest has 200 kb/s downstream; Consultant has 400 kb/s downstream
L3/L4 Quarantine: access to Windows Update only
RADIUS login/logout
Port-based: hubs, wireless APs, VoIP phones, shared media ports and non-Cisco environments
Components: NAC Appliance Manager, NAC Appliance Server
NAC
Cisco NAC Appliance walkthrough. Role: Unauthenticated
Topology: Laptop 192.168.50.3; WLC 192.168.60.3 (Mgmt VLAN 60) and 192.168.50.2 (User Traffic VLAN 50); Auth Server 10.1.1.25; NAC Appliance Manager 10.1.1.30; L3 Switch 192.168.10.1; Intranet Server 10.10.10.10; NAC Appliance Server 192.168.10.2 (NAC Enforcement Point); DNS Server 10.20.20.20; RADIUS Accounting Server 10.1.1.26
1. Wireless user connects to the WLC via LWAPP and authenticates to the Auth Server (any auth method, including 802.1X)
2. Wireless user obtains an IP address from the Auth Server
3. WLC forwards RADIUS accounting login info to the CAS
4. Wireless user opens a browser and is redirected to download the NAC Agent (if they don't already have it loaded)
Cisco NAC Appliance (cont.) Role: Quarantine (same topology)
5. The Agent queries the NAC Appliance Server to discover if the wireless user is authenticated (which it will be, by the RADIUS accounting previously sent)
6. The Agent performs posture assessment and forwards results to the Server to make the network admission decision.
Cisco NAC Appliance (cont.) Role: Quarantine (same topology)
8. NAC Server forwards posture report to NAC Manager.
9. Manager determines that the user is NOT in compliance and instructs the Server to put the laptop into the Quarantine Role.
10. NAC Manager sends remediation steps to NAC Agent.
Cisco NAC Appliance (cont.) Role: Quarantine (same topology)
11. NAC Agent displays access time remaining in the Quarantine Role for the remote user
12. The Agent guides the remote user through step-by-step remediation with one-click update for remediation
13. The Agent informs the NAC Server that the wireless user has been successfully remediated
14. The NAC Server provides the user with an Acceptable Use Policy (AUP) agreement
Cisco NAC Appliance (cont.) Role: Wireless (same topology)
15. Upon AUP acceptance, the NAC Appliance Server assigns the remote user to the Wireless role
16. NAC Appliance Server puts the IP address of the remote user into the Online User list
17. Wireless user is now allowed to access the Intranet server.
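The admission flow in steps 1-17 above, together with the role-based in-band policy examples from the earlier slide (Guest to http/s only, Quarantine to Windows Update only), as an added runnable Python model. This is example code written for this page, not Cisco's NAC Appliance software: the compliance thresholds, the hot-fix identifiers, the TEST-NET-3 placeholder standing in for Windows Update and the per-role rules are assumptions, while the client, server and intranet addresses are those of the slide topology. It adds one defensive detail the slides do not spell out: the "successfully remediated" notification at step 13 is re-verified against a fresh posture report instead of being trusted.

```python
"""Toy model of the NAC Appliance wireless admission flow on the slides.
Written for this page, not Cisco code. Thresholds, hot-fix ids, policy rules
and the Windows Update placeholder are assumptions; IPs come from the slides."""
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import ip_address, ip_network


class Role(Enum):
    UNAUTHENTICATED = "Unauthenticated"
    QUARANTINE = "Quarantine"
    WIRELESS = "Wireless"


# Addresses from the slide topology
LAPTOP_IP = "192.168.50.3"
NAS_IP = "192.168.10.2"          # NAC Appliance Server, the enforcement point
INTRANET_SERVER = "10.10.10.10"
# Placeholder (TEST-NET-3) standing in for the Windows Update servers
WINDOWS_UPDATE_NET = "203.0.113.0/24"

# Rule-set the Agent checks (anti-virus, hot-fixes); constructed values
MIN_AV_SIGNATURE = 1200
REQUIRED_HOTFIXES = frozenset({"HOTFIX-A", "HOTFIX-B"})   # placeholder ids

# Role-based L3/L4 policy: (destination network, protocol, allowed ports; None = any)
POLICY = {
    Role.UNAUTHENTICATED: [(ip_network(NAS_IP + "/32"), "tcp", {80, 443})],
    Role.QUARANTINE: [(ip_network(WINDOWS_UPDATE_NET), "tcp", {80, 443}),
                      (ip_network(NAS_IP + "/32"), "tcp", {80, 443})],
    Role.WIRELESS: [(ip_network("0.0.0.0/0"), "any", None)],
}


@dataclass
class PostureReport:
    av_signature_version: int
    installed_hotfixes: frozenset


@dataclass
class Session:
    role: Role = Role.UNAUTHENTICATED
    remediation: list = field(default_factory=list)
    remediated: bool = False


def assess_posture(report):
    """Manager-side compliance check: returns remediation steps (empty = compliant)."""
    steps = []
    if report.av_signature_version < MIN_AV_SIGNATURE:
        steps.append(f"update anti-virus signatures to >= {MIN_AV_SIGNATURE}")
    for hotfix in sorted(REQUIRED_HOTFIXES - report.installed_hotfixes):
        steps.append(f"install hot-fix {hotfix}")
    return steps


class NacServer:
    """NAC Appliance Server stand-in: tracks sessions and filters traffic by role."""

    def __init__(self):
        self.sessions = {}          # client IP -> Session
        self.online_users = set()   # Online User list (step 16)

    def radius_accounting_login(self, client_ip):
        # Step 3: the WLC's RADIUS accounting record is what makes the client known
        self.sessions[client_ip] = Session()

    def is_authenticated(self, client_ip):
        # Step 5: the Agent's discovery query
        return client_ip in self.sessions

    def agent_posture(self, client_ip, report):
        # Steps 6-10: posture report -> Manager decision -> role and remediation steps
        session = self.sessions[client_ip]
        session.remediation = assess_posture(report)
        if session.remediation:
            session.role = Role.QUARANTINE
        else:
            session.remediated = True      # compliant: proceeds straight to the AUP
        return list(session.remediation)

    def report_remediated(self, client_ip, report):
        # Step 13, verified rather than trusted: the fresh report is re-assessed
        session = self.sessions[client_ip]
        session.remediation = assess_posture(report)
        session.remediated = not session.remediation
        return list(session.remediation)

    def accept_aup(self, client_ip):
        # Steps 14-16: AUP acceptance promotes a remediated client to Wireless
        session = self.sessions[client_ip]
        if session.remediated:
            session.role = Role.WIRELESS
            self.online_users.add(client_ip)
        return session.role

    def permit(self, src_ip, dst_ip, proto, port):
        """In-band enforcement: allow the flow only if the client's role policy matches."""
        session = self.sessions.get(src_ip)
        if session is None:
            return False                   # unknown client: nothing is admitted
        for net, rule_proto, ports in POLICY[session.role]:
            if ip_address(dst_ip) in net and rule_proto in ("any", proto):
                if ports is None or port in ports:
                    return True
        return False
```

Driving the model through the slide's scenario (accounting login, failed posture, quarantine, verified remediation, AUP, Wireless role) shows the enforcement point's view at each step: the laptop can reach the intranet server only once it is in the Online User list, and accepting the AUP before remediation changes nothing.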
Cisco NAC Agent (types of checks depend on user role)
NAC
The Network Is the Platform for Life's Experiences