Are you looking for my non-technical blog?

This is now my technical-only blog, my non-technical blog is here.

14 March 2008

Network Access/Admission Control

Some reports are stating that 70% of the attacks are internal attacks. So, perimeter Firewalls are Intrusion Prevention Systems are really good in protecting us from external attacks, but what about protecting the users from each other.

But wait a minute, I know what you are thinking of now. "Screw these reports, my employees are decent people, and I believe they don't have mean intentions to harm their company's resources!". Yes, you are right, they may not have mean intentions, but what if their antivirus is not up to date, isn't it possible that they may have a work that they are not aware of that may propagate into your network and cause some damage there? What about P2P applications, don't you warn them of using it as it utilizes all your bandwidth? Do they really listen to you? And what about those guests in your meeting room, or those guys who came today in order to fix some server in your server room, who decided to plug their laptops into your network in order to download some stuff from the internet? Can't they simply send or receive some traffic that they are not supposed to send nor receive?

We were installing the LAN infrastructure of one of the major financial institutes here in Egypt a long while ago, and then I was supposed to find out the best way to deploy such equipments from a security point of view. So, one of there features that we decided to enable on the switches was IEEE 802.1X, which is a protocol used in order to authenticate the hosts and/or the users before giving them access to the network, i.e. Network Access Control solution. But you know what, IEEE 802.1X is really cool, and it may help in solving some of the problems mentioned earlier, but in real life, they never deployed it, and so does many other customers.

Controlling users/hosts access to your network based on their identities is really useful, but not sufficient. We still need more vision and granular control. A certain host may have valid credentials to access your network, but still such host may not be really healthy - doesn't have End-Point Security softwares installed - and giving it access to your network may harm other resources connected to it. What you really need here is a combination of Network Access and Admission Control. And here comes the new trend of network security, NAC. It's a solution that can check the different hosts before giving them to the network, and it can also control the different switches, access points, and create dynamic rules on your firewalls and IPS's in order to granularly control the access given to each host to the various resources in the network based on their identity and security posture.

Some vendors have decided to build on the existing IEEE 802.1X standard in order to make sure that their solution will work in heterogeneous environments where that are different switches and security vendors. Some others decided to create their own proprietary protocols from scratch, some other decided to have their controls and policies in the hosts themselves by having installing agents there instead on relying on the existing infrastructure. And for sure some had mixtures of all the above.

References and Vendors:
Network World, NAC Topics
Got the NAC Blog, Steve Hanna
TechNet, NAP Blog
Cisco Systems, NAC Appliance (Clean Access)
Juniper Networks, Unified Access Control
Microsoft, NAP (Network Access Protection)
Symantec, Network Access Control
McAfee, Network Access Control
CanSentry Networks, Intelligent Switches

Tags: , , ,

3 comments:

  1. Welcome to may world :)

    Allow me to add some corrections to the nice article you have here
    First, 802.1x isn't only for hosts, it also authenticates uses. So technically your sentence would be more accurate if you say, "authenticates accounts before allowing them on the network" since these can be hosts, users, devices, network attached storage, what have you.

    802.1x is really cool indeed, I've spent that last 8 years of my life working with it, and let me tell you, even though it leaves a lot to be desired.. it's still one goddamn great solution

    However, 802.1x is not enough for NAP *NAP is the origin of all these cool technologies, not NAC even though NAP was released AFTER NAC. It was Microsoft's diligent work to roll it out in windows Vista, and soon in XPSP3.
    Nap has the capability to protect your network in 3 different ways. The first is through 802.1x, the second is DHCP and the third is IPSec (There's a forth for VPN, but that's really similar to 802.1x) combining two (or more) of these cool ways means the ultimate security.

    The term security "posture" is one of the worst security terms ever invented! It doesn't mean anything. But, cisco insists on using it while everyone else thinks it's dumb, but that's beside the point :), just thought I would mention it

    As you said, having enough "credentials" to access the network doesn't mean that your client is healthy enough to do network activity. It might still be infected or "compromised", it might also be out of date on its: Service packs, antivirus signature, malwale protection, firewall, the existence of any of the above or simply something like "not having the -stuff-"

    It's clear, that there will be only two. Microsoft NAP, and Cisco NAC. But that's not a bad thing. In fact, NAP and NAC can interact through HCAP, (which is a stupid Cisco Radius-over-http protocol)
    But for once, I'm so glad that Microsoft AND Cisco agreed on something. While Microsoft has the backing of few hundred security vendors (including McAfee, CA, TredMicro...etc), they still maintained the compatibility with Cisco which is awesome

    Here's the best part! Through the Microsoft-Cisco deal, Cisco agreed to stay off the desktop with their crappy end user software, and gave that to Microsoft which in return built EAPHOST which will allow Cisco to use their own versions of EAP protocols on any windows box without screwing up the networking stack like they did over and over in windows XP! (Oh this also means that Cisco gets to distribute their EAP methods through .... yes yes ... windows update to millions of desktops at the same time) So it was a Win-Win for Microsoft and Cisco and a Win-Win for users and administrators!! (Thank god Microsoft-Cisco played like matured adults for ONCE in their history)

    An interesting piece of information to add, there are only two protocols currently that support NAP/NAC: PEAP and EAPFAST. PEAP (v0 and v1) support sending SHA TLV and the so can EAPFAST! Although I would be more inclined to use PEAPv0 for compatibility since it works with both Microsoft IAS/NPS and Cisco ACS (and Juniper/Funk SBR, And RADIATOR...etc ..etc)

    It would be cool to add this blog to your list of references
    NAP Blog http://blogs.technet.com/nap/

    ReplyDelete
  2. Hello Qwaider,

    Thanks for the corrections and comments.

    About the first point, I've fixed it, and yes you're right, it can authenticate the host, the user, or both of them, and the host in this case can be anything from a PC, Hand-held, to to Network Attached Storage.

    I agree that 801.1X is a good security solution, but I believe that people today are supposed to implement NAC, especially that it has far more features than the bare dot1x. Anyway why shall not think of them as two competing technologies, especially that the dot1x protocol can be one element into a NAC framework or solution.

    I am not sure who's before who, so I'll trust you in this. Especially that I am not that aware of MicroSoft's technologies including their NAP. Anyway, what I wanted to say here is that the usage of DHCP and IPSec Tunnels is also implemented in some NAC solutions, and some solutions even depend on the host to protect the network from himself by activating the personal firewall there, why my not be a really good solution, however it can be useful sometimes.

    What I mean by posture here, is the policy or the guidelines that you put in order to decide if a certain PC is permitted to connect to the network or not. This may include the presence of an Antivirus or a personal firewall there, but it's not limited to this, it can also check some value in the registry key, or the date the Antispam was updated, or the presence of a hot fix or patch, you name it. And that's why a combination of the credentials and security posture is needed to know if someone is supposed to have access to the network or not, and this is the value NAC adds compared to a bare dot1x implementation.

    I do not agree that MS-NAP and Cisco-NAC are going to be the only two solutions out there. There are many vendors doing their our implementations, there are aslo some standard bodies such as TCG/TNC and IETF who are trying to come out with NAC Standards. Juniper for example decided to comply with TCG/TNC standard.

    About the agreements between Cisco/MS. The point is that Cisco here want to make use of MS-NAP implementation so that the users won't be forced to install a certain client on their PC in order to implement CNAC. And yes, it's not Cisco only who is doing so, there is a similar agreement between TCG/TNC and Microsoft.

    About the PEAP and EAP-FAST point, please bare in mind that not all the vendors rely on EAP in their implementations. Some do it through HTTP redirection, other use SNMP, etc. Juniper by the way use their own EAP-JUAC.

    Finally, I am really happy that you liked this post and you know what I didn't expect to see someone interested in it. And by the way, I've added the technet-blog you wrote here into the references list.

    ReplyDelete
  3. The TCG/IETF protocol is actually mostly based on the Microsoft NAP, while Cisco continue to do their own thing again (do something, apply to the IETF and claim it's a standard)

    My objection, (and several others in the IETF) on the "Posture" name is that it's ambiguous, it doesn't mean anything! What does it say to the client!? You're sitting incorrectly!?
    The proper naming convention so far has been "Health State" or "Bill of Health", or loosely, "Certificate of health" all can be used to better describe what we're trying to establish here which is, the health of the client.

    1x,IPSec and DHCP are all included in NAP (out of the box). Each one has it's advantage and disadvantages. With DHCP being the easiest to deploy. 1x is in the middle and Ipsec the most complex. But also, the most secure.

    I stand corrected on NAP and NAC being the only ones remaining. I think no one is going anywhere anytime soon. Just because historically that what has been going on.

    Using HTTP and SNMP mean that they're too high up the stack that it will cause issues. for layer 2 and layer three applications. But that's a 1x vs http-hijack argument. really. With 1x being the superior one. But with bad client side support and very poor server side implementations all over (Especially after MS WPS flunked so badly)

    EAP-JUAC is not a standard by a long shot which means they're probably going to rely on their odyssey supplicant to deploy it. Which is a recipe for disaster. However Juniper have partnered with Microsoft and they're solid behind nap. So they're partner/comepetitors on the same front. I love these! It keeps everyone on their toes.
    I'm not sure if EAP-JUAC is going to qualify through Microsoft EAP certification program (as EAPFAST, EAPoUDP from cisco are doing) But I would assume they would probably want to go through it to gain the free download through Windows update feature.

    It's good to see the people interested in NAP/NAC as I sincerely believe that it's going to be a very important aspect of every corporate deployment in the future.

    Some things I would like to mention here is that NAP/NAC has provisions to help the client GET HEALTHY. It instructs the client to go do X or it will do it for the client without intervention. like if the Firewall is off, it will turn it on! If the Virus signature file is old, it will go and update it for them All that good remediation work is done without the user even knowing about it... which is awesome for Network Admins and Domain admins since this frees up all their tech support

    Good post Tareq, it's nice to see some diversity in the articles. This stuff is cutting edge and I have been involved with it for 1/3 of my life now :D

    PS: Cisco isn't always right. Just keep that in mind
    PPS: There's a NAP Client for linux machines now and there's one coming up for Mac, I also hear there are a bunch in the wire for Smartphones and other smartdevices, but can't confirm that. If this wasn't important, no one would have done those

    ReplyDelete