3856_10_2001_c1_X © 2001, Cisco Systems, Inc. All rights reserved.

Page 1

Cisco Network Admission Control & the Self Defending Network Initiative

802.1x & Identity Based Networking

Tim Ryan – Cisco SE

Page 2

Cisco's Embedded Intelligent Security: Evolving with Today's Threats

2000: Adjunct Based Security (FW, IDS, VPN)
• Adjunct security appliances plugged into the network
• Enhanced device security
• Separate management software

2002: Integrated Security (FW, IDS, VPN)
• Security service modules integrated into the infrastructure
• FW + intrusion detection + VPN
• Integrated management software

Today: Embedded Intelligent Security (FW, IDS, VPN, Identity, L2/L3 hardening, HIPS)
• Network-wide security fully embedded into the network infrastructure
• Self defending, protecting, preventing, healing
• Control of "who" has network access and "what" they can do

Page 3

Cisco End-to-End Security Productization

Network-Based Security: VPN, FW, IDS → FW + VPN, App FW, SSL VPN, In-Line IPS
• Integration of capabilities into a converged appliance/switch

Host-Based Security: AV, HIDS, Personal FW, VPN → Behavior/Anomaly IPS/FW
• Comprehensive desktop solution

Intelligent linkage of endpoint with network: ID/Trust

Page 4

Intelligent Embedded Campus Security: "Tighten Down the Hatches"

Cisco Catalyst Integrated Security
• Protects against today's emerging attacks: "man-in-the-middle", "DHCP server spoofing", "IP address spoofing"

Host IPS (CSA) with Cisco Identity (IBNS)
• Detects and isolates infected users (an authorized but infected user is moved to the quarantine VLAN)

Cisco Identity Based Networking Services (IBNS)
• "Controlling who/what gets access to the network and what they can do"
• Authorized user gets access to HR records; unauthorized users are denied access
• Rogue APs prevented

(Figure: an attacker on the campus attempts a man-in-the-middle attack to record HR "data")

Page 5

What if you could… "Control Who's/What is on your Network?"

• 99% of accessible network ports are "open"

(Figure: unauthorized users with physical access (visitors, "door tailgaters", etc.) and unauthorized external wireless users reach corporate resources over the same ports as an authorized user)

Page 6

User Identity Based Network Access

Cisco Embedded Security with IBNS: determining "who" gets access and "what" they can do

• Equivalent to placing a security guard at each switch port
• Only authorized users/devices can get network access
• Unauthorized users/devices can be placed into "Guest" VLANs
• User-based policies applied (BW, QoS, etc.) across the campus network
• Prevents unauthorized APs

Page 7

Internet Worm Infection

• Self-propagating worms continue to disrupt business, causing downtime and continual patching
• Non-compliant servers and desktops are common, and they are difficult to detect and contain
• Locating and isolating infected systems is time- and resource-intensive

(Figure: a worm attack reaching the data center from the Internet, a branch, a remote user, the LAN and the wireless LAN)

Page 8

Diverse Endpoint and User Community

• The virus/worm problem is compounded by today's networked environment
• Multiple types of end users: employees, vendors, contractors, etc.
• Multiple types of endpoints: company desktop, home, server, etc.
• Multiple types of access: wired, wireless, VPN, dial, etc.

Attack vectors can come from anywhere (Internet, branch, remote user, LAN, wireless LAN, data center)

Page 9

Ideal Solution: An Integrated System

• Multiple components are required for a complete solution
• Endpoint security solutions know the endpoint's security condition: type, compliance, etc.
• Policy servers know the compliance/access rules
• Network access devices (routers, switches) enforce the admission policy
• Virus/worm prevention and containment requires industry collaboration

(Figure: branch and remote-user endpoints are checked against the policy servers. Compliant endpoint: Admit! Non-compliant endpoint: Quarantine! Unchecked Internet source: Deny!)

Page 10

Cisco Network Admission Control (NAC) Summary

• Cisco Network Admission Control (NAC) is a Cisco-led, industry-leading program focused on limiting damage from emerging security threats such as viruses and worms
• With NAC, customers can allow network access only to compliant and trusted endpoint devices (e.g. PCs, servers, PDAs) and can restrict the access of non-compliant devices
• Initial NAC co-sponsors include Network Associates, Symantec, and Trend Micro
• NAC is the first phase of the Cisco Self-Defending Network Initiative, an effort designed to dramatically improve the ability of networks to identify, prevent, and adapt to threats
• These efforts extend Cisco's ability to provide secure, intelligent networks for customers

Page 11

Cisco Network Admission Control (NAC)

Components and their roles:
• Hosts attempting network access: the anti-virus client, Cisco Security Agent and Cisco Trust Agent perform security credential checking
• Cisco network access device: security policy enforcement
• Cisco policy server: security policy creation
• AV vendor policy server: AV policy evaluation

• Based on the endpoint security posture, the appropriate admission policy is enforced in the network
• Cisco & NAC co-sponsors to deliver this collaborative solution

Page 12

NAC Program Overview

• Cisco is driving the architecture, specifications and guidelines of NAC
• Initial NAC co-sponsors include the major anti-virus vendors: Network Associates, Symantec, and Trend Micro
• Cisco Security Agent and NAC co-sponsor AV solutions will leverage Cisco Trust Agent for intelligent admission control
• Initial NAC capability to be delivered in Q2 CY04 in Cisco routers
• Future NAC extensions:
  More Cisco network devices
  More endpoint security software and endpoint platforms (OSs)
  More industry co-sponsors
  Solution "opened", timing and extent TBD

Cisco Trust Agent architecture: a broker and security layer exposing an EAP/TLV API to the AV client and CSA, and an L2/3 communications service that carries EAP over UDP (L3) or EAP over 802.1X (L2)

Page 13

NAC Deployment Scenarios: Comprehensive Compliance Validation

(Figure: main office with campus FW, edge router, AV server and AAA server; branch office behind a branch router; remote access via RA IPsec VPN and dial-in NAS. Posture is carried to the AAA server over RADIUS; the AAA server consults the AV server over SSL.)

1: Branch office compliance: EAP/UDP; enforce on the L3 router and firewall
2: Remote access compliance: EAP/UDP after IPsec; extension of "Are You There"
3: Dial-in access compliance: TBD
4: Wireless campus protection: EAP over 802.1x (wireless); quarantine with ACLs/VLANs; extension of 802.1x
5: Campus access and data center protection: EAP over 802.1x (wired); quarantine with ACLs/VLANs; extension of wired 802.1x

• Ubiquitous solution for all connection methods
• Validates all hosts

Page 14

NAC Customer Benefits

• Dramatically improved security for non-compliant hosts
• Increased network resilience
• Extended value from Cisco network infrastructure investment
• Increased value of existing investment in AV

Page 15

NAC Customer Validation

General interest (over 80%)*; strategic interest:
• 50+ Cisco Enterprise customers pre-briefed on NAC and Self-Defending Network
• Consistently positive feedback
• Interest spans all vertical markets
• Strong desire for acceleration of future phases
• Must include key AV partners

*Cisco survey, Feb 3-5 2003, 250+ NIDS customers; similar results in a blind survey

Page 16

Self-Defending Network Futures: Infection Containment

(Figure: campus and gateway with an infected host, its local L2/L3 device, a policy server and the virus detectors: AV systems (desktop, server, AV mgmt), IDS systems (NIDS, HIDS) and other virus detectors, including network proxy devices)

1. Infected host sends virus data through the local L2/L3 device to the network
2. Virus detector notices virus data from the sender and notifies the policy system
3. Policy server determines the containment action
4. Policy server determines the closest local L2/L3 device to the infected host and communicates the containment action
5. Local L2/L3 device enforces the containment action: Isolate!

Page 17

In addition to securing network access… What else can we do?

• If you know "who" and "what" are now on the network, what could you do with this info?
• Now (Cisco 802.1x extensions):
  VLAN assignments
  Apply security profiles
  Specify IP assignment
  Secure IP telephony
• Future:
  Posture & virus scanning / quarantine VLAN?
  Dynamic FW control/access/auth?
  IDS + Identity + Mgmt?

Page 18

Cisco Identity: Current and future capabilities…

• Dynamic VLAN assignment
• Dynamic security policy assignment using ACLs
• Dynamic QoS assignment using ACLs, including dynamic per-user/per-port policing
• IBNS-based user/port accounting

(Figure: faculty, dorm student, off-campus student and employee are authenticated by CiscoSecure ACS RADIUS; employee servers sit behind the employee policy)

Page 19

Campus Identity – Policy Enforcement. Future Capability: Beyond User Credentials…

• Problem: how can we leverage identity to create finer-grained policy based on more attributes from the user?
• Cisco solution in development: attributes such as the antivirus and host intrusion detection software versions and .dat file levels can be passed, in addition to the userid/password credentials, during the authentication process, to segment "unhealthy" users away from "healthy" ones
• First phase: Symantec, Network Associates, Trend Micro, Cisco Security Agent

(Figure: employee and student authenticate to CiscoSecure ACS RADIUS / policy server. Client: "Access please, my AV software is version X." Server: "Sorry, your AV software is backlevel." The student is placed in the quarantined VLAN; the employee reaches the employee servers.)
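The policy-server side of this exchange, and of the dynamic VLAN assignment on the previous slide, as an added example (not Cisco code and not from the deck): posture attributes arrive alongside the credentials, each one is checked against a minimum level, and the verdict is expressed as the RADIUS Tunnel-* attributes (RFC 3580) that move the port into a role VLAN or the quarantine VLAN. The users, VLAN numbers, vendor names and minimum versions are constructed for the example.

```python
"""Evaluate endpoint posture presented with the credentials and emit the
RADIUS attributes that assign the port's VLAN. Users, VLANs and minimum
versions below are constructed; attribute numbers are from RFC 3580."""
from dataclasses import dataclass

# RADIUS attributes used for 802.1x dynamic VLAN assignment (RFC 3580 section 3.31)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

QUARANTINE_VLAN = "999"                                   # constructed


@dataclass(frozen=True)
class Posture:
    identity: str
    av_vendor: str          # "symantec", "nai" or "trend"
    av_engine: str          # dotted version string, e.g. "8.1.2"
    dat_version: int        # virus definition (".dat") level
    hips_running: bool      # host IPS (CSA) present and running


# Minimum acceptable levels per vendor: the kind of rule the AV vendor policy
# server would supply (constructed values).
AV_POLICY = {
    "symantec": {"engine": "8.1.0", "dat": 4215},
    "nai": {"engine": "7.1.0", "dat": 4300},
    "trend": {"engine": "6.0.0", "dat": 700},
}
ROLE_VLAN = {"employee": "10", "faculty": "20", "student": "30"}   # constructed
USER_ROLE = {"tryan": "employee", "prof1": "faculty", "stu1": "student"}


def version_tuple(s):
    """'8.1.2' -> (8, 1, 2): compare versions numerically, never as strings."""
    return tuple(int(part) for part in s.split("."))


def posture_failures(p):
    """Every reason the endpoint counts as 'unhealthy'; empty means compliant."""
    reasons = []
    rule = AV_POLICY.get(p.av_vendor)
    if rule is None:
        reasons.append(f"unsupported AV vendor {p.av_vendor!r}")
    else:
        if version_tuple(p.av_engine) < version_tuple(rule["engine"]):
            reasons.append(f"AV engine {p.av_engine} backlevel, need {rule['engine']}")
        if p.dat_version < rule["dat"]:
            reasons.append(f"dat {p.dat_version} backlevel, need {rule['dat']}")
    if not p.hips_running:
        reasons.append("host IPS not running")
    return reasons


def vlan_attributes(vlan):
    """The three attributes a Catalyst needs in an Access-Accept to set the VLAN."""
    return {TUNNEL_TYPE: TUNNEL_TYPE_VLAN,
            TUNNEL_MEDIUM_TYPE: TUNNEL_MEDIUM_IEEE_802,
            TUNNEL_PRIVATE_GROUP_ID: vlan}


def authorize(p, credential_ok):
    """Return (decision, reasons, radius_attrs); decision is
    'Access-Reject', 'Quarantine' or 'Accept'."""
    role = USER_ROLE.get(p.identity)
    if not credential_ok or role is None:
        return "Access-Reject", ["bad credentials or unknown user"], {}
    reasons = posture_failures(p)
    if reasons:                 # authenticated but unhealthy: isolate rather than reject
        return "Quarantine", reasons, vlan_attributes(QUARANTINE_VLAN)
    return "Accept", [], vlan_attributes(ROLE_VLAN[role])


if __name__ == "__main__":
    print(authorize(Posture("tryan", "symantec", "8.1.2", 4300, True), True))
    print(authorize(Posture("stu1", "trend", "6.0.0", 650, True), True))
```

The distinction the slide draws is kept in the return value: a failed credential is an Access-Reject with no attributes, while a valid user on a backlevel machine still gets an Access-Accept, only into the quarantine VLAN where remediation is reachable.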

Page 20

802.1x – Ratified by the IEEE, June 2001

• Open-standards-based protocol for authenticating network clients (or ports) on a user-ID basis, aka "port-level authentication"
• It splits the RADIUS-style access control model into three distinct roles: the Supplicant (the client), the Authenticator (the switch or access point) and the Authentication Server (typically a RADIUS server)
• IEEE 802.1X provides automated user identification, centralized authentication, key management, and provisioning of LAN connectivity. It even provides support for roaming access in public areas.

Page 21

802.1x + EAP (Extensible Authentication Protocol)

• 802.1x builds on an existing protocol, the Extensible Authentication Protocol (EAP, RFC 2284)
• EAP conducts the authentication process. It was originally defined as an authentication extension for the Point-to-Point Protocol (PPP); 802.1x reuses it on LAN links without PPP.
• EAP over LAN (EAPOL) is EAP encapsulated directly in 802 frames (EtherType 0x888E). This is how the Authenticator and Supplicant actually communicate during the authentication process; between the Authenticator and the Authentication Server the same EAP packets are carried inside RADIUS.
• EAP is compatible with Ethernet, Token Ring, 802.11, and other popular link layers.
• EAP supports many authentication methods such as Kerberos, public key, one-time passwords, etc., and it can utilize Transport Level Security (TLS) and Secure Remote Password (SRP).
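The framing described above, as an added example (not code from the deck or from Cisco): it builds and parses the EAPOL header and the EAP header it carries, walks the EAPOL-Start / Request-Identity / Response-Identity exchange between supplicant and authenticator, and models the controlled port that drops everything except EAPOL until authentication has succeeded. Field layouts are those of IEEE 802.1X-2001 and RFC 2284; the MAC addresses and identity are constructed.

```python
"""Build and parse IEEE 802.1X EAPOL frames and the EAP packets they carry,
then walk the Identity exchange and the controlled-port gate.
Field layouts follow IEEE 802.1X-2001 and RFC 2284; MACs are made up."""
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address

# EAPOL packet types
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
# EAP codes and the method types this example knows about
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_NAK, EAP_TYPE_MD5 = 1, 3, 4


def build_eap(code, ident, eap_type=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def build_eapol(packet_type, body=b"", version=1):
    """EAPOL PDU: Protocol-Version(1) Packet-Type(1) Body-Length(2) Body."""
    return struct.pack("!BBH", version, packet_type, len(body)) + body


def build_frame(src, dst, eapol):
    """Ethernet II frame carrying EAPOL (EtherType 0x888E)."""
    return dst + src + struct.pack("!H", EAPOL_ETHERTYPE) + eapol


def parse_frame(frame):
    """Decode one EAPOL frame into a dict; refuse anything malformed."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame")
    version, ptype, blen = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + blen]
    if len(body) != blen:                      # length field claims bytes we lack
        raise ValueError("EAPOL body truncated")
    pkt = {"src": src.hex(":"), "dst": dst.hex(":"),
           "version": version, "eapol_type": ptype}
    if ptype == EAPOL_EAP_PACKET:
        if blen < 4:
            raise ValueError("EAP header truncated")
        code, ident, length = struct.unpack("!BBH", body[:4])
        if length < 4 or length > blen:
            raise ValueError("EAP length inconsistent with EAPOL body")
        eap = {"code": code, "id": ident}
        if code in (EAP_REQUEST, EAP_RESPONSE):
            if length < 5:
                raise ValueError("Request/Response without a Type octet")
            eap["type"], eap["data"] = body[4], body[5:length]
        pkt["eap"] = eap
    return pkt


class ControlledPort:
    """Authenticator port state: until the PAE has seen EAP Success only EAPOL
    passes (the 'uncontrolled' port); every other frame from the supplicant
    is dropped by the 'controlled' port."""

    def __init__(self):
        self.authorized = False

    def forward(self, frame):
        """Return True if the switch would forward this frame."""
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype == EAPOL_ETHERTYPE:
            if parse_frame(frame)["eapol_type"] == EAPOL_LOGOFF:
                self.authorized = False        # supplicant left: close the port again
            return True
        return self.authorized


def identity_exchange(supplicant_mac, authenticator_mac, identity):
    """Build and decode EAPOL-Start, EAP Request/Identity and EAP Response/Identity.
    The Response/Identity is what the authenticator relays on to RADIUS."""
    frames = [
        build_frame(supplicant_mac, PAE_GROUP_ADDR, build_eapol(EAPOL_START)),
        build_frame(authenticator_mac, PAE_GROUP_ADDR,
                    build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))),
        build_frame(supplicant_mac, PAE_GROUP_ADDR,
                    build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity))),
    ]
    return [parse_frame(f) for f in frames]


if __name__ == "__main__":
    sup, auth = bytes.fromhex("000e00aaaaaa"), bytes.fromhex("000e00bbbbbb")   # constructed MACs
    for p in identity_exchange(sup, auth, b"tryan@example.com"):
        print(p)
```

Both EAPOL and EAP carry their own length field, and the parser checks each against the bytes actually present; a supplicant that cannot be trusted is exactly the peer whose frames must not be allowed to drive the authenticator's parser off the end of a buffer.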

Page 22

802.1x provides an architecture for many authentication types and link layers. Today EAP-TLS requires the use of digital certificates and a Certificate Authority. Windows XP, Windows 2000, Windows 9x and third-party clients support this. Future versions will allow for other authentication options.

Page 23

802.1x Open Benefits

• 802.1x was designed to be inexpensive to implement on existing network hardware, utilizing existing network-access infrastructure (RADIUS, LDAP, Active Directory, etc.).
• EAP-compatible RADIUS servers include, among others, Microsoft Windows 2000 Server (IAS), Cisco ACS, Funk RADIUS and Interlink Networks RADIUS Server. Other vendors that support 802.1x are AirWave, Compaq, Dell, IBM, Intel, Symbol, Toshiba, Telison and Wayport.
• The 802.1x protocol requires two distinct steps. First, the Supplicant is authenticated, and then it is authorized access privileges.
• Privileges are distributed in the form of attributes returned by the authentication server (for example the RADIUS Tunnel-Private-Group-ID attribute for a VLAN), which can be defined to include anything that may interest a security professional: VLAN IDs, rate limits, filters, tunnels, etc.

Page 24

Extensible Authentication Protocol: Some Common EAP Types

• EAP Cisco Wireless (LEAP): 802.1X EAP authentication type developed by Cisco to provide dynamic per-user, per-session WEP encryption keys.
• PEAP: 802.1X EAP authentication type that takes advantage of server-side EAP-TLS and supports a variety of different authentication methods, including logon passwords and one-time passwords (OTPs).
• EAP-TLS (Transport Layer Security): 802.1X EAP authentication algorithm based on the TLS protocol (RFC 2246). Uses mutual authentication based on X.509 certificates.
• EAP-Message Digest 5 (MD5): user-name-and-password method that answers a server challenge with an MD5 hash (the CHAP algorithm). It provides no mutual authentication and derives no keys, so it cannot protect a wireless link, and a sniffed challenge/response pair can be attacked offline with a dictionary.
• EAP-Generic Token Card (GTC): one of the defined EAP types in RFC 2284, allows OTP authentication.
• EAP-TTLS (Tunneled TLS): authentication from Funk Software.
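The EAP-MD5 exchange and its weakness, as an added example (not from the deck, not Cisco code): the server issues an MD5-Challenge, the supplicant answers with MD5(Identifier || password || challenge) exactly as RFC 2284 and CHAP (RFC 1994) specify, the server verifies it, and a passive observer who captured the same two packets tries candidate passwords against them offline. The user name, password, challenge bytes and word list are constructed.

```python
"""EAP-MD5 (MD5-Challenge, RFC 2284 section 3.4; CHAP, RFC 1994): response
computation, server verification, and the offline guess a sniffer can make.
User, password, challenge and word list below are constructed."""
import hashlib
import hmac
import os

EAP_TYPE_MD5 = 4


def md5_response(identifier, password, challenge):
    """Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def encode_md5_type_data(value, name=b""):
    """MD5-Challenge Type-Data: Value-Size(1) Value Name."""
    if not 0 < len(value) < 256:
        raise ValueError("Value-Size must fit in one octet")
    return bytes([len(value)]) + value + name


def decode_md5_type_data(data):
    """Return (value, name); reject a Value-Size that overruns the data."""
    if not data:
        raise ValueError("empty MD5-Challenge Type-Data")
    size = data[0]
    if 1 + size > len(data):
        raise ValueError("Value-Size exceeds Type-Data length")
    return data[1:1 + size], data[1 + size:]


class Md5Server:
    """Authentication server side: issue a challenge, verify the response."""

    def __init__(self, passwords, name=b"acs1"):
        self.passwords = passwords          # identity -> cleartext secret (EAP-MD5 needs it)
        self.name = name
        self.outstanding = {}               # identifier -> challenge not yet answered

    def challenge(self, identifier, rand=None):
        chal = rand if rand is not None else os.urandom(16)
        self.outstanding[identifier] = chal
        return encode_md5_type_data(chal, self.name)

    def verify(self, identity, identifier, type_data):
        chal = self.outstanding.pop(identifier, None)   # each challenge is usable once
        secret = self.passwords.get(identity)
        if chal is None or secret is None:
            return False
        value, _name = decode_md5_type_data(type_data)
        expected = md5_response(identifier, secret, chal)
        return hmac.compare_digest(value, expected)      # constant-time compare


def supplicant_answer(identifier, password, request_type_data, name=b"client"):
    """Supplicant side: pull the challenge out of the Request and answer it."""
    chal, _ = decode_md5_type_data(request_type_data)
    return encode_md5_type_data(md5_response(identifier, password, chal), name)


def offline_guess(identifier, challenge, response, wordlist):
    """What a sniffer on the wire can do: nothing in the exchange stops it from
    testing candidate passwords against the captured pair."""
    for candidate in wordlist:
        if md5_response(identifier, candidate, challenge) == response:
            return candidate
    return None


def demo():
    """One successful exchange for user 'tryan', then the password recovered
    from the captured Request/Response alone. Returns (verified, guessed)."""
    server = Md5Server({b"tryan": b"Winter2003"})
    ident = 7
    chal = bytes(range(16))                              # constructed, fixed for the demo
    req = server.challenge(ident, chal)
    resp = supplicant_answer(ident, b"Winter2003", req)
    ok = server.verify(b"tryan", ident, resp)
    captured_value, _ = decode_md5_type_data(resp)       # the eavesdropper's view
    guess = offline_guess(ident, chal, captured_value,
                          [b"password", b"Summer2003", b"Winter2003"])
    return ok, guess


if __name__ == "__main__":
    print(demo())
```

The server never learns who is on the other end beyond "someone who knows the password", and the client never learns anything about the server, which is why the method has no place on a wireless link where the challenge can be issued by whoever runs the access point.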

Page 25

802.1x EAP Authentication Choices

• LEAP
  802.1x framework, password-based authentication, uses MS-CHAP v1 challenge/response. Because that exchange runs without a protective tunnel, a captured challenge/response pair can be subjected to an offline dictionary attack, so LEAP is only as strong as the password policy behind it.
  Only advanced authentication solution supported on all major OSs (Windows, Mac, Linux, etc.)
  Cisco in the process of licensing LEAP to other key clients to move it from being "proprietary" to "widely-supported"
• PEAP with One-Time Passwords ("OTP")
  Protected EAP creates a PKI-based secure/encrypted TLS tunnel between the client and the RADIUS server (the AP or switch only relays the EAP packets), allowing for other types of client-side authentication inside the tunnel
  802.1x framework; the server authenticates with a certificate, the client is authenticated inside the tunnel
  PEAP supported by Cisco, Microsoft, & RSA; draft standard proposed to the IETF
  Creates an encrypted tunnel between client and RADIUS server, similar to a VPN
  PEAP supported in Cisco ACS Server software ver. 3.1
  One-Time Password ("OTP") is a Cisco enhancement to PEAP, similar to Softoken or OTP cards
  PEAP with OTP available from Cisco as a software upgrade on 802.1x-supported client OSs

Page 26

Cisco EAP (aka Cisco LEAP) + 802.1x Authentication Process

Participants: client (supplicant), Access Point (AP) / switch (authenticator), RADIUS authentication server. The AP blocks all requests until Cisco LEAP completes.

1. Client sends Start; AP replies with Request identity
2. Client sends its username; AP forwards the username to the RADIUS server
3. RADIUS server sends a challenge; client returns its response; RADIUS server authenticates the client
4. Client sends its own challenge; RADIUS server returns its response; client authenticates the RADIUS server (mutual authentication)
5. RADIUS server sends success and the session key to the AP; AP sends success and the key length to the client, which derives the same key
6. AP sends the client the broadcast key, encrypted with the session key

Page 27

EAP-PEAP: Walk-Through Example

Participants: client, AP, RADIUS server (holding a server certificate issued by a Certificate Authority) and the user store (LDAP / NDS / OTP). The authenticator blocks all requests until authentication completes.

Server side authentication:
1. Client sends Start; AP sends Request identity; client returns its identity
2. RADIUS server presents its server certificate; the client validates it against the Certificate Authority
3. Encrypted tunnel established between client and RADIUS server

Client side authentication:
4. EAP in EAP: the inner authentication (e.g. Generic Token Card) is passed inside the TLS application data and checked against LDAP / NDS / OTP
5. RADIUS server returns success and the key length; AP sends the client the broadcast key, encrypted with the session key

Page 28

Identity Based Networking: What can we do Today!

• Enhanced port-based access control
• Greater flexibility and mobility for a stratified user community
• Enhanced user productivity
• Added support for converged VoIP networks
• Centralized management with AAA server
• Wireless mobility with 802.1X and EAP authentication types

Catalyst switch portfolio:
• Basic 802.1X support
• 802.1X with VLANs
• 802.1X with port security
• 802.1X with VVID
• 802.1X guest VLANs
• 802.1X with ACLs

Page 29

Identity Based Network Services (IBNS): End-to-End Architecture

(Figure: Cisco Aironet, Catalyst 6500, Catalyst 4000/4500, Catalyst 3550/2950/3750 and Cisco ACS Server; this slide covers the Catalyst 6500)

• CatOS
  7.5.1: 802.1x w/ VLAN assignment, 802.1x w/ VVID, 802.1x w/ guest VLAN, 802.1x w/ port security
  7.6.1: 802.1x w/ DHCP
  7.7.1 (target): 802.1x w/ guest VLAN/port
  7.8/8.1 (target, Q4CY03): 802.1x with ACL/QoS
• IOS
  12.1(13)E: 802.1x w/ VLAN assignment
  1HCY04: 802.1x w/ VVID, 802.1x guest VLAN, 802.1x w/ port security, 802.1x with ACL/QoS

Page 30

Identity Based Network Services (IBNS): End-to-End Architecture (Catalyst 4000/4500)

• CatOS
  7.5.1: 802.1x w/ VLAN assignment
  8.1 (Q4CY03): 802.1x w/ VVID, 802.1x w/ guest VLAN, 802.1x w/ port security
• IOS
  12.1(19)EW (June '03): 802.1x w/ VLAN assignment, 802.1x guest VLAN
  Roadmapped: 802.1x w/ VVID, 802.1x w/ port security, 802.1x with ACL/QoS, 802.1x accounting

Page 31

Identity Based Network Services (IBNS): End-to-End Architecture (Catalyst 3550/2950/3750)

• 2950/2955
  12.1(12c)EA1: 802.1x w/ VLAN assignment, 802.1x w/ VVID, 802.1x w/ port security
  12.1(14)EA1: 802.1x guest VLAN
• 3550 (EMI/SMI)
  12.1(12c)EA1: 802.1x w/ VLAN assignment, 802.1x w/ VVID, 802.1x w/ port security
  12.1(14)EA1: 802.1x guest VLAN
• 3750 (Aug '03)
  802.1x w/ VLAN assignment, 802.1x w/ VVID, 802.1x guest VLAN, 802.1x w/ DHCP, 802.1x w/ ACL/QoS

Page 32

Identity Based Network Services (IBNS): End-to-End Architecture (Cisco ACS Server)

• Commercial RADIUS & TACACS+
• Scalable to 100K users / 8K devices
• 3.2 (available now): appliance, Microsoft PEAP, PEAP proxy, machine auth, EAP type negotiation, LDAP multithreading, EAP performance, Windows password
• 3.3 (available Q2 '04): 802.1X/IBNS complementary features with Catalyst/wireless; 802.1X Catalyst/IBNS enhancements (guest VLAN, accounting, CRL); EAP enhancements (LEAP, PEAP v2); user quarantine

Page 33

Identity Based Network Services (IBNS): End-to-End Architecture (Cisco Aironet)

• AP 350: 802.1x for AP LAN access not committed
• AP 1100: 802.1x for AP LAN access Q1CY04
• AP 1200: 802.1x for AP LAN access Q1CY04
• For wireless clients across these products:
  Multiple VLANs for employees, guests and application-specific devices
  Expanded 802.1X authentication support for: Cisco LEAP, EAP-TLS, EAP-TTLS, PEAP, EAP-SIM
  Expanded encryption support for 802.11i TKIP

Page 34

Latest LAN Security Threats Targeted by the Catalyst Integrated Security Features

• MAC address flooding attack (hacking tool: macof, part of the dsniff package)
  SYN floods with random source and destination MAC, random source and destination IP
  After the CAM table fills (32K entries), traffic flooding occurs
  Random IP addresses include multicast address space and will eventually cause the distribution layer to fail due to excessive processing of multicast routes
• DHCP rogue server attack (hacking tool: gobbler, or an actual rogue DHCP server)
  Man-in-the-middle attacks via forged DNS or IP default gateway
• DHCP starvation (hacking tool: gobbler)
  Depletion of the DHCP address space
• ARP spoofing or ARP poisoning attack (hacking tools: ettercap, dsniff, arpspoof)
  Menu-driven discovery of MAC-level topology with ARPs and DNS reverse name lookup
  Man-in-the-middle attacks with integrated packet capture and password sniffing

Page 35

Raising the Bar on Surveillance Attacks: MAC-Based Attacks

Problem: "script kiddie" hacking tools enable attackers to flood switch CAM tables with bogus MACs (132,000 bogus MACs in the example), turning the VLAN into a "hub" and eliminating privacy. The switch CAM table limit is a finite number of MAC addresses.

Solution: port security limits the MAC flooding attack, locks down the port and sends an SNMP trap. In the figure only 3 MAC addresses (00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, …) are allowed on the port; the flood triggers the violation action, here shutdown.

Page 36

Port Security: Cutting off MAC-Based Attacks

Solution: port security (port/interface commands)

CatOS
set port security 5/1 enable
set port security 5/1 port max 3
set port security 5/1 violation restrict
set port security 5/1 age 2
set port security 5/1 timer-type inactivity

IOS
switchport port-security
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity

• 3 MAC addresses to encompass the phone, the phone's internal switch and the PC
• "Restrict" rather than "error disable" to allow only 3 addresses and log (trap, syslog, violation counter) anything beyond 3 without taking the port, and the legitimate devices on it, down
• Aging time 2 (minutes) and aging type inactivity to allow for the phone's CDP interval of 1 min

If the violation mode is shutdown (error-disable) instead, the following log message is produced and the port stays down until it is recovered:
4w6d: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi3/2, putting Gi3/2 in err-disable state
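The behaviour the configuration above selects, as an added simulation (not Catalyst code, not from the deck): a port that learns at most `maximum` secure addresses, applies the protect / restrict / shutdown violation action to anything beyond them, and ages an address out after `aging_time` idle minutes. A macof-style flood is then replayed against it in restrict and in shutdown mode to show what each costs the legitimate phone and PC. MAC addresses, timings and the log message texts (modelled on the IOS `%PORT_SECURITY` and `%PM-4-ERR_DISABLE` messages) are constructed.

```python
"""Model of Catalyst port security: bounded MAC learning, the three
violation modes, inactivity aging, and a macof-style flood replayed
against the port. MACs and timings are constructed for the example."""


class SecurePort:
    VIOLATION_MODES = ("protect", "restrict", "shutdown")

    def __init__(self, maximum=3, violation="restrict", aging_time=2, aging_type="inactivity"):
        if violation not in self.VIOLATION_MODES:
            raise ValueError(violation)
        self.maximum, self.violation = maximum, violation
        self.aging_time, self.aging_type = aging_time, aging_type   # minutes; 0 disables aging
        self.secure = {}            # mac -> minute last seen (inactivity) or learned (absolute)
        self.errdisabled = False
        self.violations = 0
        self.traps = []             # SNMP trap / syslog lines the switch would emit

    def _age_out(self, now):
        """Forget secure addresses whose timer expired so the slot can be reused."""
        if self.aging_time == 0:
            return
        for mac in [m for m, t in self.secure.items() if now - t >= self.aging_time]:
            del self.secure[mac]

    def ingress(self, mac, now):
        """A frame with source `mac` arrives at minute `now`; True if forwarded."""
        if self.errdisabled:
            return False                                 # shutdown mode took the whole port down
        self._age_out(now)
        if mac in self.secure:
            if self.aging_type == "inactivity":          # absolute aging does not refresh the timer
                self.secure[mac] = now
            return True
        if len(self.secure) < self.maximum:
            self.secure[mac] = now                       # dynamically learned secure address
            return True
        # Over the limit: the violation action decides what happens.
        self.violations += 1
        if self.violation == "shutdown":
            self.errdisabled = True
            self.traps.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected "
                              f"(offending {mac}), putting port in err-disable state")
        elif self.violation == "restrict":
            self.traps.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: security violation "
                              f"by {mac}, violation count {self.violations}")
        # "protect" drops silently: no trap and nothing for an operator to notice
        return False


def macof_against(port, flood_size=1000):
    """Phone, phone switch and PC come up first, then a flood of bogus MACs.
    Returns (bogus frames forwarded, secure addresses left, port err-disabled)."""
    legit = ["00:0e:00:aa:aa:aa", "00:0e:00:bb:bb:bb", "00:0e:00:cc:cc:cc"]
    for m in legit:
        port.ingress(m, now=0)
    bogus = [f"de:ad:{i >> 8:02x}:{i & 0xff:02x}:00:01" for i in range(flood_size)]
    forwarded = sum(port.ingress(m, now=0) for m in bogus)
    return forwarded, sorted(port.secure), port.errdisabled


if __name__ == "__main__":
    for mode in SecurePort.VIOLATION_MODES:
        p = SecurePort(violation=mode)
        print(mode, macof_against(p), "violations:", p.violations, "traps:", len(p.traps))
```

In restrict mode the three real devices keep working through the whole flood and every bogus frame leaves a counter increment and a trap; in shutdown mode the first bogus frame silences the phone and the PC along with the attacker, which is the trade-off the slide's "restrict rather than error disable" bullet is making.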

Page 37

DHCP Attack Types: Starvation Attack (get the whole scope's addresses)

DHCP client (attacker) and DHCP server; each step is repeated once per address in the scope:
  DHCP Discover (broadcast) × (size of DHCP scope)
  DHCP Offer (unicast) × (size of DHCP scope)
  DHCP Request (broadcast) × (size of DHCP scope)
  DHCP Ack (unicast) × (size of DHCP scope)

Tool: Gobbler. Result: denial of service, since the pool is exhausted and legitimate clients cannot obtain a lease.

Page 38

DHCP Attack Types: Rogue Server (MiM or non-malicious)

DHCP client and DHCP server, with a rogue server on the same segment:
  DHCP Discover (broadcast)
  DHCP Offer (unicast) from the rogue
  DHCP Request (broadcast)
  DHCP Ack (unicast) from the rogue, possibly with a false DNS server or default gateway

Page 39

DHCP Snooping: Prevents Rogue Server and Limits DHCP DoS

(Figure: DHCP snooping enabled on the switch; the uplink toward the DHCP server is trusted, the client ports and the rogue server's port are untrusted)

• Prevents MiM and limits denial of service (DoS) attacks based on the DHCP protocol
  Malicious: user pretends to be the network DHCP server to reply with DNS or GW info and redirect traffic, OR user pretends to be multiple DHCP clients to starve the DHCP address pool
  Misconfiguration: user configures a router (DHCP server) incorrectly
• How it works: for DHCP packets originating from untrusted ports (client ports), DHCP snooping drops all DHCP OFFER, ACK, NAK, or nonzero-giaddr packets (server-originated packets). DHCP snooping forwards DHCP client requests from untrusted ports and builds a DHCP binding table (MAC, IP, VLAN, port, lease) from the server replies it sees.
  If the DHCP server is not local to the Catalyst switch, trust the uplink port
• DHCP snooping is not equivalent to Option 82 (DHCP interface tracker)

OK DHCP responses (offer, ack, nak) arrive from a trusted port; BAD DHCP responses (offer, ack, nak) arrive from an untrusted port and are dropped.

Page 40

Dynamic ARP Inspection

• A binding table containing IP-address and MAC-address associations is dynamically populated using DHCP snooping
• Can also use ARP ACLs to deny (and optionally log) all invalid IP/MAC binding attempts for non-DHCP-assigned IP addresses
• Private VLAN and routed port support coming
• Prevents attacks that use ARP with an IP/MAC pair not in the switch's binding table

(Figure: host 10.1.1.2 knows its GW is 10.1.1.1. An attacker on another port sends a gratuitous ARP "I'm your GW: 10.1.1.1" to overwrite the gateway entry in the end device's ARP table with the attacker's MAC. The switch answers "Not by my binding table" and drops the ARP.)

Page 41

IP Source Guard: Protection Against IP Spoofing

• Automatically loads port ACLs and optionally port security tables with information learned from DHCP requests
• Just like Dynamic ARP Inspection, but for the IP source address (works even when the attacking PC never ARPs for the spoofed source address)
• Switch learns the IP address and MAC address via DHCP
• Automatically configures a port ACL for the IP address and adds the MAC address to the port security list for the port (the DHCP server must support Option 82 for this to work if checking IP/MAC)
• Removes the ACL and MAC entry when the lease expires

(Figure: legitimate host 10.1.1.2 and gateway 10.1.1.1. An attacker on another port manually changes its IP address, or uses a program to create IP-spoofed traffic, and sends "I'm sourcing 10.1.1.2"; the switch answers "Not by my port ACL" and drops it.)
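One switch model that ties together the three features on pages 39 to 41, as an added example (not Catalyst code, not from the deck): DHCP snooping classifies DHCP messages by port trust, drops server and relay messages from untrusted ports, rate-limits client requests against the starvation attack of page 37 and builds the binding table from the ACKs it sees; Dynamic ARP Inspection and IP Source Guard then check ARP and IP packets on untrusted ports against that table. Port names, addresses, the rate limit and the packet sequence in `demo()` are constructed.

```python
"""DHCP snooping, Dynamic ARP Inspection and IP Source Guard sharing one
binding table. Ports, addresses and the packet sequence are constructed."""
from dataclasses import dataclass

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass
class Pkt:
    port: str
    kind: str                 # DHCP message name, "ARP" or "IP"
    src_mac: str
    chaddr: str = ""          # DHCP client hardware address
    yiaddr: str = ""          # address handed out in OFFER/ACK
    giaddr: str = "0.0.0.0"   # relay agent address; non-zero only via a relay
    sender_mac: str = ""      # ARP sender hardware address
    sender_ip: str = ""       # ARP sender protocol address
    src_ip: str = ""          # IP header source address


class Switch:
    def __init__(self, trusted_ports, dhcp_rate_limit=10):
        self.trusted = set(trusted_ports)
        self.rate_limit = dhcp_rate_limit      # DHCP packets/second allowed per untrusted port
        self.bindings = {}                     # chaddr -> (ip, port)
        self.pending = {}                      # chaddr -> port that sent the last client message
        self.dhcp_seen = {}                    # (port, second) -> count
        self.errdisabled = set()
        self.log = []

    def _drop(self, why, pkt):
        self.log.append(f"DROP {pkt.kind} on {pkt.port}: {why}")
        return False

    def dhcp(self, pkt, now=0):
        """DHCP snooping: filter by trust, rate-limit clients, learn bindings."""
        if pkt.port in self.errdisabled:
            return False
        if pkt.port not in self.trusted:
            if pkt.kind in SERVER_MSGS or pkt.giaddr != "0.0.0.0":
                return self._drop("server/relay message from untrusted port", pkt)
            if pkt.src_mac != pkt.chaddr:           # MAC-address verification
                return self._drop("chaddr does not match source MAC", pkt)
            key = (pkt.port, now)
            self.dhcp_seen[key] = self.dhcp_seen.get(key, 0) + 1
            if self.dhcp_seen[key] > self.rate_limit:   # starvation flood: err-disable the port
                self.errdisabled.add(pkt.port)
                return self._drop("DHCP rate limit exceeded, port err-disabled", pkt)
            self.pending[pkt.chaddr] = pkt.port
            return True
        # Trusted port (uplink to the real server): ACKs populate the binding table.
        if pkt.kind == "DHCPACK" and pkt.chaddr in self.pending:
            self.bindings[pkt.chaddr] = (pkt.yiaddr, self.pending.pop(pkt.chaddr))
        return True

    def arp(self, pkt):
        """Dynamic ARP Inspection: sender IP/MAC must be bound to this port."""
        if pkt.port in self.trusted:
            return True
        if self.bindings.get(pkt.sender_mac) != (pkt.sender_ip, pkt.port):
            return self._drop("sender IP/MAC not in binding table for this port", pkt)
        return True

    def ip(self, pkt):
        """IP Source Guard: source IP/MAC must match the port's learned binding."""
        if pkt.port in self.trusted:
            return True
        if self.bindings.get(pkt.src_mac) != (pkt.src_ip, pkt.port):
            return self._drop("source IP/MAC not permitted by port ACL", pkt)
        return True


def demo():
    """Replay the rogue server, gateway ARP, IP spoof and starvation scenarios."""
    sw = Switch(trusted_ports={"Gi1/1"})      # Gi1/1 is the uplink toward the DHCP server
    client, rogue, attacker = "00:0e:00:aa:aa:aa", "00:0e:00:bb:bb:bb", "00:0e:00:cc:cc:cc"
    r = {}
    r["discover"] = sw.dhcp(Pkt("Fa0/1", "DHCPDISCOVER", client, chaddr=client))
    r["rogue_offer"] = sw.dhcp(Pkt("Fa0/2", "DHCPOFFER", rogue, chaddr=client, yiaddr="10.1.1.2"))
    r["real_ack"] = sw.dhcp(Pkt("Gi1/1", "DHCPACK", "00:0e:00:ff:ff:ff", chaddr=client, yiaddr="10.1.1.2"))
    r["binding"] = sw.bindings.get(client)
    r["gratuitous_gw"] = sw.arp(Pkt("Fa0/3", "ARP", attacker, sender_mac=attacker, sender_ip="10.1.1.1"))
    r["legit_arp"] = sw.arp(Pkt("Fa0/1", "ARP", client, sender_mac=client, sender_ip="10.1.1.2"))
    r["spoofed_ip"] = sw.ip(Pkt("Fa0/3", "IP", attacker, src_ip="10.1.1.2"))
    r["legit_ip"] = sw.ip(Pkt("Fa0/1", "IP", client, src_ip="10.1.1.2"))
    flood = [sw.dhcp(Pkt("Fa0/4", "DHCPDISCOVER", f"02:00:00:00:00:{i:02x}",
                         chaddr=f"02:00:00:00:00:{i:02x}"), now=5) for i in range(50)]
    r["flood_forwarded"] = sum(flood)
    r["flood_port_down"] = "Fa0/4" in sw.errdisabled
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {v}")
```

The order matters: the rogue OFFER never reaches the client because trust, not content, decides the verdict, and the binding that later lets DAI and IP Source Guard reject the attacker on Fa0/3 exists only because the real ACK came in on the trusted uplink for a request the switch had seen on Fa0/1.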
