Network Access Control MSIT 458 – The Chinchillas

MSIT 458 – The Chinchillas. Agenda Introduction of Problem Pros and Cons of Existing Security Systems Possible Solutions Recommended Solution Solution


Network Access Control

MSIT 458 – The Chinchillas


Agenda

• Introduction of Problem
• Pros and Cons of Existing Security Systems
• Possible Solutions
• Recommended Solution
• Solution Implementation
• Final Recommendation


Introduction of Problem


The Problem

Viruses, worms, and botnets are often spread by unknowing victims. These victims may be your own network users.

How can the network be protected from your own users?

Page 5: MSIT 458 – The Chinchillas. Agenda Introduction of Problem Pros and Cons of Existing Security Systems Possible Solutions Recommended Solution Solution

The Problem


Pros and Cons of Existing Security Systems


Endpoint Security

Current deployment: Symantec anti-virus deployed to individual workstations and servers in the data center; Cisco personal firewall software installed on laptops with remote access enabled.

Pros
• Centrally managed anti-virus can identify workstations without updated virus definitions.
• Local firewall policy enforcement cannot be disabled by end users.

Cons
• Anti-virus software slows machine performance to the point where users disable automatic updates and stop scans.
• There is no way to prevent users from altering the anti-virus software.
• Only users with VPN access have the protection provided by local firewall policy enforcement.
• There is no anti-spyware or host intrusion prevention solution deployed.


Identity

Four distinct user directories:

Authentication
• Access request forms required for creation of user accounts in each directory
• Written password policy requires strong passwords and password expiration; maintained/enforced separately in each directory

Authorization
• Authorization policies maintained in each directory by local administrators
• Manual process for account termination; user access must be removed from each directory

Accounting
• Weekly directory access reviews compared against termination reports

Pros
• Reduced risk when an account in one directory is compromised

Cons
• Policies cannot be maintained or enforced centrally
• Lots of passwords to keep track of → “loose” password management
• Maintenance and SOX compliance nightmare


Network Security

Port-based 802.1Q virtual local area networks (VLANs) for network and user segregation

Pros
• Separate broadcast domains for trusted internal users and untrusted guest users; the two groups are unable to communicate directly
• Trusted internal PCs cannot contract viruses from untrusted guest PCs
• Untrusted guest users are unable to access private internal servers
• Use of VLAN Trunking Protocol eases VLAN management

Cons
• No measure to prevent untrusted guests from connecting to private ports
• Misconfiguration of a port will provide trusted network access
• Use of separate subnets leads to inefficient use of IP address space
• Switches may be vulnerable to attacks related to MAC flooding, tagging, multicast brute force, etc.


Gap Analysis in Current Solution

• Policies for endpoint security are not enforceable
• Users are not authenticated before access to the network. Identification is instead performed by the application
• Several entry points: wireless, wired and VPN
• Different types of users: full-time employees, vendors, partners and guests
• VLAN assignment is not dictated by identity or security posture


Possible Solutions


Improve Endpoint Security

• Deploy a comprehensive endpoint solution that includes anti-virus, anti-spyware, and host intrusion prevention capabilities

• Define and enforce policies that do not allow end users to disable these protections

• Deploy personal firewall software to all computers, not only VPN enabled systems

• Design an employee education campaign stressing the importance of maintaining up to date security software definitions


Improve Identity

Identity Based Authentication (diagram): users authenticate with 802.1X against an integrated identity store before reaching the corporate network. Valid credentials: the authorized user is admitted to the corporate network and corporate resources. Invalid or no credentials (e.g., an unauthorized external wireless user): no access.


Improve Network Security

Virtual Private Networks
• Provided by vendors such as Cisco and F5
• Ensures confidentiality and integrity, but only for point-to-point connections

Intrusion Detection and Prevention Systems
• Provided by vendors such as Sourcefire, 3Com, and IBM
• Able to use both predefined (and regularly updated) signatures and statistics to detect and prevent attacks
• May cost tens of thousands of dollars per Gbps of inspection with no guaranteed return

Firewalls
• Provided by vendors such as Check Point, Juniper Networks, etc.
• Control what hosts can access on other networks by port, protocol, or IP address
• Unless installed on every PC, not useful between hosts on internal LANs

MANAGEMENT NIGHTMARE!


Comprehensive Solution

THE GOAL (diagram of the NAC admission flow; components: NAC Server, NAC Manager, Authentication Server, Quarantine role, Intranet/Network)

1. End user attempts to access network. Initial access is blocked; the user authenticates by single-sign-on or web login.
2. NAC Server gathers and assesses user/device information: username and password; device configuration and vulnerabilities.
3a. Noncompliant device or incorrect login: access denied; device is placed in quarantine for remediation.
3b. Device is compliant: device is placed on the “certified devices list” and network access is granted.
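The admission flow above, modelled as an added example (not code from the slides or from any NAC product): a constructed NAC server that checks the login, evaluates the reported device posture against an illustrative policy (definition age, firewall state, anti-spyware presence), assigns the quarantine role to noncompliant devices and maintains the certified devices list. The credential store, thresholds, role names and sample devices are all constructed.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Posture:
    """Posture report a NAC agent gathers from the endpoint (fields are illustrative)."""
    av_definitions_date: date
    firewall_enabled: bool
    antispyware_installed: bool

@dataclass
class NacServer:
    credentials: dict                 # constructed stand-in for the authentication server
    max_definition_age_days: int = 7  # illustrative compliance threshold
    certified_devices: set = field(default_factory=set)

    def posture_failures(self, posture, today):
        """Compare the reported posture against the compliance policy."""
        failures = []
        if (today - posture.av_definitions_date).days > self.max_definition_age_days:
            failures.append("stale-av-definitions")
        if not posture.firewall_enabled:
            failures.append("firewall-disabled")
        if not posture.antispyware_installed:
            failures.append("no-antispyware")
        return failures

    def admit(self, user, password, device_id, posture, today):
        """Steps 1-3 of the flow: returns (decision, network role, reasons)."""
        if self.credentials.get(user) != password:      # step 2: login check fails
            return ("deny", "no-access", ["invalid-credentials"])
        failures = self.posture_failures(posture, today)
        if failures:                                    # step 3a: quarantine role
            self.certified_devices.discard(device_id)
            return ("quarantine", "quarantine-vlan", failures)
        self.certified_devices.add(device_id)           # step 3b: certified list
        return ("allow", "intranet", [])

def sample_run():
    """Constructed sample: one user, one device, three access attempts."""
    today = date(2024, 1, 15)
    nac = NacServer(credentials={"alice": "s3cret"})
    healthy = Posture(date(2024, 1, 14), True, True)
    stale = Posture(date(2023, 12, 1), False, True)
    attempts = [nac.admit("alice", "wrong", "pc-1", healthy, today),
                nac.admit("alice", "s3cret", "pc-1", healthy, today),
                nac.admit("alice", "s3cret", "pc-1", stale, today)]
    return attempts, sorted(nac.certified_devices)
```

The third attempt shows the re-check a NAC server performs on every connection: a device that was certified earlier drops back to quarantine as soon as its posture lapses.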


Recommended Solution


Industry Analyst Viewpoint on NAC Vendors

Image Source: Gartner


NAC Vendor Comparison

Feature                    | Cisco NAC    | Juniper UAC      | Microsoft NAP
User/Device Authentication | ✔            | ✔                | ✔
Device Posture             | ✔            | ✔                | ✔
Remediation                | Full support | Limited          | Very Limited
Full OS Support            | MS, Mac OSX  | Only MS          | Only MS
Guest Access Portal        | Full support | No temporary IDs | No support

Feature                    | Microsoft NAP      | Juniper UAC                    | Cisco NAC
Device Posture Assessment  | Full support       | Full support                   | Full support
User/Device Authentication | Requires MS RADIUS | Requires group mapping support | Integrates w/ current infrastructure
Remediation                | Very Limited       | Full support                   | Full support
Full OS Support            | Only MS            | MS, Mac OSX                    | MS, Mac OSX
Guest Access Portal        | Requires 3rd party | No temporary logins            | Full support
Asset Management           | None               | Manual                         | Automated


Solution Implementation


Total Cost of Ownership

Number of users supported: Up to 10,000, including guests

Initial Hardware/Software Cost = $125,000
Implementation Cost = $25,000
Maintenance Cost = $72,000 per year
Power & Cooling Cost = $3,000 per year

TCO = $150,000 + $75,000 per year = $225,000 initial year cost
TCO ≈ $500,000 after 5 years


ROI Information


• Fewer infections result in fewer incidents and help desk calls

Activity                                       | Man Hours | Cost/hour
Identifying and locating non-compliant machine | .66       | $75/hr
Bringing non-compliant machine into compliance | 1         | $75/hr

Potential cost savings per non-compliant user: $125

• The break-even point is 4,000 incidents over 5 years (the five-year TCO of ≈ $500,000 divided by the $125 saved per incident).


Potential Loss by Industry

Industry               | Revenue/Employee Hour
Energy                 | $569.20
Manufacturing          | $134.20
Retail                 | $244.37
Banking                | $130.52
Media                  | $119.74
Total Industry Average | $205.55

Source: http://www.competitivereviews.com/metasecurity.pdf


Feasibility Analysis

• Already a Cisco network, so NAC would simply be an add-on to the current network
• Entry points can easily be identified
• Anti-virus and other end-point protections already deployed to users
• Non-compliance problems currently occur at a rate of 6 per day, indicating a positive ROI on a potential NAC investment


Final Recommendation

We conclude that a comprehensive NAC system such as Cisco’s Network Admission Control would be a better investment than piecemeal improvements to the company’s current network security systems.


Questions?
