USP Network Authentication System™

Technical Whitepaper, Version 2.9

Copyright © 2014 United Security Providers


Content

Executive Summary

The Solution

Technical Data Sheet

Contact

United Security Providers

Stauffacherstrasse 65/15

3014 Bern

Switzerland

Phone: +41 31 959 02 02

Fax: +41 31 959 02 59

[email protected]

www.network-access-control.ch

www.united-security-providers.ch


Executive Summary

Securing network access is an ever-increasing challenge for companies. Especially in large, widely linked networks, conventional means are no longer sufficient to control the devices accessing the network.

The resulting danger is obvious: due to the lack of control, visitors such as external consultants easily gain access to confidential data, and contaminated devices spread viruses, worms and other malware almost unhindered. The use of private devices increases hardware diversity, and therefore the error-proneness and the costs of the entire infrastructure.

The USP Network Authentication System™ (NAS) identifies and verifies all devices connected to the company's network and regulates their access by restricting them to the resources they are authorised for. Unauthorised access to the network is thus reliably eliminated.

Depending on the defined policy, the system can react to an access violation by an unauthorised device in different ways, for example by transferring the device into a quarantine zone, blocking the access or triggering alarms.

The use of NAS offers the following benefits:

• Access and integrity of devices can be verified and managed.

• The network access policy is defined by a set of rules which can be easily and flexibly adapted to individual needs.

• Up-to-date information at any moment on the active devices within the network (location, connection, IP address etc.).

• Simple and intuitive configuration of the policy. A reliable guest network service throughout the organisation can be set up with only a few clicks, for instance.

• Information identified by the system can be used to improve the quality of the inventory database, to enforce a central purchasing policy or to support internal cost allocation.

• Endpoint compliance can be established.

• The solution is agentless and functions in all network topologies; it is not limited to network components (switches, routers) of particular manufacturers.

• The solution supports the IEEE 802.1X standard.

• The solution can be put into operation within hours and delivers valuable information from the very first day thanks to the integrated reporting features.

In brief: network access security; verification and management of device access; immediate and complete overview of the network and the deployed devices.


The Solution

Overview

The USP Network Authentication System™ is a central, out-of-band Network Access Control (NAC) solution that enforces access control on the basis of rule-based policies, independently of the network vendor and without the need for an endpoint agent. The stable and field-proven solution also provides a role-based web GUI in several languages, comprehensive integrated reporting and connections to inventory systems.

The USP Network Authentication System™ fully supports the leading network vendors such as Cisco, Nortel, 3COM, Enterasys and HP. Because the system works without an agent, endpoints do not have to meet any special requirements.

The solution is available as a hardware appliance, as a virtual appliance (ESX) or as a software solution. The hardware appliance is based on a standard rack server architecture with redundant hard disks and redundant power supplies; since these parts can be swapped at runtime, the architecture supports robust operation. The appliance is highly scalable: larger customers monitor more than 50,000 endpoints and over 3,000 switches with a standard-sized hardware appliance.

Optionally the appliance can be operated in a redundant high-availability setup.

Standard interfaces for monitoring the appliance externally (SNMP, Syslog, SMTP) and integrated functions for monitoring, automated backups, restores and periodic software updates allow easy integration into existing infrastructures and simplify daily operation.

NAS ensures that access to your network is monitored and protected. It prevents unknown endpoints from gaining access to your network infrastructure, and customers benefit from continuously updated overviews of connected and authorised devices.

NAS can easily be deployed and integrated into existing infrastructures and secures enterprise and medium-sized networks quickly and reliably.

Controlled access to your network

The USP Network Authentication System™ (NAS) by United Security Providers does not only prevent unauthorised access to the corporate network; it can do much more.

Only known and authenticated devices are admitted to the productive network. Unknown devices, or devices that could not be authenticated successfully (through 802.1X / EAP), are blocked immediately. Depending on the configuration, lock-out is done either by port shutdown or by assigning a quarantine VLAN. Temporarily authorised devices (e.g. those of external staff) and guest devices are treated individually and optionally moved to a separate guest VLAN. The VLANs for production, quarantine and guests can be configured either globally or locally on a per-switch basis. Additionally it is possible to create specific production VLANs for certain devices. Idle ports can be assigned a default VLAN. A device can also be locked out by locking the access port itself.

Picture 1: How NAS works
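When the decision is "move this 802.1X port to VLAN X", it reaches the switch as RADIUS tunnel attributes in the Access-Accept, the IEEE 802.1X RADIUS usage (RFC 3580) listed in the data sheet. The Python below is an added example written for this page, not code from USP or the NAS product: it encodes the three attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN id or name) as an authentication server sends them, and decodes them as a switch would, treating a partial or inconsistent set as "no assignment". The VLAN values and the tag are constructed for illustration.

```python
"""RFC 3580 dynamic VLAN assignment attributes for a RADIUS Access-Accept
(added example, not USP product code)."""
from typing import Dict, Optional

# RADIUS attribute types (RFC 2868) and the values RFC 3580 prescribes for VLAN assignment
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header octets (RFC 2865 section 5)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 octets")
    return bytes([attr_type, 2 + len(value)]) + value


def vlan_attributes(vlan: str, tag: int = 1) -> bytes:
    """The three attributes a NAC/RADIUS server returns to place the port in `vlan`
    (a VLAN id such as "120"; many switches also accept a VLAN name)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0x00..0x1F")
    if vlan.isdigit() and not 1 <= int(vlan) <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    tagged = bytes([tag])
    return (_avp(TUNNEL_TYPE, tagged + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, tagged + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, tagged + vlan.encode("ascii")))


def decode_vlan(attrs: bytes) -> Optional[str]:
    """Switch-side view: return the VLAN only if all three attributes are present and
    consistent for the same tag; anything else is treated as no VLAN assignment."""
    tunnel_type: Dict[int, int] = {}
    medium: Dict[int, int] = {}
    group: Dict[int, str] = {}
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 3 or pos + length > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + length]
        pos += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:                      # tag octet + 24-bit integer
                raise ValueError("tunnel integer attribute must be 4 octets")
            target = tunnel_type if attr_type == TUNNEL_TYPE else medium
            target[value[0]] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading octet above 0x1F is string data, not a tag
            if value[0] > 0x1F:
                tag, text = 0, value
            else:
                tag, text = value[0], value[1:]
            group[tag] = text.decode("ascii", "replace")
    for tag, text in group.items():
        if tunnel_type.get(tag) == TUNNEL_TYPE_VLAN and medium.get(tag) == TUNNEL_MEDIUM_IEEE_802:
            return text
    return None
```

The strict tag matching in decode_vlan is a deliberate choice; many switches are more lenient about the tag. Port shutdown, the other lock-out method above, is not a RADIUS function: an out-of-band NAC typically performs it by setting ifAdminStatus over SNMP.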

Device authentication

Endpoint authentication is done either via IEEE 802.1X or via MAC addresses; both methods can be combined flexibly.

• 802.1X: devices obtain access to the network via IEEE 802.1X; authentication is normally done with digital certificates (EAP-TLS).

• MAC authentication: as an alternative to 802.1X, devices can also be identified by their MAC address. All authorised MAC addresses are listed in the central NAS database, and a device with a registered MAC address can be connected to any port within the network.

• Hybrid mode: 802.1X and MAC authentication (as base protection) can be combined flexibly to protect ports. It is also possible to introduce 802.1X step by step, in certain parts of the network only.

• 802.1X port with MAC bypass: an optional mode to support devices that are not 802.1X capable. If NAS recognises that a device does not initiate an 802.1X / EAP exchange within a specified time interval, the access decision is based on MAC authentication instead.

The possibility of running MAC and 802.1X authentication in hybrid mode at the same time is a distinguishing feature of the solution. It gives great flexibility in deploying 802.1X and allows the standard to be introduced gradually. The vendor-independent MAC bypass mechanism furthermore allows legacy devices to be connected via 802.1X ports.

A MAC address identifies only the address a device presents, not the device itself, and it can be changed on most operating systems; MAC authentication is therefore the base protection it is described as above, not a substitute for certificate-based 802.1X.

Regardless of the mechanism used, all information about newly connected devices is fed into the NAS database. This ensures that up-to-date information on the active devices within the network is available at any time.
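The four modes above combine into one decision per port. The Python below is an added example, not code from USP or the NAS product, that models that decision: MAC addresses are normalised before lookup because switches and inventory exports report them in different notations, a failed EAP exchange blocks without falling through to MAC bypass, and the bypass interval only applies on ports configured for it. The registry contents, the 30-second interval and the mode names are assumptions made for the example.

```python
"""Hybrid 802.1X / MAC-bypass access decision (added example, not USP product code)."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample of the authorised-MAC list a NAS database would hold. The entries
# deliberately use the notations different switch vendors and inventory exports produce,
# which is why every lookup goes through normalise_mac().
AUTHORISED_MACS_RAW = ["00:11:22:33:44:55", "0011.2233.4466", "00-11-22-33-44-77"]

# Assumed bypass interval: how long an 802.1X port with MAC bypass waits for an EAPOL
# exchange before the decision is based on MAC authentication instead.
MAC_BYPASS_TIMEOUT_S = 30.0

PORT_MODES = ("dot1x", "mac", "hybrid")   # 802.1X only / MAC only / 802.1X with MAC bypass


def normalise_mac(mac: str) -> str:
    """Canonical lower-case colon notation; rejects anything not exactly 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


AUTHORISED_MACS = frozenset(normalise_mac(m) for m in AUTHORISED_MACS_RAW)


@dataclass(frozen=True)
class PortState:
    mode: str                   # one of PORT_MODES
    mac: str                    # source address seen on the port
    eap_result: Optional[str]   # "success", "failure", or None when no EAPOL exchange was seen
    seconds_since_link_up: float


def decide(port: PortState) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is "admit", "wait" or "block"."""
    if port.mode not in PORT_MODES:
        raise ValueError(f"unknown port mode {port.mode!r}")
    mac = normalise_mac(port.mac)
    if port.mode in ("dot1x", "hybrid"):
        if port.eap_result == "success":
            return "admit", "802.1X/EAP authentication succeeded"
        if port.eap_result == "failure":
            # A failed EAP exchange is blocked immediately and never falls through to
            # MAC bypass; otherwise a device whose certificate was revoked could still
            # get in by presenting a registered address.
            return "block", "802.1X/EAP authentication failed"
        if port.seconds_since_link_up < MAC_BYPASS_TIMEOUT_S:
            return "wait", "no EAPOL seen yet, bypass interval still running"
        if port.mode == "dot1x":
            return "block", "no EAPOL within the interval and MAC bypass is not enabled on this port"
        # hybrid port and the interval has elapsed: decide by MAC address
    if mac in AUTHORISED_MACS:
        return "admit", "MAC authentication: address is registered"
    return "block", "MAC authentication: address is not registered"
```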

Device overview

NAS uses several information sources to build a complete picture of the devices within the network:

• SNMP traps from network devices, to learn as early as possible about changes in device status (connection and disconnection of devices).

• Regular scans of switches and routers via SNMP to obtain the MAC address, the switch port and the IP address in use.

• Regular imports from DNS via zone transfer, to provide IP addresses with a matching DNS name.

• Interpretation of the information from the 802.1X authentication dialogue, combined with the data from the SNMP scan.

All information is bundled in the NAS database and used for policy decisions as well as for reporting.
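The second source above, the SNMP scan of switches, is in practice a walk of the BRIDGE-MIB forwarding database joined to IF-MIB. The Python below is an added example, not USP code, that parses `snmpwalk -On` style output, constructed here for one switch, into a MAC / VLAN / port table: the MAC is encoded as six decimal octets in the OID index, the forwarding table yields a bridge port number that still has to be mapped to an ifIndex and interface name, and the switch's own addresses must be dropped so they do not appear as endpoints. The OIDs are the standard ones; the interface names and addresses are constructed.

```python
"""MAC-to-port table from an SNMP walk of BRIDGE-MIB / Q-BRIDGE-MIB
(added example, not USP product code)."""
import re
from typing import Dict, Iterator, List, NamedTuple, Optional, Tuple, Union

# Numeric OID prefixes as `snmpwalk -On` prints them.
DOT1D_TP_FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"        # BRIDGE-MIB: MAC -> bridge port number
DOT1D_TP_FDB_STATUS = "1.3.6.1.2.1.17.4.3.1.3"      # BRIDGE-MIB: 3 = learned, 4 = self (switch's own address)
DOT1Q_TP_FDB_PORT = "1.3.6.1.2.1.17.7.1.2.2.1.2"    # Q-BRIDGE-MIB: (FDB id, MAC) -> bridge port number
DOT1D_BASE_PORT_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2"  # BRIDGE-MIB: bridge port number -> ifIndex
IF_DESCR = "1.3.6.1.2.1.2.2.1.2"                    # IF-MIB: ifIndex -> interface name

# Constructed walk output for one switch: two learned end points plus the switch's own
# address (bridge port 0, status "self"), which must not become an end point.
SAMPLE_WALK = """\
.1.3.6.1.2.1.2.2.1.2.10103 = STRING: GigabitEthernet1/0/3
.1.3.6.1.2.1.2.2.1.2.10107 = STRING: GigabitEthernet1/0/7
.1.3.6.1.2.1.17.1.4.1.2.3 = INTEGER: 10103
.1.3.6.1.2.1.17.1.4.1.2.7 = INTEGER: 10107
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.0.170.187.204.221.238 = INTEGER: 0
.1.3.6.1.2.1.17.4.3.1.3.0.17.34.51.68.85 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.3.0.170.187.204.221.238 = INTEGER: 4
.1.3.6.1.2.1.17.7.1.2.2.1.2.120.222.173.190.239.0.1 = INTEGER: 7
"""

Value = Union[int, str]
_LINE = re.compile(r"^\.?([0-9.]+)\s*=\s*([A-Za-z0-9-]+):\s*(.*)$")
_INT_TYPES = {"INTEGER", "Gauge32", "Counter32", "Unsigned32"}


def parse_walk(text: str) -> Dict[str, Value]:
    """Map numeric OID -> value; integer types are converted, strings keep their text."""
    walk: Dict[str, Value] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue                      # blank line or continuation of a multi-line string
        oid, typ, raw = m.groups()
        if typ in _INT_TYPES:
            num = re.search(r"-?\d+", raw)   # "3" as well as "learned(3)" when MIBs are loaded
            walk[oid] = int(num.group()) if num else raw
        else:
            walk[oid] = raw.strip('"')
    return walk


def _rows(walk: Dict[str, Value], prefix: str) -> Iterator[Tuple[List[str], Value]]:
    """Yield (index parts, value) for every OID under one table column."""
    for oid, value in walk.items():
        if oid.startswith(prefix + "."):
            yield oid[len(prefix) + 1:].split("."), value


def _mac_from_index(parts: List[str]) -> str:
    """The FDB tables index by MAC as six decimal octets appended to the column OID."""
    octets = [int(p) for p in parts]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad MAC index: {'.'.join(parts)}")
    return ":".join(f"{o:02x}" for o in octets)


class FdbEntry(NamedTuple):
    mac: str
    vlan: Optional[int]        # FDB id from Q-BRIDGE-MIB (on most switches the VLAN id); None for BRIDGE-MIB rows
    bridge_port: int
    if_index: Optional[int]
    if_name: Optional[str]


def fdb_table(walk: Dict[str, Value]) -> List[FdbEntry]:
    """Join the FDB, the bridge-port-to-ifIndex map and ifDescr into one location table."""
    port_ifindex = {int(i[0]): v for i, v in _rows(walk, DOT1D_BASE_PORT_IFINDEX)}
    if_names = {int(i[0]): v for i, v in _rows(walk, IF_DESCR)}
    status = {_mac_from_index(i): v for i, v in _rows(walk, DOT1D_TP_FDB_STATUS)}
    entries: List[FdbEntry] = []
    for column, has_vlan in ((DOT1D_TP_FDB_PORT, False), (DOT1Q_TP_FDB_PORT, True)):
        for index, port in _rows(walk, column):
            vlan = int(index[0]) if has_vlan else None
            mac = _mac_from_index(index[1:] if has_vlan else index)
            if port == 0 or status.get(mac) == 4:
                continue                  # the bridge itself, not a connected device
            if_index = port_ifindex.get(int(port))
            entries.append(FdbEntry(mac, vlan, int(port), if_index, if_names.get(if_index)))
    return sorted(entries, key=lambda e: (e.mac, e.vlan or 0))
```

On Cisco switches the BRIDGE-MIB forwarding table is kept per VLAN and is reached with community string indexing (community@vlan) unless Q-BRIDGE-MIB is available, which is why the data sheet lists Q-BRIDGE-MIB or vendor-specific MIBs for VLAN information.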

Policy decisions

The endpoint information collected for a device is evaluated by a flexible, definable set of rules to decide whether the device is allowed to communicate over the local network or not.

If a device does not have the desired status or only partially fulfils the defined rules, different measures can be taken:

• Moving the switch port to another VLAN (e.g. one of several productive VLANs, a quarantine VLAN or a guest VLAN)

• Automatic blocking of switch ports, or disabling the port in the case of 802.1X ports

• Semi-automatic blocking of switch ports (only after confirmation by a network operator)

• MAC bypass on an 802.1X port

• Logging of non-compliant devices, which can then be analysed through reports

• Alarm dispatch via SNMP, Syslog or e-mail when non-compliant devices access the network

The NAS rule set allows these measures to be applied selectively, depending on the type of device, its location within the network or its tenant affiliation.

Rules can be defined for network areas, switches or any group of individual access ports and refine each other. This allows corporate policies to be established easily and refined wherever necessary.

The rule editor and the policy manager are two efficient and well-arranged tools that allow the user to manage the rule set easily and intuitively in the web GUI.

Picture 2: Rules editor and policy manager

Dynamic VLAN Management

Dynamic VLAN management allows very flexible handling of network access when devices connect to the network. Depending on several criteria, devices and endpoints are moved to the desired VLAN zone:

Location-specific access:

A large variety of VLANs can be configured for different parts of the network, ranging from lock-out, quarantine and guest VLANs to productive VLANs. Network parts can be defined and adjusted at fine granularity (down to individual ports if necessary).

Device-specific access:

Access for certain device types can be orchestrated specifically. For example, printers or other hardware can be placed in designated VLANs separated from the productive VLANs used by typical end-user devices (laptops, other mobile clients or workstations). If necessary, each individual device can be assigned a different VLAN.

Tenant-specific access:

Incorporating tenant information (of endpoints and network parts) provides a variety of access rule possibilities for designated or foreign networks. This enables employees on business trips to gain restricted access at branch offices: endpoints are moved to their designated network, for example their home VLAN (the corresponding productive VLAN) within their own tenant's network, and to the guest VLAN in foreign network segments.
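The measures, the scoping of rules by network area, switch or port, and the tenant-dependent VLAN assignment described under Policy decisions and Dynamic VLAN Management above fit one evaluation model: the narrowest scope with a matching rule wins, and within a scope the first match wins. The Python below is an added example, not USP code, of that model, including an impact analysis that lists which connected devices would be treated differently by a changed rule set before it is applied. Rule contents, switch and tenant names and the device snapshot are constructed for illustration.

```python
"""Scope-refined access rules with tenant awareness and an impact analysis
(added example, not USP product code)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Endpoint:
    mac: str
    device_type: str          # "laptop", "printer", ...; "unknown" if not registered
    tenant: Optional[str]     # owning tenant from the NAS database; None if unregistered
    auth: str                 # "dot1x", "mac", "failed" or "none" (no successful authentication)


@dataclass(frozen=True)
class Location:
    switch: str
    port: str
    tenant: str               # tenant that owns this network part


@dataclass(frozen=True)
class Rule:
    scope: Tuple[str, ...]    # ("global",), ("switch", name) or ("port", switch, port)
    when: Callable[[Endpoint, Location], bool]
    action: str               # "vlan:<name>", "shutdown" or "confirm_shutdown" (semi-automatic)


# Constructed rule set. Within one scope the first matching rule wins; a matching rule
# in a narrower scope (port, then switch) overrides the wider ones.
RULES: List[Rule] = [
    Rule(("global",), lambda ep, loc: ep.auth == "failed", "shutdown"),
    Rule(("global",), lambda ep, loc: ep.auth == "none", "vlan:quarantine"),
    Rule(("global",), lambda ep, loc: ep.tenant != loc.tenant, "vlan:guest"),   # visitor from another tenant
    Rule(("global",), lambda ep, loc: ep.device_type == "printer", "vlan:printers"),
    Rule(("global",), lambda ep, loc: True, "vlan:production"),                 # catch-all
    # Data centre: an unknown device is not quarantined automatically but only after an
    # operator confirms the port shutdown (semi-automatic blocking).
    Rule(("switch", "sw-dc-01"), lambda ep, loc: ep.auth == "none", "confirm_shutdown"),
    # Lobby port: everything goes to the guest VLAN, registered or not.
    Rule(("port", "sw-lobby-01", "Gi1/0/5"), lambda ep, loc: True, "vlan:guest"),
]


def _covers(scope: Tuple[str, ...], loc: Location) -> bool:
    kind = scope[0]
    if kind == "global":
        return True
    if kind == "switch":
        return scope[1] == loc.switch
    if kind == "port":
        return scope[1] == loc.switch and scope[2] == loc.port
    raise ValueError(f"unknown scope {scope!r}")


def decide(ep: Endpoint, loc: Location, rules: Sequence[Rule] = RULES) -> str:
    """Most specific scope with a matching rule wins; within a scope, first match wins."""
    for level in ("port", "switch", "global"):
        for rule in rules:
            if rule.scope[0] == level and _covers(rule.scope, loc) and rule.when(ep, loc):
                return rule.action
    raise LookupError("no rule matched; the global scope needs a catch-all rule")


def impact(old: Sequence[Rule], new: Sequence[Rule],
           connected: Sequence[Tuple[Endpoint, Location]]) -> List[Tuple[str, str, str, str]]:
    """Impact analysis: (mac, switch/port, old action, new action) for every device whose
    treatment would change if `new` replaced `old`, computed before anything is applied."""
    changes = []
    for ep, loc in connected:
        before, after = decide(ep, loc, old), decide(ep, loc, new)
        if before != after:
            changes.append((ep.mac, f"{loc.switch}/{loc.port}", before, after))
    return changes


# Constructed snapshot of connected devices; tenant "bern" owns sw-bern-01 and sw-lobby-01.
CONNECTED = [
    (Endpoint("00:11:22:33:44:55", "laptop", "bern", "dot1x"), Location("sw-bern-01", "Gi1/0/1", "bern")),
    (Endpoint("00:11:22:33:44:88", "laptop", "bern", "dot1x"), Location("sw-zurich-01", "Gi1/0/9", "zurich")),
    (Endpoint("00:11:22:33:44:66", "printer", "bern", "mac"), Location("sw-bern-01", "Gi1/0/2", "bern")),
    (Endpoint("de:ad:be:ef:00:01", "unknown", None, "none"), Location("sw-dc-01", "Gi1/0/3", "dc")),
    (Endpoint("de:ad:be:ef:00:02", "unknown", None, "none"), Location("sw-bern-01", "Gi1/0/4", "bern")),
    (Endpoint("00:11:22:33:44:77", "laptop", "bern", "failed"), Location("sw-bern-01", "Gi1/0/5", "bern")),
    (Endpoint("00:11:22:33:44:99", "laptop", "bern", "dot1x"), Location("sw-lobby-01", "Gi1/0/5", "bern")),
]
```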

Endpoint Compliance

Before network access is granted, the configuration state of the endpoint is determined (endpoint compliance). This ensures that only endpoints with a valid and up-to-date configuration are admitted to the network. Furthermore, the deployment of virus scanners or the currency of operating system patches can be enforced. Via health profiles, a target health state can be defined for endpoints. Virus protection, anti-spyware, firewall and OS information can be used to determine the endpoint's state of health. A health profile comprises the policies that must be complied with for an endpoint to be classified as "healthy", and defines which actions are to be taken if the endpoint deviates from the target state of health.

Within the health profile, time limits can be defined after which an alarm is triggered, or after which any device that does not comply with the defined target health state is locked out.

Different health profiles can be used within the system and allocated to individual devices or groups of devices. Furthermore, several health profiles can be used for different network segments.

Endpoint health information

The endpoint state of health is determined via a scanner that inspects the devices as soon as they are connected to the network or at periodic intervals. Health information on devices and endpoints can also be imported from a foreign system via a generic import mechanism.

Health scanner

The integrated NAS health scanner inspects the endpoint state of health via WMI (Windows Management Instrumentation). Optionally, endpoints can be scanned to obtain virus protection, anti-spyware, firewall and OS information.

Remote WMI queries require an account with sufficient rights on every scanned endpoint. That account should be dedicated to the scanner, granted no more than the WMI permissions it needs, and monitored, because its credentials are valid on every machine it scans.

Generic health import interface

In addition to the integrated scanner, endpoint health information can be received from foreign systems via the health import interface, using CSV files. With the generic health import interface, existing health monitoring systems can be incorporated as a source for the health state of endpoints.
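The health import is the easiest place to get the time limits wrong: the alarm and lock-out clocks must count from the first scan that found the device non-compliant, not from the current scan, and must reset once the device is healthy again. The Python below is an added example, not USP code: it validates a constructed CSV of the kind the generic health import accepts (the column names are assumptions), evaluates a health profile of four policies and returns healthy / grace / alarm / lockout per device. The thresholds are assumed values.

```python
"""Health profile evaluation over a CSV health import with alarm and lock-out time limits
(added example, not USP product code)."""
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Constructed CSV as a foreign health monitoring system might deliver it; column names are assumptions.
SAMPLE_HEALTH_CSV = """\
mac,scanned_at,av_present,av_defs_age_days,firewall_enabled,missing_critical_patches
00:11:22:33:44:55,2014-06-02T08:00:00Z,1,1,1,0
00:11:22:33:44:66,2014-06-02T08:00:00Z,1,12,1,0
00:11:22:33:44:77,2014-06-02T08:00:00Z,0,,0,3
"""

_MAC = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_health_csv(text: str) -> List[Dict[str, str]]:
    """Rows keyed by column; input from a foreign system is validated, not trusted."""
    rows = []
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        mac = (row.get("mac") or "").strip().lower()
        if not _MAC.match(mac):
            raise ValueError(f"line {n}: bad MAC {row.get('mac')!r}")
        parse_ts(row["scanned_at"])      # fails loudly on a malformed timestamp
        rows.append({**row, "mac": mac})
    return rows


@dataclass(frozen=True)
class Policy:
    name: str
    compliant: Callable[[Dict[str, str]], bool]


@dataclass(frozen=True)
class HealthProfile:
    name: str
    policies: Tuple[Policy, ...]
    alarm_after: timedelta      # non-compliant for at least this long: raise an alarm
    lockout_after: timedelta    # non-compliant for at least this long: lock the device out


def _int(value: str, default: int = -1) -> int:
    return int(value) if value.strip() else default


WORKSTATION = HealthProfile("workstation", (
    Policy("virus scanner installed", lambda r: r["av_present"] == "1"),
    Policy("virus definitions younger than 7 days",
           lambda r: r["av_present"] == "1" and 0 <= _int(r["av_defs_age_days"]) < 7),
    Policy("firewall enabled", lambda r: r["firewall_enabled"] == "1"),
    Policy("no missing critical patches", lambda r: _int(r["missing_critical_patches"]) == 0),
), alarm_after=timedelta(days=1), lockout_after=timedelta(days=3))


@dataclass(frozen=True)
class Verdict:
    mac: str
    failed: Tuple[str, ...]
    noncompliant_since: Optional[datetime]
    action: str                 # "healthy", "grace", "alarm" or "lockout"


def evaluate(rows: List[Dict[str, str]], profile: HealthProfile,
             state: Dict[str, datetime], now: datetime) -> List[Verdict]:
    """`state` maps MAC -> time of the first non-compliant scan and persists between runs,
    because the time limits count from when a device first fell out of compliance."""
    verdicts = []
    for row in rows:
        failed = tuple(p.name for p in profile.policies if not p.compliant(row))
        if not failed:
            state.pop(row["mac"], None)           # back in compliance: the clock restarts next time
            verdicts.append(Verdict(row["mac"], (), None, "healthy"))
            continue
        since = state.setdefault(row["mac"], parse_ts(row["scanned_at"]))
        overdue = now - since
        if overdue >= profile.lockout_after:
            action = "lockout"
        elif overdue >= profile.alarm_after:
            action = "alarm"
        else:
            action = "grace"
        verdicts.append(Verdict(row["mac"], failed, since, action))
    return verdicts
```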


Multitenancy

The system allows administration and operation to be partitioned across several tenants. For that purpose, parts of the network and registered endpoints can optionally be allocated to freely definable tenants, and each user of the USP Network Authentication System™ is assigned to a tenant. The rights assigned to a user can only be exercised within the designated tenant.

Via the web GUI, users can only view the network parts for which they are authorised. This restricts information on a need-to-know basis: users see only the information they require to fulfil their tasks.

Furthermore, users can only activate or temporarily register devices within their allocated tenant. This allows operational roles to be distributed in large organisations.

Mobile devices

In the era of consumerisation, an increasing number of employees use their mobile devices in day-to-day business. These devices are a security concern when connected to the corporate network. NAS integrates with leading mobile device management systems such as MobileIron so that security is not compromised when mobile devices access resources on the corporate network.

NAS can thus access the device identification and health status data of mobile devices. Access to the corporate network is only granted to devices that are registered and that have an up-to-date and valid configuration.

User interface

The user interface is a web GUI with a role-based rights model. The web GUI, all reports and the user documentation are available in several languages.

Depending on the role of the user, the following functions are available:

• Helpdesk role: can see the list of non-compliant devices and enable network access for blocked or quarantined devices.

• Network support role: in addition, can perform simple changes to rule settings and modify the list of supervised switches and routers.

• Administrator role: in addition, can change any configuration setting, adapt the NAS rule set, add and delete users and define roles.

• Monitoring role: can only request the status (NAS health check) of the NAS processes, trap handling and the NAS daemon.

• Reporting role: can generate and view reports and log files for endpoints and network devices, as well as operational analyses such as user reports, MAC tracker etc.


If modifications to the rule set are applied, the user is presented with an impact analysis showing the effects of the changes. Only after confirmation by the user do the changes take effect, so that disruptions due to accidental errors are avoided.

Reporting

NAS keeps a history of all events occurring in the monitored network, so the data can be used to supervise network access control for both current and past events. An integrated reporting engine generates parameterised reports that support IT staff in monitoring or auditing network access, device compliance or user behaviour. Reports can also be created automatically at scheduled intervals, using predefined parameters.

The reports provide statistical views and allow the actions of individual devices or network components to be pinned down selectively. The generated reports are available in various standard formats.

Picture 3: Example of a NAS report


Alarming & Monitoring

All events within the network and the USP Network Authentication System™ are stored in an internal database and can optionally be dispatched via e-mail, Syslog or SNMP. This allows easy integration into existing monitoring systems.

Thanks to the flexibly configurable forwarding of notifications, an administrator can be notified about the lock-out of a client before the employee concerned gets to the phone. The alarming and permissive mode reports newly connected unknown devices, for instance in data centre operations.

The integrated monitoring covers the appliance itself, including hardware, operating system and application, as well as the configured applications and network components. If, for example, a switch cannot be reached via SNMP for a given period, an alarm is triggered immediately.

Picture 4: Core status and monitoring


Redundancy

In a redundant setup there are two appliances in active/passive mode. While the active appliance scans and handles the incoming SNMP traps, the other appliance is in passive mode and ignores all signals. Operational data of the active appliance is continuously transferred (synchronised) to the passive appliance, so that both appliances hold the same data.

Both appliances monitor each other using a heartbeat (via TCP/IP). Through this mechanism the passive appliance recognises when the other has failed and takes over seamlessly. The changeover can also be performed manually.

The appliances can be placed in different locations and network segments, as they have their own IP addresses. When they are separated in this way, the heartbeat path should be independent of the WAN links whose sites are being monitored: a lost heartbeat is indistinguishable from a failed peer, and a partitioned pair may otherwise both consider themselves active.

Distributed Architectures

In certain cases it makes sense to deviate from a centralised approach, for instance when several locations connected by unreliable WAN links require high availability. The USP Network Authentication System™ can be operated in a distributed architecture in order to spread network monitoring across multiple appliances. Administration and reporting can still be managed centrally in such a setup.

Interfaces

Existing network management and inventory systems can be integrated with little effort. In this way, monitored switches and routers do not have to be administered in a further system, as the data is already available in the NMS.

NAS offers a standardised import interface based on the transfer of flat files from the source systems to the NAS server. The data can be transferred at any time. If there is no inventory, the necessary endpoint and network component data can be stored within NAS and administered via the web GUI.

It is also possible to export inventory and operating data to comma-separated value (CSV) files. This can be used, for example, to build an inventory out of current network data or to edit relevant operating data in a third-party tool. Combined with scheduled reporting it is even possible to synchronise data automatically between NAS and external inventory or network management systems.


Technical Data Sheet

Communication with network infrastructure

• SNMP v1, v2c or v3 (default: SNMP v2c)

• SNMP traps

• SNMP MIB-II (IP-MIB, IF-MIB, BRIDGE-MIB)

• SNMP Q-BRIDGE-MIB or vendor-specific MIBs for VLAN information

• IEEE 802.1X

• IEEE 802.1Q VLAN

• Dynamic VLAN assignment

• DNS zone transfer (RFC 1995)

IEEE 802.1X support

• IEEE 802.1X RADIUS (RFC 3580)

• EAP (RFC 3748, RFC 2716)

• RADIUS proxy support

User interface

• HTTPS, SSLv3/TLS (RFC 4346); SSLv3 is obsolete and should be disabled in favour of TLS

• Web GUI with role-based authorisation model

• Predefined role model: Helpdesk, Support, Admin, Reporting

• Supported languages: English, German

Management interface

• Management web GUI (HTTPS)

• SSHv2

• Central configuration management via the web GUI

Performance and availability

• Mirrored data management in different locations

• Multi-threaded architecture, scalable on multicore CPUs

• One central NAS system can handle thousands of switches/routers and tens of thousands of devices; the maximum size of the controlled network depends on the hardware used and on the latency in the network

Logging and alerting

• Integrated event monitor covering the appliance's hardware, operating system and application services; it includes an event viewer with alert tracking and a graphical display of system resource usage

• All important events are logged (log files and a log table in the database)

• Forwarding of any log messages and alerts via Syslog and/or SNMP trap

• Event scripting with any action possible (e.g. sending e-mails/SMS or opening a ticket in a trouble-ticket system)

Interfaces for data exchange

• Import interface for multiple independent source systems

• JDBC, ODBC, SQL, XML

• Import of flat files (CSV) via SFTP

• Export of flat files (CSV)

• MobileIron import interface

Reporting

• Integrated reporting engine in the web GUI

• Scheduled reporting

• Output formats: HTML, PDF, CSV

• Connection to other reporting tools possible, e.g. Business Objects, Crystal Reports

Platforms for the software suite

• Java platform, standard edition, version 5 or higher

• Servlet 2.4 / JSP 2.0 web container (e.g. Tomcat 5.x)

• Linux or UNIX operating systems

Appliance

• Standard rack server

• Intel Xeon quad-core CPU, 8 GB RAM

• 2 hot-plug 73 GB SAS hard disks, RAID 1

• 2 hot-plug power supplies