Deploying Cisco Network Admission Control (NAC) · NAC Server Foundation: Out of Band 1. Multi-Gig...

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID 1 Deploying Cisco Network Admission Control (NAC) Haider Pasha, CISSP Consulting SE Manager, Advanced Technologies Africa & Levant

Transcript of Deploying Cisco Network Admission Control (NAC) · NAC Server Foundation: Out of Band 1. Multi-Gig...

Page 1: Deploying Cisco Network Admission Control (NAC) · NAC Server Foundation: Out of Band 1. Multi-Gig Throughput deployment option 2. NAC Server is Inline for Posture Assessment Only


Deploying Cisco Network Admission Control (NAC)

Haider Pasha, CISSP, Consulting SE Manager, Advanced Technologies Africa & Levant

Page 2:

Agenda
1. NAC Overview
2. General Design and Deployment
3. NAC Profiler
4. Guest Access
5. Q & A

Page 3:

What Is Network Admission Control?

Identity: Who is the user? Is s/he authorized? What role does s/he get?

Plus device security: Is MS patched? Does A/V or A/S exist? Is it running? Are services on? Do required files exist?

Plus network security: Is policy established? Are non-compliant devices quarantined? Is remediation needed? Is remediation available?

Using the network to enforce policies ensures that incoming devices are compliant.

Page 4:

Cisco NAC Components

Posture Layer
NAC Agent or Web Agent: no-cost client for device-based scans
SSC: 802.1x supplicant via CSSC or the Vista embedded supplicant
Ruleset Updates: scheduled automatic rulesets for anti-virus, Microsoft hot-fixes and other applications

NAC Services Layer
NAC Manager: centralized management, configuration, reporting, and policy store
NAC Server: posture, services and enforcement
ACS: access policy system for 802.1x termination and identity based access control
NAC Profiler: aggregates data from the Collector to determine role and privileges
NAC Collector: collects network data to determine device type
NAC Guest: full-featured guest provisioning server

Infrastructure Layer
Network Access Devices

Page 5:

Cisco NAC Appliance Partnerships

NAC Appliance Supports Policies for 300+ Applications, including These Vendors:

Cisco NAC is committed to protecting customers' investments in partner applications

Page 6:

NAC Solution Sizing and Platforms

NAC Management Components
Lite Manager (up to 3 Servers)
Std Manager (up to 20 Servers)
Super Manager (up to 40 Servers)

NAC Server Components (users = online, concurrent)
ISR Network Module: 50 or 100 users
Appliance: 100, 250, or 500 users
Appliance: 1500, 2500, or 3500 users

Additional NAC Services
Guest Server
Profiler Server

Hardware Platform Legend: ISR NM, 3310, 3350, 3390

Page 7:

NAC Overview: Process Flow

Parties: User Machine, NAC Server, NAC Manager (the numbers in parentheses are the TCP/UDP ports the slide shows for each exchange).

1. DHCP Request from the user machine
2. Agent discovery: UDP Discover (8905, 8906) from the NAC Agent to the NAC Server. If there is no agent, the user opens a web browser, is URL-redirected to weblogin, and downloads the NAC Agent (80)
3. Agent connects via TCP (443)
4. NAC Server to NAC Manager: Pre-connect (1099) and Connect request (1099); Connect Response (8955, 8956)
5. User Login (443)
6. Download Policy to Agent: agent checks and rules, XML (443); plugins enabled (443)
7. Agent performs posture assessment; Report (443)
8. Server performs access enforcement: the user machine is Certified and Logged On
9. Session and heartbeat timer (443); Logged out

Page 8:

NAC Use Cases

1. Distributed architecture deployment

2. NAC Server is in Bridged (Virtual Gateway) or Routed (Real-IP Gateway) mode

3. Users are Layer 2 (L2) or Layer 3 (L3) adjacent to NAC Server.

4. NAC Server is In-Band (IB) all the time or can be Out-of-Band (OOB). An OOB NAC Server is inline only during NAC posture assessment and remediation.

Page 9:

Agenda
1. NAC Overview
2. General Design and Deployment
3. NAC Profiler
4. Guest Access
5. Q & A

Page 10:

NAC Server Foundation: Bridge Mode

1. Direct Bridging: Frame Comes In, Frame Goes Out

2. VLAN IDs are either passed through untouched or mapped from A to B

3. DHCP and Client Routes point directly to network devices on the Trusted side

4. NAC Server is an IP passive bump in the wire, like a transparent firewall

Page 11:

NAC Server Foundation: Routed Mode

1. NAC Server is Routing, Packet Comes In, Packet Goes Out

2. VLAN IDs terminate at the Server, no pass-through or mapping

3. DHCP and Client Routes usually point to the Server for /30

4. NAC Server is an active IP router, can also NAT outbound packets *

* Be aware of NAT performance limitations

Page 12:

NAC Server Foundation: In Band

1. Easiest deployment option

2. NAC Server is Inline (in the data path) before and after posture assessment

3. Supports any switch, any hub, any AP

4. Role Based Access Control (Guest, Contractor, Employee)

5. ACL Filtering and Bandwidth Throttling

Page 13:

NAC Server Foundation: Out of Band

1. Multi-Gig Throughput deployment option

2. NAC Server is Inline for Posture Assessment Only

3. Supports most common Cisco Switches **

4. Port VLAN Based and Role Based Access Control

5. ACL Filtering and Bandwidth Throttling for Posture Assessment Only

NAC Manager Controls Port using SNMP

Page 14:

Out-of-Band Process Flow (slides 14 to 17 are builds of one diagram)

Diagram:
PC on an access switch; the switch port is in vlan 10 (access) or vlan 110 (authentication)
dot1q trunk carrying v10 and v110 between the access switch and the NAC Server
NAC Server: untrusted side vlan 110, trusted side vlan 10 and 30; VLAN mapping v110 to v10
NAC Server addresses shown: 10.90.0.2 (vlan 900) and 10.30.0.2
Distribution SVIs: v10: 10.10.0.1, v900: 10.90.0.1, v30: 10.30.0.1
DHCP Server: vlan 10 scope 10.10.0.5 - 10.10.0.254
PC ends up with IP 10.10.0.10, DG 10.10.0.1

1. PC is attached to the network
2. Switch sends the MAC address via SNMP to the NAC Manager
3. NAC Manager verifies whether the PC is 'Certified'. If the PC is not certified, the NAC Manager instructs the switch to assign the port to the Authentication VLAN (v110). The PC still gets a DHCP IP address in the vlan 10 subnet, because DHCP/DNS traffic passes through the NAC Server using VLAN mapping.
4. All traffic from the PC flows to the NAC Server; the NAC Server enforces network access restrictions
5. PC goes through Authentication, Posture Assessment and Remediation
6. NAC Server informs the NAC Manager that the PC is 'Certified'
7. NAC Manager instructs the switch to assign the port to the 'Access' VLAN (v10) based on port mapping or user role assignment
8. PC is allowed access to the network
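Steps 1 to 8 above are a control loop between the switch, the NAC Manager and the NAC Server. The following is an added example, not Cisco code and not from the slides: a toy NAC Manager that receives the switch's MAC notification, parks the port in the authentication VLAN until the NAC Server reports the endpoint 'Certified', moves it to the access VLAN by user role or by port mapping, and parks it again on logout or heartbeat timeout. The port-to-VLAN and role-to-VLAN tables, the port names and the MAC addresses are constructed values; VLAN 110 (authentication) and VLANs 10 and 30 (access) come from the diagram.

```python
"""Model of the Out-of-Band port-control loop (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

AUTH_VLAN = 110                                          # authentication VLAN (bridged to vlan 10 by the NAC Server)
PORT_MAPPING = {"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 30}  # assumed per-port access VLAN
ROLE_VLAN = {"employee": 10, "contractor": 30}         # assumed user-role to access VLAN


@dataclass
class Switch:
    """Stand-in for the access switch; the NAC Manager sets the port VLAN over SNMP."""
    port_vlan: Dict[str, int] = field(default_factory=dict)
    snmp_sets: List[Tuple[str, int]] = field(default_factory=list)   # every SNMP write the manager issued

    def set_port_vlan(self, port: str, vlan: int) -> None:
        self.port_vlan[port] = vlan
        self.snmp_sets.append((port, vlan))


class NacManager:
    def __init__(self, switch: Switch) -> None:
        self.switch = switch
        self.certified: Dict[str, str] = {}   # MAC -> role: the 'Certified' list
        self.port_mac: Dict[str, str] = {}    # port -> MAC last reported on it

    def _access_vlan(self, port: str, mac: str) -> int:
        """Step 7: access VLAN by user role when the role has one, otherwise by port mapping."""
        role = self.certified.get(mac, "")
        return ROLE_VLAN.get(role, PORT_MAPPING.get(port, AUTH_VLAN))

    def on_mac_notification(self, port: str, mac: str) -> int:
        """Steps 2-3: the switch reports a MAC on a port; an uncertified MAC goes to the auth VLAN."""
        mac = mac.lower()
        self.port_mac[port] = mac
        vlan = self._access_vlan(port, mac) if mac in self.certified else AUTH_VLAN
        self.switch.set_port_vlan(port, vlan)
        return vlan

    def on_certified(self, mac: str, role: str) -> Optional[int]:
        """Steps 6-7: the NAC Server reports the endpoint certified; move its port to the access VLAN."""
        mac = mac.lower()
        self.certified[mac] = role
        for port, seen in self.port_mac.items():
            if seen == mac:
                vlan = self._access_vlan(port, mac)
                self.switch.set_port_vlan(port, vlan)
                return vlan
        return None   # certified but not currently seen on any port

    def on_logout(self, mac: str) -> List[str]:
        """Logout or heartbeat timeout (process-flow slide): drop certification, park the port(s)."""
        mac = mac.lower()
        self.certified.pop(mac, None)
        parked = [p for p, seen in self.port_mac.items() if seen == mac]
        for port in parked:
            self.switch.set_port_vlan(port, AUTH_VLAN)
        return parked


if __name__ == "__main__":
    sw = Switch()
    mgr = NacManager(sw)
    print("attach   ->", mgr.on_mac_notification("Fa0/1", "00:11:22:33:44:55"))   # 110
    print("certified->", mgr.on_certified("00:11:22:33:44:55", "employee"))        # 10
    # Same MAC seen on a second port: already on the certified list, so it is moved
    # straight to the access VLAN without another posture check.
    print("re-seen  ->", mgr.on_mac_notification("Fa0/2", "00:11:22:33:44:55"))   # 10
    print("logout   ->", mgr.on_logout("00:11:22:33:44:55"))                       # ['Fa0/1', 'Fa0/2']
```

Two points the model makes visible. First, the certified list is keyed on the MAC address, exactly as Layer 2 mode uses the MAC as the unique identifier (slide 50): in the demo a MAC that is already certified gets its access VLAN as soon as it appears on a second port, which is the behaviour the Profiler's MAC-spoofing detection (slide 33) exists to catch. Second, every VLAN change is an SNMP write from the NAC Manager to the access switch, so the SNMP write credentials and the path to the switches deserve the same protection as the manager itself.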

Page 18:

Complete Layer 2 Network

Diagram: collapsed core / distribution (two switches) with access switches below. Access VLANs 10, 20, 30 and 40, 50, 60 at the access layer; VLANs 110, 120, 130 and 140, 150, 160 at the collapsed core (authentication VLAN 1xx is mapped to access VLAN xx, as in the VLAN mapping on the Out-of-Band process flow slides).

Page 19:

Network Topology: Campus Routed Access Design

Diagram: Core above two distribution switches D1 and D2, each with SVI 200 and SVI 300 (host addresses .4 and .5) and HSRP between them; VLAN 100 used for L3 peering; L3 links from D1/D2 down to the access layer; NAC Servers USVR-1 (Active) and USVR-2 (Standby) attached by trunks (T) carrying VLANs 200 and 300.
VLAN 200 (Untrusted): 10.0.1.0/24
VLAN 300 (Trusted): 10.0.2.0/24
NAC Manager: 10.10.10.10
Access VLANs: VLAN 10 Data, VLAN 11 Voice, VLAN 16 Auth

1. Replace the L3 routed link between the distribution layer devices with a L2 EtherChannel trunk. Carry only 3 VLANs on the trunk (100, 200, 300): Trusted, Untrusted and RP peering. Establish L3 peering via SVI 100.
2. Maintain L3 routed links between the access and distribution layers
3. HSRP is used between the Untrusted SVIs (200) and the Trusted SVIs (300)

Page 20:

Central Site In-Band NAC Server

1. No access to the central site without meeting policy
2. Remote segmentation depends on the WAN technology
3. Point-to-point networks can hairpin traffic through the NAC Server to segment remotes
4. MPLS or meshed networks cannot segment remote branches

Evaluate requirements: the easiest and fastest method of deployment if it meets needs.

Diagram: NAC Manager and NAC Server in front of the central site resources; remote sites reach them across the IP network.

Page 21:

Remote Site NAC Server or Network Module (In-Band or OOB)

1. Minimal network changes (same as a campus deployment)
2. Remote segmentation, or port segmentation using OOB
3. Full feature support: keep IP address (VGW), /30s etc.
4. Deploy In-Band for both wired and wireless users
5. Deploy Out-of-Band for wired-only deployments

Optimal solution: provides all the functions of a campus deployment; contrast with cost.

Diagram: NAC Manager at the central site; a NAC Server or a NAC Server Network Module for the ISR at each remote site, across the IP network.

Page 22:

Central Site Out-of-Band NAC Server (L3 OOB)

1. NAC Server deployed at the centre
2. Traffic from the Auth VLAN must be restricted to the NAC Server, remediation services etc.
3. Remote segmentation is controlled through either: Access Control Lists; Policy Based Routing; a separate MPLS VPN; GRE tunnels, IPSec, etc.

Port based control: port based control with a central NAC Server comes with increased deployment complexity.

Diagram: NAC Manager, NAC Server and remediation resources at the central site; remote sites across the IP network.

Page 23:

L3 OOB with Access Control Lists (slides 23 to 26 are builds of one diagram)

Diagram: laptop on a remote site access switch; 192.168.2.0/24 Unauthenticated VLAN and 192.168.1.0/24 Authenticated VLAN at the remote site; AV Server and Windows Update Server as local remediation servers; 10.1.1.0/24 (remediation network with the NAC Manager and NAC Server) across the IP network.

1. User connects laptop to the network
2. Switch tells the NAC Manager, which puts the port in the unauthenticated VLAN
3. NAC Agent on the user's PC sends a discovery packet to the NAC Manager
4. NAC Server intercepts the discovery packet and goes through authentication, posture checking, remediation etc. with the client.

Page 27:

What If the PC Has a Worm/Virus/Malware?

1. If the PC has a worm it could send traffic into the network, infecting other devices
2. However, the ACL on the unauthenticated VLAN should stop all unnecessary communication
3. Like the temporary filter on the NAC appliance traditionally does

Diagram: same L3 OOB topology (192.168.2.0/24 Unauthenticated VLAN, 192.168.1.0/24 Authenticated VLAN, AV Server and Windows Update Server, NAC Manager and NAC Server on 10.1.1.0/24).

The slide's ACL, with the bracketed values left as placeholders. The two entries marked "added" are not on the slide: an inbound ACL on the unauthenticated VLAN interface also filters the client's own DHCP discover towards the relay, so DHCP has to be permitted explicitly, and the final deny makes the implicit drop visible in the logs.

    ip access-list extended nac-filter
     remark Allow traffic to remediation network
     permit ip any 10.1.1.0 0.0.0.255
     remark Permit to local remediation servers
     permit ip any 192.168.1.[wsus,av,etc] 0.0.0.0
     remark Added: client DHCP to the relay on this interface
     permit udp any eq bootpc any eq bootps
     remark Added: everything else from the unauthenticated VLAN is dropped and logged
     deny ip any any log
    !
    interface fa0.[unauthenticated vlan]
     ip access-group nac-filter in
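Whether the ACL really "stops all unnecessary communication" is something to test rather than assume. The following is an added example, not from the slides and not Cisco code: an evaluator for the subset of IOS extended-ACL syntax the nac-filter uses (permit/deny; ip, tcp or udp; any, host or address plus wildcard; "eq" ports), run over constructed flows from an unauthenticated laptop. The ACL text is the slide's nac-filter with hypothetical values filled in for the bracketed placeholders: 192.168.1.20 (WSUS) and 192.168.1.21 (AV server) are assumptions, as is the DHCP permit.

```python
"""First-match evaluation of the unauthenticated-VLAN ACL over sample flows (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed ACL modelled on the slide's nac-filter; the placeholder hosts are assumed values.
NAC_FILTER = """
ip access-list extended nac-filter
 remark Client DHCP to the relay on the unauthenticated VLAN interface (assumed required)
 permit udp any eq bootpc any eq bootps
 remark Allow traffic to remediation network (NAC Manager/Server and central remediation)
 permit ip any 10.1.1.0 0.0.0.255
 remark Permit to local remediation servers (hypothetical WSUS and AV hosts)
 permit ip any host 192.168.1.20
 permit ip any 192.168.1.21 0.0.0.0
 deny ip any any log
"""

UNAUTH_VLAN = ipaddress.ip_network("192.168.2.0/24")   # from the slide diagram
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _net(tokens: List[str], i: int):
    """Parse 'any', 'host A' or 'A WILDCARD' starting at tokens[i]; returns (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = tokens[i + 1]
    if wildcard == "0.0.0.0":                      # IOS 'A 0.0.0.0' means the single host A
        return ipaddress.ip_network(tok + "/32"), i + 2
    # ipaddress treats a mask that starts with a zero octet as a host (wildcard) mask
    return ipaddress.ip_network(f"{tok}/{wildcard}"), i + 2


def _port(tokens: List[str], i: int):
    """Parse an optional 'eq PORT' qualifier; returns (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(PORT_NAMES.get(tokens[i + 1], tokens[i + 1])), i + 2
    return None, i


def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                                # header line, remarks, blanks
        action, proto = tokens[0], tokens[1]
        src, i = _net(tokens, 2)
        sport, i = _port(tokens, i)
        dst, i = _net(tokens, i)
        dport, i = _port(tokens, i)                 # a trailing 'log' keyword is ignored here
        entries.append(Entry(action, proto, src, sport, dst, dport))
    return entries


def evaluate(entries: List[Entry], proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    """Verdict for one flow leaving the unauthenticated VLAN through its SVI.

    Returns 'permit', 'deny' (the implicit deny included) or 'unfiltered': traffic
    between two hosts inside the same VLAN is switched at Layer 2 and never reaches
    a router-interface ACL, so this ACL says nothing about it.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in UNAUTH_VLAN and d in UNAUTH_VLAN:
        return "unfiltered"
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.sport is not None and e.sport != sport:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(NAC_FILTER)
    flows = [   # constructed sample flows from an unauthenticated laptop
        ("DHCP discover", "udp", "0.0.0.0", 68, "255.255.255.255", 67),
        ("to NAC Server", "tcp", "192.168.2.10", 40000, "10.1.1.5", 443),
        ("WSUS", "tcp", "192.168.2.10", 40001, "192.168.1.20", 8530),
        ("worm -> authenticated host", "tcp", "192.168.2.10", 40002, "192.168.1.77", 445),
        ("worm -> internet", "tcp", "192.168.2.10", 40003, "203.0.113.5", 80),
        ("worm -> neighbour, same VLAN", "tcp", "192.168.2.10", 40004, "192.168.2.11", 445),
    ]
    for name, *flow in flows:
        print(f"{name:30s} {evaluate(acl, *flow)}")
```

The last flow is the caveat behind point 2 on the slide: the interface ACL only sees traffic that leaves the unauthenticated VLAN, so two uncertified laptops parked in the same VLAN can still reach each other unless the ports are additionally isolated (for example with a port ACL or a private VLAN).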

Page 28:

L3 OOB with Access Control Lists

5. Lastly, the NAC Manager changes the switch port of the PC to the authenticated VLAN (192.168.1.0/24)

Page 29:

NAC Appliance for Remote Users

Diagram: Central Site with NAC; Branch Office corporate users over IPSec VPN; Home Office unmanaged desktop and Account Manager mobile user over SSL tunnel VPN; Supply Partner extranet over IPSec VPN; multi-hop IP in between.

Benefits
1. Extends policy enforcement and compliance to remote access and VPN users
2. Extends enforcement to site-to-site VPN partners
3. Leverages VPN sign-on for single-sign-on

Features
1. Supports IPSec and SSL Tunnel VPNs
2. Supports site-to-site VPNs
3. Supports VPN user single-sign-on

Page 30:

Cisco NAC for Wireless Users

Benefits
1. Enables central deployment mode
2. Extends enforcement to any wireless network
3. End user devices can be several hops away
4. Leverages 802.1x sign-on for single-sign-on

Features
1. Supports 802.1q trunking
2. Supports thin or thick wireless 802.11 APs
3. Supports wireless user single-sign-on

Diagram: Central Site; LWAPP wireless network users (LWAPP); WLSM guest wireless network users (GRE, 802.1q); campus building wireless users (802.1q).

Page 31:

Agenda
1. NAC Overview
2. General Design and Deployment
3. NAC Profiler
4. Guest Access
5. Q & A

Page 32:

Non-PC Endpoint Devices

An enterprise LAN is comprised of myriad endpoint types. Most are undocumented (think DHCP).

Wired endpoints distribution, enterprises without VoIP: 50% Windows, 50% other
Wired endpoints distribution, enterprises with VoIP: 33% Windows, 33% IP phones, 33% other

Page 33:

Cisco NAC Profiler: Secure Automation

Diagram: Cisco NAC Profiler performing discovery and monitoring of PCs and non-PCs (UPS, phone, printer, AP).

Endpoint Profiling
Discover all network endpoints by type and location
Maintain real time and historical contextual data for all endpoints

Behavior Monitoring
Monitor the state of the network endpoints
Detect events such as MAC spoofing, port swapping, etc.

An automated process populates devices into the NAC Manager and, subsequently, into the appropriate NAC policy

Page 34:

Understanding NAC Profiler

Diagram: a NAC Server with the NAC Collector License feeds the NAC Profiler Server from SPAN/TRAP/NETFLOW etc.; the Profiler Server updates the NAC Manager through the NAC API; Windows AD and an AAA Server are shown alongside the NAC Manager.

1. NAC Collector aggregates the collection of relevant data (e.g. phones, printers, badge readers, modalities) and sends it to the NAC Profiler Server
2. NAC Collector continuously monitors the behavior of profiled devices (spoofing behavior) and updates the Profiler Server
3. NAC Profiler Server profiles the device and automatically adds/deletes/modifies the MAC/IP on the NAC Manager and places it in the NAC filter list (allow, deny, ignore, or "role").
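Steps 1 to 3 describe profiling once and then watching for deviations. The following is an added example and not Cisco NAC Profiler code: endpoints are profiled from the OUI of their MAC with a tiny assumed OUI table and given a NAC filter-list verdict (allow = bypass posture, as an agentless printer or phone would; ignore = leave it to normal agent-based NAC), then monitored. A device that initiates connections its profile never makes, or a MAC that turns up on a different switch port, is flagged and its verdict switched to deny. The OUIs, baselines, switch ports, MAC addresses and flow records are all constructed for the example.

```python
"""Profile-then-monitor sketch of NAC Profiler behaviour monitoring (added example, not Cisco code)."""
from typing import Dict, List, Tuple

OUI_TYPE = {"00:1b:78": "printer", "00:1e:13": "ip-phone", "00:0c:29": "pc"}   # assumed OUI table
# Destination ports each non-PC type is expected to initiate connections to (assumed baselines).
BASELINE_DST_PORTS = {
    "printer": {53, 67, 123, 161, 443, 514},
    "ip-phone": {53, 67, 69, 123, 2000, 5060},
}


def profile(mac: str) -> str:
    """Device type from the first three octets of the MAC (OUI); 'unknown' if not in the table."""
    return OUI_TYPE.get(mac.lower()[:8], "unknown")


class Profiler:
    def __init__(self) -> None:
        self.port_of: Dict[str, str] = {}             # MAC -> switch port it was last seen on
        self.filter_list: Dict[str, str] = {}         # MAC -> allow | deny | ignore (the NAC filter list)
        self.alerts: List[Tuple[str, str, str]] = []  # (MAC, alert kind, detail)

    def _flag(self, mac: str, kind: str, detail: str) -> None:
        self.alerts.append((mac, kind, detail))
        self.filter_list[mac] = "deny"                # step 3: push the changed verdict to the NAC Manager

    def on_mac_notification(self, switch_port: str, mac: str) -> str:
        """Discovery from a switch trap: profile new MACs, flag ones that changed port."""
        mac = mac.lower()
        previous = self.port_of.get(mac)
        if previous is not None and previous != switch_port:
            self._flag(mac, "port-swap", f"{previous} -> {switch_port}")
        self.port_of[mac] = switch_port
        if mac not in self.filter_list:
            self.filter_list[mac] = "allow" if profile(mac) in BASELINE_DST_PORTS else "ignore"
        return self.filter_list[mac]

    def on_flow(self, mac: str, proto: str, dst_port: int, initiated: bool) -> str:
        """NetFlow-style record: a profiled non-PC device may only initiate its baseline traffic."""
        mac = mac.lower()
        kind = profile(mac)
        baseline = BASELINE_DST_PORTS.get(kind)
        if baseline is not None and initiated and dst_port not in baseline:
            self._flag(mac, "behaviour", f"{kind} initiated {proto}/{dst_port}")
        return self.filter_list.get(mac, "ignore")


if __name__ == "__main__":
    p = Profiler()
    printer = "00:1b:78:aa:bb:cc"                     # constructed MAC with the assumed printer OUI
    print(p.on_mac_notification("Fa0/5", printer))    # allow
    print(p.on_flow(printer, "udp", 123, True))       # allow: NTP is in the printer baseline
    print(p.on_flow(printer, "tcp", 445, True))       # deny: a printer does not start SMB sessions
    print(p.alerts)
```

A host that borrows a printer's MAC address to inherit its allow entry has to behave like a printer to keep it; the port-swap rule catches the cruder case where the MAC simply reappears behind another port.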

Page 35:

Agenda
1. NAC Overview
2. General Design and Deployment
3. NAC Profiler
4. Guest Access
5. Q & A

Page 36:

4 Key Components of Guest Access

GUEST: the visitor who needs network access (usually internet only)
SPONSOR: the internal user who wants to be able to provide internet access to her guest
NETWORK ENFORCEMENT DEVICE: the device that authenticates the guest and grants network access
NAC GUEST SERVER: enables the sponsor to create the guest account; audits; provisions the account on the network enforcement device

Page 37:

3 Ways of Guest Notification

Send account information via print-out, email, or SMS

Page 38:

How It Works with NAC

Diagram: Cisco NAC Guest Server, NAC Manager and NAC Server in front of the enterprise network (Internet, e-mail, VPN, etc.); the guest's connect screen.

1. Employee creates an account for the guest
2. Guest Server adds the guest info to the NAC Manager via the API
3. Guest starts a web browser
4. NAC Appliance redirects to the login page
5. Guest enters the temporary access code generated by the SGA Appliance
6. NAC Appliance puts the user in the specific role
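Behind steps 1 to 6 sits a guest account with a sponsor, a validity window and a temporary code. The following is an added example and not Cisco NAC Guest Server code: a sponsor creates a time-bounded account, the server stores only a hash of the access code, records the sponsor in an audit log and provisions the account to the NAC Manager (modelled as a dictionary standing in for the API call); the login check the NAC appliance would then perform enforces the validity window and a constant-time code comparison before returning the role to place the guest in. The sponsor, guest names, times and code alphabet are constructed for the example.

```python
"""Guest account lifecycle: create, notify, login, expire (added example, not Cisco code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O or 1/I: the code is read off a print-out or SMS


@dataclass
class GuestAccount:
    username: str
    sponsor: str
    code_hash: str                # only the hash of the temporary access code is kept
    valid_from: datetime
    valid_to: datetime
    role: str = "guest"           # assumed name of the Internet-only role on the NAC Manager


def _hash_code(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


class GuestServer:
    def __init__(self) -> None:
        self.accounts: Dict[str, GuestAccount] = {}
        self.nac_manager: Dict[str, GuestAccount] = {}   # stands in for the NAC Manager API (step 2)
        self.audit: List[Tuple[datetime, str, str, str]] = []   # (when, actor, action, username)

    def create_account(self, sponsor: str, username: str, hours: int, now: datetime) -> str:
        """Steps 1-2: the sponsor creates the account and it is pushed to the NAC Manager.

        Returns the clear-text code once, for delivery by print-out, email or SMS.
        """
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(8))
        acct = GuestAccount(username, sponsor, _hash_code(code), now, now + timedelta(hours=hours))
        self.accounts[username] = acct
        self.nac_manager[username] = acct
        self.audit.append((now, sponsor, "create", username))
        return code

    def login(self, username: str, code: str, now: datetime) -> Optional[str]:
        """Steps 4-6: web login with the temporary code; returns the role to assign, or None."""
        acct = self.nac_manager.get(username)
        if acct is None:
            return None
        if not hmac.compare_digest(acct.code_hash, _hash_code(code.strip().upper())):
            self.audit.append((now, username, "bad-code", username))
            return None
        if not (acct.valid_from <= now < acct.valid_to):
            self.audit.append((now, username, "expired", username))
            return None
        self.audit.append((now, username, "login", username))
        return acct.role

    def expire(self, now: datetime) -> List[str]:
        """Housekeeping: remove accounts past their window from the NAC Manager."""
        gone = [u for u, a in self.nac_manager.items() if now >= a.valid_to]
        for username in gone:
            del self.nac_manager[username]
            self.audit.append((now, "system", "expire", username))
        return gone


if __name__ == "__main__":
    gs = GuestServer()
    t0 = datetime(2009, 6, 1, 9, 0)                         # constructed timestamp
    code = gs.create_account("sponsor@example.test", "visitor1", 8, t0)
    print("code for the print-out:", code)
    print("login at +1h:", gs.login("visitor1", code, t0 + timedelta(hours=1)))   # guest
    print("login at +9h:", gs.login("visitor1", code, t0 + timedelta(hours=9)))   # None
    print("expired:", gs.expire(t0 + timedelta(hours=9)))                          # ['visitor1']
```

The audit list is what answers "who let this device in" after the fact: every account is tied to the sponsor who created it, and every login, bad code and expiry is recorded against the guest username.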

Page 39:

Agenda
1. NAC Overview
2. General Design and Deployment
3. NAC Profiler
4. Guest Access
5. Q & A

Page 40:

Recommended Reading

1. Continue your Networkers at Cisco Live learning experience with further reading from Cisco Press
2. Check the Recommended Reading flyer for suggested books

Available onsite at the Cisco Company Store

Page 41:

Breakout Session Evaluation Form

Your session feedback is valuable. Please take the time to complete the breakout evaluation form and hand it to the member of staff by the door on your way out.

Thank you!


Page 43:

Backup Slides

Page 44:

Cisco NAC Innovation

Timeline 2003 to 2008, value-add increasing: Posture Assessment (What's on your device?), User Identity (Who are you?), Device Profiling (What other devices are connected?), Secure Guest (Who else is connecting?), Governance (What are the conditions of access?).

Market Size (source: IDC, June 2007)
2004: $92m
2005: $131m
2006: $207m
2007: $354m
2008: $570m

Page 45:

Basic NAC Components

1. NAC Manager (Clean Access Manager): centralizes management for administrators, support personnel, and operators
2. NAC Server (Clean Access Server): serves as the enforcement point for network access control
3. NAC Agent (Clean Access Agent): optional lightweight client for device-based registry scans in unmanaged environments
4. Rule-set Updates: scheduled automatic updates for anti-virus, critical hot-fixes and other applications



Page 48:

Agent Options: Web and Persistent

Page 49:

NAC Server Foundation: Layer 2 Mode and Layer 3 Mode

1. NAC Servers have two client access deployment models: Layer 2 Mode and Layer 3 Mode
2. Any NAC Server can be configured for either method, but a NAC Server can only be one at a time
3. Deployment mode selection is based on whether the client is Layer 2 adjacent to the NAC Server

Page 50:

NAC Server Foundation: Layer 2 Mode

1. Client is Layer 2 Adjacent to the Server

2. MAC address is used as a unique identifier

3. Supports both VGW and Real IP GW

4. Supports both In Band and Out of Band

5. Most common deployment model for LANs

Page 51:

NAC Server Foundation: Layer 3 Mode

1. Client is NOT Layer 2 Adjacent to the NAC Server

2. IP Address is used as a unique identifier

3. Supports both VGW and Real IP GW

4. Supports In Band Mode

5. Needed for WAN and VPN

Page 52:

NAC Server Foundation: Bridge or Router?

1. NAC Servers at the most basic level can pass traffic in one of two ways: Bridged Mode = Virtual Gateway (VGW); Routed Mode = Real IP Gateway / NAT Gateway (RIPGW)
2. Any NAC Server can be configured for either method, but a NAC Server can only be one at a time
3. Gateway mode selection affects the logical traffic path
4. Does not affect whether a NAC Server is in Layer 2 mode, Layer 3 mode, In Band or Out of Band

Page 53

NAC Server Foundation: In Band and Out of Band

1. NAC Servers have two traffic flow deployment models: In Band and Out of Band

2. Any NAC Server can be configured for either method, but a NAC Server can only be one at a time

3. Selection is based on whether the customer wants to remove the NAC Server from the data path

4. NAC Server is ALWAYS inline during Posture Assessment

Page 54

NAC Appliance for Remote Users

Diagram labels: Central Site; Branch Office (Corporate Users), IPSec VPN; Home Office (Unmanaged Desktop); Account Manager (Mobile User), SSL Tunnel VPN; Supply Partner (Extranet), IPSec VPN; Multi-Hop IP

Benefits

1. Extends policy enforcement and compliance to remote access and VPN users

2. Extends enforcement to site-to-site VPN partners

3. Leverages VPN sign-on for single-sign-on

Features

1. Supports IPSec and SSL Tunnel VPNs

2. Supports site-to-site VPNs

3. Supports VPN user sign-on

Page 55

Deploy VPN with Single Sign On (SSO)

1. User logs in using the IPSec or SSL VPN client.

2. VPN server sends a RADIUS Accounting packet to the NAC Server.

3. NAC Server performs SSO for that user based on the Accounting packet.

4. NAC Server can optionally be configured to forward that Accounting packet to another RADIUS server.
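The flow above hinges on step 3: the NAC Server logs a user in purely because an Accounting packet says so, so it must verify that the packet really came from the VPN server before acting on it. The following is an added example, not Cisco's code, showing how a receiver validates the RADIUS Request Authenticator with the shared secret (RFC 2866), extracts User-Name and Framed-IP-Address, and maintains the address-to-user table that SSO needs, dropping the mapping on Accounting-Stop. The shared secret, user name, VPN-assigned address and session id are constructed sample values.

```python
"""Added example (not Cisco's code): verify RADIUS Accounting-Request packets
before using them for VPN single sign-on. Secret, user, address and session id
below are constructed sample values."""
import hashlib
import hmac
import ipaddress
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 2866)
CODE_ACCT_REQUEST = 4
CODE_ACCT_RESPONSE = 5
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_START, ACCT_STOP = 1, 2


def u32(n):
    """Encode an integer attribute value (e.g. Acct-Status-Type) as 4 big-endian bytes."""
    return n.to_bytes(4, "big")


def encode_attrs(attrs):
    """Serialize (type, value-bytes) pairs into RADIUS TLV attributes."""
    out = b""
    for atype, value in attrs:
        if len(value) + 2 > 255:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def build_acct_request(identifier, attrs, secret):
    """Build an Accounting-Request as the VPN server would send it.
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", CODE_ACCT_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body


def parse_attrs(body):
    """Walk the TLV list, rejecting truncated or zero-length entries."""
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed attribute length")
        attrs.append((atype, body[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_acct_request(packet, secret):
    """Return the attributes if the Request Authenticator checks out, else None.
    Without this check, anything that can reach the accounting port could log a user in."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCT_REQUEST or length != len(packet):
        return None
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + body + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return None
    try:
        return parse_attrs(body)
    except ValueError:
        return None


def build_acct_response(request, secret):
    """Accounting-Response: MD5(Code + ID + Length + RequestAuthenticator + Secret)."""
    header = struct.pack("!BBH", CODE_ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def process_accounting(packet, secret, sessions):
    """Apply one accounting packet to the SSO table {framed_ip: user}.
    Returns (outcome, user, ip); outcome is start, stop, ignored or rejected."""
    attrs = verify_acct_request(packet, secret)
    if attrs is None:
        return ("rejected", None, None)
    fields = dict(attrs)
    user = fields.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    ip_raw = fields.get(ATTR_FRAMED_IP_ADDRESS)
    status_raw = fields.get(ATTR_ACCT_STATUS_TYPE)
    if not user or ip_raw is None or len(ip_raw) != 4 or status_raw is None or len(status_raw) != 4:
        return ("ignored", None, None)
    ip = str(ipaddress.IPv4Address(ip_raw))
    status = int.from_bytes(status_raw, "big")
    if status == ACCT_START:
        sessions[ip] = user        # user is now logged in at this VPN address
        return ("start", user, ip)
    if status == ACCT_STOP:
        sessions.pop(ip, None)     # VPN session ended: drop the SSO mapping
        return ("stop", user, ip)
    return ("ignored", None, None)
```

The authenticator is only as strong as the shared secret and the reachability of the accounting port, so the check belongs together with an ACL that limits accounting traffic to the VPN server's address. Forwarding the packet to another RADIUS server (step 4) should happen only after this validation succeeds.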

Page 56

Cisco NAC for Wireless Users

Benefits

1. Enables central deployment mode

2. Extends enforcement to any wireless networks

3. End user devices can be several hops away

4. Leverages 802.1x sign-on for single-sign-on

Features

1. Supports 802.1q trunking

2. Supports thin or thick wireless 802.11 APs

3. Supports Wireless user single-sign-on

Diagram labels: Central Site; Wireless Network, LWAPP Users (LWAPP); Wireless Network, WLSM Guest Users (802.1q, GRE); Campus Building, Wireless Users (802.1q)

Page 57

Wireless with Single Sign On (SSO)

WLC performs Authentication

WLC sends RADIUS Accounting to NAC Server

Page 58

Diagram labels: Core; VLAN 10 – Data, VLAN 11 – Voice, VLAN 16 – Auth; trunks (T) to USVR-1 (Active) and USVR-2 (Standby); VLANs 200 and 300; host addresses .4 and .5

Enforcing Auth Traffic Through CAS: Use of Policy-Based Routing

Diagram labels: "Apply policy route-map" on each distribution switch

1. Common ACL/route-map to be defined independently from the network deployment (Multilayer or Routed Access):

    ip access-list extended NACS-PBR
     deny udp any host <DHCP_IP> eq bootpc
     permit ip 10.1.10.0 0.0.0.255 any
     permit ip 10.1.20.0 0.0.0.255 any
    !
    route-map NACS-PBR permit 10
     match ip address NACS-PBR
     set ip next-hop 10.0.1.10

1. Policy route-map applied to Auth SVIs (Multilayer design) or to the routed interface (Routed Access design)

2. Traffic is always policy routed to the active NAC Server (since it “owns” the VIP 10.0.1.10)

Diagram labels: D1, D2; VLANs 100, 200, 300

Page 59

Virtualization using ACE/CSM

Diagram labels: Core; VLAN 10 – Data, VLAN 11 – Voice, VLAN 16 – Auth; D1, D2; ACE Module in the Data Center; Discovery Host; ACE VIP address 10.10.42.1; CAM

1. ACE uses a single Virtual IP to load balance authentication sessions to the NAC Appliances' Untrusted Interfaces

2. ACE Virtual Server IP servicing the Farm of NAC Appliances in the Data Center is the D/G IP next-hop for all traffic in the Authentication VLAN.

3. Traffic from clients in the Auth VLAN can be directed to the ACE Virtual IP using MPLS VPN, PBRs, VRF Lite, or a Discovery Host (Agent only)

4. Class-map on ACE can control interesting traffic

5. Interface "Health Probes" used on ACE to detect status of NAC servers

Page 60

Physical Topology

Ace module on Cat 6K

L3-OOB: Does not require bi-directional symmetric traffic through NAC servers

Host based traffic rules not applicable

Page 61

Virtualization using ACE/CSM – L3 OOB

1. Traffic on the Auth VLAN is routed to the ACE Virtual IP servicing Untrusted interfaces of NAC Server

2. NAC Server SSL Certificate should be generated using the Untrusted interface IP address (otherwise the NAC Server redirects the user to the Trusted interface)

3. Configure ACLs to deny UDP 8906 packets from the clients to the Untrusted network of the NAC Server on the Access VLAN

Page 62

Remote Site Summary

1. Work out real requirements: the simplest deployment may offer the needed security with easy deployment

2. Deploy a remote NAC Server for easy deployment, full feature set and ease of management

3. Layer 3 OOB for centralized deployments where control of the port is needed

4. For Layer 3 OOB deployments, ACLs are recommended to ease the deployment

Page 63

Collector Modules

NetRelay: Receives NetFlow data directly from switches or other NetFlow data sources

NetInquiry: Active profiling module that attempts to open ports on user defined networks to actively generate traffic for analysis

NetWatch: Passive network traffic analyzer that gleans useful profiling information from network traffic

NetTrap: Receives port link state changes and New MAC notifications from edge devices, useful for profiling and behavior analysis

NetMap: SNMP module that polls edge devices for specific information pertaining to connected devices, port states and other useful data for endpoint profiling and behavior analysis.

Page 64

End Point Discovery

1. Gathers information about the endpoints associated with that NAC Server.

2. Information gathered includes data from SNMP, Network Traffic Analysis, and/or Active Profiling.

3. Distributed Collector model ensures that only pertinent traffic is forwarded to NAC Profiler Server (NPS).

Page 65

Use Collected data to match profile

Page 66

Action When Profile Matches

Page 67

Login to NAC manager to confirm action

Page 68

Device added to NAC Manager Filter List

Page 69

View Profiled data from NAC Manager

Page 70

Detailed View from within NAC Manager

Page 71

Behavior Monitoring

What happens when a PC tries to spoof the MAC address of the Printer?

Behavior monitoring recognizes that this device is no longer behaving as a printer, so the device is removed from the "Printer" role on NAC Manager
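The point of the slide is that a spoofed MAC address looks identical to the printer's in every MAC-derived attribute (the OUI included), so only the endpoint's observed behavior can reveal that the role no longer fits. The block below is an added example, not NAC Profiler code, of the kind of check such a monitor performs: it compares what an endpoint serves and what it initiates against a role profile and drops the role when the behavior diverges. The role profile, MAC addresses and flow records are constructed sample data.

```python
"""Added example (not NAC Profiler code): re-check whether an endpoint still
behaves like the role it was profiled into. MACs and flows are constructed."""

# Role profile: ports a device in the role is expected to serve, and the only
# destination ports it is expected to open connections to on its own.
PROFILES = {
    "Printer": {
        "serves": {9100, 515, 631},            # raw JetDirect, LPD, IPP
        "may_connect_to": {53, 67, 123, 514},  # DNS, DHCP, NTP, syslog
    },
}

PRINTER_MAC = "00:11:22:33:44:55"   # constructed

# Constructed flow records as a collector might summarize them:
# (src_mac, dst_mac, proto, dst_port)
BASELINE_FLOWS = [
    ("aa:bb:cc:00:00:01", PRINTER_MAC, "tcp", 9100),   # workstation sends a print job
    ("aa:bb:cc:00:00:02", PRINTER_MAC, "tcp", 631),    # IPP print job
    (PRINTER_MAC, "aa:bb:cc:00:00:10", "udp", 53),     # printer resolves a name
]

# Same MAC, but a PC is now using it: it initiates SMB, RDP and HTTPS connections
SPOOFED_FLOWS = BASELINE_FLOWS + [
    (PRINTER_MAC, "aa:bb:cc:00:00:20", "tcp", 445),
    (PRINTER_MAC, "aa:bb:cc:00:00:21", "tcp", 3389),
    (PRINTER_MAC, "aa:bb:cc:00:00:22", "tcp", 443),
]


def observed(flows, mac):
    """Split what the endpoint served (inbound ports) from what it initiated (outbound ports)."""
    served, initiated = set(), set()
    for src, dst, _proto, dport in flows:
        if dst == mac:
            served.add(dport)
        if src == mac:
            initiated.add(dport)
    return served, initiated


def role_mismatch(profile, flows, mac):
    """Return the reasons the endpoint no longer fits the profile (empty list = still fits).
    The MAC itself is unchanged under spoofing, so only behavior can reveal the change."""
    served, initiated = observed(flows, mac)
    reasons = []
    unexpected = initiated - profile["may_connect_to"]
    if unexpected:
        reasons.append(f"initiated connections to unexpected ports {sorted(unexpected)}")
    if served and not (served & profile["serves"]):
        reasons.append("no longer serves any of the role's expected ports")
    return reasons


def reevaluate_roles(assignments, flows):
    """Apply behavior monitoring to the role table {mac: role}.
    Returns (kept, removed) where removed maps each dropped MAC to its reasons."""
    kept, removed = {}, {}
    for mac, role in assignments.items():
        reasons = role_mismatch(PROFILES[role], flows, mac)
        if reasons:
            removed[mac] = reasons
        else:
            kept[mac] = role
    return kept, removed
```

Running `reevaluate_roles({PRINTER_MAC: "Printer"}, SPOOFED_FLOWS)` drops the MAC from the Printer role with the ports it initiated as the reason, which is the information an operator wants alongside the removal when reviewing the event in NAC Manager.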

Page 72

Cisco NAC Profiler Components

NAC Profiler Server: Aggregates and classifies data from Collectors and manages the database of endpoint information. Updates the Cisco NAC Manager (CAM) list to place endpoints into appropriate access Roles.

Sold as a new 3350 appliance.

Collector: NAC Collector gathers information about endpoints using SNMP, NetFlow, DHCP, and active profiling.

Sold as a license; the module is co-resident with the NAC Server (CAS) running 4.1.2 and above.

Page 73

Behavior Monitoring

The following device was removed from the list by the NAC Profiler Server.

Page 74

Sponsor Portal: Overview

Page 75

Sponsor Interface Customization

Change the entire interface

Page 76

Corporate Logo Customization

Rebrand with your corporate logo

Page 77

Audit and Reports

Sponsor Information

Guest Information

Account Information

Page 78

Report Details