Category Archives: Networking

HP IMC with UAM and EAD Modules

HP has solutions comparable to Cisco ISE; however, they are integrated into HP's overall network management system, IMC. Unfortunately for Cisco, their management systems have always been developed piecemeal and do not integrate into an overall management framework. IMC is a comprehensive element manager for network components covering all of the FCAPS domains. It can be implemented hierarchically to support over 20'000 nodes. I thought that the following demo was an easy way to get an overview of the product and what it can do: http://h17007.www1.hp.com/us/en/demos/hpnw001.aspx

The two components which provide the dot1x and NAC services are User Access Manager (UAM) and Endpoint Admission Defense (EAD). Each can be purchased as a module that is an add-on to the base IMC platform. Unfortunately, it is very difficult to understand all of the features available, since the documentation consists only of some scripted screenshot videos, and many of the options and features are omitted. It is also not possible to work out which alternative scenarios, beyond those presented in the videos, are supported.

UAM is an AAA/RADIUS server which provides the dot1x authentication using a variety of methods. It supports integration with AD, supports machine certificates for TLS authentication, etc. From what I can see it seems to be a fairly complete package.

EAD manages the posture of the client, based on the iNODE NAC client. EAD and iNODE also manage the remediation. Access to the productive and remediation networks is controlled using dynamic access lists.

The iNODE intelligent client is the HP 802.1x / NAC supplicant which works together with UAM and EAD to perform the dot1x authentication and determine the posture of a client before it gets access to the network. There is no specific documentation about using the Windows 7 dot1x supplicant for authentication, nor is there any information about integration with the NAP architecture for posture checking. Both would be needed if you didn't want to install the iNODE client.

Cisco ISE Group Policies and Profiling

Cisco recently released the ISE (Identity Services Engine, middle of 2010), and a number of interesting features have become available which would increase the security posture of a network. The ISE is the next generation of the Cisco ACS. The ISE can be implemented as an appliance or as a VM. See http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_overview.html for more information.

Two of the features, group tags/policies and endpoint profiling, are discussed here. Other interesting features include the in-line posture checking (placed behind WLCs and RAS VPN gateways) and the guest access service. Posture assessment is still performed using a NAC agent installed on the client (Windows or Mac).

The new group policy feature allows for what looks like a simple method of filtering traffic at the edge of the network (the LAN switch port). So, in addition to implementing a firewall at the edge of a security zone (between trusted and untrusted networks), you can filter within the trusted network to allow groups of users access to specific servers. The ISE can also profile devices on the network. Profiling would primarily be used when open access to the network is in place and you are unsure of what is connecting to your network. However, where you already have an 802.1x implementation and want to monitor your network to get a better understanding of what types of end devices are installed, using the profiler functionality may also make sense.

Security Group Policies:

In addition to basic VLAN assignment, the switch port can be configured to support group policies. Once a user authenticates to the network using 802.1x (any method, similar to ACS), the ISE can download policies to the switches which determine what kind of access the device has to the network. In this case, the user would be assigned to the appropriate VLAN and then a security group tag would be applied. The Security Group Tag (SGT) is a 16-bit single label indicating the classification of a source in the SGA domain, appended to an Ethernet frame or IP packet. By inserting the group tag at the network ingress, the user's packets can be filtered at any egress point, allowing for dynamic access control to resources. Different tags can be assigned to users in the same VLAN, which allows for a simplified topology but granular access control. Tags can be assigned statically based on IP address directly on the switch, or via the ISE for central management. The ISE would assign the tags based on a successful 802.1x or MAB authentication.
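To make the ingress-tag / egress-filter split concrete, here is a small Python model of the idea (an added example, not Cisco code and not the ISE policy format): a tag is assigned at ingress from the authentication result or a static IP mapping, carried in a 16-bit field, and a (source tag, destination tag) matrix is consulted at egress. The tag numbers, user names and subnets are constructed for the example.

```python
"""Toy model of SGT-style tagging at ingress and filtering at egress.
Added example; not Cisco's implementation. All tag values, users and
subnets below are constructed for illustration."""
import ipaddress

# Constructed 16-bit tag values (a deployment chooses its own numbers).
SGT_UNKNOWN = 0        # unauthenticated / unclassified source
SGT_EMPLOYEE = 10
SGT_CONTRACTOR = 20
SGT_HR_SERVER = 100
SGT_WEB_SERVER = 200

# Ingress classification sources: a successful 802.1x/MAB result
# (user -> tag, as the ISE would return it) and a static IP-to-tag
# mapping (as configured directly on a switch for servers).
AUTH_RESULT = {"alice": SGT_EMPLOYEE, "bob": SGT_CONTRACTOR}
STATIC_IP_TAGS = {
    ipaddress.ip_network("10.1.1.0/24"): SGT_HR_SERVER,
    ipaddress.ip_network("10.1.2.0/24"): SGT_WEB_SERVER,
}

# Egress policy matrix keyed by (source tag, destination tag).
# Anything not listed is denied, so an unknown source (tag 0) never matches.
POLICY = {
    (SGT_EMPLOYEE, SGT_HR_SERVER),
    (SGT_EMPLOYEE, SGT_WEB_SERVER),
    (SGT_CONTRACTOR, SGT_WEB_SERVER),
}

def classify_user(username: str) -> int:
    """Tag chosen at ingress after authentication; unknown users get 0."""
    return AUTH_RESULT.get(username, SGT_UNKNOWN)

def classify_ip(addr: str) -> int:
    """Static IP-to-tag lookup used for destinations (servers)."""
    ip = ipaddress.ip_address(addr)
    return next((t for net, t in STATIC_IP_TAGS.items() if ip in net), SGT_UNKNOWN)

def tag_frame(payload: bytes, sgt: int) -> bytes:
    """Prepend the 16-bit tag to the frame payload (big-endian)."""
    if not 0 <= sgt < 2 ** 16:
        raise ValueError("SGT must fit in 16 bits")
    return sgt.to_bytes(2, "big") + payload

def egress_permit(frame: bytes, dst_ip: str) -> bool:
    """Egress decision uses only the carried tag and the destination's tag,
    so two users in the same VLAN can get different access."""
    src_sgt = int.from_bytes(frame[:2], "big")
    return (src_sgt, classify_ip(dst_ip)) in POLICY
```

Note that the VLAN never appears in `egress_permit`: alice and bob can share a VLAN and still reach different servers.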

The following document was used as a reference. It describes the configuration of a TrustSec environment. It is based on ACE but I am assuming that the ISE could also be used.

http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/guide_c07-608226.pdf

Device Profiling:

Profiles can be generated from a variety of sources, including NetFlow, DHCP requests, DNS requests, SNMP traps, SNMP queries, etc. The switches just need to be configured to send the information to the ISE, where the profiles will be matched and the database will be populated. From this database you can generate reports. It is not very clear whether you can define actions based on these profiles (e.g. block) or whether it is just a source of information.

IPv6 Migration Resources

In looking into ways to deploy NAT64/DNS64 on the network, I ran into a couple of interesting products which would make either a home migration to IPv6 or an Enterprise migration to IPv6 easier.

The first product is the D-Link DIR-825 wireless LAN router for home users. The router is IPv6 Ready and supports 6to4 and 6in4 tunneling. This router would allow someone at home to run dual stack on their home network and connect to hosts on either the IPv4 Internet or the IPv6 Internet automatically. Retail price at Digitec is CHF 113.00.

The second product is the F5 BIG-IP load balancer. This product has an IPv6 Gateway function which supports NAT64/DNS64 to help with client and server migrations within an enterprise. Since this product is in use as the standard load balancer at my current employer, this could be a viable path to move customers to IPv6. I found an interesting white paper on their migration scenario: Controlling your Migration to IPv6.

Finally, I have been reading up on the Vyatta network operating system. It would seem that a lot of companies are interested in using this OS in their products to provide base tunneling, routing and security capabilities without having to develop them themselves. Citrix is using this software as the basis for their NetScaler CloudBridge solution, and Riverbed is using it to add routing and firewalling capabilities to their Steelhead appliances. Since Vyatta has an open source version which runs on VMware Player, I think I will give it a try and see how it works. It should provide full routing functionality and firewalling, and its latest version (6.1) is IPv6 certified and may even support NAT64. If that is the case, then I can give that a try as well.