Tag Archives: NAC

Juniper and a general NAC architecture

As the final NAC vendor, I decided to look at Juniper.  At the end of 2011 Gartner posted their new magic quadrant report for NAC, which Juniper (who of course is in the Leaders quadrant) kindly published for the general public (go to www.juniper.net if you would like a copy).  Surprisingly, Cisco was also up in the Leaders quadrant.  Curiously, HP was not included in the report even though they seem to have a fairly well rounded solution.  What I found most interesting about the report is the point that BYOD will be a driving force which may actually bring this wave of NAC products into the mainstream, something which to date has not yet happened.

In looking at the Juniper model, and comparing it to the other two, it would seem that they have all converged on the same general architecture, even if the underlying protocols or implementations are different.  The architecture is illustrated in the following diagram:

NAC Architecture

The central control system from Juniper is the IC series Unified Access Control appliances.  These devices interact with layer 2 switches and AD to provide the dot1x authentication, and with Juniper security devices (SSL VPN, firewalls) to provide the egress enforcement of the policies.  From the literature, however, it looks like the system is not as dynamic as the ISE from Cisco.  Policies are dynamically loaded onto the firewalls for egress filtering, but the policy is statically configured with the user's IP address.  So even if it is loaded dynamically, it needs to be set up in advance.  Cisco applies the SGTs to the packets, which decouples the policy from the IP address, which is great.

Juniper does seem to support multiple NAC clients, including Microsoft statements of health.  The Junos Pulse client is available for Windows, with some other dynamic clients available for Linux and Macs.  There is a Pulse client for mobile devices (iOS, Android) but unfortunately this client does not support NAC for internal access.  It is however an interesting product for mobile device management and remote access VPN to an enterprise's network.  The MDM solution is a SaaS service provided by Juniper.

For a single management console, Juniper has their NSM (Network and Security Manager).  This console allows the admin to manage the IC appliances from the same central location where switches and other devices are managed.

HP IMC with UAM and EAD Modules

HP has solutions comparable to the Cisco ISE solution; however, these solutions are integrated into their overall network management system, IMC.  Unfortunately for Cisco, their management systems have always been developed ad hoc and do not integrate into an overall management framework.  IMC is a comprehensive element manager for network components covering all of the FCAPS domains.  It can be hierarchically implemented to support over 20'000 nodes.  I thought that the following demo was an easy way to get an overview of the product and what it can do:  http://h17007.www1.hp.com/us/en/demos/hpnw001.aspx

The two components which provide the dot1x and NAC services are User Access Manager (UAM) and Endpoint Admission Defense (EAD).  Each is purchased as an add-on module to the base IMC platform.  Unfortunately, it is very difficult to understand all of the features available, since the documentation is only available as some scripted screen shot videos and many of the options and features are omitted.  It is also not possible to work out what alternative scenarios, other than the ones presented in these videos, are supported.

UAM is an AAA/RADIUS server which provides the dot1x authentication using a variety of methods.  It supports integration with AD, supports machine certificates for TLS authentication, etc.  From what I can see it seems to be a fairly complete package.

EAD manages the posture of the client, based on the iNODE NAC client.  EAD and iNODE also manage the remediation.  Access to the productive and remediation networks is controlled using dynamic access lists.

The iNODE intelligent client is the HP 802.1x / NAC supplicant which works together with UAM and EAD to perform the dot1x authentication and determine the posture of a client before it gets access to the network.  There is no specific documentation about using the Windows 7 dot1x supplicant for authentication, nor is there any information about integration with the NAP architecture for posture checking.  Both would be needed if you didn't want to install the iNODE client.

Cisco ISE Group Policies and Profiling

Cisco recently released the ISE (Identity Services Engine, middle of 2010), and a number of interesting features have become available which would increase the security posture of a network.  The ISE is the next generation of the Cisco ACS.  The ISE can be implemented as an appliance or as a VM.  See http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_overview.html for more information.

Two of the features, group tags/policies and endpoint profiling, are discussed here.  Other interesting features include the in-line posture checking (placed behind WLCs and RAS VPN gateways) and the guest access service.  Posture assessment is still performed using a NAC agent installed on the client (Windows or Mac).

The new group policy feature allows for what looks like a simple method of filtering traffic at the edge of the network (LAN switch port).  So, in addition to implementing a firewall at the edge of a security zone (between trusted and untrusted networks), you can filter within the trusted network to allow groups of users access to specific servers.  The ISE can also profile devices on the network.  Profiling would primarily be used when open access to the network is in place and you are unsure of what is connecting to your network.  However, in some instances, where you have an 802.1x implementation and want to monitor your network to get a better understanding of what types of end devices are installed, using the profiler functionality may make sense.

Security Group Policies:

In addition to basic VLAN assignment, the switch port can be configured to support group policies.  Once a user authenticates to the network using 802.1x (any method, similar to ACS), the ISE can then download policies to the switches which determine what kind of access the devices would have to the network.  In this case, the user would be assigned to the appropriate VLAN and then a security group tag would be applied.  The Security Group Tag (SGT) is a 16-bit single label indicating the classification of a source in the SGA domain, appended to an Ethernet frame or IP packet.  By inserting the group tag at the network ingress, the user's packets can be filtered at any egress point, allowing for dynamic access control to resources.  Tags can be assigned to different users in the same VLAN, which allows for a simplified topology but granular access control.  Tags can be assigned statically based on IP address directly on the switch, or via the ISE for central management.  The ISE would assign the tags based on a successful 802.1x or MAB authentication.
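To make the ingress-tagging / egress-filtering idea concrete, here is an added simulation (my own constructed example, not Cisco code or the ISE's behaviour): the identity-to-tag mapping, the server tag assignments and the policy matrix are all assumed values, and it shows why two users in the same VLAN and subnet get different access, and why re-addressing a host does not change the decision.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed tag values and group names; a real deployment defines its own.
SGT_EMPLOYEE, SGT_CONTRACTOR, SGT_HR_SERVERS, SGT_WEB_SERVERS = 10, 20, 100, 200

# Ingress: identity -> SGT, as returned after a successful 802.1x (assumed mapping).
IDENTITY_TO_SGT: Dict[str, int] = {"alice": SGT_EMPLOYEE, "bob": SGT_CONTRACTOR}

# Egress: servers get their tag statically by IP on the enforcement device.
SERVER_IP_TO_SGT: Dict[str, int] = {"10.9.9.5": SGT_HR_SERVERS, "10.9.9.80": SGT_WEB_SERVERS}

# Policy matrix keyed by (source SGT, destination SGT); anything missing is denied.
SGACL: Dict[Tuple[int, int], bool] = {
    (SGT_EMPLOYEE, SGT_HR_SERVERS): True,
    (SGT_EMPLOYEE, SGT_WEB_SERVERS): True,
    (SGT_CONTRACTOR, SGT_WEB_SERVERS): True,
}

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    sgt: int  # 16-bit classification stamped by the ingress switch

def tag_at_ingress(identity: str, src_ip: str, dst_ip: str) -> Packet:
    """Ingress switch: the authenticated identity decides the tag, not the address."""
    sgt = IDENTITY_TO_SGT[identity]
    if not 0 <= sgt <= 0xFFFF:  # the label is a single 16-bit field
        raise ValueError("SGT out of range")
    return Packet(src_ip, dst_ip, sgt)

def enforce_at_egress(pkt: Packet) -> bool:
    """Egress point: permit only if the (src SGT, dst SGT) pair is in the matrix."""
    dst_sgt = SERVER_IP_TO_SGT.get(pkt.dst_ip)
    if dst_sgt is None:
        return False  # unknown destination classification: default deny
    return SGACL.get((pkt.sgt, dst_sgt), False)

def demo() -> Tuple[bool, bool, bool]:
    # alice and bob sit in the same VLAN and subnet; only their tags differ.
    alice_hr = enforce_at_egress(tag_at_ingress("alice", "10.1.1.10", "10.9.9.5"))
    bob_hr = enforce_at_egress(tag_at_ingress("bob", "10.1.1.11", "10.9.9.5"))
    # alice gets a new address (e.g. a new DHCP lease); the decision does not change.
    alice_moved = enforce_at_egress(tag_at_ingress("alice", "10.1.1.77", "10.9.9.5"))
    return alice_hr, bob_hr, alice_moved
```

Contrast this with the IP-bound policy described for the Juniper setup above: there the enforcement entry would have to be rewritten each time the user's address changed.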

The following document was used as a reference.  It describes the configuration of a TrustSec environment.  It is based on ACS, but I am assuming that the ISE could also be used.

http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/guide_c07-608226.pdf

Device Profiling:

Profiles can be generated from a variety of sources, including NetFlow, DHCP requests, DNS requests, SNMP traps, SNMP queries, etc.  The switches just need to be configured to send the information to the ISE, where the profiles will be matched and the database will be populated.  From this database you can generate reports.  It is not very clear whether you can define actions based on these profiles (e.g. block) or if it is just a source of information.