Archive for the ‘nac’ tag
Keeping The Network Clean
In today’s environment of mobile computing and the increasing integration of consumer electronics with the corporate network, it has become a necessity to plan accordingly in order to mitigate the risk this presents.
Whether it be an iPhone or guest laptop connecting via wireless or using an unused network port, brings new challenges to network administrators who need, not only be aware of what is on their network but also prevent an un-managed device from infecting other devices on the network.
The situation grows in complexity in higher education where the inherent open network environment becomes a juggling act balancing network security and open access. Students do not patch and fail to run current anti-virus.
Network Access Control, which is more commonly referred to by the acronym NAC, is the most hyped term in networking today. It’s also one of the least understood.
Network Access Control (NAC) is a computer networking solution that uses a set of protocols to define & implement a policy that describes how to secure access to a network nodes by devices when they initially attempt to access the network[citation needed]. NAC might integrate the automatic remediation process (fixing non-compliant nodes before allowing access) into the network systems, allowing the network infrastructure such as routers, switches and firewalls to work together with back office servers and end user computing equipment to ensure the information system is operating securely before interoperability is allowed.
The idea behind Network Access Control (NAC) is to implement a set of pre-admission rules and post-admission controls over where users can go and what they can do. Kind of like an in-versed firewall framework on steroids.
What’s important to understand is the Network Access Control (NAC) is not a device or appliance that is dropped in on the network, but rather a structure that needs to be deployed throughout the enterprise network.
The goals that Network Access Control aims to address can be distilled into three categories.
- Identity Management – Which includes device registration, authentication and role based access.
- Endpoint Compliance – The ability to prevent devices that lack anti-virus, patches or host prevention software from accessing the corporate network to prevent putting other computers at risk.
- Policy Enforcement – Provides the ability to enforce company-specific policies in either block, notify or report mode and integration with other solutions to identify and disable unauthorized activities.
Different vendors take different approaches in order to accomplish these goals, were policies are enforced on a pre-admission vs. a post-admission basis, software clients are installed on the users computer vs. scanning those computers in an effort to gather information to automate decision making at the time the policy is enforced, and finally out-of-band vs. in-line solutions.
In 2005 I started experimenting with Network Access Control technology and came across an open-source solution called NetReg.
NetReg is an in-line, pre-admission, client-less Network Access Control solutions. The system sits between the users and the network. Identity management is accomplished by authenticating the user through a website against an LDAP server and storing in a database the username, the IP address assigned and the devices MAC address.
Endpoint compliance is achieved by 2 dynamic DHCP address pools; one for unregistered (unknown hosts) with non-routable IP addresses (network/Internet blocked) and the second for registered (known hosts) with routable IP addresses (network/Internet accessible). A bogus DNS server prevents users from accessing anything but certain websites where a user can download anti-virus and patches for remediation purposes.
Nessus vulnerability scanning software periodically scans devices to determine if these should be quarantined until they have met the established acceptable use policy. If a computer in the unregistered network is found to be non-compliant, it is notified and only when appropriate action has been taken will the computer be assigned a valid routable IP address. If the computer has already been assigned a valid IP address then it is blocked.
Some of the shortfalls of this approach were the inability to determine which patches were missing and firewalled clients are not checked.
Netreg which was originally developed by Southwestern University at Georgetown branched out into several versions and currently the only one being maintained is by Carnegie Mellon here.
Finally is important to note that there is no silver bullet when it comes to security and there are always ways to get around a system. A thought that came to mind was how these products deal with printers, VoIP phones, gaming consoles, etc, when it comes to registration and how by changing one’s MAC address to mimic a VoIP phone or printer vendor would bypass the authentication.
In researching when writing this blog, I came across another open source solutions started in 2007 called PacketFence which I will take a closer look at.
Major Commercial Solutions:
Open Source Solutions:
Sources:
Wikipedia
Gartner Market Scope for NAC 2008
Educause 2008
This years Educause conference took place in Orlando, Florida.
Educause is a nonprofit association whose mission is to advance higher education by promoting the intelligent use of information technology. Membership is open to institutions of higher education, corporations serving the higher education information technology market, and other related associations and organizations.
The association provides a social networking Connect site that supports blogs, wikis, podcasts and other platforms for IT professionals to generate and find content and to engage their peers; professional development opportunities; print and electronic publications, including e-books, monographs, and the magazines Educause Quarterly (EQ) and Educause Review[1]; strategic policy advocacy; teaching and learning initiatives; applied research; special interest discussion groups; awards for leadership and transformative uses of information technology; and a Resource Center for IT professionals in higher education.
Major initiatives of Educause include the Core Data Service, the Educause Center for Applied Research (ECAR), the Educause Learning Initiative (ELI), Net@EDU (advanced networking), the Educause Policy Program, and the Educause/Internet2 Computer and Network Security Task Force. In addition, Educause manages the .edu Internet domain under a contract with the U.S. Department of Commerce.[1]
The current membership of Educause comprises more than 2,000 colleges, universities, and educational organizations, including 200 corporations, with 16,500 active members.
Below are pictures from the conference:
My schedule at the conference:
Tuesday, October 28, 2008
- Full Day Seminar – Cloud Computing Made Simple and Affordable: Using the Virtual Computing Lab (VCL) to Provide an Effective, Powerful, and Economical Rich Services Environment
Wednesday, October 29, 2008
- Discussion Session : Cloud Computing
- Emerging Technologies : Crafting a Campus Identity: First-Year Students, Residential Life, and Social Networking
- Discussion Session : Business Continuity Management
- Leadership and Management : Top-Ten “Gotchas” for the New CIO
- Networking and Infrastructure : High Availability and Server Consolidation with Virtualization
- Discussion Session : Policy and Law
Thursday, October 30, 2008
- Leadership and Management : IT Matters, but Information Resources Matter More
- Emerging Technologies : Developing Low-Cost Applications Using Offshore Companies
- Discussion Session : Network Management
- Enterprise Systems : CRM Adventures: Three Perspectives
- Networking and Infrastructure : Structuring Authentication Across the Campus Community
- Lightning Round Session : Security and Privacy Lightning Round
- Teaching and Learning : Are You Ready? A Systematic Approach to Training New Help Desk Staff
- Enterprise Systems : SOA Built on Open Source Web Service Technologies
- Networking and Infrastructure : Deployment of a Virtualized Server Grid
- Security and Privacy : Network Admission Control: A Survey of Approaches
Friday, October 31, 2008
- Enterprise Systems : IT Disaster Recovery Within the Framework of Business Continuity Planning
- Leadership and Management : Deploying an Open Source, Online Evaluation System: Multiple Experiences
Overall I thought it was an excellent conference, there weren’t as many people this year as previous ones.
The exhibit hall was fun as always. Some exhibits were great and others sucked which brings up another subject. Marketing.
There were two exhibits that stood out amongst the crowd. The first one from Bradford Networks and the other from Trapeze Networks. These guys not only gathered leads, but engaged their prospective customers allowing them to deliver their sales pitch. Two companies that I will definitely be following up with.
Other companies that did well on their marketing pitch were Turning Technologies, Novell, CDW, Zimbra, Elluminate, and Microsoft. Although the only thing Microsoft had going for itself was as great demo on a smart-board of Image Composite Editor.
Microsoft Image Composite Editor is an advanced panoramic image stitcher. The application takes a set of overlapping photographs of a scene shot from a single camera location and creates a high-resolution panorama incorporating all the source images at full resolution. The stitched panorama can be saved in a wide variety of formats, from common formats like JPEG and TIFF to multi-resolution tiled formats like HD View and Silverlight Deep Zoom.
The things that characterized the good exhibits can be summarized in a few words. They were accessible, had an inviting environment, gave away free stuff (like free iTouch and laptops every hour) and had either professionals or very seasoned sales people giving the presentations.
On the other side of the coin, were the very big and expensive exhibits which just didn’t deliver.
Some that deserve mention are AT&T which has a very expensive three environment exhibit representing campus life and U-Verse all over the place. Alcatel-Lucent had a not very inviting exhibit and their staff sat down most of the time. Citrix was just offering a $5 Starbucks card for filling out a survey. Cognos had a closed exhibit that wasn’t inviting to anyone.
Its not that these companies were cheap, which they were; but they are spending a lot of money for lead generation when they could also be qualifying the leads and delivering their product demos to a captive audience.
