Overview Opennac Org Eng v9


Xavier Gonzez

[email protected]
Oct 2013
Network access control and
management solution
@opennac
2
11/12/13 @opennac
Summary

- Current situation
- What is openNAC?
- What can openNAC do?
- openNAC architecture
- openNAC components
- openNAC services
- Contact us
openNAC solution

- 2 year+ of active development
- Open source Network Access Control solution
- Enterprise support services available
- CentOS based
Current situation

- Corporate network access management is poorly controlled
- Mobile workers: users become more mobile
- More types of different devices, such as smartphones, tablets, ...
- These scenarios generate security and availability problems due to uncontrolled LAN access
- The security of the workstations is constantly threatened by new vulnerabilities
- Security, network management and monitoring tools are expensive and poorly integrated
What is openNAC?

- Network Access Control for corporate LAN / WAN environments
- Enables policy-based authentication, authorization and audit of all network access
- Multivendor solution
- Based on open source components and in-house development
- Based on industry standards such as FreeRadius, 802.1x, LDAP, ...
- Extensible: new features can be incorporated
- Easily integrated with existing systems
- Provides value-added services such as network configuration management, configuration backups, network discovery and network monitoring
What can openNAC do?

- Corporate network access based on a set of rules (access policy)
- Notifications or quarantine for users regardless of the client device (via browser)
- Access accounting and audit
- Real-time monitoring of users, allowing you to instantly locate a user's IP, MAC, switch, port and physical location
- Value-added services such as monitoring, discovery and configuration of the network infrastructure
Features

- Authentication of 802.1x-enabled devices
- Authentication backend based on LDAP or AD
- Support to detect rogue devices using 802.1x or SNMP traps
- Bulk configuration of network devices using the onNetConf module
- Bulk backup of network device configurations using the onNetBackup module
- Detection of OS, antivirus, firewall and OS updates of connected devices to enforce an access policy
onNAC Architecture

[Figure: architecture diagram showing the components Access Requestor (AR), Policy Enforcement Point (PEP), Policy Decision Point (PDP), Metadata Access Point (MAP) and External Sensors around onNAC]
onNAC Architecture - Access Requestor (AR)

- Set of client devices such as PCs, smartphones, tablets, printers, others
- Different types of OS such as Windows, Linux, MacOS, iOS, Android, etc.
- Wired LAN, WiFi, VPN
onNAC Architecture - Policy Enforcement Point (PEP)

- Network access for all devices that connect to the network (edge network)
- Composed of wired LAN and Wi-Fi equipment (access points)
- Multivendor
onNAC Architecture - Policy Decision Point (PDP)

- Service that allows the system to take policy decisions that apply to each type of access, based on identity, device, location, time, ...
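The kind of rule-based decision this slide describes, combined with the endpoint posture checks listed on the Features slide (OS, antivirus, firewall and OS updates), as an added Python illustration that is not openNAC code: the rule set, VLAN numbers, group names, posture keys and the inventory extract are constructed assumptions, and the request attributes stand for what the PEP and the endpoint agent or portal would report to the PDP.

```python
"""Toy Policy Decision Point: first matching rule decides, default deny.

Added illustration, not openNAC's policy engine. Rules, VLAN ids, group names,
posture keys and the inventory extract below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, List, Optional, Tuple

# Constructed CMDB extract: MAC -> device type known to the inventory
INVENTORY = {
    "00:11:22:33:44:55": "pc",
    "00:11:22:33:44:66": "printer",
}

CORPORATE_VLAN, GUEST_VLAN, PRINTER_VLAN, QUARANTINE_VLAN = 100, 200, 300, 999

# Posture items the endpoint agent / captive portal reports (hypothetical keys)
REQUIRED_POSTURE = ("antivirus", "firewall", "os_updates")


@dataclass(frozen=True)
class AccessRequest:
    user: Optional[str]            # None when the device did no 802.1X (MAC-only access)
    groups: frozenset              # groups from the identity backend (LDAP/AD)
    mac: str
    location: str                  # site of the PEP (switch / access point)
    when: time                     # local time of the access attempt
    posture: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    action: str                    # "allow", "quarantine" or "deny"
    vlan: Optional[int]
    reason: str


def missing_posture(req: AccessRequest) -> List[str]:
    """Posture items not reported as healthy; an absent report counts as failed."""
    return [k for k in REQUIRED_POSTURE if not req.posture.get(k, False)]


def office_hours(t: time) -> bool:
    return time(7, 0) <= t <= time(20, 0)


Rule = Tuple[str, Callable[[AccessRequest], bool], Callable[[AccessRequest], Decision]]

# Ordered rule set: (name, match predicate, outcome). First match wins.
RULES: List[Rule] = [
    ("inventoried printer without identity",
     lambda r: r.user is None and INVENTORY.get(r.mac) == "printer",
     lambda r: Decision("allow", PRINTER_VLAN, "known printer")),
    ("no identity",
     lambda r: r.user is None,
     lambda r: Decision("deny", None, f"no 802.1X identity and {r.mac} is not an inventoried printer")),
    ("guest outside office hours",
     lambda r: "guests" in r.groups and not office_hours(r.when),
     lambda r: Decision("deny", None, "guest access is limited to office hours")),
    ("guest",
     lambda r: "guests" in r.groups,
     lambda r: Decision("allow", GUEST_VLAN, "guest network")),
    ("employee failing posture",
     lambda r: "employees" in r.groups and bool(missing_posture(r)),
     lambda r: Decision("quarantine", QUARANTINE_VLAN,
                        "remediate: " + ", ".join(missing_posture(r)))),
    ("employee at a corporate site",
     lambda r: "employees" in r.groups and r.location.startswith("site-"),
     lambda r: Decision("allow", CORPORATE_VLAN, "corporate network")),
]


def decide(req: AccessRequest) -> Decision:
    """Evaluate the ordered rules; anything unmatched is denied (default deny)."""
    for name, matches, outcome in RULES:
        if matches(req):
            d = outcome(req)
            return Decision(d.action, d.vlan, f"{name}: {d.reason}")
    return Decision("deny", None, "no rule matched (default deny)")


def sample_requests() -> dict:
    """Constructed access attempts covering the main decision paths."""
    healthy = {k: True for k in REQUIRED_POSTURE}
    return {
        "employee_ok": AccessRequest("alice", frozenset({"employees"}), "00:11:22:33:44:55",
                                     "site-hq", time(10, 0), healthy),
        "employee_no_av": AccessRequest("bob", frozenset({"employees"}), "00:11:22:33:44:77",
                                        "site-hq", time(10, 0), {**healthy, "antivirus": False}),
        "guest_late": AccessRequest("visitor", frozenset({"guests"}), "aa:bb:cc:dd:ee:01",
                                    "site-hq", time(23, 0)),
        "printer": AccessRequest(None, frozenset(), "00:11:22:33:44:66", "site-hq", time(3, 0)),
        "unknown_mac": AccessRequest(None, frozenset(), "de:ad:be:ef:00:01", "site-hq", time(3, 0)),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        d = decide(req)
        print(f"{name:15} -> {d.action:10} vlan={d.vlan}  ({d.reason})")
```

Two design points worth noting: the rule order encodes policy (a guest outside office hours is denied before the general guest rule can allow it), and a device that reports no posture at all is treated as failing, so a silent endpoint lands in quarantine rather than on the corporate VLAN.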
onNAC Architecture - Metadata Access Point (MAP)

- Service that stores all data relating to incoming events
- All information is related to each other in order to maximize its utility
- Real-time access to the information
onNAC Architecture - External Sensors

- Services such as IDS sensors or firewalls that can both provide new information to the platform and consult onNAC information to make better decisions
openNAC components
Modular architecture

- All information is stored in a CMDB
- Queue-based, allowing for greater scalability and traceability
- Very flexible identity backend: LDAP, databases, etc.
- Based on REST APIs
- Web frontend based on DOJO
- Scriptable command line
onNAC Component
onNAC description

- It is the main module of the product, with the Authentication, Authorization and Audit services
- Enables 802.1X authentication or captive web portal for all devices
- All security policy is defined and applied in this module
- Rogue device detection
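Rogue device detection, as listed here and on the Features slide (using 802.1x or SNMP traps), illustrated with an added Python example that is not openNAC code: it reads linkUp trap records, normalises the MAC notation and checks each one against a CMDB extract. The one-record-per-line trap format, the sample records and the inventory are constructed assumptions; a real trap receiver's output would have to be normalised into that form first.

```python
"""Rogue-device detection from SNMP linkUp trap records checked against the CMDB.

Added illustration, not openNAC code. The trap lines use a constructed
one-record-per-line format, and the inventory extract is constructed as well.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed CMDB extract: MAC -> (device name, switch, port) where the device belongs
INVENTORY: Dict[str, Tuple[str, str, str]] = {
    "00:11:22:33:44:55": ("pc-alice", "sw-floor1", "Gi1/0/12"),
    "00:11:22:33:44:66": ("printer-2f", "sw-floor2", "Gi1/0/3"),
}

# Constructed sample records; note the three MAC notations different vendors emit
TRAP_LINES = """\
2013-11-12T09:01:05 sw-floor1 linkUp port=Gi1/0/12 mac=0011.2233.4455
2013-11-12T09:02:11 sw-floor2 linkUp port=Gi1/0/3 mac=00-11-22-33-44-66
2013-11-12T09:03:40 sw-floor2 linkUp port=Gi1/0/7 mac=AA:BB:CC:DD:EE:FF
2013-11-12T09:05:02 sw-floor3 linkUp port=Gi1/0/1 mac=00:11:22:33:44:55
2013-11-12T09:06:00 sw-floor3 linkDown port=Gi1/0/1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<switch>\S+) (?P<event>linkUp|linkDown) "
    r"port=(?P<port>\S+)(?: mac=(?P<mac>\S+))?$"
)


def normalize_mac(raw: str) -> str:
    """Accept 0011.2233.4455, 00-11-22-33-44-66 or 00:11:... and return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


@dataclass(frozen=True)
class Alert:
    ts: str
    switch: str
    port: str
    mac: str
    kind: str      # "unknown-device" or "moved-device"
    detail: str


def detect_rogues(lines: str, inventory=INVENTORY) -> List[Alert]:
    """Flag MACs the CMDB does not know, and known MACs appearing away from their recorded port."""
    alerts: List[Alert] = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != "linkUp" or not m["mac"]:
            continue   # linkDown records carry no MAC and need no decision
        mac = normalize_mac(m["mac"])
        entry = inventory.get(mac)
        if entry is None:
            alerts.append(Alert(m["ts"], m["switch"], m["port"], mac,
                                "unknown-device", "MAC not present in CMDB"))
        elif (m["switch"], m["port"]) != (entry[1], entry[2]):
            alerts.append(Alert(m["ts"], m["switch"], m["port"], mac, "moved-device",
                                f"{entry[0]} is recorded on {entry[1]} {entry[2]}"))
    return alerts


if __name__ == "__main__":
    for a in detect_rogues(TRAP_LINES):
        print(f"{a.ts} {a.kind:15} {a.switch}/{a.port} {a.mac}: {a.detail}")
```

The MAC normalisation is the part that usually breaks in practice: an inventory keyed on colon-separated lower-case addresses silently misses a Cisco-style dotted MAC unless every source is canonicalised first. The "moved-device" case is reported separately from "unknown-device" because a known address on an unexpected port may be a legitimate move, a duplicated MAC or a cloned one, and an operator will want to triage it differently.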
onNAC screenshots
Overall dashboard
onNAC screenshots
State of users logged into the platform
onNAC screenshots - Policy
Comprehensive security policy to apply to all users
onNAC screenshots - Policy
onNAC screenshots - CMDB
onNETDISCO component
onNETDISCO

- Allows discovery of network devices
- Stores discovered devices in the CMDB
- Keeps the inventory updated
- Discovers the network topology, detecting devices without redundant links
- Allows periodic discovery tasks
- Queue-based
- Allows you to export the results to CSV
onNETCONF component
onNETCONF

- Network Equipment Configurator allows you to define configuration templates and apply them to sets of network equipment
- Web frontend or Web Service
- Based on a service queue to ensure traceability and integrity of any action
- Very useful for applying settings to a large amount of network equipment
- Very useful to install and configure the NAC service
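The template-to-device-group workflow and the queue with traceability and integrity described on this slide, as an added Python example that is not onNETCONF's code: the $-placeholder template syntax, the device records, the task layout and the digest check are constructed assumptions.

```python
"""Configuration templates applied to a device group through a task queue.

Added illustration, not onNETCONF's code. The $-placeholder template syntax, the
device records and the task/queue layout are constructed assumptions.
"""
import hashlib
import string
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, List

# Constructed template: one $placeholder per variable, filled per device
TEMPLATE = """\
hostname $hostname
snmp-server community $snmp_ro RO
ntp server $ntp_server
"""

# Constructed device-group extract (what the CMDB would hand over)
DEVICES = [
    {"hostname": "sw-floor1", "ip": "10.0.1.2", "snmp_ro": "readonly-1"},
    {"hostname": "sw-floor2", "ip": "10.0.1.3", "snmp_ro": "readonly-2"},
    {"hostname": "sw-floor3", "ip": "10.0.1.4"},   # no snmp_ro: must be rejected, never half-applied
]
SITE_VARS = {"ntp_server": "10.0.0.10"}


@dataclass
class Task:
    task_id: int
    device: str
    commands: str
    digest: str             # sha256 of the commands at queue time (integrity check)
    status: str = "queued"  # queued -> done | failed | rejected
    error: str = ""


def render(template: str, variables: dict) -> str:
    """Strict substitution: a missing variable raises KeyError instead of emitting a blank."""
    return string.Template(template).substitute(variables)


def build_tasks(template: str, devices: list, site_vars: dict) -> Deque[Task]:
    """Render the template per device and queue one task each, with a digest for traceability."""
    queue: Deque[Task] = deque()
    for n, dev in enumerate(devices, start=1):
        variables = {**site_vars, **dev}          # device values override site defaults
        try:
            commands = render(template, variables)
        except KeyError as exc:
            queue.append(Task(n, dev["hostname"], "", "", "rejected",
                              f"missing variable {exc.args[0]}"))
            continue
        digest = hashlib.sha256(commands.encode()).hexdigest()
        queue.append(Task(n, dev["hostname"], commands, digest))
    return queue


def run_queue(queue: Deque[Task], push: Callable[[str, str], None]) -> List[Task]:
    """Drain the queue in order; `push(device, commands)` is the hypothetical transport."""
    log: List[Task] = []
    while queue:
        task = queue.popleft()
        if task.status == "queued":
            if hashlib.sha256(task.commands.encode()).hexdigest() != task.digest:
                task.status, task.error = "failed", "commands altered after queuing"
            else:
                try:
                    push(task.device, task.commands)
                    task.status = "done"
                except Exception as exc:   # transport errors are recorded, not raised
                    task.status, task.error = "failed", str(exc)
        log.append(task)
    return log


SENT: List[tuple] = []


def fake_push(device: str, commands: str) -> None:
    """Stand-in for SSH/telnet delivery: records what would have been sent."""
    SENT.append((device, commands))


def demo() -> List[Task]:
    """Render, queue and 'apply' the constructed template to the constructed group."""
    SENT.clear()
    return run_queue(build_tasks(TEMPLATE, DEVICES, SITE_VARS), fake_push)


if __name__ == "__main__":
    for t in demo():
        print(f"task {t.task_id} {t.device:10} {t.status:9} {t.error}")
```

Strict rendering matters for a configurator: with a lenient template a device missing a variable would receive a line such as `snmp-server community  RO`, which some platforms accept and apply with an empty or default value. Keeping a digest with each queued task gives an audit record of exactly what was sent and lets the worker refuse a task whose body was changed after it was approved.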
onNETCONF Screenshots - Template

- Create a configuration template to send to a group of network devices
- Commands to send
- Snippets
onNETCONF Screenshots - Devices

- Equipment selection
- Network device list
onNETCONF Screenshots - Results
Viewing the results of configuration tasks
onNETBACKUP component
onNETBACKUP

- Makes backups and automatic archiving of network device configurations
- Allows scheduling backup copies for device groups
- Allows defining a retention policy
- Based on a service queue to ensure traceability and integrity of any action
onNETBACKUP
Selection of devices to back up
onNETBACKUP
Display of planned backups
onMON component
onMON

- Monitoring is provisioned automatically from the CMDB
- Monitoring profiles available based on device type
- Real-time network device status
- Generates alerts if any part of the network is not working properly
onNETMON
Viewing the status of a network device
onCMDB component
onCMDB

- The CMDB module is the repository of all inventory information
- Allows you to easily share information with other platforms
- It stores all the basic elements used by the platform, such as network devices, security rules, networks, groups, VLANs, ...
Metadata Access Point (MAP) server component
Metadata Access Point (MAP) server

- METADATA Access Point server module
- It uses the IF-MAP protocol
openNAC services

- Security Consulting: define the architecture and methodology appropriate for a client to improve the security of access to, and authorization on, its network
- Roll out: openNAC setups in companies and organizations
- Support: 24x7 support for openNAC installations
- Development and customization: creating specific modules and functionality for customers; supporting new infrastructure
- Integration: integrating the solution with third-party tools
Contact

http://www.opennac.org
info@opennac.org
Twitter: @opennac