Efficient and Easy-To-Use Network Access Control and Dynamic Vlan Management


Efficient and easy-to-use network access control and dynamic vlan management

Date: 4.12.2007 http://FreeNAC.net Copyright @2007, Swisscom

1
Connection to the enterprise LAN is often (too) easy

LAN sockets may be located in open work spaces:
 Open-plan offices
 Meeting rooms
 Hallways and printing corners
 Unlocked wiring closets

(Too) many people may have physical access to LAN ports:
 Employees
 Visitors
 Cleaning staff, electricians, etc.

NOTES:
The enterprise LAN needs to be easy to use and reliable, however:
Many people (visitors, employees, cleaners, temporary staff) may have physical access to the
offices
Network sockets may be located in “open” work spaces, or meeting rooms.
Network connections may not be documented

Mobility requires more flexibility and security


The number of laptops in companies is growing
Potentially more than one user per network socket (often there are more ‘hubs’ or small
unmanaged switches than expected)
Re-organisations are more frequent, so the network needs to adapt easily

2
The need for dynamic LAN management

Ethernet cabling is difficult to change and expensive.
 Is cabling documented?
 Does LAN management allow easy segmentation of PCs/devices?
 Can visitors / externals be given LAN access safely and easily?
 Is cabling dynamically used, or are cables reserved per segment?

NOTES:
Current cabling should be dynamically used:
•on the appropriate network
•when needed
•without the need for (expensive) manual intervention or reconfiguration

LAN management should allow easy segmentation of PCs/Devices


•e.g. Printer zone, office zone, lab1, lab2, External zone
•segments should be configurable by helpdesk/1st level support, not Switch specialists

3
The need for network access control

Enterprises may be faced with the following problems:

Do we know what is on the LAN? Live inventory?
How do we authorise or block end devices?
How do we enforce LAN access security policies?

NOTES:
Access Control
“Foreign” laptops (or desktops, webcams, …), connected to the enterprise LAN, represent a potential security
risk.
Security/access rights should be managed. Limit access to devices we know and have some trust
in.

Live inventory:
Access control means having an up-to-date inventory of end devices.
It may also mean having an inventory of the topology of the LAN (which switches, hubs, routers, end
devices etc. in which rooms) including a cabling plan.
The following questions then arise:
• How can we manage our inventory efficiently? Especially if we have many end devices?
• Can we prevent having multiple inventories – one for network access control and one for
hardware management / (financial) accounting? Can we integrate these inventories?

4
The need for Compliance with security or governance standards

[Diagram: management-system and governance standards (ISO 27000, SOX, BS 7799, ISO 17799, BSI, COBIT, ITIL) grouped into the layers Governance, IT Security and IT]

NOTES:
Is compliance with security standards such as the Information Security Management System
(ISO 17799) or Sarbanes-Oxley (SOX 404) important for you?
Is compliance with IT management/governance standards, such as ITIL, an issue?

NAC can help to:
- limit access to network resources
- provide tracking of what devices were on the network, where, when
- provide a live inventory of devices, and link it to static inventory
- provide compliance reports tying together Network, User, Device information.

5
The Solution: NAC

Technology: access is granted based on the MAC address (or 802.1x), and an appropriate Virtual LAN is assigned.

NOTES:
HOW IT WORKS:
•The switch detects a new PC and requests authorisation from NAC via the VMPS
protocol; NAC checks its database and refuses or grants access based on the MAC
address
•802.1x is supported, with user authentication in the Windows domain or via
certificates, and VLAN assignment based on the MAC address
•VMPS mode works only with Cisco switches, but with any kind of end device (PCs,
printers, IP phones, webcams, etc.)

NAC can directly replace other VMPS solutions, or manual “port based MAC lists”
with major improvements in ease of use.

6
Features
Dynamic (location based) virtual LAN assignment
LAN port access control
Automated end-device inventory
Switch port programming
Can work with Hubs/un-managed switches
Friendly User Interface
Enterprise features:
• Linking of enterprise information sources: Users (AD), Devices: (MS-
SMS), Anti-virus, DNS, Router tables, static inventory
• Redundancy, load balancing, advanced monitoring and alerting
• Documentation of LAN cabling
• ‘Emergency off’ for disaster response
7

NOTES:
SQL database provides scalability, flexibility and easier integration, and allows
querying of live network inventory:
•external databases can be linked in, to integrate into your Workflow and
processes: user databases (Active Directory, DireX, XML), end-device
databases (MS-SMS), MS-WSUS, Anti-Virus (McAfee), DNS, Routers (MAC/IP
tables via SNMP), switch (port restarts / detection of unmanaged devices) and
customer in-house static inventory databases
•scanning module to identify operating system version and open ports
•scanning module to identify devices on unmanaged or ‘static’ switch ports
•“emergency off” tool for disaster recovery
•redundancy: 1 master and many slaves allow high availability and load
distribution (we come back to this in 3 slides)

Live inventory:
•VMPS managed devices and unmanaged devices (switches scanned via SNMP):
Mac, I.P. Address, Hostname
•Operating System & Hostname: via nmap scanning
•Cross reference data in external databases such as MS-SMS, WSUS, McAfee EPO.

NAC Benefits

No software needed on end devices
Allows a more dynamic, efficient LAN/cabling
Proven technology: in production since 2004.
GUI can be used by the helpdesk; Cisco expertise is not needed
Extensible: open interfaces for optimal workflow integration
OpenSource
NAC works with (legacy & new) Cisco switches
More efficient than „manual port-based access“ or VMPS
Easier to implement than classical 802.1x
8

NOTES:
•no software is currently needed on end devices
•Open: open standards, open source, open review – integrate NAC more easily into your workflows
and existing processes
•NAC works with (even old) Cisco switches (other vendors may be added on request, or as custom
developments)
•Customers who already use „manual port-based access“ will save time and gain effectiveness
•A dynamic network allows:
 - better use of available switch ports (efficiency, cost savings)
 - quick configuration of new ports, which can be done by the helpdesk
 - easier switch configuration (ports are dynamic)
 - fewer changes in cabling during re-organisations
•Extensible: add your own modules, or interfaces to your systems, to better integrate NAC into your
processes and workflow.
•NAC runs on standard hardware & operating systems (Linux/Unix)

Reducing the Risk of Unauthorised LAN access

NAC offers cost-effective, significant risk reduction without affecting business operations.

NAC will continue to evolve, lowering risk further (e.g. using 802.1x and ‘health checking’) while allowing customers to migrate smoothly.
9

NOTES:
•802.1x offers stronger device authentication, but is more complex and requires newer switches.
NAC strives to offer the best of both worlds: mac-address and 802.1x support.
-Currently we can integrate the Patch status from Microsoft WSUS and McAfee EPO.
-Long term, our aim is to use a standards based pre and post-connect security checking, such as TNC
(Trusted Network Connect)

Architecture

10

NOTES:
The minimal components required are a VMPS or 802.1x capable switch and one NAC master server

Architecture

11

NOTES:
NAC consists of:
- one master server with database and control programs
- optionally, one or more slave servers for redundancy and load distribution
In a fully integrated environment, NAC requires:
- syslog messages from switches
- access to an email server for delivery of alerts
- access to DNS for discovering the names associated with IP addresses
- optionally: SNMP read/write access to switches (to restart ports and scan for unmanaged end devices)
- optionally: SNMP read access to routers (to query MAC/IP tables)
- optionally: an interface to enterprise static inventory, user, device, inventory, MS-SMS, MS-WSUS, McAfee
EPO, or other databases

NAC is remotely configured via a Windows-based GUI, which may be installed on one or more Windows PCs, or
via a web-based interface.

Usage scenarios: Where can I use NAC?

12

NOTES
NAC is useful where you need efficient cable/port management and/or LAN access control:
•Research and development units: with many subnets, and a need to build dynamic subnets quickly.
•Workstation LANs
•Meeting rooms
•Rooms exposed to the public, or to non-company employees
•Large open-plan offices
•During re-organisations, to better track and control network access

Where is NAC not needed? (i.e. dynamic ports are not needed, but automated port scanning/documentation is
still useful)
•Physically secured server rooms
•DMZs (for VMPS mode: MAC-based identification is probably not secure enough; however, 802.1x may be
interesting.)

Summary

Swisscom NAC
- enables LAN access control, live inventory and dynamic vlan management
- requires no software on clients
- works today, in heterogeneous environments
- allows integration into your IT processes/tools via open interfaces.

13

Appendix: Optional slides

14

How NAC works
[Diagram: device connects to a switch port; NAC looks up its MAC address]
If unknown, access is denied or limited to quarantine.
If OK, access to the corporate network.

15

How version 2 works..

How NAC works: vmps mode

16

17

NOTES:
Version 2.1 Summer ‘06:
•nmap scanning modules, OS detection
•Linking to McAfee EPO Anti-virus server
•Linking to Microsoft SMS (systems management server)
•Support of Virtual Machines as client, and also as NAC servers!
Version 2.2 Mar’07:
•ldap integration into MS Active Directory
•Detection and inventory of other devices on the network not actively managed.
•Auto documentation of when ports were last used, with what vlan, and mode.
•Automated switch discovery for initial installations
•802.1x support for Wired LANs
Version V3.0 Nov.07:
•configuration of switch ports from the windows GUI
•configuration of NAC server options from the windows GUI
•Automated switch scanning for unmanaged systems
•Microsoft WSUS, McAfee EPO integration
•Complete code object-oriented rewrite, for better reliability, separation of features, and ease of
adding new features.
•New Policy interface with pre and post-connect methods.

17
Network Authentication with “802.1x”

The “802.1x” standard allows authentication of devices in LAN or wireless networks; using
cryptographic techniques, it provides higher security. 802.1x authenticates the user or the
device.
• BUT:
 new switches are usually required
 vendor interoperability
 complexity (support, supplicants, certificate management, ..)
 cost
 interaction with hubs.

 NAC includes 802.1x since V2.2

 802.1x and MAC address can be combined, for example by authenticating the user via
domain logon and the device via MAC address, allowing a VLAN assignment based on the
device identification (MAC address), not the user name.

18

Problems With Cisco “VMPS” and “MAC Port” Authentication

If the above products are already in use for limiting LAN access, what are
the limitations?

Lack of management features:
• Monitoring
• Alerting
• Ease of use
• GUI
• User & device DB integration

Lack of support from Cisco

19

What does the User Interface look like?

20

NOTES:
This is one view in the Windows GUI from Version 2.1.
There are also dedicated Web GUIs for specific tasks.

Windows GUI: system details

21

In blue is the crucial MAC information: the MAC address and the VLAN we assign.

In red is information about where the end device was last seen, and when.

Windows GUI: system details

22

•The Nmap scanning module can detect the operating system version and open ports. It can scan one device
immediately, or the list of IPs in the NAC database on a scheduled basis.
•If the McAfee EPO module is enabled, the operating system of end devices, as reported by McAfee, and the
current anti-virus status can be displayed.
•Beside the Anti-Virus tab, we also see an “inventory” tab, which is where we link to your in-house static inventory
database, if required.

Windows GUI: Switch & Ports

23

NAC also shows switch/port usage

[Screenshot: port usage table with the columns Switch, Port, Patch, PC]

24

NOTES:
A Web GUI that maps switch port usage in the last 24 hours.
We see one device on port 2/13; it is connected via cable X04.012 in room 4.16,
where the PC murderdrool is attached, and this PC is assigned to the Use ‘ALLGAE’.
We also see a printer on port 2/24.

Web GUI: edit mode

25

What do automated Email Alerts look like?

26

NOTES:
A new device has been connected to the network (port 2/40 switch sw0303), but not authorised.
-it was in room 3.16
-on Cable socket X 03.013 (this is the name written on the socket in the wall)
-in this room the users Schenker, Wyler and Berger have their offices
-The user TGDSCED1 has been documented as using this cable
The ‘super-users’ defined for this switch are Schädler and Rappo, so they receive the Alert,
along with the NAC Administrators.
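The MAC-based decision from "How NAC works" (known device gets its VLAN, unknown device is denied or quarantined) together with the alert above, as an added illustration that is not FreeNAC or Swisscom code. It assumes a per-room VLAN override as the "location based" assignment, and the device table, VLAN names and quarantine VLAN name are constructed.

```python
# Added example, not FreeNAC/Swisscom code: a minimal model of the VMPS-mode
# decision from the slides plus the unauthorised-device alert shown above.
import re
from dataclasses import dataclass

QUARANTINE_VLAN = "quarantine"  # assumed name of the limited-access VLAN

@dataclass
class Port:
    switch: str
    port: str
    cable: str         # socket label written on the wall, e.g. "X 03.013"
    room: str
    room_users: list   # users documented as having offices in this room
    super_users: list  # super-users defined for this switch

def normalise_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 0011.2233.4455 (Cisco) or 00-11-.. forms."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def assign_vlan(mac, port, devices, location_vlans, quarantine=True):
    """Known MAC -> its VLAN (overridden per room for location-based
    assignment); unknown MAC -> quarantine VLAN, or None (deny) if the
    switch has no quarantine VLAN configured."""
    device = devices.get(normalise_mac(mac))
    if device is None:
        return QUARANTINE_VLAN if quarantine else None
    return location_vlans.get(port.room, device["vlan"])

def build_alert(mac, port):
    """Alert text for an unknown device; recipients are the switch's
    super-users plus the NAC administrators, as in the slide."""
    text = "\n".join([
        f"New device {normalise_mac(mac)} connected to port {port.port} "
        f"on switch {port.switch}, but not authorised.",
        f"- room {port.room}, cable socket {port.cable}",
        f"- users with offices in this room: {', '.join(port.room_users)}",
    ])
    return text, sorted(set(port.super_users)) + ["nac-admins"]

# Constructed sample data (hostnames, VLAN names and MACs are made up).
DEVICES = {"00:11:22:33:44:55": {"hostname": "pc-lab1", "vlan": "office"},
           "00:aa:bb:cc:dd:ee": {"hostname": "prn-2", "vlan": "printers"}}
LOCATION_VLANS = {"meeting-3.01": "guest"}  # meeting rooms: always guest
PORT_2_40 = Port("sw0303", "2/40", "X 03.013", "3.16",
                 ["Schenker", "Wyler", "Berger"], ["Schaedler", "Rappo"])
```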

