nercomp SIG

Information about nercomp SIG

Published on June 19, 2007

Author: Belly

Source: authorstream.com

Content

ABC's of Policy Enforcement:
  Kevin Amorin, CISSP
  Harvard University

Topics:
  Risks
  Architectures
    NAC (Cisco)
    NAP (Microsoft)
    TNC (Trusted Computing Group)
  Components
  Open Source

Problem Statement:
  .Edu Environment
  Open
  Roaming Laptops
  Students
  44% of attacks originate from systems on the internal network (behind the firewall)
  VPN
  Wireless
  Dial-up
  2005 FBI Computer Crime Survey

Slide4, Slide5, Slide6: (no text content)

Phishing:
  antiphishing.org

Solutions:
  Many commercial products
    Sygate, Bradford, Enforce, Checkpoint, Infoexpress, iPass, Meetinghouse, Funk, …
  Many open source packages
    PacketFence, Southwestern Netreg, CMU Netreg, NetPass, NoCatAuth, NetSquid, …
  No real standards, no interoperability
  Architecture Solutions
    NAC, NAP, TNC

Architecture Solutions:
  Cisco Network Admission Control (NAC)
    Phase 1: Routers – Aug 2004
    Phase 2: Switches – Nov 2005
  Microsoft Network Access Protection (NAP)
    Windows Longhorn – Q1 2007
  Trusted Computing Group Trusted Network Connect (TNC)
    Architecture & Basic API – May 2005
    Complete Spec – May 2006?

Cisco NAC AntiVirus Participants:
  63 manufacturers (2/06)
  22 shipping – 41 in development
  No other big network companies?
  www.cisco.com/web/partners/pr46/nac/partners.html

Cisco NAC Support:
  Identity and Integrity
  IOS 12.3(8)T
  Cisco Routers (83x, 18xx, 28xx, 38xx, 1701, 1711, 1712, 1721, 1751, 1751-V, 1760, 2600XM, 2691, 3640, 3660-ENT, 72xx)
  Cisco Switches (6500, 4500, 4000, 3750, 3560, 3550, 2970, 2955, 2950, and 2940)
  All APs, VPN 30xx
  Clean Access/Perfigo is not part of the NAC Framework - 'NAC Appliance'

Cisco NAC Co$t:
  Cisco Network Gear
    4500, 4000, 3xxx, 2xxx, $$$
  Cisco Secure Access Control Server (ACS)
    AAA Radius Server + Policy Control
  Cisco Trust Agent (CTA) 2.0
    Windows 4.0, 2000/3, XP, RHEL 3-4
    Includes Meetinghouse 802.1x supplicant
    Free? … Ahhhh wired only… EAP-Fast only

MS NAP AntiVirus Participants:
  53 manufacturers (2/06)
  0 shipping – 53 in development
  Lots of Cisco competitors
    Enterasys, Extreme, Foundry, ProCurve (HP), Juniper
  www.microsoft.com/windowsserver2003/partners/nappartners.mspx

Microsoft NAP Support:
  Identity and Integrity
  NAP Clients
    Windows Vista client late 2006
    Windows XP SP2 + 'update' 2007
  NAP Server
    Windows Longhorn Q2 2007
  Total rewrite of Network Access Quarantine Control in Windows 2003
  DHCP, VPN, 802.1x (PEAP), IPsec
  IPSec is the 'strongest' form of NAP
    Can only talk to healthy clients with 'Health Cert'

Microsoft NAP Co$t:
  Windows Longhorn Server
    IAS AAA Radius Server + Policy Control
    Routing and Remote Access (VPN)
  Upgrade Windows client cost
    Minimum windows client is XP+patch (2007)
    Windows Vista 'better'
  May require AD
  Minimal change to network gear

TNC AntiVirus Participants:
  More than 60 manufacturers 'involved'
    switch and network equipment manufacturers, security vendors, managed service providers, chip manufacturers
  Lots of software companies
  www.trustedcomputinggroup.org/groups/network

TNC Support:
  Identity and Integrity
  Use of existing network standards
    802.1x
    IPSec
  Composed mostly of Software/Appliance companies
  Missing some big name support from Anti-virus, Network companies
  Future Trusted Platform module (TPM) integration

TNC Co$t:
  TNC Client
    Funk, Meetinghouse, InfoExpress, iPass, etc…
  TNC Server (Radius/Policy Server)
    Funk, Meetinghouse, InfoExpress, iPass, etc…
  No Vendor lock in?
    No validation of interoperability
    The TNC Client and Server 'should' work together if you don’t use the same vendor
  Supported Network gear
    Juniper, Extreme, Foundry, Enterasys

Cisco NAC Pros/Cons: (no text content)

MS NAP Pros/Cons: (no text content)

TNC Pros/Cons: (no text content)

Methods of Isolation:
  ACL – Layer 3 Router redirection
  VLAN – Layer 2 Switch port control
  IPSec – Health Certificates
  DHCP – IP subnet overlay networks
  ARP – Client gateway manipulation
  802.1x – IEEE authentication port based access control

Generic Components (diagram labels):
  Identity/Integrity
  Decision/Request
  AAA Query
  Policy Query

Cisco NAC Components Example (diagram labels):
  Radius
  HCAP (Policy Query)
  EAP o UDP / 802.1X
  EAP-Fast

Microsoft NAP Components Example (diagram labels):
  Statement of Health (Integrity)
  Local (Policy Query)
  802.1X
  PEAP
  Radius

TNC Components Example (diagram labels):
  IF-TNCCS (Integrity)
  IF-IMV (Policy Query)
  802.1X
  EAP
  Radius

Open Source Integration (diagram labels):
  Integrity
  Policy Query
  802.1X
  Radius

Open Source Integration (diagram labels):
  Integrity
  Policy Query
  802.1X
  Radius
  Decision/Request

Market Survey:
  1/17/06 Infonetics 'Enforcing Network Access Control'
  Over 1,101% increase over the next three years from $323 million to 3.9 billion 2008
  NAC Appliance market will increase 3,062% from 2005 to 2008
  NAC network devices will increase almost 1,000% from 2005-2008
  'will be a volatile space over the next three years, with significant consolidation in the market'
  'Cisco's NAC solution is the most recognized brand of the three main NAC solutions, followed by Microsoft's NAP, and then the Trusted Computing Group's Trusted Network Connect solution in distant third'
  Maybe, Maybe not… but either way it will be a fun ride…

In Closing:
  Slow……. Very Very Slow….
  With 70% of networking market Cisco & NAC will be around to stay
  Microsoft NAP will be HUGE in 2008
  Don’t count out TNC
  IETF Anyone?
  I2 NetAuth Working group
    Security.internet2.edu/netauth
    strategies, architecture, components, case studies, FAQ

Slide31: (no text content)

References:
  http://www.cisco.com/application/pdf/en/us/guest/netsol/ns466/c643/cdccont_0900aecd800fdd58.pdf
  https://www.trustedcomputinggroup.org/groups/network/TNC_Architecture_v1_0_r4.pdf
  http://www.microsoft.com/technet/itsolutions/network/nap/napoverview.mspx
