nercomp SIG

Information about nercomp SIG

Published on June 19, 2007

Author: Belly


ABC's of Policy Enforcement
Kevin Amorin, CISSP, Harvard University

Topics
- Risks
- Architectures: NAC (Cisco), NAP (Microsoft), TNC (Trusted Computing Group)
- Components
- Open Source

Problem Statement
- .Edu environment: open, roaming laptops, students
- 44% of attacks originate from systems on the internal network (behind the firewall): VPN, wireless, dial-up (2005 FBI Computer Crime Survey)

Slides 4-6 and the Phishing slide are image-only; no text was captured.

Solutions
- Many commercial products: Sygate, Bradford, Enforce, Checkpoint, Infoexpress, iPass, Meetinghouse, Funk, ...
- Many open source packages: PacketFence, Southwestern Netreg, CMU Netreg, NetPass, NoCatAuth, NetSquid, ...
- No real standards, no interoperability
- Architecture solutions: NAC, NAP, TNC

Architecture Solutions
- Cisco Network Admission Control (NAC): Phase 1, routers (Aug 2004); Phase 2, switches (Nov 2005)
- Microsoft Network Access Protection (NAP): Windows Longhorn (Q1 2007)
- Trusted Computing Group Trusted Network Connect (TNC): architecture & basic API (May 2005); complete spec (May 2006?)

Cisco NAC AntiVirus Participants
- 63 manufacturers (2/06): 22 shipping, 41 in development
- No other big network companies?

Cisco NAC Support
- Identity and integrity
- IOS 12.3(8)T
- Cisco routers: 83x, 18xx, 28xx, 38xx, 1701, 1711, 1712, 1721, 1751, 1751-V, 1760, 2600XM, 2691, 3640, 3660-ENT, 72xx
- Cisco switches: 6500, 4500, 4000, 3750, 3560, 3550, 2970, 2955, 2950, 2940
- All APs, VPN 30xx
- Clean Access/Perfigo is not part of the NAC Framework ('NAC Appliance')

Cisco NAC Co$t
- Cisco network gear: 4500, 4000, 3xxx, 2xxx, $$$
- Cisco Secure Access Control Server (ACS): AAA Radius server + policy control
- Cisco Trust Agent (CTA) 2.0: Windows 4.0, 2000/3, XP, RHEL 3-4; includes Meetinghouse 802.1x supplicant. Free? ... Ahhhh, wired only ... EAP-FAST only

MS NAP AntiVirus Participants
- 53 manufacturers (2/06): 0 shipping, 53 in development
- Lots of Cisco competitors: Enterasys, Extreme, Foundry, ProCurve (HP), Juniper

Microsoft NAP Support
- Identity and integrity
- NAP clients: Windows Vista client (late 2006); Windows XP SP2 + 'update' (2007)
- NAP server: Windows Longhorn (Q2 2007); total rewrite of Network Access Quarantine Control in Windows 2003
- Enforcement: DHCP, VPN, 802.1x (PEAP), IPsec
- IPsec is the 'strongest' form of NAP: can only talk to healthy clients holding a 'Health Cert'

Microsoft NAP Co$t
- Windows Longhorn Server: IAS AAA Radius server + policy control; Routing and Remote Access (VPN) upgrade
- Windows client cost: minimum client is XP + patch (2007); Windows Vista 'better'
- May require AD
- Minimal change to network gear

TNC AntiVirus Participants
- More than 60 manufacturers 'involved': switch and network equipment manufacturers, security vendors, managed service providers, chip manufacturers
- Lots of software companies

TNC Support
- Identity and integrity
- Use of existing network standards: 802.1x, IPsec
- Composed mostly of software/appliance companies
- Missing some big-name support from anti-virus and network companies
- Future Trusted Platform Module (TPM) integration

TNC Co$t
- TNC client: Funk, Meetinghouse, InfoExpress, iPass, etc.
- TNC server (Radius/policy server): Funk, Meetinghouse, InfoExpress, iPass, etc.
- No vendor lock-in? No validation of interoperability: the TNC client and server 'should' work together if you don't use the same vendor
- Supported network gear: Juniper, Extreme, Foundry, Enterasys

Cisco NAC Pros/Cons, MS NAP Pros/Cons, TNC Pros/Cons: three table slides; no text was captured.

Methods of Isolation
- ACL: Layer 3 router redirection
- VLAN: Layer 2 switch port control
- IPsec: health certificates
- DHCP: IP subnet overlay networks
- ARP: client gateway manipulation
- 802.1x: IEEE authentication, port-based access control

Generic Components (diagram)
- Identity/Integrity
- Decision/Request
- AAA Query
- Policy Query

Cisco NAC Components Example (diagram)
- Radius; HCAP (policy query); EAP over UDP / 802.1X; EAP-FAST

Microsoft NAP Components Example (diagram)
- Statement of Health (integrity); local (policy query); 802.1X PEAP; Radius

TNC Components Example (diagram)
- IF-TNCCS (integrity); IF-IMV (policy query); 802.1X EAP; Radius

Open Source Integration (two diagram slides)
- Integrity; policy query; 802.1X; Radius; Decision/Request

Market Survey
- 1/17/06 Infonetics, 'Enforcing Network Access Control'
- Over 1,101% increase over the next three years, from $323 million to $3.9 billion in 2008
- NAC appliance market will increase 3,062% from 2005 to 2008
- NAC network devices will increase almost 1,000% from 2005 to 2008
- 'will be a volatile space over the next three years, with significant consolidation in the market'
- 'Cisco's NAC solution is the most recognized brand of the three main NAC solutions, followed by Microsoft's NAP, and then the Trusted Computing Group's Trusted Network Connect solution in distant third'
- Maybe, maybe not ... but either way it will be a fun ride ...

In Closing
- Slow ... Very, very slow ...
- With 70% of the networking market, Cisco & NAC will be around to stay
- Microsoft NAP will be HUGE in 2008
- Don't count out TNC
- IETF, anyone?
- I2 NetAuth Working Group: strategies, architecture, components, case studies, FAQ

Slide 31 and the References slide contain no captured text.
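The Generic Components slide (Identity/Integrity, Decision/Request, AAA Query, Policy Query) and the Methods of Isolation slide describe a flow that every one of the three architectures instantiates. The following added example, which is not from the presentation nor from any NAC, NAP or TNC product, models that flow as a small policy decision point: it checks the client's identity against the AAA store, evaluates its reported health against a policy, and returns a decision carrying the RFC 2868 tunnel attributes a switch reads for dynamic VLAN assignment (the "VLAN: Layer 2 switch port control" method). The posture fields, thresholds, identities and VLAN numbers are assumptions chosen for illustration.

```python
"""Constructed model of the slides' generic policy-enforcement flow.
Not code from the presentation or any vendor product; posture fields,
thresholds, identities and VLAN numbers are illustrative assumptions."""
from dataclasses import dataclass

# Identity/Integrity: what the client agent reports (a statement of health).
@dataclass(frozen=True)
class AccessRequest:
    identity: str              # already authenticated via 802.1X/EAP (assumed)
    av_signature_age_days: int
    patch_level: int           # constructed scale: higher means more current
    firewall_enabled: bool

# Policy Query: the health policy the decision point consults (constructed).
POLICY = {"max_av_age_days": 7, "min_patch_level": 3, "require_firewall": True}

# AAA Query: identities the RADIUS server knows (constructed sample).
KNOWN_IDENTITIES = {"alice@example.edu", "bob@example.edu"}

# Enforcement: healthy clients land on the production VLAN, unhealthy ones
# on a remediation VLAN (the Layer 2 isolation method from the slides).
PRODUCTION_VLAN, REMEDIATION_VLAN = "100", "999"

def evaluate_integrity(req: AccessRequest, policy: dict) -> list:
    """Return the failed health checks; an empty list means healthy."""
    failures = []
    if req.av_signature_age_days > policy["max_av_age_days"]:
        failures.append("antivirus-signatures-stale")
    if req.patch_level < policy["min_patch_level"]:
        failures.append("patch-level-too-low")
    if policy["require_firewall"] and not req.firewall_enabled:
        failures.append("host-firewall-disabled")
    return failures

def decide(req: AccessRequest, policy: dict = POLICY,
           known: set = KNOWN_IDENTITIES) -> dict:
    """Decision/Request: combine the AAA and policy answers into one decision.
    attrs are the RFC 2868 attributes used for dynamic VLAN assignment
    (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802)."""
    if req.identity not in known:       # AAA query failed: port stays closed
        return {"decision": "reject", "failures": [], "attrs": {}}
    failures = evaluate_integrity(req, policy)
    vlan = REMEDIATION_VLAN if failures else PRODUCTION_VLAN
    return {
        "decision": "quarantine" if failures else "accept",
        "failures": failures,
        "attrs": {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                  "Tunnel-Private-Group-Id": vlan},
    }
```

Whether the quarantine decision is enforced by a VLAN, an ACL redirect or a withheld health certificate is an enforcement-point detail; the decision logic above is the same for each.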
