Solved

Network Access Control Solution

Posted on 2008-10-08
Last Modified: 2013-11-29
Hi All,

I have done much research on Network Access Control (NAC) and will now ask the experts for their thoughts on how to help me in the way I would like to see NAC handled on my network.

Problem:

Preventing unauthorised "anythings" from:

1. Getting an IP address from my DHCP server, Period.
2. Ensuring that those users with enough smarts to add an IP they found not in use to their "anything" are not able to communicate on the network, as the device has not been authorised by the "gateway NAC server" (i.e. its MAC has not been added by IT staff).

Being "authorised" to me would mean the device would have its MAC added to a "list" and referenced or an agent installed on the workstations which poses an issue for printers, scanners and other misc legit devices.

My basic thinking would have been to

1. Add reservations using known MAC's
2. Add the rest of the IP's not in use to a Windows Box TCP/IP thus making them "in use" ??

A DHCP exclusion range would not stop a device connecting that had put in valid IP details.

Does anyone know of open source or commercial software that fits this bill, or a method?

Aalborg.

Question by: AI-SYD

11 Comments
 
LVL 7

Assisted Solution

by:namol
namol earned 50 total points
ID: 22675738
I always like to advertise FreeNac. http://freenac.net/, if you're running Cisco gear. Also to play devil's advocate, why would you base your NAC control solely off of MAC address when it can be easily faked with various Windows programs or from the command line on mac/linux clients?
 
LVL 32

Assisted Solution

by:harbor235
harbor235 earned 50 total points
ID: 22702646


You should deploy dot1x; it allows you to authenticate users/systems to access your network. Unauthorized users can be segmented to guest or unauthorized VLANs where you can implement separate security policies.

harbor235 ;}
 
LVL 6

Accepted Solution

by:
clearacid earned 200 total points
ID: 22746516
I try to avoid dot1x and NACs that are in DHCP mode. Here's why.

dot1x is complicated if you are running different hardware. In my case we have all Cisco equipment, but at my location we use a lot of unmanaged Linksys workgroup switches to enable more ports in a room (very hard to manage).

DHCP works well, but the workaround is to configure a static IP address, which then bypasses your NAC.

The solution I ended up getting was forescout NAC www.forescout.com which has built in IPS/IDS and NAC all in the box.  

It runs on Linux (so very very very customizable), you can push various scripts, perform host checks, features include virtual firewalling (can isolate a host within a segment from other hosts within the same segment), built-in honeypots that integrate with IDS/IPS, very very low cost.

Also has usb storage device detection and ability to disable.

I've had it for about a month so far and it's been working really great.


 
LVL 6

Expert Comment

by:clearacid
ID: 22746520
Also, ForeScout works by spanning all VLANs. I have a 6509 core switch and we just spanned all VLANs and configured the NAC to check network traffic.
 

Author Comment

by:AI-SYD
ID: 22753762
Reviewing, thanks for adding comments.
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 200 total points
ID: 22759942
Symantec's NAC solution is a good one; the software costs, but the Windows DHCP NAC component is actually thrown in for free, just install it on your Windows DHCP servers.
802.1x can be very effective, and there are some bypasses such as MAC address cloning, but that causes some havoc on the network depending on what MAC was cloned. A printer's MAC address being cloned wouldn't be a big deal; you could easily poison ARP this way with no major side effects.
Having a cert installed on the PCs is the best way to use 802.1x, and you can still allow "dumb" devices such as network printers and faxes to be accessed by either excluding them or by saying only this MAC on this port.
So with 802.1x you can have the MAC address alone be good enough, you can have the MAC as well as a username/password authentication scheme, or you can have a cert be present in the 802.1x client and do a combination of the above.
The Cisco feature "port security" is a MAC-address-only feature you can use also:
http://www.cisco.com/en/US/docs/switches/lan/catalyst5000/catos/5.x/configuration/guide/sec_port.html#wp1019841
but "port secured" ports cannot be configured for 802.1x, nor can trunks, SPAN ports or EtherChannel (unless the EtherChannel is removed first).

802.1x tries to address the static IP issue if you have no DHCP, or you have a NAC-DHCP that only allows the known good MACs to gain an IP.
Most NACs try to help your administration needs by having you install a client on your known good hardware, and from there you don't need to maintain a MAC whitelist: the client will vouch for the PC and still need the user to authenticate as they normally do. Some NACs go further and do some checking on the host to see if it's properly patched and has the latest AV DATs. If not, the host isn't allowed to log in on the normal subnet/VLAN until those issues are remediated, and is instead allowed to connect to a subnet/VLAN that only lets it get DATs or patches.

Cisco's NAC is complex but works well with their equipment; Symantec's NAC requires Symantec AV (SEP [Endpoint Protection], they call it), so both are on the costly side. You can again run 802.1x in a variety of ways, and you can disable/shut down unused ports etc.
-rich
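A worked check for the two gaps raised in this thread, the static-IP bypass of a DHCP-mode NAC (clearacid) and MAC spoofing/cloning against a MAC whitelist (namol, Rich): this is an added example written for this page, not code from ForeScout, Symantec, Cisco or any product named above. It cross-references a switch CAM/ARP snapshot with the DHCP lease export and the IT-maintained MAC list. Every table in it is constructed sample data; the column layout and the finding strings are assumptions, not any vendor's format.

```python
"""Audit a switch CAM/ARP snapshot against DHCP leases and a MAC allowlist.

Added example for this thread, not code from any NAC product named above.
It flags the ways a device gets past a DHCP-only or MAC-only NAC:
  - a MAC that IT never registered,
  - a registered MAC using an IP it never leased (static IP squatting),
  - the same registered MAC learned on two ports (cloning, or a loop),
  - a DHCP lease handed to an unregistered MAC (reservation-only policy broken).
All tables below are constructed for the example.
"""
from collections import defaultdict

# Constructed allowlist: MAC -> description, as IT staff would maintain it.
ALLOWLIST = {
    "00:1a:2b:3c:4d:01": "printer-floor2",
    "00:1a:2b:3c:4d:02": "ws-alice",
    "00:1a:2b:3c:4d:03": "ws-bob",
}

# Constructed DHCP lease export: ip -> mac.
DHCP_LEASES = {
    "10.0.1.10": "00:1a:2b:3c:4d:01",
    "10.0.1.11": "00:1a:2b:3c:4d:02",
    "10.0.1.12": "00:de:ad:be:ef:77",   # lease to a MAC nobody registered
}

# Constructed switch snapshot: (port, mac, ip) from the CAM table joined with ARP.
SWITCH_SNAPSHOT = [
    ("Gi1/0/1", "00:1a:2b:3c:4d:01", "10.0.1.10"),   # printer, leased: fine
    ("Gi1/0/2", "00-1A-2B-3C-4D-02", "10.0.1.11"),   # alice, leased: fine (other MAC format)
    ("Gi1/0/3", "00:1a:2b:3c:4d:03", "10.0.1.200"),  # bob's MAC on an IP DHCP never issued
    ("Gi1/0/4", "00:de:ad:be:ef:99", "10.0.1.201"),  # MAC not on the allowlist at all
    ("Gi1/0/7", "00:1a:2b:3c:4d:01", "10.0.1.10"),   # printer's MAC also on a second port
]


def normalise_mac(mac):
    """Canonical lower-case colon form so '00-1A-..' and '00:1a:..' compare equal."""
    return mac.strip().lower().replace("-", ":")


def audit(snapshot, allowlist, leases):
    """Return a sorted list of (where, mac, ip, finding) tuples, one per anomaly."""
    allowlist = {normalise_mac(m) for m in allowlist}
    leases = {ip: normalise_mac(m) for ip, m in leases.items()}
    findings = []

    # DHCP server side: did it lease to anything not on the list?
    for ip, mac in leases.items():
        if mac not in allowlist:
            findings.append(("dhcp", mac, ip, "lease issued to unregistered MAC"))

    # Switch side: who is actually talking, and did DHCP put them there?
    ports_by_mac = defaultdict(set)
    for port, mac, _ip in snapshot:
        ports_by_mac[normalise_mac(mac)].add(port)

    for port, mac, ip in snapshot:
        mac = normalise_mac(mac)
        if mac not in allowlist:
            findings.append((port, mac, ip, "unknown MAC"))
            continue
        if leases.get(ip) != mac:
            findings.append((port, mac, ip, "static IP (no matching DHCP lease)"))
        if len(ports_by_mac[mac]) > 1:
            findings.append((port, mac, ip, "registered MAC seen on multiple ports"))
    return sorted(findings)


if __name__ == "__main__":
    for where, mac, ip, finding in audit(SWITCH_SNAPSHOT, ALLOWLIST, DHCP_LEASES):
        print(f"{where:8} {mac}  {ip:12} {finding}")
```

The static-IP check is the one a DHCP reservation scheme on its own never does: it needs the switch's view (CAM plus ARP) joined with the DHCP server's view. The multi-port check catches the cloning case Rich mentions, but only when the clone and the original are both on the wire; a cloned printer MAC on an otherwise idle printer port looks clean, which is why he recommends certificates over MACs where the device can carry one.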
 
LVL 7

Expert Comment

by:ALNMOO
ID: 22931710
If you don't want to use either dot1x or DHCP mode, then I think what you need is either inline mode or SNMP/CLI mode.

The inline mode is to place the NAC appliance between the access switches and the distribution layer; any traffic that does not comply with your policy will be blocked. Because of the location of the appliance in the network and there being no agent, the solution will check only application traffic (it will not check applications installed on a host). The best in this field is Consentry, www.consentry.com.

For SNMP/CLI mode, you connect the NAC server in the core and give it the right permissions on all edge switches to configure the switches based on the policy. Bradford Networks is good in this field.

Note that more than 50% of implemented NAC solutions are mixed, using more than one mode or vendor.
 

Author Comment

by:AI-SYD
ID: 23667568
I will attempt to resolve this issue within two weeks; it is still in progress and an important task.
 

Author Comment

by:AI-SYD
ID: 23964542
Bump, any other input would be appreciated. Thanks.
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 23964615
I've actually ditched Symantec in the 11th hour. Their hardware started to fail all over the place; I called customers after bugging and bugging them for testimonials, and no customer (10 in total) had anything good to say about the hardware. And no one was running NAC the way we thought it should work, which we came to find out is because Symantec's NAC can't run the way a NAC should. Cisco failed our proof of concept as well, for different reasons.
We have tested in the past 5 days a product that is working much better, and doesn't require 802.1x. As described above by me, 802.1x is a protocol that ensures folks can't assign static IPs to themselves without first authenticating with a username/password. Same for DHCP: they don't get a DHCP IP either until they have validated.
PacketFence, the product I think we will be going with, doesn't rely on 802.1x (which can be a costly affair if you have older network gear). PacketFence can use 802.1x as well as SNMP traps, which has the main benefit of not needing to have the latest and greatest switch gear.
http://www.packetfence.org/en/home.html
So far I'm impressed with this open source offering. It is Linux based, but using the VM-Player image it was very easy to set up.
-rich
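The SNMP/CLI mode ALNMOO describes and the SNMP-trap mode Rich is testing with PacketFence both work the same way: the NAC sits out of band, receives link and MAC events from the access switches, and moves each port into a VLAN by policy. The simulation below is an added example written for this page, not PacketFence's, Bradford's or any vendor's code. The event dictionary format, the VLAN numbers, the MAC registry and the "pinned to one port" rule for dumb devices are all assumptions made for the example; in a real deployment the events arrive as SNMP traps and the VLAN change goes back over SNMP or the switch CLI. It also shows what the unmanaged workgroup switches clearacid mentions do to such a scheme: one access port can only carry one VLAN, so a single unknown device behind a hub drags every device on that port down with it.

```python
"""Simulated trap-driven (out-of-band) NAC port controller.

Added example for this thread; it is not PacketFence, Bradford or any vendor's
code. The NAC listens for switch events (linkUp, linkDown, MAC learned) and moves
each access port into a VLAN by policy. Event format, VLAN numbers and the MAC
registry are assumptions made up for the example.
"""

VLAN_REGISTRATION = 100   # captive-portal / registration network only
VLAN_ISOLATION = 101      # quarantine for policy violations
VLAN_BY_ROLE = {"staff": 10, "printer": 20}

# Constructed registry: MAC -> (role, port it is pinned to, or None for any port).
# Pinning dumb devices to a port is the "only this MAC on this port" idea from above.
REGISTRY = {
    "00:1a:2b:3c:4d:01": ("printer", "Gi1/0/1"),
    "00:1a:2b:3c:4d:02": ("staff", None),
    "00:1a:2b:3c:4d:03": ("staff", None),
}


class PortController:
    def __init__(self, registry):
        self.registry = {m.lower(): v for m, v in registry.items()}
        self.macs_on_port = {}   # port -> set of MACs currently learned on it
        self.vlan_on_port = {}   # port -> VLAN last assigned
        self.actions = []        # (port, vlan, reason) in the order they were pushed

    def _assign(self, port, vlan, reason):
        # Only push a change when the VLAN actually differs, as a real controller would.
        if self.vlan_on_port.get(port) != vlan:
            self.vlan_on_port[port] = vlan
            self.actions.append((port, vlan, reason))

    def handle_event(self, event):
        """event: {"type": "linkUp"|"linkDown"|"macLearned", "port": ..., ["mac": ...]}"""
        port = event["port"]
        if event["type"] == "linkUp":
            self.macs_on_port[port] = set()
            self._assign(port, VLAN_REGISTRATION, "link up, nothing authenticated yet")
        elif event["type"] == "linkDown":
            self.macs_on_port.pop(port, None)
            self._assign(port, VLAN_REGISTRATION, "link down, park the port")
        elif event["type"] == "macLearned":
            self.macs_on_port.setdefault(port, set()).add(event["mac"].lower())
            self._evaluate(port)

    def _evaluate(self, port):
        """Decide one VLAN for the port from every MAC currently behind it."""
        wanted = set()
        for mac in self.macs_on_port[port]:
            entry = self.registry.get(mac)
            if entry is None:
                wanted.add(VLAN_REGISTRATION)             # unregistered device
                continue
            role, pinned_port = entry
            if pinned_port is not None and pinned_port != port:
                wanted.add(VLAN_ISOLATION)                # registered MAC showing up elsewhere
                continue
            wanted.add(VLAN_BY_ROLE[role])
        if VLAN_ISOLATION in wanted:
            self._assign(port, VLAN_ISOLATION, "pinned MAC seen on the wrong port")
        elif VLAN_REGISTRATION in wanted or len(wanted) > 1:
            # An access port carries one VLAN. With an unmanaged workgroup switch behind it,
            # one unknown or mismatched device drags the whole port down to least privilege.
            self._assign(port, VLAN_REGISTRATION, "unknown or mixed devices behind port")
        else:
            self._assign(port, wanted.pop(), "all devices registered, same role")


def run_scenario():
    """Constructed event stream; returns the controller so its state can be inspected."""
    ctl = PortController(REGISTRY)
    events = [
        {"type": "linkUp", "port": "Gi1/0/2"},
        {"type": "macLearned", "port": "Gi1/0/2", "mac": "00:1A:2B:3C:4D:02"},  # alice -> staff
        {"type": "linkUp", "port": "Gi1/0/5"},
        {"type": "macLearned", "port": "Gi1/0/5", "mac": "00:1a:2b:3c:4d:03"},  # bob -> staff
        {"type": "macLearned", "port": "Gi1/0/5", "mac": "00:de:ad:be:ef:99"},  # stranger, same port
        {"type": "linkUp", "port": "Gi1/0/7"},
        {"type": "macLearned", "port": "Gi1/0/7", "mac": "00:1a:2b:3c:4d:01"},  # printer MAC, wrong port
    ]
    for ev in events:
        ctl.handle_event(ev)
    return ctl


if __name__ == "__main__":
    for port, vlan, reason in run_scenario().actions:
        print(f"{port}: vlan {vlan:<4} ({reason})")
```

Two things worth noticing in the scenario: Gi1/0/5 is moved to the staff VLAN and then back to registration the moment a second, unknown MAC shows up behind it (the hub problem), and Gi1/0/7 is quarantined rather than merely parked because a MAC that was pinned to the printer's port appeared somewhere else, which is the cloning signal. Because the controller only reacts to what the switch reports, it is exactly as good as the switch's MAC notifications; on a port that never sends a trap, nothing here runs.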
 

Author Comment

by:AI-SYD
ID: 23976394
I appreciate all responses so far and have aimed to have this question closed in 1 month. I appreciate everyone's patience, but it takes time to test the suggestions made.

If you have a suggestion please submit it.

Thanks

Aalborg