USP Network Authentication System
Technical Whitepaper
Copyright © 2007 United Security Providers, January 2008, Version 2.3

Content
Executive Summary
Solution overview
Roadmap
Technical information
Overview of terms
Technical Information

Contact
Louis Oetiker, United Security Providers, Bahnhofstrasse 4, P.O. Box, 3073 Gümligen, Switzerland
louis.oetiker@united-security-providers.ch, www.united-security-providers.ch
Adrian Sieber, United Security Providers, Bahnhofstrasse 4, P.O. Box, 3073 Gümligen, Switzerland
adrian.sieber@united-security-providers.ch, www.united-security-providers.ch

Executive Summary

NAS
• Network access security
• Verification and management of device access
• Device authentication based on 802.1x and MAC addresses

Securing network access is becoming more and more of a challenge for companies. Especially in large, widely linked networks, conventional means are no longer sufficient to trace who connects which device to the network. The danger is obvious: viruses, worms and other malware can spread almost unhindered. External users, for instance, want to connect their mobile devices 'just for a minute' in your meeting room to get internet access, or employees bring their private devices and connect them to the network. The USP Network Authentication System (NAS) from United Security Providers identifies and verifies in-house devices and prevents unauthorised access to the network: it recognises devices that are not registered and reacts to such an access violation with one of a number of possible actions (for instance operator alarm, creation of a trouble ticket, transfer of the device into a quarantine zone, blocking of access).
The authentication of devices can be done via IEEE 802.1x or, alternatively, via MAC addresses. Both approaches can be flexibly combined. The use of NAS offers the following benefits:
• Access and integrity of devices can be verified and managed.
• The solution is ready to be implemented today, even if the infrastructure is not yet fully ready to support IEEE 802.1x. The system enables a step-by-step migration to the IEEE 802.1x standard.
• Up-to-date information at any moment on active devices within the network (location, connection, IP address etc.).
• Access to the network is managed through a set of rules which can be flexibly adapted to requirements.
• Information identified by the system can be used to improve the quality of the inventory database or to enforce a central purchasing policy.

Solution overview

Initial situation
The USP Network Authentication System (NAS) from United Security Providers not only prevents unauthorised access to the network by recognising unauthorised devices and taking one of a number of possible actions on an access violation, but also verifies in-house devices for their integrity as well as their identity. The NAS ensures supervision and protection of the network access and prevents unknown devices from accessing the network. Known devices report their current system condition to the NAS, which ensures that no in-house device is left exposed because of missing or outdated system components. Additionally, the NAS gives customers an ongoing, up-to-date overview of connected and authorised devices. Through easy integration into the existing infrastructure, the NAS secures company networks quickly and reliably.
Controlled access to your network
Several options to verify network access are supported by the NAS:
• 802.1x: devices activate access to the network via IEEE 802.1x; the authentication is normally done through digital certificates (EAP-TLS).
• MAC authentication: as an alternative to 802.1x, devices can also be identified by their MAC address. All authorised MAC addresses are listed in the central NAS database; such devices can be connected to any port within the network.
• Hybrid mode: 802.1x and MAC authentication as a base protection can be flexibly combined to protect ports. It is also possible to introduce 802.1x step by step in only certain parts of the network.
• 802.1x port with MAC bypassing: this is a special mode to support devices that are not 802.1x capable. If the NAS recognises that a device does not start an 802.1x exchange, the port switches to MAC authentication after a specified time interval.
Irrespective of the mechanism used, all information about the newly connected device is fed into the system database. This ensures the availability of up-to-date information on active devices within the network at any time.

Picture 1: How NAS works (diagram: terminals with an 802.1x supplicant or with a MAC address only, connected wired or wirelessly via an access point / 802.1x authenticator to the company network; a redundant central NAS 4.0 server with database and the RADIUS authentication server on the management network)

Device overview
The NAS uses different information sources to deliver a complete picture of the devices within the network.
• SNMP traps of network devices, to learn as soon as possible about changes of a device's status (connection and disconnection of devices).
• Frequent scans of switches and routers through SNMP to obtain the MAC address, switch port and IP address in use.
• Frequent import from the DNS via zone transfer, to provide IP addresses with a matching DNS name.
• Interpretation of information from the 802.1x authentication dialog, combined with the information from the SNMP scan.
• Query of the device health status using the new standard protocol IF-TNCCS-SOH. For instance, the SoH (Statement of Health) reports submitted by the client include data on the presence and state of the virus protection and the status of the Microsoft update function.
The information is bundled in the NAS database. It can be used for policy decisions as well as for reports.

Policy decisions
The NAS Policy Module takes on the role of a Policy Decision Point (PDP): the information received from the device is analysed against a flexibly definable set of rules in order to decide whether the device is allowed to communicate on the network or not. If a device does not have the desired status, or only partially fulfils it, different measures can be taken:
• Logging of non-compliant devices, which can then be analysed through reports.
• Release of a script, which leads to different actions (for instance sending an email or opening a trouble ticket).
• Relocation of the switch port into a different VLAN (quarantine VLAN or guest VLAN).
• Semi-automatic blocking of switch ports (only occurs after confirmation by a network operator).
• Automatic blocking of switch ports, or, in the case of 802.1x ports, simply not enabling the port.
The NAS set of rules enables the selective use of these measures, which can depend, for instance, on the type of device or its position within the network. The differentiation can be defined at the switch level as well as with the help of predefined switch port groups.
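The port modes from "Controlled access to your network" and the policy decisions just described form one pipeline: the port mode determines how a device is identified, and the rule set turns identity, Statement of Health and switch port group into measures. The Python below is an added example written for this page; it is not code from United Security Providers or the NAS product. The port mode names, the bypass timeout, the SoH field names, the rule format and the sample MAC addresses are all constructed assumptions.

```python
"""Port authentication modes and a policy decision point (PDP) modelled on the
whitepaper's description. Added example, not NAS code; every name, the rule
format and all sample data below are constructed assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class PortMode(Enum):
    DOT1X = "802.1x"             # strict: only EAP-authenticated devices get access
    MAC = "mac"                  # identity is the MAC address in the central database
    HYBRID = "hybrid"            # 802.1x when the device offers it, MAC otherwise
    DOT1X_MAC_BYPASS = "bypass"  # 802.1x, falling back to MAC after a timeout


class Action(Enum):
    ALLOW = "allow"
    LOG = "log non-compliant device for reports"
    SCRIPT = "run event script (e-mail / trouble ticket)"
    GUEST_VLAN = "move switch port to guest VLAN"
    QUARANTINE = "move switch port to quarantine VLAN"
    SEMI_AUTO_BLOCK = "block port after operator confirmation"
    AUTO_BLOCK = "block port (or never enable it, on an 802.1x port)"


@dataclass
class Observation:
    """What switch, RADIUS server and SoH exchange revealed about a new device."""
    mac: str
    port_group: str                        # predefined switch port group
    eapol_after_s: Optional[float] = None  # seconds until EAP started; None = never
    cert_valid: bool = False               # result of the EAP-TLS handshake
    soh: Optional[dict] = None             # Statement of Health; None = not sent


# Constructed central NAS database of authorised MAC addresses -> device type.
KNOWN_MACS = {"00:11:22:33:44:55": "workstation", "00:11:22:33:44:66": "printer"}
BYPASS_TIMEOUT_S = 30.0  # assumed wait before a bypass port switches to MAC auth


def identify(obs: Observation, mode: PortMode) -> tuple[str, Optional[str]]:
    """Return (method, device_type); device_type None means 'unknown device'."""
    started = obs.eapol_after_s is not None
    if mode is PortMode.DOT1X:
        use_dot1x = True
    elif mode is PortMode.MAC:
        use_dot1x = False
    elif mode is PortMode.HYBRID:
        use_dot1x = started
    else:  # DOT1X_MAC_BYPASS: late or absent EAP means the port fell back to MAC
        use_dot1x = started and obs.eapol_after_s <= BYPASS_TIMEOUT_S
    if use_dot1x:
        if started and obs.cert_valid:
            return "802.1x", KNOWN_MACS.get(obs.mac, "802.1x-authenticated")
        return "802.1x", None  # no supplicant or failed EAP-TLS on a strict port
    return "mac", KNOWN_MACS.get(obs.mac)


def compliant(soh: Optional[dict]) -> bool:
    """Assumed health test on the SoH items the whitepaper names."""
    keys = ("antivirus_on", "av_signatures_current", "windows_update_on")
    return bool(soh) and all(soh.get(k) for k in keys)


# Constructed rule set: (port group, device type, compliant?) -> actions.
# "*" = any value; None in the type column = unknown device; None in the
# compliance column = don't care. First matching rule wins, so specific rules first.
RULES = [
    ("meeting-room", None,      None,  [Action.GUEST_VLAN, Action.LOG]),
    ("*",            None,      None,  [Action.AUTO_BLOCK, Action.SCRIPT]),
    ("*",            "printer", None,  [Action.ALLOW]),  # printers send no SoH
    ("*",            "*",       False, [Action.QUARANTINE, Action.LOG]),
    ("*",            "*",       True,  [Action.ALLOW]),
]


def decide(obs: Observation, mode: PortMode) -> dict:
    """Policy decision point: identity + health + port group -> measures to take."""
    method, dev_type = identify(obs, mode)
    healthy = compliant(obs.soh)
    result = {"method": method, "type": dev_type, "compliant": healthy}
    for group, dtype, want, actions in RULES:
        if group != "*" and group != obs.port_group:
            continue
        if not (dtype == dev_type or (dtype == "*" and dev_type is not None)):
            continue
        if want is not None and want != healthy:
            continue
        return {**result, "actions": actions}
    # No rule matched: hand the decision to an operator rather than guess.
    return {**result, "actions": [Action.SEMI_AUTO_BLOCK]}


if __name__ == "__main__":
    good = {"antivirus_on": True, "av_signatures_current": True, "windows_update_on": True}
    print(decide(Observation("00:11:22:33:44:55", "office", 2.0, True, good), PortMode.HYBRID))
    print(decide(Observation("aa:bb:cc:dd:ee:ff", "meeting-room"), PortMode.MAC))
```

Two details matter when building such a rule set: rules are scanned in order, so the rules for unknown devices and for the meeting-room port group sit above the generic ones, and a known workstation without a supplicant is still refused on a strict 802.1x port because the port mode, not the database entry, decides which identification method counts.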
User interface
The user interface is a Web GUI with a role-based rights model. Depending on the role of the user, the following functions are available:
• Helpdesk role: can see the list of non-compliant devices and enable network access for blocked or quarantined devices.
• Network support role: in addition, can perform simple changes to rule settings as well as modifications to the list of supervised switches and routers.
• Administrator role: in addition, can change any configuration settings as well as adapt the NAS set of rules, add users, delete users and define roles.
If modifications to the set of rules are applied, the user is presented with an impact analysis showing the effect of the changes. Only after confirmation by the user do these changes take effect, ensuring that disruptions due to accidental errors are avoided.

Import interface
Network management and inventory systems can be integrated with minimal effort. This means supervised switches and routers do not have to be managed in a further system if they are already catalogued in an NMS. The NAS provides a standardised import interface, which is based on the transfer of flat files from the source system to the NAS server. The data can be transferred at any time and is then uploaded to NAS in a timely manner.

Reporting
Data that has been collected in the NAS database can be analysed in an existing reporting tool (for instance Business Objects) or in the NAS Web GUI.
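The "Device overview" section lists the sources the NAS fuses (SNMP scan of the switches' forwarding and ARP tables, DNS zone transfer, the central database of authorised devices), and the report below counts known, unknown and newly unknown devices per day from that data. The Python below is an added example written for this page, not NAS code: it builds one inventory record per active device from constructed SNMP and DNS sample data and then produces report rows of that shape. The MAC addresses, IPs, host names, switch names and the definition of "newly unknown" (an unknown MAC not seen on any earlier day) are all assumptions, since the whitepaper does not define the metric.

```python
"""Device overview and NAS-style report. Fuses the sources the whitepaper lists
(SNMP Bridge-MIB forwarding table, IP-MIB ARP cache, DNS zone transfer, central
known-device database) into one record per active device, then counts known /
unknown / newly unknown devices per day. Added example written for this page,
not NAS code; every table below is constructed sample data."""
import copy

# Constructed SNMP scan output: per switch, the Bridge-MIB forwarding table as
# (mac, port) pairs. MAC notation varies by vendor, as it does in real scans.
BRIDGE_TABLE = {
    "sw-01": [("0011.2233.4455", "Gi1/0/3"), ("AA-BB-CC-DD-EE-FF", "Gi1/0/7")],
    "sw-02": [("00:11:22:33:44:66", "Gi1/0/1")],
}
# Constructed IP-MIB ARP data (mac -> ip) and DNS zone transfer A records (name -> ip).
ARP_CACHE = {"00:11:22:33:44:55": "10.0.1.20", "aa:bb:cc:dd:ee:ff": "10.0.1.99",
             "00:11:22:33:44:66": "10.0.2.5"}
ZONE = {"ws-0420.example.invalid": "10.0.1.20", "prn-lobby.example.invalid": "10.0.2.5"}
# Constructed central NAS database of authorised MAC addresses.
KNOWN_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, whatever notation the switch used."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_inventory(bridge_table, arp_cache, zone, known_macs):
    """One record per active device: location, IP, DNS name and known/unknown."""
    ip_to_name = {ip: name for name, ip in zone.items()}
    records = []
    for switch, entries in bridge_table.items():
        for raw_mac, port in entries:
            mac = normalize_mac(raw_mac)
            ip = arp_cache.get(mac)  # None if the scan saw no ARP entry for it
            records.append({"mac": mac, "switch": switch, "port": port, "ip": ip,
                            "dns_name": ip_to_name.get(ip), "known": mac in known_macs})
    return records


def daily_report(days, previously_seen=frozenset()):
    """days: [(date, records)] in chronological order. 'Newly unknown' is taken
    here to mean an unknown MAC not seen on any earlier day (an assumption)."""
    seen = set(previously_seen)
    rows = []
    for date, records in days:
        active = {r["mac"] for r in records}
        unknown = {r["mac"] for r in records if not r["known"]}
        total = len(active)
        new_unknown = unknown - seen
        rows.append({"date": date, "total": total, "known": total - len(unknown),
                     "unknown": len(unknown),
                     "unknown_pct": round(100.0 * len(unknown) / total, 2),
                     "newly_unknown": len(new_unknown),
                     "newly_unknown_pct": round(100.0 * len(new_unknown) / total, 2)})
        seen |= active
    return rows


def sample_days():
    """Two constructed scan days; on the second a further unknown device appears."""
    day1 = build_inventory(BRIDGE_TABLE, ARP_CACHE, ZONE, KNOWN_MACS)
    table2 = copy.deepcopy(BRIDGE_TABLE)
    table2["sw-02"].append(("11:22:33:44:55:66", "Gi1/0/2"))
    day2 = build_inventory(table2, ARP_CACHE, ZONE, KNOWN_MACS)
    return [("12.09.2006", day1), ("13.09.2006", day2)]


if __name__ == "__main__":
    for row in daily_report(sample_days(), previously_seen={"aa:bb:cc:dd:ee:ff"}):
        print(row)
```

The normalisation step is the part that bites in practice: switches from different vendors report the same interface as "0011.2233.4455", "AA-BB-CC-DD-EE-FF" or "aa:bb:cc:dd:ee:ff", and a database lookup on the raw string silently turns a known device into an "unknown" one.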
NAS Report: Number of known, unknown and newly unknown devices, from 12.09.2006 till 23.09.2006

Date         Total   Known   Unknown   In % of total   Newly unknown   In % of total
12.09.2006   28502   18564     9938    34.87%          152             0.53%
13.09.2006   29416   19375    10041    34.13%          133             0.45%
14.09.2006   29957   20186     9771    32.62%           70             0.23%
15.09.2006   31456   20997    10459    33.25%           88             0.28%
16.09.2006   31841   21808    10033    31.51%           52             0.16%
17.09.2006   32065   22619     9446    29.46%           87             0.27%
18.09.2006   33425   23430     9995    29.90%           49             0.15%
19.09.2006   33963   24241     9722    28.63%           73             0.21%
20.09.2006   33989   25052     8937    26.29%           85             0.25%
21.09.2006   34112   25863     8249    24.18%           88             0.26%
22.09.2006   34455   26674     7781    22.58%           68             0.20%
23.09.2006   34521   27485     7036    20.38%           45             0.13%

Picture 2: Example of a NAS report

Roadmap
The NAS roadmap is aligned with the Network Access Control (NAC) vision by Gartner.

Picture 3: Gartner's NAC (Network Access Control) model (diagram labels: Preventive: Policy, Devices, Users, Baseline, Agent-Based, Agentless, "Operationalize", Maintain; Access Control: Allow, Quarantine, Block, Filter Packets, Firewall Reconfiguration, ARP Modification; Contain, Mitigate, Monitor: Install Patches, Update Antivirus, Repair; Reactive: Node State Change, Anomaly Detection)

The roadmap for the next releases looks as follows:

Availability: Immediately
• Policy Module, set of rules, port groups
• MAC authentication (without access limitation to certain switch ports)
• SNMP trap handling
• MAC and IP scanning
• DNS zone transfer
• Web GUI
• Reporting with external reporting tools
• Inventory import interface

Availability: October 2007
• Reporting integrated in the Web GUI
• Management of supervised switches and routers within the Web GUI and via the import interface

Availability: January 2008
• Authentication via IEEE 802.1x
• Hybrid mode: MAC authentication and 802.1x
• 802.1x with MAC bypassing
• RADIUS proxy functionality
• Support for SoH messages

Availability: June 2008
• Verification of end point compliance through use of the standard protocol IF-TNCCS-SOH
• Integration of end point compliance into the set of rules and policy decisions

Technical information

Network devices
Switches/routers: base functionality, VLAN configuration, quarantine VLAN, recognition of VoIP ports. Generally all managed switches and routers with support for SNMP v1 or v2c:
• Cisco IOS release level >= 12.1
• Cisco CatOS release level >= v6.4
• Generally support for further manufacturers through additional switch adapters

Web GUI
Web browser: all modern web browsers (Internet Explorer, Firefox, etc.)

Client
Agentless: to obtain the health status of the client, SoH messages are used. SoH is integrated into the client operating system; a roll-out of an additional agent is not necessary.
Operating systems: the following operating systems support SoH:
• Windows XP SP3 (available at the end of 2007)
• Windows Vista

Quantity information
Number of devices: dependent on the sizing of the hardware. The largest productive installation supervises approx. 50,000 devices.
Number of switches and routers: dependent on the sizing of the hardware. The largest productive installation supervises approx. 2,300 switches and 800 routers.
Number of SNMP traps per minute: dependent on the sizing of the hardware. The largest productive installation processes up to 600 SNMP link up/link down traps per minute during peak periods.
Geographical size of the supervised network: generally unlimited. However, the average latency time should be below approx. 200 ms.

Overview of terms
Ethernet switch: a central network point which provides LAN connection to devices.
IEEE 802.1x: IEEE standard for secure network authentication.
MAC address: a 48-bit identifier for an Ethernet interface.
NAS: Network Authentication System.
SNMP: Simple Network Management Protocol, a network protocol to supervise and administer network points.
SNMP Trap: a type of alarm message which is sent through SNMP from a central network point (switch) to the NAS. It is sent, for instance, when a device has connected to a switch.
SoH: Statement of Health, a message on the health status of a device.
VLAN: Virtual LAN.

Technical Information

Communication with network infrastructure
• SNMP v1, v2c or v3 (default: SNMP v2c)
• SNMP traps
• SNMP MIB-II (IP-MIB, IF-MIB, Bridge-MIB)
• SNMP Q-Bridge-MIB or vendor-specific MIBs for VLAN information
• IEEE 802.1x
• IEEE 802.1Q VLAN
• Dynamic VLAN assignment
• DNS zone transfer (RFC 1995)

IEEE 802.1x support
• IEEE 802.1x RADIUS (RFC 3580)
• EAP (RFC 3748, RFC 2716)
• RADIUS proxy support

User interface
• HTTPS, SSLv3/TLS (RFC 4346)
• Web GUI with role-based authorisation model
• Predefined role model: Helpdesk, Support, Admin, Reporting

Management interface
• Management Web GUI (HTTPS)
• SSHv2
• Central configuration management with Web GUI

Performance and availability
• Mirrored data management in different locations possible
• Multi-threaded architecture, good scalability on multicore CPUs
• One central NAS system can handle thousands of switches/routers and tens of thousands of devices. The maximum size of the controlled network depends on the hardware used and on the latency in the network.

Logging and alerting
• All important events are logged (log files and log table in the database)
• Forwarding of log messages and alerts by syslog and/or SNMP trap
• Event scripting with any action possible (e.g. sending e-mails/SMS or opening a ticket in a trouble-ticket system)

Interfaces for data exchange
• Import interface for multiple independent source systems
• JDBC, ODBC, SQL, XML
• Import of flat files (CSV files) via SFTP

Reporting
• Integrated reporting engine in the Web GUI
• Output formats: HTML, PDF or text files
• Connection to other reporting tools possible, e.g. Business Objects, Crystal Reports etc.

Platforms and operating systems
• Java Platform, Standard Edition, version 5 or higher
• Servlet 2.4/JSP 2.0 web container (e.g. Tomcat 5.x)
• Linux, UNIX or Windows Server
