I said I needed to write about this because it is such a great topic. What I’m talking about here is Enterprise & Campus LAN security. Here’s the situation:
You have a Microsoft Windows-based enterprise network with over 2,000 clients and a campus LAN (mostly wired switches supporting 20-50 users per location). You are asked for a good way to secure this network to prevent intrusions or other unauthorized access to the network (I say good way, instead of best way, because there is no best way, ever).
So, this is something I’ve come across. There are so many things you can do at the switch level. We could set up MAC filtering. For me, this is way too time consuming. With over 2,000 clients you’ll have people come and go and bring new computers; it’s a hassle and it never quite works right. Plus, your network is STILL exposed, especially to MAC spoofing, since a MAC address is trivially cloned and the switch has no way to tell a spoofed one from the real one.
VMPS (a policy server that assigns VLANs based on MAC address) is similar to MAC filtering. I’ve used it and it works; however, there are vulnerabilities to this day that Cisco will not address since they’re deprecating this technology (I believe).
You could set up a port-security profile on all the switches. This works pretty well but it DOES require a lot of effort and time. Ports will shut off or not work, and port-security will sometimes trigger when there’s no real threat, so again, this is too time consuming. Also, when new computers are added you need to activate those ports; it’s hard to manage effectively. I’ve used this and I had to loosen the port-security profile to make it worthwhile.
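To make the “loosened” profile concrete, here is an added example of a Cisco IOS port-security configuration for a block of user access ports; it is not from the original post. The interface range, VLAN number and timers are placeholders. It keeps the one-MAC-per-port check but uses the `restrict` violation mode and err-disable recovery so that a false trigger drops and logs the offending frames instead of leaving a port dead until someone clears it by hand.

```cisco
! Added example (not from the original post). Interface range, VLAN and
! timers are placeholders; adjust to your campus.

! Global: if a port does get err-disabled by a violation, bring it back
! automatically after 5 minutes instead of waiting for a helpdesk ticket.
errdisable recovery cause psecure-violation
errdisable recovery interval 300

interface range GigabitEthernet1/0/1 - 48
 description User access ports
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 ! Enable port-security and allow exactly one learned MAC per port
 switchport port-security
 switchport port-security maximum 1
 ! "Loosened" profile: on a violation drop the extra frames and raise a
 ! syslog/SNMP trap rather than shutting the port (shutdown is the default)
 switchport port-security violation restrict
 ! Forget the learned MAC after 60 minutes of silence so a replaced PC
 ! does not strand the port on the old address
 switchport port-security aging time 60
 switchport port-security aging type inactivity

! Verification after deployment:
!   show port-security
!   show port-security interface GigabitEthernet1/0/1
!   show port-security address
```

Watching the violation counters from `show port-security` over a week is the easiest way to judge whether the profile is tuned right: a steady trickle of violations on ports where nothing suspicious is happening is the “triggers when there’s no real threat” problem described above, and it is what usually drives the move to 802.1x.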
An even better solution than those would be to use wired 802.1x. Using 802.1x works pretty well in the environment described above. The way it works is that when a computer is ready to be placed on the network, a technician ensures its compliance and, if it is found compliant, that computer is awarded a certificate (a digital certificate is placed on the hard drive). All switch ports in the campus are configured to check with a RADIUS server before allowing connections. When the compliant computer is plugged in, a certificate check is performed by the RADIUS server (this will be your Active Directory DC or Certificate Server running RADIUS). The Cisco switch just acts as a proxy, passing the information back and forth. During this time only the traffic needed to authorize the client is allowed. Once the server gives the OK to the switch, the port is activated for full communications. Voila! Of course, the downside here is that a technician must install that certificate. There are ways to install it automatically, but then who’s checking to see if the client is updated and compliant? Anyway, this method is great, but of course it requires a network engineer and the systems counterpart to work together.
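The switch side of the 802.1x setup just described, as an added example that is not from the original post. It uses the older Catalyst `dot1x` command syntax (newer IOS releases expose the same knobs under `authentication ...`). The RADIUS server address, shared secret, interface range and VLAN numbers are placeholders; the RADIUS server itself (IAS/NPS on the DC, with the client certificates) is configured separately.

```cisco
! Added example (not from the original post). 10.0.0.10, the shared
! secret, VLANs 10/999 and the interface range are placeholders.

! AAA: send 802.1X authentications and network authorizations to RADIUS
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! The DC / certificate server running RADIUS; 1812/1813 are the standard ports
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
! Turn on 802.1X globally; without this the per-port commands do nothing
dot1x system-auth-control

interface range GigabitEthernet1/0/1 - 48
 description User access ports (802.1X)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 ! The switch is only the authenticator (the "proxy" in the text);
 ! EAP is relayed between the client and the RADIUS server
 dot1x pae authenticator
 ! Port passes nothing but EAPOL until the server returns Access-Accept
 dot1x port-control auto
 dot1x host-mode single-host
 ! Re-check the client periodically instead of trusting one success forever
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 ! Clients with no supplicant (no-response) or a failed certificate check
 ! land in a restricted VLAN rather than the production VLAN
 dot1x guest-vlan 999
 dot1x auth-fail vlan 999
 dot1x timeout tx-period 10

! Verification after deployment:
!   show dot1x all
!   show dot1x interface GigabitEthernet1/0/1 details
```

The two VLAN 999 lines are the operational safety valve: a printer or a freshly imaged PC without its certificate still gets a port, but on a network segment that only reaches what the helpdesk needs to fix it, and `show dot1x all` tells you which ports are sitting there.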
Finally, this brings us to NAP and NAC, Network Access Protection and Network Admission Control, respectively. NAC is the networking component and is used on several Cisco devices (the switch, Access Control Server, NAC device). It can be used by itself, without NAP, and vice versa.
NAC works much like wired 802.1x, whereby a client is given very limited access to the network for the purpose of authorization. NAC checks the client against a policy you define. Let’s say that you’re deploying NAC & NAP. In this case, Microsoft’s NAP will validate the client and the Cisco switch will act as a proxy. With NAP you define a policy as well, and rather than being limited to a GO or NO-GO, you can create categories such as “Quarantine” where your enterprise patch management can bring the client up to date, to compliance. Once compliant, a “health certificate” is issued through NAC to the client and the Cisco switch allows full network access. The important thing about deploying NAC, even though it is MOSTLY acting as a proxy, is that it transfers all this data securely, using 802.1x or EAP over UDP. I’m leaving out a lot of details, but that’s the point.
I should mention that NAP is a feature of Windows Server 2008 and Vista, and I don’t know if MS has released versions for Windows Server 2003 and XP. However, you can still use NAC instead of NAP in almost the same way. Cisco develops a client for it (Cisco Trust Agent or something like that).
So what’s so great? With this solution it’s almost impossible to introduce non-authorized clients to your network. It also makes it hard to introduce authorized clients with out-of-date anti-virus or missing patches. You’re basically one step closer to the automated enterprise network.