DIDW: An Identity-Based Approach to Network Access Control
-Special thanks to Roy Chua for taking notes on this session I participated in on Tuesday-
Panel
ESG
- Jon Oltsik – introducing
ConSentry – Jeff Prince
- Secure internal LAN, not rip replace
- Full user visibility and mitigation
- Here – identity key to their closing of business
Sanjay Uppal – CEO of Caymas
- Identity control appliances
- Have been doing for some time now
- How it all comes together, two important categories coming together
Sean Convery – CTO of Identity Engines
- Network identity management platform
- User is center of identity in enterprise
- Bring user directories to the network – to make meaningful decisions
- Works with new devices as well as existing equipment
Paul Sangster – Chief standards officer at Symantec
- Security and integrity protection for enterprises
- Co-chair of TNC group
- Working on NAC open standards
Definition of Network Identity
Paul Sangster
- establishing set of attributes with regard to things on network
- From NIC card to laptop to human
- And authorized to get on network
- Identity – ties into integrity and event management
Sean Convery
- Network ID used to be MAC and IP addresses
- Talked about spreadsheets and IP = user
- Mobility has made MAC and IP more difficult
- Seeing prevalence of user-centric identity
- From simple auth to 802.1X
Sanjay
- Practical and then future
- 2-factor, client certs – one aspect
- Other aspect – integrity of device – combination of multiple ID
- Practical – integrity of device
- User – username, password, token
- Future – combination of two
Jeff Prince
- Knowing users and machines connecting to network
- Trick (as Sean put) – bind users to IP and MAC
- How to make user-readable, and location-based – bob, using machine X in office 12
- Location is important as well
Cisco and MSFT were invited to participate but declined
Jon: implementation is difficult
Many supplicants, devices, EAP strategies
What can help people ease into a solution?
Jeff Prince
- Been in networking long time
- Things that become pervasive on network – easy to deploy, cost effective, high performance
- Cisco NAC – good vision, impossible to implement
- ConSentry want to execute that vision – e.g. rip out L2 switches
Sean Convery
- Cisco not quick to release NAC specifications
- Seeing lots of interest in preserving infrastructure built out
- Seeing disparity in making enforcement technologies
- From enterprise – deploying 6, 8, 10 different things – hard
- Need central authoring and policy point
- Trying to put all eggs in one technology basket is troublesome long term
- Particularly due to lack of standards
Paul Sangster
- See difficulty in deploying – e.g. AV, desktop FWs – people turning it off
- IT needs centralized point of control – and when joining, want to make sure that the machine is healthy and to do so periodically
- Customers tell them this is very difficult but customers don’t want to take the wrong step – don’t want to step up until see long term future of space
Sanjay Raja
- Agree that Cisco and MSFT is not open enough
- Don’t agree with vision of NAC – network admission control
- Customers are asking, after you get admitted, where can you go
- Shouldn’t be limited to just network, but applications as well
- NAC should be access control done in the network, as opposed to, to the network
Jon: who supports TNC, and why hasn’t everyone in audience heard of it
Paul Sangster
- Communication – Cisco and MSFT have large PR budget and voices
- TNC – many large companies, focused message is hard
Jeff Prince
- Biggest frustration – CSCO not member
- Own 80% not adhere to standard, neuter standard
- User community put pressure on CSCO to join
- Best way is to drive standards between endpoint and network
Sean Convery
- Not failure of TNC
- But failure of any architecture for NAC overall
- Have had problems deploying NAC framework at Cisco
- Customers are coming and saying NAC with AV, and firewall and .dat files are good
- Want to know who’s coming on network first, and then along with everything else
Sanjay Uppal
- Agreed, how to integrate client with network
- Should have defined protocol for not 802.1X but others
- Captive portal and web-based login first, and then do bells and whistles
- Need an open supplicant
Jon: trying to rally around the open supplicant
- MSFT, CSCO, Juniper – proprietary – how to drive open supplicants
- Good grassroots support to date – www.enterprisestrategygroup.com
Question from audience:
- Why won’t people stay with MSFT and CSCO and wait until they are done rolling out?
Sanjay Uppal
- Most of their customers (e.g. Hormel), waiting for Longhorn or CSCO, a lot to ask for from people with problems today
- Already have problems with identity theft and guest users
- Products on panel will solve that today and don’t have to wait till giants learn to dance
- For entire infrastructure though, advice is to wait
Paul Sangster
- Normal enterprise risk analysis decision
- Lots of data on cost for enterprise for not being able to enforce decisions about posture (worms, malware etc)
- Don’t want to make bad decision, need future proofing
- Nature of attacks over last 12 months, more focused on enterprises
- Without integrity checking, lots of enterprises have user auth, nothing to stop malware
- Need to have no malware stealing credentials
Sean Convery
- Agree that solving acute problems today
- Biggest people deploying our product have short-term access problems
- When talking about NAC and are people ready to deploy NAC
- NAC is AAA
- Dialing into POP over SLIP – using AAA NAC back then
- Principal reason we exist – authenticate people on network
- Repository of user identity and not treated as a critical resource on network
- AAA down – lose VPN and wireless
- Moving forward, how do you authorize users to get on network
Sanjay Uppal
- On aspects of what customers should do from a practical standpoint
- Non-employees getting on network – biggest risk
- Yesterday – SLIP connection – had today, but need combination of identity of user and device as well (e.g. folks in India and Philippines doing contract programming)
Jon:
- How much marketing money CSCO has? Lots
Audience: where’s the vision for centralizing policies throughout the company? Don’t have the people – geeks on parade. Don’t want to call someone to make change in some device. How to go into a central policy store to make these changes enterprise-wide.
Jon – paraphrase – centralized policy instead of policy everywhere
Sean:
- Think we won’t have centralized policy today, and may never, but some day
- Trying to embrace standards around this area – e.g. XACML around that, SOAP-based interface
- Work on networking problems first, and then start doing it for the applications-side, assert it to the future
Jeff:
- See solution boiling down to three basic components:
o End point, control piece in switching infrastructure, and IdM infrastructure
o Defining standards – is critical
- Today, ConSentry built controller behind the switches, can’t rip and replace everything
- As people do switch replacement, will see it coming in
- Announced secure switch, embeds full function into wire-speed switch
Sanjay Uppal
- From enterprise, have concern about adding more layers
- Don’t want new policy in AD, RADIUS etc
- There are standards for asking about Identity – not rich, but can work
- No standard way to ask for policy yet
- Also need standards to federate health
- Once standards set – one place to set policy to get management policy (not appliance), and enforcement can be switch or not, think appliance is still important, need client piece as well for integrity
Paul Sangster
- Centralized place for policies
- Everyone has that, but then you still end up with many centralized stores
- Need MetaDirectory
- Need a PDP that can talk to other PDPs or network
- Can express PDP in some form and push it out (e.g. XACML)
Jon:
- See standards – e.g. Federation, users have to drive big vendors on TCG and 802.1X
- Will have more IP devices, no vendor at all, including CSCO, MSFT, that will give us what we need
Audience:
Qn: focus on LAN and enterprise network, WiFi LANs, services networks etc
Federated model with common security model, tying in all the items, e.g. DS_69 on DSL forum, is important. Standards from wide area, to LAN to core etc.
Is there integrated architecture, for LAN, WAN, Service Provider etc?
Paul Sangster
- Don’t want different infrastructure for all – how to come up with extensible portion across all networks
- Access points for WiFi to talk to RADIUS
- Maybe not needed for LAN over cable
- Backends need common infrastructure – TNC identity all common areas
- Have laid down protocols for bottom layer for some areas already
- Pushing that TNC can cover it all as a high-level infrastructure
Sean Convery
- When we say appliance, means different things to different people
- Goal of IDE is to work with different types of devices
- E.g. FW, switch etc
- Aggregation to get all these things talking
- RADIUS got us on 99% of access decision today
- Some disagreement – position – rich decision made in one place is good, but also want consistent set of entitlements in terms of what you’re allowed on
- But can only do that with standards - so there is limitation
- Even insertion of a device everywhere is close to rip and replace
Sanjay Uppal
- NAC is not limited to LAN
- Disagreement – their device can check local area network and wide area
- Perimeter is disappearing but they are appearing elsewhere
- It is not just LAN, but also where users are coming in from
Jeff Prince
- No reason why they can’t span LAN and WAN
- Once solve problems for LAN, then can solve problems for WAN and other places as well
Audience – TNT
- Practitioners here – don’t wait. Even TCG/TNC will take time
- There are problems now, and people are buying equipment that the vendors are buying
- Forward thinking folks don’t care and will solve the problem now
- ‘Who is buying the stuff now’
- What position, what problem solving
Jeff:
- Customers are driven by compliance – PCI compliance in 3 weeks
- Passed audit within 3 weeks
- Regulated folks – HIPAA, PCI, SOX – folks with corporate assets on LAN
- Prove have clamped data need now
- Compliance is not done yet (still real today)
Sanjay:
- 1. There is a compliance push out there
- No one is making be-all and end-all of compliance solution
- Have one, pass all, no compliance in a box today
- Can implement these much quicker
- 2. Business enablement – e.g. outsourcing, make sure people only get access to specific areas. Not security value-prop, but business value-prop
- 3. Risk management – ID theft, laptops getting stolen, CIOs want to lock down sensitive information, criminal or other records
- Identity-based NAC to deal with that
Sean:
- Biggest problem – contractors, guests, visitors – that we are solving right now
- Keeps customer excited longer term
- Flexibility of policy
- Organizations have directories all over – really useful information – meaningful access decision
- E.g. Library at university that wanted low QoS for overdue customers
Paul:
- Apply political approach
- He is a standards person
- TNC – no standard, but people have standards-compliant products?
- Going out and taking RADIUS and using it
- Using EAP and if doing 802.1X, already have it
- TLS, IPsec, doing standards over
- Have to have a common way to do the same thing, protocol standards already exist
Jon: 7 minutes left – Lightning Round
Audience: so, who is the buyer?
Jeff:
- Security is champion, but the network ops guys are the ones buying
Sanjay:
- Security guy signoff
- App guy if app resource, or networking guy if network resource
Sean:
- Network and security guys
Paul:
- Same
Papa Gino’s – audience, Chris Cahalin, Network Manager
Qn: $ spent towards unified standards is $ saved
-TPM already exists on laptops – march 2005 – have been using it
- Facilitates business
- Backs TCG
- Extends end-point analysis, can you trust the response you’re getting
- In deployment today
- Appreciates open standards
Jon: closing thoughts
Paul:
- too many NAC, tell vendors that want one open solution, can start today
- Built on things already deployed
Sean:
- Can start today
- Things that you can do that don’t require TPM or OTP
- User names and passwords insufficient is not reason
- Diagnostics etc are more significant
Sanjay:
- Enterprises with business problem today – they have solution
- Audience in IdM space – combination will get there
Jeff:
- Clear alternatives to CSCO
- Get to secure LAN today with them
- Give them opportunity and show value