Bring Your Own PC – Thanks to NAC Jeff Crawford Manager of Networking and Security www.egrps.org
Bring Your Own PC – Thanks to NAC - Aventri...3Com/Trapeze and Cisco/Aironet/Airespace were both considered. Cisco solution was selected as 3Com/Trapeze solution could not demonstrate

Aug 24, 2020

Page 1: Bring Your Own PC – Thanks to NAC

Jeff Crawford, Manager of Networking and Security

www.egrps.org

Page 2: Agenda

- A Little Information About East Grand Rapids Public Schools
- [Briefly] The Long, Slow Evolution To NAC Happiness
- Operation STS Phase I (2007-2008)
- Operation STS Phase II (2008-2010)
- Operation STS Phase III (2010-2011)
- Advice

Page 3: East Grand Rapids Public Schools (EGRPS)

- K-12 public school system in southwest Michigan
- 3 elementary schools, 1 middle school, 1 high school, and 1 administration building
- ~$28.1 million operating budget
- ~3,000 students
- ~450 staff members
- ~1,600 end user devices connect to the network per day
- ~300 end user wireless devices per day
- ~126 guest user devices per day

Page 4: EGRPS – IT Philosophies

Mission Statement: “Educating and inspiring each student to navigate successfully in a global community.”

- It is our job as educators to create the best learning environment for each student.
- Student access to technology is key to successful education (inspired by Indiana’s inACCESS program).
- Strongly believe in Open Standards, Open Content, and Open Source.
- Everything done in house: RFPs, planning, design, implementation, testing, etc.

Page 5: EGRPS – RFP Process

- State the problem or need.
- Identify possible solutions and vendors.
- Meet with manufacturers, not resellers.
- Develop project milestones, timeline, and budget.
- Develop RFP draft(s), project metrics, and evaluation rubrics.
- Meet with manufacturers to review drafts, gauge interest, and engage resellers if needed.
- Publish RFP, FAQ, and all other relevant information on the web.
- All vendor questions handled via email and posted on the web.

http://www.egrps.org/summer2008tech/

Page 6: Wake Up Call – 2001 Pioneer Classic Debate Tournament

During the 2001 EGRHS Pioneer Classic Debate Tournament a debate competitor attached his/her computer to the wired network.

The machine was infected with the Nimda worm the night before on a local hotel’s open wireless network.

- ~300 Windows 98/2000 PCs were infected district-wide.
- Clean up was done by in-house staff and took over 80 man hours.
- District purchased beefed up anti-virus (Symantec Anti-Virus Corporate Edition).
- District decided to unplug all high school switches during future debate tournaments.

Page 7: First Baby Step – EGRPS 2003 Allow Policy

In 2003, a working group of EGRPS administrators, teachers, support staff, board members, and students formed a policy that allowed students in grades 6-12 to bring in their own devices for educational work.

- Students were required to meet with district IT staff to be “interviewed” as well as have their machines inspected.
- Traffic was segmented onto its own VLAN and wireless SSID (static WEP key), and a beta 3Com SecureIX firewall (later became the 3Com/TippingPoint X5xx series) was used to do basic internal firewall/IDS/IPS.
- 31 total students signed up.

Page 8: 2006 – Welcome to the World of Wireless Management

In June of 2006 EGRPS replaced existing Cisco Aironet 1100 series APs with a managed wireless solution (LWAPP).

- 3Com/Trapeze and Cisco/Aironet/Airespace were both considered.
- Cisco solution was selected as the 3Com/Trapeze solution could not demonstrate successful mobility groups or roaming.
- Cisco WLC-4402 controller, 1242ABG Access Points, and Cisco Wireless Control Software (WCS) all purchased and installed.

Page 9: Introducing Operation STS – Motivations

FUNDING
- K-12 funding in the State of Michigan is an unknown.
- Technology bonds are not guaranteed to pass.
- General Fund dollars increasingly being consumed by salaries and health care.

LEARNING
- Democratize technology in education. Students should be able to use the device that best facilitates their learning (form factor, OS, software, etc.).

SECURITY
- A plethora of devices and users will continue to show up and require access to network resources.
- Guest user access should be granted at the edge (at the reception desk, the wireless AP, and the edge ethernet port).
- Security should be as transparent as possible as well as vendor, device, and operating system agnostic.

Page 10: Operation STS Phase I Project Goals

- Implement Trusted Computing Group’s Trusted Network Connect (TCG/TNC) NAC components (Access Requester, Policy Enforcement Point, Policy Decision Point).
- Mitigate risks
  - Open network to authorized users on guest wireless devices.
  - Prevent unauthorized users or devices from accessing the network.
- Unmanaged wireless clients are forced through captive portal.
- Pre-posture analysis for guest wireless devices
  - Basic patch level
  - Firewall enabled
  - Anti-virus installed
- Upgrade wired switching infrastructure (edge, distribution, core)
  - Support RFC 3580, TNC standards
- Implement 802.1x capable packet shaping solution
  - Just do basic subnet shaping for now.

Page 11: Trusted Computing Group’s Trusted Network Connect (TCG/TNC) NAC Components

Page 12: Operation STS Phase I Access Requester

On managed Windows, Linux, and Mac machines we selected the open source, standards-based OpenSEA Xsupplicant.
- Cost effective!
- Open Source!
- Open Standards!

On unmanaged Windows, Linux, and Mac machines we decided to use a dissolvable agent delivered by the captive portal.
- Limits liability and support calls.
- Allows for a plethora of operating systems.

Page 13: Operation STS Phase I Policy Enforcement Point (PEP)

- Existing Cisco ASA 5520 external firewall (Cisco SSL VPN)
- Existing Websense Enterprise Web Security content filter
- Existing Cisco wireless infrastructure (4402 controller, 1242ABG access points, WCS software)
- Upgrade existing 3Com wired infrastructure (edge, distribution, core)
- Acquire Internet/WAN shaping device

Page 14: Operation STS Phase I Policy Enforcement Point (PEP)

Evaluated 3Com, Cisco, HP, and Enterasys wired switching solutions.

Enterasys Networks selected.
- Second-lowest bidder.
- Supported TCG/TNC standards.
- Built-in policy engine turns the switch into a stateful firewall.
- N7 core, SecureStack B/C distribution, SecureStack B/C/D edge, NetSight Inventory/Console management.

Page 15: Operation STS Phase I Policy Enforcement Point (PEP)

Evaluated Astaro, BlueCoat, DeepNines, Exinda, F5, Juniper, Packeteer, and Riverbed Internet shaping solutions.
- Astaro, DeepNines, and Exinda were all “all in one” firewall devices and we were happy with our existing Cisco ASA 5520.
- BlueCoat, F5, Juniper, and Riverbed were all very attractive solutions but did more than we needed.
- Packeteer offered the best balance of price and performance.

Packeteer 3500 10 Mbps Shaping selected.

Page 16: Operation STS Phase I Policy Decision Point (PDP)

Evaluated many different NAC solutions.
- Not many standards-based or open source.
- Preferred out of band, hardware appliance.
- Must support Windows, Linux, and Macintosh.
- Must include dissolvable agent.
- Originally evaluated Cisco, Juniper, Novell, PatchLink, SonicWall, Sophos, and Symantec.
- Most vendors want to sell you a complete system (switches, clients, reporting tools, etc.) and were expensive or were software-only solutions.
- Stumbled upon Avenda Systems at Interop 2008 in Las Vegas.
- No one was at the price point or as switch vendor agnostic as Avenda Systems.

Selected Avenda Systems eTIPS Policy Platform (dual eTIPS 5200 appliances)

Page 17: Operation STS Phase I Implementation

Avenda eTIPS implementation
- Integrated seamlessly with existing Cisco wireless infrastructure.
- Up and running in two days!
- No gotchas, no issues, worked perfectly.

Packeteer 3500 implementation
- I installed the device by myself in less than an hour.
- Left it in Discovery mode for 4 days to learn traffic patterns.
- Started shaping and noticed immediate benefits.
- No longer did HS students bring Internet bandwidth to a crawl.
- Bandwidth provisioned equitably.

Page 18: Operation STS Phase I Implementation

Enterasys wired switching implementation
- I designed and tested the configuration in my lab for two weeks.
- Deployed configuration to 59 switches in 8 hours.
- A colleague of mine and I racked, installed, and patched all 59 switches in 21 MDFs/IDFs over a weekend.
- Only real issue occurred 4 months after deployment when a critical switch failed and disrupted service at the high school during exams.

Page 19: Operation STS Phase I Results

- Allow program of 31 total (averaged 17 per day) grew to 32 average daily users in the first month, 126 average daily users in the first year. One day saw over 225 guest student users!
- Techs no longer had to visit with each prospective user for 30+ minutes.
- Building secretaries set up to create guest accounts. This further streamlined service (guests must already register with the main office for security reasons) and improved overall quality of service.
  - Yes, there were issues. Secretaries would create accounts that expired in 3037 and re-use accounts created for other users.
- Auditing and Accounting via eTIPS greatly increased compliance, security.
- 20 GbE links between buildings a huge bandwidth.
- Internet bandwidth provisioning a huge benefit to overall classroom Internet experience.

Page 20: Operation STS Phase II Project Goals

- All managed clients enforced at edge (wireless and wired).
- All unmanaged clients forced through captive portal (wireless and wired).
- Apply policy based on role to both wireless and wired users.
- Transition WEP SSID wireless clients to new 802.1x SSID.
- Increase wireless capacity significantly to prepare for every student bringing a wireless device in 2011 or 2012.
  - 181 teaching spaces
  - 63 non-academic spaces (athletic, office, etc.)
  - 30 sensor access points for increased security and monitoring
  - Deploying 802.11n as well

Page 21: All managed clients enforced at edge (wireless and wired) Implementation

Page 22: All managed clients enforced at edge (wireless and wired) Implementation

- MultiAuth authentication enabled on all switches.
  - MAC, 802.1x, PWA (captive portal)
- 802.1x SSID utilizes bridged-at-AP topology.
- The RADIUS reply sends the filter-id parameter back to the access point or switch port with the appropriate policy based on user role.
  - Policy includes VLAN egress, port-based ACLs, network ACLs, QoS classifications, bandwidth limitations.
- Go/no go test used for pre-posture
  - Failed clients put in remediation VLAN.
  - No auto-remediation.
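An added example, not code from the talk or from Avenda/Enterasys, of the decision the PDP makes on this slide and the guest pre-posture checks listed under the Phase I goals: given the authentication method, the role from the meta-directory and a go/no-go posture result, it returns the RADIUS reply attributes (Filter-Id naming the role policy, RFC 3580 tunnel attributes selecting the VLAN). The policy names, VLAN numbers, the MAC-only rule and the posture rules are assumptions made for the example.

```python
"""Illustrative NAC policy decision logic (added example, not EGRPS or Avenda code).

Models the Phase II flow on this slide: a client authenticates by 802.1x,
MAC or PWA (captive portal), a go/no-go pre-posture result is reported, and
the PDP replies with a Filter-Id naming the role policy plus the RFC 3580
tunnel attributes that select the VLAN. Role names, VLAN numbers and the
posture rules below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed role policies. The switch policy engine expands the Filter-Id
# into VLAN egress, ACLs and QoS; only the policy name and VLAN are modelled.
ROLE_POLICY = {
    "staff":   ("Enterprise-Staff", 10),
    "student": ("Enterprise-Student", 20),
    "guest":   ("Guest", 30),
}
REMEDIATION = ("Quarantine", 99)   # failed or missing posture -> remediation VLAN


@dataclass
class Posture:
    """Go/no-go checks from the Phase I goals: patch level, firewall, anti-virus."""
    patched: bool
    firewall_enabled: bool
    antivirus_installed: bool

    def passes(self) -> bool:
        return self.patched and self.firewall_enabled and self.antivirus_installed


@dataclass
class AccessRequest:
    method: str                        # "dot1x", "mac" or "pwa" (captive portal)
    identity: str                      # username or MAC address
    role: Optional[str]                # role from the meta-directory, None if unknown
    posture: Optional[Posture] = None  # None when no agent result was reported


def rfc3580_vlan(vlan: int) -> dict:
    """RFC 3580 VLAN assignment: Tunnel-Type=VLAN(13), Tunnel-Medium-Type=802(6)."""
    return {
        "Tunnel-Type": 13,
        "Tunnel-Medium-Type": 6,
        "Tunnel-Private-Group-ID": str(vlan),
    }


def decide(req: AccessRequest) -> dict:
    """Return the RADIUS reply: code plus the attributes sent to the NAS."""
    if req.method not in ("dot1x", "mac", "pwa"):
        return {"code": "Access-Reject", "reason": "unsupported method"}
    # Constructed rule: a MAC-only authentication never earns more than the
    # guest policy; under MultiAuth a later 802.1x/PWA success can upgrade it.
    role = "guest" if req.method == "mac" else req.role
    if role not in ROLE_POLICY:
        return {"code": "Access-Reject", "reason": "no role in directory"}
    # Go/no-go pre-posture: a missing or failed result lands in the
    # remediation VLAN with no auto-remediation, as the slide describes.
    if req.posture is None or not req.posture.passes():
        name, vlan = REMEDIATION
    else:
        name, vlan = ROLE_POLICY[role]
    return {"code": "Access-Accept", "Filter-Id": name, **rfc3580_vlan(vlan)}
```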

Page 23: All unmanaged clients forced through captive portal (wireless and wired) Implementation

Page 24: All unmanaged clients forced through captive portal (wireless and wired) Implementation

- Wired and wireless guest users are forced through captive portal device for authentication.
- PUBLIC SSID utilizes bridged-at-controller topology.
- Policies still applied based on role.
- Dissolvable agent performs pre-posture checks for go/no go access.

Page 25: Operation STS Phase II Wireless Upgrade Implementation

- Slowly migrating clients off of old static WEP SSID to 802.1x SSID
  - Utilizing Group Policy for Windows clients and shell scripts for Linux clients.
- Evaluated Aruba, Cisco (existing), and Enterasys wireless solutions.
  - All solutions met our needs technically.
- Enterasys HiPath wireless solution selected
  - Dual HiPath C4110 controllers
  - 274 x AP3610 access points
  - HiGuard Wireless Management Suite

Page 26: Operation STS Phase II Results (Ongoing)

- Risks are mitigated at the edge on both the wired and wireless side.
  - For example, students are restricted from accessing various network devices/services via network ACL.
- Users are identified at the edge on both the wired and wireless side.
  - Great for security as well as troubleshooting. Tracking down a client takes seconds via NetSight Compass.
- 802.11n helps greatly with challenging RF situations caused by schools located near households.
- HiGuard and AP sensors have the ability to make it difficult for students to circumvent district policies by joining unsecured, foreign networks (without doing AP containment).
- Access point per classroom prepares us for the future.

Page 27: Operation STS Phase III Project Goals

- Deploy IPS district-wide.
- Configure Websense to support RADIUS requests.
- Configure Packeteer to support RADIUS requests and provision bandwidth based on user.
- Find more opportunities to unify authentication and force more applications (if not all) to leverage meta-directory.
  - Single-sign on products
  - RADIUS
  - LDAP
  - SIF

Page 28: What risks are you trying to mitigate?

- Are you trying to prevent unauthorized users or devices from accessing your network?
- Are you trying to prevent authorized users from doing unauthorized things?
- Are you trying to open your network to authorized users on guest devices?
- Are you trying to allow guest users?

Page 29: How do you plan on authenticating users and/or devices?

- Will you be using 802.1x, captive portals, and/or a proprietary client?
- Will you be using multiple authentication schemes (for example first 802.1x then captive portal)?
- Will you be using MAC address authentication?
- Do you need dissolvable 802.1x supplicants?

Page 30: How will you perform endpoint security tests?

- Are all of your devices managed, unmanaged, or both?
- Will you try and remediate devices that fail posture checks or will you just quarantine them?
- Will you allow guest access?
- Will you allow both “thick” agents as well as dissolvable agents?
- Will you perform continuous enforcement (post-posture)?

Page 31: Ability to phase your deployment is key

Page 32: Will all of this stuff integrate into my existing environment?

- Do your network devices support: default/native VLAN, MAC Authentication Bypass, Multi-Authentication, RFC 3580, Filter-ID, etc.?
- Does your meta-directory (AD, LDAP, eDir) contain groups, roles, etc. that are aligned with your access policy?

Page 33: Advice

- NAC as a technology is still maturing. Single vendor solutions still dominate the market.
- Stick with vendors who are members of TCG/TNC (okay, Cisco is the exception…).
- Good security is transparent security (unless of course the end user does something to run into it).
- Make sure there is a real business case before deploying NAC.
- Get buy-in from end users and prepare them for the coming changes. Sell them on the benefits (like bringing in a personal laptop for personal use).

Page 34: Thank You

Jeff Crawford, Manager of Networking and Security

www.egrps.org