
Network Access Control as a Network Security Solution

Apr 15, 2017

Conor Ryan
Page 1: Network Access Control as a Network Security Solution

Institute of Technology Tallaght, Dublin

Department of Computing

Bachelor of Science in I.T. Management

Subject: 4th Year IT Management Project

Assignment Title: Complete Project Documentation

Weight: --

Supervisor: Enda Lee

Date of Issue: 26th January 2015

Date of Submission: 1st September 2015

Student Name: Conor Ryan (X00079990)

Declaration

I hereby declare that this is my original work produced without the help of any third party.

Signed:

Date:

1


Network Access Control as a Network Security Solution

By

Conor Ryan

Submitted in partial fulfilment of the requirements for Bachelor of Science Degree (Hons)

In IT Management

Institute of Technology Tallaght Dublin

Author: Conor Ryan

Supervised by: Enda Lee, Lecturer at IT Tallaght

Contents

Abstract....................................................................................................................................5

1 Project Introduction.........................................................................................................6

1.1 Project Plan................................................................................................................7

1.1.1 Target audience..................................................................................................7

2 Network Access Control...................................................................................................7

2.1 Background................................................................................................................7

2.2 Policies.......................................................................................................................8

2.3 Benefits of Network Access Control...........................................................................8

2.4 Problems NAC solves.................................................................................................9

2.5 Components..............................................................................................................9

2.5.1 Users.................................................................................................................10

2.5.2 Remediation.....................................................................................................10

2.6 Points of enforcement.............................................................................................11

2.6.1 Port-based NAC................................................................................................11

2.6.2 Gateway based NAC.........................................................................................11

2.6.3 Which is more suited........................................................................................12

3 Project Implementation.................................................................................................12

3.1 PacketFence.............................................................................................................12

3.1.1 PacketFence ZEN..............................................................................................12

3.2 Phase 1.....................................................................................................................13

3.2.1 Network Setup..................................................................................................13

3.2.2 PacketFence ZEN Appliance..............................................................................14

3.2.3 Virtual Machine................................................................................................14

3.2.4 Phase Review....................................................................................................16

3.3 Phase 2.....................................................................................................................17

3.3.1 Web Configurator GUI......................................................................................17

3.3.2 Phase Review....................................................................................................22

3.4 Phase 3.....................................................................................................................23

3.4.1 Administration and testing...............................................................................23

3.4.2 Phase Review....................................................................................................33

3.5 PacketFence ZEN review..........................................................................................34

3.6 Other Technologies..................................................................................................35


3.6.1 Check Point Security Gateway..........................................................................35

3.6.2 Review..............................................................................................................38

4 Conclusion......................................................................................................................38

4.1 Implementation Review...........................................................................................39

4.1.1 Phase 1............................................................................................................. 39

4.1.2 Phase 2............................................................................................................. 39

4.1.3 Phase 3............................................................................................................. 39

4.1.4 Other Technologies...........................................................................................39

4.2 Limitations...............................................................................................................39

4.3 Recommendations...................................................................................................40

5 References......................................................................................................................41

Appendix................................................................................................................................ 42

Table of Figures..................................................................................................................42


Abstract

This project provides an investigation into the topic of Network Access Control (NAC) as a network security solution. It details the purpose of NAC solutions, the method of configuration for a specific network architecture, and an insight into some of a NAC solution's features. This project tests one method of deployment while also investigating other paths of deployment and implementation. Aspects such as testing a user gaining access to a network's resources, and the overall management of a NAC solution, are the main priorities of this project's implementation section. The overall objective of this project is to portray an in-depth understanding of the concept of network access control and its essential workings.


1 Project Introduction

This document has been prepared to present a detailed and researched review of the topic of Network Access Control (NAC), which is based around the elements of network security and IT governance. Essentially, the overall drive of this project is to investigate NAC in relation to its suitability as an effective network security solution. The aspects conveyed within this report relate to the overall project scope, aims, and possible users of the technology. Technology comparisons and possible implementation methods, used in order to physically test this study, will also be examined.

Other topics considered include the platforms of implementation and the different methods of integration: whether a specific solution is more feasible than another, and which portrays the functionality and features of network access control more suitably. Factors such as the risk of development within a chosen solution and specific hardware requirements will also be touched on.

1.1 Project Plan

The purpose of this project is to investigate whether or not network access control is a suitable method of securing access to a network. The overall goal of the project is to gain an in-depth understanding of NAC, and to successfully demonstrate network access control by exercising a NAC solution and demonstrating some of its characteristics. The reason for this is to test whether it is an effective method of security in relation to managing and monitoring network access. PacketFence is the solution chosen to be demonstrated and examined in order to test NAC as a security solution, and also to develop an in-depth understanding of NAC software and how it works. The overall goal is to exercise this solution efficiently in a lab environment in order to convey some of its key features, which are characteristic of network access control.

1.1.1 Target audience

The audience at which this project is aimed consists of any end user wanting to gain access to the materials and resources of a network. It could also be of interest to any individual interested in utilising NAC software as a mechanism to apply another degree of security to a specific network. This project will demonstrate the capabilities of NAC, put into perspective so that users and individuals can judge whether it is useful for their own requirements or needs.

2 Network Access Control

2.1 Background

It is imperative that a business or enterprise of any scale has the ability to control access to its network's resources. This is primarily to ensure network security and compliance within that organisation's network. Network access control (NAC) is an approach which restricts access to network resources for the known and unknown devices (phones, workstations, servers, etc.) requesting access to a particular network. It is essentially a new method of security that has not quite made its stamp on IT security just yet, although it has an intriguing level of promise bound to it. NAC's aim is to control access to a network using a strict set of policies and assessment checks of the devices or endpoints requesting network access or resources within a network. NAC ensures only policy-compliant individuals and devices can obtain access to a network's attributes (Cygnia.co.uk, July 2, 2009). Solutions based around network access control are designed to provide the ability to prevent end devices that lack antivirus or host intrusion prevention software from admitting themselves to a network. Halting devices which violate policy, for example by failing an outdated spyware check, can be crucial to a network environment. Infected devices can damage a network's infrastructure by contaminating it and leaving other users of the network at risk of infection by viruses and other unwanted malicious attributes. NAC solutions provide in-depth and precise monitoring of the users and machines which request or gain access to a network. A wide range of policies and chosen rules can be integrated to most appropriately suit the network environment.

2.2 Policies

Policies are fundamentally the core element of every NAC solution. They are the protocols or set of rules bound to a network by the solution in order to effectively implement a certain level of security on access to the network and its resources. These policies can be customised in a way which suits an organisation best and defines the way in which the network is to be utilised. These policies focus mostly on endpoint security actions and offer elements such as anti-virus, anti-spyware, firewalls and other anti-malware attributes, all utilised with the aim of making endpoint security resistant to attacks or hacking of the network. Policies can be as simple as the type of computer a user is using, or the role of a specific user; either of these elements can be used as a condition of access to a network.

2.3 Benefits of Network Access Control

Some of the major reasons to consider NAC as a security software solution are:

- It restricts the amount of data and resources that a certain user can access.
- NAC can implement a certain degree of anti-threat solutions that protect against intrusion and viral infection by using applications such as firewalls, anti-spyware software and antivirus software.
- Another feature of network access control software is that, once applied, it can heavily moderate and restrict the amount of resources a user can utilise once access is granted to the specific network.
- Efficient policy enforcement in regards to the rules which must be abided by in order to be granted access to a network and its related resources.
- Using NAC software in a business place, where the number of users utilising the network can be monitored, is ideal for deployment.
- NAC enforces policies for different sets of users depending on the method of entry to the network.
- It is a resilient and reliable way to keep your network clean of any malicious activity, if policies are set to do so.

Figure 1- NAC remediation

2.4 Problems NAC solves

Integration of network access control onto a network allows for substantial interaction with some common network security issues. In regards to the problems which NAC resolves, the most notable is the implementation of endpoint integrity. This feature of a NAC solution solves the problem of users obtaining unlimited access to a specific network and its resources. It solves this problem by running an access assessment test of an endpoint, in order to deploy a certain level of rules onto it and ensure that this endpoint meets the particular protocols that the network has implemented. It is these access control policies, which must be adhered to, that make NAC effective against unwanted access.

The implementation of network access control will generate a strong, granular and centralised element of access control upon a network. It defines a persistent and flexible method of tackling problems such as malware intrusions, data breaches and unauthorised access, and also comes with the ability to enforce regulatory compliance checks. Compliance checks can be performed through the use of mandatory performance scans, registry keys or personal authentication attributes.

2.5 Components

After a business has made the decision to implement NAC software onto the desired network infrastructure as a means of security, there are a few factors to consider in regards to the components needed to fully utilise a network access control solution. All NAC solutions consist of three parts:

- The policy engine: the point at which the specific policies are decided and applied. It is the most important component, as it controls the NAC deployment by creating the essential access rules for the user and monitoring the enforcement point of the infrastructure. It must also keep track of the specific rules it pushes out to all endpoint devices.
- The endpoint agent: retains all user data and policy information, and communicates any change in device state to the policy engine.
- The policy enforcement point: the point of the infrastructure at which the particular access rules and policies are applied. It is also the position that moves users who do not meet the policy requirements to a quarantined network.

2.5.1 Users

Network access control solutions are beneficial for any organisation or agency that is looking to apply a degree of authentication or access control upon its network resources, whether in relation to non-zero attacks, which are based around anti-viral concepts, or pre-admission and post-admission concepts, which relate to policies applied before or after access is granted. In regards to the endpoint clients which utilise the actual protocols of NAC solutions, there are many types. However, the client usually depends on the specific device being utilised, and clients are generally categorised into three central groups: laptop, smartphone or desktop OS. It also depends on the particular endpoint on which you have decided to run the software.

Full agents and lightweight agents are the particular types or methods of installation of the solution, aimed at the specific users who might interact with the NAC software and network at different levels of expertise. A full agent is usually targeted at a corporate employee who has regular interaction with the network; this involves more detail in the implementation, as administrative rights must be obtained in order to fully install the agent. A lightweight agent is usually applied mainly for guests or irregular visitors who come in requesting network access. Administrative privileges are typically not needed on the local machine for a lightweight agent, making it more convenient and easier to deploy.

2.5.2 Remediation

Remediation is a key component in any network access control solution. It is the method of moving a user who does not meet the specific requirements set by the solution and network to a guest network to be serviced. When triggered by the enforcement policy, the enforcement point moves users that don't comply with the particular NAC policies to an isolated, quarantined network. It is in this quarantined network that users must be "fixed" in order to progress or be re-scanned by the NAC solution. This method of redirecting and notifying the user is called remediation.

Remediation can be categorised into two types:

- Auto-remediation: where remediation happens automatically once the user is deemed unsuitable to progress onwards.
- User self-remediation: this involves instructions from the endpoint client that the user must follow in order to repair their machine or device.

2.6 Points of enforcement

An important aspect of network access control that must be considered by any entity wishing to utilise a NAC solution is the point at which NAC enforcement is to be performed. Generally, access control is deployed using one of two methods within the network infrastructure: port-based and gateway-based NAC.

2.6.1 Port-based NAC

This path of NAC deployment is fundamentally constructed around the port security element of an 802.1X-compliant network switch. Port-based NAC is integrated around the idea of enforcing switch port security through the use of 802.1X. 802.1X is an IEEE security standard used for authentication over a wired or wireless LAN through the use of Extensible Authentication Protocol (EAP) packets. Hosts authenticate using EAP before layer 2 (data link) access is provided to the particular network (Cygnia.co.uk, July 2, 2009). A solution that is designed around port-based deployment will quarantine devices or machines that are deemed non-compliant, or that do not pass specific policy requirements, at the edge of the network. The enforcement point of port-based NAC is therefore placed on the switch or wireless access point. This means that the quarantine zone in which non-compliant guests are placed is a dedicated isolation VLAN or port ACL.

2.6.1.1 Issues of port-based

Some of the issues regarding port-based deployment concern the actual deployment of this method. Port-based deployment can be a very complex process and can be very difficult to implement, especially on large-scale networks. This is due to complications in switch requirements, component integration within the network infrastructure, and device compatibility (do the switches support 802.1X, etc.). Difficulty can also arise while attempting to segment the network into the VLANs necessary to support 802.1X. Configuration of RADIUS servers and interfaces, and determining the NAC standards that will be appropriate for the infrastructure, are also key elements which can be difficult to resolve. Many skills are needed to manage an 802.1X deployment of network access control on a network infrastructure.

2.6.2 Gateway based NAC

Gateway-based NAC deployment works in a different way to port-based deployment. Port-based deployment performs its enforcement within layer 2 (data link), whereas gateway deployment performs its enforcement within layer 3, at the network level. It applies restrictions based on device IP addresses. Gateway deployment does not require the use of EAP and instead uses the abilities of an agent to authenticate by means of identification of the user or machine. The agent is also used to perform health and overall quality checks on devices which have been identified. The enforcement point of a gateway deployment is the firewall, which makes the quarantine zone the network edge or default gateway. Gateway-based deployment is a method of network access control that avoids the complexity of 802.1X port-based deployment, while still exercising a respectable degree of security within a network architecture.

2.6.3 Which is more suited

Deciding which deployment type is more beneficial for an organisation completely depends on the company's goals and what it essentially wants to get out of network access control. Of the two types, gateway deployment is the more cost-effective choice. Gateway-based deployment can be considered more suitable if an organisation has the goal of performing health checks and providing a mechanism to ensure policy compliance on endpoint devices within the network.

If the organisation's main objective is to ensure strict security around devices which plug into the network, 802.1X port-based solutions are better suited, as port-based deployment prevents unauthorised machines from gaining access when connected to the network infrastructure via a switch or access point.

3 Project Implementation

This section of the project relates to the exercising of network access control in a lab environment. The main objective is to test and convey some of the features of network access control through the utilisation of a NAC solution. The implementation runs through the setup, configuration and testing of a NAC solution as a mechanism for demonstrating this topic.

3.1 PacketFence

PacketFence is the solution used to demonstrate and exercise the area of NAC within a lab environment. PacketFence is a free, open-source network access control application created as a mechanism to authenticate users via a network's identification policies, examine device states in regards to quality, and present an application for self-remediation. PacketFence is based around the 802.1X port-based deployment method of network access control and boasts an impressive number of features in relation to security methods and policies. The main solution provides features including the Snort IDS and scans via the Nessus vulnerability scanner.

3.1.1 PacketFence ZEN

Integration of the PacketFence application into a network architecture can be a complex task, sometimes taking months to fully implement into a network environment. PacketFence ZEN (Zero Effort NAC) is a VMware, Linux-based appliance which stands as a compact version of the solution. Although it does not possess half the features that the full version boasts, it still caters for an effective way to test and exercise some NAC attributes. It provides a slimmed-down, pre-compiled version of PacketFence built around a CentOS operating system.

PacketFence ZEN provides a method of testing NAC in the form of a registration process. This feature of ZEN allows for the exercising of a key feature of network access control in the form of authentication of a user based on whether they have “registered” to access the network.

3.2 Phase 1

3.2.1 Network Setup

The first step in initialising the setup of the demonstration is to construct the network architecture necessary for efficiently exercising the PacketFence ZEN application. As stated before, this demonstration uses PacketFence's inline method of enforcement as opposed to the out-of-band VLAN enforcement method. This setup of the application utilises the PacketFence server (the host laptop) as the gateway between the demonstration device and the internet, or the specific network for which authorisation is required.

The network setup for this demonstration consists of a test device (laptop) directly connected to an entry-level switch via Ethernet cable, which is connected via another Ethernet cable to the host device (the PacketFence server). For connectivity between server and network, this demonstration uses the host laptop's Wi-Fi adapter for internet connectivity. Ethernet connectivity could have been used if the device had an extra network port. It is crucial that the host device possesses two NICs: one for connectivity between guest and host, and one from host to network.

The initial step is to ensure that the demonstration device can reach the internet through the host device. This is achieved by enabling Internet Connection Sharing in the host device's Network and Sharing properties within the Control Panel. Leave the connection type at "Ethernet" for the time being; this is later changed to the chosen interface by which the inline network is connected to the demonstration device.

3.2.1.1 VLAN out-of-band setup

An alternative network setup which can be constructed is one which caters for the VLAN isolation setup on which PacketFence can be deployed. This setup uses 5 or more virtual interfaces to cater for the specific states which PacketFence forces upon the client that wishes to gain network access. This architecture consists of a number of VLANs: the management and inline VLANs, as well as the regular, registration and isolation VLANs for the visitors and guests which are looking to achieve network access. It is also necessary to have a guest VLAN and a MAC detection VLAN. The MAC detection VLAN is used mostly in a fuller-scale operation of PacketFence and is utilised as a means to detect the MAC address of the device that has been connected to the switch; from there it is processed into the next appropriate VLAN, whether for remediation or registration, based on the device's current state.

This enforcement type requires a supported switch in order to create and manage the specific VLANs. The list of supported switches is available on the PacketFence website; however, the vast majority of Cisco switches that support VLAN creation and SNMP and have port security will work just fine.
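The components of section 2.5, the remediation flow of section 2.5.2, the port-based enforcement of section 2.6 and the VLAN states just described can be put together in one model. The following is an added example written for this document, not PacketFence code: a policy engine evaluates the endpoint agent's posture report and a switch port (the enforcement point) is moved into the VLAN the decision calls for. The policy thresholds, MAC addresses and posture fields are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum

class Vlan(Enum):
    MAC_DETECTION = "mac-detection"  # initial VLAN: device only identified by its MAC
    REGISTRATION = "registration"    # unknown device: must register first
    ISOLATION = "isolation"          # known but non-compliant: quarantined for remediation
    GUEST = "guest"                  # registered guest, limited resources
    REGULAR = "regular"              # registered, compliant corporate device

@dataclass
class Posture:
    """What the endpoint agent reports about the device (constructed fields)."""
    mac: str
    antivirus_running: bool
    av_definitions_date: date
    host_ips_running: bool

@dataclass
class Policy:
    """Rules chosen by the administrator; the values are assumed examples."""
    max_definition_age_days: int = 7
    require_host_ips: bool = True

@dataclass
class Decision:
    vlan: Vlan
    remediation: list = field(default_factory=list)  # self-remediation steps

class PolicyEngine:
    """Decides which VLAN a device belongs in; knows nothing about switches."""

    def __init__(self, policy, registered, guests):
        self.policy = policy
        self.registered = {m.lower() for m in registered}
        self.guests = {m.lower() for m in guests}

    def evaluate(self, posture, today):
        mac = posture.mac.lower()
        # Pre-admission check: unknown devices go to the registration VLAN.
        if mac not in self.registered and mac not in self.guests:
            return Decision(Vlan.REGISTRATION,
                            ["Unknown device: complete the registration portal"])
        # Endpoint integrity check: every failed rule becomes a remediation step.
        steps = []
        if not posture.antivirus_running:
            steps.append("Start or install the antivirus product")
        age = (today - posture.av_definitions_date).days
        if age > self.policy.max_definition_age_days:
            steps.append(f"Update antivirus definitions ({age} days old, "
                         f"limit {self.policy.max_definition_age_days})")
        if self.policy.require_host_ips and not posture.host_ips_running:
            steps.append("Enable the host intrusion prevention agent")
        if steps:
            return Decision(Vlan.ISOLATION, steps)
        return Decision(Vlan.GUEST if mac in self.guests else Vlan.REGULAR)

class SwitchPort:
    """Enforcement point: applies the engine's decision to one 802.1X port."""

    def __init__(self, name):
        self.name = name
        self.vlan = Vlan.MAC_DETECTION
        self.log = []

    def apply(self, posture, decision):
        self.vlan = decision.vlan
        self.log.append(f"{self.name} {posture.mac.lower()} -> {decision.vlan.value}")
        return self.vlan

def admit(engine, port, posture, today):
    """One admission: agent report -> policy engine -> enforcement point."""
    decision = engine.evaluate(posture, today)
    port.apply(posture, decision)
    return decision

def demo():
    """Run three constructed devices through one port; return (mac, vlan, steps)."""
    engine = PolicyEngine(Policy(), registered={"00:11:22:33:44:55"},
                          guests={"66:77:88:99:aa:bb"})
    port = SwitchPort("Gi0/1")
    today = date(2015, 6, 1)
    samples = [  # stale-definitions corporate laptop, healthy guest, unknown phone
        Posture("00:11:22:33:44:55", True, date(2015, 5, 1), True),
        Posture("66:77:88:99:AA:BB", True, date(2015, 5, 30), True),
        Posture("de:ad:be:ef:00:01", False, date(2015, 1, 1), False),
    ]
    results = []
    for p in samples:
        d = admit(engine, port, p, today)
        results.append((p.mac, d.vlan.value, d.remediation))
    return results

if __name__ == "__main__":
    for mac, vlan, steps in demo():
        print(mac, vlan, steps)
```

The unknown phone lands in the registration VLAN before its posture is even considered, which is the pre-admission ordering described in section 2.5.1.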

3.2.2 PacketFence ZEN Appliance

PacketFence is an open source, fully trusted network access control solution (PacketFence, 2015). The application possesses many impressive features in relation to network security when deployed effectively on small to large networks, through operations that can take months to deploy. However, in order to test it on a small-scale network, this demonstration uses PacketFence ZEN, or Zero Effort NAC. PacketFence ZEN is a pre-compiled, Linux-based version of the PacketFence solution which only boasts a fraction of the full product's capabilities in terms of network security attributes and protocols. However, ZEN serves as a good application for demonstrating a port-based network access control feature.

3.2.2.1 Download and install

To obtain the product, download the PacketFence ZEN Virtual Appliance (OVF) file from the PacketFence website and unpack its contents. There are a couple of ways to install and boot this version of PacketFence; for this project demonstration, a virtualised method has been chosen, in which the unpacked virtual machine appliance image is mounted within a hypervisor.

3.2.2.1.1 Alternative methods

In relation to other methods of deploying the application, the PacketFence ZEN appliance can be booted as a "live" application by burning it to a CD or writing it to a USB stick. By booting the host device from the USB or CD drive, the host machine adopts the PacketFence operating system and through this means becomes the server. This method is useful for demonstrating the ZEN application to potential clients by simply bringing the disk or stick to their on-campus network, in order to demonstrate the application on existing servers or devices without any pre-configuration.

Some of the issues which arose when this method was tested for this project mostly revolved around host machine capability. The laptop spec did not seem to be up to par, which resulted in consistent machine crashes and stress on the device in terms of performance.


3.2.3 Virtual Machine

In regards to the hypervisor on which the appliance can be deployed, there are a couple of choices: VMware Workstation, VMware Player and VirtualBox, of which VirtualBox was found through testing to be the most unsuitable. VMware products are most suited, as PacketFence ZEN is a noted VMware-compatible product. For this demonstration VMware Player was chosen.

It is important to dedicate two network adapters to the guest VM: one to cater for the inline network, which is connected via Ethernet, and the other to go out to the internet via Wi-Fi. It is essential that all interfaces are set to a bridged connection in order for the virtual machine to communicate with the host OS and receive network access. This is done by configuring the adapter states within the "Hardware" section under Virtual Machine Settings.

Figure 2- VMWare player adapter settings

In order for PacketFence ZEN to perform adequately, a dedicated 8 GB of memory is necessary to ensure efficient execution of the solution. Once the appliance has been booted in the virtual machine, the credentials "root" and "p@ck3tf3nc3" as username and password are required to log in to the interface.

Once logged in, the IP address assigned to the machine's virtual interface is needed in order to advance to the web configurator GUI from the PacketFence server. It is from this interface that the specific network configuration is performed as part of the configuration process. To locate the IP address, run the command "ifconfig", which will reveal the address needed. It will be listed under the interface name, after "inet addr:".


Figure 3- Eth0 virtual interface IP

If no IP address is shown, the interface has not been brought up. To ensure the required interfaces are up, enter the command “ifconfig eth<N> up” (where <N> is the interface number). This brings the interface up, and the command “dhclient eth<N>” then obtains an IP address for it via DHCP if one has not already been assigned.

Use this assigned address to reach the web configurator distinct to PacketFence ZEN: open a web browser and point it at the address with the port number 1443 appended in order to get started.

3.2.3.1 Issues with VirtualBox

In relation to testing done with PacketFence ZEN in VirtualBox, a few issues arose throughout the exercising of the application which had a negative effect on performance. One which arose frequently was files not being present in their appropriate locations within the PacketFence appliance. This may have been caused by incompatibilities between the PacketFence system and VirtualBox, which may not be as well suited to running the appliance as is necessary in order to exercise and access all aspects of the ZEN solution. These locations contain the information describing the set-up of the system's VLANs and network interfaces, which is crucially needed to perform the configuration required to construct an adequate network setup. PacketFence automatically fills the files relating to the virtual interface with an IP address generated by the DHCP service provided by the solution. Throughout the testing in VirtualBox it was this inconsistency of empty interface files which led to problems with the network setup.

3.2.4 Phase Review

Through the exercising of this phase, the basis on which the demonstration can be developed should now be constructed. It was in this section that the network setup was decided upon in regards to the enforcement type of the PacketFence application. The inline method was chosen over the VLAN setup due to the manageability of the project and because it was considered more suitable for deployment. Testing with the VLAN out-of-band enforcement method was attempted but concluded with no feasible results due to time deficiencies and complications with the supported switch type. Once the Cisco 2960 switch was configured with the necessary VLANs (registration, management, isolation, guest, MAC authentication), the PacketFence server would not pick up the interfaces configured for them. This is an aspect of the project which would be beneficial to review if it were feasible to do so, as VLAN enforcement is an effective feature of PacketFence which really breaks down in detail the method of 802.1X port-based deployment.

3.3 Phase 2

This section of the testing and configuration of the PacketFence ZEN solution revolves around further configuration and population of the network attributes and the appropriate interface files.

IP forwarding must be enabled on the PacketFence server within the CentOS operating system. This is necessary to give the OS a router-type feature, so that packets coming in on one interface can be identified and sent on to the appropriate destination NIC or interface. It is enabled at runtime with the following command (run as root):

# echo 1 > /proc/sys/net/ipv4/ip_forward

Alternatively, edit the file /etc/sysctl.conf and set:

net.ipv4.ip_forward = 1

To apply the file (and keep the setting across reboots) run:

# sysctl -p /etc/sysctl.conf
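As an added example (not part of the report or of PacketFence), the following POSIX shell script checks that the persistent setting above is actually effective: it reads net.ipv4.ip_forward from a sysctl.conf-style file using the same comment and last-assignment rules that sysctl -p applies, reports the runtime value from /proc where present, and shows that a misspelled key such as ip_forwarding is silently ignored. The file paths and sample contents are constructed.

```shell
#!/bin/sh
# Added example, not part of the project report: verify that IPv4 forwarding
# is enabled persistently (sysctl.conf syntax) and, on Linux, at runtime.
# File paths and sample contents below are constructed for the demonstration.

# Effective value of a key in a sysctl.conf-style file, applying the same
# rules sysctl -p uses: "#" and ";" start comments, blank lines are skipped,
# whitespace around "=" is allowed and the last assignment of a key wins.
# Prints the value, or "unset" when the key never appears.
sysctl_file_value() {
    file="$1"; key="$2"
    # Escape the dots in the key so they match literally in the regex.
    pattern=$(printf '%s' "$key" | sed 's/\./\\./g')
    value=$(sed -e 's/[#;].*$//' "$file" 2>/dev/null \
        | grep -E "^[[:space:]]*${pattern}[[:space:]]*=" \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//')
    if [ -n "$value" ]; then echo "$value"; else echo "unset"; fi
}

# Runtime value as seen by the kernel; "n/a" on systems without /proc/sys.
runtime_ip_forward() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        cat /proc/sys/net/ipv4/ip_forward
    else
        echo "n/a"
    fi
}

# Verdict for one sysctl.conf file: "ok" when net.ipv4.ip_forward = 1 is the
# effective persistent setting, otherwise a short description of the problem.
ip_forward_check() {
    v=$(sysctl_file_value "$1" "net.ipv4.ip_forward")
    case "$v" in
        1)     echo "ok" ;;
        0)     echo "disabled: net.ipv4.ip_forward = 0 (inline traffic will not be routed)" ;;
        unset) echo "missing: add net.ipv4.ip_forward = 1 and run sysctl -p" ;;
        *)     echo "invalid value '$v' for net.ipv4.ip_forward" ;;
    esac
}

# --- demonstration on constructed files -----------------------------------
demo() {
    dir=$(mktemp -d)
    # Correct file: comment, whitespace around "=", an earlier 0 overridden by 1.
    cat > "$dir/good.conf" <<'EOF'
# Forwarding for the PacketFence inline network
net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1   # last assignment wins
EOF
    # Misspelled key: the kernel has no "ip_forwarding" sysctl, so this line
    # does nothing and forwarding stays off after sysctl -p.
    cat > "$dir/typo.conf" <<'EOF'
net.ipv4.ip_forwarding = 1
EOF
    for f in good typo; do
        printf '%s: %s\n' "$f.conf" "$(ip_forward_check "$dir/$f.conf")"
    done
    printf 'runtime: %s\n' "$(runtime_ip_forward)"
    rm -rf "$dir"
}

demo
```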

3.3.1 Web Configurator GUI

This phase concentrates on the actual configuration of the PacketFence ZEN environment and the elements needed in order to get the server up and running. The first step is to open a web browser and direct it to the assigned IP address with the port number 1443, as discussed earlier. Once pointed at that address, the browser advances to the PacketFence web GUI, from which further configuration is initiated.

3.3.1.1 Enforcement Type

Once the web interface is reached, the first step in configuration is choosing the enforcement technique which best suits the environment or network architecture. For this demonstration the Inline enforcement type was chosen in order to cater for the entry-level switch. VLAN enforcement is best suited where a manageable switch is available. It is also acceptable to run both enforcement types if desired; this is called Hybrid Enforcement.

The inline enforcement method uses “ipset”, a framework inside the Linux kernel, to classify nodes as registered, unregistered or isolated by matching their stored IP and MAC addresses against entries in its sets. This type of enforcement forces traffic from the inline network through the management network interface and out to the internet once network access is granted.

Figure 4-PacketFence enforcement type

3.3.1.2 Network Interfaces

The next step in configuration is defining the static network attributes for each interface within the network. For this demonstration the management interface (eth0) received the IP address “1.16” from the network's DHCP service. This interface works as the management side, is used to communicate with the server, and also NATs traffic from the inline network out. The inline interface “eth1” was statically mapped to the “2.0” subnet and given the IP address “2.1” as a sample configuration. It is important to make sure that this interface is defined as the inline interface when IP addresses are being assigned. This is done by simply selecting the interface type on the GUI once the “add VLAN” button next to the interface is clicked.

Figure 5- Network interface configuration


It is also necessary to enter the default gateway so that the configuration persists. This address is the gateway IP of the management network.

3.3.1.2.1 Manual Configuration

Although it is not always needed, it is possible to edit the interface configuration files manually if problems occur within the GUI. This can be helpful for statically configuring the IP of an interface as well as other critical attributes such as the default gateway of the production network and whether the interface is brought up from initial launch.

3.3.1.2.1.1 Scripts

To configure the interfaces manually it is necessary to edit the network scripts. This can be done with the commands:

vi /etc/sysconfig/network-scripts/ifcfg-eth0

and

vi /etc/sysconfig/network-scripts/ifcfg-eth1.1

and setting the configuration values manually (these files are read as shell variable assignments, so there must be no spaces around the “=”):

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=dhcp
NETMASK=255.255.255.0
GATEWAY=192.168.1.254

and

DEVICE=eth1.1
ONBOOT=yes
BOOTPROTO=none
IPADDR=192.168.2.1
NETMASK=255.255.255.0
GATEWAY=192.168.2.1
TYPE=Ethernet

Save the settings and restart the network service with the command:

/etc/init.d/network restart

This method is usually unnecessary due to the PacketFence server's ability to populate the virtual interface on the management network. The web GUI is used to populate the other interfaces within the environment, but through testing it was found that this manual configuration can be useful.
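As an added example (not the report's own procedure and not a PacketFence tool), the following POSIX shell script lints ifcfg files for the management and inline interfaces before the network service is restarted: it checks that each file is valid when sourced as shell (no whitespace around “=”), that BOOTPROTO is lowercase, that the inline interface has a static address and netmask, and that no GATEWAY is set on the inline interface or equal to its own address. The sample files are constructed from the report's values, with the slips in the report's original listing (uppercase DHCP, a space after IPADDR=, a GATEWAY on the inline interface) left in so that they are caught.

```shell
#!/bin/sh
# Added example, not from the report or PacketFence: lint the ifcfg-* files
# of the management (eth0) and inline (eth1.1) interfaces before running
# "/etc/init.d/network restart". Sample files below are constructed.

# Value of KEY in an ifcfg file: the last assignment wins, surrounding quotes
# and whitespace are stripped. Prints nothing when the key is absent.
ifcfg_get() {
    grep -E "^[[:space:]]*$2=" "$1" 2>/dev/null | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
              -e 's/^"\(.*\)"$/\1/'
}

# Lint FILE for ROLE "management" or "inline". Prints one finding per line
# and returns the number of findings (0 means the file passed).
ifcfg_lint() {
    file="$1"; role="$2"; n=0
    # The network scripts source ifcfg files as shell, so "IPADDR= 1.2.3.4"
    # leaves IPADDR empty (and tries to run 1.2.3.4 as a command).
    if grep -Eq '^[[:space:]]*[A-Z_]+[[:space:]]+=|^[[:space:]]*[A-Z_]+=[[:space:]]' "$file"; then
        echo "whitespace around '=' (file is sourced as shell)"; n=$((n+1))
    fi
    dev=$(ifcfg_get "$file" DEVICE)
    [ "$dev" = "${file##*ifcfg-}" ] \
        || { echo "DEVICE '$dev' does not match the file name"; n=$((n+1)); }
    [ "$(ifcfg_get "$file" ONBOOT)" = "yes" ] \
        || { echo "ONBOOT is not 'yes': interface will not come up at boot"; n=$((n+1)); }
    # The scripts compare BOOTPROTO literally against dhcp/bootp, so "DHCP"
    # is treated as a static configuration without an address.
    proto=$(ifcfg_get "$file" BOOTPROTO)
    case "$proto" in
        dhcp|bootp|none|static) ;;
        DHCP|BOOTP|NONE|STATIC) echo "BOOTPROTO '$proto' must be lowercase"; n=$((n+1)) ;;
        *) echo "BOOTPROTO '$proto' is not recognised"; n=$((n+1)) ;;
    esac
    ip=$(ifcfg_get "$file" IPADDR); gw=$(ifcfg_get "$file" GATEWAY)
    if [ "$role" = "inline" ]; then
        # The inline interface is the gateway for the inline subnet and must
        # carry a static address; the server's own default route belongs to
        # the management interface, so no GATEWAY is expected here.
        [ -n "$ip" ] || { echo "inline interface needs a static IPADDR"; n=$((n+1)); }
        [ -n "$(ifcfg_get "$file" NETMASK)" ] \
            || { echo "inline interface needs a NETMASK"; n=$((n+1)); }
        [ -z "$gw" ] \
            || { echo "GATEWAY set on inline interface; default route belongs to management"; n=$((n+1)); }
    fi
    if [ -n "$gw" ] && [ "$gw" = "$ip" ]; then
        echo "GATEWAY equals the interface's own IPADDR"; n=$((n+1))
    fi
    return "$n"
}

# Demonstration on constructed copies of the report's two files, keeping the
# slips of the original listing (BOOTPROTO=DHCP, "IPADDR= ...", GATEWAY on
# the inline interface) so the output shows what would break on restart.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/ifcfg-eth0" <<'EOF'
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=DHCP
NETMASK=255.255.255.0
GATEWAY=192.168.1.254
EOF
    cat > "$dir/ifcfg-eth1.1" <<'EOF'
DEVICE=eth1.1
ONBOOT=yes
BOOTPROTO=none
IPADDR= 192.168.2.1
NETMASK=255.255.255.0
GATEWAY=192.168.2.1
TYPE=Ethernet
EOF
    for spec in "eth0 management" "eth1.1 inline"; do
        set -- $spec
        echo "== ifcfg-$1 ($2)"
        if ifcfg_lint "$dir/ifcfg-$1" "$2"; then
            echo "   ok"
        else
            echo "   $? finding(s)"
        fi
    done
    rm -rf "$dir"
}

demo
```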

3.3.1.3 Database Configuration

The next step is the setup of the MySQL server database account. This step is very straightforward, as PacketFence ZEN comes with a configured MySQL database, so no download or installation is necessary. This step configures the MySQL server's username and password for the database. Once these are decided upon, it is important to start the server and create the database account before the next step becomes available.

Figure 6-MySQL setup

3.3.1.4 PacketFence Configuration

The next step of configuration is based around the general options related to the PacketFence installation. The general options are straightforward: providing the domain and hostname of the demonstration host acting as the PacketFence server, so that it is reachable by other devices.

The DHCP servers section is to be populated with all of the DHCP servers on the management or production network, as a comma-delimited list of server addresses. The purpose of this section is to establish all of the servers which legitimately belong to the network, and also so that any rogue DHCP servers which exist can be picked up. For this demonstration the DHCP service is provided by the network router on the management side.

Figure 7-General configurations

3.3.1.5 Administrator account creation

After the general configurations are set for the PacketFence environment, the next step is to create the administrator account. This is necessary to allow the admin to access the PacketFence Administration web interface. It is as simple as providing a username and password and creating the user via the “Create User” button.

3.3.1.6 Services Initiation

After the general configurations are set for the PacketFence environment and the administrator account has been created, the necessary configuration for the demonstration should be complete. Clicking continue advances to the PacketFence Services page, where a list of the application's main functions is presented along with their current status (started or stopped). Clicking the “start PacketFence services” button should start the services provided by PacketFence ZEN, after which the server should be up and running. If everything is configured appropriately, PacketFence will generate a message confirming success and prompting the user to redirect to the administration interface.

Figure 8-completed configuration

3.3.1.6.1 Service failure

The service confirmation interface lists all of the present PacketFence services and their current status. This is beneficial as it helps locate which services have stopped or are not working. Some of the main reasons for service failure during this project's earlier configuration attempts were most notably related to the network and interface setup. Services such as PacketFence DHCP cannot be established if the inline interface has not been created or identified correctly, leading to service and overall configuration failure.

While exercising VirtualBox as the chosen hypervisor for this phase of the demonstration, any case which led to service failure led to an overall crash of the PacketFence environment. These consistent failures brought each attempt at configuration to a halt and required a new PacketFence ZEN image to be imported and configuration started from the beginning after every attempt.

If a failure persists while exercising the solution through VMware products, a system reconfigure is not necessary. If a service fails to start, it is possible to identify why and where by looking at the log output, which helps determine the underlying problem. The logs are located in /usr/local/pf/logs; for example:

vi /usr/local/pf/logs/error.log

or

vi /usr/local/pf/logs/pfconfig.log

3.3.2 Phase Review

This phase runs through the overall configuration of the PacketFence environment, which is necessary in order to customise the settings of the network environment in the specified way. This phase presented many problems during initial testing and attempts at configuration, most of them relating to the hypervisor used to run the PacketFence solution. VirtualBox had its issues with PacketFence services not initiating effectively and with network interfaces not being populated as required. This in turn impacted negatively on this phase, as it delayed the creation of the PacketFence account and prevented access to the administrator interface of the demonstration. Through testing with VMware Player it was concluded that this was the most appropriate method for completing phase two of the project demonstration.

3.4 Phase 3

3.4.1 Administration and testing

Phase three of the demonstration of PacketFence is based essentially around the testing of the solution and the monitoring of the server as it recognises new devices and deems users registered or unregistered. To access the administration web interface, open a web browser and go to the admin interface address, using the assigned IP of the management interface along with the port number 1443, i.e. https://192.168.1.16:1443/admin/login. From there it is as simple as using the username and password credentials created in step 5 of configuration to log in and gain access to the administrator interface.

Figure 9- admin Login

3.4.1.1 Server Status

Once the administration credentials are entered correctly, the administration interface is loaded. This interface immediately greets the admin with the essential statistics regarding the PacketFence environment and server. It mainly displays information regarding the frequency of registrations within the chosen timeframes and the corresponding server load.


Figure 10- PacketFence server output

The server load represents the activity levels within the PacketFence environment and fluctuates up and down when specific actions are taken. Server load increases while manual registrations take place, due to the adding of nodes/devices to the MySQL database. Another status monitored within the dashboard is the available memory of the server. This relates to the usage of the memory capacity assigned to the application during initial configuration of the virtual machine, which can be changed via the memory settings in VMware Player.

Figure 11- Memory

From the Status dashboard on the initial admin interface it is also possible to monitor the total access requests/accepts and the corresponding frequencies related to the RADIUS server. These graphs represent the relationship between nodes or devices requesting access to the network and the corresponding action taken towards them, admission or denial.

3.4.1.1.1 Monitoring services

From the status dashboard it is important that the services provided by the PacketFence environment are monitored and initiated before any network access control protocols can be put in motion. From this dashboard the individual services can be regulated in regards to their current status, and it is possible to start and stop particular services when desired or necessary.


Figure 12-PacketFence services

To ensure that the devices which are requesting access are provided with an IP address, it is important that the DHCP service is running at all times. This is necessary so as to dynamically assign an IP address from the inline network subnet to the node as it is connected to the switch on that side of the inline network.

Restarting the services can be beneficial to refresh the server and make sure all services are still functioning properly; this determines whether the services start again and are in a healthy state. Refreshing the “iptables” service can be of use, as sometimes the rules fail to update properly when a node has been granted access and stored as a registered node.

3.4.1.2 Creating/adding nodes

Within the Administration GUI lies the interface regarding the network's relevant nodes or devices. This section lists all devices which are discovered and connected to the specific network's router within the environment. It is from here that the PacketFence ZEN access and registration process can be demonstrated and tested.

The list shown in figure 13 contains the nodes connected to the router's default gateway which were discovered by the PacketFence server. Not all of these nodes are influenced by PacketFence NAC capabilities, due to the fact that they are not connected directly into the network architecture (i.e. switch, access point). However, PacketFence can monitor the nodes, stating each device's current status relative to the network, along with the MAC address used to obtain the IP address and computer name from the network. It also states the type of device, i.e. whether it is a smartphone, gaming console, laptop or storage device.


Figure 13-Network nodes/Device list

3.4.1.2.1 Testing of nodes

Within the list of nodes present on the demonstration network, the node used for testing and demonstrating the PacketFence ZEN registration feature is the test device named “Niamh-Laptop”. This device is the only node on the list which is directly connected to the demonstration network environment via the entry-level switch. It belongs to the 192.168.137.0 subnet, which is configured as the INLINE network within the PacketFence setup. Its only gateway to the internet is from the INLINE network interface through the management interface and out to the internet from there, once access has been authorised.

3.4.1.2.2 Actions against nodes

From the interface containing the list of nodes comes the bulk of the PacketFence ZEN network access control capabilities. By ticking the box beside the desired node and opening the “Action” dropdown box (fig 14), the list of actions that can be taken against this node/device, once it is connected to the demonstration network setup, is presented.

Figure 14-Node action list

The actions that can be placed on a node include:

o Clearing a violation which has been discovered or placed on a device. This can include attributes such as requiring a system scan, violating the specific bandwidth limit, or requiring a Nessus or OpenVAS scan.

o Registering a device so that network access is granted.

o Deregistering a device which was previously registered and granted access to the network through self-registration or through the admin.

o Re-evaluating access, which determines the status of the device in regards to gaining access to the network and why access has been denied if that is the case.

o Applying a role to an undetermined device in relation to its state and what type of access it requires. This can be determined by classing it as a gaming, default or guest type role within the network.

o Applying a violation to a node. This action allows the admin to apply a specific violation attribute to a device if the admin requires that node to pass a specific policy before access can be granted, or it can simply be used as a routine check-up on that node. Some of the violations that can be manually placed on a node include:

  o A Nessus scan
  o An OpenVAS scan
  o Rogue DHCP characteristic
  o Wireless IPS
  o A system scan
  o Time expiration on network access
  o A bandwidth limitation

3.4.1.2.2.1 Testing authorisation

In order to test the authorisation and registration actions against a node, an unregistered device must be connected directly into the network setup via switch or access point. For this demonstration the device “Niamh-Laptop” was used and connected into the entry-level switch. Once connected, the device was given an IP address within the 192.168.137.0 INLINE network subnet. In most cases this is configured automatically by the PacketFence DHCP service provided on the INLINE interface; for this demonstration the IP was given statically. However, the device does not have immediate access to the network or internet. To test this, a browser is opened and pointed towards an HTTP site (i.e. www.packetfence.org). If all goes accordingly, the device should be redirected to the PacketFence Registration page at the captive portal (192.18.1.16/captive-portal) (fig 15).


Figure 15-Registration notification

Figure 16-Registration Log in page


Figure 17-PacketFence Registration page

Once the device is redirected to the registration page, this effectively means access to the network is not permitted and the node is unregistered within the network. The username and password for testing the registration process are:

Username: demouser

Password: demouser

(Packetfence.org, 2015)

If all goes accordingly within the captive portal, redirection to the destination web page should now be made and internet access granted. This registration process is the main feature regarding the testing of a PacketFence environment and acts as an efficient way to test a feature of NAC by authentication. However, within this demonstration the captive portal self-registration mechanism became problematic, and the only way to provide access to a device was manually through the administrative web GUI.

To manually grant access to this device, it was necessary to return to the administrator GUI. From there the node was selected, the “Action” pane opened and the “Register” option clicked. This registers the device as a known node within the network, and the device was then granted access to the network and internet.

Figure 18-Device state

It was through this method that this feature of PacketFence was tested as a mechanism to demonstrate its main registration and access feature.

3.4.1.2.2.1.1 Device self-registration

Throughout this demonstration problems arose in regards to the PacketFence device self-registration aspect of the system, namely the registration process not activating accordingly. When the user enters the username and password provided by PacketFence, the login stalls and nothing appears to happen once the login button is clicked; no further advancement is given to the user in regards to network access, nor a notification message acknowledging the attempt at registration. Throughout testing, manual registration of a node within the administration interface was the only method of providing access to the device “Niamh-Laptop”. However, it is possible that admin acceptance of the node is required in any case after the device's self-registration process. With extended time on the project, further investigation into this aspect would be advised.

3.4.1.3 Creation/Registration of Nodes

It is also possible to create and register a device manually from the administrator GUI. PacketFence allows nodes to be created and registered straight away so that a particular device can access the network without going through the registration process. Internet access is granted immediately without need for authentication or authorisation.

This was tested using an alternative device named “KIERON-TOSH”. The purpose of this test was to register this device by MAC address so that if it was to connect to the PacketFence INLINE interface it would be registered and automatically gain internet access without need for registration.

Figure 19- PacketFence Node creation

Regardless of the IP address this node is now seen as a registered device on the network (fig).

Figure 20- Kieron laptop state

As a means of testing this procedure, “KIERON-TOSH” was connected to the INLINE network of the demonstration environment. It was then necessary to release the IP address it had obtained via DHCP from the management network and set it to obtain an IP address via Ethernet on the INLINE subnet from the PacketFence INLINE interface.

Once connected, the device was given immediate access to the internet. This was because the device had already been created and registered prior to being connected and seen as a foreign device within the PacketFence network. This is feasible due to MAC authentication. Once the device was connected to the switch port, it was given the IP address 192.168.137.144. Statically setting the IP of the laptop to an address on that subnet is necessary if the PacketFence DHCP service fails. PacketFence then identifies, from the “iptables” rules, that the node's MAC address has been registered within the system, so access to the network and internet is granted for the device. There is also an unregistration date, set as a mechanism to deregister a user. This provides the admin with more control over the network and a more manageable grasp over the devices registered within it.

3.4.1.4 Configuration Interface

PacketFence ZEN also comes with a very flexible and efficient configuration interface. It is from here that the administrator can go over all of the configurations of the PacketFence environment, in a way which caters for an effective and personal grasp over the security methods and policies desired for the network.

3.4.1.4.1 Main Configurations

General configurations within the PacketFence administration web interface are plentiful. They are designed to present the administrator with a way to fine-tune every aspect of how devices are treated and how network access control is managed.

Changes can be made to the settings chosen during the initial phases of the PacketFence installation. These can relate to DHCP server information, made alterable in case new servers are added in larger-scale production environments. From the configuration interface the individual PacketFence services can be switched on or off, and simple alterations can be made to the self-registration page, such as the text displayed on the “registration” button (fig 21).

Figure 21- Captive portal configurations

In order to save memory and ensure that there is no back up of inactive nodes on the server, there is an expiration configuration within PacketFence. This configuration allows for the admin to generate a specific time allocation for which a node will remain on the server while it has been idle from use (fig 22).


Figure 22- node expiration configurator

Setting the expiration to a reasonable amount of time is beneficial as it releases server memory and load from inactive or unused nodes and users. Setting an expiration on IP/MAC logs is also important, as data regarding these addresses becomes irrelevant on the server once the node is considered inactive by the time allocation.

3.4.1.4.2 Network Configurations

The network configuration interface is also an element within the administrative GUI. This section of configuration is massively important as it allows for the alteration of network interfaces within the PacketFence network setup. During this demonstration it was imperative that new interfaces were created in order to do significant testing of both the management and INLINE networks.

Figure 23-Interface and network configurations

From this section it was possible to reconfigure old and new interfaces to cater for different connections. Deciding which interfaces are set active is also key, as it determines which interface the devices connect to, so the ability to alter and change these aspects is crucial. In this element of configuration PacketFence excels, as it really provides total control over the specific network, leaving no gaps for error in relation to connections.

There is also a section for managing the specific switches local to the network setup, providing a mechanism to describe whether a switch is set as a production switch or merely for testing. This, however, was not needed for this demonstration as a manageable switch was not utilised. It is an aspect which would have been beneficial to examine if further testing could have been achieved, as the VLAN deployment setup is a major aspect of the 802.1X port-based enforcement method of network access control, at which PacketFence excels.

3.4.2 Phase Review

This phase of the demonstration of PacketFence ZEN contributed to the final testing stages of the application and provided an insight into some of the features available within the ZEN version. It also provided insight into how the server operated when workload was generated and functions were put into use.

3.4.2.1 Issues with phase 3 and aspects of further investigation

Within the final stages of the implementation perspective of the project, there were in fact features that were not exercised as effectively as initially planned. The issues regarding aspects of phase 3 and the overall functionality of PacketFence that arose were most notably in relation to the quality checks provided by the solution. These are features that, although present within the demonstration, could not be demonstrated as effectively as initially intended, for various reasons which will be touched on.

3.4.2.1.1 Perform Scan

One of PacketFence's main features is to perform vulnerability checks, in the form of a Nessus or OpenVAS scan, on newly registered devices or manually by selecting the scan option. Nessus is a vulnerability scanner developed by Tenable Network Security (Tenable, 2015). Its main use within PacketFence is to scan newly registered devices to determine whether the guest has a specific vulnerability which needs to be rectified. This operation failed to run when testing was performed on registered devices within this project's implementation of PacketFence ZEN.

The errors that occurred when scans were selected on nodes within the server's database were frequent errors regarding the Apache server within the PacketFence system, displaying a message noting that the server certificate could not be registered and that a new certificate was to be regenerated. A further factor restricting a scan was a warning that the captive portal had failed to start, which may be related to the issue regarding the captive portal login. This is a feature that was intended to be exercised within this demonstration from the initial prototype. Nessus vulnerability scans are an effective attribute of this solution, and practice of this concept would have been an effective way of portraying an essential feature of network access control.


3.4.2.1.2 Remediation

One of the features of PacketFence which demonstrates a key element of security within a NAC-based network is the application of remediation. Remediation of a device is the process of placing that node in the location or URL required according to the status of the device. PacketFence uses a captive portal method in which the user is placed in the appropriate location based on the current status of the device in relation to violations obtained by the node or policy infringements. In any case, network traffic is terminated and the offending device is redirected to a page from which it is informed of the problem and notified of a method of rectifying it.

Within this demonstration this feature could not be exercised. The device still redirects to the URL it originally intended to visit. Once a violation is placed on a device from the management interface, the device still bypasses it and avoids the captive portal URL to which it should be sent. Only unregistering a device prevents it from reaching its destination. Reasons for this problem could relate to the specific browser types chosen for the demonstration, or to the captive portal mechanism not functioning as intended. From further research it was found that some browser types redirect the device to the chosen URL without interference from the captive portal remediation page. This is an issue that would be revised if more time had been available. It is also possible that the INLINE setup is not as well suited to handling remediation via the captive portal. This could be related to the fact that there is no separate VLAN to remediate devices into once violations occur, in the shape of a quarantine zone, as the INLINE setup is merely a basic setup in order to test the registration properties within PacketFence ZEN with an unmanageable switch type.

3.5 PacketFence ZEN review

The results of testing whether PacketFence ZEN is a suitable solution for demonstrating NAC were mixed. In general, the fact that PacketFence is free, open source and fully supported makes it a great application for demonstrating the topic of network access control. Its ability to perform registration and remediation is critical for portraying features typical of a NAC solution, and its capability to perform compliance and health scans and checks makes it a good solution for determining the state of the devices accessing a network.

From this demonstration and the overall study of the solution, it was determined that PacketFence does indeed flourish in its features. However, it must be stated that the solution would not be deemed an adequate testing mechanism in terms of ease of use and deployment. Configuration of PacketFence was, and can be, challenging. It can be confusing to deploy because there is no single "straightforward" method for setting it up, owing to the variety of network setups and architectures to which PacketFence can be deployed. From this demonstration it was clear that the setup required a great deal of trial and error regarding network architecture, the required equipment and the virtual machine configuration. However, once the configuration steps were complete, it was clear that PacketFence offers a highly controllable administration interface. Exercising the administrative side of the solution showed that the application carries a well-managed and impressive administrative element, in which the administrative user has essential control over, and a feasible grasp of, the overseen network and its devices.

The functionality demonstrated for the registration of devices on a network was the most important. Although not as simple to set up as the PacketFence administration guide suggests, once configured the feature adequately conveys a key element of Network Access Control. Through this demonstration and exercising of the product, it was clear that in a larger-scale deployment the fully featured version of PacketFence would truly be an impressive component of NAC.

3.6 Other Technologies

Another area of which it is important to gain an understanding is gateway-deployed network access control, as a good perception of this area is needed to truly grasp NAC as a whole. Check Point security gateway solutions are a prime example of how gateway-based network access control is defined, configured and utilised, and a short investigation of them gives a better understanding of this methodology.

3.6.1 Check Point Security Gateway

Check Point Technologies has been a substantial contributor as a security provider over the last two decades, protecting customers from a constantly changing online threat environment (Point, 2014). One of the company's most notable products is its Security Gateway appliances, which have been a leading mechanism for defending against unwanted access and web-borne malware. The solution is based around two NAC products (R65 and R70) which, once acquired, provide all the elements needed to enable gateway-based network access control. Using Cooperative Enforcement, the Check Point security gateway uses firewalls primarily as the point of enforcement to quarantine and remediate users who violate gateway policies. This differs from PacketFence VLAN enforcement, since the PacketFence out-of-band deployment is a port-defined NAC solution. In its method of dealing with devices, this gateway-based solution works similarly to PacketFence: Check Point software also uses a captive portal by which hosts are notified of their current status with regard to gaining access to the network.

Figure 24 - Check Point captive portal (Point, 2014)

Hosts that fall out of policy or compliance with the network can be disconnected, restricted, remediated and quarantined, much like the process by which PacketFence deals with non-compliant devices. The solution allows non-compliant users to correct the violations where possible, in which case the restrictions are lifted and the host is moved out of the quarantine network. Check Point Security Gateway NAC also gives administrators control over how policies and firewalls are enforced, so that the network can be secured with as much protection as required, in a manner that suits the needs of that specific network.

3.6.1.1 Configuration

Configuration of this solution is completed in three simple steps to get network access control up and running. Cooperative Enforcement is critical to this type of enforcement, so it must be enabled on the Check Point security gateway. This is done by starting the SmartDashboard application and logging in to the SmartCenter (Cygnia.co.uk, July 2, 2009), which is a user data centre login purchasable from Check Point Technologies. From the same GUI, the security policies and firewall rules to be applied to the network are chosen from a policy drop-down box and installed.

The last configuration step of the Security Gateway application is to navigate to the Endpoint Security server, open the Gateway Manager and define the actual gateway by which policies will be enforced.

Figure 25 - Check Point gateway manager (Cygnia.co.uk, July 2, 2009)

Once the gateway has been chosen, the final step is to enforce a rule on the Check Point gateway. Policies are implemented via the "enforcement settings" tab, and it is as simple as defining the rule name and specifying the conditions. The conditions are usually a check for a registry key and value, or for a specific file name, that must be present in order to gain access to the network. Once the rule is saved it is added as an enforcement policy on the gateway through which hosts will seek access. It is a quick and easy way for organisations to add gateway NAC to their network.
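As an added illustration (not PacketFence or Check Point code), the following Python models the two mechanisms described in section 3.4.2.1.2 and in this configuration section: enforcement rules whose conditions are a registry key/value or a file that must be present on the endpoint, and the captive portal outcome, where an unregistered node, or one with an open violation, is redirected to a portal page instead of its destination. The portal URL, rule name, registry path, file path and endpoint posture data are all assumed placeholders constructed for the example.

```python
"""Toy NAC decision engine, added as an illustration (not PacketFence or Check Point code).
Enforcement rules check "registry key holds value X" or "file Y is present"; an unregistered
node, or one with an open violation, is redirected to the portal instead of its destination."""
from dataclasses import dataclass, field

PORTAL_URL = "https://nac.example.test/portal"  # assumed placeholder, not a real host


@dataclass
class Condition:
    kind: str          # "registry" or "file"
    path: str          # registry key or file path the endpoint must have
    value: str = ""    # expected registry value; ignored for file checks


@dataclass
class Rule:
    name: str
    conditions: list
    violation: str     # violation id opened when any condition fails


@dataclass
class Node:
    mac: str
    registered: bool
    posture: dict      # constructed endpoint report: {"registry": {...}, "files": [...]}
    violations: set = field(default_factory=set)


def condition_met(cond, posture):
    if cond.kind == "registry":
        return posture.get("registry", {}).get(cond.path) == cond.value
    return cond.kind == "file" and cond.path in posture.get("files", ())


def apply_rules(node, rules):
    """A failing rule opens its violation; a passing one closes it, so a host that
    has fixed the problem gets its restriction lifted on the next check."""
    for rule in rules:
        if all(condition_met(c, node.posture) for c in rule.conditions):
            node.violations.discard(rule.violation)
        else:
            node.violations.add(rule.violation)
    return node.violations


def decide(node, destination):
    """Inline enforcement: ("redirect", portal_url) or ("allow", destination)."""
    if not node.registered:
        return ("redirect", f"{PORTAL_URL}/register?mac={node.mac}")
    if node.violations:
        return ("redirect", f"{PORTAL_URL}/remediation?violation={min(node.violations)}")
    return ("allow", destination)


# Constructed rule in the style of the "registry key or file must be present" conditions.
AV_RULE = Rule("antivirus-present",
               [Condition("registry", r"HKLM\SOFTWARE\ExampleAV\Enabled", "1"),
                Condition("file", r"C:\Program Files\ExampleAV\av.exe")], "av-missing")
```

Running `apply_rules` again after the endpoint's posture has changed is what lifts the restriction, mirroring the "correct the violation and the host leaves quarantine" behaviour described above.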

3.6.1.2 Simple Test

Check Point NAC software is not free to use, but Check Point provides a mechanism to test some of its software via a 30-day trial. The Check Point Threat Emulation software blade emulates a software and file policy check, which can be used as a NAC mechanism in the form of a compliance check for endpoints. The purpose of such an application is to prevent infections from undiscovered exploits and zero-day targeted attacks. The test works by uploading a file of any type to the Check Point cloud, where the file is analysed for threats or malware. If purchased, the software performs these scans at the Check Point gateway as a mechanism to enforce network access control in the form of a malware check policy. When the file is uploaded it is opened, run and analysed by a threat emulation sandbox and monitored for suspicious behaviour.

Figure 26 - Check Point software emulation process (technologies, 2015)

From there the threat emulation software determines whether the file is infected or malicious in any respect. Once monitoring of the file is complete, the user is provided with a downloadable report giving information about the file; if the file is infected, the report informs the user of the malicious activity found. If the file is infected, Threat Extraction software is used to remove infected attributes such as macros and embedded objects (technologies, 2015). The file is then returned to the user from the cloud or gateway free of malicious content and completely safe to download.

Figure 27 - report screenshots

The report made clear that the threat emulation software found no malicious content in the file. Compliance would therefore have been established, and the parameter or policy for gaining access to the network would have been satisfied.

3.6.2 Review

With regard to the way gateway-deployed NAC is implemented, it was clear that once the proper hardware is acquired the Check Point security gateway solution could be deployed quickly and efficiently. Using firewalls to query devices and act as the point of enforcement is an efficient approach to integrating NAC. The solution is a sufficient way to add to an organisation's existing secure network architecture.

4 Conclusion

This project's main purpose is to provide an insight into network access control as a mechanism for applying a degree of security to a network's access and resources. From research and exercising of the topic it was clear that NAC can provide an organisation or business with durable, well-managed control over endpoint devices' access to a network. Regardless of which method is chosen to deploy NAC, both gateway-based and port-based implementations have their strong points and mechanisms to ensure security over a network's access.

4.1 Implementation Review

4.1.1 Phase 1

Phase one of the implementation provided an insight into developing the necessary foundations for the initial deployment of the NAC solution. It covered the network architecture used for the demonstration, the initial download and setup of the virtual machine and the PacketFence appliance, and possible alternative methods by which the demonstration could be exercised.

4.1.2 Phase 2

Phase two of the implementation was based around the essential configuration needed to get the PacketFence server up and running. It gives an insight into the initial commands needed for the CentOS operating system as well as a guide to how the PacketFence environment was established.

4.1.3 Phase 3

Phase three of the implementation was based most notably around monitoring the PacketFence environment and providing an insight into and evaluation of the solution through its administrative side. The registration feature of the solution was tested and evaluated, as were the creation and monitoring of devices connected to the network.

4.1.4 Other Technologies

This section comprised a brief investigation into an alternative solution for providing gateway-based network access control. It gave an insight into the Check Point Security Gateway solution and assessed how configuration and features are integrated in such a solution.

4.2 Limitations

PacketFence ZEN was the application used to demonstrate the topic of Network Access Control. The limitations of implementing NAC in a lab environment revolve around the method by which PacketFence was deployed. The Inline enforcement type of PacketFence ZEN limits the demonstration to registration and deregistration of a device on the network. It was possible to apply violations to devices, which in turn blocked traffic from that device to the network, but with no workable way for the device to clear the specified violation. Remediation to an alternative network was also a limitation, as inline enforcement may not support this feature; this is because there is no alternative VLAN to which a device that has fallen out of compliance can be redirected. PacketFence as a solution is a challenging application to implement on any network, with production time frames usually taking months to integrate. Insufficient time has acted as a limitation on exercising and configuring some of PacketFence's other NAC features, such as performance scans and remediation due to violations.

4.3 Recommendations

Recommendations for this project most notably apply to the way the demonstration was configured. VLAN enforcement as the initial enforcement method would be the main element to consider if further exercising of the solution were undertaken, as this type of enforcement is a better method by which the solution could be tested. VLAN enforcement would allow more features to be examined, because more ports would be available to demonstrate aspects such as remediation, MAC detection, isolation and quarantine. In terms of hardware, a Cisco managed switch should be considered, as this would allow more control over the specific states devices enter, and also allow for SNMP traps and enhanced port security.

5 References

Cygnia.co.uk, July 2, 2009. www.cygnia.co.uk. [Online] Available at: http://www.cygnia.co.uk/content/whitePapers/Check%20Point/CheckPointget-nac-up-and-running.pdf

Packetfence.org, 2015. PacketFence ZEN Inline enforcement configuration guide. [Online] Available at: http://www.packetfence.org/downloads/PacketFence/doc/PacketFence_Inline_Deployment_Quick_Guide_ZEN-5.1.0.pdf

PacketFence, 2015. www.packetfence.org. [Online] Available at: www.packetfence.org

Point, C., 2014. www.CheckPoint.com. [Online] Available at: https://www.checkpoint.com/downloads/product-related/datasheets/SWG-appliance-datasheet.pdf

technologies, C. P. S., 2015. Check Point threat emulation software blade. [Online] Available at: https://threatemulation.checkpoint.com/teb/upload.jsp

Tenable, 2015. www.tenable.com. [Online] Available at: http://www.tenable.com/products/nessus-vulnerability-scanner

Appendix

Table of Figures

Figure 1 - NAC remediation, page 8
Figure 2 - VMWare player adapter settings, page 14
Figure 3 - Eth0 virtual interface IP, page 15
Figure 4 - PacketFence enforcement type, page 17
Figure 5 - Network interface configuration, page 17
Figure 6 - MySQL setup, page 19
Figure 7 - General configurations, page 20
Figure 8 - Completed configuration, page 21
Figure 9 - Admin login, page 22
Figure 10 - PacketFence server output, page 23
Figure 11 - Memory, page 23
Figure 12 - PacketFence services, page 24
Figure 13 - Network nodes/Device list, page 25
Figure 14 - Node action list, page 25
Figure 15 - Registration notification, page 27
Figure 16 - Registration login page, page 27
Figure 17 - PacketFence Registration page, page 28
Figure 18 - Device state, page 28
Figure 19 - PacketFence Node creation, page 29
Figure 20 - Kieron laptop state, page 29
Figure 21 - Captive portal configurations, page 30
Figure 22 - Node expiration configurator, page 31
Figure 23 - Interface and network configurations, page 31
Figure 24 - Check Point captive portal (Point, 2014), page 35
Figure 25 - Check Point gateway manager (Cygnia.co.uk, July 2, 2009), page 36
Figure 26 - Check Point software emulation process (technologies, 2015), page 36
Figure 27 - Report screenshots, page 37
