NAP, 802.1x, VMPS & Co

Access Denied

Not so long ago, security was still focused on the external side of networks and on all the bad guys playing on the Internet. Today, perimeter security (DMZ, firewalls, IDS and other toys) is handled by mature technologies and devices that protect your network against external attacks (but never forget that, as Bruce Schneier said, “Security is a process, not a product“. You need to keep security a hot topic inside your organization and constantly improve it!).

It’s time to focus on the internal network. There are major threats inside your network which can affect your business, not only in terms of wasted server or network resources but also from a financial point of view. What about visitors? External consultants? Do you allow them to connect untrusted notebooks or mobile devices to your network? Is your outgoing traffic scanned to prevent data loss? (This technology is called DLP, Data Loss Prevention; I’ll try to cover it later.)

Recently, HP announced that it will support NAP (Network Access Protection) in its Procurve switches. The goal of NAP, developed by Microsoft, is to deny or restrict network access for untrusted computers. How? Based on defined policies (Is the firewall active? Is an up-to-date anti-virus running? Is the operating system correctly patched?), when a computer tries to connect to the network, the switch denies or restricts its access. The partnership between HP and Microsoft is interesting on several points:

  • It’s a good opportunity for HP to push its Procurve switches on the market
  • Microsoft operating systems are very widely deployed in companies (I didn’t say “standard”)
  • It will help companies increase internal security with an “out-of-the-box” solution

But... NAP must still prove its efficiency! NAP is only available in Vista and Windows Server 2008, and will be available in XP SP3. Wait and see. Otherwise, are there alternatives to increase internal security at the access level? Of course!

Protocol/Method, with pros and cons:

VMPS (VLAN Management Policy Server)
  Pro: Cisco protocol, but open source server implementations exist. Authenticates devices by their MAC address and dynamically assigns the switch port to a VLAN. No OS or hardware restriction (every Ethernet card has a MAC address).
  Cons: The client side runs only on Cisco switches, and maintaining the MAC address database is a pain.

802.1x (IEEE standard) with RADIUS
  Pro: Port-based authentication at the data link layer: the switch port only passes authentication traffic until the device (or user) has been authenticated against a RADIUS server. Once authenticated, the device gets full connectivity. More user friendly: combined with a guest VLAN, unauthenticated devices can be redirected to a captive portal where details are provided (why access was refused, how to get it, ...).
  Cons: Requires an 802.1x supplicant on the client, which not every OS ships out of the box (mainly Windows environments). Not all switches support 802.1x.

NAP (Network Access Protection)
  Pro: Framework developed by Microsoft to grant network access based on policies. Several policies can be defined based on key security elements (firewall, anti-virus, patch level).
  Cons: Available only on Vista, Windows Server 2008 and XP SP3. Enforcement relies on an existing mechanism (802.1x, DHCP, IPsec, VPN), and 802.1x enforcement is not available on all switches.

DHCP restriction
  Pro: Unknown hosts (MAC addresses not in the DHCP server's host list) do not get an IP address. Easy to set up; DHCP is very well supported.
  Cons: Not efficient enough to protect the network (devices can have an IP address statically assigned, and the MAC list must be maintained too).

Basic switch features (MAC address filtering, port security)
  Pro: Easy to deploy, available in almost all switches.
  Cons: Low security (MAC addresses can be spoofed), hard to manage at scale.

There are other commercial implementations (Cisco NAC, Checkpoint NAC, ...). Their methodology is pretty much always the same: they evaluate the trust level of a device before allowing it to connect to the network.

Don’t forget that implementing any of the solutions above requires an extra support workload to help users when their access is denied (education, unlocking, explaining). A project like this one must be approved by management, and good communication is mandatory.

Now, what about the best solution? If we compare price against efficiency, my vote goes to VMPS. The whole solution can be based on open source code, but you need Cisco switches. Implementing VMPS forces you to split the company network into separate VLANs, which is always good: broadcast domains are reduced, QoS per VLAN can be implemented, and access between VLANs can be restricted (example: the workstations VLAN won’t have access to the HR VLAN).
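To make the VMPS decision logic concrete, here is an added example (my own code, not the blog’s and not OpenVMPS itself): a small evaluator for a subset of the Cisco/OpenVMPS text database format. The database below is constructed for the example; the switch IPs, port names, MAC addresses and VLAN names are invented. It handles the global settings, the MAC address table (including the --NONE-- deny entry), port groups and per-VLAN port policies; quoted group names, vlan-groups and all-ports are left out. The lookup shows what a MAC-based scheme can and cannot do: an unknown MAC lands in the fallback VLAN, a known MAC gets its VLAN, and a port policy keeps a VLAN on the ports it was assigned to, so a spoofed HR MAC plugged in outside the HR room is refused.

```python
"""Minimal VMPS database evaluator (added example, not OpenVMPS code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed sample in the Cisco VMPS text database format (subset).
SAMPLE_DB = """\
! constructed example database, not a real site
vmps domain CORP
vmps mode open
vmps fallback GUEST
vmps no-domain-req deny
!
vmps-mac-addrs
address 0050.5600.0001 vlan-name WORKSTATIONS
address 0050.5600.0002 vlan-name HR
address 0050.5600.00ff vlan-name --NONE--
!
vmps-port-group HR-Room
 device 10.0.0.2 port Fa0/1
 device 10.0.0.2 port Fa0/2
!
vmps-port-policies vlan-name HR
 port-group HR-Room
"""

Port = Tuple[str, str]  # (switch IP, port name)


@dataclass
class VmpsDb:
    domain: str = ""
    mode: str = "open"              # open or secure
    fallback: Optional[str] = None  # VLAN for unknown MACs, None = deny
    no_domain_req: str = "deny"
    macs: Dict[str, str] = field(default_factory=dict)        # mac -> vlan
    port_groups: Dict[str, Set[Port]] = field(default_factory=dict)
    policies: Dict[str, Set[Port]] = field(default_factory=dict)  # vlan -> ports


def norm_mac(mac: str) -> str:
    """Accept 00:50:56:00:00:01 / 0050.5600.0001 / 005056000001, return dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def parse_vmps_db(text: str) -> VmpsDb:
    """Parse the subset of the VMPS text format used in SAMPLE_DB."""
    db = VmpsDb()
    section: Optional[Tuple[str, str]] = None  # ("group", name) or ("policy", vlan)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):   # '!' introduces a comment
            continue
        words = line.split()
        if words[0] == "vmps":                   # global settings
            key, value = words[1], words[2]
            if key == "domain": db.domain = value
            elif key == "mode": db.mode = value
            elif key == "fallback": db.fallback = value
            elif key == "no-domain-req": db.no_domain_req = value
            section = None
        elif words[0] == "vmps-mac-addrs":
            section = None
        elif words[0] == "address":              # address <mac> vlan-name <vlan>
            db.macs[norm_mac(words[1])] = words[3]
        elif words[0] == "vmps-port-group":      # vmps-port-group <name>
            section = ("group", words[1])
            db.port_groups.setdefault(words[1], set())
        elif words[0] == "vmps-port-policies":   # vmps-port-policies vlan-name <vlan>
            section = ("policy", words[2])
            db.policies.setdefault(words[2], set())
        elif words[0] == "device" and section:   # device <switch> port <port>
            target = db.port_groups if section[0] == "group" else db.policies
            target[section[1]].add((words[1], words[3]))
        elif words[0] == "port-group" and section and section[0] == "policy":
            db.policies[section[1]] |= db.port_groups[words[1]]  # group defined earlier
        else:
            raise ValueError(f"unsupported line: {line!r}")
    return db


def lookup(db: VmpsDb, switch: str, port: str, mac: str) -> Tuple[str, str]:
    """Return ("allow", vlan) or ("deny", reason) for a MAC seen on a port."""
    vlan = db.macs.get(norm_mac(mac))
    if vlan == "--NONE--":
        return ("deny", "MAC address explicitly denied")
    if vlan is None:
        if db.fallback is None:
            return ("deny", "unknown MAC address and no fallback VLAN")
        vlan = db.fallback
    allowed = db.policies.get(vlan)  # no policy = VLAN allowed on any port
    if allowed is not None and (switch, port) not in allowed:
        # secure mode: the switch shuts the port; open mode: access is denied
        return ("deny", f"VLAN {vlan} not allowed on {switch} {port} ({db.mode} mode)")
    return ("allow", vlan)


if __name__ == "__main__":
    db = parse_vmps_db(SAMPLE_DB)
    print(lookup(db, "10.0.0.2", "Fa0/1", "00:50:56:00:00:02"))  # HR laptop in HR room
    print(lookup(db, "10.0.0.1", "Fa0/5", "00:50:56:00:00:02"))  # same MAC spoofed elsewhere
    print(lookup(db, "10.0.0.1", "Fa0/5", "aa:bb:cc:dd:ee:ff"))  # unknown visitor
```

The port policy is what implements the “HR VLAN restricted to their switches” idea: without it, anyone who copies the CFO’s MAC address lands in the HR VLAN from any port; with it, the attacker still has to be physically in the HR room, which is where badge and door security take over.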

2 comments

  1. I agree with your comments! Even more when they are positive like yours!

    When I speak about ‘efficiency’ vs ‘price’, of course I mean ‘efficiency to protect your assets’.

    IP spoofing is indeed a problem. To reduce risks, you can add a monitoring layer: track your devices on your network by using tools like NeDi[1].

    You can also restrict your VLAN propagation across the corporate switches. Example: the HR VLAN will be restricted to “their” switches, located in their room + local security of course (badges, codes, …)

    [1] http://nedi.sourceforge.net/about.html

  2. Hi

    Please allow me to challenge you! 🙂

    VMPS and DHCP restriction are both based upon the MAC address of the PC, which we all know can be spoofed 🙂

    In your evaluation, one of the cons of VMPS is “DB maintenance is a pain”, which you don’t mention as a con of DHCP restriction, but which equally applies to it too, IMHO 🙂

    Also, as a con of DHCP restriction, you state that it is “Not efficient enough to protect the network (devices can have IP address statically assigned).” but if just changing a MAC address can get your PC to impersonate the CFO’s laptop and consequently will land you on a very interesting VLAN / network segment, I don’t think that’s enough to protect the network either, is it? 🙂

    VMPS might very well be the best solution when evaluating price vs. efficiency, but not when evaluating price vs. security:

    then .1x / NAC (please bear in mind: NAC != NAP!!! 🙂) beats VMPS hands down! 🙂

    (I won’t start whining when your rebuttal comes down upon me, but I just could not go to bed without leaving these comments! 🙂)

    Bring it on! 😛

    Cheers, and please keep up the good work! 🙂

    Dv8or025
