Bolting the Back Door with NAC
Part 4: Deploying the Juniper Networks UAC 2.0
— continued

by Lisa Phifer
VP Core Competence, Inc.
[June 25, 2007]

Charting a course
Given the use cases outlined in part 2 and the TNC components described on the previous page, we were ready to move from abstract to concrete. Next, we had to decide how users would be authenticated, what measurements would be validated, how those results would map into roles, and how those roles would limit network resource access. The target policies we decided to implement are summarized below:

| Group | User List | Host Checks | Roles | Resources |
| --- | --- | --- | --- | --- |
| Administrators | Active Directory | Supported OS + Firewall + Anti-Virus | Pass: CompliantPC, NetAdmin | Mgmt VLANs + Staff VLAN + Private Intranet + Public Internet |
| | | | Fail: Remediation | Remediation Server |
| Other Domain Members | Active Directory | Supported OS + Firewall + (Anti-Virus or Bypass List) | Pass: CompliantPC | Staff VLAN + Private Intranet + Public Internet |
| | | | Fail: Remediation | Remediation Server |
| Guests | Anonymous Web Portal | Supported OS + Firewall | Pass: GuestPC | Public Internet (web, ftp, mail, vpn) |
| | | | Unknown: GuestPDA | Public Internet (web only) |
| Customers | Local List | Supported OS + Firewall + Anti-Virus | Pass: Per-customer Roles | Public Internet + Customer's own Private Subnet |
| | | | Fail: Remediation | Remediation Server |

The IC4000's RADIUS server can consult many third-party directories, including LDAP, RSA, NIS, and Netegrity. We wanted to tap our Windows AD to authenticate our own staff, using group membership to determine role. We also planned to create a customer user list on the IC4000, mapping each to a separate role. Finally, we intended to use the IC4000's web portal to admit anonymous guests.

UAC can use TNC APIs to communicate with third-party Integrity Measurement Collectors and Verifiers. For simplicity, we decided to use only rules that Juniper's Host Checker could verify without third-party software. The IC offers a long list of predefined rules for Windows endpoints—we combined a few of those with a custom registry rule and a MAC address bypass rule. The latter gets known/trusted devices past rules that cannot otherwise be enforced (here, a laptop with unrecognized beta AV). Juniper does not currently offer predefined rules for Linux or Mac, but custom rules can check for known processes, ports, or files on those endpoints.

Note that rules cannot even be evaluated on OSs that cannot run Host Checker. This is why we ended up giving non-compliant guests limited internet access instead of blocking them altogether—we needed to admit our un-checkable WinMobile devices. The right way to handle atypical devices like PDAs, VoIP phones, and scanners depends on your own business needs and threat tolerance. We included this simple example in our test to show why it is important to identify and resolve such exceptions during policy design.
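To make the policy table and the exception handling above concrete, here is an added example (not code from the article or from Juniper's UAC) that models the group/host-check to role/resource mapping as a decision function. The host-check results, the MAC bypass list entry and the customer name are constructed inputs; the treatment of a guest that runs Host Checker but fails, and of a non-guest whose OS cannot run Host Checker at all, is not stated in the table and is an assumption marked in the comments.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed bypass list: trusted devices that get past rules which cannot
# otherwise be enforced (the article's case is a laptop with unrecognized beta AV).
MAC_BYPASS = {"00:11:22:33:44:55"}  # constructed value, not a real device

@dataclass
class Endpoint:
    group: str                 # Administrators, DomainMembers, Guests, Customers
    host_checker_ran: bool     # False for OSs that cannot run Host Checker (e.g. WinMobile)
    supported_os: bool = False
    firewall: bool = False
    antivirus: bool = False
    mac: str = ""
    customer: str = ""         # per-customer role name, Customers group only

REMEDIATION = (["Remediation"], ["Remediation Server"])

def assign(ep: Endpoint) -> tuple[list[str], list[str]]:
    """Return (roles, resources) for an endpoint according to the policy table."""
    if not ep.host_checker_ran:
        # Rules cannot be evaluated at all; only the Guests row has an "Unknown" outcome.
        if ep.group == "Guests":
            return (["GuestPDA"], ["Public Internet (web only)"])
        return REMEDIATION  # assumption: an unevaluated staff/customer host is treated as a failed check
    base = ep.supported_os and ep.firewall
    if ep.group == "Administrators":
        if base and ep.antivirus:
            return (["CompliantPC", "NetAdmin"],
                    ["Mgmt VLANs", "Staff VLAN", "Private Intranet", "Public Internet"])
        return REMEDIATION
    if ep.group == "DomainMembers":
        # Anti-Virus rule may be satisfied by the MAC bypass list for this group only.
        if base and (ep.antivirus or ep.mac in MAC_BYPASS):
            return (["CompliantPC"], ["Staff VLAN", "Private Intranet", "Public Internet"])
        return REMEDIATION
    if ep.group == "Guests":
        if base:
            return (["GuestPC"], ["Public Internet (web, ftp, mail, vpn)"])
        return ([], [])  # assumption: the table has no Fail row for guests, so deny access
    if ep.group == "Customers":
        if base and ep.antivirus:
            return ([ep.customer], ["Public Internet", f"{ep.customer} Private Subnet"])
        return REMEDIATION
    raise ValueError(f"unknown group {ep.group!r}")
```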
