
Page 1

© Egemen K. Çetinkaya

Introduction to Network Security Missouri S&T University CPE 5420

Network Access Control

Egemen K. Çetinkaya

Department of Electrical & Computer Engineering

Missouri University of Science and Technology

[email protected]

http://web.mst.edu/~cetinkayae/teaching/CPE5420Fall2016

28 October 2016 rev. 16.0 © 2014–2016 Egemen K. Çetinkaya

Page 2

Network Access Control Outline

• Overview

• Methods

MST CPE 5420 – Network Access Control 28 October 2016 2

Page 3

Network Access Control Overview

• Overview

• Methods


Page 4

Network Access Control Overview

• NAC – Network Access Control

• Deals with authorized access

• Authenticates users

• Decides what action a user can perform


Page 5

Network Access Control Architecture


Page 6

Network Access Control Architectural Components

• Users/supplicants/access requestors

• Policy servers

• Network authentication server/media gateway

– policy server can be part of NAS


Page 7

Network Access Control Methods

• Overview

• Methods


Page 8

Network Access Control Methods

• IEEE 802.1X

– port-based network access control

• VLAN

– virtual local area network

• Firewall

• ACL

– access control list


Page 9

Network Access Control IEEE 802.1X Overview

• Port-based network access control

– port: IEEE 802 LAN service access points

• Protocols for secure communication between devices

• Provides: authentication, authorization, key agreement

• It defines EAP over LAN protocol (EAPOL)

– EAP – extensible authentication protocol [RFC 3748]

• History: 2001 → 2004 → 2010

– 2010 version incorporates applications of IEEE 802.1AE MACsec

• MACsec provides confidentiality of the MAC frames
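As an added example (not code from the slides) of what the EAPOL encapsulation above looks like on the wire, the following Python parses the EAPOL header and the EAP header it carries, then rebuilds the supplicant's EAP-Response/Identity; the field layouts are those of IEEE 802.1X and RFC 3748, and the sample frame is constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# EAPOL packet types (IEEE 802.1X) and EAP codes / method types (RFC 3748)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}
@dataclass
class EapolFrame:
    version: int
    packet_type: str
    eap_code: Optional[str] = None   # only for EAP-Packet
    eap_id: Optional[int] = None
    eap_type: Optional[str] = None   # only for Request/Response
    eap_data: bytes = b""

def parse_eapol(payload: bytes) -> EapolFrame:
    """Parse the 4-byte EAPOL header (bytes after EtherType 0x888E) and, for
    an EAP-Packet, the EAP header; every length is checked before use."""
    if len(payload) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", payload[:4])
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL packet type {ptype}")
    body = payload[4:4 + body_len]
    if len(body) < body_len:
        raise ValueError("EAPOL body shorter than declared length")
    frame = EapolFrame(version, EAPOL_TYPES[ptype])
    if ptype != 0:                  # Start/Logoff/Key carry no EAP packet
        return frame
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("EAP length field inconsistent with body")
    frame.eap_code, frame.eap_id = EAP_CODES.get(code, f"code-{code}"), ident
    if code in (1, 2):              # Request/Response carry Type + type-data
        if eap_len < 5:
            raise ValueError("Request/Response without a Type byte")
        frame.eap_type = EAP_TYPES.get(body[4], f"type-{body[4]}")
        frame.eap_data = body[5:eap_len]
    return frame

def build_identity_response(ident: int, identity: bytes) -> bytes:
    """EAPOL-encapsulated EAP-Response/Identity, as a supplicant answers."""
    eap = struct.pack("!BBHB", 2, ident, 5 + len(identity), 1) + identity
    return struct.pack("!BBH", 2, 0, len(eap)) + eap

# Constructed sample: an authenticator's EAP-Request/Identity (EAPOL v2, id 1)
SAMPLE_REQUEST = bytes.fromhex("02000005" "01010005" "01")
```

The identity exchange shown here is only the first step; the EAP method that follows (and whether it protects the identity) is what decides the strength of the authentication.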


Page 10

Network Access Control IEEE 802.1X Authentication Example

• Standards are linked on the webpage

• [Ref: http://en.wikipedia.org/wiki/IEEE_802.1X]


Page 11

Network Access Control VLAN Overview

• Virtual local area network

• Partitions a layer-2 network into separate broadcast domains

• End nodes need not be in the same physical location


Page 12

Network Access Control VLAN Example

• Traffic cannot pass between VLANs

• [Ref: CISCO VLAN]


Page 13

Network Access Control Firewall Overview

• Firewalls are defense mechanisms

• Allows only authorized traffic to pass through the firewall

• A firewall can serve as a platform for IPsec

– in tunnel mode, the VPN gateway acts like a firewall

• Types of firewalls

– packet filtering

• based on packet type, port number, IP address, etc.

– stateful inspection

• in addition to packet filtering, tracks TCP connection characteristics

– application layer filtering

• filtering based on applications (e.g. e-mail, FTP, HTTP)


Page 14

Network Access Control Packet Filtering Example

• Packet filtering rules are applied in order, top to bottom

• Rule #2 is the default rule:

– it decides what happens to a packet when no other rule applies


Rule  Source Address  Destination Address  Action
1     128.45.34.189   14.16.35.67          permit
2     0.0.0.0/0       0.0.0.0/0            deny

Page 15

Network Access Control Packet Filtering Examples

• permit 0.0.0.0 0.0.0.0 TCP src >= 1024 dst = 25

• permit 0.0.0.0 0.0.0.0 UDP src > 910 dst = 53

• deny 0.0.0.0 0.0.0.0 ICMP type = 8


[Ref: Cisco IP filtering]

Page 16

Network Access Control Packet Filtering Examples

• permit 0.0.0.0 0.0.0.0 TCP src >= 1024 dst = 25

• allows TCP segments with a source port >= 1024 and a destination port of 25 (SMTP mail)

• permit 0.0.0.0 0.0.0.0 UDP src > 910 dst = 53

• allows UDP segments with a source port > 910 and a destination port of 53 (Domain Name Service)

• deny 0.0.0.0 0.0.0.0 ICMP type = 8

• deny ICMP echo request (pings)
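To show the first-match-wins evaluation behind the rule table and the three port rules on the slides above, here is an added Python packet-filter evaluator (example code, not from the slides). It loads those rules as one ordered list, keeps the any-to-any deny as the explicit last rule, and the packets fed to it are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "TCP", "UDP" or "ICMP"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1   # only meaningful for ICMP

@dataclass
class Rule:
    action: str                         # "permit" or "deny"
    src: str = "0.0.0.0/0"              # source prefix, any by default
    dst: str = "0.0.0.0/0"              # destination prefix, any by default
    proto: Optional[str] = None         # None matches any protocol
    cond: Callable[[Packet], bool] = lambda p: True   # extra port/type test

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and self.cond(p))

def filter_packet(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """Walk the list top to bottom; the first matching rule decides.
    Returns (action, 1-based rule number), or ("deny", 0) when nothing
    matched, i.e. the implicit deny most filters apply at the end."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(p):
            return rule.action, number
    return "deny", 0

# The rules shown on the slides, as one ordered list with the
# slide's rule 2 (any-to-any deny) kept last as the explicit default.
RULES = [
    Rule("permit", "128.45.34.189/32", "14.16.35.67/32"),
    Rule("permit", proto="TCP", cond=lambda p: p.sport >= 1024 and p.dport == 25),
    Rule("permit", proto="UDP", cond=lambda p: p.sport > 910 and p.dport == 53),
    Rule("deny", proto="ICMP", cond=lambda p: p.icmp_type == 8),
    Rule("deny"),
]

if __name__ == "__main__":   # constructed sample packet: DNS from a low source port
    print(filter_packet(RULES, Packet("10.0.0.5", "14.16.35.67", "UDP", 900, 53)))
```

Moving the default deny to the top of the list makes every later permit unreachable, which is the ordering mistake a misconfigured filter most often contains.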


[Ref: Cisco IP filtering]

Page 17

Network Access Control Firewall Caveats

• Why don't firewalls work?


Page 18

Network Access Control Firewall Caveats

• Why don't firewalls work?

• Good for defense against outsiders, but not insiders

• Insider may be tricked into downloading:

– malicious code/e-mail/virus

• A misconfigured firewall can be annoying


Page 19

Network Access Control ACL Overview

• Access control list

• A mechanism for controlling access to system resources

• List of permissions

– filesystem ACL

• e.g. which files may be accessed by whom on an end host

– network ACL

• e.g. rules applied for packet filtering

• Similar to firewall

– firewalls can do stateful inspection

• can keep track of TCP states in the state machine

– ACLs are stateless


Page 20

References and Further Reading

• [KPS2002] Charlie Kaufman, Radia Perlman, and Mike Speciner, Network Security: Private Communication in a Public World, 2nd edition, Prentice Hall, 2002.

• [S2017] William Stallings, Cryptography and Network Security: Principles and Practice, 7th edition, Prentice Hall, 2017.

• [NAT: RFC 3022, RFC 2663]

• [L2TP: RFC 2661, RFC 3193]


Page 21

End of Foils
