© Egemen K. Çetinkaya
Introduction to Network Security Missouri S&T University CPE 5420
Network Access Control
Egemen K. Çetinkaya
Department of Electrical & Computer Engineering
Missouri University of Science and Technology
http://web.mst.edu/~cetinkayae/teaching/CPE5420Fall2016
28 October 2016 rev. 16.0 © 2014–2016 Egemen K. Çetinkaya
Network Access Control Outline
• Overview
• Methods
MST CPE 5420 – Network Access Control 28 October 2016 2
Network Access Control Overview
• Overview
• Methods
Network Access Control Overview
• NAC – Network Access Control
• Deals with authorized access
• Authenticates users
• Decides what action a user can perform
Network Access Control Architecture
Network Access Control Architectural Components
• Users/supplicants/access requestors
• Policy servers
• Network authentication server/media gateway
– policy server can be part of NAS
Network Access Control Methods
• Overview
• Methods
Network Access Control Methods
• IEEE 802.1X
– port-based network access control
• VLAN
– virtual local area network
• Firewall
• ACL
– access control list
Network Access Control IEEE 802.1X Overview
• Port-based network access control
– port: IEEE 802 LAN service access points
• Protocols for secure communication between devices
• Provides: authentication, authorization, key agreement
• It defines EAP over LAN protocol (EAPOL)
– EAP – extensible authentication protocol [RFC 3748]
• History: 2001 → 2004 → 2010
– 2010 version incorporates applications of IEEE 802.1AE MACsec
• MACsec provides confidentiality of the MAC frames
Network Access Control IEEE 802.1X Authentication Example
• Standards are linked on the webpage
• [Ref: http://en.wikipedia.org/wiki/IEEE_802.1X]
Network Access Control VLAN Overview
• Virtual local area network
• Partition the layer-2 network into broadcast domains
• End nodes need not be in the same physical location
Network Access Control VLAN Example
• Traffic cannot pass between VLANs
• [Ref: CISCO VLAN]
Network Access Control Firewall Overview
• Firewalls are defense mechanisms
• Allows only authorized traffic to pass through the firewall
• A firewall can serve as a platform for IPsec
– in tunnel mode VPN acts like a firewall
• Types of firewalls
– packet filtering
• based on packet type, port number, address, etc.
– stateful inspection
• in addition to packet filtering, keeps track of TCP connection characteristics
– application layer filtering
• filtering based on applications (e.g. e-mail, FTP, HTTP)
Network Access Control Packet Filtering Example
• Packet filtering rules are applied in order; the first matching rule wins
• Rule 2 is the default rule:
– what happens to a packet when no other rule applies?
Rule  Source Address   Destination Address  Action
1     128.45.34.189    14.16.35.67          permit
2     0.0.0.0/0        0.0.0.0/0            deny
Network Access Control Packet Filtering Examples
• permit 0.0.0.0 0.0.0.0 TCP src >= 1024 dst = 25
• permit 0.0.0.0 0.0.0.0 UDP src > 910 dst = 53
• deny 0.0.0.0 0.0.0.0 ICMP type = 8
[Ref: Cisco IP filtering]
Network Access Control Packet Filtering Examples
• permit 0.0.0.0 0.0.0.0 TCP src >= 1024 dst = 25
• allows TCP segments with a source port >= 1024 and a destination port of 25 (SMTP mail)
• permit 0.0.0.0 0.0.0.0 UDP src > 910 dst = 53
• allows UDP datagrams with a source port > 910 and a destination port of 53 (Domain Name Service)
• deny 0.0.0.0 0.0.0.0 ICMP type = 8
• denies ICMP echo requests (pings)
[Ref: Cisco IP filtering]
Network Access Control Firewall Caveats
• Why don't firewalls work?
Network Access Control Firewall Caveats
• Why don't firewalls work?
• Good for defense against outsiders, but not insiders
• Insider may be tricked into downloading:
– malicious code/e-mail/virus
• Misconfigured firewall can be annoying
Network Access Control ACL Overview
• Access control list
• A mechanism for controlling access to system resources
• List of permissions
– filesystem ACL
• e.g. which users may access which files on an end host
– network ACL
• e.g. rules applied for packet filtering
• Similar to firewall
– firewalls can do stateful inspection
• can keep track of TCP states in the state machine
– ACLs are stateless
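The ordered packet-filter rules above and the stateless-ACL versus stateful-firewall distinction, worked through in code. This is an added example, not from the lecture: a first-match filter loaded with the slides' five rules, and a minimal connection table layered on top so the SMTP reply that a stateless ACL must drop (it matches no permit rule) is admitted because the outbound SYN was tracked. Packet dictionaries and the addresses 10.0.0.5 and 192.0.2.x are constructed for illustration.

```python
import ipaddress

# Rule = (action, src_net, dst_net, proto, src_ports, dst_port, icmp_type); None = any.
# These are the slides' rules; order matters because the first matching rule wins.
RULES = [
    ("permit", "128.45.34.189/32", "14.16.35.67/32", None, None, None, None),
    ("permit", "0.0.0.0/0", "0.0.0.0/0", "TCP", (1024, 65535), 25, None),  # SMTP
    ("permit", "0.0.0.0/0", "0.0.0.0/0", "UDP", (911, 65535), 53, None),   # DNS
    ("deny",   "0.0.0.0/0", "0.0.0.0/0", "ICMP", None, None, 8),           # echo request
    ("deny",   "0.0.0.0/0", "0.0.0.0/0", None, None, None, None),          # default rule
]

def rule_matches(rule, pkt):
    action, src_net, dst_net, proto, sports, dport, itype = rule
    src_ok = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src_net)
    dst_ok = ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst_net)
    if not (src_ok and dst_ok) or (proto is not None and pkt["proto"] != proto):
        return False
    if sports is not None and not sports[0] <= pkt.get("sport", 0) <= sports[1]:
        return False
    if dport is not None and pkt.get("dport") != dport:
        return False
    return itype is None or pkt.get("type") == itype

def stateless_filter(pkt, rules=RULES):
    """ACL semantics: every packet is judged on its own, first matching rule wins."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule[0]
    return "deny"  # not reached while the default rule is present

class StatefulFirewall:
    """Same rules plus a connection table: a permitted TCP SYN opens an entry and
    later segments of that connection (either direction) pass without a reply rule."""
    def __init__(self, rules=RULES):
        self.rules = rules
        self.connections = set()  # (src, sport, dst, dport) of permitted TCP flows

    def filter(self, pkt):
        if pkt["proto"] != "TCP":
            return stateless_filter(pkt, self.rules)
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if fwd in self.connections or rev in self.connections:
            return "permit"  # belongs to a tracked connection
        if not pkt.get("syn", False):
            return "deny"  # mid-stream segment with no known connection
        action = stateless_filter(pkt, self.rules)
        if action == "permit":
            self.connections.add(fwd)  # new connection admitted by the rule set
        return action
```

Note that rule 1 sits before the ICMP deny, so an echo request from 128.45.34.189 to 14.16.35.67 is permitted: rule order, not rule specificity, decides.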