Computer Manufacturing
In response to the rise in network security threats, Intel IT is taking advantage of new industry standards to enhance its network security. Through 802.1x authentication, security policy compliance enforcement, and remediation, each device and user is identified, verified, and validated for compliance with security policies before being connected to our network.
Sagi Bar-Or, Intel Corporation
February 2007
Executive Summary
As networking evolves to support both wired and wireless access, securing corporate networks from attack becomes ever more essential. Intel IT is using a new security method to authenticate devices, validate them against security compliance policies, and remediate specific problems before they connect to Intel’s networks.
Our strategy includes:
• Ensuring that network hardware, firmware, and software meet the IEEE 802.1x standard.
• Authenticating all devices attempting to connect to our network.
• Checking for compliance with Intel’s information security policies.
• Cleaning infected systems and bringing their configuration into compliance with security policies before they connect to our network.
• Providing wired and wireless clients an assured connection to a known network.
• Protecting mobile devices against unintentionally connecting to a hostile network.
A pilot program, which we began in September 2003, validated our approach by protecting wired and wireless client systems in office and factory environments. This is a promising new network security method. For example, it could enable our IT managers to:
• Ensure that all systems connecting to Intel’s networks meet specific security requirements.
• Enforce system states to meet security policies, for example, weekly virus scanning.
• Scan systems for recent worms and viruses and block connectivity until cleaned.
• Protect mobile laptop PCs that have been unconnected from getting or proliferating recently emerged viruses.
Intel IT has demonstrated how to use the capabilities of emerging open network security standards to combine device authentication with security policy compliance enforcement, enabling proactive remediation before a device is allowed on the network. Today, we have completed many major milestones for on-connect authentication, including configuration and deployment of the infrastructure and clients for LAN and wireless LAN (WLAN). We are now working on the next stage: adding compliance enforcement and protecting remote-access virtual private network (VPN).
Executive Summary
Background 4
Network Security Risks 5
A New Security Paradigm 6
The Technologies Behind Our Solution 7
Authentication Protocols 7
Password-based Protocol 7
Certificate-based Protocol 8
Tunneling Protocol 9
Security Compliance Enforcement 9
Asset Registration Validation 10
Forming a Program Team 11
Gathering Requirements 11
Identifying Project Scope 11
Intel’s Security Enhancement Program 11
Piloting the Solution 1
Challenges 14
Conclusion 15
Authors 15
Acronyms 15
Trang 4Facing this business need, Intel IT saw a solution opportunity in three new standards of the Institute
of Electrical and Electronic Engineers (IEEE), all of which offer advanced authentication capabilities:
802.1x for port-based security, next-generation 802.11i for networking, and Wi-Fi* protected access (WPA)
Our solution needed to address all aspects of Intel’s complex environment Intel’s networking environment includes a multitude of client platforms: desktop PCs, laptops, personal digital assistants (PDAs), and other small form-factor devices, such as smartphones These devices use various operating systems, including Microsoft Windows*, PocketPC*, Linux*, and UNIX*
Our environment also presents a variety of use cases, including office clients, servers, and station controllers
Intel has hundreds of sites worldwide and approximately 100,000 employees (including contractors), each of whom has at least one PC We’ve moved to a mobile environment in which more than 70 percent of our knowledge workers use mobile computers and more than 40 percent are wireless-enabled Intel has 30,000 wireless users, 4,000+ wireless access points, and over 50,000 wired switch ports
To address security in this complex environment, Intel IT conducted a pilot project to investigate using state-of-the-art technologies to protect network ports We wanted to find out whether
we could provide required levels of security by combining authentication to prevent unauthorized network access with verification that each device connecting to the network environment
is compliant with current security policies
Background
In today’s networking world, companies are increasingly at risk for network attacks— from hostile intruders, viruses, and worms to server impersonations To reduce the potential impact of such attacks at Intel, we needed to enhance security protection
in our environment
Network Security Risks
Today our networks face many security risks, whether wired or wireless. One of the most common is unauthorized network access. In addition, we must also protect against the threat of damage done by legitimate devices or people through the spread of worms and viruses.
But how do you deny network access to devices that are contaminated or suspicious or not compliant with current information security policies? To detect that a device is non-compliant after it is already on the network and then disconnect it is not sufficient. Worms, for example, propagate themselves very quickly in the network layer. To maximize protection, the device should not be granted access to the network at all unless or until the problem can be remediated.
Wired networks have the advantage of requiring physical access to connect to them. As a result, they can be partially protected using physical security measures such as guards or locked doors. However, even with physical security, wired networks still face the same risks from viruses and worms that wireless networks must deal with. And we must still protect the LAN environment from authorized individuals connecting unauthorized devices to the network and from malicious activity by authorized users.
By their very nature, WLANs do not lend themselves to physical protection, since they do not require devices to physically connect to the network. Incorporating wireless technology in a large, global enterprise can potentially introduce new risks into the environment if not carefully managed. Wireless ports that are not sufficiently protected can increase the risk of incursions from unauthorized network access. When a wireless network is unprotected, someone can be out in the parking lot or blocks away and still connect to the WLAN.
On the other hand, unprotected wireless clients may be vulnerable. “Rogue” wireless devices can also pose dangers to network security. They can increase the risk of server impersonation, where clients are lured onto hostile networks.
A New Security Paradigm
In response to these security challenges, the IEEE has been working on 802.11i, an emerging security standard for WLAN. This includes the existing port-based authentication standard, 802.1x, which is also used for wired LANs.
Intel IT’s proof-of-concept study demonstrated that 802.1x-enabled device authentication, combined with automated scanning and enforcement of security policies, can give us control over every device attached to our network.
This new security paradigm is important to us because it has the potential to dramatically improve our ability to enforce security policy.
For example, using this new approach, Intel IT managers could:
• Ensure that only authorized devices and users can connect to the network.
• Ensure that systems they don’t own or maintain meet minimum security requirements, so they can make yes/no decisions on allowing connection to the network.
• Enforce system states—for example, if a full system scan has not been performed on a connecting system within the time period specified by security policy, we could force the scan prior to connection.
• Arrange to quickly scan connecting systems for a recent worm that can be detected based on a signature file and block connectivity until the system is cleaned.
• Require mobile computers that are away from the network for a period of time to update their virus or signature file before they reconnect, protecting laptop PCs from either getting or proliferating a recently emerged virus.
The Technologies Behind Our Solution
The solution employed in our pilot combined authentication, security compliance, and asset registration validation capabilities that are now possible to implement through the 802.1x standard.
Authentication Protocols
Authentication occurs when a device tries to connect to the network, for example, through a local wired port or a wireless access point (AP). 802.1x is based on the Extensible Authentication Protocol (EAP), specifically developed to address port-level authentication.
EAP allows authentication of devices before they are granted access to the network. It is an extension to the Point-to-Point Protocol (PPP) for Ethernet networks and enables a variety of authentication protocols. It passes through the exchange of authentication messages, allowing authentication software on the server to interact with its counterpart on the client before the device is connected.
In our study, we considered the following three protocol types for authentication:
• Password-based
• Certificate-based
• Tunneling
Password-based Protocol
Password-based protocols authenticate using passwords for both the device and the user.
Two examples of password-based protocols are Protected EAP-Microsoft Challenge Handshake Authentication Protocol version 2* (PEAP-MS CHAP v2) and Cisco’s Lightweight Extensible Authentication Protocol* (LEAP).
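The port-based exchange described above, as an added example that is not part of the original paper and not Intel's code: a toy Python model of the three 802.1x roles (supplicant, authenticator switch port, authentication server). The controlled port drops every data frame until the server returns Access-Accept. The challenge/response inside it is a constructed HMAC-SHA256 stand-in for a password-based EAP method, not PEAP-MS-CHAPv2 or LEAP, and every identity and password is a constructed sample value.

```python
"""Toy model of 802.1x port-based access control. Added example, not
Intel's code; the challenge/response is a constructed HMAC-SHA256
stand-in for a password-based EAP method, and all credentials are
constructed sample values."""
import hashlib
import hmac
import os


def derive_key(password):
    # Constructed stand-in for the stored password hash; the example only
    # needs a shared secret that never travels over the wire.
    return hashlib.sha256(password.encode("utf-8")).digest()


# Constructed credential store: the server keeps only password hashes, for
# a device identity (host name) and a user identity.
AUTH_SERVER_DB = {
    "host/laptop-0042": derive_key("machine-secret-constructed"),
    "alice": derive_key("Tr0ub4dor!x-constructed"),
}


class AuthenticationServer:
    """Issues a random challenge per identity and verifies the response."""

    def __init__(self, db):
        self.db = db
        self.pending = {}

    def handle_identity(self, identity):
        # Unknown identities get a challenge too, so the reject path does
        # not reveal which identities exist.
        challenge = os.urandom(16)
        self.pending[identity] = challenge
        return {"type": "EAP-Request/Challenge", "challenge": challenge}

    def handle_response(self, identity, response):
        challenge = self.pending.pop(identity, None)
        key = self.db.get(identity)
        if challenge is None or key is None:
            return {"type": "Access-Reject"}
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            return {"type": "Access-Accept"}
        return {"type": "Access-Reject"}


class Supplicant:
    """The client side: knows its identity and the password-derived key."""

    def __init__(self, identity, password):
        self.identity = identity
        self.key = derive_key(password)

    def respond(self, challenge):
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class SwitchPort:
    """The authenticator. Its controlled port starts UNAUTHORIZED and drops
    every data frame; only the EAP exchange is relayed to the server."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.state = "UNAUTHORIZED"
        self.log = []

    def forward(self, frame):
        """Return True if a data frame is forwarded to the production network."""
        if self.state != "AUTHORIZED":
            self.log.append(f"dropped {frame!r}: port {self.state}")
            return False
        self.log.append(f"forwarded {frame!r}")
        return True

    def authenticate(self, supplicant):
        """Run the EAP exchange and return the resulting port state."""
        self.log.append("EAPOL-Start -> EAP-Request/Identity")
        identity = supplicant.identity                       # EAP-Response/Identity
        request = self.auth_server.handle_identity(identity)  # relayed to the server
        response = supplicant.respond(request["challenge"])
        result = self.auth_server.handle_response(identity, response)
        self.log.append(f"{identity}: {result['type']}")
        if result["type"] == "Access-Accept":
            self.state = "AUTHORIZED"
        return self.state


def demo():
    """A data frame before authentication, a failed user attempt, a successful
    device authentication, then a data frame afterwards."""
    port = SwitchPort(AuthenticationServer(AUTH_SERVER_DB))
    before = port.forward("IP packet to file server")
    after_bad = port.authenticate(Supplicant("alice", "wrong-password"))
    after_good = port.authenticate(Supplicant("host/laptop-0042", "machine-secret-constructed"))
    after = port.forward("IP packet to file server")
    return before, after_bad, after_good, after


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the ordering: `forward()` returns False for the same frame that succeeds after `authenticate()`, and a wrong password leaves the port state unchanged. In a real deployment the authenticator relays EAP to the server over RADIUS and the method's own cryptography replaces the HMAC stand-in.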
Clients that connect to a Microsoft Windows domain already use device and user credentials to authenticate to the domain. The same credentials can be used to authenticate to the network with 802.1x.
For a device, the domain credential is the host name. The password is created when the device joins the domain and its hash is cached both on the client and in the directory. The password is changed automatically, as required by company policy (for instance, every 30 or 90 days).
For a user, the domain credential is the username and password. The user password can be made secure using domain-wide group policy objects that require passwords to meet strong password specifications and to be changed periodically.
A common industry definition of a strong password specification is that passwords be at least six characters long and include uppercase letters, lowercase letters, and digits, with at least one special character.
Using both device and user credentials provides better protection, as they complement each other’s vulnerabilities. For example, users’ passwords are susceptible to social engineering (tricking a person into revealing their password) and shoulder surfing (stealing a password by looking over someone’s shoulder as they type it in). The device password compensates for that, as the user never uses and does not know the device password. Unfortunately, the ability to authenticate using two credentials in the same session is not yet supported by the IEEE standard.
Another drawback of password-based protocols is that the user password is cached on the local hard drive to enable offline logon. This will compromise security if a laptop is stolen. The optimal solution is to not cache the logon credential. However, if the password must be cached to enable offline logon or roaming, it can still be protected with a non-cached PIN, using a hardware module such as a trusted platform module (TPM) to provide tamper-resistant storage.
Certificate-based Protocol
Computer certificates significantly improve the level of security and resistance to brute force attacks. However, certificate-based protocols such as EAP-Transport Layer Security (EAP-TLS) require a public key infrastructure (PKI), which adds a level of complexity and cost. A certificate authority (CA) must be established to generate the certificate, and a system put in place for deployment and maintenance to revoke, renew, and track certificates. Certificates can be purchased from a commercial source, but they still need to be deployed and maintained. Nevertheless, once the PKI and certificate-based authentication is established, it is a highly stable and scalable service.
The optimum approach is to use separate certificates for device and user authentication and to require both forms of authentication before allowing network access. However, this may not be the best option for device authentication, as the credential needs to be associated with the device. One solution is to store the certificate in the TPM on the computer, if the ease of use for customers makes that additional risk worthwhile.
Tunneling Protocol
Tunneling protocols enable a secure tunnel between the client and authenticator, allowing the authentication process to occur securely. This protocol is said to “tunnel” because it pushes through different types of packets, encapsulating them at the peer level or below. Tunneling protocols transport multiple protocols over a common network and provide the vehicle for encrypted VPNs. In the network authentication case, the tunneling protocol is used to perform the authentication session in a protected way. Examples of tunneling protocols include Protected EAP (PEAP) and Tunneled TLS (TTLS).
Security Compliance Enforcement
Authentication is an important step in protecting networks from unauthorized access, but it’s only one piece of the puzzle. Gartner Group was forecasting that, “by the first quarter of 2005, enterprises that don’t enforce security policies during network login will experience 200 percent more network downtime than those that do (0.7 probability).”1 By introducing security compliance at Layer 2 of the network stack, devices can be identified as authorized to access the network as well as compliant with information security policies.
To become security compliant, the device must pass a series of checks, according to predefined policies. For example, security patches, virus definitions, and other security-related configuration components can be checked against a database for compliance. This compliance scanning can also verify that critical security services, such as virus protection, are running on the device.
1 “Scan, Block and Quarantine to Survive Worm Attacks.” Gartner Group Paper ID T21-7-7550.
Security compliance can be enforced in several ways before a device is allowed to connect to the production network. Here are three examples:
• Do not enter. When detected as non-compliant, the device is not allowed access. This method is elegant in its simplicity; however, users need the ability to contact a support center when access is denied.
• Partial access. When detected as non-compliant, the device gains partial access to the network. That is, it is issued a valid IP address, but can only access limited resources.
• Remediation. When detected as non-compliant, the device is redirected to a non-production (remediation) network. In this network, the device’s security compliance is updated. Remediation can be done using various levels of automation. Once the device (known as a supplicant) is verified to be compliant, it can be assigned an IP address and allowed to access the network, as shown in Figure 1.
There are several technologies in the domain of compliance enforcement on connect. They can be divided into three main types, according to the policy enforcement point (PEP):
• The client as the enforcement point. Typically achieved by a personal firewall or another low-level device driver at the network driver interface (NDI) level, which controls network access for the device.
• A network service as the enforcement point. In this technology, a network device limits network access per device. This is achieved by a network access server (NAS), or, for example, Dynamic Host Configuration Protocol (DHCP).
• A proprietary network appliance as the enforcement point. In this method, a specific network appliance captures the packets and controls them accordingly.
Asset Registration Validation
A third condition for allowing a device to be connected to the network is verifying that the device is registered. Verification can be done with an existing database in the organization. The approach is similar to compliance scanning enforcement, described above.
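The compliance checks, the three enforcement models (do not enter, partial access, remediation) and the asset registration check above, as an added example that is not Intel's implementation: a compliance-on-connect evaluator in Python for a device that has already passed authentication. The policy thresholds, the registered-asset list, the reference date and the device posture records are constructed sample values, and `remediate()` is a model of the remediation zone's automated actions rather than any real remediation product.

```python
"""Compliance-on-connect evaluation (Step 2 of the process in Figure 1).
Added example, not Intel's implementation: policy thresholds, the asset
registry and the device postures are constructed sample values."""
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Constructed policy; in practice these values come from the security policy database.
POLICY = {
    "min_patch_level": 12,           # current patch baseline
    "max_signature_age_days": 7,     # virus definitions must be under a week old
    "max_full_scan_age_days": 7,     # weekly full system scan
    "required_services": {"antivirus"},
}
REGISTERED_ASSETS = {"laptop-0042", "desktop-0007"}   # constructed asset registry


@dataclass(frozen=True)
class Posture:
    """What the compliance scanner reports about a connecting device."""
    hostname: str
    patch_level: int
    signature_date: date
    last_full_scan: date
    running_services: frozenset = frozenset()


def evaluate(posture, today, policy=POLICY, assets=REGISTERED_ASSETS):
    """Return the list of failed checks; an empty list means compliant."""
    failures = []
    if posture.hostname not in assets:
        failures.append("unregistered asset")
    if posture.patch_level < policy["min_patch_level"]:
        failures.append(f"patch level {posture.patch_level} below {policy['min_patch_level']}")
    if (today - posture.signature_date).days > policy["max_signature_age_days"]:
        failures.append("virus signatures out of date")
    if (today - posture.last_full_scan).days > policy["max_full_scan_age_days"]:
        failures.append("full system scan overdue")
    missing = policy["required_services"] - posture.running_services
    if missing:
        failures.append("required service not running: " + ", ".join(sorted(missing)))
    return failures


def remediate(posture, today, policy=POLICY):
    """Model of the remediation zone's automated actions: apply patches,
    push current signatures, run the scan and start required services."""
    return replace(
        posture,
        patch_level=max(posture.patch_level, policy["min_patch_level"]),
        signature_date=today,
        last_full_scan=today,
        running_services=posture.running_services | frozenset(policy["required_services"]),
    )


def connect(posture, today, mode="remediation"):
    """Decide network access for an authenticated device. mode selects the
    enforcement model: "deny", "partial" or "remediation".
    Returns (decision, remaining failures)."""
    failures = evaluate(posture, today)
    if not failures:
        return "GRANT", []
    if "unregistered asset" in failures or mode == "deny":
        return "DENY", failures          # registration cannot be fixed by remediation
    if mode == "partial":
        return "PARTIAL", failures       # valid IP address, limited resources only
    remaining = evaluate(remediate(posture, today), today)
    if remaining:
        return "DENY", remaining         # remediation not possible: stop
    return "GRANT", []


TODAY = date(2007, 2, 1)    # constructed reference date
SAMPLE_DEVICES = {
    "compliant_desktop": Posture("desktop-0007", 12, TODAY - timedelta(days=1),
                                 TODAY - timedelta(days=2), frozenset({"antivirus"})),
    # a laptop that has been off the network for a month
    "stale_laptop": Posture("laptop-0042", 11, TODAY - timedelta(days=30),
                            TODAY - timedelta(days=30)),
    "unregistered_device": Posture("laptop-9999", 12, TODAY, TODAY, frozenset({"antivirus"})),
}


def demo():
    """Decision for every sample device under each enforcement model."""
    return {name: {mode: connect(p, TODAY, mode)[0] for mode in ("deny", "partial", "remediation")}
            for name, p in SAMPLE_DEVICES.items()}


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(name, decisions)
```

Running it shows the stale laptop denied under "deny", given limited access under "partial", and granted after automated remediation under "remediation", while the unregistered device is denied in every mode because registration is a precondition rather than something the remediation zone can fix.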
Figure 1. Device authentication and compliance enforcement process. The diagram shows a client (supplicant) connecting through a network switch or a wireless access point to an authentication server and a compliance server, with a remediation zone (remediation services) and the production network. Step 1: Authentication (Identity, Layer 2). Step 2: Compliance with Policies (Layer 2). Step 3: Open Port, Assign IP Address, Grant Network Access (Layer 3). Where remediation is not possible, the device is stopped.