23,513 research outputs found

    Network Access Control: Disruptive Technology?

    Network Access Control (NAC) implements policy-based access control to the trusted network. It regulates entry to the network by the use of health verifiers and policy control points to mitigate the introduction of malicious software. However, the current versions of NAC may not be the universal remedy to endpoint security that many vendors tout. Many organizations that are evaluating the technology, but that have not yet deployed a solution, believe that NAC presents an opportunity for severe disruption of their networks. A cursory examination of the technologies used and how they are deployed in the network appears to support this argument. The addition of NAC components can make the network architecture even more complex and subject to failure. However, one recent survey of organizations that have deployed a NAC solution indicates that the 'common wisdom' about NAC may not be correct.

    Analisis dan Simulasi Keamanan Jaringan Pada Sistem Network Access Control (NAC) [Analysis and Simulation of Network Security in a Network Access Control (NAC) System]

    ABSTRACT: Network security is a significant concern nowadays, especially the security of the internal side of a computer network. Internal network security needs special attention, because most of the threats that attack a network come from its own internal users. Hence, the access of every internal user connected to the network needs to be controlled. This final assignment implements a Network Access Control (NAC) system, which is used as a way to control internal users' access to the network. With the NAC system, every internal user must first authenticate and have the "health" status of their endpoint checked before connecting to the network. As a result, only internal users who are authenticated and have a compliant system can access the network, according to their authorized access. Because the NAC products on the market are expensive and are still used mostly by enterprise-scale networks, this final assignment is built using several open source technologies. The use of open source technologies is intended to let small-sized networks also adopt a NAC system without incurring large additional investment costs. From this final assignment, we conclude that a NAC system is a security technology well suited to controlling internal network access, which means that a NAC system has an important role in internal network security. Keywords: internal network security, internal access control, Network Access Control, small-sized network

    Behavior-Based Outlier Detection for Network Access Control Systems

    Network Access Control (NAC) systems manage the access of new devices into enterprise networks to prevent unauthorised devices from attacking network services. The main difficulty with this approach is that NAC cannot detect abnormal behaviour of devices connected to an enterprise network. These abnormal devices can be detected using outlier detection techniques. Existing outlier detection techniques focus on specific application domains such as fraud, event or system health monitoring. In this paper, we review attacks on Bring Your Own Device (BYOD) enterprise networks as well as existing clustering-based outlier detection algorithms along with their limitations. Importantly, existing techniques can detect outliers, but cannot detect where or which device is causing the abnormal behaviour. We develop a novel behaviour-based outlier detection technique which detects abnormal behaviour according to a device type profile. Based on data analysis with K-means clustering, we build device type profiles using Clustering-based Multivariate Gaussian Outlier Score (CMGOS) and filter out abnormal devices from the device type profile. The experimental results show the applicability of our approach as we can obtain a device type profile for five Dell netbooks, three iPads, two iPhone 3G, two iPhones 4G and Nokia phones and detect outlying devices within the device type profile.

    SISTEM IDENTIFIKASI PERSONAL KOMPUTER BERBASIS NETWORK ADMISSION CONTROL (NAC) MENGGUNAKAN JAVA [Personal Computer Identification System Based on Network Admission Control (NAC) Using Java]

    This paper discusses the problem that internet access today is very high, which has resulted in an increasing demand for access to a secure network. This situation requires the network admin to be more selective in allowing users to access the network. One method to overcome these problems is Network Admission Control (NAC). The application aims to make security systems more reliable and easier, because the system can detect the identity of a personal computer that supports dynamic VLAN. Generally, the application can change the VLAN on a Cisco switch from a Java application using Perl libraries, and lets interested users access the network and obtain access rights according to the existing rules on the network, so as to reduce the risk of illegal users, who can be dangerous and at the expense of others. Keyword: dynamic vlan, Network Admission Control, cisco, librar

    Remodelación de la red LAN de IEAISA a través de la solución NAC [Remodelling of the IEAISA LAN Through the NAC Solution]

    Information systems, security and networks are the main asset of organizations today. This is reflected in the resources they are investing in order to prevent further attacks and vulnerabilities. This project shows how the IEAISA company has to restructure its local area network (LAN) in order to improve security and increase efficiency in its daily operation. To carry out the remodeling, a Network Access Control (NAC) solution has been proposed that makes it possible to control the access of all devices in the company. This technology makes it possible to analyze and separate the organization's devices through the use of internal policies and procedures that restrict access according to specific control policies. Furthermore, it is able to restrict access to the company's resources for those users who do not have permission, regardless of where they try to access from (i.e., inside the company or remotely). Additionally, this solution requires that many devices be reconfigured, adapting them to the new operation and behavior of the network. An investigation has been carried out on the operation of the NAC solution and associated technologies, followed by the choice of the NAC that best fits the characteristics of the company. The entire process has been documented, including the whole change process followed by the IEAISA network, concluding with the configuration of all the devices and the chosen NAC solution in order to achieve the established objectives.

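    Pembuatan Aplikasi Sistem Keamanan yang Berbasis Network Admission Control (NAC) Menggunakan Java dengan Komunikasi Terenkripsi [Building a Security System Application Based on Network Admission Control (NAC) Using Java with Encrypted Communication]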

    ABSTRACT: This paper discusses the problem that internet access today is very high, which has resulted in an increasing demand for access to a secure network. This situation requires the network admin to be more selective in allowing users to access the network. One method to overcome these problems is Network Admission Control (NAC) together with the ElGamal encryption method. The application aims to make security systems more reliable and easier, because the system can detect the identity of a personal computer that supports dynamic VLAN. Generally, the application can change the VLAN on a Cisco switch from a Java application using Perl libraries, and lets interested users access the network and obtain access rights according to the existing rules on the network, so as to reduce the risk of illegal users, who can be dangerous and at the expense of others. Keyword: Elgamal, dynamic vlan, Network Admission Control, cisco, librar

    IMPLEMENTASI NETWORK ACCESS CONTROL PADA JARINGAN EEPIS [Implementation of Network Access Control on the EEPIS Network]

    Recently, theft of personal identity over the internet has become increasingly widespread. Various methods can be used, for example phishing, email scan, or tools capable of tracking a user's habits when accessing websites on the internet. This leakage of information occurs not only at the personal level but can also occur at the corporate level, and it is quite possible that the leak comes from insiders. For this reason network protection is needed, one form of which is the NAC (Network Access Control) method. Using the NAC method, a network administrator can control the network and secure it against the actions of irresponsible users by isolating those users' computers from the network connection. In this final project, one additional component is used, namely SNORT NIDS. NAC can be developed further by adding other supporting components. These components include hping, nmap, nessus, ethereal and many more. With this NAC, it is hoped that security within the network will be increasingly assured.

    Control de acceso vía SDN para redes IoT [Access Control via SDN for IoT Networks]

    The aim of the project is to create a simple NAC (Network Access Control) system suited to IoT environments. To achieve it, we take advantage of the ability to program the behavior of network devices provided by SDN (Software Defined Networks). We want to create a tool that is intuitive for the end user, avoiding the complexity that credential management and a public key infrastructure bring to the table.

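    Análisis de las Soluciones de Control de Acceso a la Red (NAC) para mejorar la seguridad externa e interna de redes corporativas. [Analysis of Network Access Control (NAC) Solutions to Improve the External and Internal Security of Corporate Networks.]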

    A study of network access control (NAC) solutions was carried out to determine the best alternative for the external and internal security of corporate networks. The research analyzed the different NAC solution alternatives offered on the market, since efforts are mostly focused on updating antivirus software on the equipment. The open source PacketFence tool is a NAC alternative for corporate networks that makes it possible to face new threats, which is why having the most recent update is essential. To set up the simulation of the corporate network, a network node was taken as a reference and the GNS3 software was used together with the PacketFence NAC tool, which met the proposed security standards of authentication, integrity and availability through the creation of a captive portal that performed authentication of users and network devices with 98% effectiveness, with 99% for data integrity and 99% effectiveness for service availability. The NAC solution must run all the components and dependencies needed for it to function properly; it should also be remembered that PacketFence integrates with wireless networks through the FreeRADIUS module, which makes it possible to secure wireless networks.