Bypassing NAC v2.0 - OSSIR

More documents

Recommendations

Info

Architecture• Components– Cisco Trust Agent (CTA)– Cisco network access device (NAD) with NAC enabled on one ormore interfaces for network access enforcement– Cisco Secure Access Control Server (ACS) for endpointcompliance validation• Enforcement strategies– NAC L3 IP• Deployed using Routers• Triggered by an IP packet– NAC L2 IP• Deployed using switches/routers• Apply per interface• Triggered by either a DHCP packet or an ARP request– NAC L2 802.1x• Triggered by any data-link packet
Cisco NAC FrameworkInformation ExchangeSource: Cisco
Page 4 and 5:
Introduction
Page 6 and 7:
IntroductionThe Problem• An enter
Page 8 and 9:
Introduction“My” NAC is not “
Page 10 and 11:
Capabilities
Page 12 and 13:
CapabilitiesNAC Functions• The fo
Page 14 and 15:
CapabilitiesNAC Functions- Remediat
Page 16 and 17:
Attack Vectors
Page 18 and 19: Bypassing NACBackground
Page 20 and 21: Element DetectionQuestions to Ask
Page 22 and 23: BasicsQuarantine• There are a var
Page 24 and 25: QuarantineQuestions to Ask• How d
Page 26 and 27: Enforcement• How is enforcement p
Page 28 and 29: End-point Compliance Assessment•
Page 30 and 31: End Point Compliance AssessmentAgen
Page 32 and 33: Bypassing NACExamples
Page 34 and 35: Bypassing NACExamples• The exampl
Page 36 and 37: DHCP ProxyArchitecture
Page 38 and 39: DHCP ProxyInformation Exchange
Page 40 and 41: DHCP ProxyWeaknesses• Detected el
Page 42 and 43: DHCP ProxyWeaknesses• Not able to
Page 44 and 45: Authenticated DHCPorDHCP In-a-Box
Page 46 and 47: DHCP In-A-BoxArchitecture
Page 48 and 49: DHCP In-A-BoxStrengths• Theoretic
Page 50 and 51: DHCP In-A-BoxRogue DHCP Server
Page 52 and 53: Broadcast Listeners
Page 54 and 55: Broadcast ListenersArchitecture: Ma
Page 56 and 57: Broadcast ListenersWeaknesses• So
Page 58 and 59: Broadcast ListenersWeaknesses• Un
Page 60 and 61: Switch IntegrationSNMP Traps
Page 62 and 63: SNMP TrapsWeaknesses• Must rely o
Page 64 and 65: 802.1x
Page 66 and 67: 802.1x• Exceptions- Hosts that do
Page 70 and 71: Cisco NAC FrameworkInformation Exch
Page 72 and 73: Cisco NAC FrameworkWeaknesses• Wo
Page 74 and 75: Cisco NAC Framework• Static Excep
Page 76 and 77: Cisco NAC FrameworkWeaknesses• No
Page 78 and 79: In-Line Devices
Page 80 and 81: In-Line DevicesWeaknesses• No kno
Page 82 and 83: In-Line DevicesWeaknesses• Not ab
Page 84 and 85: Out-of-Band DevicesArchitecture
Page 86 and 87: Out-of-Band DevicesWeaknesses• In
Page 88 and 89: The End-Result• A (very) confused
Page 90 and 91: Resources• Microsoft NAPhttp://ww
show all

Bypassing NAC v2.0 - OSSIR

Create successful ePaper yourself

Delete template?

Save as template?