NAC Stack Talk
Meetup Sponsors
About BOSNOG
http://bosnog.herokuapp.com @BostonNOG
Do a talk? help organize? sponsor? Let me know!
jamesraul@gmail.com Slack/Twitter: @jamesraul
Started Sept 2017 – 9th Event – 400+ Members (up ~30% since last meetup)
We are a vendor neutral organization that is driving to build a vibrant community
of networking experts in the Boston area. BOSNOG is a place to share
knowledge, meet other IT professionals and learn more about our industry.
Intro / Agenda
● Shoutouts: Chris Farden @ Omada for the refreshments, Brian Lubelczyk @ Athena for the venue. Speakers: Josh Trivilino, Andy Richter, Kyeyeon Kim
● (3) 15m Lightning Style Talks ~ 45m
● NAC Panel Style / QA ~30m
○ Go on BOSNOG slack and DM @jamesraul your questions for the panel discussion later!
Josh Trivilino
• Partner and engineer with Omada Technologies
• 10 years in Network and Security fields
• Consulting / Implementation engineer for network, security, storage, and
cloud strategies
• Many network security projects across most, if not all, verticals, including
finance, higher education, K-12, legal, medical, technology, and hospitality
• Mainly Aruba Networks ClearPass product integrated with Aruba or Cisco
network devices.
• Also worked on Bradford Networks (now Fortinet), Pulse Secure (formerly
Juniper and Funk Software), and Microsoft NPS
NAC – WHAT IS IT?
• Network Access Control: Policing which devices and/or users can connect to
the network based on some knowledge of who and/or what the device/user
is and how it may be behaving.
• At a very basic level, this could be employing MAC authentication. In more
advanced scenarios, it could include 802.1X authentication with advanced
endpoint analytics data factored into the network access decision.
• Gets a bad image, though, because some think of it as posture assessment of
an endpoint, which went really poorly in the early days of NAC.
IMPLEMENTATION RECOMMENDATIONS
• Get senior management/executive sponsorship
• Find out what is on your network – not just devices, but also network
equipment
• Develop a thorough policy – what access do you want to give each
device/user, and what factors do you want to include into your policy
decisions?
• Plan extensively – every detail matters
• Test… test again… and then test again
• Start with a rollout in a small area with known users (usually in the IT space
is a good start), and then roll out in phases from there
• Get outside help (for deployment, or just for perspective)
SHORT LIST OF BEST PRACTICES
• Design for failures (high availability), staying as close to best practices
as you can, but still within your budget
• Use strong authentication (EAP-TLS)
• Ensure every device gets its own access (no piggybacking)
• Create granular access controls… but not too granular
REAL-WORLD EXAMPLES
• Large hospital
– No executive sponsor
– Not well planned
– Unknown network infrastructure
– Poor results
• Medium hospital
– Executive sponsor
– Well planned/tested
– Unknown systems infrastructure
– Very good results
© 2018 Presidio, Inc. All rights reserved. Proprietary and Confidential. Use of any part of this document without the express written consent of Presidio, Inc. is prohibited.
Cisco ISE
Andy Richter
Senior Solutions Architect
Distinguished Engineer
Andy Richter
• IT guy for 20 years
• Consulting Engineer 10 Years
– Focused on security most of that time
• Distinguished Engineer Class 2018
• Top Verticals:
– Healthcare
– Financial Services
• ISE publication: Practical Deployments of ISE
How did I start doing NAC for real?
• I said the following thing to my boss in 2011:
“I will never do another ******* NAC project again.”
Lessons Learned
• Blunt tools
• Poor focus on user experience
• Focus on policy that does not reflect the current threat environment
Approach Focused
• User experience focused
• Avoid using posture assessment
• Crawl
– Monitor Mode
• Walk
– Basic Enforcement
• Run
– Segmentation
• Strong focus on available tools
– Maintaining focus on use case
• Clear focus on strengths of the customer
• Take advantage of contextual data!
– Sharing information across platforms regardless of manufacturer
Security Approach
• Business Goals
– Security to enable and support the business
• Program
– Roles and responsibilities
– Frameworks
• Policy & Architecture
– Threat models
– Capabilities
• Controls
– Preventive
– Detective
– Analytic
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
- Bruce Schneier
Make Fully Informed Decisions with Rich Contextual Awareness

Context | Poor Context Awareness                              | Extensive Context Awareness
Who     | IP address 192.168.1.51                             | Bob
What    | Unknown                                             | Tablet, iOS, v. 9.1x
Where   | Unknown                                             | Building 200, first floor
When    | Unknown                                             | 11:00 a.m. EST on April 10
How     | Unknown                                             | Wireless
Result  | Any user, any device, anywhere gets on the network  | The right user, on the right device, from the right place is granted the right access
For security, which is more useful information?
“The compromised device is 192.168.100.123”
- OR -
“The compromised device is James Raulinaitis' iPad in HQ”
Cisco ISE collects contextual “big data” from multiple sources across the network. Via Cisco pxGrid technology, this contextual data is shared with partners.
With ISE contextual data, partner solutions can more accurately and more quickly identify, mitigate, and remediate security threats across the network.
Cisco Platform Exchange Grid (pxGrid) - API
Accelerating Partner Technology Efficiencies via Context Sharing
THANK YOU
Together. More Secure
Next Generation NAC
Genian NAC
Kyeyeon Kim
• CTO of GENIANS, INC.
• President of GENIANS USA, INC.
• Serial Terminal Emulator (1993)
• Internet Dialup Service (1994)
• Launching Yahoo! Korea (1996)
• Developing Firewall (1997)
• Developing VPN (2000)
• Developing NAC (2005)
• 25 years Software Engineer
• C/C++, PHP, MySQL, Docker, Ansible
Linux Kernel Driver, Embedded Linux
What is Network Access Control
• Secure access to network nodes by devices when they initially attempt to access the network
• Managing connected devices on the corporate network
• Pre-admission
– Identification (MAC, Platform, Position)
– Authentication (Device / User)
– Health
  – Anti-virus protection level
  – System update level and configuration
• Post-admission
– Authorization (VLAN / Destination Network / Service)
– Continuous assessment
Traditional NAC - Deployment types
• Endpoint-based NAC
– NAC from software vendors (Microsoft, Symantec, McAfee)
– Microsoft NAP (Network Access Protection) - not available starting with Windows 10
– Endpoint Protection Platform - Symantec NAC (EOL in 2014)
– Only provides NAC to managed platforms
• 802.1X-based NAC
– NAC from network infrastructure vendors (Cisco, HP, Juniper, Extreme)
– Needs 802.1X-capable switches and access points
– A single platform must be built to use the extended functionality
– Port-based access control, not device-based access control
– Access control must be enabled from the beginning of the deployment
– Easy to deploy on wireless networks, but difficult on wired networks
– Complicated onboarding process for non-802.1X-capable devices
Traditional NAC - Deployment types
• Switch-integration-based NAC
– Pure NAC vendors (Forescout, Bradford Networks)
– Data collection by SNMP read and SNMP trap
– Can’t manage networks built on unmanaged (“dummy”) switches
– Enforcement by switch configuration change (VLAN, ACL)
– Needs changes to the network infrastructure (VLAN, ACL, config)
• Enforcement by Port Mirroring (SPAN)
– Needs a big box to handle the traffic (40G, 100G)
– North-South traffic only (can’t control East-West traffic)
– Problems when the remote network is disconnected
– Limited visibility because it is sensor-less and agent-less
Next Generation NAC Requirement
• More flexible deployment options
• More device visibility for the BYOD and IoT era
• More granular policy enforcement
• Easy to integrate with other systems
• Easy to deploy for SMBs
Next-gen NAC - L2 Network Sensor
• Independent network sensor
– Connects to an access port or a trunk port (802.1Q)
– No 802.1X or managed switch required; works with unmanaged (“dummy”) switches
• Provides accurate activity monitoring using ARP
– No 802.1X or switch polling required
• Enhanced platform detection using layer 2 protocols
– DHCP, UPnP, NetBIOS, mDNS, LLMNR, CDP, LLDP…
• Enhanced IPAM features
– IP reservation, IP conflict prevention, IP change block, MAC/IP cloning detection
• Enforcement by ARP poisoning
– Out-of-band, infrastructure-independent access control
• Enhanced features using the layer 2 network sensor
– Local DHCP server and unauthorized/misconfigured DHCP server detection
– IPv6 detection using Neighbor Discovery Protocol
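The ARP-based activity monitoring, IP conflict / IP cloning detection and unauthorized DHCP server detection listed above, as an added example of the detection logic a passive L2 sensor can run over what it sees on an access segment. This is example code written for this page, not Genian NAC code; the Observation record format and the sample observations are constructed.

```python
"""Passive L2 sensor detection logic for two of the features on this slide:
IP conflict / IP cloning detection from ARP traffic and unauthorized DHCP
server detection from DHCP offers. Example code written for this page, not
Genian NAC code; the Observation format and the sample records are constructed."""
from dataclasses import dataclass, field


@dataclass
class Observation:
    kind: str   # "arp" (ARP reply/announcement seen on the segment) or "dhcp_offer"
    mac: str    # sender hardware address
    ip: str     # IP the host claims (ARP) or the offering server's IP (DHCP)
    ts: int     # seconds since sensor start (constructed value)


@dataclass
class Sensor:
    authorized_dhcp: set                            # MACs of the sanctioned DHCP servers
    ip_owner: dict = field(default_factory=dict)    # ip -> MAC that first claimed it
    alerts: list = field(default_factory=list)

    def observe(self, obs: Observation) -> list:
        if obs.kind == "arp":
            self._check_arp(obs)
        elif obs.kind == "dhcp_offer":
            self._check_dhcp(obs)
        return self.alerts

    def _check_arp(self, obs: Observation) -> None:
        # First claimant becomes the owner; a later claim from a different
        # hardware address is either an address conflict or a host cloning
        # another node's IP. Repeated ARPs from the owner are normal traffic.
        owner = self.ip_owner.setdefault(obs.ip, obs.mac)
        if owner != obs.mac:
            self.alerts.append(("ip-conflict", obs.ip, owner, obs.mac, obs.ts))

    def _check_dhcp(self, obs: Observation) -> None:
        # A DHCPOFFER from a server MAC not on the allow-list indicates a rogue
        # or misconfigured DHCP server (e.g. a consumer router plugged into the LAN).
        if obs.mac not in self.authorized_dhcp:
            self.alerts.append(("rogue-dhcp", obs.ip, obs.mac, obs.ts))


def run(observations, authorized_dhcp) -> list:
    """Feed a sequence of observations to a fresh Sensor and return its alerts."""
    sensor = Sensor(set(authorized_dhcp))
    for obs in observations:
        sensor.observe(obs)
    return sensor.alerts


# Constructed sample of what a sensor on an access segment might see.
AUTHORIZED_DHCP = {"00:11:22:33:44:fe"}
SAMPLE = [
    Observation("arp", "00:11:22:33:44:01", "10.0.0.10", 1),
    Observation("arp", "00:11:22:33:44:02", "10.0.0.11", 2),
    Observation("dhcp_offer", "00:11:22:33:44:fe", "10.0.0.1", 3),    # sanctioned server
    Observation("arp", "00:11:22:33:44:99", "10.0.0.10", 4),          # second MAC claims .10
    Observation("dhcp_offer", "aa:bb:cc:dd:ee:ff", "10.0.0.254", 5),  # unknown server
    Observation("arp", "00:11:22:33:44:01", "10.0.0.10", 6),          # owner again: no alert
]

if __name__ == "__main__":
    for alert in run(SAMPLE, AUTHORIZED_DHCP):
        print(alert)
```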
Next-gen NAC - Device Platform Intelligence
• Provides accurate device platform information
– No 802.1X or managed switch required; works with unmanaged (“dummy”) switches
• Provides device lifecycle information
– End-of-Life (EOL), End-of-Support (EOS), manufacturer out of business, acquisition
• Provides device context information
– Device picture, connection type, manufacturer, origin country
• Provides platform vulnerability information
– Number of CVEs: 114,907 (total), 1,188 (Sep 2018), 1,465 (Oct 2018)
– Filters to only the CVEs affecting company-owned devices
Next-gen NAC - Flexible Deployment Options
• On-Premises
– Traditional appliance, generic server, virtual machine, HCI
• Cloud-managed
– Policy Server in the cloud; monthly/yearly subscription
• Service Provider
– Dockerized Policy Server for multi-tenancy
– Deploys on any public cloud or private cloud
– Dockerized Network Sensor for a unified platform
– NFV, uCPE, SD-WAN integration, generic Linux machine
• Cloud Service Manager
– Trial, subscription, checkout, cancellation, notification, custom policy
• Manager of Managers
– CloudWatch, Insights, Datadog, ELK
Next-gen NAC - Wireless LAN Security
• WLAN Monitoring
– SSID Detection
  – Security, channel, hidden, SoftAP
– Rogue AP Detection
  – Unauthorized access points
  – Accurately detect internal APs
  – SoftAP, hotspot detection
– Connection Monitoring
  – Who is using which SSID
  – Detect connections to neighbor SSIDs
• WLAN Manager Software
– SSID whitelisting
– Block SoftAP / tethering
– One-click connection
• Wireless Sensor + Agent
– Dedicated wireless sensor
– Agent plugin
www.genians.com
Download the Free Edition or a 30-day trial of the Cloud Edition
