openNAC: network access control and management solution
Xavier González, Oct 2013
11/12/13 @opennac

Summary
- Current situation
- What is openNAC?
- What can openNAC do?
- openNAC architecture
- openNAC components
- openNAC services
- Contact us

openNAC solution
- 2+ years of active development
- Open source Network Access Control solution
- Enterprise support services available
- CentOS based

Current situation
- Corporate network access management is poorly controlled
- Mobile workers: users become more mobile
- More types of different devices, such as smartphones, tablets, ...
- These scenarios generate security and availability problems due to uncontrolled LAN access
- The security of the workstations is constantly threatened by new vulnerabilities
- Security, network management and monitoring tools are expensive and poorly integrated

What is openNAC?
- Network Access Control for corporate LAN / WAN environments
- Enables policy-based authentication, authorization and audit of all network access
- Multivendor solution
- Based on open source components and in-house development
- Based on industry standards such as FreeRADIUS, 802.1X, LDAP, ...
- Extensible: new features can be incorporated
- Easily integrated with existing systems
- Provides value-added services such as configuration management, network configuration backup, network discovery and network monitoring

What can openNAC do?
- Corporate network access based on a set of rules (access policy)
- Notifications or quarantine for users regardless of the client device (via browser)
- Access accounting and audit
- Real-time monitoring of users, allowing a user's IP, MAC, switch, port and physical location to be found instantly
- Value-added services such as monitoring, discovery and configuration of the network infrastructure

Features
- Authentication of 802.1X-enabled devices
- Authentication backend based on LDAP or AD
- Support to detect rogue devices using 802.1X or SNMP traps
- Bulk configuration of network devices using the onNetConf module
- Bulk backup of network device configurations using the onNetBackup module
- Detection of the OS, antivirus, firewall and OS updates of connected devices to enforce an access policy

openNAC architecture
[Diagram: Access Requestor (AR), Policy Enforcement Point (PEP), Policy Decision Point (PDP), Metadata Access Point (MAP), External Sensors, openNAC]

Access Requestor (AR)
- Set of client devices such as PCs, smartphones, tablets, printers and others
- Different types of OS such as Windows, Linux, MacOS, iOS, Android, etc.
- Wired LAN, WiFi, VPN

Policy Enforcement Point (PEP)
- Network access for all devices that connect to the network (edge network)
- Composed of wired LAN and Wi-Fi equipment (access points)
- Multivendor

Policy Decision Point (PDP)
- Service that allows the system to take policy decisions that apply to each type of access, based on identity, device, location, time, ...

Metadata Access Point (MAP)
- Service that stores all data relating to incoming events
- All information is related to each other in order to maximize its utility
- Real-time access to the information
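As an added illustration of the PDP role (example code, not openNAC's own), the following Python model evaluates an ordered access policy against the identity, device posture, location and time of a request and returns the decision (allow, quarantine with a user notification, or deny) that the PEP would enforce; the rule format, CMDB entries and VLAN numbers are constructed for the example.

```python
"""Toy model of the Policy Decision Point (PDP) role described above.
Added illustration, not openNAC's own code: the rule format, attribute
names, CMDB entries and VLAN numbers are constructed for the example.
The PEP (switch or access point) enforces the VLAN the PDP returns."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class AccessRequest:
    mac: str
    user: Optional[str] = None   # None when 802.1X authentication did not happen
    groups: set = field(default_factory=set)     # group membership from LDAP/AD
    posture: dict = field(default_factory=dict)  # antivirus / firewall / os_updates flags
    switch: str = ""             # switch the request came in on (location)
    hour: int = 12               # local hour of the request (time)

# Constructed inventory: MAC -> device type, as the CMDB would hold it.
CMDB = {"00:11:22:33:44:55": "pc", "aa:bb:cc:dd:ee:ff": "printer"}

def posture_ok(r):
    return all(r.posture.get(k) for k in ("antivirus", "firewall", "os_updates"))

# Constructed access policy, evaluated top to bottom; the first match wins.
# Each rule: (name, predicate, decision, VLAN, notification shown to the user)
POLICY = [
    ("rogue-device", lambda r: r.mac not in CMDB, "quarantine", 999,
     "Unregistered device: register it with the helpdesk"),
    ("printer", lambda r: CMDB.get(r.mac) == "printer", "allow", 30, ""),
    ("no-auth", lambda r: r.user is None, "quarantine", 999,
     "Authentication required via the captive portal"),
    ("bad-posture", lambda r: not posture_ok(r), "quarantine", 998,
     "Endpoint fails the security policy: update it before access is granted"),
    ("finance-after-hours", lambda r: "finance" in r.groups and not 8 <= r.hour < 20,
     "deny", None, "Finance resources are only reachable during office hours"),
    ("finance-at-hq", lambda r: "finance" in r.groups and r.switch.startswith("hq-"),
     "allow", 20, ""),
    ("staff", lambda r: "staff" in r.groups, "allow", 10, ""),
]

def decide(req):
    """Return the first matching rule's decision for an access request."""
    for name, matches, decision, vlan, note in POLICY:
        if matches(req):
            return {"rule": name, "decision": decision, "vlan": vlan, "notify": note}
    return {"rule": "default", "decision": "deny", "vlan": None,
            "notify": "No access rule matches this request"}
```

Calling decide() with an AccessRequest for a known, authenticated finance user on an "hq-" switch during office hours returns the finance-at-hq rule with VLAN 20; the same user at 22:00 is denied, and a device whose posture flags are missing lands in the quarantine VLAN with the notification text the captive portal would display.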
External Sensors
- Services such as IDS sensors or firewalls that can both provide new information to the platform and consult openNAC information to make better decisions

openNAC components

Modular architecture
- All information is stored in a CMDB
- Queue-based, allowing for greater scalability and traceability
- Very flexible identity backend: LDAP, databases, etc.
- Based on REST APIs
- Web frontend based on DOJO
- Scriptable command line

openNAC component

openNAC description
- It is the main module, with the Authentication, Authorization and Audit services of the product
- Enables 802.1X authentication or a captive web portal for all devices
- All security policy is defined and applied in this module
- Rogue device detection

openNAC screenshots
- Overall dashboard
- State of users logged into the platform
- Policy: comprehensive security policy to apply to all users
- Policy
- CMDB

onNETDISCO component
- Allows discovery of network devices
- Stores discovered devices in the CMDB
- Keeps the inventory updated
- Discovers the network topology, detecting devices without redundant links
- Allows periodic discovery tasks
- Queue-based
- Allows you to export the results to CSV

onNETCONF component
- Network Equipment Configurator: allows you to define configuration templates and apply them to sets of network equipment
- Web frontend or web service
- Based on a service queue to ensure traceability and integrity of any action
- Very useful for applying settings to a large amount of network equipment
- Very useful to install and configure the NAC service

onNETCONF screenshots
- Template: create a configuration template to send to a group of network devices (commands to send, snippets)
- Devices: equipment selection (network device list)
- Results: viewing the results of configuration tasks

onNETBACKUP component
- Makes backups and automatic archiving of network device configurations
- Allows scheduling copies for device groups
- Allows defining a retention policy
- Based on a service queue to ensure traceability and integrity of any action

onNETBACKUP screenshots
- Selection of devices to perform backups
- Display of planned backups

onMON component
- Monitoring is provisioned automatically from the CMDB
- Monitoring profiles available based on device type
- Real-time network device status
- Generates alerts if any part of the network is not working properly

onNETMON screenshot
- Viewing the status of a network computer

onCMDB component
- The CMDB module is the repository of all inventory information
- Allows you to easily share information with other platforms
- It stores all the basic elements used by the platform, such as network devices, security rules, networks, groups, VLANs, ...

onMETAREPO component
- METADATA Access Point server module
- It uses the IF-MAP protocol

openNAC services
- Security consulting: set the architecture and methodology appropriate for a client to improve the security of access and authorization in its network
- Roll out: openNAC setups in companies and organizations
- Support: 24x7 support for openNAC installations
- Development and customization: creating specific modules and functionality for customers; support for new infrastructure
- Integration: integrating the solution with third-party tools

Contact
- http://www.opennac.org
- info@opennac.org
- Twitter: @opennac
