White Paper
Intel Information Technology
Computer Manufacturing
Client Security

Enforcing Network Security on Connection

In response to the rise in network security threats, Intel IT is taking advantage of new industry standards to enhance its network security. Through 802.1x authentication, security policy compliance enforcement, and remediation, each device and user is identified, verified, and validated for compliance with security policies before being connected to our network.

Sagi Bar-Or, Intel Corporation
February 2007
IT@Intel

Executive Summary

As networking evolves to support both wired and wireless access, securing corporate networks from attack becomes ever more essential. Intel IT is using a new security method to authenticate devices, validate them against security compliance policies, and remediate specific problems before they connect to Intel’s networks. Our strategy includes:

• Ensuring that network hardware, firmware, and software meet the IEEE 802.1x standard.
• Authenticating all devices attempting to connect to our network.
• Checking for compliance with Intel’s information security policies.
• Cleaning infected systems and bringing their configuration into compliance with security policies before they connect to our network.
• Providing wired and wireless clients an assured connection to a known network.
• Protecting mobile devices against unintentionally connecting to a hostile network.

A pilot program, which we began in September 2003, validated our approach by protecting wired and wireless client systems in office and factory environments. This is a promising new network security method. For example, it could enable our IT managers to:

• Ensure that all systems connecting to Intel’s networks meet specific security requirements.
• Enforce system states to meet security policies, for example, weekly virus scanning.
• Scan systems for recent worms and viruses and block connectivity until cleaned.
• Protect mobile laptop PCs that have been disconnected from the network from getting or proliferating recently emerged viruses.

Intel IT has demonstrated how to use the capabilities of emerging open network security standards to combine device authentication with security policy compliance enforcement, enabling proactive remediation before a device is allowed on the network. Today, we have completed many major milestones for on-connect authentication, including configuration and deployment of the infrastructure and clients for LAN and wireless LAN (WLAN). We are now working on the next stage: adding compliance enforcement and protecting the remote-access virtual private network (VPN).

Contents

Executive Summary
Background
Network Security Risks
A New Security Paradigm
The Technologies Behind Our Solution
  Authentication Protocols
    Password-based Protocol
    Certificate-based Protocol
    Tunneling Protocol
  Security Compliance Enforcement
  Asset Registration Validation
Intel’s Security Enhancement Program
  Forming a Program Team
  Gathering Requirements
  Identifying Project Scope
  Piloting the Solution
Challenges
Conclusion
Authors
Acronyms

Background

In today’s networking world, companies are increasingly at risk for network attacks, from hostile intruders, viruses, and worms to server impersonations. To reduce the potential impact of such attacks at Intel, we needed to enhance security protection in our environment.

Facing this business need, Intel IT saw a solution opportunity in three new standards of the Institute of Electrical and Electronic Engineers (IEEE), all of which offer advanced authentication capabilities: 802.1x for port-based security, next-generation 802.11i for networking, and Wi-Fi* protected access (WPA). Our solution needed to address all aspects of Intel’s complex environment.

Intel’s networking environment includes a multitude of client platforms: desktop PCs, laptops, personal digital assistants (PDAs), and other small form-factor devices, such as smartphones. These devices use various operating systems, including Microsoft Windows*, PocketPC*, Linux*, and UNIX*. Our environment also presents a variety of use cases, including office clients, servers, and station controllers. Intel has hundreds of sites worldwide and approximately 100,000 employees (including contractors), each of whom has at least one PC. We’ve moved to a mobile environment in which more than 70 percent of our knowledge workers use mobile computers and more than 40 percent are wireless-enabled. Intel has 30,000 wireless users, 4,000+ wireless access points, and over 50,000 wired switch ports.

To address security in this complex environment, Intel IT conducted a pilot project to investigate using state-of-the-art technologies to protect network ports. We wanted to find out whether we could provide the required levels of security by combining authentication, to prevent unauthorized network access, with verification that each device connecting to the network is compliant with current security policies.

Network Security Risks

Today our networks face many security risks, whether wired or wireless. One of the most common is unauthorized network access. In addition, we must also protect against the threat of damage done by legitimate devices or people through the spread of worms and viruses.

But how do you deny network access to devices that are contaminated, suspicious, or not compliant with current information security policies? Detecting that a device is non-compliant after it is already on the network and then disconnecting it is not sufficient: worms, for example, propagate very quickly at the network layer. To maximize protection, the device should not be granted access to the network at all unless or until the problem can be remediated.

Wired networks have the advantage of requiring physical access to connect to them. As a result, they can be partially protected using physical security measures such as guards or locked doors. However, even with physical security, wired networks still face the same risks from viruses and worms that wireless networks must deal with. And we must still protect the LAN environment from authorized individuals connecting unauthorized devices to the network and from malicious activity by authorized users.

By their very nature, WLANs do not lend themselves to physical protection, since they do not require devices to physically connect to the network. Incorporating wireless technology in a large, global enterprise can potentially introduce new risks into the environment if not carefully managed. Wireless ports that are not sufficiently protected increase the risk of incursions from unauthorized network access: when a wireless network is unprotected, someone can be out in the parking lot or blocks away and still connect to the WLAN. On the other hand, unprotected wireless clients may themselves be vulnerable. “Rogue” wireless devices can also pose dangers to network security; they increase the risk of server impersonation, where clients are lured onto hostile networks.

A New Security Paradigm

In response to these security challenges, the IEEE has been working on 802.11i, an emerging security standard for WLAN. This includes the existing port-based authentication standard, 802.1x, which is also used for wired LANs.

Intel IT’s proof-of-concept study demonstrated that 802.1x-enabled device authentication, combined with automated scanning and enforcement of security policies, can give us control over every device attached to our network. This new security paradigm is important to us because it has the potential to dramatically improve our ability to enforce security policy. For example, using this new approach, Intel IT managers could:

• Ensure that only authorized devices and users can connect to the network.
• Ensure that systems they don’t own or maintain meet minimum security requirements, so they can make yes/no decisions on allowing connection to the network.
• Enforce system states; for example, if a full system scan has not been performed on a connecting system within the time period specified by security policy, we could force the scan prior to connection.
• Arrange to quickly scan connecting systems for a recent worm that can be detected based on a signature file and block connectivity until the system is cleaned.
• Require mobile computers that are away from the network for a period of time to update their virus or signature file before they reconnect, protecting laptop PCs from either getting or proliferating a recently emerged virus.

The Technologies Behind Our Solution

The solution employed in our pilot combined authentication, security compliance, and asset registration validation capabilities that are now possible to implement through the 802.1x standard.

Authentication Protocols

Authentication occurs when a device tries to connect to the network, for example, through a local wired port or a wireless access point (AP). 802.1x is based on the Extensible Authentication Protocol (EAP), specifically developed to address port-level authentication. EAP allows authentication of devices before they are granted access to the network. It is an extension of the Point-to-Point Protocol (PPP) for Ethernet networks and enables a variety of authentication protocols. It passes the exchange of authentication messages through, allowing authentication software on the server to interact with its counterpart on the client before the device is connected.

In our study, we considered the following three protocol types for authentication:

• Password-based
• Certificate-based
• Tunneling

Password-based Protocol

Password-based protocols authenticate using passwords for both the device and the user. Two examples of password-based protocols are Protected EAP-Microsoft Challenge Handshake Authentication Protocol version 2* (PEAP-MS CHAP v2) and Cisco’s Lightweight Extensible Authentication Protocol* (LEAP).

Clients that connect to a Microsoft Windows domain already use device and user credentials to authenticate to the domain. The same credentials can be used to authenticate to the network with 802.1x. For a device, the domain credential is the host name. The password is created when the device joins the domain, and its hash is cached both on the client and in the directory. The password is changed automatically, as required by company policy (for instance, every 30 or 90 days). For a user, the domain credential is the username and password. The user password can be made secure using domain-wide group policy objects that require passwords to meet strong password specifications and to be changed periodically. A common industry definition of a strong password specification is that passwords be at least six characters long, and include letters and digits in upper- and lowercase, with at least one special character.

Using both device and user credentials provides better protection, as each compensates for the other’s vulnerabilities. For example, users’ passwords are susceptible to social engineering (tricking a person into revealing their password) and shoulder surfing (stealing a password by looking over someone’s shoulder as they type it in). The device password compensates for that, as the user never uses and does not know the device password. Unfortunately, the ability to authenticate using two credentials in the same session is not yet supported by the IEEE standard.

Another drawback of password-based protocols is that the user password is cached on the local hard drive to enable offline logon. This compromises security if a laptop is stolen. The optimal solution is to not cache the logon credential. However, if the password must be cached to enable offline logon or roaming, it can still be protected with a non-cached PIN, using a hardware module such as a trusted platform module (TPM) to provide tamper-resistant storage.

Certificate-based Protocol

Computer certificates significantly improve the level of security and resistance to brute force attacks. However, certificate-based protocols such as EAP-Transport Layer Security (EAP-TLS) require a public key infrastructure (PKI), which adds a level of complexity and cost. A certificate authority (CA) must be established to generate the certificates, and a system put in place for deployment and maintenance to revoke, renew, and track them. Certificates can be purchased from a commercial source, but they still need to be deployed and maintained. Nevertheless, once the PKI and certificate-based authentication are established, they form a highly stable and scalable service.

The optimum approach is to use separate certificates for device and user authentication and to require both forms of authentication before allowing network access. However, this may not be the best option for device authentication, as the credential needs to be associated with the device. One solution is to store the certificate in the TPM on the computer, if the ease of use for customers makes that additional risk worthwhile.

Tunneling Protocol

Tunneling protocols enable a secure tunnel between the client and authenticator, allowing the authentication process to occur securely. This protocol is said to “tunnel” because it pushes through different types of packets, encapsulating them at the peer level or below. Tunneling protocols transport multiple protocols over a common network and provide the vehicle for encrypted VPNs. In the network authentication case, the tunneling protocol is used to perform the authentication session in a protected way. Examples of tunneling protocols include Protected EAP (PEAP) and Tunneled TLS (TTLS).

Security Compliance Enforcement

Authentication is an important step in protecting networks from unauthorized access, but it’s only one piece of the puzzle. Gartner Group forecast that, “by the first quarter of 2005, enterprises that don’t enforce security policies during network login will experience 200 percent more network downtime than those that do (0.7 probability).” [1]

By introducing security compliance at Layer 2 of the network stack, devices can be identified as authorized to access the network as well as compliant with information security policies. To become security compliant, the device must pass a series of checks, according to predefined policies. For example, security patches, virus definitions, and other security-related configuration components can be checked against a database for compliance. This compliance scanning can also verify that critical security services, such as virus protection, are running on the device.

[1] “Scan, Block and Quarantine to Survive Worm Attacks.” Gartner Group. Paper ID T21-7-7550.

Security compliance can be enforced in several ways before a device is allowed to connect to the production network. Here are three examples:

• Do not enter. When detected as non-compliant, the device is not allowed access. This method is elegant in its simplicity; however, users need the ability to contact a support center when access is denied.
• Partial access. When detected as non-compliant, the device gains partial access to the network. That is, it is issued a valid IP address, but can only access limited resources.
• Remediation. When detected as non-compliant, the device is redirected to a non-production (remediation) network. In this network, the device’s security compliance is updated. Remediation can be done using various levels of automation.

Once the device (known as a supplicant) is verified to be compliant, it can be assigned an IP address and allowed to access the network, as shown in Figure 1.

There are several technologies in the domain of compliance enforcement on connect. They can be divided into three main types, according to the policy enforcement point (PEP):

• The client as the enforcement point. Typically achieved by a personal firewall or another low-level device driver at the network driver interface (NDI) level, which controls network access for the device.
• A network service as the enforcement point. In this technology, a network device limits network access per device. This is achieved by a network access server (NAS) or, for example, Dynamic Host Configuration Protocol (DHCP).
• A proprietary network appliance as the enforcement point. In this method, a specific network appliance captures the packets and controls them accordingly.

Asset Registration Validation

A third condition for allowing a device to be connected to the network is verifying that the device is registered. Verification can be done with an existing database in the organization. The approach is similar to the compliance scanning enforcement described above.

Figure 1. Device authentication and compliance enforcement process.
Figure 1 (diagram; only its labels survive extraction). Components: Client (Supplicant), Network Switch or Wireless Access Point, Authentication Server, Compliance Server, Remediation Zone with Remediation Services, Production Network. Step 1: Authentication (Identity, Layer 2): ID? NO leads to STOP. Step 2: Compliance with Policies (Layer 2): OK? NO leads to the Remediation Zone; Remediation Not Possible leads to STOP. Step 3: Open Port, Assign IP Address, Grant Network Access (Layer 3).

[The rest of the paper survives only as a truncated preview; fragments below are separated by ... where text is missing.]

Intel’s Security Enhancement Program

Our investigations were prompted by a combination of business need and emerging technologies. Intel’s business units were calling for next-generation authentication and security methods to address the increase in security threats to the corporate network. At the same time, the 802.11i networking standard ...

... networks needed defending and which platforms and operating systems needed to access those networks. We decided on key use cases ...

... technologies existed or were mature at the time of our program’s inception. Based on the initial exploration, we developed long-term, medium- ...

... compliance, and asset registration validation ... authentication and compliance scanning ...

Challenges

One of the major challenges for the program was that not all required technologies existed or were mature when we began our study. Initially, authentication was the only available technology. Today, numerous products are offered, or will be offered soon, that include asset registration, validation, or compliance enforcement. Components that ...
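The three-step flow of Figure 1 (identity at Layer 2, policy compliance at Layer 2, then port open and IP assignment at Layer 3) together with the remediation option from Security Compliance Enforcement, as an added example that is not Intel's code: the policy thresholds, host names, credential store, asset database and the set of checks the remediation zone can fix are all constructed for illustration.

```python
"""On-connect admission flow modelled on Figure 1 of the white paper.
Added example, not Intel's code: Step 1 authenticates the device credential
and asset registration, Step 2 scans against a constructed policy, Step 3
assigns an IP address; non-compliant devices pass through a remediation
zone first, and a failing check the zone cannot fix means STOP."""
from dataclasses import dataclass, field

# Constructed policy mirroring the checks the paper names: patch level,
# virus definitions, a running virus-protection service, weekly full scans.
POLICY = {
    "min_patch_level": 12,
    "max_signature_age_days": 7,
    "max_days_since_full_scan": 7,
    "required_services": {"antivirus"},
}
KNOWN_DEVICES = {"LAB-LAPTOP-01": "hash-a", "LAB-DESKTOP-07": "hash-b"}  # host -> cached hash
REGISTERED_ASSETS = {"LAB-LAPTOP-01", "LAB-DESKTOP-07"}  # asset registration database
REMEDIABLE = {"signature_age", "full_scan", "service:antivirus"}  # fixes the zone offers
IP_POOL = ["10.0.0.21", "10.0.0.22", "10.0.0.23"]  # production addresses (Step 3)

@dataclass
class Supplicant:
    host: str
    cred_hash: str
    patch_level: int
    signature_age_days: int
    days_since_full_scan: int
    running_services: set = field(default_factory=set)

def authenticate(s):
    """Step 1 (Layer 2): device credential matches and the asset is registered."""
    return KNOWN_DEVICES.get(s.host) == s.cred_hash and s.host in REGISTERED_ASSETS

def compliance_failures(s):
    """Step 2 (Layer 2): names of every policy check the device fails."""
    fails = []
    if s.patch_level < POLICY["min_patch_level"]:
        fails.append("patch_level")
    if s.signature_age_days > POLICY["max_signature_age_days"]:
        fails.append("signature_age")
    if s.days_since_full_scan > POLICY["max_days_since_full_scan"]:
        fails.append("full_scan")
    missing = POLICY["required_services"] - s.running_services
    fails += sorted(f"service:{svc}" for svc in missing)
    return fails

def remediate(s, fails):
    """Remediation zone: apply the automated fixes it supports, in place."""
    if "signature_age" in fails:
        s.signature_age_days = 0  # push the current signature file
    if "full_scan" in fails:
        s.days_since_full_scan = 0  # force the full system scan
    if "service:antivirus" in fails:
        s.running_services.add("antivirus")  # start virus protection

def admit(s):
    """Run the three steps of Figure 1; returns (decision, detail)."""
    if not authenticate(s):
        return "STOP", "identity rejected"
    fails = compliance_failures(s)
    if fails:
        blocked = [f for f in fails if f not in REMEDIABLE]
        if blocked:
            return "STOP", "remediation not possible: " + ", ".join(blocked)
        remediate(s, fails)
        if compliance_failures(s):  # re-scan before leaving the zone
            return "STOP", "still non-compliant after remediation"
    return "GRANT", IP_POOL.pop(0)  # Step 3 (Layer 3): open port, assign IP
```

A device that fails only remediable checks is fixed in the zone and then re-scanned before it gets an address, while an unknown host or a check the zone cannot fix stops at the switch port with no IP address ever issued.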
... integration requirements. We decided on two use cases for Phase 1: office user and factory user. We selected user platforms for Phase 1 based on Intel® Centrino® mobile technology ...

Defining Core Components

We defined reference designs for core components of the Phase 1 pilot, based on the architecture. Among the core components were switch configuration, network ports, authentication, authorization and accounting ... servers ...

In our program, excellent cooperation between all teams was a key success factor.

Conclusion

During our pilot program to implement improved security methods at Intel, we identified the necessary infrastructure (hardware, firmware, and software) to support secure network access, enforced as devices connect to our LANs and WLANs. Our approach ...

... standard. We mapped all network ports, including LAN and WLAN, identifying all switches and access points on the network that would need ...

... solution that could potentially be deployed in the enterprise. To ensure we had a valid pilot, we are using the pilot data to get both the components and the entire system certified by our IT standards body.

Steps ...

... with state-of-the-art authentication. Through authentication and asset registration validation, we can ensure that only authorized devices are ...

... to networks to allow propagation of worms and viruses. Through this combination of methods, we are reducing our security risk.

Authors

Sagi Bar-Or is a systems engineer with Intel Information Technology.

Acronyms

AAA authentication, authorization and accounting
AP access point
PEP policy enforcement point
...

... device and user to the network, authenticates the network server to the client, checks the client for compliance to the current security policies, and provides remediation for non-compliant devices.

Our best defense against unauthorized network access and other security threats is combining security compliance scanning ...

... allowed on the network. By applying security policy compliance checks, we can ensure that ...

... the access points to the corporate network, for example, all the LAN switches. This is a comprehensive solution that covers client, network equipment, and backend ...

Lastly, working on this type of program requires cross-organizational cooperation within the organization. Applying a new security scheme to the network poses the classic challenge of security versus usability, so we must find the path between ...

... operating systems and configuration. We established engineering sub-teams for each core component reference design to develop, test, and certify solutions. We developed reference designs for core components of the authentication and security compliance enforcement system, based on the architecture, and established a sub-team for each core component reference design. We tested individual components and certified ...

Posted: 22/03/2014, 15:21
