close

Eset Endpoint Security Won't Update

Basic Concepts

Policy Administration – Policy Decission – ISE (Identity Services Engine) Policy Enforcement – Network Access Devices – Switches, Wireless, Routers Policy Information – NAC Agent, NAC Web Agent, 802.1X Supplicant (AnyConnect)

Authentication Methods:

  • 802.1x (NAC Agent, 802.1x supplicant)
  • MAC Authentication bypass (MAB) – Database of the MAC Address of the devices that don’t support 802.1x (printers, cameras)
  • Web Authentication
  • VPN Authentication

Authorization Methods:

  • ACLs (dACL, Named ACL, time based ACL)
  • VLANs assignation
  • Security Group Access – Cisco TrustSec – SGT – Security Group Tagging

Change Of Authorization – Method to change an endpoint authorization status after meeting some conditions, such as checking the security compliance of the endpoint. Needs to be supported by the Network Access Device.

Radius: standard-based for AAA services.

TACACS+: AAA protocol developed by Cisco. Supports command by command basis authorization. Provides accounting for device changes audit.

Current version of ISE: 1.3 (November 2014)

ISA Deployment

ISE can run on 3415, 3455, 3495 servers or VMWare

People:

  • PAN – Policy Administration Node
  • PSN – Policy Service Node
  • MNT – Monitoring and Troubleshooting Node

Failover behavior

  • Admin persona, handles the administrator changes and publishes them to the Policy Service Node. Secondary node needs to be promoted manually.
  • PSN – Redundant PSNs will work concurrently. If one files, the other will continue working.
  • Monitoring Node – If primary fails, secondary will be promoted to primary automatically.

Standalone deployment

  • All personas in the same box.
  • Up to 10.000 endpoints

Redundant deployment

  • Both boxes still have all the same personas. Primary node and Secondary node.
  • Up to 10.000 endpoints

Distributed deployment

  • Two redundant boxes with Admin and Monitoring personas
  • Up to 5 Policy Service Nodes
  • Up to 10.000 endpoints

Distributed deployment, up to 250.000 endpoints

  • Two boxes with Admin roles
  • Two boxes with Monitoring roles
  • Up to 40 PSNs

PSNs can be clusterized in a L2 level.

NAD – Network Access Devices will have the prioritized list of the PSNs that they will use

802.1x

802.1x Host Modes

  • Single Host Mode – Only one device (MAC Address) per port. Second causes unauthorized port state.
  • Multiple Host mode – (hub usage). first device defines authentication, other devices get same access.
  • Multiple Domain Authentication (MDA) mode – Data Voice. Independent authentication for each device.
  • Multiple Authentication mode – Authenticates every MAC address. Same VLAN but ACL per device.

Deployment modes

  • Monitor mode Before authentication: Authentication Open Full access After authentication: Full access configuration: authentication open
  • Low impact mode Before authentication: Authentication OPEN Pre ACL to limit the traffic After authentication: Full access or controlled access through ACL configuration: authentication open ip access-group default-ACL in
  • Closed mode Before authentication: No access allowed. Only EAPOL allowed. After authentication: Full access or controlled access through AC

EAP

EAP – Extensible Authentication Protocol

End user speaks 802.1x with the Network Access Device through a Suplicant. (EAPOL)

Network Access Device speaks Radius with the ISE PSN node. (EAP/Radius)

System uses EAP-X end to end

  • EAP-FAST: Symetric Cryptography. It uses PAC keys (protected access credentials) that are exchange between endpoint and PSN. They could be eavesdropped. The keys are used to create a tunnel to send the credentials.
  • EAP-PEAP: Only a certificate on the PSN is required. The certificate is delivered to the endpoint. The endpoint uses the public key of the PSN certificate to create a session key and setup a tunnel to send the User and Password through it
  • EAP-TLS: Both PSN and endpoint requires a certificate. No encryption is required as they will do an exchange of the public keys. Downside is the big quantity of certificates to be managed.
  • EAP-MD5 – CHAP: Challange – response. No server authentication. Vulnerable to MITM attacks
  • EAP-MSCHAPv2: Challange – response with hashing. Active Directory Environment.

Switch configuration

aaa new-model

endpoint security definition download     endpoint security cloud

TAGS

CATEGORIES