
Using open source NAC to prevent illegal network access

2025-04-06 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--


NAC, the subject of this article, stands for Network Access Control (also called network admission control). The traditional way to keep foreign devices off the enterprise network is to configure IP-MAC binding on the switch and combine it with ACLs and similar measures, so that a foreign device cannot reach the network. Several online behavior management and audit products are already on the market. The better-known ones are introduced briefly below; their feature sets also give direction to, and help guide, the research work that follows.

Sangfor AC series online behavior management

Netcom Internet Control Gateway

Cisco NAC

There are also a variety of other commercial products, such as those from Huawei and Beixinyuan. Several open source NAC tools, which offer more user-friendly management, are introduced below.

1. Brief introduction to PacketFence

PacketFence is open source network access control software. It uses Nessus to scan network nodes for vulnerabilities and so identify devices that pose a security risk. Once a risk is confirmed on a node, that terminal is denied access to the target network. PacketFence also uses Snort sensors to detect network activity and raise alerts accordingly. It supports VLAN configuration on managed switches from many vendors, including H3C, Cisco and Dell, and keeps unsafe terminals off the network by placing them in separate VLANs. Through its FreeRADIUS module, PacketFence provides 802.1X support for wireless, giving wireless clients the same security controls as the wired network. It can be administered through a web interface or the command line. These management functions meet the current network access control needs of most small and medium-sized enterprises.

PacketFence runs on RHEL, CentOS Linux and Debian. It can be installed from binary packages, or used directly from the prebuilt VMware virtual machine image. A Live CD (latest version 5.6.0) can be downloaded from http://www.packetfence.org/download/zen.html and written to a USB disk to boot from directly.

Hardware configuration: an ordinary server requires two high-performance gigabit network cards (one for connecting to the console, the other for collecting traffic from the switch's SPAN port). The switch must be a managed switch. Web interface: https://ip:1443/

2. PacketFence deployment

Like an IDS, PacketFence can be attached to the network in bypass mode, that is, out of band through a SPAN port. The other option is to connect it inline behind the firewall, which easily creates a single point of failure, so the author recommends bypass mode.

This figure clearly shows the details of illegal access points.

For example: operating system distribution information

Example: PacketFence's log

3. FreeNAC

FreeNAC is also free, open source NAC software. It likewise manages VLANs on the switch and assigns a dynamic VLAN to each terminal based on its MAC address, providing access control to the various resources on the local area network. FreeNAC can control the access of servers, workstations, printers and IP telephones on the LAN. It automatically discovers the live terminals on the network, supports 802.1X and Cisco's VMPS port security module, and offers functions such as system patch distribution. Although FreeNAC supports unmanaged switches, using them greatly reduces its NAC capability. To get its full NAC functionality it is best to use managed switches, and to use VMPS it is best to use VMPS-enabled Cisco managed switches.
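The MAC-based VLAN decision that both tools rely on (unknown or risky terminals are kept out of the production VLANs), sketched as an added example that is not code from PacketFence or FreeNAC. The VLAN IDs, inventory, scan findings and function names are all constructed for the illustration.

```python
import re

# Hypothetical VLAN IDs and inventory, constructed for this example.
VLAN_REGISTRATION = 20   # unknown devices land here
VLAN_ISOLATION = 30      # known devices with an open security finding
INVENTORY = {            # normalized MAC -> production VLAN
    "001a2b3c4d5e": 110,  # workstation
    "001a2b3c4d5f": 120,  # printer
    "001a2b3c4d60": 130,  # IP phone
}
OPEN_FINDINGS = {"001a2b3c4d5f"}  # MACs flagged by a vulnerability scan


def normalize_mac(raw):
    """Accept 00:1A:2B:..., 00-1a-2b-... and Cisco 001a.2b3c.4d5e forms."""
    digits = re.sub(r"[.:\-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def assign_vlan(raw_mac, inventory=INVENTORY, findings=OPEN_FINDINGS):
    """Return (vlan, reason) for a device that just appeared on a port."""
    try:
        mac = normalize_mac(raw_mac)
    except ValueError:
        return VLAN_REGISTRATION, "malformed-mac"
    # Locally administered bit set: typical of randomized or hand-set MACs,
    # which should never match a hardware inventory entry.
    if int(mac[:2], 16) & 0x02:
        return VLAN_REGISTRATION, "locally-administered-mac"
    if mac not in inventory:
        return VLAN_REGISTRATION, "unknown-device"
    if mac in findings:
        return VLAN_ISOLATION, "open-security-finding"
    return inventory[mac], "registered"


if __name__ == "__main__":
    for seen in ["00:1A:2B:3C:4D:5E", "001a.2b3c.4d5f", "02-11-22-33-44-55",
                 "00:de:ad:be:ef:01", "garbage"]:
        print(seen, "->", assign_vlan(seen))
```

Normalizing the address first matters because switches, RADIUS logs and inventories write the same MAC in different notations, and a mismatch would otherwise send a registered device to the registration VLAN.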

4. Xplico

The following open source tool is not as powerful as the two NAC tools above. Xplico is both a network protocol analysis tool and an open source network forensics analysis tool (NFAT); because it can reveal anomalies, it can serve as an auxiliary NAC tool. Its goal is to extract and present the application data contained in captured Internet traffic, analyzing each network application separately. For example, Xplico can parse traffic passing through a gateway in real time, or parse the IP traffic in a pcap file, and it can parse e-mail (POP, IMAP and SMTP), all HTTP content, VoIP applications, and so on.

The XPlico system consists of four parts:

Decoder manager (DeMa)

IP/network decoder (Xplico)

Components that process the decoded data (Manipulators)

Visualization system, used to view the results

Its main workflow is as follows: the data capture module (cap_dissector) grabs packets from the network and feeds them to the parsing components (Dissectors). The parsed results are stored in the database by the distribution component (Dispatcher) and finally displayed. The process is shown in the following figure.

As the figure above shows, Xplico analyzes protocols top-down. It first captures a network packet, then distinguishes protocols by the fields in the packet, separating TCP, UDP and other protocols for analysis. TCP and UDP traffic is further subdivided by port number and application-layer protocol characteristics, and a different parser handles each kind of message. Finally, a conclusion is drawn and the results are saved.
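The top-down dissection described above, as an added example that is not Xplico's code: it reads a constructed capture in the classic pcap file format and narrows each frame from Ethernet to IPv4 to TCP/UDP to an application protocol. Only the port-number step is shown, not the matching on application-layer characteristics; the port table, function names and sample frames are assumptions made for the illustration.

```python
import struct

DISSECTORS = {("tcp", 80): "http", ("tcp", 25): "smtp", ("tcp", 110): "pop",
              ("tcp", 143): "imap", ("udp", 53): "dns", ("udp", 5060): "sip"}

def read_pcap(data):
    """Yield link-layer frames from a classic pcap byte string."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(order + "I", data[off + 8:off + 12])[0]
        off += 16
        if off + incl_len > len(data):
            break  # truncated last record: stop rather than misparse
        yield data[off:off + incl_len]
        off += incl_len

def dissect(frame):
    """Ethernet -> IPv4 -> TCP/UDP -> application protocol chosen by port."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return "non-ipv4"
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    l4 = {6: "tcp", 17: "udp"}.get(ip[9])
    if l4 is None or ihl < 20 or len(ip) < ihl + 4:
        return "other"
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    for port in (dport, sport):  # either end may be the server
        if (l4, port) in DISSECTORS:
            return DISSECTORS[(l4, port)]
    return l4 + "-unclassified"

def build_sample_pcap():
    """Constructed capture: TCP/80, UDP/53, TCP/25 and one ARP frame."""
    def frame(proto, sport, dport):
        l4 = struct.pack("!HH", sport, dport) + bytes(16 if proto == 6 else 4)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                         proto, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
        return bytes(12) + b"\x08\x00" + ip + l4
    frames = [frame(6, 40000, 80), frame(17, 40001, 53), frame(6, 40002, 25),
              bytes(12) + b"\x08\x06" + bytes(28)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def classify(data):
    return [dissect(f) for f in read_pcap(data)]
```

Calling `classify(build_sample_pcap())` labels the four constructed frames in order; traffic on a non-standard port falls through to `tcp-unclassified` or `udp-unclassified`, which is the case where matching on protocol characteristics is needed.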

Data acquisition method of Xplico

At the lowest layer, Xplico uses Libpcap to capture packets. Libpcap is a well-known programming interface dedicated to capturing network data. It is widely used across network security, and many well-known network security systems are built on it, such as the packet capture and analysis tool Tcpdump and the network intrusion detection system Snort. Libpcap has almost become the standard interface for network packet capture. Libpcap uses the BPF filtering mechanism, a kernel-based filtering module that lets it discard packets that are not needed and capture only the packets the user is interested in. With Libpcap, packets captured from the network can be stored in a file and read back from that file; the result of reading is the same as capturing the packets from the network. Libpcap serves four main purposes:

1. Capturing all kinds of network packets

2. Analyzing network packets

3. Storing network packets

4. Filtering network packets

Xplico comes integrated in Deft, and its deployment details can be found in the book Unix/Linux Network Log Analysis and Traffic Monitoring.

Book reviews: http://item.jd.com/11582561.html
