
So our first talk today is on Network Access Control: The Company-Wide Team-Building Exercise That Only You Know About, by Dean Webb from Networking Forums. Let's give Dean a round of applause.

Thank you, thank you very much. This is my first time to present at a technical conference. I've done stand-up before, and I have to say this is a lot easier than stand-up, because it's serious. So if you don't laugh, I'm good. And if I get a laugh, I'm even better. All right: network access control. I gave it this title because when I started in my current role here, I was the new guy and I was young, I was brash, I was eager, and they said, hey, you could do the network access control project. I thought, yeah, I want to show them what I can do. I didn't realize it was the crap project that nobody else wanted, and then I found out why. Soon I became the NAC engineer. That's right, I am the one who NACs. It was my job to tell people, you're not going to be able to connect this to the network anymore, or you have to have a certificate, or we have to have another login. I was the bad guy: I was showing up and you're just being mean to everybody. And I was alone. I was telling people what I wanted from them, what I wanted to do to them, what I had against them. It was a whole relationship.

As I talked to other NAC engineers I realized that the NAC project can sometimes go off the rails and do things to the network that you didn't want to have happen, and this is largely due to the lack of communication between different branches of the business and the actual network access control project. I've talked to people where, yes, it was Skynet unleashed, or it brought down an entire production line, it brought down the worldwide ATM network. It did horrible, horrible things, and I will not say where those happened, because Chatham House rules. But yeah, they happened, and it was bad and it was bloody. But it doesn't have to be that way.

Get some help is what I learned. If I'm going to do this thing right, I need to bring in people from other organizations to assist me in this project. And yeah, I show the Care Bears here, but that's because they care. If I bring them in, they'll care about what I'm doing. Maybe that guy looks a little grumpy, but oh well, he's still part of the team, right? And think about this: NAC involves much more than the network. It involves everything that connects to the network: all your Windows clients, all your Linux, all your Macintosh, all your wireless devices, the guest networks, the phones, the light bulbs nowadays. That's right, some guy over in maintenance has bought a whole line of IP-enabled light bulbs and plugged them in, and you're wondering what happened to my DHCP scope, and you're also wondering what happened to my license count on my NAC product, because now I've got to account for these light bulbs. Crap. Yeah, you want everybody. Everybody who's got something that touches the network needs to know about the project and needs to be able to offer input to it.

You want to have a core team for your network access control project. Some of you may know this series, The IT Crowd, from England. Wonderful thing. But yeah, you've got your client guy, the network security person there, you've got your wireless fella, and then somebody here on the end, the executive, the director type, who at the very least can talk to other departments and let them know, hey, your people are about to get email from my people and I want your people to be able to help them as best as they can. When executives talk to executives, when managers talk to managers, they're able to help smooth the wheels that are going to grind slowly forward. If I am just sending emails to some guy over in client, saying hey, we're about to install a whole new package of client software and it's going to have to have admin-level access to all the Windows devices, and I send that to him directly, he's taking that cold and I get immediate resistance. If my manager talks to his manager, it's a little easier. If my executive talks to his executive, it's even easier than that. At that point the organization becomes bought into the idea of this network access control succeeding. And if I have a client person actually on my team, or we're having our team lunch meeting and he's there, and I say hi, I'm Dean, he says hi, I'm Roy, and we talk, and oh, you also like music? I like music too. Hey, all right. Now when I ask him to do something, hey, how about getting a client installed on the Windows boxes, instead of "absolutely not" it's "it might be difficult." But that's good, I can work with that. "It might be difficult" is a much more interesting and productive kind of conversation than the one that starts with no. Although those also start interesting conversations. But yes, you want a team, and I quote from The IT Crowd: team, team, team, team, team, team. I even love saying the word team. You want to be that team builder. If you're the NAC engineer, this is part of the company-wide exercise in team building. You know about it, you educate the others, and then they become part of your team.

You want your vendor to help out there too. You've got your sales engineer; he can provide a lot of good insight as to how this thing can be accomplished technically. You also want to talk to the sales rep, and I know how many of you really enjoy talking to sales reps. I mean, you live for that day. I'm getting crickets out there. It's an oil painting. Nobody? How about, would you like somebody else to talk to the sales guys? Now the hands come up. Okay, we know what happened. Somebody's got to do it: if not you, who? If not now, when? You talk to the salesman, he can give you the numbers you need, because NAC is going to be a big-ticket project no matter what your organization is. This is going to be something that, when you submit the budget item, they're going to go, whoa, a license for everything that connects to the network? Yes, a license for everything that connects to the network, and the hardware, that's a hardware cost there. Yeah. And the sales guy is going to be able to talk to your purchasing people and discuss how this can be worked out. Hopefully it's a salesperson that can learn to work with the way your organization does business: how to invoice, how to do everything properly there. That's the discussion that you don't want to have. What you do want is to be able to talk to the salesperson so he knows: here's your environment, here's what's going on, here's the things that you're going to be looking for. And he can communicate that properly to your managers, your executives, your purchasing department, and help get the system that you want to have. Because it's quite easy to buy the wrong NAC system for your environment. It's quite easy to do that. And remember, this is your job. You're the NAC engineer. You have the final say on the answers. These are part of your team; they will advise you. You take that advice in and then you communicate it on.

Now, I've mentioned vendors. Which vendor is the best? Usually it's the second one. I've talked to a lot of guys who've done NAC around the world, and repeatedly I hear, oh yeah, we ripped out vendor X, it was a piece of junk, but vendor Y worked great. And then somewhere else: oh, vendor Y, please, we tore him out, we put in vendor X and we're very happy with it. And I realized it doesn't matter who the vendor is. Not all the time; there are some places where, yeah, a vendor is going to be better for this than that. But in general it wasn't the vendor that made the difference. It was the experience, it was the lessons learned, it was the ability to do it right. The first time they did it they made a whole lot of mistakes, learned tons of things from it, they became very experienced, and with that experience came wisdom. And I mean, lack of funding can be another problem there. They went to enforcement mode too soon. Lots of things happen there, and it all comes down to lack of teamwork. As I watched this I thought, you know what, there's no reason that my current vendor has to be ripped out and we go with vendor two. I can make this one work if I bring the people together, if I have the right information, if I can get the right funding. Get all these pieces together and my first vendor can be the right one. There are places where this has happened: through some foresight or luck they put a team together, and having that team approach gave them a better shot at security, a better shot at getting this done successfully.

I mentioned talking with other people. You need to go out and find, not just me, but other people who've done NAC projects around the world. Talk with them. They're your grizzled veterans. Yes, these guys have gone through a NAC project; you can see it in their faces. Oh yeah, I remember we did NAC back in Okinawa... okay, anyway. And so if you've done that before you can think of, yeah, the Internet of Things was coming over the hill and all we had was a switch. You want vendor references from your vendors. When you're talking, if you're going through a pilot phase, you're testing or comparing vendors one against the other, ask the vendors: can you tell me somebody at another company about my size that has also used your product successfully? Have that conversation. You want to have it where you drive the conversation without the vendor present, so that the guy can be absolutely honest and no one's going to interrupt and say, oh, but wait, if you bought this licensing... No. You want to talk to the guy about what did he go through, what did she experience, what did they have to face, and from that information it can inform you about possible pitfalls with the product that you either need to plan carefully around or that maybe make it something that's out of the running. But you talk to these people. You want to read product reviews, and sadly NAC does not have a lot of product reviews for it, because, you know, it's a very niche product. It's something that doesn't happen all the time to everyone everywhere. But when you find those reviews, talk to those people; maybe send them an email. Okay, go to forums online and just look for various vendors and query on them and see what people have to say about them. If you learn from the experiences of others and you make them part of your extended team, someone that you could email later on and say, hey, we're hitting this, what happened to you? You found all your iPhones couldn't take a certificate of this sort? Oh well, we did this. Oh, thank you, that will be very helpful. That'll reduce the chance you rip something out and go with another vendor.

No matter what NAC product you use, though, you will have to use 802.1X. Even the vendors who will promise, oh, we have an 802.1X-free solution. Yeah, but when you get to wireless? Oh yeah, we use 802.1X. Okay. No matter what, you'll have it, and your NAC system will be the RADIUS server that provides the authentication for either all the wireless network or all the wireless and wired network. I do not know this man personally, but I want to shake his hand. I do not have a vested financial interest in this book, but I wish I did, because this has saved my life many times. You want the 802.1X Port-Based Authentication book by Edwin Lyle Brown. I have gone through bitter experience and this was my salvation. It is a full run through the entire protocol from start to finish, bottom to top. It tells you where and how it started, why people made decisions about the growth of 802.1X, what it has led to. It mentions how different vendors do different things. It also talks about how a device actually authenticates with that. And you use that, and when people say it's not working, you get the Wireshark captures, you open this book to the right page and you can say, ah, here, it's a client problem, because the switch sent this and the client didn't respond. There you go, right here. And you feel so good knowing that and being able to point to something in a book with certainty. With certainty. And then you go to the other people and deal with it. But that is a godsend. Please buy that book and read it if you haven't already and you're in a NAC project. If you're about to be in one, get it now. All right, I beat that dead horse.

Okay. As you go through the project you want to keep recruiting and keep selling. Okay, as the lead engineer you are going to sell it to the rest of your organization. You are not going to just turn it on and hope that nobody complains. You've got to talk to other people, because it's going to tie into so many other things. One thing that network access control vendors have realized is that the NAC system itself can be this hub that orchestrates all the other IT components that you have. You may have vulnerability scanning; it ties in with the client, so the client can help provide reports up to the vulnerability scanner. You've got FireEye, that is one example; well, that's going to tie in with some of these vendors here, and then the client will report back up the stream. You've got the antivirus solution; the NAC will tie into that. So this is something that can be very useful, very helpful. How many of you have, I don't know, you have Windows in your environment? Anybody have Windows? Okay, your hands are up. Okay, you know what, I understand. But the package management on Windows, SCCM, it can tie into the NAC solutions. That way, when they get on the network, it forces them to have that package. If you can tell the SCCM guy you're going to give him a report not on what he has to do but on what has already been done, he would hug you and kiss you if it was not an HR violation. I have seen this myself. So you sell that point. You go to the other groups and you say, hey, you know what, with this NAC, I tell you what it can do, it can make your job easier. How? I will tell you how. You know, maybe not as cheesy, but if you just give them the information they can run with it, and they can see this is something that they want to have, and they'll start asking other people, when are we going to get NAC turned on for this and that? That will push your product forward, that will push your success with this project forward.

When you do the project you want some quick wins. All right, I've talked to consultants who have done this successfully at other firms and they say, all right, number one, get the wireless done. Wireless has got 802.1X built into it. Turn that on, get it going, issue all the certs for it. It could be a Windows certificate authority that does it or some other homegrown one; it doesn't have to be a fancy Entrust or VeriSign. Just get the cert on every box, they check it, boom, that is secure, lock it down. VPN users: they come in through a little choke point and then explore the rest of your network. Well, put NAC there so it can say everybody who's connected with a VPN, boom, now they're properly vetted, they are the ones who should be on the network, we're good there. Then the next success: that building or floor that has all the IT guys in it. Not because they want to experience the potential hell that a NAC project is, but because they'll give you rich error reporting. You know what I'm talking about. They're not just going to say it's slow or it's broken; they're going to say, hey, why is it that I can't SSH over to 10.1.3.95? Okay, thank you, all right, that's good. And then you can work with them: oh, here's why, because we block this or that, and you can go from there. But those are your early successes. Those are where you can say we've had these things, we've got the value for the company, now we can build on this and go forward from there.

And the last one: monitor everything before enforcing anything. So important, because NAC turns into story time. You're going to turn this thing on and people will insist, I have zero devices of that particular kind on this network. Turn on NAC and it finds two of them. Oh wait, yeah, that's right, we do have two, now that you mention it. What are they? Oh yeah, you know, ten years ago we couldn't upgrade payroll and so we had to leave these devices on, and now that's how we get paid. It's always some mission-critical legacy application that you find, and you've got a story with it. If you went on the assurance that, oh yeah, all we have on this floor is Windows 7, that's it, nothing else, you turn on your NAC and you let all the Windows 7 in, you block everything else, boom, payroll goes down, or a production line goes down, or the global ATM network goes down, and you're in deep, deep, deep trouble. But you do the monitoring, you find this, and you say, okay, this is an unknown device, tell me some more about it. Or, why is it that all of our phones which have one label on the front have a different kind of NIC in the back? Oh well, see, this manufacturer has a subcontractor. Okay, thanks, that's good to know, because now when I'm trying to figure out what phones are allowed and not allowed on my voice network, I now know that there's some other NIC vendors to look at besides the main vendor. So get those wins in first before you hit the other stuff.

And be ready to have resources diverted to solve problems that aren't NAC trouble, but because NAC is new and involves math nobody understands, they want to blame it. This actually came from "I think the firewall is blocking my GETs." It's not the firewall. Well, you put NAC in, they'll stop complaining about the firewall and now it's NAC's problem, for the same fuzzy little errors out there. They'll say, can you turn it off? Your job is to insist that NAC not be turned off, but that we figure out what's going on to determine what is causing your errors. And again, back to monitoring: if you're monitoring, you can go up to someone and say, if we turned it on today your device would be blocked, could you help me figure out why? And then once you ascertain that, okay, now we've done these things, it should not be blocked, you turn it on, it's not blocked. He knows you're not to blame and he'll go back to the firewall guy, which is also me.

All right, there will be shocks a-plenty here, and this goes over a few of the things you'll see. Number two there: the client is in a build state; you can't do 802.1X with it. I read that in the Edwin Lyle Brown book. Intel tried to figure out a way to do it and they said no, no, it can't be done. And so, you know, the guy will say, oh, I've got these build devices, what do I do? Well, it's either come up with some very elaborate rules or sequester them to a particular area. You know, that's what I learned from other guys. The native Windows 802.1X supplicant can be a horror story. Then this one: the CSO just got NAC'd, what do you tell her? I want to say, you're welcome, because you're secure. If people want to make exclusions for upper security, it's not just a NAC problem, it's a company-wide perception problem about what security should or should not do. And you have to get the idea that if the CSO's something is getting NAC'd, or getting blocked, or getting hit with a proxy error message, that has to be a level of security that is enforced company-wide. Everybody follows these rules and everyone will be more secure as a result. There will be sensitive devices that nobody knew about that get NAC'd. They say, oh, that's just a printer. They have no idea that an nmap scan will cause it to have a memory failure. I had that happen. And then the last one: discovering the deadly effect on RADIUS traffic of the combination of Windows respecting MTUs with EAPOL traffic and default Cisco IOS QoS logic on a saturated WAN link. Six weeks, but we solved it. Solved it. Okay. But yeah, if you want to hit me up on that, I can take this offline, because it's a long, long shaggy-dog story. But there will be shocks.

You will have plan B, which is plan A with an element of panic. You'll have your architect come up with these beautiful lines and you will discover that those lines are actually ditches between cornfields. I picked this road in particular because when I was going through Mexico and I wanted to go from Veracruz to Tres Zapotes to see some Olmec ruins, Google Maps said oh, this is the fastest route, this other route in grey would be two hours longer, this is the fastest route. This is what Google Maps told me would work. It does not. It does not. It took an extra hour over and above the time the other one would have. This I bring up because your vendors, your architects will say, ah yes, this is how it'll work, all your RADIUS traffic will have high priority on this WAN link, nothing bad will happen to it. Back to the problem I mentioned earlier: turns out it fragments, and the fragments are not marked as RADIUS, so they get dropped. And there is your ditch between cornfields. Also they may say things like, hey, you have a virtual solution? Great, we'll do it all virtual. And then you find out places where the virtual environment that you plan to install in doesn't have enough CPUs to handle your load. And yeah, what do you... I don't know what you do there, um, except buy more stuff. But you know this will happen. You've got to be flexible. The project plan should have flexibility not only for troubleshooting other problems but also for dealing with unusual circumstances that arise that don't go according to plan. If you build in that time and you build in those resources, a little extra fluff there, and I've seen project management, I know that they can do that, they can build in some cushion. Do that. A NAC project should never be run lean. You should never be run on a tight string and a tight schedule, because it's going to encompass so many things. It will touch the entire company. It has to be one of these more company-transformation sort of things.

So get the team together early. Build out your informal team, the guys who aren't attached to the project but know a lot about it because you talk to them. Read that 802.1X book by Brown. Go for those early wins. Monitor everything before enforcing anything. And be ready to troubleshoot just about anything at any time, and you've got a chance that you won't have to rip something out. As Mel Brooks said: hope for the best, prepare for the worst; life is a play and we're unrehearsed. That's NAC.

For further cussing and discussing you can find me at www.networking-forums.com. I should actually make that HTTPS; I just got my cert on there, yay. I'm very active in the security area there. I also have a set of videos up on YouTube. I'm zzePTM at gmail; if you're not a robot you can figure out what the yadda yadda is. And also Peerlyst is hosting all the events here, so I'm active there and you can find me and talk with me there. So I've got a little bit of time left for cussing and discussing here. Any questions, comments? Yes sir, in the back.

How big of an organization is your organization? Yeah, mine is... uh, my employer won't let me say which employer it is, but we have over 140,000 Windows endpoints alone. So yeah, NAC. Yeah. But yes sir? The author's first name for the book? For the book, you mean Edwin Lyle Brown. Yeah, well, I'll go right to it: Edwin Lyle Brown. I want to get a tattoo with that on, but yeah, that's a really good resource there.

To what extent am I the only NAC guy? Right now I've actually gotten at least one other engineer trained on it for wired issues, and I've got two others that are trained on it for wireless, and I'm going to be getting more training out. I will not stand alone, because we are going to build this out as a service. And I have a background as a teacher, so I'm actually able to go and get other groups in there. But yeah, they finally listened to me; they got some more resources attached not just to the project but also to the idea that this is a service.

Yeah, to what extent do you do the posture, you know, going over and above just "you're authorized on the port or not," like dynamic ACLs and those types of things? Right. What we have is, the first thing that we wanted to do is just to say, can we get them on the network without killing everything? So we're not even at the posturing part. But we have tested things like that, where we said, okay, you know, in this IT area let's see what happens if we block everybody that doesn't have a current virus signature, and about twenty percent of the people got blocked, and then they were able to go and download it, and we thought, okay, that works. So we do a remediation VLAN, and we can talk more on that. So we have time for one more question. Okay.

You mentioned 140,000 Windows endpoints. How are you handling the non-802.1X-supplicant-supported endpoints, in reference to organizations that have hundreds of thousands of endpoints that are not your standard PC? Yeah, so MAC bypass, other series you found there? Good. What we've done is a combination of trying to find things that do as little MAC bypass as possible, because that can be a huge tax on the servers, and part of that also comes into vendor selection. There are some vendors that are going to be very effective with non-802.1X environments and some that will fall to pieces. So, do we have time for one more, one more question? No. Okay. Get me here, I'll be roaming around. I'd love to talk about this, because I love it. You guys have been wonderful. Thank you. Las Vegas rules. Good night.