9.9. Network Requirements for OpenNAC Deployment
Network access control technologies require correct network segmentation; a clear design makes deploying a NAC solution much easier.
First, we define the Layer 2, Layer 3 and Layer 4 network requirements that guarantee a successful deployment.
Layer 2: VLAN segmentation that must already be in place in the network before OpenNAC Enterprise is deployed.
Layer 3: IP visibility between the different software components; routing and firewall changes may be required to ensure correct communication between the nodes and access to all necessary services.
Layer 4: TCP/UDP ports that must be open in the network to avoid integration problems.
9.9.1. Layer 2 Requirements
OpenNAC Enterprise provides an easily adaptable and customizable network configuration module called ON Netconf.
OpenNAC Enterprise establishes at least three VLANs by default, but these can easily be expanded, as explained below:
Registry VLANs:
OpenNAC Enterprise uses Registry VLANs to register users; they can also be used to register new devices for already authenticated users, a common use case being BYOD.
Quarantine VLANs:
OpenNAC Enterprise uses Quarantine VLANs for user devices that do not meet the enterprise security policy requirements. Further actions (agent installation, patching, AV updates, etc.) can then be taken so that the device complies with the enterprise requirements.
Service VLANs:
OpenNAC Enterprise uses Service VLANs to provide access to corporate resources. There may be one or more service VLANs, depending on the number of user devices and on the resource access rights. OpenNAC Enterprise assigns user devices to the different service VLANs based on the policy compliance rules defined by the administrator.
Guest VLANs:
OpenNAC Enterprise uses Guest VLANs to provide guest services in the network through a sponsorship process; auto-enrollment is also an option. The guest management system uses a customizable workflow.
Custom VLANs:
OpenNAC Enterprise can add further VLANs to provide more flexibility.
9.9.2. Layer 3 and 4 Requirements
| Source | Destination | Port | Service |
|---|---|---|---|
| Principal/Worker | Principal/Worker | TCP/22 | SSH |
| Principal/Worker | Analytics | TCP/22 | SSH |
| Principal/Worker | Aggregator | TCP/22 | SSH |
| Principal/Worker | Sensor | TCP/22 | SSH |
| Principal/Worker | Principal/Worker | TCP/80 | HTTP |
| Principal/Worker | Principal/Worker | TCP/443 | HTTPS |
| Worker | Principal | TCP/3306 | MySQL |
| Worker | Principal | TCP/6379 | Redis |
| Worker | Principal | UDP/25826 | Collectd |
| Principal/Worker | Analytics | TCP/5601 | Kibana |
| Principal/Worker | Analytics | TCP/9200 | ElasticSearch |
| Principal/Worker | Aggregator | TCP/5000 | FileBeat |
| Principal/Worker | Network Dev | UDP/161 | SNMP |
| Principal/Worker | Network Dev | UDP/3799 | CoA |
| Principal/Worker | Network Dev | TCP/22 | SSH |
| Principal/Worker | Network Dev | TCP/23 | TELNET |
| Principal/Worker | MTA Relay | TCP/25 | SMTP |
| Principal/Worker | NTP SERVER | UDP/123 | NTP |
| Principal/Worker | Proxy Radius | TCP/8080 [*] | HTTP / HTTPS |
| Principal/Worker | DNS | UDP/53 | DNS |
| Principal/Worker | AD SERVERS | UDP/TCP/88 | KERBEROS |
| Principal/Worker | AD SERVERS | UDP/TCP/135 | DCOM/RPC |
| Principal/Worker | AD SERVERS | UDP/TCP/137 | NETBIOS |
| Principal/Worker | AD SERVERS | UDP/TCP/138 | NETBIOS |
| Principal/Worker | AD SERVERS | UDP/TCP/139 | NETBIOS |
| Principal/Worker | AD SERVERS | UDP/TCP/389 | LDAP |
| Principal/Worker | AD SERVERS | TCP/445 | SMB |
| Principal/Worker | AD SERVERS | TCP/464 | KPASSWD |
| Principal/Worker | AD SERVERS | TCP/636 | LDAPs |
| Principal/Worker | Palo Alto Fw | TCP/443 | HTTPS |
| Principal/Worker | Any | ICMP | User device discover & profiling |
| Principal/Worker | Any | TCP/21, TCP/22, TCP/23, TCP/53, TCP/79, TCP/80, TCP/123, TCP/135, TCP/137, TCP/138, TCP/139, TCP/280, TCP/389, TCP/442, TCP/443, TCP/445, TCP/515, TCP/554, TCP/631, TCP/636, TCP/1027, TCP/1088, TCP/1801, TCP/1947, TCP/2000, TCP/2001, TCP/2002, TCP/2003, TCP/2009, TCP/2021, TCP/2030, TCP/2103, TCP/2105, TCP/2107, TCP/2701, TCP/3000, TCP/3001, TCP/3003, TCP/3007, TCP/3306, TCP/3389, TCP/4000, TCP/4001, TCP/4224, TCP/5000, TCP/5001, TCP/5060, TCP/5357, TCP/5800, TCP/5900, TCP/6001, TCP/6100, TCP/6996, TCP/6997, TCP/6998, TCP/6999, TCP/8000, TCP/8009, TCP/8080, TCP/8081, TCP/9001, TCP/9002, TCP/9100, TCP/9200, TCP/9220, TCP/9290, TCP/9500, TCP/9999, TCP/10000, TCP/10002, TCP/16992, TCP/16993, TCP/30718, TCP/49152, TCP/49153, TCP/49154, TCP/49155, TCP/49156, TCP/49157, TCP/49158, TCP/49176, TCP/50000, TCP/50001, TCP/50002, TCP/50636, TCP/61900, UDP/21, UDP/22, UDP/23, UDP/53, UDP/79, UDP/80, UDP/123, UDP/135, UDP/137, UDP/138, UDP/139, UDP/161, UDP/280, UDP/389, UDP/442, UDP/443, UDP/445, UDP/515, UDP/554, UDP/631, UDP/636, UDP/1027, UDP/1088, UDP/1801, UDP/1947, UDP/2000, UDP/2001, UDP/2002, UDP/2003, UDP/2009, UDP/2021, UDP/2030, UDP/2103, UDP/2105, UDP/2107, UDP/2701, UDP/3000, UDP/3001, UDP/3003, UDP/3007, UDP/3306, UDP/3389, UDP/4000, UDP/4001, UDP/4224, UDP/5000, UDP/5001, UDP/5060, UDP/5357, UDP/5800, UDP/5900, UDP/6001, UDP/6100, UDP/6996, UDP/6997, UDP/6998, UDP/6999, UDP/8000, UDP/8009, UDP/8080, UDP/8081, UDP/9001, UDP/9002, UDP/9100, UDP/9200, UDP/9220, UDP/9290, UDP/9500, UDP/9999, UDP/10000, UDP/10002, UDP/16992, UDP/16993, UDP/30718, UDP/49152, UDP/49153, UDP/49154, UDP/49155, UDP/49156, UDP/49157, UDP/49158, UDP/49176, UDP/50000, UDP/50001, UDP/50002, UDP/50636, UDP/61900 | User device discover & profiling |
| Core HTTP (Pri) | Principal/Worker | TCP/80 | HTTP |
| Core HTTP (Pri) | Principal/Worker | TCP/443 | HTTPS |
| Core API (Pri) | Principal/Worker | TCP/80 | HTTP |
| Core API (Pri) | Principal/Worker | TCP/443 | HTTPS |
| Core API (Pri) | Principal/Worker | TCP/4730 | Gearman (Queues) |
| Core RADIUS (Pri) | Principal/Worker | UDP/162 | SNMPTRAP |
| Core RADIUS (Pri) | Principal/Worker | UDP/1812 | RADIUS |
| Core RADIUS (Pri) | Principal/Worker | UDP/1813 | RADIUS |
| Core DHCP (Pri) | Principal/Worker | UDP/67 | IP HELPER |
| Core DNS (Pri) | Principal/Worker | UDP/53 | DNS |
| Core DNS (Pri) | Principal/Worker | TCP/53 | DNS |
| Analytics | Principal/Worker | TCP/22 | SSH |
| Analytics | Sensor | TCP/22 | SSH |
| Analytics | Aggregator | TCP/22 | SSH |
| Analytics | Analytics | TCP/22 | SSH |
| Analytics | Analytics | TCP/9200 | ElasticSearch |
| Analytics | Analytics | TCP/9300 | ElasticSearch |
| Analytics | NTP SERVER | UDP/123 | NTP |
| Analytics | DNS | UDP/53 | DNS |
| Analytics | Proxy Radius | TCP/8080 | HTTP / HTTPS |
| Aggregator | Principal/Worker | TCP/22 | SSH |
| Aggregator | Sensor | TCP/22 | SSH |
| Aggregator | Analytics | TCP/22 | SSH |
| Aggregator | Aggregator | TCP/22 | SSH |
| Aggregator | Core API (Pri) | TCP/80 | HTTP |
| Aggregator | Core API (Pri) | TCP/443 | HTTPS |
| Aggregator | NTP SERVER | UDP/123 | NTP |
| Aggregator | DNS | UDP/53 | DNS |
| Aggregator | Proxy Radius | TCP/8080 [*] | HTTP / HTTPS |
| Analytics | Analytics | TCP/5601 | Kibana |
| Analytics | Analytics | TCP/9200 | ElasticSearch |
| Aggregator | Aggregator | TCP/5002 | SYSLOG |
| Sensor | Principal/Worker | TCP/22 | SSH |
| Sensor | Sensor | TCP/22 | SSH |
| Sensor | Analytics | TCP/22 | SSH |
| Sensor | Aggregator | TCP/22 | SSH |
| Sensor | Analytics | TCP/5000-5015 | FileBeat |
| Sensor | Core Principal | TCP/6379 | Redis |
| Sensor | Core Principal | TCP/4730 | Gearman (Queues) |
| Sensor | Core API (Pri) | TCP/4730 | Gearman (Queues) |
| Sensor | NTP SERVER | UDP/123 | NTP |
| Sensor | DNS | UDP/53 | DNS |
| Sensor | Proxy Radius | TCP/8080 | HTTP / HTTPS |
| Switches | Core RADIUS (Pri) | UDP/162 | SNMPTRAP |
| Switches | Core RADIUS (Pri) | UDP/1812 | RADIUS |
| Switches | Core RADIUS (Pri) | UDP/1813 | RADIUS |
| VPNs | Core RADIUS (Pri) | UDP/1812 | RADIUS |
| VPNs | Core RADIUS (Pri) | UDP/1813 | RADIUS |
| Wifi | Core RADIUS (Pri) | UDP/1812 | RADIUS |
| Wifi | Core RADIUS (Pri) | UDP/1813 | RADIUS |
| Routers | Core DHCP (Pri) | UDP/67 | IP HELPER |
| Palo Alto Fw | Aggregator | TCP/5002 | SYSLOG |
| Any (with agent) | Core HTTP (Pri) | TCP/80 | HTTP |
| Any (with agent) | Core HTTP (Pri) | TCP/443 | HTTPS |
| Any (captive net) | Core HTTP (Pri) | TCP/80 | HTTP |
| Any (captive net) | Core HTTP (Pri) | TCP/443 | HTTPS |
| Any (captive net) | Core DHCP (Pri) | UDP/67 | DHCP |
| Any (captive net) | Core DNS (Pri) | UDP/53 | DNS |
| Any (captive net) | Core DNS (Pri) | TCP/53 | DNS |
| Management VPN | Principal/Worker | TCP/22 | SSH |
| Management VPN | Analytics | TCP/22 | SSH |
| Management VPN | Aggregator | TCP/22 | SSH |
| Management VPN | Sensor | TCP/22 | SSH |
| Management VPN | Principal/Worker | TCP/80 | HTTP |
| Management VPN | Principal/Worker | TCP/443 | HTTPS |
| Management VPN | Analytics | TCP/5600 | Kibana |
[*] Depending on the customer's proxy settings.
[*] Core Principal and Aggregator: "Principal" here refers only to service IPs on a virtual network interface, not to a load-balancing service.
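The matrix above is only useful once it is turned into firewall policy and verified from each node. The following added example (not OpenNAC's own tooling) parses rows copied from the table, including the multi-protocol cell "UDP/TCP/88", the range "TCP/5000-5015", the "[*]" footnote marker and the ICMP row, emits nftables input rules for one node role, and offers a TCP preflight probe for the flows a role originates. The subnet and address mappings passed in are constructed placeholders.

```python
"""Port-matrix helper: table rows -> nftables rules and a TCP reachability preflight.
Added example; the rows below are copied from the matrix, the networks are constructed."""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "icmp"
    ports: tuple  # (first, last) inclusive; empty for icmp
    service: str


def parse_row(src, dst, port, service):
    """Expand one 'Port' cell ('TCP/22', 'UDP/TCP/88', 'TCP/5000-5015', 'ICMP',
    'TCP/8080 [*]') into one Flow per protocol; the footnote marker is dropped."""
    port = port.replace("[*]", "").strip()
    if port.upper() == "ICMP":
        return [Flow(src, dst, "icmp", (), service)]
    *protos, rng = port.split("/")
    lo, _, hi = rng.partition("-")
    ports = (int(lo), int(hi or lo))
    return [Flow(src, dst, p.lower(), ports, service) for p in protos]


# Subset of the matrix above (rows copied verbatim from the table).
MATRIX = [
    ("Switches", "Core RADIUS (Pri)", "UDP/1812", "RADIUS"),
    ("Switches", "Core RADIUS (Pri)", "UDP/1813", "RADIUS"),
    ("Principal/Worker", "AD SERVERS", "UDP/TCP/88", "KERBEROS"),
    ("Principal/Worker", "AD SERVERS", "TCP/636", "LDAPs"),
    ("Principal/Worker", "Proxy Radius", "TCP/8080 [*]", "HTTP / HTTPS"),
    ("Sensor", "Analytics", "TCP/5000-5015", "FileBeat"),
    ("Principal/Worker", "Any", "ICMP", "User device discover & profiling"),
]
FLOWS = [f for row in MATRIX for f in parse_row(*row)]


def nft_rules(role, subnets):
    """nftables input rules for the node `role`: only the flows the matrix lists
    toward it, from the sources whose CIDR is given in `subnets` (constructed)."""
    rules = []
    for f in FLOWS:
        if f.dst != role or f.src not in subnets:
            continue
        if f.proto == "icmp":
            rules.append(f'ip saddr {subnets[f.src]} icmp type echo-request accept comment "{f.service}"')
            continue
        lo, hi = f.ports
        dport = str(lo) if lo == hi else f"{lo}-{hi}"
        rules.append(f'ip saddr {subnets[f.src]} {f.proto} dport {dport} accept comment "{f.service}"')
    return rules


def tcp_reachable(host, port, timeout=2.0):
    """Live check: True when a TCP connect to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(role, resolve, timeout=2.0):
    """Probe every TCP flow the matrix says `role` originates. `resolve` maps a
    destination label to an address (constructed); returns {(dst, port): reachable}."""
    results = {}
    for f in FLOWS:
        if f.src != role or f.proto != "tcp" or f.dst not in resolve:
            continue
        lo, hi = f.ports
        for p in range(lo, hi + 1):
            results[(f.dst, p)] = tcp_reachable(resolve[f.dst], p, timeout)
    return results


if __name__ == "__main__":
    for rule in nft_rules("Core RADIUS (Pri)", {"Switches": "10.0.10.0/24"}):
        print(rule)
    # Example live run from a Sensor node (addresses are placeholders):
    # print(preflight("Sensor", {"Analytics": "10.0.30.5"}))
```

The rule generator keys on the Destination column, so it produces the inbound allow list for a host of that role; the preflight keys on the Source column, so it is run on the originating node before the integration is brought up, which catches the routing and firewall gaps the Layer 3 requirement above warns about.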
9.9.2.1. Authentication process
We assume a common scenario in which an endpoint is authenticated over a wired or Wi-Fi network:
In the first step, the authentication process begins between the endpoint and the network device using the EAPOL protocol.
In the second step, the network device encapsulates the authentication request in the RADIUS protocol.
In the third and fourth steps, the ON Core uses its Active Directory integration to check the credentials and validate the endpoint authentication (port 1812 is used for authentication and 1813 for accounting). To configure this integration, the ON Core needs network access to the AD servers, Kerberos access, NTP synchronization, a configured LDAP connection, NetBIOS, and so on.
In the remaining steps, the network device decapsulates the RADIUS reply and the authentication process ends.
9.9.2.2. Default VLAN
To assign a default VLAN, you can either send an untagged VLAN to the network device or use a specific VLAN name or ID, depending on how the network device is configured. In the following example, the ON Core sends these parameters empty, leaving the VLAN choice to the network device's own configuration.
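The RADIUS leg of the authentication process (9.9.2.1) and the default-VLAN case (9.9.2.2) are both visible at the packet level. The following added example, which is not OpenNAC's code, encodes the Access-Request a switch sends to the ON Core on UDP/1812 and the Access-Accept the server returns, using the RFC 2865 User-Password hiding and Response Authenticator and the RFC 3580 tunnel attributes for VLAN assignment. It assumes a PAP-style User-Password rather than the EAP-Message attributes real 802.1X uses, and it reads "send these parameters empty" as "send no tunnel attributes at all"; the shared secret, user and NAS address are constructed.

```python
"""RADIUS Access-Request / Access-Accept encoding with optional VLAN attributes.
Added example on RFC 2865 / 2868 / 3580 layouts; all values are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def _attr(code, value):
    return struct.pack("!BB", code, 2 + len(value)) + value


def _packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def obfuscate_password(secret, authenticator, password):
    """User-Password hiding (RFC 2865 5.2): pad to a 16-byte multiple and XOR each
    block with MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(secret, authenticator, hidden):
    """Inverse of obfuscate_password, as the RADIUS server applies it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request(secret, ident, username, password, nas_ip):
    """The Access-Request a network device sends after wrapping the endpoint's
    credentials; returns the packet and its random Request Authenticator."""
    req_auth = os.urandom(16)
    attrs = [
        _attr(USER_NAME, username.encode()),
        _attr(USER_PASSWORD, obfuscate_password(secret, req_auth, password.encode())),
        _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ]
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def vlan_attributes(vlan_id):
    """RFC 3580 VLAN assignment. None models the default-VLAN case described above:
    no tunnel attributes, so the network device keeps its own configured VLAN."""
    if vlan_id is None:
        return []
    return [
        _attr(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)),          # tag 0 + 3-byte value
        _attr(TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)),
        _attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()),           # VLAN ID or name
    ]


def access_accept(secret, ident, req_auth, vlan_id=None):
    """Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(vlan_attributes(vlan_id))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(secret, req_auth, packet):
    """Check a reply against the Request Authenticator it answers; a reply with a
    wrong secret, or one belonging to another request, fails here."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    return hashlib.md5(header + req_auth + body + secret).digest() == resp_auth


def attributes(packet):
    """Parse the attribute list into {code: [value, ...]}, rejecting malformed lengths."""
    out, i = {}, 20
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed attribute")
        code, length = packet[i], packet[i + 1]
        out.setdefault(code, []).append(packet[i + 2:i + length])
        i += length
    return out


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req, ra = access_request(secret, 7, "alice", "s3cret", "10.0.10.2")
    print("Access-Request:", req.hex())
    print("Access-Accept (VLAN 200):", access_accept(secret, 7, ra, 200).hex())
    print("Access-Accept (default VLAN):", access_accept(secret, 7, ra).hex())
```

The second Access-Accept in the usage block carries no Tunnel-* attributes, which is what lets the network device fall back to its locally configured VLAN; the first carries Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-ID=200. The `verify_response` check is the one a NAS performs before trusting either reply, and it is also a useful test when validating a RADIUS proxy or the UDP/1812 path from the switch VLANs.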
9.9.2.3. Network device management and reauthentication
- Network device connection: it is required and recommended to use an SSH connection (port 22) to gain access to network devices. This connection enables several important capabilities, for instance:
  - Network device configuration management: allows us to apply configuration to network devices remotely.
  - Network device backup management: allows us to retrieve backup configurations from network devices remotely.
  - Network compliance configuration management: once we have retrieved a network device's configuration, we can check whether the device meets the requirements we specify.
- CoA (Change of Authorization): in some scenarios it is necessary to force a policy re-evaluation and change the type of authorization, triggering the change via software.
- SNMP toggle port: as an additional method of forcing a policy evaluation, SNMP can be used to shut down the port and bring it back up.
9.9.2.4. IP helper / DHCP relay service
Another important protocol used to discover and profile assets is DHCP. As a general concept, DHCP is based on broadcast messages; when an IP helper or a DHCP relay agent is used, those messages are forwarded to the DHCP server as unicast packets.
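The relay changes the packet in a way a profiling collector must account for: the client's own options (message type, hostname, vendor class, parameter request list) arrive untouched, but the relay fills in the giaddr field with its own address and increments the hop count, so the source address of the unicast packet is the relay, not the asset. The following added example (not OpenNAC's profiler) builds a DHCP Discover both directly from the client and as forwarded by a relay, parses the BOOTP header and TLV options, and shows that the profiling fingerprint is identical in both cases while the relay fields differ. The MAC, hostname and option list are constructed and resemble a Windows client.

```python
"""Parse DHCP Discover packets as seen directly and through an IP helper / relay.
Added example with constructed packets; relay semantics follow RFC 2131."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 8: "INFORM"}


def build_discover(mac, hostname, vendor_class, param_list, giaddr="0.0.0.0", hops=0):
    """Constructed DHCP Discover (236-byte BOOTP header, cookie, options).
    A relay agent leaves the client fields alone but sets giaddr and increments hops."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, hops, 0x3903F326, 0, 0x8000,
                         bytes(4), bytes(4), bytes(4), IPv4Address(giaddr).packed,
                         mac + bytes(10), bytes(64), bytes(128))
    options = (b"\x35\x01\x01"                                        # 53: DHCPDISCOVER
               + b"\x0c" + bytes([len(hostname)]) + hostname          # 12: host name
               + b"\x3c" + bytes([len(vendor_class)]) + vendor_class  # 60: vendor class
               + b"\x37" + bytes([len(param_list)]) + bytes(param_list)  # 55: param request list
               + b"\xff")                                             # end
    return header + MAGIC_COOKIE + options


def parse_options(data):
    """Walk TLV options up to END (255); PAD (0) has no length byte."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp(packet):
    """Extract the header fields and options a profiler cares about."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    giaddr = IPv4Address(packet[24:28])
    chaddr = packet[28:28 + hlen]
    opts = parse_options(packet[240:])
    return {
        "op": op, "hops": hops, "xid": xid,
        "client_mac": ":".join(f"{b:02x}" for b in chaddr),
        "giaddr": str(giaddr),
        "relayed": giaddr != IPv4Address("0.0.0.0"),
        "message_type": MESSAGE_TYPES.get(opts.get(53, b"\x00")[0], "UNKNOWN"),
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
        "param_request_list": list(opts.get(55, b"")),
    }


def fingerprint(info):
    """Option 55 order plus vendor class: a common DHCP profiling key that survives relaying."""
    return ",".join(map(str, info["param_request_list"])) + "|" + info["vendor_class"]


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")
    opts55 = [1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]
    direct = parse_dhcp(build_discover(mac, b"laptop-01", b"MSFT 5.0", opts55))
    relayed = parse_dhcp(build_discover(mac, b"laptop-01", b"MSFT 5.0", opts55,
                                        giaddr="10.20.30.1", hops=1))
    print(direct)
    print(relayed)
    print("same fingerprint:", fingerprint(direct) == fingerprint(relayed))
```

In practice the relayed copy is what the ON Core DHCP service on UDP/67 receives from the routers listed in the matrix, so the asset's subnet has to be read from giaddr rather than from the IP header, and the MAC from chaddr rather than from the Ethernet frame.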
9.9.2.5. Captive Portal
We use the Captive Portal to manage non-corporate devices and users. External users and their devices go through an authentication and authorization process in which security controls are applied before access to the corporate network is granted.
For those non-corporate users or devices (Guest and BYOD), a way to provide authentication and authorization mechanisms is required when the devices need to connect to a network.
As soon as the user or device is identified and is not accepted by the security policy, its requests are forwarded to the registry VLAN and from there to a captive portal using a poisoned DNS. It is important to mention that the ON Core can provide the DNS service itself.
To access the Captive Portal, the client must first be placed in a registry network. The client gets an IP address from the DHCP server, which also defines the proper DNS server.
As soon as the client tries to browse the Internet, the poisoned DNS server responds with the IP of the Captive Portal. In the Captive Portal, users can register through several workflows, validating their credentials or enrolling if they are not yet registered in the system.
Once the user is registered, they are able to browse any website.
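The "poisoned DNS" step is a walled garden: while a client sits in the registry VLAN, its resolver answers every A query with the portal's address, except for a small allow list that is forwarded to a real resolver so the portal and the infrastructure the client needs stay reachable. The following added example (not the ON Core's DNS service) implements that decision on raw RFC 1035 wire format: it parses the question, returns a redirecting answer with a short TTL, and returns None for allow-listed names or anything that is not an A/IN query. The portal address and allow list are constructed.

```python
"""Captive-portal DNS responder logic for clients in the registry VLAN.
Added example on the DNS wire format; portal address and allow list are constructed."""
import struct

PORTAL_IP = "10.200.0.10"                       # constructed captive-portal address
ALLOWED_SUFFIXES = ("portal.example.internal",   # names forwarded to a real resolver
                    "ntp.example.internal")


def build_query(qname, qid=0x1234):
    """Encode a standard recursive A query for qname (used to construct traffic)."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.strip(".").split("."))
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", 1, 1))


def parse_question(msg):
    """Return (id, flags, qname, qtype, qclass, end_offset) for a single-question
    message; rejects truncation and compression pointers inside the question."""
    if len(msg) < 12:
        raise ValueError("short header")
    qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, i = [], 12
    while True:
        if i >= len(msg):
            raise ValueError("truncated name")
        n = msg[i]
        if n == 0:
            i += 1
            break
        if n & 0xC0:
            raise ValueError("compression not allowed in question")
        if i + 1 + n > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    if i + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[i:i + 4])
    return qid, flags, ".".join(labels).lower(), qtype, qclass, i + 4


def captive_answer(msg, portal_ip=PORTAL_IP, allowed=ALLOWED_SUFFIXES, ttl=5):
    """Response that points the client at the portal, or None when the message
    is not an A/IN query, is itself a response, or names an allow-listed host."""
    qid, flags, qname, qtype, qclass, end = parse_question(msg)
    if flags & 0x8000 or qtype != 1 or qclass != 1:
        return None
    if any(qname == s or qname.endswith("." + s) for s in allowed):
        return None
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)      # QR, RD, RA, 1 answer
    answer = (b"\xc0\x0c"                                         # pointer to the question name
              + struct.pack("!HHIH", 1, 1, ttl, 4)                # A, IN, TTL, rdlength
              + bytes(int(o) for o in portal_ip.split(".")))
    return header + msg[12:end] + answer


def answered_ip(response):
    """A record carried by a single-answer response (to check the redirect)."""
    if struct.unpack("!H", response[6:8])[0] != 1:
        raise ValueError("expected one answer")
    return ".".join(str(b) for b in response[-4:])


if __name__ == "__main__":
    for name in ("www.example.com", "portal.example.internal"):
        resp = captive_answer(build_query(name))
        print(name, "->", answered_ip(resp) if resp else "forward to real resolver")
```

The short TTL matters: once the device has registered and is moved to a service VLAN, a cached portal address must expire quickly or the browser keeps landing on the portal; the allow list is what keeps the portal's own name, and services such as NTP from the matrix above, resolvable from inside the registry VLAN.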