家中等职业教育改革发展示范学校bagx.pptx

《家中等职业教育改革发展示范学校bagx.pptx》由会员分享，可在线阅读，更多相关《家中等职业教育改革发展示范学校bagx.pptx（45页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、Risk Management using Network Access Control and Endpoint Control for the EnterpriseKurtis E.Minder Mirage Networksi2-CONFIDENTIAL-AgendaDrivers of NACKey Elements of NAC SolutionsIdentifyAssessMonitorMitigateNAC Landscape3-CONFIDENTIAL-Business Needs Drive Security Adoption3 Ubiquitous Security tec

2、hnologiesAnti-virus-Business driver:File sharingFirewalls-Business driver:Interconnecting networks(i.e.Internet)VPNs-Business driver:Remote connectivityTodays top security driver-Mobile PCs and devicesBroadband access is everywhereIncreased percentage of the time devices spend on unprotected network

3、sPerimeter security is rendered less effective because mobile devices bypass it and arent protected by itMobility of IP devices is driving the need for Network Access Control solutionsLeading source of network infectionsMore unmanaged devices on the network than ever-guest and personal devices4-CONF

4、IDENTIAL-The Traditional Approach to Network Security Isnt Enough5-CONFIDENTIAL-The Problem NAC Should AddressToday,endpoint devices represent the greatest risk to network security by propagating threats or being vulnerable to them.Infected DevicesUnknown DevicesOut-of-Policy Devicespropagate threat

5、s,resulting in loss of productivity&hours of cleanuplike home PCs,contractor PCs,&WiFi phones can introduce new threats or compromise data securityare more vulnerable to malware attacks,while running services that could jeopardize security“Because of worms and other threats,you can no longer leave y

6、our networks open to unscreened devices and users.By year-end 2007,80 percent of enterprises will have implemented network access control policies and procedures.”Gartner,Protect Your Resources With a Network Access Control Process6-CONFIDENTIAL-The Cost1 mi2g Intelligence Unit,Malware Damage in 200

7、42 ICSA Labs,9th Annual Computer Virus Prevalence Survey7-CONFIDENTIAL-The Numbers Tell the Story“Protection”is in place98%use firewalls197%of companies protect machines with antivirus software 1 79%use anti-spyware 1 61%use email monitoring software 1 But its not enough!Cost of malware:$14.2B 280%o

8、f companies experienced 1 or more successful attacks,30%had more than 10 3Average net loss for malware incidents in US companies is nearly$168,000 per year1Worldwide,32%of companies experience attacks involving business partners43%of those were infections,while 27%were unauthorized access475%of ente

9、rprises will be infected with malware that evaded traditional defenses5 1 Computer Security Institute/FBIs 2006 Computer Crime and Security Survey2 Computer Economics,20063 ICSA Labs,9th Annual Computer Virus Prevalence Survey4 Cybertrust,Risky Business,September 20065 Gartner,Gartners Top Predictio

10、ns for IT Organizations and Users,2007&Beyond,December 20068-CONFIDENTIAL-The Problem is Expected to Get Worse2006 StatisticsSteep increase in the number of software security vulnerabilities discovered by researchers and actively exploited by criminals Microsoft Corp issued fixes for 97(versus 37 in

11、 2005)security holes assigned critical label14 of of the critical became zero day threats.Experts worry that businesses will be slow to switch to Vista.Pre-Vista MS Office is expected to remain in widespread use for the next 5-10 years.Source:Washington Post,Dec 2006,Cyber Crime Hits the Big Time in

12、 20069-CONFIDENTIAL-NAC Market ExpectationsNAC Appliance vendors will sell$660m worldwide in 2008NAC Appliances will gain 17%worldwide share of the NAC market by 2008,up from 6%in 2005Research reveals World Network Access Control(NAC)Products and Architectures Markets earned revenues of over$85 mill

13、ion in 2006 and estimates this to reach over$600 million in 2013Gartner estimates that the NAC market was$100M in 2006 and will grow by over 100%by YE 200710-CONFIDENTIAL-Increasing Number of Targets to ProtectOperating SystemsInternet ExplorerWindows LibrariesMicrosoft OfficeWindows ServicesWindows

14、 Configuration WeaknessesMac OSXLinux Configuration WeaknessesNetwork DevicesVoIP Phones&ServersNetwork&Other Devices Common Configuration Weaknesses*SANS Institute Top 20 Internet Security Attack Targets(2006 Annual Update),v7.0,11.15.06Cross Platform ApplicationsWeb ApplicationsDatabase SoftwareP2

15、P File Sharing ApplicationsInstant MessagingMedia PlayersDNS ServersBackup SoftwareSecurity,Enterprise,and Directory Management ServersSecurity Policy&PersonnelExcessive User Rights&Unauthorized DevicesUsers(Phishing/Spear Phishing)Sans Institute 2006 Top Attack Targets*11-CONFIDENTIAL-Pre-admission

16、(at network connect),30%Post-admission(continuous monitoring),7%Both,60%Dont know,3%What Class of NAC Solutions to Deploy?Aberdeen Research,200612-CONFIDENTIAL-%of Respondents00.20.40.60.8Meet regulatory requirementsReduce IT operations costImprove endpoint visibilityAutomate remediation of policy/c

17、onfiguration violationsReduce time required to recover from malware outbreakImprove network uptimeEnforce security policy complianceEnforce endpoint software configurationsControl network access for staff,partners and contractorsReduce incidents of malware propagation11%12%12%17%22%24%41%42%53%59%Al

18、l RespondentsTop Drivers Influencing NAC SolutionsAberdeen Research,200613-CONFIDENTIAL-Top Features Required in a NAC Solution%of Respondents00.10.20.30.4Visibility to endpoint configurationsThreat propagation detection/IDSScalability/fault toleranceReportingVisibility to endpoint threatsRedirectio

19、n of users to remediation resourcesEndpoint configuration posture check(on admission)Ease of deploymentEndpoint configuration posture check(continuous/ongoing)Network infrastructure independentEase of managementPrevent infection of your endpoints by remote control,spyware and botsIdentity-based cont

20、rolIntegration with current network infrastructureDay zero malware control6%7%11%12%14%14%16%17%19%23%24%28%30%34%37%All RespondentsAberdeen Research,200614-CONFIDENTIAL-Key Elements of NAC SolutionsCommon NAC ElementsNAC is an evolving space with evolving capabilitiesNAC solution elements-some or a

21、llIdentify-Detect&authenticate new devicesAssess-Endpoint integrity checks to determine levels of risk and adherence to security policyMonitor-Watch the devices activity for change of assessed state with respect to policy and threat statusMitigate-Take appropriate action upon any device that is iden

22、tified as a security risk by previous three elements 16-CONFIDENTIAL-Identify-Find/Authenticate New DevicesQuestion-How do you know when a new device comes on the network?Is it a known or unknown device?Is it an authenticated user?Common approachesLeverage 802.1x or network infrastructure OSAuthenti

23、cate through existing EAP infrastructure to pass credentials to authentication serverSpecial purpose DHCP serverAuthentication usually web based and tied to authentication serverAuthentication proxyNAC solution serves as a proxy between device and authentication serverInline security appliances(i.e.

24、security switches)Serve as a proxy between device and authentication serverReal time network awarenessAuthentication usually web based and tied to authentication serverAll approaches trigger off entry on the network by a new IP device17-CONFIDENTIAL-Identify-Pros&Cons of Various Approaches802.1x app

25、roachPros:Device detected and authenticated prior to IP address assignmentCons:Often is a costly and time consuming installationRequires switch upgrade/reconfigurationEndpoints must be 802.1x enabled-requires supplicant softwareMust create guest/remediation VLANsDHCP approachPros:Easier to deploy,in

26、dependent of network infrastructure,covers both managed and unmanaged devicesCons:Bypassed by static IP address assignment,remediation typically to a broadcast VLAN(cross infection risk)18-CONFIDENTIAL-Identify-Pros&Cons of Various Approaches cont.Authentication proxyPros:Good hook for checking mana

27、ged devicesCons:Unknown devices may never authenticate,but still could have network access;may not check all IP devicesIn-line security appliance/switchPros:Sees all devices both managed and unmanaged and doesnt require agent based softwareCons:If it is not inline with,or does not replace the access

28、 switch then it will not see the device as it comes on the networkOut of band appliances with network awarenessPros:Sees all devices as they enter the network both managed and unmanaged;easier to implement than many of the other approachesCons:May require switch integration for mitigation of problem

29、s19-CONFIDENTIAL-AssessAssess Endpoint IntegrityQuestion:Even if a device is allowed on my network,how do I ensure it meets my security policies and risk tolerance?Answer:Endpoint integrity checksOperating system identification and validation checksTypically requires an agent Must establish a policy

30、 relating to acceptable patch level(latest patch on company SMS server,no older than X months,most recent patch available from software vendor)What do you do for unknown devices?Usually requires an agent for these checksSecurity software checks-AV,personal firewall,spyware,etc.Is it up and runningIs

31、 it in the right configurationIs it up to date-both the software and the databaseUsually requires an agent for these checks21-CONFIDENTIAL-Assess Endpoint Integrity cont.Endpoint integrity checks cont.Endpoint configuration-find unauthorized servers and servicesWeb servers,FTP servers,mail servers,e

32、tc.Vulnerable or high risk ports,i.e.port 445 exploited by ZotobThese checks can be done from the network or with an agentThreat detectionScan the device for active infections or backdoorsNot commonly implemented on entry to the networkToo much latencyRisk profile substituted for deep scans(i.e.AV i

33、s up to date and had a current scan)Elements for endpoint integrity checksNetwork scanning server(Optional)Endpoint software-permanent or transient(Optional)Policy server(Required)-must have somewhere to define what is allowed/disallowed22-CONFIDENTIAL-MonitorMonitoring Post Network EntryThe forgott

34、en element of Network Access ControlWhy is monitoring a critical element of NAC?Cant effectively check for all threats on entry-takes too longSecurity policy state can change post entry-users initiate FTP after access is grantedInfection can occur post entry-e-mail and web threats can change securit

35、y state of the deviceWhat Gartner says in their paper“Protect Your Resources With a Network Access Control Process”“The network traffic and security state of systems that are connected to the network must be monitored for anomalous behavior or system changes that bring them out of compliance with se

36、curity policies.”Why isnt this simply another network security function?Monitoring is both for threats and policy adherence-takes advantage of policy definition of NAC solutionWorks hand in hand with NAC quarantine services 24-CONFIDENTIAL-Traditional Approach to Network Security Traditional Approac

37、h Firewall/IPS at the Perimeter AV,HIDS/HIPS on the EndpointThis approach leaves a soft underbelly through which unmanaged,out-of-policy and infected endpoints can easily gain access.External Environment New technologies New threats Regulatory requirements 25-CONFIDENTIAL-Exploiting the Networks Wea

38、knessInfected endpoints bypass the perimetergenerating rapidly propagating threats that take over a network in minutesbringing business to a halt and creating costly cleanup.26-CONFIDENTIAL-Monitoring ApproachesAgent based approachesHost Intrusion Prevention SystemsPersonal firewallsBoth require int

39、egration with a network policy server to be an element of NACDoesnt cover unknown/unmanaged/unmanageable devicesNetwork based approachesIn-line:Typically evolution of IPS vendors into NAC capabilities;also includes Network Based Anomaly Detection(NBAD)vendorsOut-of-band:Most commonly NBAD and old Di

40、stributed Denial of Service(DDoS)security vendorsKey considerationsDoes the security device watch for policy violations as well as threats?Does it see devices as they enter the network?Can they work across both voice and data networks without negatively impacting quality and performance?What is the

41、management overhead associated with both approaches?27-CONFIDENTIAL-MitigateMitigation Approaches for NACTwo elements for NAC mitigationQuarantine capabilities(required)On-entry restrict access for devices not meeting requirementsPost-entry take a device off the network and send to quarantine zone i

42、f they violate policy or propagate a threatIdeally should be able to assign to different quarantine server based on problem,i.e.registration server for guests,AV scanner for infected devices,etc.Remediation services for identified problems(optional)Additional diagnostic tools for deeper checks-Vulne

43、rability scannersAV scanners,etc.Tools for fixing identified problemsOS patch linksAV signature update and malware removal toolsRegistration pages for unknown devices29-CONFIDENTIAL-Quarantine ApproachesDHCP integrationUses DHCP process for identification and endpoint integrity checks on entry to th

44、e network.Pros:Assigns appropriate IP and VLAN according to their risk levelCons:After IP address is assigned they dont have an independent quarantine capability;Static IPs bypass their enforcementSwitch integrationUses either ACLs or 802.1xACLs-not commonly used because of negative performance impa

45、ct and access requirements in the network802.1x-forces device to re-authenticate and assigns new VLANPros:Effective both pre and post admission,uses standards based approach in 802.1xCons:Can negatively impact switch performance;Usually not granular in quarantine server assignment;If using broadcast

46、 quarantine VLAN there is a cross-infection risk30-CONFIDENTIAL-Quarantine Approaches cont.In-line blocking with web redirectPros:Improved performance over ACLs;Can granularly block suspect traffic;has the capability of sending web traffic to appropriate quarantine server based on problemCons:Doesnt

47、 see downstream traffic so can only block and redirect traffic that comes through it;May require additional integration with network for mitigation because of thisARP managementSecurity appliance selectively goes inline for a single host and becomes its default gateway by ARP manipulationPros:No net

48、work integration required for full quarantine capabilities;enables surgical,problem specific quarantine without cross-infection risk;effective both pre and post admissionCons:If implemented improperly network equipment can misidentify this as an attack and drop this traffic31-CONFIDENTIAL-Todays NAC

49、 LandscapeEvolving proprietary standardsCisco Network Admission Control(CNAC)Three critical elements-Cisco Trust Agent(CTA),updated Network Access Device(NAD),Cisco Access Control Server(ACS)Integration with endpoint agents to communicate with ACS regarding appropriate access level to the networkMic

50、rosoft Network Access Protection(NAP)Available in VistaEndpoint needs System Health Agent(SHA)SHA reports to System Health Validator(SHV)to do policy checksNetwork isolation through enforcement integrationsDHCP Quarantine Enforcement Server(QES)VPN QES802.1xTrusted Network Connect open standardTNC c