家中等職業(yè)教育改革發(fā)展示范學(xué)校.ppt_第1頁
家中等職業(yè)教育改革發(fā)展示范學(xué)校.ppt_第2頁
家中等職業(yè)教育改革發(fā)展示范學(xué)校.ppt_第3頁
家中等職業(yè)教育改革發(fā)展示范學(xué)校.ppt_第4頁
家中等職業(yè)教育改革發(fā)展示范學(xué)校.ppt_第5頁
已閱讀5頁,還剩39頁未讀 繼續(xù)免費閱讀

下載本文檔

版權(quán)說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請進行舉報或認(rèn)領(lǐng)

文檔簡介

Risk Management using Network Access Control and Endpoint Control for the Enterprise
Kurtis E. Minder, Mirage Networks

Agenda
- Drivers of NAC
- Key elements of NAC solutions: Identify, Assess, Monitor, Mitigate
- NAC landscape

Business Needs Drive Security Adoption
- Three ubiquitous security technologies, and the business need that drove each:
  - Anti-virus: file sharing
  - Firewalls: interconnecting networks (e.g. the Internet)
  - VPNs: remote connectivity
- Today's top security driver: mobile PCs and devices
  - Broadband access is everywhere
  - Devices spend an increasing share of their time on unprotected networks
  - Perimeter security is rendered less effective because mobile devices bypass it and are not protected by it
- Mobility of IP devices is driving the need for Network Access Control solutions
  - Mobile devices are the leading source of network infections
  - More unmanaged devices on the network than ever: guest and personal devices

The Traditional Approach to Network Security Isn't Enough: The Problem NAC Should Address
Today, endpoint devices represent the greatest risk to network security, by propagating threats or by being vulnerable to them. Infected devices, unknown devices and out-of-policy devices propagate threats, resulting in loss of productivity.

Identify
[The first part of this section is missing from the extracted text.]
- ... may not check all IP devices
- In-line security appliance/switch
  - Pros: sees all devices, both managed and unmanaged, and does not require agent-based software
  - Cons: if it is not in line with, or does not replace, the access switch, it will not see the device as it comes onto the network
- Out-of-band appliance with network awareness
  - Pros: sees all devices as they enter the network, both managed and unmanaged; easier to implement than many of the other approaches
  - Cons: may require switch integration to mitigate problems

Assess: Assess Endpoint Integrity
Question: even if a device is allowed on my network, how do I ensure it meets my security policies and risk tolerance?
Answer: endpoint integrity checks.
- Operating system identification and validation checks
  - Typically requires an agent
  - Must establish a policy for the acceptable patch level (latest patch on the company SMS server; no older than X months; most recent patch available from the software vendor)
  - What do you do for unknown devices? These checks usually require an agent
- Security software checks: AV, personal firewall, anti-spyware, etc.
  - Is it up and running?
  - Is it in the right configuration?
  - Is it up to date, both the software and its signature database?
  - Usually requires an agent for these checks
- Endpoint configuration: find unauthorized servers and services
  - Web servers, FTP servers, mail servers, etc.
  - Vulnerable or high-risk ports, e.g. port 445, which Zotob exploited
  - These checks can be done from the network or with an agent
- Threat detection: scan the device for active infections or backdoors
  - Not commonly implemented on entry to the network: too much latency
  - A risk profile is substituted for deep scans (e.g. AV is up to date and has run a recent scan)
- Elements for endpoint integrity checks
  - Network scanning server (optional)
  - Endpoint software, permanent or transient (optional)
  - Policy server (required): there must be somewhere to define what is allowed and disallowed

Monitor: Monitoring Post Network Entry
The forgotten element of Network Access Control.
Why is monitoring a critical element of NAC?
- You cannot effectively check for all threats on entry: it takes too long
- Security policy state can change post entry: users initiate FTP after access is granted
- Infection can occur post entry: e-mail and web threats can change the security state of the device
What Gartner says in its paper "Protect Your Resources With a Network Access Control Process": "The network traffic and security state of systems that are connected to the network must be monitored for anomalous behavior or system changes that bring them out of compliance with security policies."
Why isn't this simply another network security function?
- Monitoring covers both threats and policy adherence, and takes advantage of the NAC solution's policy definition
- It works hand in hand with NAC quarantine services

Traditional Approach to Network Security
- Firewall/IPS at the perimeter
- AV and HIDS/HIPS on the endpoint
- External environment: new technologies, new threats, regulatory requirements
Exploiting the network's weakness: infected endpoints bypass the perimeter, generating rapidly propagating threats that take over a network in minutes, bringing business to a halt and creating costly cleanup.

Monitoring Approaches
- Agent-based approaches: host intrusion prevention systems and personal firewalls
  - Both require integration with a network policy server to be an element of NAC
  - Do not cover unknown, unmanaged or unmanageable devices
- Network-based approaches
  - In-line: typically IPS vendors evolving into NAC capabilities; also includes network-based anomaly detection (NBAD) vendors
  - Out-of-band: most commonly NBAD vendors and former distributed denial-of-service (DDoS) security vendors
- Key considerations
  - Does the security device watch for policy violations as well as threats?
  - Does it see devices as they enter the network?
  - Can it work across both voice and data networks without negatively impacting quality and performance?
  - What is the management overhead of each approach?

Mitigate: Mitigation Approaches for NAC
Two elements of NAC mitigation:
- Quarantine capabilities (required)
  - On entry: restrict access for devices that do not meet requirements
  - Post entry: take a device off the network and send it to a quarantine zone if it violates policy or propagates a threat
  - Ideally, assign the device to a different quarantine server depending on the problem, e.g. a registration server for guests, an AV scanner for infected devices, etc.
- Remediation services for identified problems (optional)
  - Additional diagnostic tools for deeper checks: vulnerability scanners, AV scanners, etc.
  - Tools for fixing identified problems: OS patch links, AV signature updates and malware removal tools, registration pages for unknown devices

Quarantine Approaches
- DHCP integration: uses the DHCP process for identification and endpoint integrity checks on entry to the network
  - Pros: assigns an IP address and VLAN appropriate to the device's risk level
  - Cons: once an IP address is assigned there is no independent quarantine capability; devices with static IP addresses bypass the enforcement entirely
- Switch integration: uses either ACLs or 802.1X
  - ACLs: not commonly used because of the negative performance impact and the access requirements in the network
  - 802.1X: forces the device to re-authenticate and assigns it a new VLAN
  - Pros: effective both pre- and post-admission; 802.1X is a standards-based approach
  - Cons: can negatively impact switch performance; usually not granular in quarantine server assignment; a shared (broadcast) quarantine VLAN carries a cross-infection risk, since every quarantined host can reach every other
- In-line blocking with web redirect
  - Pros: better performance than ACLs; can block suspect traffic granularly; can send web traffic to the appropriate quarantine server based on the problem
  - Cons: does not see downstream traffic, so it can only block and redirect traffic that passes through it; because of this it may require additional integration with the network for mitigation
- ARP management: the security appliance selectively goes in line for a single host and becomes its default gateway by ARP manipulation
  - Pros: no network integration required for full quarantine capabilities; enables surgical, problem-specific quarantine without cross-infection risk; effective both pre- and post-admission
  - Cons: if implemented improperly, network equipment can misidentify this as an attack and drop the traffic (the mechanism is the same one ARP-spoofing attacks use, so switches running Dynamic ARP Inspection will drop it unless the appliance is trusted)

Today's NAC Landscape
Evolving proprietary standards:
- Cisco Network Admission Control (CNAC)
  - Three critical elements: Cisco Trust Agent (CTA), updated Network Access Device (NAD), Cisco Access Control Server (ACS)
  - Integration with endpoint agents to communicate with ACS regarding the appropriate level of access to the network
- Microsoft Network Access Protection (NAP)
  - Available in Vista
  - The endpoint needs a System Health Agent (SHA); the SHA reports to a System Health Validator (SHV), which does the policy checks
  - Network isolation through enforcement integrations: DHCP Quarantine Enforcement Server (QES), VPN QES, 802.1X
- Trusted Network Connect (TNC), an open standard
  - TNC-compliant client required on endpoints
  - Policy Decision Point (PDP) for security policy comparisons
  - Policy Enforcement Point (PEP) for quarantining

Summary
NAC is an
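The Assess section lists the on-entry checks (OS patch age, security software state and signature freshness, unauthorized listening services, active infection) and the Mitigate section says each class of problem should be routed to its own quarantine server. As an added example, not code from the slides or from Mirage Networks, the Python below implements a policy-server evaluation in that style over constructed posture reports. The report fields, the thresholds, the host names and the quarantine-server names are all assumptions.

```python
"""Endpoint integrity assessment in the style of a NAC policy server.

Added example, not code from the slides or from Mirage Networks. The
posture-report fields, policy thresholds and quarantine-server names are
assumptions chosen to illustrate the checks the slides list.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Policy server content: what is allowed/disallowed (thresholds are illustrative).
POLICY = {
    "max_patch_age_days": 60,                        # "no older than X months"
    "max_signature_age_days": 7,                     # AV signature database freshness
    "required_security_software": {"antivirus", "personal_firewall"},
    "forbidden_listening_ports": {21, 25, 80, 445},  # ftp, smtp, http, smb (445 was Zotob's vector)
}

# Problem-specific quarantine assignment: registration for guests, AV scanner for infected, ...
QUARANTINE_TARGET = {
    "unknown": "registration-server",
    "infected": "av-scanner",
    "out_of_policy": "remediation-portal",
    "allow": None,
}


@dataclass
class PostureReport:
    host: str
    managed: bool                                    # False = no agent (guest / personal device)
    os_patch_date: Optional[date] = None             # newest installed OS patch
    security_software: Dict[str, dict] = field(default_factory=dict)  # name -> {"running", "signature_date"}
    listening_ports: Set[int] = field(default_factory=set)           # from a network scan or the agent
    active_infection: bool = False                   # result of an on-box scan, when one ran


def assess(report: PostureReport, policy: dict, today: date) -> Tuple[str, List[str]]:
    """Classify a device as allow / unknown / infected / out_of_policy and list the reasons."""
    findings: List[str] = []

    # Network-side check: possible with or without an agent.
    bad_ports = sorted(report.listening_ports & policy["forbidden_listening_ports"])
    if bad_ports:
        findings.append(f"unauthorized services listening on ports {bad_ports}")

    if not report.managed:
        # No agent: OS and security-software state cannot be validated, so the
        # device goes to registration regardless of what the network scan saw.
        findings.append("no agent: identity, patch level and security software unverified")
        return "unknown", findings

    if report.active_infection:
        findings.append("active infection reported by endpoint scan")
        return "infected", findings

    # Agent-side checks: patch level and security software.
    if report.os_patch_date is None:
        findings.append("OS patch level unknown")
    elif (today - report.os_patch_date).days > policy["max_patch_age_days"]:
        findings.append(f"OS patch level older than {policy['max_patch_age_days']} days")

    for name in sorted(policy["required_security_software"]):
        state = report.security_software.get(name)
        if state is None or not state.get("running"):
            findings.append(f"{name} not running")
            continue
        sig = state.get("signature_date")
        if sig is not None and (today - sig).days > policy["max_signature_age_days"]:
            findings.append(f"{name} signatures older than {policy['max_signature_age_days']} days")

    return ("out_of_policy" if findings else "allow"), findings


def decide(report: PostureReport, policy: dict = POLICY, today: Optional[date] = None) -> dict:
    """Admission decision: the verdict plus the quarantine server the device is sent to."""
    today = today or date.today()
    verdict, findings = assess(report, policy, today)
    return {"host": report.host, "verdict": verdict,
            "quarantine": QUARANTINE_TARGET[verdict], "findings": findings}


# Constructed sample reports (hypothetical hosts, not real data).
TODAY = date(2006, 3, 1)
SAMPLE_REPORTS = [
    PostureReport("pc-compliant", managed=True, os_patch_date=date(2006, 2, 14),
                  security_software={"antivirus": {"running": True, "signature_date": date(2006, 2, 27)},
                                     "personal_firewall": {"running": True}}),
    PostureReport("pc-stale", managed=True, os_patch_date=date(2005, 11, 1),
                  security_software={"antivirus": {"running": True, "signature_date": date(2006, 1, 5)},
                                     "personal_firewall": {"running": False}},
                  listening_ports={80}),
    PostureReport("guest-laptop", managed=False, listening_ports={445}),
    PostureReport("pc-wormed", managed=True, os_patch_date=date(2006, 2, 14),
                  security_software={"antivirus": {"running": True, "signature_date": date(2006, 2, 27)},
                                     "personal_firewall": {"running": True}},
                  listening_ports={445}, active_infection=True),
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        d = decide(r, today=TODAY)
        print(f"{d['host']:14} {d['verdict']:14} -> {d['quarantine']}: {d['findings']}")
```

The ordering of the checks is the point: the port scan runs for every device because it needs no agent, an agentless device is sent to registration before any agent-dependent check is attempted, and an active infection takes precedence over mere policy drift so the device lands on the AV scanner rather than the patch portal.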
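The Monitor section argues that on-entry checks are not enough: policy state changes after admission (a user starting FTP) and infections spread post-entry, so traffic has to be watched for both policy violations and threat behaviour, and offenders handed to the quarantine services. The following added example, again not from the slides or from Mirage Networks, applies both kinds of check to constructed flow records in the style of an out-of-band anomaly-detection monitor. The flow record format, the thresholds, the addresses and the quarantine-target names are assumptions.

```python
"""Post-admission monitoring of flow records for policy violations and
worm-like propagation. Added example, not code from the slides or from
Mirage Networks; the flow format, thresholds and quarantine names are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since the source host was admitted
    src: str
    dst: str
    dport: int


# Post-entry policy (assumed values).
POST_ENTRY_POLICY = {
    "forbidden_client_ports": {21},    # e.g. users initiating FTP after access is granted
    "propagation_port": 445,           # SMB, the port Zotob spread over
    "window_seconds": 10.0,
    "distinct_targets_threshold": 20,  # distinct hosts hit on that port within the window
}

QUARANTINE_FOR = {
    "policy_violation": "remediation-portal",
    "propagation": "av-scanner",
}


def monitor(flows: List[Flow], policy: dict = POST_ENTRY_POLICY) -> Dict[str, List[Tuple[str, str, float]]]:
    """Return src -> [(reason, quarantine_target, ts)] for hosts to pull off the network.

    Flows are processed in time order; each host is flagged at most once per
    reason, at the time of the first offending flow.
    """
    alerts: Dict[str, List[Tuple[str, str, float]]] = defaultdict(list)
    flagged: Set[Tuple[str, str]] = set()
    # Sliding window per source of (ts, dst) pairs on the propagation port.
    windows: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)

    def flag(src: str, reason: str, ts: float) -> None:
        if (src, reason) not in flagged:
            flagged.add((src, reason))
            alerts[src].append((reason, QUARANTINE_FOR[reason], ts))

    for f in sorted(flows, key=lambda x: x.ts):
        # 1. Policy adherence: a service the policy forbids, used after admission.
        if f.dport in policy["forbidden_client_ports"]:
            flag(f.src, "policy_violation", f.ts)

        # 2. Threat behaviour: many distinct targets on one port in a short window.
        if f.dport == policy["propagation_port"]:
            w = windows[f.src]
            w.append((f.ts, f.dst))
            while w and f.ts - w[0][0] > policy["window_seconds"]:
                w.popleft()
            if len({dst for _, dst in w}) >= policy["distinct_targets_threshold"]:
                flag(f.src, "propagation", f.ts)

    return dict(alerts)


def sample_flows() -> List[Flow]:
    """Constructed flow records for four admitted hosts (not captured traffic)."""
    flows: List[Flow] = []
    # 10.0.0.11: ordinary web traffic after admission.
    flows += [Flow(5.0 + i, "10.0.0.11", "203.0.113.10", 443) for i in range(5)]
    # 10.0.0.12: compliant on entry, then opens an FTP session two minutes in.
    flows += [Flow(120.0, "10.0.0.12", "10.0.0.50", 21)]
    # 10.0.0.13: file-server use, five SMB targets spread over a minute (benign).
    flows += [Flow(200.0 + 12 * i, "10.0.0.13", f"10.0.0.{60 + i}", 445) for i in range(5)]
    # 10.0.0.14: worm-like sweep, 25 distinct hosts on 445 inside five seconds.
    flows += [Flow(300.0 + 0.2 * i, "10.0.0.14", f"10.0.1.{i}", 445) for i in range(25)]
    return flows


if __name__ == "__main__":
    for host, events in monitor(sample_flows()).items():
        for reason, target, ts in events:
            print(f"t={ts:6.1f}s {host}: {reason} -> quarantine via {target}")
```

The propagation rule is deliberately rate-based rather than signature-based: the legitimate file-server user touches the same port but never enough distinct targets inside the window, while the sweeping host trips the threshold on its twentieth target and is quarantined mid-sweep rather than after a full scan of the device. Threshold and window would be tuned per network; the assumed values only illustrate the shape of the rule.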
