Securing the Intelligent Information Network
Mark Swantek, Consulting Systems Engineer, National Programs
Agenda • Introduction • Network Admission Control • Network Compliance Management • Q&A
Integrate Advanced Security Services Where Needed
• Security point products, deployed where needed: IPsec & SSL VPN, IPS, Firewall, Network Anti-Virus, Access Control
• Secure network infrastructure, with security services integrated into the network: Endpoint Posture Control, Dynamic DDoS Mitigation, Application-Layer Inspection
• Advanced technologies & services: Automated Threat Response, Virtualized Security Services, Behavioral-based Protection
• Design goals: integrated, collaborative, adaptive; leverage the existing investment in the IP network
Intelligent Security Services Network Admission Control
NAC Overview NAC At-A-Glance • An initiative that leverages the network infrastructure to enforce security policy compliance on endpoint devices, thereby limiting their ability to spread infection such as viruses, worms, and spyware. • Ensuring policy compliance for all endpoint devices seeking network access is critical to information security. • Part of a Self-Defending Network, designed to dramatically improve the network’s ability to identify, prevent, and adapt to threats.
The Problem NAC Addresses Threat vectors have changed: • Trusted users can be the weakest link in your network’s security • While most users are authenticated, their computers (laptops, PCs, PDAs, etc.) are not checked for security policy compliance • Non-compliant servers and desktops are common and difficult to detect and contain This can be complicated by: • User types: employees, contractors, mission partners • Device types: laptops, PDAs, desktops managed, unmanaged • Access types: remote/VPN, wireless LAN, branch offices
NAC Helps Secure Network Ingress Points
• Extranets: improve communications and access with mission partners and factories using IPsec or SSL
• Field offices: extend the network to field offices in a reliable and secure manner
• Campus: enhance security by ensuring privacy of critical information across the data center and the entire campus
• Physical security: secure physical assets using IP-based access control and surveillance technologies
• IP communication (voice): secure all types of traffic, including data, voice and video
• Deployed user: provide anywhere, anytime access with IPsec and SSL VPN technologies
• Wireless: maintain security with new access technologies that extend connectivity
• Management: centralized control of all security aspects with one solution to configure, audit and troubleshoot
Why Use the Network for Admission Control?
• Every bit of data you are concerned about touches the network
• Every device you are concerned about is attached to the network
• The broadest possible security solution, covering the largest number of networked devices, can be deployed
• Device posture decisions are made and enforced by the network, not by the endpoint device itself
• Because the network is the control point, a device cannot simply declare itself "compliant" or bypass the check; enforcement does not depend on software the endpoint controls
• Provides a consistent security policy to all parts of the network with the smallest footprint possible
A New Solution Is Needed
Identity alone fails (AAA, guest access, employee accounts):
• Identifies the user, but not the device
• Network-level access is typically controlled at the network perimeter, but not on the internal network
Endpoint security alone fails (anti-virus, anti-spyware, personal firewalls, HIPS):
• Most assets have AV, but infections persist
• Host-based applications are easily manipulated (even unintentionally)
• Lag time between a new virus and the anti-virus patch upgrade cycle
• Non-controlled assets often do not meet security requirements
Network security alone fails (VPNs, IDS/IPS, perimeter firewalls):
• Firewalls cannot block legitimate ports
• VPNs cannot block legitimate users
• Detection often occurs after the fact
• Difficult to implement access control if users are already on the internal network
A Complementary Solution
Network Admission Control (NAC) is a solution that uses the network infrastructure to ensure all devices seeking network access comply with an organization's security policy. It combines identity, device security and network security rather than relying on any one of them.
NAC High-Level User Flow Overview: "The Network is the Control Point"
Components: endpoint, authentication server, NAC policy server, intranet/network, quarantine role.
1. The end user connects and authenticates to the network. Network access is blocked until the wired or wireless end user provides login information.
2. The authentication is passed to the NAC policy server. NAC validates the username and password against the authentication server, and also performs device and network scans to assess vulnerabilities on the device.
3a. The device is noncompliant or the login is incorrect: the user is denied access and assigned to a quarantine role with access only to online remediation resources.
3b. The device is "clean": the machine is granted access to the network in the appropriate role based on who/what/where criteria.
NAC Means Better Criteria for Security
• What system is it? Windows, Mac or Linux; laptop, desktop or PDA; printer or other agency asset
• Who owns it? Agency employee, contractor, guest, unknown
• Where is it coming from? LAN, VPN, WLAN, WAN
• What's on it, and is it running? Anti-virus, anti-spyware, personal firewall, patching tools
• What's the preferred way to check/fix it? Pre-configured checks, customized checks, self-remediation or auto-remediation, third-party software
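The flow and the who/what/where criteria above, as an added Python example that is not part of this presentation or of any Cisco product: a minimal policy engine that authenticates the user, runs a set of pre-configured posture checks, and places the endpoint in a role. The user store, the check thresholds, the access types and the role names are assumptions for illustration. Note the trust caveat an earlier slide already makes: posture an endpoint agent reports is self-attested and host-based software is easily manipulated, so a production NAC combines agent results with network-side scanning rather than trusting the agent alone.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed user store: username -> (password, group). A real NAC policy
# server would defer this lookup to the authentication server (RADIUS/LDAP).
USERS: Dict[str, Tuple[str, str]] = {
    "alice": ("correct-horse", "employee"),
    "bob": ("battery-staple", "contractor"),
}


@dataclass
class Posture:
    """What the endpoint reports or a scan finds ("what's on it / is it running")."""
    os_name: str                     # "windows", "mac", "linux"
    av_running: bool
    av_signature_age_days: int
    firewall_on: bool
    missing_critical_patches: int


@dataclass
class Decision:
    role: str                        # e.g. "employee", "contractor-vpn", "quarantine"
    reasons: List[str] = field(default_factory=list)


# Pre-configured checks: each returns a failure reason, or None when it passes.
Check = Callable[[Posture], Optional[str]]


def av_check(p: Posture) -> Optional[str]:
    if not p.av_running:
        return "anti-virus not running"
    if p.av_signature_age_days > 7:          # assumed threshold for illustration
        return f"anti-virus signatures {p.av_signature_age_days} days old"
    return None


def firewall_check(p: Posture) -> Optional[str]:
    return None if p.firewall_on else "personal firewall disabled"


def patch_check(p: Posture) -> Optional[str]:
    if p.missing_critical_patches:
        return f"{p.missing_critical_patches} critical patch(es) missing"
    return None


CHECKS: List[Check] = [av_check, firewall_check, patch_check]


def authenticate(username: str, password: str) -> Optional[str]:
    """Steps 1-2: return the user's group, or None if the login is incorrect."""
    record = USERS.get(username)
    # Constant-time comparison; the same None result for unknown user and bad
    # password, so the caller cannot distinguish the two.
    if record is None or not hmac.compare_digest(record[0], password):
        return None
    return record[1]


def admit(username: str, password: str, access: str, posture: Posture) -> Decision:
    """Steps 2-3: authenticate, assess posture, then assign a role using
    who (group), what (posture) and where (access: "lan", "wlan" or "vpn")."""
    group = authenticate(username, password)
    if group is None:
        return Decision("quarantine", ["authentication failed"])          # 3a
    failures = [reason for reason in (check(posture) for check in CHECKS) if reason]
    if failures:
        return Decision("quarantine", failures)                             # 3a
    if group == "contractor" and access == "vpn":                           # "where" criterion
        return Decision("contractor-vpn")
    return Decision(group)                                                  # 3b


if __name__ == "__main__":
    print(admit("alice", "correct-horse", "lan", Posture("windows", True, 1, True, 0)))
    print(admit("alice", "correct-horse", "lan", Posture("windows", False, 1, True, 2)))
```

Every check failure is collected rather than stopping at the first one, so the quarantine role can hand the user the complete remediation list in one pass instead of bouncing them back after each fix.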
Four Key Capabilities of NAC
A robust NAC solution must have all four capabilities.
Capability / What it means / Why it is important
• Securely identify device & user / Uniquely identifies users and devices, and creates associations between the two / Associating users with devices enables granular enforcement in policies by role or group
• Enforce consistent policy / Assesses and enforces a policy across the entire network via scanning & evaluation / Enforcement at the network level provides a solid foundation for holistic security
• Quarantine and remediate / Acts on posture assessment results, isolates the device, and brings it into compliance / Quarantine is critical to halt damage due to non-compliance; remediation addresses the root-cause problem
• Configure and manage / Easily creates comprehensive, granular policies that map quickly to user groups and roles / Policies that are easy to create and maintain lead to better system operations and adherence
NAC Summary
Dramatically improves security
• Ensures both managed and unmanaged assets conform to a consistent security policy
• Proactively protects against worms, viruses, spyware, and malware
• Focuses operations on prevention, not reaction
Ensures policy compliance
• Security policy compliance enforcement at the network level
• Addresses the issue of unauthorized access
• Assists in achieving organizational compliance
Extends existing investments
• Enhances the investment in network infrastructure and vendor software
Increases enterprise resilience
• Comprehensive admission control across all access methods (LAN, WAN, VPN, wireless, etc.)
• Prevents noncompliant and rogue endpoints from impacting network availability
• Reduces the time needed to identify and repair non-compliant, rogue, and infected systems
Intelligent Security Services Network Compliance Management “Accelerating Operational Success”
Our community faces multi-faceted network deployment and operations challenges
• Compliance: intense pressure to meet a variety of compliance mandates (regulatory standards, agency policies, technology rules)
• Growth: increased demand for new services & applications (network expansion, VoIP, data center and critical mission applications)
• Complexity: feature-rich network infrastructure (intelligent information network, QoS, HA, service-oriented network applications, web services)
• Expertise: shortage of specialized skills (productivity increase requirements, scarce network expertise in the NOC)
From manual, ad-hoc network configuration...
Stakeholders: IT staff, network tools manager, network architect, network manager, security engineers, network engineers, NOC operators, auditor, manager, director
• Data manually collected & reported: costly, tedious and incomplete
• Configuration, scripts and OS images stored on various IT workstations: lack of security & standardization
• Clients connect directly to network devices: lack of control over the network
• Devices configured manually one by one: costly & error-prone manual changes
...to fully automated network configuration and change management
• Prevent errors & enforce process through a centralized point of control
• Track all activity down to the individual operator keystroke
• Automate complex network management tasks through a multi-threaded, event-driven automation engine
• Control and standardize across the infrastructure from a central, secure location (the network management tools)
Compliance and Mission Continuity • Network security management is essential, providing policy enforcement and provisioning capabilities • It is not a “nice-to-have” but has become a “must-have”. • Report violations and provide a detailed plan towards compliance • Makes maintaining continuous compliance possible • Improves the availability of services by controlling change to the underlying infrastructure • Security is higher because access to the network and change is controlled, tracked and audited
Objectives of Network Compliance Management
• Track: comprehensive configuration management (configuration changes, software updates, topology mapping, compliance reporting)
• Control: establish & enforce best practices (eliminate cowboy changes, adopt an operational methodology, complete audit trail at the keystroke level)
• Automate: automate network management, with coverage for every device type & vendor
• Prevent: prevent problems before they occur (security breaches, compliance violations, downtime)
Implications of managing networks manually
• Higher outage rates: 80% of outages & security incidents are due to manual mis-configurations
• Lower network availability: 80% of the network budget is allocated reactively to avoid network downtime
• Labor-intensive change management: 45% of network engineers' time is spent on manual network changes
• Complex, costly compliance management: 5x more costly to meet compliance requirements when done manually
Source: 2005 EMA Survey and customer feedback
A Solution: Network Compliance Manager • A highly scalable offering for centralized network compliance management • Best-in-breed Network Configuration and Change Management (NCCM) • real-time change detection • pre-deployment validation • policy enforcement • Sophisticated Audit and Compliance Analysis • set policy to track compliance • automated generation of compliance reports • Advanced Workflows • model complex projects • define custom approval policies • Extensive Reporting • network status • compliance
NCM streamlines deployment and operations of large, complex network infrastructure • Greatly reduces network deployment and ongoing management costs • Allows strict enforcement of NOC processes & best practice standards • Government standard policies - FISMA • Mission/IT policies - DCID • networking/technology policies, e.g., ACL, VLANs • Provides unmatched visibility and operational insight into configuration change activity • Controls network security • security best practices • threat patching • vulnerability management
Security Management • Maintain comprehensive config change history archive for security audits • Monitor and enforce compliance with security standards • Create security compliance policies (regex pattern match on firewall configs) and check if firewall configs are in compliance with applied security policies • Provide role-based access control and lockdown to devices and their configurations • Provision configuration changes on firewall devices • Maintain an up to the keystroke level audit trail of changes made on firewall devices • Maintain a history of changes made to ACLs • Easily deploy ACL changes
Another Tool in the Solution: Configuration Assurance Solution (CAS)
Automated network and security compliance audit and analysis
• Uniquely features a full topological view of the production security, network and routing infrastructure, including Cisco PIX, FWSM, ASA, and ISR devices; supports config file and binary import
• Network and security auditing: pinpoint violations and vulnerabilities
• Validate configurations, protocols and connectivity against 500+ network and security rules
• Assess security compliance and network resiliency under normal, threat, and failure conditions
• Analyze access requirements and restrictions; simulate unauthorized flows; pinpoint misconfigured nodes that block valid connectivity, including routing and switching protocols; identify IP addressing problems; validate route maps and ACLs
• Report and trend compliance against internal IT policies, regulatory mandates, and industry best practices such as NSA, NIST 800-53, PCI, and others
• Compare the results of successive network audits to identify recurring network problems
Security Compliance Audit: Daily or Change-Triggered
• Conduct audits with the same frequency as changes are made
• Watch for configuration changes that are inconsistent with security policies, to ensure regulatory compliance and network-wide security & resiliency
Rule packs in CAS: FISMA, NSA, NIST 800-53, Cisco SAFE, Security Vulnerability, Network Resiliency, Configuration Trends, Routing Analytics, Network Design, and more
1. Automated data import into CAS from the network & security devices: the network is modeled to represent the production infrastructure
2. Automated configuration audit: analyze and validate network-level consistency by executing rules that audit the network as a system, checking security vulnerabilities, IP addressing, route maps and attributes (e.g. QoS), regulatory compliance, and a wide variety of switching and routing protocols; notifications of critical results are sent to the administrator
3. Automated reporting: compliance reports, remediation trending, network analysis reports
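The Security Management slide describes compliance policies as regex pattern matches over firewall configs, the NCM slide lists real-time change detection and pre-deployment validation, and the slide above describes a change-triggered audit. The following added Python example, which is not code from this presentation or from NCM/CAS, shows the mechanics of all three on a constructed Cisco-style config: a small regex rule set that a config must (or must not) match, a diff against the archived snapshot for change detection, and an audit routine that runs whenever a change is seen. The rule IDs, the rule set and both config snapshots are assumptions. A line-pattern rule can only see what is literally in the text; it cannot tell whether an ACL is reachable from the outside or whether two devices' configs contradict each other, which is the gap the topology-aware analysis of CAS is meant to fill.

```python
import difflib
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    pattern: str        # regex evaluated against the whole config with MULTILINE
    must_match: bool    # True: the config must contain a match; False: it must not


# Constructed rule set for IOS/ASA-style configs; the IDs are assumptions.
RULES: List[Rule] = [
    Rule("SEC-001", "passwords stored encrypted", r"^service password-encryption$", True),
    Rule("SEC-002", "no telnet on vty lines", r"^\s*transport input\b.*\btelnet\b", False),
    Rule("SEC-003", "SSH version 2 enforced", r"^ip ssh version 2$", True),
    Rule("SEC-004", "no permit-ip-any-any ACL entries",
         r"^\s*access-list \S+ (extended )?permit ip any any\b", False),
    Rule("SEC-005", "HTTP management server disabled", r"^no ip http server$", True),
]


def evaluate(config: str, rules: List[Rule] = RULES) -> List[Tuple[str, str]]:
    """Return (rule_id, description) for every rule the config violates.
    Run this on a candidate config before pushing it (pre-deployment validation)
    or on the running config after a change is detected."""
    violations = []
    for rule in rules:
        matched = re.search(rule.pattern, config, re.MULTILINE) is not None
        if matched != rule.must_match:
            violations.append((rule.rule_id, rule.description))
    return violations


def config_diff(archived: str, running: str) -> List[str]:
    """Change detection: the lines added (+) or removed (-) since the archived snapshot."""
    diff = difflib.unified_diff(archived.splitlines(), running.splitlines(),
                                fromfile="archived", tofile="running", n=0, lineterm="")
    return [line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


def change_triggered_audit(archived: str, running: str) -> Dict[str, list]:
    """Audit at the same frequency as changes: report what changed and what
    the running config now violates."""
    return {"changes": config_diff(archived, running), "violations": evaluate(running)}


# Constructed archived (baseline) config that satisfies every rule.
BASELINE = """\
hostname fw-edge
service password-encryption
no ip http server
ip ssh version 2
access-list OUTSIDE-IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE-IN extended deny ip any any
line vty 0 4
 transport input ssh
"""

# Constructed running config after an out-of-band change that opened the ACL
# and re-enabled telnet on the vty lines.
CHANGED = (BASELINE
           .replace("access-list OUTSIDE-IN extended deny ip any any",
                    "access-list OUTSIDE-IN extended permit ip any any")
           .replace(" transport input ssh", " transport input telnet ssh"))


if __name__ == "__main__":
    report = change_triggered_audit(BASELINE, CHANGED)
    for line in report["changes"]:
        print(line)
    for rule_id, description in report["violations"]:
        print(f"VIOLATION {rule_id}: {description}")
```

Anchoring every pattern with `^` and `$` (or `\b`) matters: without them `no ip http server` would satisfy a naive `ip http server` rule, and `permit ip any any` would also match an `access-list` remark line that merely mentions it.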
Summary
• Cisco PACE delivers a safer change management environment:
• Baselines network topology and configuration
• Identifies network security and configuration issues
• Recommends actions for resolution
• Reinforces network security, complementing Cisco's security management suite
• Enables users to accelerate deployment, maintain resiliency, and reduce risk
Q and A • Mark Swantek • mswantek@cisco.com • 720-875-1250