Alcatel NIBU Security
Agenda
• Security Trends – Security Best Practice
• Alcatel Trusted Network
The perimeter is fading: the network is the perimeter
• Worms / viruses, blended threats
• Infected laptops
• Security beyond the traditional perimeter
• Internal threats
• Day-zero attacks
• Personal e-mail accounts
• WLAN connectivity
Defense is needed at the perimeter, but also:
• within the core network
• in front of servers
• in front of users (PCs)
• in hosts

Security trends and implications
• Attacks are increasing rapidly
• Security has become the highest concern of our enterprise customers
• The battle front is "everywhere"
• The traditional perimeter of defense has blurred (WLAN, notebook use at home, personal applications)
• A point product at a localized perimeter location is not enough anymore
• The network infrastructure must be part of the defense system
• The network must offer state-of-the-art network-level protection
• Attacks occur not only at the network level but also at the application level
• Network-level defense alone is not enough: application-level defense must be provided as well, as part of a broader solution
• Even then, the cooperation of the network is still required
Agenda
• Security Trends
• Alcatel Trusted Network
The Challenge of Network Based Security: ESD Data Directions
Managed Network Security
• Users / switch port management
• Policy-based management to scale and support secure mobility
Enabled Network Security
• Network access control: host integrity check
• Application access control
• Application-level attack detection and containment
• Network + best-of-breed partner appliances
Embedded Network Security
• Secure systems, secure architectures
• Network access control: partitioning / authentication
• Network-level attack detection and containment
• Network only
Embedded Network Security
Security OF the switch
• Security by default: no backdoor, no ports defaulted "on"
• DoS defense: survive, alert, contain, communicate
• Guaranteed bandwidth and CPU cycles for management / control traffic
Security TO the switch
• Role-based management: partitioned management
• Secure management traffic: SSH, SSL, SNMPv3
• Intrusion management
Security THROUGH the switch
• Differentiated QoS
• Secure network access: dynamic user partitioning with mobile / authenticated user groups
• L3/L4 traffic filtering
From Embedded to Enabled Network Security
Dynamic user partitioning
• Mobile user group: unmatched flexibility and manageability
• Authenticated user group: maximum security
• Mobile + Authenticated user group: ideal to secure IP telephony and WLAN
From Network Embedded to Network Enabled
Pro-active solutions
• Check the software on hosts before granting access
• Isolate non-conforming users in quarantine VLANs
• Provide a means for users to update and get out of quarantine
Containment solutions
• Receive alerts from switches or specialized IDS appliances
• Isolate users in quarantine VLANs
Pro-active solutions: Host Integrity Check
The need
• Prevent the introduction and propagation of viruses / worms
• Most attacks can be prevented if systems are up to date (OS patches, AV signatures, ...)
• Automatic enforcement of host security parameters
IT objective
• Reduce OPEX
• Automate the host integrity check against security policies
• Guarantee that non-compliant hosts have no access to sensitive resources
• Automate host configuration updates
The solution
• The combination of 802.1x authentication, a host integrity agent and a host integrity server prevents non-compliant hosts from accessing sensitive resources
• Dynamic VLAN assignment lets a host move from the quarantine VLAN to the "working" VLAN once its configuration has been updated
• AV / firewall agnostic; works with leading vendors: Network Associates, Symantec, Trend Micro, ...
• Policy-based VLAN management allows efficient deployment of 802.1x authentication
Alcatel Trusted Network: Pro-active solution, Host Integrity Check and Network Authentication
Components: end stations running an 802.1x client with the integrity agent, workgroup switches (authenticators), data center switch in front of the critical resources, client integrity server (proxy authentication server), RADIUS server, management server.
Sequence of events
1. The user authenticates using 802.1x (the authenticator is the workgroup switch)
   • The authentication message includes the user name and password
   • The authentication message includes the host integrity status (OK or not OK)
2. The authentication request reaches the proxy authentication server
   • It checks the integrity status (in this sequence the check is OK)
   • It forwards the authentication information to RADIUS
3. RADIUS authenticates the user and sends the VLAN information
4. The authorization is sent to the switch and the user is placed in the VLAN
If the host integrity status is not OK, the user is placed in the quarantine / remediation VLAN instead.
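The exchange in steps 3 and 4 above, written out as an added example that is not part of the original slides or of any Alcatel product code: a RADIUS Access-Accept carries the VLAN assignment in the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes (RFC 2868 encoding, RFC 3580 usage for 802.1X), the authenticator extracts it, and the proxy step picks the working or the quarantine VLAN depending on the integrity status. The VLAN numbers, the `proxy_decision` helper and the treatment of an unknown integrity status are assumptions for illustration; a real packet also carries the RADIUS header, EAP-Message and Message-Authenticator attributes, which are left out here.

```python
"""Added example: RADIUS VLAN assignment after 802.1X + host integrity check."""
import struct

# Attribute types from RFC 2868 and the values RFC 3580 uses for 802.1X VLAN assignment
TUNNEL_TYPE = 64                 # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65          # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81     # string: VLAN ID or VLAN name
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


def encode_vlan_attrs(vlan, tag=1):
    """Encode the three attributes that place a supplicant in `vlan`.
    Layout is Type(1) Length(1) Tag(1) Value; Length counts every byte."""
    attrs = b""
    # integer tunnel attributes: one tag byte followed by a 3-byte value
    for attr_type, value in ((TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
                             (TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802)):
        attrs += struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")
    group = str(vlan).encode("ascii")
    attrs += struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag) + group
    return attrs


def decode_attrs(data):
    """Parse a RADIUS attribute list into (type, tag, value) tuples."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        body = data[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, value = body[0], int.from_bytes(body[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first byte above 0x1F is not a tag but part of the string
            if body and body[0] <= 0x1F:
                tag, value = body[0], body[1:].decode("ascii")
            else:
                tag, value = 0, body.decode("ascii")
        else:
            tag, value = None, body
        out.append((attr_type, tag, value))
        i += length
    return out


def vlan_from_accept(attrs):
    """Authenticator side: honour Tunnel-Private-Group-ID only when a Tunnel-Type of
    VLAN and a Tunnel-Medium-Type of IEEE-802 carry the same tag. Returns an int for
    a numeric VLAN ID, the name string for a named VLAN, or None if nothing qualifies."""
    by_tag = {}
    for attr_type, tag, value in decode_attrs(attrs):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            by_tag.setdefault(tag, {})[attr_type] = value
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            gid = group[TUNNEL_PRIVATE_GROUP_ID]
            return int(gid) if gid.isdigit() else gid
    return None


def proxy_decision(credentials_ok, integrity_ok, working_vlan, quarantine_vlan):
    """Proxy / integrity server step (assumed helper): reject bad credentials, otherwise
    build the Access-Accept for the working VLAN or, if the host is not compliant or
    reported no status at all, for the quarantine VLAN."""
    if not credentials_ok:
        return "Access-Reject", b""
    vlan = working_vlan if integrity_ok is True else quarantine_vlan
    return "Access-Accept", encode_vlan_attrs(vlan)


if __name__ == "__main__":
    code, attrs = proxy_decision(True, False, working_vlan=100, quarantine_vlan=999)
    print(code, attrs.hex(), "->", vlan_from_accept(attrs))
```

The integrity status in step 1 is asserted by the agent on the host; the proxy can only trust it as far as the agent's report is authenticated, which is why `proxy_decision` treats anything other than an explicit OK as a reason for the quarantine VLAN. `vlan_from_accept` deliberately ignores a group ID whose tag is not paired with matching Tunnel-Type and Tunnel-Medium-Type attributes, which is the check RFC 3580 expects of the switch.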
Containment solutions: the pain today
1. A user with a computer virus or worm attaches to the network
2. The virus spreads rapidly
3. IT staff try to identify the signature and locate the user manually with the available tools
4. The user is denied network access, doesn't understand why, moves to another port and calls the helpdesk
5. The virus continues to spread
6. IT staff manually load patches on the infected computers and try to contain the virus
[Diagram: campus network with wiring closet, network operations, data center, disaster recovery site, branch offices, and a remote user connected over the Internet, WAN and PSTN / PBX]
Alcatel Trusted Network: Containment solutions, Intrusion Prevention through Network Response
Components: end stations on workgroup switches, data center switch in front of the critical resources, IDP appliance, OmniVista Network Management System (SNMP based).
Sequence of events
1. An infected station attacks a server (e.g. a port scan)
2. The IDP identifies the attack and the source of the attack
3. The IDP notifies OmniVista of the type of attack and the source of the attack
4. A trap appears in the Quarantine Engine ("!!! Attack detected !!!") and the network administrator is offered pre-determined responses:
   • Shut down the faulty user port
   • Create an ACL (on port / VLAN / switch / network)
   • Move the faulty MAC to the quarantine VLAN
5. The response is activated in the network
Alcatel Trusted Network: Focus on the Automated Quarantine Engine (AQE)
AQE Phase I (part of professional services)
• The administrator defines the routers and switches
• Upon intrusion the IP / MAC address is entered (the MAC address is resolved from the IP address)
• The MAC address is placed in the penalty VLAN (using Group Mobility at the edge switches)
AQE Phase II
• OmniVista filters / analyses traps before activating AQE
• Faulty IP / MAC addresses are automatically listed in the candidate list
• The MAC address is resolved from the IP address
• The MAC address is placed in the penalty VLAN by AQE
AQE Phase III
• Integration within OmniVista
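The alert-to-action path of the two slides above (the IDP / OmniVista response sequence and the AQE phases), as an added example that is not OmniVista or AQE code: trap filtering before the engine acts, resolution of the MAC address from the source IP through a snapshot of the ARP table, a candidate list that stops a host being processed twice, and the three response types the slide offers. The alert fields, severity scale, attack names, ARP snapshot and the `protected` exemption list are assumptions, and all sample data is constructed.

```python
"""Added example: decision path of an automated quarantine engine."""
from dataclasses import dataclass, field


@dataclass
class Alert:
    """Constructed shape of a trap forwarded by the IDP (assumed fields)."""
    source_ip: str
    attack: str
    severity: int          # assumed scale: 1 (informational) .. 5 (critical)


@dataclass
class Action:
    kind: str              # "quarantine_mac" | "acl" | "shutdown_port" | "ignore"
    target: str
    reason: str


@dataclass
class QuarantineEngine:
    arp_table: dict                        # ip -> (mac, switch, port); constructed snapshot
    penalty_vlan: int
    protected: set = field(default_factory=set)        # IPs never to quarantine (servers, IDS, NMS)
    min_severity: int = 3
    actionable: set = field(default_factory=lambda: {"port_scan", "worm_propagation", "dos"})
    candidates: dict = field(default_factory=dict)     # mac -> Alert that caused the quarantine

    def filter(self, alert):
        """Phase II: traps are filtered before AQE is activated."""
        if alert.severity < self.min_severity or alert.attack not in self.actionable:
            return "ignore"
        if alert.source_ip in self.protected:
            return "protected"
        return "act"

    def resolve_mac(self, ip):
        """Phase I/II: the MAC address is resolved from the IP address."""
        return self.arp_table.get(ip)

    def handle(self, alert):
        verdict = self.filter(alert)
        if verdict != "act":
            return Action("ignore", alert.source_ip, verdict)
        entry = self.resolve_mac(alert.source_ip)
        if entry is None:
            # No MAC known for this IP (stale table or spoofed source): an ACL on the
            # address is the only response that does not risk hitting the wrong host.
            return Action("acl", f"deny ip host {alert.source_ip} any", "no MAC for source IP")
        mac, switch, port = entry
        if mac in self.candidates:
            return Action("ignore", mac, "already quarantined")
        self.candidates[mac] = alert
        return Action("quarantine_mac",
                      f"{switch} port {port} mac {mac} -> vlan {self.penalty_vlan}",
                      alert.attack)

    def release(self, mac):
        """Remediated host leaves the candidate list and can rejoin the working VLAN."""
        return self.candidates.pop(mac, None) is not None


# Constructed sample data for a stand-alone run
SAMPLE_ARP = {
    "10.1.1.20": ("00:11:22:33:44:55", "edge-sw1", "1/12"),
    "10.1.1.21": ("00:11:22:33:44:66", "edge-sw1", "1/13"),
    "10.1.1.1": ("00:aa:bb:cc:dd:01", "dc-sw1", "1/1"),
}

if __name__ == "__main__":
    engine = QuarantineEngine(SAMPLE_ARP, penalty_vlan=999, protected={"10.1.1.1"})
    for alert in (Alert("10.1.1.20", "port_scan", 4), Alert("10.1.1.1", "dos", 5),
                  Alert("10.1.1.77", "dos", 5), Alert("10.1.1.20", "port_scan", 4)):
        print(engine.handle(alert))
```

Two points a practitioner settles before enabling automatic response: the source IP in an alert can itself be spoofed, so an attacker who forges the address of a server or of the IDS can turn the engine into a denial-of-service tool against that host, which is why the engine refuses to act on addresses in `protected` and falls back to an ACL when the IP has no known MAC; and the candidate list needs an exit path (`release` here) so that a host that has been remediated can leave the penalty VLAN.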
Port Profile Management: Client Port
The need
• The security battle front has shifted from the LAN/WAN border to the edge network ports
• Strict security needs to be enforced at the edge of the network against rogue users, rogue network devices, network address spoofing, ...
IT objective
• Reduce OPEX
• Automate the configuration of edge port security parameters
• Allow for mobility of users at the edge of the network: minimize configuration changes when users move
The solution
• Concept of a port profile: security parameters applied to a group of ports
• Client port security profile: BPDU guard, IP spoofing protection, 802.1x and Group Mobility VLAN supported on the same port
• Secure support of 802.1x devices
• Secure support of "silent" devices (IP phones, UNIX stations, ...)
• Support for mobility
Client Port: BPDU protection and IP spoofing protection
Components: end stations on edge switches whose client ports carry the port security profile, data center switch in front of the critical resources.
BPDU blocking
1. A user plugs in with Microsoft Network Bridge enabled, and BPDUs flow into the switch port
2. The switch detects the BPDU packets
3. The switch sends a trap and shuts down the port
IP spoofing prevention
1. A user spoofs the source IP address
2. The switch detects the spoofing by checking the source IP against the VLAN subnet
3. The switch sends a trap and shuts down the port
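The two client-port checks above, as an added example that is not taken from the Alcatel switch firmware: a small frame inspector applies a port profile (the VLAN subnet of the port) to constructed Ethernet frames and returns a shutdown verdict on a BPDU or on an IPv4 source address outside the subnet. The MAC addresses, the subnet and the frame contents are constructed; on a real switch the check runs in the forwarding hardware and the trap and port shutdown are side effects, which are represented here only by the returned verdict.

```python
"""Added example: BPDU guard and IP spoofing check for a client port profile."""
import ipaddress
import struct

STP_MULTICAST = bytes.fromhex("0180c2000000")   # bridge group address used by STP
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100


def parse_frame(frame):
    """Return (dst_mac, src_mac, ethertype_or_length, payload); skips one 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("short frame")
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if etype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("short tagged frame")
        etype = struct.unpack("!H", frame[16:18])[0]
        payload = frame[18:]
    return dst, src, etype, payload


def check_client_port(frame, port_subnet):
    """Apply the client port profile to one frame.
    Returns ("forward", detail) or ("shutdown", detail); the detail names the trap."""
    dst, src, etype, payload = parse_frame(frame)
    # BPDU guard: STP BPDUs are LLC frames (length field below 0x0600) sent to the
    # bridge group address; a client port never has a legitimate reason to send one.
    if dst == STP_MULTICAST and etype < 0x0600:
        return "shutdown", "BPDU received on client port (trap: bpdu-guard)"
    if etype == ETHERTYPE_IPV4:
        if len(payload) < 20:
            return "shutdown", "truncated IPv4 header (trap: malformed-frame)"
        src_ip = ipaddress.IPv4Address(payload[12:16])
        # IP spoofing check as the slide states it: source must lie in the VLAN subnet
        if src_ip not in ipaddress.IPv4Network(port_subnet):
            return "shutdown", f"source {src_ip} not in VLAN subnet {port_subnet} (trap: ip-spoof)"
    return "forward", "ok"


def build_ipv4_frame(src_ip, dst_ip):
    """Constructed minimal Ethernet + IPv4 header (no transport payload, zero checksum)."""
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip


def build_bpdu_frame():
    """Constructed STP Configuration BPDU as a host with bridging enabled would emit."""
    llc = bytes([0x42, 0x42, 0x03])        # DSAP/SSAP 0x42 = spanning tree, UI control field
    bpdu = bytes(35)                       # protocol id 0, version 0, type 0 (config), rest zero
    body = llc + bpdu
    return STP_MULTICAST + bytes.fromhex("66778899aabb") + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    profile_subnet = "10.1.1.0/24"        # constructed VLAN subnet for this client port
    for name, frame in (("bpdu", build_bpdu_frame()),
                        ("own subnet", build_ipv4_frame("10.1.1.20", "10.1.1.1")),
                        ("off subnet", build_ipv4_frame("192.168.5.5", "10.1.1.1")),
                        ("neighbour's address", build_ipv4_frame("10.1.1.99", "10.1.1.1"))):
        print(name, check_client_port(frame, profile_subnet))
```

The spoofing check is only as fine-grained as the subnet it is given: a forged source inside the port's own VLAN subnet (10.1.1.99 in the sample run) is forwarded, so this stops off-subnet spoofing, not a host impersonating a neighbour. Tying a specific address to a specific port is what 802.1x or a MAC/IP based Group Mobility rule on the same port adds, as the port profile slide lists.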
Client Port: Secure Mobility
[Diagram: client ports on edge switches serving 802.1x-capable PCs, IP phones and UNIX workstations, managed from OmniVista]
• 802.1x authentication required for 802.1x-capable PCs
• MAC/IP based Group Mobility rule for the other devices (IP phones, UNIX workstations)