Alcatel-Lucent’s Safe NAC for Network Access Control
Presenter
Agenda
• Enterprise Security by Alcatel-Lucent
• Safe Network Access Control Solution
• Solution Overview
• OmniSwitch Security for NAC on Corporate LAN
• VitalQIP for Ubiquitous DHCP Initiated NAC
• OmniAccess Initiated NAC for Wireless
• Dynamic NAC for Corporate LAN
• Safe NAC for VPN and Wireless
• Case Studies
• Professional Services
• Why Alcatel-Lucent for Security
Enterprise Security By Alcatel-Lucent
Open. Trusted. Dynamic.
Market Context
Creating The Trusted Dynamic Enterprise
• Open and Secure Interfaces to Communications, Data and Services
• Enable new collaborative business models
• Managed risk
• Protected data
• Controlled costs
• Security Is a Positive Enabler for Business Performance
Alcatel-Lucent’s Enterprise Security Blueprint
User Centric Security Delivered from Within the Network
Global Corporate-Wide Security
• Consistent Application of Security across Voice, Data, and Mobility
• Independent Chain of Control
• Security is Transparent to the User
• Security is Always-On
• Security is Highly Available
• Security Across Networks, People, Processes & Knowledge
For more detail, see the white paper Creating the Trusted, Dynamic Enterprise by Alcatel-Lucent: http://enterprise.all.alcatel-lucent.com/private/active_docs/WhitePaper_Security-Blueprint_EN_July2009_EPG3310090513.pdf
Alcatel-Lucent Security Solutions
• A Comprehensive Portfolio
Safe NAC Network Access Control Solution
Guest Access, Host Integrity Check, Compliance
Market Context
The Challenge
Four dimensions: 1. NETWORK, 2. PEOPLE, 3. PROCESS, 4. KNOWLEDGE
Themes: LOSS OF PRODUCTIVITY; OPEN ENDED THREATS; NEW MANDATE FOR THE CIO; NEW BUSINESS MODELS
• Guest Access
• Partner Access
• Contractor Access
• Services Unavailable
• Non Compliant Endpoints
• Infected Endpoints
• Rogue Endpoints
• Malware Containment
• Non-Productive Applications
• Multi-Endpoint Platforms
• Multi-Authentication
• Manage Help Desk Costs
• Reduce Management Costs
• Increase Compliance Score Card
• Data Protection
• Control USB Key Usage
Safe Network Access Control
Key Features
• Access Control for Guests, LAN & Wireless
• Endpoint Malware Protection
• Verify OS and End Point Configuration Controls
• Automatic Remediation
• Role-based Post Admission Control
• Audit Reports for Compliance
Differentiation
• Trusted Dynamic Enterprise
• Non Disruptive Multi-vendor Deployment
• Support for Multi-authentication, Multi-endpoint environments
• Integration with Multiple Network Elements Provides Reduced Cost
• Centralized Management
Reference Customers
• Iona College (US)
• Wolf Creek (Canada)
• HanseatiCContor
Comprehensive Enterprise NAC Solution
• Multi-Vendor Environments
LAN Users
• Integration with Alcatel-Lucent OmniSwitches
• Integration with VitalQIP
• DNAC technology for 3rd Party switches
Wireless Users
• Integration with Alcatel-Lucent Wireless
• CyberGatekeeper Remote in-line appliance
802.1x Users
• CyberGatekeeper Policy Server
VPN Users
• CyberGatekeeper Remote in-line appliance
Guests
• On-demand Web agent - Windows, Linux, and Mac
• Continuous Surveillance, Highly Available Solution
OmniSwitch Network Embedded Security
Authentication, Host Integrity Check, Dynamic Access Control
• Authentication of endpoints and users
  • MAC based, Captive Portal, 802.1x
• Network enforced host integrity check
• Dynamic access control is profile-based
  • QoS, Network Resources, LAN segments
• Control is via ACL, not VLAN or IP changes
  • VLAN is not the principal security mechanism
• Security applied on individual MAC address
  • Endpoints connected to VoIP phones are secured
  • Endpoints behind rogue routers are detected
• Enhanced Security with Reduced Costs
Security with Authentication, HIC and Dynamic Access Control
Unique NAC Solution For Network Edge
1. Employee, contractor or guest connects to the network.
2. OmniSwitch provides authentication (802.1x, MAC, Captive Portal) and identifies the user profile. It checks if a HIC check is needed for this user.
3. OmniSwitch redirects traffic to the CyberGatekeeper Policy Server and the remediation servers.
4. CyberGatekeeper policy server receives the HIC report from the CyberGatekeeper Agent and informs the OmniSwitch if the device has passed or failed.
5. If HIC Passed, OmniSwitch selectively allows device traffic to the production network following the policy in the user profile. If HIC Failed, OmniSwitch restricts traffic to the remediation network only.
Diagram elements: 802.1x User, Regular LAN User, Guest (Resident or On-demand Agent); Alcatel-Lucent OmniSwitch; CyberGatekeeper Policy Server; Remediation Server(s); Production Network; Continuous Surveillance.
Powerful NAC Solution with OmniSwitch as In-line Policy Enforcer
1. Employee, contractor or guest connects to the network.
2. The edge switch provides connectivity and possibly authentication.
3. The Alcatel-Lucent Policy Enforcer checks that a valid domain credential has been supplied, and if a HIC check is required on the endpoint based upon MAC address and User Network Profile.
4. If a HIC check is required, the Policy Enforcer restricts traffic to the CyberGatekeeper Policy Server and the remediation servers via the User Network Profile.
5. CyberGatekeeper policy server receives the HIC report from the CyberGatekeeper Agent and informs the Policy Enforcer if the device has passed or failed.
6. If HIC Passed, the Policy Enforcer selectively allows device traffic to the production network following the policy in the User Network Profile. If HIC Failed, the Policy Enforcer restricts traffic to the remediation network only.
Diagram elements: 802.1x User, Regular LAN User, Guest (Resident or On-demand Agent); Edge Switch; Alcatel-Lucent Policy Enforcer; CyberGatekeeper Policy Server; Remediation Server(s); Network Core (Production); Continuous Surveillance.
Ubiquitous and Network Initiated Host Integrity Check
• Enhanced security with network enabled host integrity check
• No modification to existing network
• Simple to manage solution
• Complete coverage for IP devices
• Can be deployed by network segment
• Allows multiple NAC strategies
  • Dynamic NAC, SSL, VPN, 802.1x, and in-line
• Enhanced Security with Easy to Deploy Solution
Unique IP Address Management with Host Integrity Check Solution
• DHCP discover/request packets are “intercepted” by the plug-in module in VitalQIP.
• The plug-in queries the CyberGatekeeper policy server to check whether the endpoint is compliant.
• Depending on the results (pass/fail/unknown), the plug-in module inserts user class options into the DHCP discover/request packets.
• If a security policy violation is detected the endpoint is quarantined with access to the remediation servers.
• VitalQIP assigns access based on the assigned user class.
• CyberGatekeeper integrates with VitalQIP using a plug-in module.
• Deployment requires no significant network modifications
• 1MB Agent for Windows, Mac, Linux
• Management of the plug-in module is integrated into the VitalQIP user interface
• Enforcement using standard DHCP options
• Relies on standard DHCP attributes
Diagram element: Remediation Servers
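The DHCP-initiated flow on this slide, worked through as an added Python example (not VitalQIP or CyberGatekeeper code): a constructed DHCPDISCOVER is parsed, a stand-in posture lookup returns pass, fail or unknown for the client's MAC, and the DHCP User Class option (option 77, RFC 3004) is rewritten before the server chooses a scope by class. The user class names, scope ranges, MAC addresses and posture table are all constructed assumptions. The example also shows the one check a defender wants here: option 77 is normally supplied by the client, so the plug-in must replace any class the client sent rather than append to it, or an endpoint could claim the "production" class for itself.

```python
import struct
from typing import Callable, Dict, List, Optional, Tuple

# DHCP constants (RFC 2131 framing, RFC 3004 User Class option)
DHCP_MAGIC = b"\x63\x82\x53\x63"
HEADER_LEN = 236                      # fixed BOOTP header before the magic cookie
OPT_PAD, OPT_MSG_TYPE, OPT_USER_CLASS, OPT_END = 0, 53, 77, 255
DHCPDISCOVER, DHCPREQUEST, DHCPACK = 1, 3, 5

# Constructed assumptions (not VitalQIP's real class names or scopes): the class
# each posture result maps to, and the scope each class selects. "fail" and
# "unknown" both land in a quarantine scope that only reaches remediation.
CLASS_FOR_RESULT = {"pass": b"production", "fail": b"remediation", "unknown": b"remediation"}
SCOPE_FOR_CLASS = {b"production": "10.10.0.0/24", b"remediation": "10.99.0.0/24"}

Options = List[Tuple[int, bytes]]


def encode_options(opts: Options) -> bytes:
    """Serialise (code, value) pairs as TLVs and terminate with END."""
    out = bytearray()
    for code, value in opts:
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(payload: bytes) -> Options:
    """Walk the TLV option field (the bytes after the magic cookie) up to END."""
    opts, i = [], 0
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        opts.append((code, payload[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def user_class_value(name: bytes) -> bytes:
    """RFC 3004 encodes option 77 as one or more <len><data> sub-fields."""
    return bytes([len(name)]) + name


def build_packet(mac: bytes, msg_type: int = DHCPDISCOVER, extra_opts: Options = ()) -> bytes:
    """Constructed DHCP client message from a client with hardware address `mac`."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0x8000,         # xid, secs, flags (broadcast)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,     # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,  # chaddr, sname, file
    )
    return header + DHCP_MAGIC + encode_options([(OPT_MSG_TYPE, bytes([msg_type])), *extra_opts])


def client_mac(packet: bytes) -> bytes:
    return packet[28:28 + packet[2]]   # chaddr starts at offset 28, hlen at offset 2


def tag_with_user_class(packet: bytes, posture_lookup: Callable[[bytes], str]) -> Tuple[bytes, Optional[bytes]]:
    """The plug-in hook: set option 77 from the endpoint's posture result.

    Returns (rewritten packet, class applied), or (packet, None) when the message
    is not a DISCOVER/REQUEST and is passed through untouched."""
    if packet[HEADER_LEN:HEADER_LEN + 4] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts = decode_options(packet[HEADER_LEN + 4:])
    msg_type = next((v[0] for c, v in opts if c == OPT_MSG_TYPE), None)
    if msg_type not in (DHCPDISCOVER, DHCPREQUEST):
        return packet, None
    user_class = CLASS_FOR_RESULT.get(posture_lookup(client_mac(packet)), b"remediation")
    # Replace, never append: the client controls option 77 on the wire, so a
    # client-supplied "production" class must not survive into the server.
    opts = [(c, v) for c, v in opts if c != OPT_USER_CLASS]
    opts.append((OPT_USER_CLASS, user_class_value(user_class)))
    return packet[:HEADER_LEN + 4] + encode_options(opts), user_class


def select_scope(packet: bytes) -> str:
    """What the DHCP server does next: pick the scope by the user class it sees."""
    raw = next((v for c, v in decode_options(packet[HEADER_LEN + 4:]) if c == OPT_USER_CLASS), None)
    name = raw[1:1 + raw[0]] if raw else None      # strip the RFC 3004 length byte
    return SCOPE_FOR_CLASS.get(name, SCOPE_FOR_CLASS[b"remediation"])


# Constructed posture table standing in for the CyberGatekeeper policy server.
CONSTRUCTED_POSTURE = {bytes.fromhex("001122334455"): "pass", bytes.fromhex("66778899aabb"): "fail"}


def demo_posture_lookup(mac: bytes) -> str:
    return CONSTRUCTED_POSTURE.get(mac, "unknown")


def demo() -> Dict[str, Tuple[bytes, str, int]]:
    """Every client below tries to assert its own 'production' class in the DISCOVER."""
    results = {}
    for mac_hex in ("001122334455", "66778899aabb", "ccddeeff0011"):
        sent = build_packet(bytes.fromhex(mac_hex), DHCPDISCOVER,
                            [(OPT_USER_CLASS, user_class_value(b"production"))])
        tagged, applied = tag_with_user_class(sent, demo_posture_lookup)
        count77 = sum(1 for c, _ in decode_options(tagged[HEADER_LEN + 4:]) if c == OPT_USER_CLASS)
        results[mac_hex] = (applied, select_scope(tagged), count77)
    return results


if __name__ == "__main__":
    for mac, (cls, scope, n) in demo().items():
        print(f"{mac}: class={cls.decode()} scope={scope} option77_count={n}")
```

The unknown MAC (no posture record) goes to the remediation scope together with the failed one, which is the fail-closed reading of "pass/fail/unknown"; a deployment that wants unknown endpoints to get production addresses would change only the CLASS_FOR_RESULT table.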
Complete Access Control for Wireless Networks
• Enhanced security with network enabled host integrity check
• No modification to existing network
• Simple to manage solution
• Complete coverage for endpoints
• Supports multiple authentication methodologies
  • 802.1x, Captive Portal, and MAC
• Supports existing role based access controls
• Integrated policy management for LAN and Wireless
• Enhanced Security for Wireless Deployment
Integrated NAC Solution for Wireless
1. Employee, contractor or guest connects to the wireless network.
2. The OmniAccess Controller provides authentication (802.1x, Captive Portal) and identifies the user network profile.
3. OmniAccess restricts traffic to the CyberGatekeeper Policy Server and the remediation servers.
4. CyberGatekeeper policy server receives the HIC report from the CyberGatekeeper Agent and informs the OmniAccess Controller if the device has passed or failed.
5. If HIC Passed, the OmniAccess controller allows device traffic to the production network with the endpoint placed in the correct VLAN. If HIC Failed, OmniAccess restricts traffic to the remediation network only.
Diagram elements: 802.1x User, Employee, Guest (Resident or On-demand Agent); Alcatel-Lucent OmniAccess Wireless Controller; CyberGatekeeper Policy Server; Remediation Server(s); Production Network; Continuous Surveillance.
Dynamic NAC - A Different Approach for Host Integrity Check
Diagram legend: Enforcer Endpoints police endpoints; Compliant Endpoints are granted access; Guest Endpoints are audit only; Unauthorized Endpoints are quarantined.
• LAN Switch Agnostic
• Existing endpoints provide enforcement
• Creates a community of endpoints like “Neighborhood Watch”
• Select endpoints are designated as enforcers
• Enforcers identify and quarantine unknown endpoints
DNAC strengths
• No network upgrades or changes
• Authentication agnostic
• Friendly fail-open design
• Provides real-time network visibility
Each LAN Segment Self-Organizes
Diagram element: CyberGatekeeper Policy Server
Access Control for VPN and Wireless Networks
• Enhanced security with network enabled host integrity check
• No modification to existing network
• Simple to manage solution
• Complete coverage for endpoints
• Supports multiple NAC strategies
  • SSL, IPSec, 802.1x, and in-line enforcement
• Enhanced Security with Easy to Deploy Solution
CyberGatekeeper Remote In-line Policy Enforcement (Wireless)
1. Employee, contractor or guest connects to the network.
2. The Wireless Controller provides authentication (802.1x, Captive Portal) and identifies the user network profile.
3. The CyberGatekeeper Remote checks if HIC is required on the endpoint.
4. If a HIC check is required, the CyberGatekeeper Remote restricts traffic to the CyberGatekeeper Remote and the remediation servers.
5. The CyberGatekeeper Remote receives the HIC report from the CyberGatekeeper Agent.
6. If HIC Passed, the Remote allows device traffic to the production network. If HIC Failed, the Remote restricts traffic to the remediation network only.
Diagram elements: 802.1x User, Employee, Guest (Resident or On-demand Agent); Wireless Controller; CyberGatekeeper Remote; Remediation Server(s); Production Network; Continuous Surveillance.
CyberGatekeeper Remote In-line Policy Enforcement (VPN)
1. Employee, contractor or guest connects over the WAN and starts the VPN Client.
2. The Firewall VPN provides authentication and terminates the VPN Tunnel.
3. The CyberGatekeeper Remote checks if HIC is required on the endpoint.
4. If a HIC check is required, the CyberGatekeeper Remote restricts traffic to the remediation servers.
5. The CyberGatekeeper Remote receives the HIC report from the CyberGatekeeper Agent.
6. If HIC Passed, the Remote allows device traffic to the production network. If HIC Failed, the Remote restricts traffic to the remediation network only.
Diagram elements: Employee, Guest (Resident or On-demand Agent); Firewall VPN; CyberGatekeeper Remote; Remediation Server(s); Production Network; Continuous Surveillance.
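The five enforcement flows in this deck (OmniSwitch at the network edge, the in-line Policy Enforcer, the OmniAccess wireless controller, and CyberGatekeeper Remote for wireless and VPN) all make the same decision: authentication selects a profile; an endpoint whose profile requires HIC may reach only the policy server and remediation servers until its report arrives; a passed report applies the profile's production rules; a later failed report sends it back to remediation. The added Python model below is of that decision as the OmniSwitch security slide describes it, with per-MAC ACLs and no VLAN or IP change, so that a laptop plugged in behind a VoIP phone on the same port is controlled independently of the phone. It is not Alcatel-Lucent or CyberGatekeeper code; the profile names, addresses, port names and rules are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple


class Hic(Enum):
    NOT_REQUIRED = "not_required"   # profile exempts this endpoint (e.g. a VoIP phone)
    PENDING = "pending"             # authenticated, agent report not yet received
    PASSED = "passed"
    FAILED = "failed"


@dataclass(frozen=True)
class Rule:
    permit: bool
    dst: ipaddress.IPv4Network


@dataclass(frozen=True)
class UserNetworkProfile:
    name: str
    hic_required: bool
    production_acl: Tuple[Rule, ...]   # applied once HIC passed (or was never required)


# Constructed addresses: the slides name the roles, not the ranges.
POLICY_SERVER = ipaddress.ip_network("10.1.1.10/32")     # CyberGatekeeper Policy Server
REMEDIATION_NET = ipaddress.ip_network("10.1.2.0/24")    # remediation servers
PRODUCTION_NET = ipaddress.ip_network("10.10.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Quarantine is the same for every profile: policy server and remediation only.
QUARANTINE_ACL = (Rule(True, POLICY_SERVER), Rule(True, REMEDIATION_NET), Rule(False, ANY))

PROFILES = {  # constructed profiles
    "employee":   UserNetworkProfile("employee", True, (Rule(True, PRODUCTION_NET), Rule(True, ANY))),
    "guest":      UserNetworkProfile("guest", True, (Rule(False, PRODUCTION_NET), Rule(True, ANY))),
    "voip_phone": UserNetworkProfile("voip_phone", False, (Rule(True, PRODUCTION_NET), Rule(False, ANY))),
}


@dataclass
class Session:
    mac: str
    port: str
    profile: UserNetworkProfile
    hic: Hic


class Enforcer:
    """Per-MAC enforcement: the endpoint keeps its VLAN and IP; only its rule set changes."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def authenticate(self, mac: str, port: str, profile_name: str) -> Session:
        """Authentication yields a profile, and the profile says whether HIC is owed."""
        profile = PROFILES[profile_name]
        hic = Hic.PENDING if profile.hic_required else Hic.NOT_REQUIRED
        self.sessions[mac] = Session(mac, port, profile, hic)
        return self.sessions[mac]

    def hic_report(self, mac: str, passed: bool) -> Hic:
        """Policy server verdict. Applied on every report, not only the first:
        that is what makes admission control into continuous surveillance."""
        self.sessions[mac].hic = Hic.PASSED if passed else Hic.FAILED
        return self.sessions[mac].hic

    def acl_for(self, mac: str) -> Tuple[Rule, ...]:
        s = self.sessions[mac]
        if s.hic in (Hic.NOT_REQUIRED, Hic.PASSED):
            return s.profile.production_acl
        return QUARANTINE_ACL            # pending or failed: remediation network only

    def permits(self, mac: str, dst: str) -> bool:
        """First-match evaluation with an implicit deny at the end."""
        ip = ipaddress.ip_address(dst)
        for rule in self.acl_for(mac):
            if ip in rule.dst:
                return rule.permit
        return False


def demo() -> Dict[str, bool]:
    """A guest laptop plugged in behind a VoIP phone on the same switch port."""
    e = Enforcer()
    phone, laptop = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed MACs
    e.authenticate(phone, "1/1", "voip_phone")    # MAC-based auth, no HIC required
    e.authenticate(laptop, "1/1", "guest")        # captive portal, HIC owed
    out = {
        "pending_laptop_to_production": e.permits(laptop, "10.10.5.5"),    # False
        "pending_laptop_to_policy_server": e.permits(laptop, "10.1.1.10"),  # True
        "pending_laptop_to_remediation": e.permits(laptop, "10.1.2.20"),   # True
        "phone_unaffected": e.permits(phone, "10.10.5.5"),                 # True
    }
    e.hic_report(laptop, passed=True)
    out["passed_laptop_to_internet"] = e.permits(laptop, "8.8.8.8")         # True
    out["passed_laptop_to_production"] = e.permits(laptop, "10.10.5.5")    # False: guest profile
    e.hic_report(laptop, passed=False)    # a later report fails: back to quarantine
    out["failed_laptop_to_internet"] = e.permits(laptop, "8.8.8.8")         # False
    out["phone_still_unaffected"] = e.permits(phone, "10.10.5.5")          # True
    return out


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'permit' if allowed else 'deny'}")
```

The wireless and VPN variants differ only in who performs step 2 (the OmniAccess controller, the Wireless Controller or the Firewall VPN) and in the OmniAccess case in placing a passed endpoint into its VLAN rather than keeping it in place; the pending/passed/failed transitions and the quarantine rule set are the same.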
Iona College Chooses Safe NAC
• Iona College, New Rochelle, New York selects CyberGatekeeper to protect its wireless network and seamlessly enable Host Integrity Checking/Campus Network Policy on students’ laptops.
• Solution selected as a replacement for Symantec CIM.
• Solution scans Symantec A/V to make sure it is not out-of-date.
• Using self-remediation through CyberGatekeeper, they will be able to deliver the proper A/V package to all the students without the need to touch the laptops.
• ‘Desirable Mode’ enables testing policies before deployment.
• Client notification capabilities on policy changes were well-liked.
• Support for Vista and Mac platforms was key.
Wolf Creek Chooses Safe NAC
Wolf Creek Public School: approximately 7200 students, from Kindergarten to Grade 12; employs approximately 475 teachers and 350 support staff. There are 33 schools in the division; the operating budget for the 2008-2009 school year was $65.2 million.
Business Requirements
• Host integrity check for all endpoints
• Secure and controlled guest access
• Encourage students to bring their own laptops
• Controlled access to resources once connected
• Minimal additional operational costs
Academic Requirements
• Enable one-to-one mobile computing research
• Use SaaS as a technology approach for rapid application deployment
• Use NAC as a technology for securely extending services to student-owned devices
Technical Requirements
• Authentication for all devices (laptops, VoIP phones, printers, etc.)
• Support for different endpoint platforms (Windows, Mac)
• Support for unmanaged machines with no pre-installed agent
Why Alcatel-Lucent?
• Ability to provide detailed audit of endpoint configuration
• Ability to classify endpoints at the MAC layer
• Ability to apply UNP to restrict or enable access based upon ACLs
• Ability to leverage existing infrastructure
HanseatiCContor Chooses Safe NAC
Needed a secure and manageable communications infrastructure to accommodate a complex business environment
• HanseatiCContor, Germany selects OmniSwitch NAC & CyberGatekeeper to secure its new converged communications network serving customers, guests, and mobile workers.
• OmniSwitch & CyberGatekeeper option selected to provide NAC and HIC
• Every device connected to the network is authenticated
• Access is granted based upon a profile
• Different customers are placed into the proper network segment
• All endpoints are verified to be compliant before being allowed onto the network
  • All critical patches applied, anti-virus in place, and personal firewall enabled
  • Unauthorized applications are disabled
• If a device changes status it is placed into quarantine
• Always-on, with low operational costs, was a key factor
Professional Services
• Smart Start Service Package: provides on-site Alcatel-Lucent Professional Services (3 Days Max) for the scoping and the design of the host integrity check solution, including:
  • Interviews with the customer organization’s engineering and operations staffs to understand their objectives.
  • Explanation of industry best practices and a recommended policy configuration that applies specifically to the customer environment.
  • If additional work is required, an SOW and a detailed quotation will be prepared.
• Basic Installation Service: provides on-site Alcatel-Lucent Professional Services for the installation of the CyberGatekeeper product, including:
  • Configuration and deployment of one CyberGatekeeper appliance
  • Building and deploying 10 CyberGatekeeper agents
  • Integration and testing with OmniSwitch
• Optional Redundancy Installation Service: provides on-site installation and failover testing of a redundant CyberGatekeeper appliance.
• Policy Manager Installation Service: provides on-site Alcatel-Lucent Professional Services for the installation of the CyberGatekeeper Policy Manager (CPM), including:
  • Configuration of the CyberGatekeeper Policy Manager, integration in the production network and coupling with the CyberGatekeeper appliances.
  • Basic testing with standard user policies is also provided.
• Optional Policy Manager Redundancy Installation Service: provides on-site installation and failover testing of a redundant CyberGatekeeper Policy Manager.
Meeting the Challenge
Four dimensions: 1. NETWORK, 2. PEOPLE, 3. PROCESS, 4. KNOWLEDGE
Themes: PRODUCTIVITY; ENHANCED THREAT PROTECTION; ENTERPRISE IS SECURE; DEPLOYMENT IS SIMPLE
• Secured Guest Access
• Secured Partner Access
• Secured Contractor Access
• Services are Available
• Endpoints are Compliant
• Malware is Contained
• No Rogue Endpoints
• Continuous Surveillance
• Supports Existing Infrastructure
• Multi-Vendor Networks
• Multiple Endpoint Platforms
• Multiple Authentication Methods
• Reduced Help Desk Costs
• Reduced Management Costs
• Enterprise is Compliant
• Data is Protected
For More Information on Safe NAC
http://enterprise.alcatel-lucent.com/?solution=Security&page=SafeNetworkAccess
Why Alcatel-Lucent?
• World Class R&D with Bell Labs (X.805 setting the Standard) [ITU-T & ISO]
  • Security, Network & Mobile Technology
  • Web 2.0, Cloud Computing, Encryption Research
• Carrier Class security for enterprise
  • Unmatched scalability and reliability
  • Understand new deployment models (Web 2.0, Cloud)
• Open Standards based solution enabling best of breed product selection
• Security Ecosystem provides access to collaboration and research with industry leading government and standards bodies
• User Centric Approach providing the fine grained control and audit that enables business performance
• Security Blueprint that enables open, trusted, dynamic security for voice, data and mobility
• Trusted Advisor for Unique Security Solutions
www.alcatel-lucent.com/enterprise/security
www.alcatel-lucent.com www.alcatel-lucent.com/enterprise/security