Risk Management using Network Access Control and Endpoint Control for the Enterprise
Kurtis E. Minder – Mirage Networks
Agenda
• Drivers of NAC
• Network Design Elements
• Key Elements of NAC Solutions
  • Identify
  • Assess
  • Monitor
  • Mitigate
• NAC Business Application
• Who is Mirage?
• Q&A
- CONFIDENTIAL -
Business Needs Drive Security Adoption
• 3 ubiquitous security technologies
  • Anti-virus - business driver: file sharing
  • Firewalls - business driver: interconnecting networks (i.e. the Internet)
  • VPNs - business driver: remote connectivity
• Today's top security driver - mobile PCs and devices
  • Broadband access is everywhere
  • Increased percentage of the time devices spend on unprotected networks
  • Perimeter security is rendered less effective because mobile devices bypass it and aren't protected by it
• Mobility of IP devices is driving the need for Network Access Control solutions
  • Leading source of network infections
  • More unmanaged devices on the network than ever - guest and personal devices
The Traditional Approach to Network Security Isn't Enough
The Problem NAC Should Address
Today, endpoint devices represent the greatest risk to network security - by propagating threats or being vulnerable to them.
"Because of worms and other threats, you can no longer leave your networks open to unscreened devices and users. By year-end 2007, 80 percent of enterprises will have implemented network access control policies and procedures." - Gartner, Protect Your Resources With a Network Access Control Process
• Infected Devices propagate threats, resulting in loss of productivity & hours of cleanup
• Unknown Devices like home PCs, contractor PCs & WiFi phones can introduce new threats or compromise data security
• Out-of-Policy Devices are more vulnerable to malware attacks, while running services that could jeopardize security
The Cost (chart; sources: 1. mi2g Intelligence Unit, Malware Damage in 2004; 2. ICSA Labs, 9th Annual Computer Virus Prevalence Survey)
The Problem is Expected to Get Worse
2006 statistics
• Steep increase in the number of software security vulnerabilities discovered by researchers and actively exploited by criminals
• Microsoft Corp. issued fixes for 97 (versus 37 in 2005) security holes assigned the "critical" label
• 14 of the critical holes became "zero day" threats
• Experts worry that businesses will be slow to switch to Vista
• Pre-Vista MS Office is expected to remain in widespread use for the next 5-10 years
Source: Washington Post, Dec 2006, Cyber Crime Hits the Big Time in 2006
NAC Market Expectations
• NAC appliance vendors will sell $660m worldwide in 2008
• NAC appliances will gain 17% worldwide share of the NAC market by 2008, up from 6% in 2005
• Research reveals the World Network Access Control (NAC) Products and Architectures market earned revenues of over $85 million in 2006 and estimates this to reach over $600 million in 2013
• Gartner estimates that the NAC market was $100M in 2006 and will grow by over 100% by YE 2007
Increasing Number of Targets to Protect
SANS Institute 2006 Top Attack Targets*
Operating Systems
• Internet Explorer
• Windows Libraries
• Microsoft Office
• Windows Services
• Windows Configuration Weaknesses
• Mac OS X
• Linux Configuration Weaknesses
Cross-Platform Applications
• Web Applications
• Database Software
• P2P File Sharing Applications
• Instant Messaging
• Media Players
• DNS Servers
• Backup Software
• Security, Enterprise, and Directory Management Servers
Network Devices
• VoIP Phones & Servers
• Network & Other Devices Common Configuration Weaknesses
Security Policy & Personnel
• Excessive User Rights & Unauthorized Devices
• Users (Phishing/Spear Phishing)
*SANS Institute Top 20 Internet Security Attack Targets (2006 Annual Update), v7.0, 11.15.06
What Class of NAC Solutions to Deploy? (chart, Aberdeen Research, 2006)
Top Drivers Influencing NAC Solutions (chart, Aberdeen Research, 2006)
Top Features Required in a NAC Solution (chart, Aberdeen Research, 2006)
Network Design Meets Security Design
• Multi-layer switching
  • Fundamental to network architecture
  • Supplemental to network security
• Getting closer to the desktop
  • Access switch technologies
  • Agent approaches
• Virtual Local Area Networks (VLANs)
  • Network segmentation or security tool?
• Appliance or infrastructure?
Network Design Models
Evolution of Network Device Segmentation – Where is 802.1X Going?
Network Security Design Example
• Typical network design includes security at the perimeter. This is a best practice.
• Desktop software may also be used to keep machines clean of viruses and malicious content.
• This is a typical network, simplified (diagram).
Common NAC Elements
• NAC is an evolving space with evolving capabilities
• NAC solution elements - some or all
  • Identify - detect & authenticate new devices
  • Assess - endpoint integrity checks to determine levels of risk and adherence to security policy
  • Monitor - watch the device's activity for a change of assessed state with respect to policy and threat status
  • Mitigate - take appropriate action upon any device that is identified as a security risk by the previous three elements
Identify - Find/Authenticate New Devices
• Question - How do you know when a new device comes on the network? Is it a known or unknown device? Is it an authenticated user?
• Common approaches
  • Leverage 802.1X or the network infrastructure OS
    • Authenticate through the existing EAP infrastructure to pass credentials to the authentication server
  • Special-purpose DHCP server
    • Authentication usually web based and tied to the authentication server
  • Authentication proxy
    • NAC solution serves as a proxy between the device and the authentication server
  • Inline security appliances (e.g. security switches)
    • Serve as a proxy between the device and the authentication server
  • Real-time network awareness
    • Authentication usually web based and tied to the authentication server
• All approaches trigger off the entry of a new IP device on the network
Identify - Pros & Cons of Various Approaches
• 802.1X approach
  • Pros: device detected and authenticated prior to IP address assignment
  • Cons: often a costly and time-consuming installation
    • Requires switch upgrade/reconfiguration
    • Endpoints must be 802.1X enabled - requires supplicant software
    • Must create guest/remediation VLANs
• Out-of-band appliances with network awareness
  • Pros: sees all devices as they enter the network, both managed and unmanaged; easier to implement than many of the other approaches
  • Cons: may require switch integration for mitigation of problems
• Authentication proxy
• In-line security appliance/switch
• DHCP lease quarantine
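The "real-time network awareness" approach above boils down to noticing each new IP device the moment it obtains an address and deciding what class of device it is. The block below is an added example for this page, not code from the deck or from Mirage: it watches ISC dhcpd-style syslog lines for DHCPACK events, reports each MAC only the first time it appears, and classifies it against an inventory of managed endpoints, with IP phones (which cannot run a posture agent) handled as their own class rather than as unknown devices. The log lines, the inventory, the OUI prefix and the action names are all constructed for the example.

```python
"""Identify: detect new devices as they get an address and classify them.

Added example (not the deck's or any vendor's code).  Watches ISC dhcpd
syslog lines for DHCPACK, emits one event per MAC on first sight, and
classifies the MAC as managed, VoIP phone or unknown.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed syslog lines in ISC dhcpd's format.  The DHCPREQUEST line and
# the second DHCPACK for the same MAC are deliberate: only the first granted
# lease should produce a "new device" event.
SAMPLE_LOG = """\
Mar  3 09:14:02 dhcp1 dhcpd: DHCPACK on 10.1.20.45 to 00:1a:a0:12:34:56 (lt-jsmith) via eth0
Mar  3 09:14:07 dhcp1 dhcpd: DHCPACK on 10.1.20.46 to 00:16:cb:ab:cd:ef via eth0
Mar  3 09:14:11 dhcp1 dhcpd: DHCPREQUEST for 10.1.20.46 from 00:16:cb:ab:cd:ef via eth0
Mar  3 09:14:15 dhcp1 dhcpd: DHCPACK on 10.1.20.47 to 00:04:f2:77:88:99 (SEP0004F2778899) via eth0
Mar  3 09:19:40 dhcp1 dhcpd: DHCPACK on 10.1.20.46 to 00:16:cb:ab:cd:ef via eth0
"""

# Constructed inventory of managed endpoints: MAC -> asset record.
INVENTORY: Dict[str, str] = {"00:1a:a0:12:34:56": "asset-4471 / jsmith laptop"}

# Constructed OUI prefix for an IP phone vendor (a real deployment would load
# the IEEE OUI registry).  Phones cannot run an agent, so they get their own class.
VOIP_OUIS: Set[str] = {"00:04:f2"}

DHCPACK_RE = re.compile(
    r"dhcpd: DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

# Next NAC step per class; the wording is an assumption for the example.
ACTIONS = {
    "managed": "run endpoint integrity assessment",
    "voip": "admit to voice VLAN; behavioural monitoring only",
    "unknown": "redirect to registration page; guest access only",
}


@dataclass
class DeviceEvent:
    ip: str
    mac: str
    hostname: Optional[str]
    classification: str   # "managed", "voip" or "unknown"
    action: str


def classify(mac: str) -> str:
    """Known asset, IP phone by OUI, or unknown device."""
    if mac in INVENTORY:
        return "managed"
    if mac[:8] in VOIP_OUIS:
        return "voip"
    return "unknown"


def parse_dhcp_log(text: str) -> List[DeviceEvent]:
    """Emit one event per MAC on its first DHCPACK; renewals are ignored."""
    seen: Set[str] = set()
    events: List[DeviceEvent] = []
    for line in text.splitlines():
        m = DHCPACK_RE.search(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        if mac in seen:
            continue
        seen.add(mac)
        cls = classify(mac)
        events.append(DeviceEvent(m.group("ip"), mac, m.group("host"), cls, ACTIONS[cls]))
    return events


if __name__ == "__main__":
    for ev in parse_dhcp_log(SAMPLE_LOG):
        print(f"{ev.ip:<12} {ev.mac}  {ev.classification:<8} -> {ev.action}")
```

Keying on DHCPACK rather than DHCPREQUEST matters: a request can be NAKed, and a device with a static address never appears in this log at all, which is exactly the gap the out-of-band "sees all devices" approach (ARP or switch-table based) closes and a DHCP-only approach does not.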
NAC Design - Proxy
• Using proxy technology to enforce NAC can be very effective since it supplies L3-7 visibility into packet data
• It can also be a point of failure and add latency
• Traffic that never passes through the proxy (downstream of it, e.g. between hosts on the same segment) is missed
NAC Design - Inline
• The effectiveness of inline NAC enforcers depends directly on where they are placed in the network
• Point of failure/latency possible
• Traffic downstream of the enforcer that never crosses it is missed
NAC Design – Access Switch Replacement
• Access switch NAC devices are a viable solution
• L3-7 visibility
• Expensive
• Not a switch
NAC Design – OOB
• Out-of-band solutions are ideal for complex network environments
• Supports heterogeneous environments
• Sees all traffic
• May need complex switch integration
Assess Endpoint Integrity
• Question: even if a device is allowed on my network, how do I ensure it meets my security policies and risk tolerance?
• Answer: endpoint integrity checks
  • Operating system identification and validation checks
    • Typically requires an agent
    • Must establish a policy relating to acceptable patch level (latest patch on the company SMS server, no older than X months, most recent patch available from the software vendor)
    • What do you do for unknown devices? These checks usually require an agent, which an unknown device will not have
  • Security software checks - AV, personal firewall, spyware, etc.
    • Is it up and running?
    • Is it in the right configuration?
    • Is it up to date - both the software and the database?
    • Usually requires an agent for these checks
Scanning the host…
• Client integrity checks often include:
  • Patch level
  • Anti-virus existence and revision level
  • Anti-spyware existence and revision level
  • Personal firewall enable status
Scanning the host… Does the device get network access?
Posture assessment determines whether a high-risk device gets network access at all, or has its access limited according to its risk level.
Assess Endpoint Integrity cont.
• Additional elements may be required to effectively set and enforce Network Access Control policy on the network. Often these components are managed individually.
• Elements for endpoint integrity checks
  • Network scanning server (optional)
  • Endpoint software - permanent or transient agent (optional)
  • Policy server (required) - must have somewhere to define what is allowed/disallowed
  • Switch API
  • Etc.
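The Assess slides describe a policy server turning agent-reported facts (patch level, AV present/running/current, firewall state, anti-spyware) into a risk level and an access decision, and they raise the awkward case of a device that has no agent at all. The block below is an added example, not the deck's or any vendor's policy engine: it encodes one such policy and returns a risk tier, an access decision and the findings that drove it. The field names, the thresholds (patches no older than 90 days, AV signatures no older than 7 days) and the four access tiers are assumptions made for the example.

```python
"""Assess: endpoint integrity check against an admission policy.

Added example (not the deck's or Mirage's code).  Maps a reported posture
to (risk, access, findings); a device with no posture data is treated as
unknown and sent to guest/registration rather than assessed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Posture:
    os_name: str
    last_patch: Optional[date]     # newest installed OS patch, None if unknown
    av_installed: bool
    av_running: bool
    av_sig_date: Optional[date]    # signature database date, None if unknown
    firewall_enabled: bool
    antispyware_installed: bool


@dataclass
class Policy:
    max_patch_age: timedelta = timedelta(days=90)   # assumption
    max_av_sig_age: timedelta = timedelta(days=7)   # assumption
    require_firewall: bool = True
    require_antispyware: bool = True


def evaluate(posture: Optional[Posture], policy: Policy, today: date) -> Tuple[str, str, List[str]]:
    """Return (risk, access, findings).

    access: "full", "limited" (remediation network, self-remediation allowed),
    "quarantine" (no production access) or "guest" (no posture data, so the
    device can only be registered, not assessed).
    """
    if posture is None:
        return "unknown", "guest", ["no posture data: unmanaged device or no agent"]

    high: List[str] = []    # any one of these denies access
    medium: List[str] = []  # any one of these limits access

    # Security software: must exist, be running and be current.
    if not posture.av_installed:
        high.append("no anti-virus installed")
    elif not posture.av_running:
        high.append("anti-virus installed but not running")
    elif posture.av_sig_date is None or today - posture.av_sig_date > policy.max_av_sig_age:
        medium.append("anti-virus signatures older than %d days" % policy.max_av_sig_age.days)

    # Patch level: an unknown patch date is treated the same as too old.
    if posture.last_patch is None or today - posture.last_patch > policy.max_patch_age:
        medium.append("OS patch level older than %d days" % policy.max_patch_age.days)

    if policy.require_firewall and not posture.firewall_enabled:
        medium.append("personal firewall disabled")
    if policy.require_antispyware and not posture.antispyware_installed:
        medium.append("no anti-spyware installed")

    if high:
        return "high", "quarantine", high + medium
    if medium:
        return "medium", "limited", medium
    return "low", "full", []


# Constructed sample postures, evaluated as of a fixed date.
TODAY = date(2007, 3, 1)
SAMPLES: Dict[str, Optional[Posture]] = {
    "compliant": Posture("Windows XP SP2", date(2007, 2, 14), True, True, date(2007, 2, 27), True, True),
    "stale":     Posture("Windows XP SP2", date(2006, 10, 1), True, True, date(2007, 2, 27), False, True),
    "av-down":   Posture("Windows 2000", None, True, False, None, True, True),
    "no-agent":  None,
}


if __name__ == "__main__":
    for name, p in SAMPLES.items():
        risk, access, findings = evaluate(p, Policy(), TODAY)
        print(f"{name:<10} risk={risk:<8} access={access:<10} {findings}")
```

The ordering of the checks encodes the policy's priorities: a missing or stopped AV engine is a hard stop, while an out-of-date signature file or patch level only limits access so the device can still reach a remediation server and fix itself. A policy engine that cannot distinguish those two cases ends up either too strict (everything quarantined) or too lax (infected hosts admitted).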
Monitoring Post Network Entry
• The forgotten element of Network Access Control
• Why is monitoring a critical element of NAC?
  • Can't effectively check for all threats on entry - takes too long
  • Security policy state can change post entry - users initiate FTP after access is granted
  • Infection can occur post entry - e-mail and web threats can change the security state of the device
• This is critical to network awareness/intelligence
• Monitoring is both for threats and for policy adherence - takes advantage of the policy definition of the NAC solution
• Works hand in hand with NAC quarantine services
Traditional Approach to Network Security
• Traditional approach
  • Firewall/IPS at the perimeter
  • AV, HIDS/HIPS on the endpoint
• External environment
  • New technologies
  • New threats
  • Regulatory requirements
This approach leaves a soft underbelly through which unmanaged, out-of-policy and infected endpoints can easily gain access.
Exploiting the Network's Weakness
Infected endpoints bypass the perimeter… generating rapidly propagating threats that take over a network in minutes… bringing business to a halt and creating costly cleanup.
Monitoring Approaches
• Agent-based approaches
  • Host Intrusion Prevention Systems
  • Personal firewalls
  • Both require integration with a network policy server to be an element of NAC
  • Doesn't cover unknown/unmanaged/unmanageable devices
• Network-based approaches
  • In-line: typically an evolution of IPS vendors into NAC capabilities; also includes Network Behavior Anomaly Detection (NBAD) vendors
  • Out-of-band: most commonly NBAD and former Distributed Denial of Service (DDoS) security vendors
Mitigation Approaches for NAC
• Two elements for NAC mitigation
• Quarantine capabilities (required)
  • On entry, restrict access for devices not meeting requirements
  • Post entry, take a device off the network and send it to a quarantine zone if it violates policy or propagates a threat
  • Ideally should be able to assign to different quarantine servers based on the problem, e.g. registration server for guests, AV scanner for infected devices, etc.
• Remediation services for identified problems (optional)
  • Additional diagnostic tools for deeper checks
    • Vulnerability scanners
    • AV scanners, etc.
  • Tools for fixing identified problems
    • OS patch links
    • AV signature updates and malware removal tools
    • Registration pages for unknown devices
Quarantine Approaches
• Switch integration
  • Uses either ACLs or 802.1X
  • ACLs - not commonly used because of the performance impact on the switch and because the NAC system needs configuration access to every access switch
  • 802.1X - forces the device to re-authenticate and assigns it a new VLAN
  • Pros: effective both pre- and post-admission; standards-based approach in 802.1X
  • Cons: can negatively impact switch performance; usually not granular in quarantine server assignment; if one shared quarantine VLAN is used, quarantined devices can infect each other (cross-infection risk)
• ARP management
  • Pros: no network integration required for full quarantine capabilities; enables surgical, problem-specific quarantine without cross-infection risk; effective both pre- and post-admission
  • Cons: if implemented improperly, network equipment can misidentify the spoofed ARP replies as an attack and drop them (a switch running Dynamic ARP Inspection will drop them unless the enforcer's port is trusted); ARP does not cross routers, so every broadcast domain to be protected needs an enforcer interface on it
• In-line blocking with web redirect
• Proxy with switch integration
• Agent with switch integration
• DHCP lease revocation
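The Monitoring slides give two post-entry state changes that on-entry checks cannot catch (a user starting an FTP server after admission, and an infected host propagating a worm), and the Mitigation slides ask for quarantine that is problem-specific rather than one shared VLAN. The block below is an added example for both passages, not the deck's or Mirage's code: a behavioural check over flow records that flags an endpoint sweeping unallocated ("dark") enterprise address space, which is what worm propagation looks like from the network, and an endpoint answering on a server port the policy forbids, then routes each problem to its own quarantine target. The address plan, the thresholds, the flow records and the quarantine table are constructed assumptions.

```python
"""Monitor post-admission and pick a problem-specific quarantine.

Added example (not the deck's or Mirage's code).  Detects dark-space sweeps
and forbidden services from flow records, then maps each problem to its own
quarantine target instead of one shared quarantine VLAN.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

ENTERPRISE = ipaddress.ip_network("10.1.0.0/16")            # assumption
ALLOCATED = [ipaddress.ip_network("10.1.20.0/24"),          # assumption: the only
             ipaddress.ip_network("10.1.30.0/24")]          # subnets actually in use
DARK_SWEEP_THRESHOLD = 5          # distinct dark targets before it counts as a sweep
FORBIDDEN_SERVER_PORTS = {21: "ftp", 25: "smtp"}  # endpoints may not offer these

# Problem -> where the device is sent.  Surgical: an infected host goes to the
# AV scanner, a policy violator to the self-remediation portal.  Names assumed.
QUARANTINE = {
    "dark-space-sweep": "av-scanner.quarantine.example",
    "forbidden-service": "remediation-portal.quarantine.example",
}


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flags sent by src: "S" = SYN, "SA" = SYN/ACK


@dataclass
class Verdict:
    src: str
    problems: List[str]
    quarantine: str


def is_dark(ip: str) -> bool:
    """Inside the enterprise block but in no allocated subnet."""
    a = ipaddress.ip_address(ip)
    return a in ENTERPRISE and not any(a in n for n in ALLOCATED)


def analyze(flows: List[Flow]) -> Dict[str, Verdict]:
    dark_targets: Dict[str, Set[str]] = defaultdict(set)
    serving: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.flags == "S" and is_dark(f.dst):
            dark_targets[f.src].add(f.dst)
        # A SYN/ACK from src with a forbidden source port means src is serving it.
        if f.flags == "SA" and f.sport in FORBIDDEN_SERVER_PORTS:
            serving[f.src].add(FORBIDDEN_SERVER_PORTS[f.sport])

    verdicts: Dict[str, Verdict] = {}
    for src in sorted(set(dark_targets) | set(serving)):
        problems: List[str] = []
        if len(dark_targets[src]) >= DARK_SWEEP_THRESHOLD:
            problems.append("dark-space-sweep")
        if serving[src]:
            problems.append("forbidden-service")
        if problems:
            # Infection outranks a policy violation when a host shows both.
            verdicts[src] = Verdict(src, problems, QUARANTINE[problems[0]])
    return verdicts


# Constructed flow records: .45 is a normal client, .46 sweeps dark space on
# 445/tcp, .47 starts answering on port 21 after it was admitted.
SAMPLE_FLOWS = [
    Flow(1, "10.1.20.45", 51000, "10.1.30.10", 80, "S"),
    Flow(2, "10.1.20.45", 51001, "8.8.8.8", 53, "S"),
    *[Flow(10 + i, "10.1.20.46", 40000 + i, f"10.1.5.{i}", 445, "S") for i in range(1, 9)],
    Flow(30, "10.1.20.47", 21, "10.1.30.10", 50001, "SA"),
]


if __name__ == "__main__":
    for v in analyze(SAMPLE_FLOWS).values():
        print(v.src, v.problems, "->", v.quarantine)
```

Two caveats a deployment has to settle before this logic is useful. The dark-space check needs an accurate allocation map, otherwise a newly provisioned subnet shows up as a worm outbreak; and the sensor must actually see SYNs to unallocated addresses, which means being in line, on a span port, or answering for those addresses itself, since an out-of-band box that only sees its own segment's broadcast traffic will not observe them.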
What is our goal? Protect the triad.
• The business goal is to protect CIA.
  • Confidentiality of data - assurance of data privacy: only the intended and authorized recipients (individuals, processes or devices) may read the data.
  • Integrity of that data - assurance of non-alteration: the information has not been altered in transmission from origin to reception, nor while stored.
  • Availability of the data and critical business assets - assurance of timely and reliable access to data services for authorized users; information and resources are available when required.
How much should be spent?
• A security budget should reflect the value of the data you are protecting.
• How much is the data worth?
  • Network downtime has a cost associated with it
  • Data reliability has a value tied to it
• Proactive investigation into network downtime and data valuation is critical.
  • Engage a consulting firm to help with discovery
  • Create a process for continued assessment
Network Security GOAL
• …to minimize risk on the network with the least amount of administrative overhead and cost.
• Invest in solutions that eliminate the low-hanging fruit
  • The bulk of network attacks are opportunistic in nature; eliminate that risk
• Invest in solutions that have future/cost protection
  • Solutions that require daily maintenance have many hidden costs
• Invest in processes that complement the security infrastructure
  • Have a threat mitigation and escalation plan
  • Consult local law regarding data forensics and legal admissibility
How Does NAC Accomplish the Security GOAL?
• Typical security investments are largely reactive
  • Anti-virus relies on signatures and waits for an outbreak to occur before it can address the problem
  • IDS/IPS monitors traffic and reactively addresses an outbreak at a choke point in the network
• Most security investments require significant attention to operate effectively, or interfere with user productivity
  • IDS/IPS can require daily upkeep to remain effective
  • Anti-virus can interfere with desktop applications and cause help-desk pain
• NAC proactively assesses risk on entry and then reinforces that with real-time monitoring at the desktop level, sometimes without any endpoint software
  • Some NAC solutions can address the risk management challenge out-of-band, infrastructure independent, software free, etc.
  • Behavioral threat assessment can require little or no daily upkeep
  • Following posture assessment, high-risk devices are kept off the network completely
Summary
• NAC is an evolving technology space
• Know what problems are most important to address
  • Unknown/unauthenticated user control
  • Policy enforcement for endpoints
  • Preventing threats on your network
• Understand implementation tradeoffs
  • Quarantine flexibility
  • Performance impact
  • Cost of solution
  • IT effort to implement
• Keep track of early, evolving standards
Mirage Networks Endpoint Control
• Network Access Control
  • Comprehensive Endpoint Control
  • On-entry Risk Assessment
  • Policy Enforcement
  • IP Telephony Enabled
  • Wireless Support
  • Out-of-Band
  • Agentless
• Day-Zero Threat Protection
  • Patented Behavioral Technology
  • No Signatures, No Updates
  • Leverages Dark IP Space
  • Minimal False Positives
  • Customized Policies
• Policy Enforcement
  • Surgical Quarantining
  • Customized Remediation
  • Infrastructure-Independent
  • No Network Re-architecture
  • Flexible Self-Remediation Options
  • ARP Management - No VLAN of Death
• Network Intelligence
  • Central Mgmt
  • Asset Tracking
  • Network Visibility
  • Executive Reports
  • Cross Network Correlation
  • Compliance & Audit Support
Strategic Partners
• IBM Internet Security Systems (formerly ISS) has formed an alliance with Mirage Networks to provide Network Access Control to global enterprise customers. (Signed November 2006)
• Extreme Networks provides organizations with the resiliency, adaptability and simplicity required for a truly converged network that supports voice, video and data over a wired or wireless infrastructure, while delivering high performance and advanced security features. (Signed March 2005)
• Mitsui Bussan Secure Directions, a subsidiary of Mitsui & Co., Ltd. - one of the world's most diversified and comprehensive trading and services companies - powers Mirage NAC sales in the Japanese marketplace. (Signed October 2004)
• AT&T resells Mirage NAC in its managed services portfolio. Marketed as AT&T Managed IPS™, it represents the AT&T commitment to enabling business to be conducted effectively, efficiently and securely across both wired and wireless IP networks. (Signed March 2005)
• As part of the Avaya DevConnect Program, Mirage works with Avaya to develop interior network defense solutions, particularly for emerging IP telephony technology.
Selected Customers (logo slide; sectors: Finance, Government, Healthcare, Professional Services, Higher Education, K-12, Manufacturing, Other)
Mirage NAC is the Answer
• Full cycle: pre- and post-admission policy enforcement
• Out-of-band deployment: no latency and no switch integration
• Infrastructure independent: all networks, all devices, all OSs
• Zero-day protection without signatures
• Agentless: easy to deploy and manage
• Quarantines without switch integration
• Patented technology
(diagram labels: Check on Connect; Pre-Admission Policy Enforcement; Zero Day Threat Prevention; Post Admission)
Thank You
Kurtis Minder, CISSP - Mirage Networks
Download "Getting the Knack of NAC", a 29-page industry whitepaper, at www.miragenetworks.com