Alcatel-Lucent Safe NAC: Network Access Control Solution. Sales Training, June 2011
Course Objectives
Targeted audience:
• Alcatel-Lucent internal salesforce
• Alcatel-Lucent business partners salesforce
Upon completion of this course, you should be able to:
• Identify the market for Alcatel-Lucent Safe NAC
• Describe the Alcatel-Lucent Safe NAC Solution
• Explain how Safe NAC fits in Alcatel-Lucent’s Security Portfolio
• Understand how to sell Safe NAC
• Course length: approximately 60 minutes
Agenda
• Introducing Safe NAC
• Target Market Segments and Customers
• Market Trends and Challenges
• Selling approach
• Win against the competition
• Elevator Pitch
• More information
• Conclusion
1 Introducing Safe NAC
Trusted Dynamic Enterprise: Safe Network Access Control
Reference Customers
• Gwinnett County Public Schools
• Iona College (US)
• Wolf Creek (Canada)
• HanseatiCContor
Key Features
• Access Control for Guests, LAN & Wireless
• Endpoint Malware Protection
• Verify OS and End Point Configuration
• Controls Automatic Remediation
• Role-based Post Admission Control (MS AD Integration)
• Audit Reports for Compliance
Differentiation
• Non Disruptive Multi-vendor Deployment
• Support for Multi-authentication, Multi-endpoint environments
• Integration with Multiple Network Elements Provides Reduced Cost
• Centralized Management
Comprehensive Enterprise NAC Solution
LAN Users
• Integration with Alcatel-Lucent OmniSwitches
• Dynamic User Network Profiles for NAC Integrated Windows Login
• Integration with VitalQIP
• DNAC technology for 3rd Party switches
Wireless Users
• Integration with Alcatel-Lucent WLAN Solution
• CyberGatekeeper Remote in-line appliance
802.1x Users
• CyberGatekeeper Policy Server
VPN Users
• CyberGatekeeper Remote in-line appliance
Guests
• On-demand Web agent - Windows, Linux & Mac
Continuous Surveillance, Highly Available Solution
Security with Authentication, HIC and Dynamic Access Control • MS Windows Login
Authentication and Policy Enforcement with OmniSwitch
1. Employee, contractor or guest connects to the network.
2. OmniSwitch provides authentication and identifies user profile. It checks if HIC check is needed for this user. (802.1x, MAC, Captive Portal)
3. OmniSwitch redirects traffic to the CyberGatekeeper Policy Server and the remediation servers.
4. CyberGatekeeper policy server receives HIC report from CyberGatekeeper Agent and informs the OmniSwitch if the device has passed or failed.
5. If HIC Passed, OmniSwitch selectively allows device traffic to production network following policy in user profile. If HIC Failed, OmniSwitch restricts traffic to remediation network only.
Diagram labels: 802.1x User, Regular LAN User, Guest, Resident or On-demand Agent, Alcatel-Lucent OmniSwitch, CyberGatekeeper Policy Server, Remediation Server(s), Production Network, Continuous Surveillance
Dynamic User Network Profiles
#1 OmniSwitch admits new endpoint to network under default restricted UNP and registers new MAC address with HIC server
#2 Endpoint is authenticated and audited…
#3 AuthServer queries domain to obtain groups
#4 CyberGatekeeper resolves User/Group and updates UNP…
#5 User granted access according to correct profile…
Diagram labels: OmniSwitch, HIC Server, AuthServ, Domain
A seamless NAC process that utilizes Windows Login and does not require 802.1x
Redundant and Fail Open Architecture
#1 HIC Server cluster members are state aware of all connections registered by OmniSwitch. Fail-over does not interrupt user sessions.
#2 OmniSwitch can be configured with primary and backup HIC servers as well as “fail open” parameters in case both HIC servers are unavailable.
Diagram labels: OmniSwitch, HIC Server, HIC Server
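The admission decision described on the OmniSwitch enforcement slide and the fail-open slide above, as an added Python model that is not Alcatel-Lucent or InfoExpress code. The names `admit`, `query_hic`, `Profile`, the denial on failed authentication and the fail-closed branch are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Hic(Enum):
    PASSED = "passed"
    FAILED = "failed"
    UNAVAILABLE = "unavailable"  # HIC server gave no answer

class Net(Enum):
    PRODUCTION = "production"
    REMEDIATION = "remediation"
    DENIED = "denied"  # assumption: the slides do not cover failed logins

@dataclass
class Profile:  # hypothetical stand-in for a user profile on the switch
    name: str
    hic_required: bool

def query_hic(servers, mac):
    """Try the primary, then the backup; return the first real verdict."""
    for server in servers:
        verdict = server(mac)
        if verdict is not Hic.UNAVAILABLE:
            return verdict
    return Hic.UNAVAILABLE

def admit(authenticated, profile, mac, servers, fail_open):
    """Return (network, reason) for one connecting endpoint."""
    if not authenticated:
        return Net.DENIED, "authentication failed"
    if not profile.hic_required:
        return Net.PRODUCTION, "profile does not require HIC"
    verdict = query_hic(servers, mac)
    if verdict is Hic.PASSED:
        return Net.PRODUCTION, "HIC passed"
    if verdict is Hic.FAILED:
        return Net.REMEDIATION, "HIC failed"
    if fail_open:
        # No verdict exists: this admission is unchecked and worth an alert.
        return Net.PRODUCTION, "fail open: admitted without HIC verdict"
    return Net.REMEDIATION, "HIC unavailable"  # assumption: fail closed

# Constructed sample data: a laptop the HIC servers would fail.
BAD_MAC = "00:11:22:33:44:55"
def up(mac):
    return Hic.FAILED if mac == BAD_MAC else Hic.PASSED
def down(mac):
    return Hic.UNAVAILABLE

if __name__ == "__main__":
    staff = Profile("employee", hic_required=True)
    for label, servers, fail_open in [
        ("backup answers", [down, up], True),
        ("both down, fail open", [down, down], True),
        ("both down, fail closed", [down, down], False),
    ]:
        print(label, admit(True, staff, BAD_MAC, servers, fail_open))
```

With both servers down and fail open set, the non-compliant laptop reaches the production network, so that branch is the one to log and alert on.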
Authentication and Policy Enforcement with OmniAccess
1. Employee, contractor or guest connects to the wireless network.
2. The OmniAccess Controller provides authentication and identifies user network profile. (802.1x, Captive Portal)
3. OmniAccess restricts traffic to the CyberGatekeeper Policy Server and the remediation servers.
4. CyberGatekeeper policy server receives HIC report from CyberGatekeeper Agent and informs the OmniAccess Controller if the device has passed or failed.
5. If HIC Passed, the OmniAccess controller allows device traffic to production network with the endpoint placed in the correct VLAN. If HIC Failed, OmniAccess restricts traffic to remediation network only.
Diagram labels: 802.1x User, Employee, Guest, Resident or On-demand Agent, Alcatel-Lucent OmniAccess Wireless Controller, CyberGatekeeper Policy Server, Remediation Server(s), Production Network, Continuous Surveillance
Authentication and Policy Enforcement with VitalQIP
• DHCP discover/request packets are “intercepted” by the plug-in module in VitalQIP.
• The plug-in queries the CyberGatekeeper policy server to check whether endpoint is compliant.
• Depending on the results (pass/fail/unknown), the plug-in module inserts user class options into the DHCP discover/request packets.
• If a security policy violation is detected the endpoint is quarantined with access to the remediation servers.
• VitalQIP assigns access based on the assigned user class.
• CyberGatekeeper integrates with VitalQIP using a plug-in module.
• Deployment requires no significant network modifications
• 1MB Agent for Windows, Mac, Linux
• Management of the plug-in module is integrated into the VitalQIP user interface
• Enforcement using standard DHCP options
• Relies on standard DHCP attributes
Diagram label: Remediation Servers
Meeting the Challenge
Quadrant labels: 1. NETWORK, 2. PEOPLE, 3. PROCESS, 4. KNOWLEDGE
Panel headings: PRODUCTIVITY ENHANCED, THREAT PROTECTION, ENTERPRISE IS SECURE, DEPLOYMENT IS SIMPLE
• Secured Guest Access
• Secured Partner Access
• Secured Contractor Access
• Services are Available
• Endpoints are Compliant
• Malware is Contained
• No Rogue Endpoints
• Continuous Surveillance
• Supports Existing Infrastructure
• Multi-Vendor Networks
• Multiple Endpoint platforms
• Multiple Authentication Methods
• Reduced Help Desk Costs
• Reduced Management Costs
• Enterprise is Compliant
• Data is Protected
2 Target market segments and customers
NAC Appliance Market: Unit Shipment and Revenue Forecasts (World), 2005-2015
• NAC Appliance market in 2008 was approximately $110M
• Compound Annual Growth Rate (2008-2015): 15.0%
• Most Organizations Have Yet to Roll Out NAC
Source: World Network Access Control Products Market, Frost & Sullivan, N69E-74, September 2009
Market Distribution
NAC Appliance Market: Revenue Distribution by Vertical Market (World), 2008
Source: World Network Access Control Products Market, Frost & Sullivan, N69E-74, September 2009
Market Segment Drivers
• Education
  • Have thousands of concurrent users requiring different levels of network access
  • High percentage of unmanaged endpoints
  • Is more price sensitive
  • Compete on factors such as scalability, interoperability, endpoint coverage, strong on guest access.
  • Strong competition from Bradford and Cisco
• Finance
  • Present the most lucrative targets for malware writers and cyber attacks
  • High security requirements that NAC was originally envisioned to enforce
  • Highly regulated, and NAC can enable demonstration of compliance
  • Also require guest networking capabilities
  • Most endpoints are managed, and standardized on Windows
  • Long-standing relationships with large IT vendors such as Cisco and Symantec
• Government
  • Smaller state and local government organizations have shown strong interest in NAC
  • Breadth of enforcement options (such as 802.1x and DHCP management, combined with inline enforcement) and strong quarantine abilities are very important
  • NAC vendors to achieve certain certifications
  • Developing partnerships with the correct distributors and IT resellers is crucial
  • Government organizations have very closed operations
• Healthcare
  • Interest in NAC is primarily motivated by HIPAA, demonstration of compliance
  • Need to demonstrate ability to reduce help desk workload
  • High number of unmanaged endpoints
  • Myriad of endpoint types such as IP enabled healthcare-related technologies
  • Complex networks with numerous static IP address-based endpoints
Source: World Network Access Control Products Market, Frost & Sullivan, N69E-74, September 2009
3 Market Trends and Challenges
Why Are Customers Buying
• Guest Network Services
  • Isolating guests and visitors from corporate network
  • Providing guests with limited connectivity - Internet access only.
  • Commonly start with wireless guest then extend to the wired network.
• Endpoint Baselining
  • Determining if endpoints are compliant with device
  • Providing support for remediation
• Identity-aware Networking
  • Providing visibility and control over user behavior
  • Monitor user traffic and enforce access to critical resources
• Monitoring & Containment
  • Monitoring endpoints or network traffic to detect and quickly contain endpoints that begin to exhibit dangerous behavior.
  • Monitoring/containment is a secondary driver for the other three usage cases.
NAC market in 2008 was approximately $221M
• Customers Will Look First to Their Current Infrastructure Vendor
*Gartner MQ for Network Access Control, March 2009, G00166224
Why Can Safe NAC Win
• Ability to provide comprehensive solution covering market need
• Guest Access, device health check, and being compliant
• Competitive feature set with other major NAC vendors
• Support many deployment scenarios matching diverse customer environments
• Multiple trigger and policy enforcement points
• Ability and trusted to provide a multi-vendor solution
• Ability and trust to provide professional services to ensure a successful project
• Ability to compete on price vs features and performance
4 Selling approach
Who Should We Talk to in Target Customers
• IT Network Manager: Gain access to the Center of Receptivity and test Value Hypothesis
• Director IT: Build momentum with the Center of Dissatisfaction
• CSO/CIO/Finance: Prove value to the Center of Power (Business Case)
What Are Their Needs?
IT Manager
• Reduce help desk costs
• Reduce time to handle requests for guest access
• Reduce time to troubleshoot outages related to malware and mis-configured endpoints
• Easy to deploy solution for NAC
Director IT
• Comprehensive solution for multi-vendor network
• Support all types of endpoints: Windows, Unix, Mac, iPhone, Xbox, etc.
• Support for global rollout of solution
• Reduced overhead costs
CSO/CIO
• Network is protected from malware
• No rogue endpoints on the network
• Users can only access services for which they are approved
• Producing audit reports and demonstrating compliance is efficient
• Vendor has appropriate pedigree in security
Finance
• Competitive price vs. performance and functionality
• Trusted multi-network solution vendor
• Global multi-network capable professional services organization
Qualifying a Prospect
Key Questions for the Customer
• Can you provide safe and economical guest access to your corporate network?
• Have you put in place the required security to ensure that all endpoints connecting to your network are properly identified and configured?
• Are controls in place ensuring that once an individual is connected to the network they have access to only the resources they need?
• Can you efficiently provide the required audits on user activity to demonstrate compliance?
• Are you concerned that a malware infected endpoint can cause your voice communications to grind to a halt?
• Are you protected against malware infected endpoints running a softphone application?
• Can you control access to the network of non-managed endpoints such as iPhones and Xboxes?
Safe NAC as an OmniSwitch, OmniAccess or VitalQIP Up-sell
5 Win against the competition
6 Elevator pitch
Three Minutes to Convince your Customer
• IT Manager: Safe NAC will meet your organization's need for secure guest access and endpoint host integrity checks, and will improve your ability to demonstrate compliance. Safe NAC is architected to be non-disruptive to install in existing networks, is easy to manage, and has been shown to reduce help desk costs and save time for the IT team.
• Finance: Safe NAC is a comprehensive solution that is competitive on price vs. performance and functionality when compared with other solutions on the market. Alcatel-Lucent is able to meet the needs of large enterprises with its global multi-vendor capable professional services organization.
• CIO/CSO: Safe NAC is secure because security is enforced by the network infrastructure rather than at the endpoints. Safe NAC can provide the controls required to ensure that access to the corporate LAN and applications is as per corporate policy. This includes the required reporting to demonstrate compliance.
7 More information
Gwinnett County Public School chooses Safe NAC
Gwinnett County Public Schools: Located 30 miles northeast of Atlanta. Over 160,000 students attend the 114 schools from kindergarten through high school. GCPS is the state of Georgia’s largest public school. The student population steadily grows each year by about 3,500. With a staff of 22,000 people, GCPS is Gwinnett County’s largest employer.
Requirements
• Host Integrity check for all end-points
• Secure and control access to the LAN & WLAN for staff, student and guest access
• Controlled access to resources once connected
• Endpoints of different types (PCs, VoIP Phones, Printers) can be given different access privileges
• Students are only allowed access when using Gwinnett managed endpoints
• Real-time quarantine when security policy violations occur
• Minimal additional operational costs
Technical Requirements
• Authentication for all devices (laptops, VoIP phones, Printers, etc.)
• Support for different endpoint platforms (Windows, Mac)
• High Availability solution with fail open
Why Alcatel-Lucent?
• Ability to provide a seamless and secure NAC solution for the large school district that can be centrally managed in an efficient manner
• Ability to dynamically apply security policies on the go at connection time as well as run time.
• Ability to provide detailed audit of endpoint configuration
• Ability to integrate and leverage existing infrastructure
Wolf Creek Chooses Safe NAC
Wolf Creek Public School: Approximately 7200 students, from Kindergarten to Grade 12; employs approximately 475 teachers and 350 support staff. There are 33 schools in the division; the operating budget for the 2008-2009 school year was $65.2 million.
Business Requirements
• Network Access Control for all users & endpoints
• Secure and controlled guest access
• Encourage students to bring their own laptops
• Controlled access to resources once connected
• Minimal additional operational costs
Academic Requirements
• Enable one-to-one mobile computing research
• Use SaaS as a technology approach for rapid application deployment
• Use NAC as a technology for securely extending services to student-owned devices
Technical Requirements
• Authentication for all devices (laptops, VoIP phones, Printers, etc.)
• Support for different endpoint platforms (Windows, Mac)
• Support for unmanaged machines with no pre-installed agent
Why Alcatel-Lucent?
• Ability to provide detailed audit of endpoint configuration
• Ability to classify endpoints at the MAC layer
• Ability to apply UNP to restrict or enable access based upon ACLs
• Ability to leverage existing infrastructure
HanseatiCContor Chooses Safe NAC
• HanseatiCContor, Germany selects OmniSwitch NAC & CyberGatekeeper to secure its new converged communications network service customers, guests, and mobile workers.
• OmniSwitch & CyberGatekeeper option selected to provide NAC and HIC
• Every device connected to the network is authenticated
• Access is granted based upon a profile
• Different customers are placed into proper network segment
• All endpoints are verified to be compliant before allowed onto the network
• All critical patches applied, Anti-virus in place, and personal firewall enabled
• Unauthorized applications are disabled
• If a device changes status it is placed into quarantine
• Always-on, with low operational costs was a key factor
Needed a secure and manageable communications infrastructure to accommodate a complex business environment
Iona College Chooses Safe NAC
• IONA College, New Rochelle, New York selects CyberGatekeeper to protect their Wireless Network and seamlessly enable Host Integrity Checking/Campus Network Policy on Students’ laptops.
• Solution selected as a replacement for Symantec CIM.
• Solution scans Symantec A/V to make sure it is not out-of-date.
• Using self remediation through the CyberGatekeeper they will be able to deliver the proper A/V package to all the students without the need to touch the laptops.
• ‘Desirable Mode’ enables testing policies before deployment.
• Client notification capabilities on policy changes well-liked.
• Support for Vista and Mac platforms was key.
For More Information on Safe NAC http://enterprise.all.alcatel-lucent.com/products/?family=Security&product=SNAC&page=overview
8 Conclusion – Key takeaways
• Safe NAC offers a comprehensive network access control solution enabling an enterprise to safely provide controlled access to its LAN and applications for guests, partners, contractors, and employees, to ensure endpoints are free from malware and conform to corporate policy, and to increase ability to demonstrate compliance.
• Safe NAC continuously monitors the corporate network and automatically controls remediation.
• At the core of Alcatel-Lucent’s Safe NAC solution is InfoExpress CyberGatekeeper integrated with the OmniSwitch, OmniAccess, VitalQIP, and OmniVista. Soon to come is integration with and Alcatel-Lucent 8950 AAA.
• Safe NAC’s key differentiators include support for multi-vendor networks, support for multi-endpoint platforms, and deployment without disruption to the existing network.
• Safe NAC is competitive on price vs performance and functionality and is supported by a multi-vendor capable professional services team.