1. Network Access Control (NAC) Arun George
2. Agenda The IPS-Secured Network
Introducing Network Access Control v4.1
TippingPoint Advantages
3. IPS-Secured Networks
A bi-planar network is a network where connectivity devices (switches and routers) get packets from point A to B and overlay devices called network control points – or NCPs – provide control. If you’ve deployed any overlay device – IPS, anti-x gateways, WAN optimizers, inline sniffers – or are considering it, you’re building a bi-planar network.
Once you start to think of networks this way, it tells you all sorts of things about how a bi-planar network should be built. In fact, you can build a list of the fundamental requirements of a bi-planar network.
4. IPS-Secured Networks
5. IPS-Secured Networks
6. IPS-Secured Networks
7. How TippingPoint NAC Works
How does this endpoint compliance process work?
Discover: The first step is for the access point to discover the device attempting access.
Enforce: From there, the solution applies an integrity check to determine whether the endpoint complies with current security policy.
Remediate: If it is out of policy, the system can be quarantined, remediated, or given federated access to the LAN.
Monitor: It is also important to have ongoing checks so that, if a security event occurs, the system can be discovered and remediated at a subsequent time.
These steps ensure compliance on contact, but also the ability to maintain an ongoing connection to that endpoint.
8. Introducing TippingPoint NAC 4.1
9. Different Users, Different Endpoints, Different Needs
10. Enforcement Tradeoffs
11. Combining Enforcements
12. TippingPoint NAC 4.1
13. TippingPoint’s Inline Enforcement
14. How 802.1x Enforcement Works
15. How DHCP Enforcement Works
16. TippingPoint Enforcement Advantages
Inline
Can be installed logically because it is VLAN-aware. NAC solutions developed as a switch may require a physical inline deployment, which increases the number of devices needed and makes HA dependent on spanning tree.
Provides granular access control per connection
802.1X and DHCP
Other NAC solutions deployed out-of-band rely on the switch infrastructure to send traps and may push new switch configurations on the fly, which depends on firmware support. TippingPoint uses standards-based approaches to ensure network compatibility.
Solutions developed as a switch or gateway only offer inline enforcement as part of their NAC solution. TippingPoint can offer inline enforcement only where it is appropriate given the deployment and user profiles.
802.1X offers protection down to the edge port, while DHCP deploys without any changes to network infrastructure.
17. How Posture Collection Works
18. Posture Collection Advantages
TippingPoint’s NAC Posture client:
Does not require administrative access
NAC solutions that use Microsoft’s RPC port or install as a full application require administrative access
Is not blocked by personal firewall software
NAC solutions using network-based scans attempt to discover vulnerabilities by assessing open ports on the endpoint. Personal firewall software blocks these network-based scans from learning important information about the endpoint’s compliance.
Is browser independent
NAC Solutions using ActiveX are limited to support Internet Explorer browser versions only.
Supports Apple, Linux, Microsoft
Many NAC Solutions only support Microsoft OS versions
19. User Directory Integration Advantages
Not all NAC Solutions integrate directly with LDAP or Active Directory
TippingPoint can ‘mix and match’ multiple authentication methods with multiple authentication servers on the same network
Not all NAC Solutions can match on groups without changes to the external user directory
TippingPoint learns group membership and user account details during authentication without requiring any new policies or changes to user accounts in the user directories
Not all NAC Solutions can create defaults, causing an administrator to create policies for every group in the external authentication server
Role-based policies use filters and matches to create defaults or collapse multiple groups into the same policy
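As an added illustration (not TippingPoint’s code), the following sketches the discover/enforce/remediate/monitor cycle from slide 7 together with the filter-and-default role matching described on this slide: ordered group filters collapse several directory groups into one policy, a catch-all rule supplies the default, and a failed posture check routes the endpoint to quarantine with a remediation list. Group names, rule patterns and posture categories are constructed assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Posture categories the deck says the agent checks (antivirus, antispyware,
# personal firewall). Values are True when present and up to date.
REQUIRED_POSTURE = ("antivirus", "antispyware", "firewall")

@dataclass
class Endpoint:
    user: str
    groups: list   # directory groups learned during authentication
    posture: dict  # category -> bool, as reported by the posture agent

# Ordered role rules (constructed). The first filter that matches any of the
# user's groups wins, so several directory groups collapse into one policy;
# the final "*" rule is the default so no per-group policy is required.
ROLE_RULES = [
    ("*-contractors", "guest"),
    ("eng-*", "employee"),
    ("it-*", "employee"),
    ("*", "default"),
]
ROLE_ACCESS = {"employee": "full", "guest": "restricted", "default": "restricted"}

def match_role(groups):
    """Discover: map the user's directory groups to a role via ordered filters."""
    for pattern, role in ROLE_RULES:
        if any(fnmatchcase(g, pattern) for g in groups):
            return role
    return "default"  # reached only when the user has no groups at all

def posture_failures(posture):
    """Enforce: list the required categories the endpoint fails."""
    return [c for c in REQUIRED_POSTURE if not posture.get(c, False)]

def decide(endpoint):
    """Enforce/Remediate: a failing endpoint is quarantined with a remediation list."""
    role = match_role(endpoint.groups)
    failures = posture_failures(endpoint.posture)
    if failures:
        return {"role": role, "action": "quarantine", "remediate": failures}
    return {"role": role, "action": ROLE_ACCESS[role], "remediate": []}

def recheck(endpoint, previous):
    """Monitor: re-evaluate on a later heartbeat; report whether access changed."""
    current = decide(endpoint)
    return current, current["action"] != previous["action"]
```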
20. TippingPoint Advantages Multiple Enforcement Options. Other vendors will need to advocate that DHCP, 802.1x, or Inline enforcement by itself is the one perfect enforcement type. TippingPoint gives the flexibility to utilize the appropriate enforcement or combinations thereof under centralized management to provide a superior solution.
Multi-OS Posture Agent. TippingPoint posture agent does not require administrative access unlike vendors using RPC, is browser independent unlike vendors using ActiveX, can be used as persistent or dissolvable unlike vendors with only thick clients, and does not rely on any network-based scans that can be thwarted by personal firewalls.
Extended Posture Vendor Support and Update Service. TippingPoint offers posture checks for antivirus, antispyware, and personal firewall software with built-in support for hundreds of vendors, with policies that update automatically.
Secure Guest Access. TippingPoint offers a clean guest-user experience with a customized captive portal, dissolvable posture agent, and specific access controls.
Integration with Intrusion Prevention. TippingPoint will offer integration of network access control into its award-winning best-in-breed IPS products to provide 360 degree coverage.
21. Substantial Growth in NAC Market
22. Selected TippingPoint NAC Customers
23. Philadelphia School District
World’s largest WLAN
One of the largest NAC deployments in the world
All centrally managed by RP
24. Size: 34 Regions, 340 Campuses / Buildings
Problem:
Multiple contractors and consultants visiting Boeing locations
Driven by CIO and VP level requirements
Needs:
Multi-tiered guest access critical to operations
Various guest user types that have specific network and application access requirements
Self-registration with automated approval process and provisioning management
Detailed audit trails
Support for internal user access management
Large Company
Losing tens of thousands per day
Looked at everything, and we are displacing an SSL VPN (Nortel & Juniper)
Only 20% into a $3 million purchase
25. Thank You