
Risk Management using Network Access Control and Endpoint Control for the Enterprise





Presentation Transcript


  1. Risk Management using Network Access Control and Endpoint Control for the Enterprise Kurtis E. Minder – Mirage Networks

  2. i - CONFIDENTIAL -

  3. Agenda
  • Drivers of NAC
  • Key Elements of NAC Solutions
    • Identify
    • Assess
    • Monitor
    • Mitigate
  • NAC Landscape

  4. Business Needs Drive Security Adoption
  • 3 Ubiquitous Security technologies
    • Anti-virus - Business driver: File sharing
    • Firewalls - Business driver: Interconnecting networks (i.e. Internet)
    • VPNs - Business driver: Remote connectivity
  • Today’s top security driver - Mobile PCs and devices
    • Broadband access is everywhere
    • Increased percentage of the time devices spend on unprotected networks
    • Perimeter security is rendered less effective because mobile devices bypass it and aren’t protected by it
  • Mobility of IP devices is driving the need for Network Access Control solutions
    • Leading source of network infections
    • More unmanaged devices on the network than ever - guest and personal devices

  5. The Traditional Approach to Network Security Isn’t Enough

  6. The Problem NAC Should Address
  Today, endpoint devices represent the greatest risk to network security — by propagating threats or being vulnerable to them.
  “Because of worms and other threats, you can no longer leave your networks open to unscreened devices and users. By year-end 2007, 80 percent of enterprises will have implemented network access control policies and procedures.” (Gartner, Protect Your Resources With a Network Access Control Process)
  • Infected Devices propagate threats, resulting in loss of productivity & hours of cleanup
  • Unknown Devices like home PCs, contractor PCs, & WiFi phones can introduce new threats or compromise data security
  • Out-of-Policy Devices are more vulnerable to malware attacks, while running services that could jeopardize security

  7. The Cost
  Sources:
  1 mi2g Intelligence Unit, Malware Damage in 2004
  2 ICSA Labs, 9th Annual Computer Virus Prevalence Survey

  8. The Numbers Tell the Story
  “Protection” is in place…
  • 98% use firewalls [1]
  • 97% of companies protect machines with antivirus software [1]
  • 79% use anti-spyware [1]
  • 61% use email monitoring software [1]
  But it’s not enough!
  • Cost of malware: $14.2B [2]
  • 80% of companies experienced 1 or more successful attacks, 30% had more than 10 [3]
  • Average net loss for malware incidents in US companies is nearly $168,000 per year [1]
  • Worldwide, 32% of companies experience attacks involving business partners
    • 43% of those were infections, while 27% were unauthorized access [4]
  • 75% of enterprises will be infected with malware that evaded traditional defenses [5]
  Sources:
  1 Computer Security Institute/FBI’s 2006 Computer Crime and Security Survey
  2 Computer Economics, 2006
  3 ICSA Labs, 9th Annual Computer Virus Prevalence Survey
  4 Cybertrust, Risky Business, September 2006
  5 Gartner, Gartner’s Top Predictions for IT Organizations and Users, 2007 & Beyond, December 2006

  9. The Problem is Expected to Get Worse
  2006 Statistics
  • Steep increase in the number of software security vulnerabilities discovered by researchers and actively exploited by criminals
  • Microsoft Corp issued fixes for 97 (versus 37 in 2005) security holes assigned the "critical" label
  • 14 of the critical holes became "zero day" threats.
  • Experts worry that businesses will be slow to switch to Vista.
  • Pre-Vista MS Office is expected to remain in widespread use for the next 5-10 years.
  Source: Washington Post, Dec 2006, Cyber Crime Hits the Big Time in 2006

  10. NAC Market Expectations
  • NAC Appliance vendors will sell $660m worldwide in 2008
  • NAC Appliances will gain 17% worldwide share of the NAC market by 2008, up from 6% in 2005
  • Research reveals World Network Access Control (NAC) Products and Architectures Markets earned revenues of over $85 million in 2006 and estimates this to reach over $600 million in 2013
  • Gartner estimates that the NAC market was $100M in 2006 and will grow by over 100% by YE 2007

  11. Increasing Number of Targets to Protect
  SANS Institute 2006 Top Attack Targets*
  Operating Systems
  • Internet Explorer
  • Windows Libraries
  • Microsoft Office
  • Windows Services
  • Windows Configuration Weaknesses
  • Mac OSX
  • Linux Configuration Weaknesses
  Network Devices
  • VoIP Phones & Servers
  • Network & Other Devices Common Configuration Weaknesses
  Cross Platform Applications
  • Web Applications
  • Database Software
  • P2P File Sharing Applications
  • Instant Messaging
  • Media Players
  • DNS Servers
  • Backup Software
  • Security, Enterprise, and Directory Management Servers
  Security Policy & Personnel
  • Excessive User Rights & Unauthorized Devices
  • Users (Phishing/Spear Phishing)
  *SANS Institute Top 20 Internet Security Attack Targets (2006 Annual Update), v7.0, 11.15.06

  12. What Class of NAC Solutions to Deploy? (chart: Aberdeen Research, 2006)

  13. Top Drivers Influencing NAC Solutions (chart: Aberdeen Research, 2006)

  14. Top Features Required in a NAC Solution (chart: Aberdeen Research, 2006)

  15. Key Elements of NAC Solutions

  16. Common NAC Elements
  • NAC is an evolving space with evolving capabilities
  • NAC solution elements - some or all
    • Identify - Detect & authenticate new devices
    • Assess - Endpoint integrity checks to determine levels of risk and adherence to security policy
    • Monitor - Watch the device’s activity for change of assessed state with respect to policy and threat status
    • Mitigate - Take appropriate action upon any device that is identified as a security risk by the previous three elements

  17. Identify - Find/Authenticate New Devices
  • Question - How do you know when a new device comes on the network? Is it a known or unknown device? Is it an authenticated user?
  • Common approaches
    • Leverage 802.1x or network infrastructure OS
      • Authenticate through existing EAP infrastructure to pass credentials to authentication server
    • Special purpose DHCP server
      • Authentication usually web based and tied to authentication server
    • Authentication proxy
      • NAC solution serves as a proxy between device and authentication server
    • Inline security appliances (i.e. security switches)
      • Serve as a proxy between device and authentication server
    • Real time network awareness
      • Authentication usually web based and tied to authentication server
  • All approaches trigger off entry on the network by a new IP device

  18. Identify - Pros & Cons of Various Approaches
  • 802.1x approach
    • Pros: Device detected and authenticated prior to IP address assignment
    • Cons: Often is a costly and time consuming installation
      • Requires switch upgrade/reconfiguration
      • Endpoints must be 802.1x enabled - requires supplicant software
      • Must create guest/remediation VLANs
  • DHCP approach
    • Pros: Easier to deploy, independent of network infrastructure, covers both managed and unmanaged devices
    • Cons: Bypassed by static IP address assignment, remediation typically to a broadcast VLAN (cross infection risk)

  19. Identify - Pros & Cons of Various Approaches cont.
  • Authentication proxy
    • Pros: Good hook for checking managed devices
    • Cons: Unknown devices may never authenticate, but still could have network access; may not check all IP devices
  • In-line security appliance/switch
    • Pros: Sees all devices both managed and unmanaged and doesn’t require agent based software
    • Cons: If it is not inline with, or does not replace the access switch then it will not see the device as it comes on the network
  • Out of band appliances with network awareness
    • Pros: Sees all devices as they enter the network both managed and unmanaged; easier to implement than many of the other approaches
    • Cons: May require switch integration for mitigation of problems

  20. Assess

  21. Assess Endpoint Integrity
  • Question: Even if a device is allowed on my network, how do I ensure it meets my security policies and risk tolerance?
  • Answer: Endpoint integrity checks
    • Operating system identification and validation checks
      • Typically requires an agent
      • Must establish a policy relating to acceptable patch level (latest patch on company SMS server, no older than X months, most recent patch available from software vendor)
      • What do you do for unknown devices? Usually requires an agent for these checks
    • Security software checks - AV, personal firewall, spyware, etc.
      • Is it up and running
      • Is it in the right configuration
      • Is it up to date - both the software and the database
      • Usually requires an agent for these checks

  22. Assess Endpoint Integrity cont.
  • Endpoint integrity checks cont.
    • Endpoint configuration - find unauthorized servers and services
      • Web servers, FTP servers, mail servers, etc.
      • Vulnerable or high risk ports, i.e. port 445 exploited by Zotob
      • These checks can be done from the network or with an agent
    • Threat detection
      • Scan the device for active infections or backdoors
      • Not commonly implemented on entry to the network
        • Too much latency
        • Risk profile substituted for deep scans (i.e. AV is up to date and had a current scan)
  • Elements for endpoint integrity checks
    • Network scanning server (Optional)
    • Endpoint software - permanent or transient (Optional)
    • Policy server (Required) - must have somewhere to define what is allowed/disallowed

  23. Monitor

  24. Monitoring Post Network Entry
  • The forgotten element of Network Access Control
  • Why is monitoring a critical element of NAC?
    • Can’t effectively check for all threats on entry - takes too long
    • Security policy state can change post entry - users initiate FTP after access is granted
    • Infection can occur post entry - e-mail and web threats can change security state of the device
  • What Gartner says in their paper “Protect Your Resources With a Network Access Control Process”
    • “The network traffic and security state of systems that are connected to the network must be monitored for anomalous behavior or system changes that bring them out of compliance with security policies.”
  • Why isn’t this simply another network security function?
    • Monitoring is both for threats and policy adherence - takes advantage of policy definition of NAC solution
    • Works hand in hand with NAC quarantine services

  25. Traditional Approach to Network Security
  • Traditional Approach
    • Firewall/IPS at the Perimeter
    • AV, HIDS/HIPS on the Endpoint
  • External Environment
    • New technologies
    • New threats
    • Regulatory requirements
  This approach leaves a soft underbelly through which unmanaged, out-of-policy and infected endpoints can easily gain access.

  26. Exploiting the Network’s Weakness
  Infected endpoints bypass the perimeter… …generating rapidly propagating threats that take over a network in minutes… …bringing business to a halt and creating costly cleanup.

  27. Monitoring Approaches
  • Agent based approaches
    • Host Intrusion Prevention Systems
    • Personal firewalls
    • Both require integration with a network policy server to be an element of NAC
    • Doesn’t cover unknown/unmanaged/unmanageable devices
  • Network based approaches
    • In-line: Typically evolution of IPS vendors into NAC capabilities; also includes Network Based Anomaly Detection (NBAD) vendors
    • Out-of-band: Most commonly NBAD and old Distributed Denial of Service (DDoS) security vendors
  • Key considerations
    • Does the security device watch for policy violations as well as threats?
    • Does it see devices as they enter the network?
    • Can they work across both voice and data networks without negatively impacting quality and performance?
    • What is the management overhead associated with both approaches?

  28. Mitigate

  29. Mitigation Approaches for NAC
  • Two elements for NAC mitigation
    • Quarantine capabilities (required)
      • On-entry restrict access for devices not meeting requirements
      • Post-entry take a device off the network and send to quarantine zone if they violate policy or propagate a threat
      • Ideally should be able to assign to different quarantine server based on problem, i.e. registration server for guests, AV scanner for infected devices, etc.
    • Remediation services for identified problems (optional)
      • Additional diagnostic tools for deeper checks
        • Vulnerability scanners
        • AV scanners, etc.
      • Tools for fixing identified problems
        • OS patch links
        • AV signature update and malware removal tools
        • Registration pages for unknown devices
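  The endpoint integrity checks of slides 21-22 and the problem-specific quarantine assignment of slide 29 can be expressed as a small policy server. This is an added example, not Mirage's code; the policy thresholds, posture-report fields, zone names and MAC addresses are all constructed for illustration.

```python
"""Toy NAC policy server: endpoint integrity checks and problem-specific quarantine zones."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

# Constructed policy (not Mirage's): acceptable patch age, AV signature age, disallowed services
MAX_PATCH_AGE_DAYS = 90
MAX_AV_SIG_AGE_DAYS = 7
DISALLOWED_PORTS = {21: "ftp", 25: "smtp", 80: "http", 445: "smb"}


@dataclass
class Posture:
    """What the agent or network scan reported for one endpoint (constructed format)."""
    mac: str
    known: bool                      # registered/authenticated device?
    os_patch_date: Optional[date]    # None when the agent could not determine it
    av_running: bool
    av_sig_date: Optional[date]
    listening_ports: Set[int] = field(default_factory=set)
    active_infection: bool = False   # from a threat scan, if one was run


@dataclass
class Decision:
    action: str          # "allow" or "quarantine"
    zone: str            # quarantine server chosen for the most severe problem
    reasons: List[str]


def assess(p: Posture, today: date) -> Decision:
    """Evaluate one posture report against the constructed policy."""
    reasons = []
    if p.active_infection:
        reasons.append("active infection")
    if not p.av_running:
        reasons.append("AV not running")
    elif p.av_sig_date is None or (today - p.av_sig_date).days > MAX_AV_SIG_AGE_DAYS:
        reasons.append("AV signatures stale")
    if p.os_patch_date is None or (today - p.os_patch_date).days > MAX_PATCH_AGE_DAYS:
        reasons.append("OS patch level out of policy")
    bad = sorted(p.listening_ports & set(DISALLOWED_PORTS))
    if bad:
        reasons.append("unauthorized services: " + ", ".join(f"{d}/{DISALLOWED_PORTS[d]}" for d in bad))
    if not p.known:
        reasons.append("unknown device")
    if not reasons:
        return Decision("allow", "production", [])
    # Zone choice is problem specific: infected hosts go to the AV scanner,
    # unknown devices to the registration page, everything else to remediation.
    if p.active_infection:
        zone = "av-scanner"
    elif not p.known:
        zone = "registration"
    else:
        zone = "remediation"
    return Decision("quarantine", zone, reasons)


# Constructed posture reports for three endpoints, evaluated as of a fixed date
TODAY = date(2007, 3, 1)
COMPLIANT = Posture("00:11:22:33:44:01", True, date(2007, 2, 20), True, date(2007, 2, 28))
GUEST = Posture("00:11:22:33:44:02", False, None, True, date(2007, 2, 28))
INFECTED = Posture("00:11:22:33:44:03", True, date(2006, 10, 1), True, date(2007, 1, 1), {445}, True)
```

Calling `assess(report, TODAY)` on each constructed report returns allow for the compliant host, registration quarantine for the guest, and AV-scanner quarantine for the infected host with its stale patches and SMB listener listed as reasons.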

  30. Quarantine Approaches
  • DHCP integration
    • Uses DHCP process for identification and endpoint integrity checks on entry to the network.
    • Pros: Assigns appropriate IP and VLAN according to their risk level
    • Cons: After IP address is assigned they don’t have an independent quarantine capability; Static IPs bypass their enforcement
  • Switch integration
    • Uses either ACLs or 802.1x
      • ACLs - not commonly used because of negative performance impact and access requirements in the network
      • 802.1x - forces device to re-authenticate and assigns new VLAN
    • Pros: Effective both pre and post admission, uses standards based approach in 802.1x
    • Cons: Can negatively impact switch performance; Usually not granular in quarantine server assignment; If using broadcast quarantine VLAN there is a cross-infection risk

  31. Quarantine Approaches cont.
  • In-line blocking with web redirect
    • Pros: Improved performance over ACLs; Can granularly block suspect traffic; has the capability of sending web traffic to appropriate quarantine server based on problem
    • Cons: Doesn’t see downstream traffic so can only block and redirect traffic that comes through it; May require additional integration with network for mitigation because of this
  • ARP management
    • Security appliance selectively goes inline for a single host and becomes its default gateway by ARP manipulation
    • Pros: No network integration required for full quarantine capabilities; enables surgical, problem specific quarantine without cross-infection risk; effective both pre and post admission
    • Cons: If implemented improperly network equipment can misidentify this as an attack and drop this traffic

  32. Today’s NAC Landscape
  • Evolving proprietary standards
    • Cisco Network Admission Control (CNAC)
      • Three critical elements - Cisco Trust Agent (CTA), updated Network Access Device (NAD), Cisco Access Control Server (ACS)
      • Integration with endpoint agents to communicate with ACS regarding appropriate access level to the network
    • Microsoft Network Access Protection (NAP)
      • Available in Vista
      • Endpoint needs System Health Agent (SHA)
      • SHA reports to System Health Validator (SHV) to do policy checks
      • Network isolation through enforcement integrations
        • DHCP Quarantine Enforcement Server (QES)
        • VPN QES
        • 802.1x
  • Trusted Network Connect open standard
    • TNC compliant client required on endpoints
    • Policy Decision Point (PDP) for security policy comparisons
    • Policy Enforcement Point (PEP) for quarantining

  33. Summary
  • NAC is an evolving technology space
  • Know what problems are most important to address
    • Unknown/unauthenticated user control
    • Policy enforcement for endpoints
    • Preventing threats on your network
  • Understand implementation tradeoffs
    • Quarantine flexibility
    • Performance impact
    • Cost of solution
    • IT effort to implement
  • Keep track of early evolving standards

  34. About Mirage

  35. Background & Key Accomplishments
  • Company Highlights
    • First GA Product: January, 2004, V3 Launched in July, 2006
    • Acquisition of WholePoint Corporation - Dec 04
    • 1 NAC Patent Granted; 10 Pending
  • Customer/Partner Momentum
    • 1100+ units sold and deployed
    • 350+ Production Customers
    • Key Verticals: EDU, H/C, FIN, TEC, MFG, S&L, PRO
    • 120 Channel Partners (93% of Revenues)
    • Strategic Relationships: IBM/ISS, Extreme, Mitsui, AT&T, Avaya
  • Industry Recognition
    • Info Security Hot Companies 2007
    • Best Anti-Worm, Anti-Malware, SC Magazine/RSA 2006
    • InfoSecurity Customer Trust Product Excellence Award, 2006
    • Software Development magazine: four star product review, May 2005

  36. Mirage Networks Management Team
  • Greg Stock, President & CEO
    • Manugistics, Vastera, e-security, IBM
  • Thomas Brand, VP, WW Field Operations
    • Vastera, Toyota, Chrysler
  • David Thomas, VP, Products
    • NovusEdge, Vignette, IBM
  • Michael D’Eath, VP, Business Development
    • Waveset, Tivoli, Novell
  • Grant Hartline, CTO
    • Cisco, Dell, NEC
  • David Settle, CFO
    • Exterprise, Dazel, Convex Computer Corp

  37. Mirage Board of Directors/Investors
  • Greg Stock, Mirage Networks
  • Tim McAdam, Trinity Ventures
  • Martin Neath, Adams Capital
  • Bill Bock, CFO, Silicon Labs
  • George Kurtz, EVP McAfee
  • Howard Schmidt, Former CISO EBAY, Microsoft

  38. Strategic Partners
  IBM Internet Security Systems (formerly ISS) has formed an alliance with Mirage Networks to provide Network Access Control to global enterprise customers. (Signed November, 2006)
  Extreme Networks provides organizations with the resiliency, adaptability and simplicity required for a truly converged network that supports voice, video and data over a wired or wireless infrastructure, while delivering high-performance and advanced security features. (Signed March, 2005)
  Mitsui Bussan Secure Directions, a subsidiary of Mitsui & Co., Ltd. - one of the world’s most diversified and comprehensive trading and services companies - powers Mirage NAC sales in the Japanese marketplace. (Signed October, 2004)
  AT&T resells Mirage NAC in its managed services portfolio. Marketed as AT&T Managed IPS™, it represents the AT&T commitment to enabling business to be conducted effectively, efficiently and securely across both wired and wireless IP networks. (Signed March, 2005)
  Part of the Avaya DevConnect Program, Mirage works with Avaya to develop world-class interior network defense solutions, particularly for emerging IP telephony technology.

  39. Selected Customers (logo slide; verticals: Finance, Government, Healthcare, Professional Services, Higher Education, K-12, Manufacturing, Other)

  40. Mirage Networks Endpoint Control
  • Network Access Control
    • Comprehensive Endpoint Control
    • On-entry Risk Assessment
    • Policy Enforcement
    • IP Telephony Enabled
    • Wireless Support
    • Out-of-Band
    • Agentless
  • Day-Zero Threat Protection
    • Patented Behavioral Technology
    • No Signatures, No Updates
    • Leverages Dark IP Space
    • Minimal False Positives
    • Customized Policies
  • Surgical Quarantining (Day Zero / Policy Enforcement)
    • Customized remediation
    • Infrastructure-Independent
    • No Network Re-architecture
    • Flexible Self-Remediation Options
    • ARP Management - No VLAN of Death
  • Network Intelligence
    • Central Mgmt
    • Asset Tracking
    • Network Visibility
    • Executive Reports
    • Cross Network Correlation
    • Compliance & Audit Support

  41. Behavioral Rules Example: Threat Propagation
  Mirage continually monitors the dark IP space on the network. When a device attempts to connect to multiple dark IPs, Mirage’s behavioral rules immediately identify this as an attack and quarantine the offending device.
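  The post-admission monitoring of slide 24 and the dark-IP propagation rule described on this slide can be demonstrated with a sliding-window detector over flow records. This is an added example, not Mirage's code; the subnet, the allocated-address inventory, the threshold and window, the flow-record format and the sample flows are all constructed.

```python
"""Dark IP behavioral rule: quarantine a host that touches many unallocated addresses."""
import ipaddress
from collections import defaultdict, deque

# Constructed inventory (not Mirage's): the monitored subnet and the addresses known to
# be allocated (DHCP leases, asset list). Everything else in the subnet is dark IP space.
SUBNET = ipaddress.ip_network("10.1.0.0/24")
ALLOCATED = {ipaddress.ip_address(a) for a in
             ("10.1.0.1", "10.1.0.10", "10.1.0.11", "10.1.0.20", "10.1.0.50")}
DARK_THRESHOLD = 5     # distinct dark addresses contacted by one host ...
WINDOW_SECONDS = 60    # ... within this sliding window -> propagation behaviour

def is_dark(addr: str) -> bool:
    """True for an in-subnet address that no known device owns."""
    ip = ipaddress.ip_address(addr)
    return (ip in SUBNET and ip not in ALLOCATED
            and ip not in (SUBNET.network_address, SUBNET.broadcast_address))

def parse_flow(line: str):
    """Constructed flow-record format: '<epoch seconds> <src ip> <dst ip> <dst port>'."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)

class DarkIpMonitor:
    """Post-admission monitor: counts distinct dark destinations per source in a window."""
    def __init__(self, threshold=DARK_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.touches = defaultdict(deque)   # src -> deque of (ts, dark dst)
        self.quarantined = set()

    def observe(self, ts: int, src: str, dst: str) -> bool:
        """Record one flow; return True when it pushes src over the threshold."""
        if src in self.quarantined or not is_dark(dst):
            return False
        q = self.touches[src]
        q.append((ts, dst))
        while ts - q[0][0] > self.window:       # drop touches outside the window
            q.popleft()
        if len({d for _, d in q}) >= self.threshold:
            self.quarantined.add(src)           # hand off to the quarantine zone
            return True
        return False

def run(lines, monitor=None):
    """Feed flow records through the monitor; return [(ts, src)] alerts and the monitor."""
    monitor = monitor or DarkIpMonitor()
    alerts = [(ts, src) for ts, src, dst, _ in map(parse_flow, lines)
              if monitor.observe(ts, src, dst)]
    return alerts, monitor

# Constructed flow records: 10.1.0.10 is a normal host, 10.1.0.11 sweeps port 445
SAMPLE_FLOWS = [
    "1000 10.1.0.10 10.1.0.20 80",
    "1001 10.1.0.10 10.1.0.99 445",   # one stray dark touch is not enough
    "1002 10.1.0.11 10.1.0.2 445",
    "1002 10.1.0.11 10.1.0.3 445",
    "1003 10.1.0.11 10.1.0.4 445",
    "1003 10.1.0.11 10.1.0.5 445",
    "1004 10.1.0.11 10.1.0.20 445",   # live host, not dark, not counted
    "1004 10.1.0.11 10.1.0.6 445",    # fifth distinct dark address: quarantine
    "1005 10.1.0.11 10.1.0.7 445",    # already quarantined, no second alert
    "1100 10.1.0.10 10.1.0.50 443",
]
```

`run(SAMPLE_FLOWS)` raises a single alert for 10.1.0.11 at timestamp 1004 and leaves the normal host alone; the same rule would also catch an attacker outside the subnet sweeping it, since only the destination is checked against the dark space.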

  42. Attack Deception
  Mirage leverages the dark IP space to create device decoys that lock up a would-be attacker (whether inside or outside the network) in a lengthy, non-productive dialog.

  43. Mirage NAC is the Answer
  • Full Cycle: Pre- and Post-Admission Policy Enforcement
  • Out of Band Deployment; no latency, switch integration
  • Infrastructure Independent: All networks, All devices, All OSs
  • Zero Day protection without signatures
  • Agentless: Easy to Deploy and Manage
  • Quarantines without switch integration
  • Patented technology
  Diagram labels: Check on Connect; Pre-Admission Policy Enforcement; Zero Day Threat Prevention; Post Admission

  44. Thank You Kurtis Minder, CISSP - Mirage Networks Download “Getting the Knack of NAC”, 29 Page Industry Whitepaper at www.miragenetworks.com
