
Evaluating NAC Architectures


Presentation Transcript


  1. Evaluating NAC Architectures
     Sean Tippett, Product Manager, stippett@consentry.com
     © 2007 ConSentry Networks

  2. Agenda
     • Why NAC, Why Now?
     • Components of a NAC Solution
     • NAC Architectures
     • Business Cases
     • Shameless Product Pitch

  3. You Can't Build the LAN on Trust
     Historically we haven't secured the LAN. What's changed?
     • Risk of disgruntled employees
     • Regulatory environment
     • Rogue hosts
     • Contractors and partners
     • Attackers motivated by profit
     • Offshoring, outsourcing
     • Attacks are getting more elusive
     The LAN was built for connectivity, not control.

  4. Requirements of NAC (Corporate LAN)
     • Authenticate: only valid users* are allowed on the network
     • Posture Check: check systems for compliance
     • User Control: control users based on their role
     • Threat Control: continuously watch for 0-day attacks
     • Visibility/Audit: monitor users; check for infractions

  5. Pre vs. Post Admission Control
     Both pre-admission and post-admission control are required to secure the LAN.
     • Pre-admission control (the classic view of NAC): Authenticate, Posture Check
     • Post-admission control: Identity-Based Control, Threat Control, Visibility/Audit

  6. Lots of choices
     • Product confusion – everything is "NAC"
     • Infrastructure impact – switches, VLANs, clients
     • Deployment choices – where, how?
     • Overwhelming scope – where do I start?
     [Diagram: Internet, firewall, WAN router, VPN, IDS/IPS, Active Directory and a guest host, with question marks over where NAC fits]

  7. NAC Evaluation Criteria

  8. NAC Architectures
     Architectures we will cover
     • Endpoint enforcement
     • Infrastructure-based 802.1X
     • Out-of-band NAC solutions
     • Inline NAC solutions
     How do the architectures differ?
     • What drops the packet? (policy enforcement point)
     • Who makes the drop decision? (policy decision point)
     • Where is user information stored? (authentication directory)

  9. Endpoint Enforcement
     Components to deploy
     • Endpoint agent software
     • Endpoint gateway
     • Endpoint policy manager
     [Diagram: Bldg 1, Floors 1–3 with agent-equipped endpoints; Endpoint Policy Manager alongside RADIUS, Active Directory and an Oracle database]

  10. Endpoint Security: Evaluation

  11. Infrastructure-Based 802.1X NAC
     Components to deploy
     • 802.1X client supplicants
     • 802.1X capable switches
     • 802.1X capable RADIUS server
     Infrastructure reconfiguration
     • Enable policy VLANs on core and edge (quarantine, employee, guest, contractor)
     • Enable policy ACLs on core (sometimes edge)
     • Configure user directory for VLAN mapping
     [Diagram: Bldg 1, Floors 1–3 with Quarantine, Guest, Contractor and Employee VLANs; 802.1X RADIUS server backed by Active Directory and an Oracle database]

  12. 802.1X NAC: How it works
     1. User enters credentials into the 802.1X supplicant
     2. The 802.1X authenticator in the switch relays them to the RADIUS server
     3. The RADIUS server checks with AD and, if the credentials are correct, sends an admit message carrying the VLAN assignment for the user
     4. The user can now access the network, subject to the ACLs on that VLAN
     [Diagram: supplicant, switch, 802.1X RADIUS server, Active Directory, Oracle database]
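The exchange in steps 2–4 at the packet level, as an added example that is not part of the deck and not ConSentry's code. It builds the Access-Request the authenticator sends, the server's Access-Accept carrying the VLAN as RFC 2868 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID), and the switch-side check of the RFC 2865 Response Authenticator that ties the reply to the request and the shared secret. The shared secret, the user directory standing in for AD and the role-to-VLAN map are constructed values; a real 802.1X exchange carries EAP rather than the PAP User-Password attribute used here to keep the packet short.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865) and the tunnel attributes of RFC 2868
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
PORT_DEFAULT_VLAN = 1   # where an Access-Accept without a usable VLAN lands the port

# Constructed stand-ins: switch/RADIUS shared secret, the directory AD would answer from,
# and the role-to-VLAN mapping from the deck's slide 11
SECRET = b"constructed-shared-secret"
DIRECTORY = {"alice": ("employee-pw", "employee"), "bob": ("contractor-pw", "contractor")}
ROLE_VLAN = {"employee": 20, "contractor": 30, "guest": 40}


def encode_attrs(attrs):
    """Serialize [(type, value), ...] as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, n = struct.unpack("!BB", data[i:i + 2])
        if n < 2 or i + n > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + n]))
        i += n
    return attrs


def xor_password(data, secret, request_auth, decrypt):
    """RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous block), chained on ciphertext."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result
    return out


def supplicant_request(username, password, secret, ident=1):
    """Steps 1-2: credentials relayed by the switch as an Access-Request with a random authenticator."""
    request_auth = os.urandom(16)
    padded = password.encode().ljust(max(1, -(-len(password) // 16)) * 16, b"\x00")
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, xor_password(padded, secret, request_auth, decrypt=False))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def response_authenticator(code, ident, body, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def radius_server(request, secret):
    """Step 3: validate the user against the directory and answer with the VLAN for the role."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    pw = xor_password(attrs.get(USER_PASSWORD, b""), secret, request_auth, decrypt=True).rstrip(b"\x00")
    entry = DIRECTORY.get(user)
    if entry is None or not hmac.compare_digest(entry[0].encode(), pw):
        code, reply = ACCESS_REJECT, []
    else:
        code = ACCESS_ACCEPT
        reply = [(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),          # tag 0 + value
                 (TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
                 (TUNNEL_PRIVATE_GROUP_ID, str(ROLE_VLAN[entry[1]]).encode())]          # VLAN as a string
    body = encode_attrs(reply)
    return (struct.pack("!BBH", code, ident, 20 + len(body))
            + response_authenticator(code, ident, body, request_auth, secret) + body)


def reply_is_authentic(request, reply, secret):
    """Switch side: accept a reply only if its authenticator binds it to our request and our secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:length], request[4:20], secret)
    return hmac.compare_digest(expected, reply[4:20])


def vlan_for_port(request, reply, secret):
    """Step 4: None keeps the port unauthorized; otherwise the VLAN the port is moved into."""
    if not reply_is_authentic(request, reply, secret):
        raise ValueError("reply fails the Response Authenticator check; discard it")
    if reply[0] != ACCESS_ACCEPT:
        return None
    attrs = dict(decode_attrs(reply[20:]))

    def untagged(value):  # RFC 2868: a leading byte <= 0x1F is a tag, not data
        return value[1:] if value and value[0] <= 0x1F else value

    ttype = int.from_bytes(untagged(attrs.get(TUNNEL_TYPE, b"")), "big")
    medium = int.from_bytes(untagged(attrs.get(TUNNEL_MEDIUM_TYPE, b"")), "big")
    group = untagged(attrs.get(TUNNEL_PRIVATE_GROUP_ID, b""))
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE802 or not group.isdigit():
        return PORT_DEFAULT_VLAN   # accepted, but no VLAN assignment: the port's configured VLAN applies
    return int(group)
```

The authenticator check is the part worth keeping in mind when troubleshooting: a reply computed with the wrong shared secret, or altered in transit, is silently dropped by the switch, which then looks like a RADIUS timeout rather than a rejection.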

  13. 802.1X NAC: Evaluation

  14. Out-of-Band (OOB) NAC Solution
     Components to deploy
     • Out-of-band NAC appliance
     • Centralized manager (optional)
     Infrastructure reconfiguration
     • Enable policy VLANs on core and edge (quarantine, employee, guest, contractor)
     • Set up SNMP; point traps to the OOB controller
     • Connect the quarantine VLAN to the OOB controller
     [Diagram: Bldg 1, Floors 1–3 with Quarantine, Guest, Contractor and Employee VLANs; OOB NAC appliance and OOB central manager backed by Active Directory and an Oracle database]

  15. OOB NAC: How it works
     1. User connects to the switch, and the switch sends an SNMP trap to the controller
     2. Controller signals the switch to put the user's port on the quarantine VLAN
     3. User enters login credentials; a health check is performed
     4. Controller and manager talk and determine the user's VLAN
     5. Quarantine VLAN is removed and the proper VLAN is deployed
     [Diagram: OOB NAC appliance, OOB central manager, Active Directory, Oracle database]
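The controller's half of steps 1–5 as a decision model, added here as an example; it is not part of the deck and not ConSentry's code. The switch-bound SNMP VLAN writes are recorded in a list instead of being sent, and the directory and role-to-VLAN map are constructed values. Beyond the five steps it also handles the two events a deployment has to get right: a second MAC appearing behind an already authorized port, and link-down, both of which return the port to quarantine because the controller only ever sees the port, not the host.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

QUARANTINE_VLAN = 99
ROLE_VLAN = {"employee": 20, "contractor": 30, "guest": 40}
DIRECTORY = {"alice": "employee", "bob": "contractor"}   # constructed stand-in for AD lookups


@dataclass
class PortState:
    vlan: int                               # VLAN the switch currently has on the port
    macs: Set[str] = field(default_factory=set)
    user: Optional[str] = None              # bound user once steps 3-5 succeed


class OobController:
    """Controller side of the OOB flow. Writes the controller would push to the switch
    over SNMP are appended to `writes`, so the logic can be exercised offline."""

    def __init__(self, port_default_vlan: int = QUARANTINE_VLAN):
        self.ports: Dict[str, PortState] = {}
        self.writes: List[Tuple[str, int]] = []
        # VLAN the switch puts an access port in before the controller has said anything
        self.port_default_vlan = port_default_vlan

    def _set_vlan(self, port: str, vlan: int) -> None:
        if self.ports[port].vlan != vlan:
            self.ports[port].vlan = vlan
            self.writes.append((port, vlan))   # the SNMP set the controller would issue

    def on_trap(self, port: str, mac: str) -> int:
        """Steps 1-2: linkUp / MAC-notification trap. Every new host on the port goes to
        quarantine and any existing binding is dropped, since a hub or unmanaged switch
        behind an authorized port would otherwise ride the first user's VLAN."""
        st = self.ports.setdefault(port, PortState(vlan=self.port_default_vlan))
        st.macs.add(mac)
        st.user = None
        self._set_vlan(port, QUARANTINE_VLAN)
        return st.vlan

    def on_login(self, port: str, user: str, password_ok: bool, posture_ok: bool) -> int:
        """Steps 3-5: credentials and health check, answered from the quarantine VLAN, decide
        the production VLAN. Anything short of both leaves the port in quarantine."""
        st = self.ports[port]
        role = DIRECTORY.get(user)
        if password_ok and role is not None and posture_ok:
            st.user = user
            self._set_vlan(port, ROLE_VLAN[role])
        else:
            self._set_vlan(port, QUARANTINE_VLAN)
        return st.vlan

    def on_link_down(self, port: str) -> int:
        """Link down: clear the binding so the next device plugged in does not inherit the
        previous user's VLAN if its own trap is delayed or lost."""
        st = self.ports[port]
        st.macs.clear()
        st.user = None
        self._set_vlan(port, QUARANTINE_VLAN)
        return st.vlan
```

The `port_default_vlan` parameter makes the timing problem of this architecture visible: if access ports default to a production VLAN, the host sits on it from link-up until the controller's quarantine write lands (the `writes` list shows the catch-up set). Defaulting access ports to the quarantine VLAN closes that window, which is why the deck lists the quarantine VLAN under infrastructure reconfiguration.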

  16. OOB NAC: Evaluation

  17. Inline NAC Solution
     Components to deploy
     • Inline NAC appliance
     • Inline NAC manager
     [Diagram: Bldg 1, Floors 1–3 with an inline appliance per floor; inline manager alongside RADIUS, Active Directory and an Oracle database]

  18. How it works: Inline NAC Solution
     1. User logs into AD
     2. Inline controller "snoops" the username
     3. AD validates the user's credentials
     4. Inline controller "snoops" the authentication reply and queries AD for the user's role
     5. Inline controller applies role-based policy and monitors all flows
     [Diagram: edge switch, inline NAC appliance, core switch, Active Directory server, Oracle Financials, inline manager]
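Steps 2–5 as an enforcement model, added here as an example; it is not part of the deck and not ConSentry's code. The controller learns a host-to-user binding only from a successful authentication reply, looks up the role, and then decides every flow by that role against a policy table. The role policy, the pre-authentication allow list (so the AD login itself can pass the appliance), the directory and the flows are all constructed; the Oracle Financials entry echoes the deck's diagram.

```python
import ipaddress
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed policy, standing in for what the inline manager would push to the appliance:
# each role may reach the listed (network, protocol, port) services; everything else is dropped.
ROLE_POLICY = {
    "employee":   [("10.10.0.0/16", "tcp", 1521),      # Oracle Financials (TNS listener)
                   ("10.20.0.0/16", "tcp", 445),       # file servers (CIFS)
                   ("0.0.0.0/0", "tcp", 80), ("0.0.0.0/0", "tcp", 443)],
    "contractor": [("10.30.0.0/24", "tcp", 22), ("0.0.0.0/0", "tcp", 443)],
}
# Reachable by any host, bound or not: DNS and the Kerberos/LDAP traffic the controller snoops
PRE_AUTH = [("10.0.0.0/8", "udp", 53), ("10.0.0.0/8", "udp", 88),
            ("10.0.0.0/8", "tcp", 88), ("10.0.0.0/8", "tcp", 389)]
DIRECTORY = {"alice": "employee", "bob": "contractor"}   # constructed stand-in for the AD role query


def _compile(rules):
    return [(ipaddress.ip_network(net), proto, port) for net, proto, port in rules]


class InlineController:
    """Policy enforcement point between edge and core: learns who is behind each host address
    by snooping the AD exchange, then decides every flow by the bound user's role."""

    def __init__(self):
        self.policy = {role: _compile(rules) for role, rules in ROLE_POLICY.items()}
        self.pre_auth = _compile(PRE_AUTH)
        self.bindings: Dict[str, Tuple[str, str]] = {}   # host IP -> (user, role)
        self.failed_logins: Dict[str, int] = {}
        self.log: List[str] = []

    def on_auth_observed(self, host: str, user: str, success: bool) -> Optional[str]:
        """Steps 2-4: username from the request, outcome from AD's reply, role from the directory.
        Only a successful reply creates a binding; failures are counted per host so a guessing
        attempt is visible in the user-tied audit trail."""
        if not success:
            self.failed_logins[host] = self.failed_logins.get(host, 0) + 1
            self.log.append(f"auth-fail host={host} user={user} count={self.failed_logins[host]}")
            return None
        role = DIRECTORY.get(user)
        if role is None:
            self.log.append(f"auth-ok-no-role host={host} user={user}")
            return None
        self.bindings[host] = (user, role)
        self.log.append(f"bind host={host} user={user} role={role}")
        return role

    def on_host_gone(self, host: str) -> None:
        """Address reuse: drop the binding so a later host with this IP is not treated as the user."""
        self.bindings.pop(host, None)

    @staticmethod
    def _matches(rules, flow: Flow) -> bool:
        dst = ipaddress.ip_address(flow.dst)
        return any(dst in net and proto == flow.proto and port == flow.dport
                   for net, proto, port in rules)

    def decide(self, flow: Flow) -> Tuple[str, Optional[str]]:
        """Step 5: ("allow"|"deny", user). Unbound hosts get only the pre-auth services."""
        if self._matches(self.pre_auth, flow):
            return "allow", self.bindings.get(flow.src, (None,))[0]
        binding = self.bindings.get(flow.src)
        if binding is None:
            self.log.append(f"deny unbound host={flow.src} -> {flow.dst}:{flow.proto}/{flow.dport}")
            return "deny", None
        user, role = binding
        verdict = "allow" if self._matches(self.policy[role], flow) else "deny"
        self.log.append(f"{verdict} user={user} role={role} {flow.src} -> {flow.dst}:{flow.proto}/{flow.dport}")
        return verdict, user
```

The binding is keyed on the host address the controller saw the login from, so it has to be torn down when that address goes away (`on_host_gone`, driven in practice by a link-down or DHCP release the controller observes); a stale binding is the inline equivalent of the OOB architecture's second-host-on-a-port problem.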

  19. Inline NAC Solution: Evaluation

  20. Stacking up against real problems

  21. Navigating NAC is Complicated
     • Understand the architecture of the NAC solution
     • Choose a solution that will solve your current problems but can also solve future needs
     • Consider the infrastructure reconfiguration the solution requires
     • Run through troubleshooting scenarios – how can issues be isolated?

  22. About ConSentry Networks
     Wire-speed inline NAC

  23. ConSentry Secure Switching: control every user, secure every port.
     • ConSentry InSight – GUI-based LAN tracking, incident reports, and policy setting
     • LANShield Controller – embedded security for the existing LAN infrastructure
     • LANShield Switch – integrated security and switching for the access layer
     [Diagram: Internet, router, firewall, core switch, access switches, WLAN switch and data center, with AD, RADIUS and database servers]

  24. ConSentry – Enabling Technology
     • CPU – LANShield Processor
       • Deep packet inspection and analysis
       • 128 simultaneous threads
       • Stateful processing
       • Programmable
     • Programmable ASICs
       • LANShield Accelerator – detects flows and determines whether deep packet inspection is needed
       • LANShield Visualizer – provides flow statistics and accounting

  25. Elements of Secure Switching
     Only valid people and clean systems get on the LAN
     • Authentication and posture check
     • No changes to user login procedure
     User behavior analysis
     • Who's on the LAN? What are they doing?
     • Everything tied to user
     • Faster incident response
     Anomaly detection
     • Zero-day malware containment
     • Application protection
     Control access to resources and applications
     • Control where people can go by their role
     • Only allow them access to applications relevant to their job
     Recognized applications
     • IM: MSN, Yahoo, AOL
     • P2P: BitTorrent, eDonkey 2000, Gnutella, WinNY, eMule, Kazaa, AppleJuice
     • Network services: DNS, DHCP/BOOTP, Kerberos, SUNRPC, MS-RPC, RADIUS
     • Connectivity: SSH, Telnet, VNC, RTSP, MS-Media
     • Business apps: Oracle TNS, SAP R/3
     • VoIP: SIP, H.323, Cisco SCCP (Skinny)
     • Web/Mail: HTTP, SMTP, POP3, IMAP
     • File transfer: FTP, FTP-Data, TFTP, CIFS/SMB/NetBIOS

  26. Why ConSentry
     • Architected from the ground up to secure your LAN
     • Full control of users and devices
       • With rich application understanding
       • At wire speed
     • Simple deployment of identity-based control
     • Full visibility and reporting
     • In a single, self-contained platform

  27. ConSentry Leadership
     "The best example of these new (embedded security) vendors is ConSentry Networks" – Mark Fabbi, Gartner
     [Logos: select customers; industry recognition]
