510 likes | 704 Vues
Bob Reny, Sr. Systems Engineer. Do you know NAC? Data Connectors - Vancouver. 4/25/2013. The Origin of Network Access Control. Code Red worm – $2 Billion damage. SoBig - $37.1 billion damage. MyDoom - $38.5 billion damage. Sasser - $500 million damage. Blaster - $320 million damage.
E N D
Bob Reny, Sr. Systems Engineer Do you know NAC? Data Connectors - Vancouver 4/25/2013
The Origin of Network Access Control Code Red worm – $2 Billion damage SoBig- $37.1 billion damage MyDoom - $38.5 billion damage Sasser - $500 million damage Blaster - $320 million damage
Cisco’s Answer (2004) Source: http://web.archive.org/web/20040603071700/http://www.cisco.com/en/US/netsol/ns466/networking_solutions_sub_solution_home.html
Cisco’s Answer (2004) Source: http://web.archive.org/web/20040603071700/http://www.cisco.com/en/US/netsol/ns466/networking_solutions_sub_solution_home.html
Do You Know NAC? Complex architecture Takes forever to implement WRONG! Difficult to manage Not worth the effort Requires 802.1x agents
Today The NAC Market is Booming • BYOD phenomenon • Ubiquitous expectation of wireless networks • Greater concern over data leakage • Need to keep private data from getting onto the wrong devices • Greater realization that desktop security is hard • IT managers want a third-party check on PC security posture • Products are better
Modern Network Access Control Products Great variations exist between vendors’ NAC products, but the best products are: • Simpler, less complex • Easy to deploy and manage • Help you control BYOD • Provide tremendous visibility • Offer a range of enforcement options • Integrate with other security infrastructure (SIEM, MDM, etc.) • Deployment options – physical, virtual, managed services
Why Do You Need NAC? -- Visibility Non-Corporate Corporate Resources Endpoints Antivirus out of date… Unwanted application… Encryption/DLP agent not installed… Network Devices Applications NAC Real-time Visibility and Automated Control Users ? Not Visible Visible Protection Possible No Protection Possible
The Poster Child for Visibility: Smartphones • Smartphones at a major hospital • Believed they had 8,000 devices on the network • They actually had 12,000 • The culprit? Smartphones • No security measure in place
Why Do You Need NAC? -- Cost Savings • Policy automation • Roll out and enforce standardized security policies • User acknowledgement • Guest management automation • Wired and wireless guest registration • Role-based access • Asset management automation • Maintain accurate inventory control • Hardware and software
Why Do You Need NAC? -- BYOD Control “NAC provides one of the most flexible approaches to securely supporting BYOD.” “No matter what [BYOD] strategy is selected, the ability to detect when unmanaged devices are in use for business purposes will be required — and that requires NAC.” Gartner, “NAC Strategies for Supporting BYOD Environments”, 22 December 2011, Lawrence Orans and John Pescatore http://mammanatech.wordpress.com/category/cloud-computing/
Traditional Security Agents Agentless NAC Why Do You Need NAC? -- Endpoint Security ManagedEndpoints UnmanagedEndpoints
Traditional Security Agents Agentless NAC Why Do You Need NAC? -- Endpoint Security • Protect system from attack (malware) • Protect data (encryption, DLP) • Identify unauthorized applications • Update software and configuration • Compliance and inventory reports • Windows only ManagedEndpoints UnmanagedEndpoints
Traditional Security Agents Agentless NAC Why Do You Need NAC? -- Endpoint Security • Ensure security agents are installed, running, and up-to-date • Protect system from attack (malware) • Protect data (encryption, DLP) • Identify unauthorized applications • Update software and configuration • Compliance and inventory reports • Windows only ManagedEndpoints UnmanagedEndpoints
Traditional Security Agents Agentless NAC Why Do You Need NAC? -- Endpoint Security • Ensure security agents are installed, running, and up-to-date • Identify unauthorized applications • Update software and configuration • Compliance and inventory reports • Protect system from attack (malware) • Protect data (encryption, DLP) • Identify unauthorized applications • Update software and configuration • Compliance and inventory reports • Windows only ManagedEndpoints UnmanagedEndpoints
Traditional Security Agents Agentless NAC Why Do You Need NAC? -- Endpoint Security • Ensure security agents are installed, running, and up-to-date • Identify unauthorized applications • Update software and configuration • Compliance and inventory reports • Windows, Mac, Linux, iOS, Android, … • Protect system from attack (malware) • Protect data (encryption, DLP) • Identify unauthorized applications • Update software and configuration • Compliance and inventory reports • Windows only ManagedEndpoints UnmanagedEndpoints
Traditional Security Agents Agentless NAC Why Do You Need NAC? -- Endpoint Security • Ensure security agents are installed, running, and up-to-date • Identify unauthorized applications • Update software and configuration • Compliance and inventory reports • Windows, Mac, Linux, iOS, Android, … • Role-based network access control • Protect system from attack (malware) • Protect data (encryption, DLP) • Identify unauthorized applications • Update software and configuration • Compliance and inventory reports • Windows only ManagedEndpoints UnmanagedEndpoints
Example: Endpoint Security Validation • Agent-based endpoint security solutions are only good if they are installed, running and updated. • Agent-based systems have blind spots. • “We identified that McAfee ePO was pushing DAT files properly, but ForeScout found a couple hundred endpoints where the McShield service was not running.” • “On another occasion, McAfee ePO failed to receive and push DAT files for a week. Desktop operations was unaware because McAfee ePO was unaware. ForeScout noticed the problem and notified the InfoSec team.”
Traditional Security Agents Agentless NAC Why Do You Need NAC? -- Endpoint Security • Ensure security agents are installed, running, and up-to-date • Identify unauthorized applications • Update software and configuration • Compliance and inventory reports • Windows, Mac, Linux, iOS, Android, … • Role-based network access control • Detect and control unmanaged endpoints • Detect and control rogue network devices • Identify unauthorized applications • Update software and configuration • Compliance and inventory reports • Role-based network access control • Protect system from attack (malware) • Protect data (encryption, DLP) • Identify unauthorized applications • Update software and configuration • Compliance and inventory reports • Windows only ManagedEndpoints UnmanagedEndpoints
Why Do You Need NAC? -- Network Access Control HR Sales Finance GuestNetwork Sales HR Finance Contractors Guests Employees
Agenda • History of NAC • Why the NAC market is booming • Selecting a NAC product
What is Network Access Control (NAC)? Technology that identifies users and network-attached devices and automatically enforces security policy. LIMITED FIXED GRANTED BLOCKED
What is Network Access Control (NAC)? • Who are you / group? • What device? • Device configuration? • Security posture? • Device location? • Time of day?
NAC Basics – Form Factor • NAC comes in many flavors ... • Network framework NAC • Endpoint software NAC • Out-of-band appliance NAC • In-line appliance NAC • You have to determine which flavor is best for your environment and users
NAC Basics – Network Enforcement Mechanisms • 802.1x • VLAN change • ARP poisoning • In-line blocking • ACL management • TCP resets • DHCP
NAC Basics – Agent or Agentless • Agent-based • Well, the agent must be working! • Provide deep intelligence • More complex to manage • May impact endpoint performance • May not work in an unmanaged environment (BYOD) • Agent-less • Less complex to operate • Easy integration with network intelligence • Easily adaptable to BYOD environments • Easy integration with network enforcement mechanisms • But may not provide as deep intel as agent-based
NAC Requirements – Accurate Discovery • Guest vs. employee • Computers (Mac, Win, Linux) • Virtual machines • Printers and fax • Handheld devices • VoIP phones • WAP devices • Equipment • USB devices • Software • Processes
NAC Requirements – Health Check • Pre-connection • Comply with security policies • Meet regulatory requirements • Remediate problems • Post-connection • Monitor endpoints to ensure that they remain compliant • Look for abnormal activity on the endpoints • Ensure that approved endpoints remain valid and are not spoofed
NAC Requirements – Flexibility • Support diverse types of users, devices, access methods • Managed and unmanaged devices • Employees, guests, contractors • Wired, wireless, VPN • Provide a range of responses • Audit • Alert/Inform • Allow • Limit • Remediate • Block
Advanced NAC – Integration NAC Policy Engine Antivirus Windows MDM Mac/Linux VPN Wi-Fi SIEM User Dir Switch
Example: Integration with SIEM SIEM Databases Applications Switches Wireless VPN Endpoints Security Devices
Example: Integration with SIEM NAC SIEM Databases Applications Switches Wireless VPN Endpoints Security Devices
Example: Integration with SIEM Endpoint Posture and Context NAC SIEM Databases Applications Switches Wireless VPN Endpoints Security Devices
Example: Integration with SIEM Endpoint Posture and Context NAC SIEM Remediation Actions Databases Applications Switches Wireless VPN Endpoints Security Devices
ForeScout’s Third Generation NAC • Horizontal visibility • Every device on the network • Vertical visibility • Deep information about the device, software, and user • Extensive range of actions • Inform, educate, remediate, control, block • Easy to implement • Works with your existing network infrastructure
How It Works ForeScout CounterACT • Out of band • Agentless
See Grant Fix Protect ForeScout CounterACT • What type of device? • Who owns it? • Who is logged in? • What applications? ( ( ( ( ( ( (
See Grant Fix Protect ForeScout CounterACT • Grant access • Register guests • Block access • Restrict access ( ( ( ( ( ( (
See Grant Fix Protect ForeScout CounterACT • Remediate OS • Fix security agents • Fix configuration • Start/stop applications • Disable peripheral
See Grant Fix Protect • Customized Policy Enforcement • Degree of disruption directly related to degree of violation • Multiple actions and conditions available and can be nested with Boolean logic • Policies are enforced at the point of connection and throughout the duration of the connection • Malicious threat detection is always on with enforcement actions configured by administrator
Install Antivirus • Is the software installed? • Run a script that can install software as an automated action
Start Antivirus • Is AV not running? • Start software • Additional action: • Notify user • Notify administrator
See Grant Fix Protect ForeScout CounterACT • Detect unexpected behavior • Block insider attack • Block worms • Block intrusions