Title: Risk Management using Network Access Control and Endpoint Control for the Enterprise
Slide 1: Risk Management using Network Access Control and Endpoint Control for the Enterprise
- Kurtis E. Minder, Mirage Networks
Slide 2: Agenda
- Drivers of NAC
- Network Design Elements
- Key Elements of NAC Solutions
  - Identify
  - Assess
  - Monitor
  - Mitigate
- NAC Business Application
- Who is Mirage?
- Q&A
Slide 3: Business Needs Drive Security Adoption
- 3 ubiquitous security technologies
  - Anti-virus - business driver: file sharing
  - Firewalls - business driver: interconnecting networks (i.e. Internet)
  - VPNs - business driver: remote connectivity
- Today's top security driver - mobile PCs and devices
  - Broadband access is everywhere
  - Increased percentage of the time devices spend on unprotected networks
  - Perimeter security is rendered less effective because mobile devices bypass it and aren't protected by it
  - Mobility of IP devices is driving the need for Network Access Control solutions
  - Leading source of network infections
  - More unmanaged devices on the network than ever - guest and personal devices
Slide 4: The Traditional Approach to Network Security Isn't Enough
Slide 5: The Problem NAC Should Address
Today, endpoint devices represent the greatest risk to network security by propagating threats or being vulnerable to them.

"Because of worms and other threats, you can no longer leave your networks open to unscreened devices and users. By year-end 2007, 80 percent of enterprises will have implemented network access control policies and procedures." - Gartner, Protect Your Resources With a Network Access Control Process

- Infected Devices propagate threats, resulting in loss of productivity and hours of cleanup
- Unknown Devices like home PCs, contractor PCs and WiFi phones can introduce new threats or compromise data security
- Out-of-Policy Devices are more vulnerable to malware attacks, while running services that could jeopardize security
Slide 6: The Cost
Sources: 1. mi2g Intelligence Unit, Malware Damage in 2004; 2. ICSA Labs, 9th Annual Computer Virus Prevalence Survey
Slide 7: The Problem is Expected to Get Worse
- 2006 Statistics
  - Steep increase in the number of software security vulnerabilities discovered by researchers and actively exploited by criminals
  - Microsoft Corp issued fixes for 97 (versus 37 in 2005) security holes assigned the "critical" label
  - 14 of the critical holes became "zero day" threats
  - Experts worry that businesses will be slow to switch to Vista
  - Pre-Vista MS Office is expected to remain in widespread use for the next 5-10 years
Source: Washington Post, Dec 2006, Cyber Crime Hits the Big Time in 2006
Slide 8: NAC Market Expectations
- NAC Appliance vendors will sell $660m worldwide in 2008
- NAC Appliances will gain 17% worldwide share of the NAC market by 2008, up from 6% in 2005
- Research reveals World Network Access Control (NAC) Products and Architectures Markets earned revenues of over $85 million in 2006 and estimates this to reach over $600 million in 2013
- Gartner estimates that the NAC market was $100M in 2006 and will grow by over 100% by YE 2007
Slide 9: Increasing Number of Targets to Protect
SANS Institute 2006 Top Attack Targets
- Operating Systems
  - Internet Explorer
  - Windows Libraries
  - Microsoft Office
  - Windows Services
  - Windows Configuration Weaknesses
  - Mac OS X
  - Linux Configuration Weaknesses
- Network Devices
  - VoIP Phones & Servers
  - Network & Other Devices Common Configuration Weaknesses
- Cross Platform Applications
  - Web Applications
  - Database Software
  - P2P File Sharing Applications
  - Instant Messaging
  - Media Players
  - DNS Servers
  - Backup Software
  - Security, Enterprise, and Directory Management Servers
- Security Policy & Personnel
  - Excessive User Rights & Unauthorized Devices
  - Users (Phishing/Spear Phishing)
Source: SANS Institute Top 20 Internet Security Attack Targets (2006 Annual Update), v7.0, 11.15.06
Slide 10: What Class of NAC Solutions to Deploy?
Source: Aberdeen Research, 2006
Slide 11: Top Drivers Influencing NAC Solutions
Source: Aberdeen Research, 2006
Slide 12: Top Features Required in a NAC Solution
Source: Aberdeen Research, 2006
Slide 13: Principal Network Design Elements
Slide 14: Network Design Meets Security Design
- Multi-layer Switching
  - Fundamental to network architecture
  - Supplemental to network security
- Getting closer to the desktop
  - Access switch technologies
  - Agent approaches
- Virtual Local Area Networks (VLANs)
  - Network segmentation or security tool?
- Appliance or infrastructure?
Slide 15: Network Design Models
Slide 16: Evolution of Network Device Segmentation - Where is 802.1x Going?
Slide 17: Network Security Design Example
- Typical network design includes security at the perimeter. This is a best practice.
- Desktop software may also be used to keep machines clean of viruses and malicious content.
- This is a typical network, simplified.
Slide 18: Key Elements of NAC Solutions
Slide 19: Common NAC Elements
- NAC is an evolving space with evolving capabilities
- NAC solution elements - some or all
  - Identify - detect & authenticate new devices
  - Assess - endpoint integrity checks to determine levels of risk and adherence to security policy
  - Monitor - watch the device's activity for change of assessed state with respect to policy and threat status
  - Mitigate - take appropriate action upon any device that is identified as a security risk by the previous three elements
Slide 20: Identify - Find/Authenticate New Devices
- Question: How do you know when a new device comes on the network? Is it a known or unknown device? Is it an authenticated user?
- Common approaches
  - Leverage 802.1x or network infrastructure OS
    - Authenticate through existing EAP infrastructure to pass credentials to authentication server
  - Special purpose DHCP server
    - Authentication usually web based and tied to authentication server
  - Authentication proxy
    - NAC solution serves as a proxy between device and authentication server
  - Inline security appliances (i.e. security switches)
    - Serve as a proxy between device and authentication server
  - Real time network awareness
    - Authentication usually web based and tied to authentication server
- All approaches trigger off entry on the network by a new IP device
Slide 21: Identify - Pros & Cons of Various Approaches
- 802.1x approach
  - Pros: Device detected and authenticated prior to IP address assignment
  - Cons: Often a costly and time consuming installation
    - Requires switch upgrade/reconfiguration
    - Endpoints must be 802.1x enabled - requires supplicant software
    - Must create guest/remediation VLANs
- Out of band appliances with network awareness
  - Pros: Sees all devices as they enter the network, both managed and unmanaged; easier to implement than many of the other approaches
  - Cons: May require switch integration for mitigation of the problem
- Authentication proxy
- In-line security appliance/switch
- DHCP Lease Quarantine
Slide 22: NAC Design - Proxy
- Using proxy technology to enforce NAC can be very effective since it supplies L3-7 visibility into packet data
- It can also be a point of failure and latency
- Downstream traffic may be missed
Slide 23: NAC Design - Inline
- Inline NAC enforcers' effectiveness is directly impacted by network placement
- Point of failure/latency possible
- Downstream traffic missed
Slide 24: NAC Design - Access Switch Replacement
- Access switch NAC devices are a viable solution
- L3-7 visibility
- Expensive
- Not a switch
Slide 25: NAC Design - OOB
- Out of band solutions are ideal for complex network environments
- Supports heterogeneous environments
- Sees all traffic
- May need complex switch integration
Slide 26: Assess
Slide 27: Assess Endpoint Integrity
- Question: Even if a device is allowed on my network, how do I ensure it meets my security policies and risk tolerance?
- Answer: Endpoint integrity checks
  - Operating system identification and validation checks
    - Typically requires an agent
    - Must establish a policy relating to acceptable patch level (latest patch on company SMS server, no older than X months, most recent patch available from software vendor)
    - What do you do for unknown devices? Usually requires an agent for these checks
  - Security software checks - AV, personal firewall, spyware, etc.
    - Is it up and running?
    - Is it in the right configuration?
    - Is it up to date - both the software and the database?
    - Usually requires an agent for these checks
Slide 28: Scanning the host
- Client integrity checks often include
  - Patch level
  - Anti-virus existence and rev. level
  - Anti-spyware existence and rev. level
  - Personal firewall enable status
Slide 29: Scanning the host (cont.)
Does the device get network access? Posture assessment determines whether a high risk device gets network access, or limits access based on risk level.
Slide 30: Assess Endpoint Integrity (cont.)
- Additional elements may be required to effectively set and enforce Network Access Control policy on the network. Often these components are managed individually.
- Elements for endpoint integrity checks
  - Network scanning server (optional)
  - Endpoint software - permanent or transient (optional)
  - Policy server (required) - must have somewhere to define what is allowed/disallowed
  - Switch API
  - Etc.
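A posture assessment of the kind the Assess slides describe, turned into a policy decision, as an added example (not code from the deck or from Mirage Networks): the patch-age and signature-age thresholds, the forbidden-service list, the field names and the sample endpoints are all constructed assumptions.

```python
# Added example (not the deck's or Mirage's code): the deck's posture checks
# evaluated against constructed policy thresholds to pick an access level.
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

MAX_PATCH_AGE_DAYS = 90       # "no older than X months" on the slide (constructed)
MAX_AV_SIG_AGE_DAYS = 7       # AV signature database must be current (constructed)
FORBIDDEN_SERVICES = {"ftp", "telnet"}   # out-of-policy services (constructed)

@dataclass
class Posture:                # what an agent or network scan reports about one endpoint
    host: str
    os_identified: bool          # OS identification and validation check
    last_patch: Optional[date]   # newest installed patch
    av_running: bool
    av_sig_date: Optional[date]  # anti-virus signature database date
    antispyware_running: bool
    firewall_enabled: bool
    services: List[str] = field(default_factory=list)

def assess(p: Posture, today: date) -> Tuple[str, List[str]]:
    """Return (access level, findings); levels are full, limited or quarantine."""
    if not p.os_identified:  # unknown device: checks impossible, register it first
        return "quarantine", ["OS not identified: route to registration server"]
    findings = []
    if p.last_patch is None or (today - p.last_patch).days > MAX_PATCH_AGE_DAYS:
        findings.append("patch level out of policy")
    if not p.av_running:
        findings.append("anti-virus not running")
    elif p.av_sig_date is None or (today - p.av_sig_date).days > MAX_AV_SIG_AGE_DAYS:
        findings.append("anti-virus signatures stale")
    if not p.antispyware_running:
        findings.append("anti-spyware not running")
    if not p.firewall_enabled:
        findings.append("personal firewall disabled")
    bad = sorted(set(p.services) & FORBIDDEN_SERVICES)
    if bad:
        findings.append("forbidden services running: " + ", ".join(bad))
    # No AV at all, or forbidden services, is high risk: keep the device off the
    # network (AV scanner / remediation zone); lesser findings get limited access.
    if not p.av_running or bad:
        return "quarantine", findings
    return ("limited" if findings else "full"), findings

TODAY = date(2007, 1, 15)     # constructed evaluation date
SAMPLES = [                   # constructed endpoints
    Posture("laptop-01", True, date(2006, 12, 20), True, date(2007, 1, 14), True, True),
    Posture("laptop-02", True, date(2006, 8, 1), True, date(2006, 12, 1), True, False),
    Posture("contractor-pc", True, date(2006, 12, 1), False, None, False, True, ["ftp"]),
    Posture("wifi-phone", False, None, False, None, False, False),
]

def assess_all(samples=SAMPLES, today=TODAY):
    return {p.host: assess(p, today) for p in samples}
```

The unknown device is sent straight to registration, the device with no anti-virus or a forbidden service is quarantined, and the merely out-of-date laptop gets limited access with its findings listed for self-remediation.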
Slide 31: Monitor
Slide 32: Monitoring Post Network Entry
- The forgotten element of Network Access Control
- Why is monitoring a critical element of NAC?
  - Can't effectively check for all threats on entry - takes too long
  - Security policy state can change post entry - users initiate FTP after access is granted
  - Infection can occur post entry - e-mail and web threats can change the security state of the device
  - This is critical to network awareness / intelligence
- Monitoring is both for threats and policy adherence - takes advantage of the policy definition of the NAC solution
- Works hand in hand with NAC quarantine services
Slide 33: Traditional Approach to Network Security
- Traditional Approach
  - Firewall/IPS at the Perimeter
  - AV, HIDS/HIPS on the Endpoint
- External Environment
  - New technologies
  - New threats
  - Regulatory requirements
Slide 34: Exploiting the Network's Weakness
Infected endpoints bypass the perimeter, generating rapidly propagating threats that take over a network in minutes.
Slide 35: Monitoring Approaches
- Agent based approaches
  - Host Intrusion Prevention Systems
  - Personal firewalls
  - Both require integration with a network policy server to be an element of NAC
  - Doesn't cover unknown/unmanaged/unmanageable devices
- Network based approaches
  - In-line: typically the evolution of IPS vendors into NAC capabilities; also includes Network Based Anomaly Detection (NBAD) vendors
  - Out-of-band: most commonly NBAD and old Distributed Denial of Service (DDoS) security vendors
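The post-entry monitoring the Monitor slides call for (a policy state change such as FTP started after admission, and a threat state change seen as probing of unallocated, "dark" address space), as an added, network-based example that is not the deck's or Mirage's code; the subnet layout, the thresholds and the flow records are constructed.

```python
# Added example (not the deck's or Mirage's code): post-admission monitoring over
# constructed flow records, flagging the two state changes the slides name: an
# out-of-policy service started after entry (FTP) and worm-like propagation, seen
# as many probes to unallocated ("dark") addresses inside a short window.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed subnet: only these addresses are allocated; everything else is dark.
ALLOCATED: Set[str] = {f"10.0.0.{i}" for i in (1, 10, 11, 12, 20, 21)}
FORBIDDEN_PORTS = {21: "ftp", 23: "telnet"}   # services disallowed after admission
DARK_THRESHOLD = 5       # distinct dark destinations ...
WINDOW_SECONDS = 60      # ... within this many seconds => propagation alert

Flow = Tuple[int, str, str, int]   # (epoch seconds, src, dst, dst port)
FLOWS: List[Flow] = [              # constructed sample traffic
    (100, "10.0.0.10", "10.0.0.20", 445),   # normal file sharing
    (105, "10.0.0.10", "10.0.0.20", 21),    # FTP started after admission
    (200, "10.0.0.11", "10.0.0.2", 445),    # sequential sweep of dark space
    (201, "10.0.0.11", "10.0.0.3", 445),
    (202, "10.0.0.11", "10.0.0.4", 445),
    (203, "10.0.0.11", "10.0.0.5", 445),
    (204, "10.0.0.11", "10.0.0.6", 445),
    (300, "10.0.0.12", "10.0.0.7", 445),    # single stray probe: below threshold
    (400, "10.0.0.12", "10.0.0.8", 445),    # slow probes fall outside the window
    (500, "10.0.0.12", "10.0.0.9", 445),
]

def monitor(flows: List[Flow], allocated: Set[str] = ALLOCATED) -> Dict[str, List[str]]:
    """Return {source host: alerts} for hosts whose policy or threat state changed."""
    alerts: Dict[str, List[str]] = defaultdict(list)
    dark_hits: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    flagged: Set[str] = set()
    for ts, src, dst, port in sorted(flows):
        if port in FORBIDDEN_PORTS:   # policy state changed after access was granted
            msg = f"out-of-policy service {FORBIDDEN_PORTS[port]} to {dst}"
            if msg not in alerts[src]:
                alerts[src].append(msg)
        if dst not in allocated and src not in flagged:
            hits = dark_hits[src]
            hits.append((ts, dst))
            hits[:] = [h for h in hits if ts - h[0] <= WINDOW_SECONDS]  # sliding window
            distinct = {d for _, d in hits}
            if len(distinct) >= DARK_THRESHOLD:   # threat state changed: quarantine
                flagged.add(src)
                alerts[src].append(f"{len(distinct)} dark-IP probes within "
                                   f"{WINDOW_SECONDS}s: possible propagation, quarantine")
    return dict(alerts)
```

Because it keys on traffic rather than an agent, the same logic covers the unknown and unmanaged devices the agent-based approaches miss; the alerts are what a NAC quarantine service would act on.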
Slide 36: Mitigate
Slide 37: Mitigation Approaches for NAC
- Two elements for NAC mitigation
- Quarantine capabilities (required)
  - On-entry: restrict access for devices not meeting requirements
  - Post-entry: take a device off the network and send it to a quarantine zone if it violates policy or propagates a threat
  - Ideally should be able to assign to different quarantine servers based on the problem, i.e. registration server for guests, AV scanner for infected devices, etc.
- Remediation services for identified problems (optional)
  - Additional diagnostic tools for deeper checks
    - Vulnerability scanners
    - AV scanners, etc.
  - Tools for fixing identified problems
    - OS patch links
    - AV signature update and malware removal tools
    - Registration pages for unknown devices
Slide 38: Quarantine Approaches
- Switch integration
  - Uses either ACLs or 802.1x
    - ACLs - not commonly used because of negative performance impact and access requirements in the network
    - 802.1x - forces device to re-authenticate and assigns a new VLAN
  - Pros: Effective both pre and post admission; uses a standards based approach in 802.1x
  - Cons: Can negatively impact switch performance; usually not granular in quarantine server assignment; if using a broadcast quarantine VLAN there is a cross-infection risk
- ARP management
  - Pros: No network integration required for full quarantine capabilities; enables surgical, problem specific quarantine without cross-infection risk; effective both pre and post admission
  - Cons: If implemented improperly, network equipment can misidentify this as an attack and drop this traffic
- In-line blocking with web redirect
- Proxy with switch integration
- Agent with switch integration
- DHCP lease revocation
Slide 39: Business Application of NAC
Slide 40: What is our goal? Protect the triad.
- The business goal is to protect CIA.
- Confidentiality of Data
  - Assurance of data privacy. Only the intended and authorized recipients (individuals, processes or devices) may read the data.
- Integrity of that Data
  - Assurance of data non-alteration. Data integrity is having assurance that the information has not been altered in transmission, from origin to reception.
- Availability of the Data and Critical Business Assets
  - Assurance of timely and reliable access to data services for authorized users. It ensures that information or resources are available when required.
Slide 41: How much should be spent?
- A security budget should reflect the value of the data you are protecting.
- How much is data worth?
  - Network downtime has a cost associated with it
  - Data reliability has a value tied to it
- Pro-active investigation into network downtime and data valuation is critical.
  - Engage a consulting firm to help with discovery
  - Create a process for continued assessment
Slide 42: Network Security GOAL
- To minimize risk on the network with the least amount of administrative overhead and cost.
- Invest in solutions that eliminate the low-hanging fruit
  - The bulk of network attacks are opportunistic in nature; eliminate that risk
- Invest in solutions that have future / cost protection
  - Solutions that require daily maintenance have many hidden costs
- Invest in processes that complement security infrastructure
  - Have a threat mitigation and escalation plan
  - Consult local law regarding data forensics and legal admissibility
Slide 43: How Does NAC Accomplish the Security GOAL?
- Typical security investments are largely re-active
  - Anti-virus relies on signatures and waits for an outbreak to occur to address the problem
  - IDS / IPS monitors traffic and re-actively addresses an outbreak at a choke point in the network
- Most security investments require significant attention to operate effectively or interfere with user productivity
  - IDS/IPS can require daily upkeep to remain effective
  - Anti-virus can interfere with desktop applications and cause help-desk pains
- NAC is pro-actively assessing risk and then re-enforcing with real-time monitoring at the desktop level, sometimes w/o software!
  - Some NAC solutions can address the risk management challenge out-of-band, infrastructure independent, software free, etc.
  - Behavioral threat assessment can require little or no daily upkeep
  - Following posture assessment, high risk devices are kept off the network completely
Slide 44: Summary
- NAC is an evolving technology space
- Know what problems are most important to address
  - Unknown/unauthenticated user control
  - Policy enforcement for endpoints
  - Preventing threats on your network
- Understand implementation tradeoffs
  - Quarantine flexibility
  - Performance impact
  - Cost of solution
  - IT effort to implement
- Keep track of early evolving standards
Slide 45: About Mirage
Slide 46: Mirage Networks Endpoint Control
- Network Access Control
  - Comprehensive Endpoint Control
  - On-entry Risk Assessment
  - Policy Enforcement
  - IP Telephony Enabled
  - Wireless Support
  - Out-of-Band
  - Agentless
- Day-Zero Threat Protection
  - Patented Behavioral Technology
  - No Signatures, No Updates
  - Leverages Dark IP Space
  - Minimal False Positives
  - Customized Policies
  - Day Zero
- Network Intelligence
  - Central Mgmt
  - Asset Tracking
  - Network Visibility
  - Executive Reports
  - Cross Network Correlation
  - Compliance Audit Support
- Policy Enforcement
  - Surgical Quarantining
  - Customized remediation
- Infrastructure-Independent
  - No Network Re-architecture
  - Flexible Self-Remediation Options
  - ARP Management - No VLAN of Death
Slide 47: Strategic Partners
IBM Internet Security Systems (formerly ISS) has formed an alliance with Mirage Networks to provide Network Access Control to global enterprise customers. (Signed November 2006)

Extreme Networks provides organizations with the resiliency, adaptability and simplicity required for a truly converged network that supports voice, video and data over a wired or wireless infrastructure, while delivering high-performance and advanced security features. (Signed March 2005)

Mitsui Bussan Secure Directions, a subsidiary of Mitsui & Co., Ltd. - one of the world's most diversified and comprehensive trading and services companies - powers Mirage NAC sales in the Japanese marketplace. (Signed October 2004)

AT&T resells Mirage NAC in its managed services portfolio. Marketed as AT&T Managed IPS, it represents the AT&T commitment to enabling business to be conducted effectively, efficiently and securely across both wired and wireless IP networks. (Signed March 2005)

Part of the Avaya DevConnect Program, Mirage works with Avaya to develop world-class interior network defense solutions, particularly for emerging IP telephony technology.
Slide 48: Selected Customers
Customer logos grouped by sector: Finance, Government, Professional Services, Healthcare, Higher Education, K-12, Manufacturing, Other
Slide 49: Mirage NAC is the Answer
- Full Cycle Pre- and Post-Admission Policy Enforcement
- Out of Band Deployment - no latency or switch integration
- Infrastructure Independent - all networks, all devices, all OSs
- Zero Day protection without signatures
- Agentless - easy to deploy and manage
- Quarantines without switch integration
- Patented technology
Diagram labels: Check on Connect (Pre-Admission); Policy Enforcement; Zero Day Threat Prevention (Post Admission)
Slide 50: Thank You
- Kurtis Minder, CISSP - Mirage Networks
- Download "Getting the Knack of NAC", a 29 page industry whitepaper, at www.miragenetworks.com