Risk Management using Network Access Control and Endpoint Control for the Enterprise - PowerPoint PPT Presentation

1
Risk Management using Network Access Control and
Endpoint Control for the Enterprise
  • Kurtis E. Minder, Mirage Networks

2
Agenda
  • Drivers of NAC
  • Network Design Elements
  • Key Elements of NAC Solutions
    • Identify
    • Assess
    • Monitor
    • Mitigate
  • NAC Business Application
  • Who is Mirage?
  • Q&A

3
Business Needs Drive Security Adoption
  • 3 ubiquitous security technologies
    • Anti-virus - business driver: file sharing
    • Firewalls - business driver: interconnecting
      networks (i.e. the Internet)
    • VPNs - business driver: remote connectivity
  • Today's top security driver - mobile PCs and
    devices
    • Broadband access is everywhere
    • Increased percentage of the time devices spend on
      unprotected networks
    • Perimeter security is rendered less effective
      because mobile devices bypass it and aren't
      protected by it
  • Mobility of IP devices is driving the need for
    Network Access Control solutions
    • Leading source of network infections
    • More unmanaged devices on the network than ever -
      guest and personal devices

4
The Traditional Approach to Network Security
Isn't Enough
5
The Problem NAC Should Address
Today, endpoint devices represent the greatest
risk to network security by propagating threats
or being vulnerable to them.
"Because of worms and other threats, you can no
longer leave your networks open to unscreened
devices and users. By year-end 2007, 80 percent
of enterprises will have implemented network
access control policies and procedures." - Gartner,
Protect Your Resources With a Network Access
Control Process
  • Infected Devices propagate threats, resulting in
    loss of productivity and hours of cleanup
  • Unknown Devices like home PCs, contractor PCs and
    WiFi phones can introduce new threats or
    compromise data security
  • Out-of-Policy Devices are more vulnerable to
    malware attacks, while running services that
    could jeopardize security
6
The Cost
(Chart not included in the transcript.)
Sources:
1. mi2g Intelligence Unit, Malware Damage in 2004
2. ICSA Labs, 9th Annual Computer Virus Prevalence Survey
7
The Problem is Expected to Get Worse
  • 2006 statistics
    • Steep increase in the number of software security
      vulnerabilities discovered by researchers and
      actively exploited by criminals
    • Microsoft Corp issued fixes for 97 (versus 37 in
      2005) security holes assigned the "critical" label
    • 14 of the critical ones became "zero day" threats
  • Experts worry that businesses will be slow to
    switch to Vista
    • Pre-Vista MS Office is expected to remain in
      widespread use for the next 5-10 years

Source: Washington Post, Dec 2006, "Cyber Crime
Hits the Big Time in 2006"
8
NAC Market Expectations
  • NAC appliance vendors will sell $660M worldwide
    in 2008
  • NAC appliances will gain 17% worldwide share of
    the NAC market by 2008, up from 6% in 2005
  • Research reveals the World Network Access Control
    (NAC) Products and Architectures Markets earned
    revenues of over $85 million in 2006 and
    estimates this to reach over $600 million in 2013
  • Gartner estimates that the NAC market was $100M
    in 2006 and will grow by over 100% by YE 2007

9
Increasing Number of Targets to Protect
SANS Institute 2006 Top Attack Targets
  • Operating Systems
    • Internet Explorer
    • Windows Libraries
    • Microsoft Office
    • Windows Services
    • Windows Configuration Weaknesses
    • Mac OS X
    • Linux Configuration Weaknesses
  • Network Devices
    • VoIP Phones & Servers
    • Network & Other Devices Common Configuration
      Weaknesses
  • Cross Platform Applications
    • Web Applications
    • Database Software
    • P2P File Sharing Applications
    • Instant Messaging
    • Media Players
    • DNS Servers
    • Backup Software
    • Security, Enterprise, and Directory Management
      Servers
  • Security Policy & Personnel
    • Excessive User Rights & Unauthorized Devices
    • Users (Phishing/Spear Phishing)

SANS Institute Top 20 Internet Security Attack
Targets (2006 Annual Update), v7.0, 11.15.06
10
What Class of NAC Solutions to Deploy?
Aberdeen Research, 2006
11
Top Drivers Influencing NAC Solutions
Aberdeen Research, 2006
12
Top Features Required in a NAC Solution
Aberdeen Research, 2006
13
Principal Network Design Elements
14
Network Design Meets Security Design
  • Multi-layer switching
    • Fundamental to network architecture
    • Supplemental to network security
  • Getting closer to the desktop
    • Access switch technologies
    • Agent approaches
  • Virtual Local Area Networks (VLANs)
    • Network segmentation or security tool?
  • Appliance or infrastructure?

15
Network Design Models
16
Evolution of Network Device Segmentation: Where
is 802.1x Going?
17
Network Security Design Example
Typical network design includes security at the
perimeter; this is a best practice. Desktop
software may also be used to keep machines clean
of viruses and malicious content. This is a
typical network, simplified.
18
Key Elements of NAC Solutions
19
Common NAC Elements
  • NAC is an evolving space with evolving
    capabilities
  • NAC solution elements - some or all:
    • Identify - Detect and authenticate new devices
    • Assess - Endpoint integrity checks to determine
      levels of risk and adherence to security policy
    • Monitor - Watch the device's activity for change
      of assessed state with respect to policy and
      threat status
    • Mitigate - Take appropriate action upon any
      device that is identified as a security risk by
      the previous three elements

20
Identify - Find/Authenticate New Devices
  • Question - How do you know when a new device
    comes on the network? Is it a known or unknown
    device? Is it an authenticated user?
  • Common approaches
    • Leverage 802.1x or network infrastructure OS
      • Authenticate through existing EAP infrastructure
        to pass credentials to the authentication server
    • Special purpose DHCP server
      • Authentication usually web based and tied to an
        authentication server
    • Authentication proxy
      • NAC solution serves as a proxy between device and
        authentication server
    • Inline security appliances (i.e. security
      switches)
      • Serve as a proxy between device and
        authentication server
    • Real time network awareness
      • Authentication usually web based and tied to an
        authentication server
  • All approaches trigger off entry on the network
    by a new IP device

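The slide's closing point is that every Identify approach fires on the same event: a new IP device appearing on the network. The added example below (not from the presentation or Mirage's product) shows that trigger for the "special purpose DHCP server" case: it watches ISC dhcpd-style DHCPACK syslog lines, ignores lease renewals that are not a new entry, and classifies each arriving device as known-managed, known-unmanaged or unknown so the Assess stage can be started. The log lines, the inventory and the `DHCPACK` regex are constructed for the example.

```python
"""Identify stage of NAC: spot new IP devices from DHCP lease events.

Added example, not taken from the presentation. It assumes ISC dhcpd-style
syslog lines; the lines and the device inventory below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# ISC dhcpd logs a DHCPACK when it hands out or renews a lease (assumed format).
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<hostname>[^)]*)\))? via (?P<iface>\S+)"
)

# Constructed inventory of assets keyed by MAC address.
KNOWN_DEVICES = {
    "00:1a:4b:10:00:01": {"owner": "alice", "asset": "LT-0041", "managed": True},
    "00:1a:4b:10:00:02": {"owner": "print-svc", "asset": "PRN-07", "managed": False},
}

# Constructed dhcpd syslog excerpt: two known devices, one unknown phone,
# then a renewal of the first lease (same MAC, same IP).
SAMPLE_DHCP_LOG = [
    "Mar  3 09:12:01 dhcp1 dhcpd: DHCPACK on 10.1.20.15 to 00:1a:4b:10:00:01 (LT-0041) via eth1",
    "Mar  3 09:12:07 dhcp1 dhcpd: DHCPACK on 10.1.20.16 to 00:1a:4b:10:00:02 via eth1",
    "Mar  3 09:13:44 dhcp1 dhcpd: DHCPDISCOVER from 3c:22:fb:aa:bb:cc via eth1",
    "Mar  3 09:13:45 dhcp1 dhcpd: DHCPACK on 10.1.20.17 to 3c:22:fb:aa:bb:cc (iPhone) via eth1",
    "Mar  3 09:42:01 dhcp1 dhcpd: DHCPACK on 10.1.20.15 to 00:1a:4b:10:00:01 (LT-0041) via eth1",
]


@dataclass
class IdentifyEvent:
    mac: str
    ip: str
    hostname: str
    interface: str
    status: str            # "known-managed", "known-unmanaged" or "unknown"
    needs_assessment: bool  # every new entry is handed to the Assess stage


@dataclass
class DeviceTracker:
    known: Dict[str, dict]
    seen: Dict[str, str] = field(default_factory=dict)  # mac -> current ip

    def handle_log_line(self, line: str) -> Optional[IdentifyEvent]:
        m = DHCPACK_RE.search(line)
        if not m:
            return None                      # DISCOVER/OFFER/etc. are not entries
        mac, ip = m["mac"].lower(), m["ip"]
        if self.seen.get(mac) == ip:
            return None                      # renewal on the same address, not new
        self.seen[mac] = ip
        entry = self.known.get(mac)
        if entry is None:
            status = "unknown"               # guest/personal device: needs registration
        elif entry["managed"]:
            status = "known-managed"         # an agent can report posture
        else:
            status = "known-unmanaged"       # e.g. a printer: network-side checks only
        return IdentifyEvent(mac, ip, m["hostname"] or "", m["iface"], status, True)


def identify_new_devices(lines: List[str], known=KNOWN_DEVICES) -> List[IdentifyEvent]:
    """Run the tracker over a log excerpt and return one event per new entry."""
    tracker = DeviceTracker(known)
    events = []
    for line in lines:
        ev = tracker.handle_log_line(line)
        if ev is not None:
            events.append(ev)
    return events


if __name__ == "__main__":
    for ev in identify_new_devices(SAMPLE_DHCP_LOG):
        print(f"{ev.ip:<12} {ev.mac} {ev.status:<16} host={ev.hostname or '-'}")
```

The tracker keys on the MAC address reported by the DHCP server; a device that changes addresses is treated as a new entry and re-assessed, while a straightforward renewal is not, which keeps the Assess stage from being re-run on every lease refresh.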
21
Identify - Pros & Cons of Various Approaches
  • 802.1x approach
    • Pros: Device detected and authenticated prior to
      IP address assignment
    • Cons: Often a costly and time consuming
      installation
      • Requires switch upgrade/reconfiguration
      • Endpoints must be 802.1x enabled - requires
        supplicant software
      • Must create guest/remediation VLANs
  • Out of band appliances with network awareness
    • Pros: Sees all devices as they enter the network,
      both managed and unmanaged; easier to implement
      than many of the other approaches
    • Cons: May require switch integration for
      mitigation of the problem
  • Authentication proxy
  • In-line security appliance/switch
  • DHCP lease quarantine

22
NAC Design - Proxy
Using proxy technology to enforce NAC can be very
effective since it supplies L3-7 visibility into
packet data. It can also be a point of failure
and latency. Downstream traffic may be missed.
23
NAC Design - Inline
Inline NAC enforcers' effectiveness is directly
impacted by network placement. Point of
failure/latency possible. Downstream traffic missed.
24
NAC Design - Access Switch Replacement
Access switch NAC devices are a viable
solution. L3-7 visibility. Expensive. Not a switch.
25
NAC Design - OOB
Out of band solutions are ideal for complex
network environments. Supports heterogeneous
environments. Sees all traffic. May need complex
switch integration.
26
Assess
27
Assess Endpoint Integrity
  • Question: Even if a device is allowed on my
    network, how do I ensure it meets my security
    policies and risk tolerance?
  • Answer: Endpoint integrity checks
    • Operating system identification and validation
      checks
      • Typically requires an agent
      • Must establish a policy relating to acceptable
        patch level (latest patch on company SMS server,
        no older than X months, most recent patch
        available from software vendor)
      • What do you do for unknown devices? Usually
        requires an agent for these checks
    • Security software checks - AV, personal firewall,
      spyware, etc.
      • Is it up and running?
      • Is it in the right configuration?
      • Is it up to date - both the software and the
        database?
      • Usually requires an agent for these checks

28
Scanning the host
  • Client integrity checks often include
    • Patch level
    • Anti-virus existence and rev. level
    • Anti-spyware existence and rev. level
    • Personal firewall enable status

29
Scanning the host (cont.)
Does the device get network access? Posture
assessment determines whether a high-risk device
gets network access at all, or limits its access
based on risk level.
30
Assess Endpoint Integrity (cont.)
  • Additional elements may be required to
    effectively set and enforce Network Access
    Control policy on the network. Often these
    components are managed individually.
  • Elements for endpoint integrity checks
    • Network scanning server (optional)
    • Endpoint software - permanent or transient
      (optional)
    • Policy server (required) - must have somewhere to
      define what is allowed/disallowed
    • Switch API
    • Etc.

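Slides 27 to 30 describe the Assess stage as a set of integrity checks (OS, patch age "no older than X months", AV present/running/up to date, personal firewall) evaluated against a policy server's definition of what is allowed, with the outcome deciding whether a high-risk device gets access at all or only limited access. The added example below (not from the presentation or any vendor's product) is a small policy engine of that shape: it scores each finding, maps the worst finding to an access decision, and picks the remediation zone that can actually fix the problem, the "surgical" quarantine assignment the Mitigate slides ask for. The `POLICY` thresholds, the `Posture` reports and the zone names are constructed; a real deployment would fill the posture fields from an agent or a network scan.

```python
"""Assess stage: endpoint integrity checks evaluated against a NAC policy.

Added example, not taken from the presentation. Policy thresholds, posture
reports and remediation zone names are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Policy server definition (constructed): what is allowed and what is not.
POLICY = {
    "allowed_os": {"Windows XP SP2", "Windows Vista", "Mac OS X 10.4"},
    "max_patch_age_days": 90,           # "no older than X months"
    "max_av_signature_age_days": 7,     # AV database must be current
    "require_firewall": True,
}

# Severity of each finding category and the remediation zone it is sent to.
SEVERITY = {"os": "high", "av": "high", "patch": "medium", "firewall": "medium"}
ZONE_FOR = {
    "os": "registration",      # unknown/unsupported OS: register the device
    "av": "av-scanner",        # AV missing, stopped or stale: scan and update
    "patch": "patch-portal",   # old patch level: OS patch links
    "firewall": "patch-portal",
}


@dataclass
class Posture:
    device_id: str
    os_name: str
    last_patch: Optional[date]
    av_installed: bool
    av_running: bool
    av_signature_date: Optional[date]
    firewall_enabled: bool


@dataclass
class Decision:
    access: str                       # "full", "limited" or "quarantine"
    risk: str                         # "low", "medium" or "high"
    findings: List[str] = field(default_factory=list)
    remediation_zone: Optional[str] = None


def _age_days(today: date, when: Optional[date]) -> Optional[int]:
    return None if when is None else (today - when).days


def assess(p: Posture, today: date, policy=POLICY) -> Decision:
    findings: List[Tuple[str, str]] = []   # (category, message)
    if p.os_name not in policy["allowed_os"]:
        findings.append(("os", f"OS not in allowed set: {p.os_name}"))
    age = _age_days(today, p.last_patch)
    if age is None or age > policy["max_patch_age_days"]:
        findings.append(("patch", f"patch level unknown or too old ({age} days)"))
    if not p.av_installed:
        findings.append(("av", "anti-virus not installed"))
    elif not p.av_running:
        findings.append(("av", "anti-virus installed but not running"))
    else:
        sig_age = _age_days(today, p.av_signature_date)
        if sig_age is None or sig_age > policy["max_av_signature_age_days"]:
            findings.append(("av", f"anti-virus signatures stale ({sig_age} days)"))
    if policy["require_firewall"] and not p.firewall_enabled:
        findings.append(("firewall", "personal firewall disabled"))

    if not findings:
        return Decision("full", "low")
    worst = "high" if any(SEVERITY[c] == "high" for c, _ in findings) else "medium"
    access = "quarantine" if worst == "high" else "limited"
    # The zone follows the most severe finding (stable sort keeps report order
    # among equals), so the device lands where its problem can be fixed.
    lead = sorted(findings, key=lambda f: 0 if SEVERITY[f[0]] == "high" else 1)[0]
    return Decision(access, worst, [msg for _, msg in findings], ZONE_FOR[lead[0]])


# Constructed posture reports: a compliant laptop, a laptop with an old patch
# level and its firewall off, and an unknown guest machine with no AV.
TODAY = date(2007, 3, 1)
SAMPLE_POSTURES = [
    Posture("LT-0041", "Windows XP SP2", TODAY - timedelta(days=12), True, True,
            TODAY - timedelta(days=2), True),
    Posture("LT-0088", "Windows XP SP2", TODAY - timedelta(days=140), True, True,
            TODAY - timedelta(days=1), False),
    Posture("GUEST-17", "Windows 2000", None, False, False, None, False),
]


def run_assessments(today: date = TODAY):
    """Assess every sample posture; returns device_id -> Decision."""
    return {p.device_id: assess(p, today) for p in SAMPLE_POSTURES}


if __name__ == "__main__":
    for dev, d in run_assessments().items():
        print(f"{dev:<9} access={d.access:<10} risk={d.risk:<6} "
              f"zone={d.remediation_zone or '-'} findings={d.findings}")
```

Separating `SEVERITY` and `ZONE_FOR` from the checks themselves is what keeps the engine policy-driven: the policy server owner can tighten the patch window or change where a category lands without touching the check code.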
31
Monitor
32
Monitoring Post Network Entry
  • The forgotten element of Network Access Control
  • Why is monitoring a critical element of NAC?
    • Can't effectively check for all threats on entry
      - takes too long
    • Security policy state can change post entry -
      users initiate FTP after access is granted
    • Infection can occur post entry - e-mail and web
      threats can change the security state of the device
  • This is critical to network awareness /
    intelligence
  • Monitoring is both for threats and policy
    adherence - takes advantage of the policy definition
    of the NAC solution
  • Works hand in hand with NAC quarantine services

33
Traditional Approach to Network Security
  • Traditional approach
    • Firewall/IPS at the perimeter
    • AV, HIDS/HIPS on the endpoint
  • External environment
    • New technologies
    • New threats
    • Regulatory requirements

34
Exploiting the Network's Weakness
Infected endpoints bypass the perimeter, generating
rapidly propagating threats that take over a
network in minutes.
35
Monitoring Approaches
  • Agent based approaches
    • Host Intrusion Prevention Systems
    • Personal firewalls
    • Both require integration with a network policy
      server to be an element of NAC
    • Doesn't cover unknown/unmanaged/unmanageable
      devices
  • Network based approaches
    • In-line: Typically an evolution of IPS vendors into
      NAC capabilities; also includes Network Based
      Anomaly Detection (NBAD) vendors
    • Out-of-band: Most commonly NBAD and old
      Distributed Denial of Service (DDoS) security
      vendors
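Slides 32, 34 and 35 argue that posture can change after admission (a user starts FTP, an e-mail or web infection turns a clean host into one that sweeps the network in minutes) and that a network-based, out-of-band monitor catches this without an agent. The added example below (not from the presentation or any vendor's product) shows the two checks a post-entry monitor needs over a constructed flow log: a policy-adherence rule (a forbidden service used after admission) and a behavioural rule (one host fanning out to many destinations, including unallocated "dark" address space, inside a short window). Each hit produces an alert naming the quarantine action the Mitigate stage would take. The `ts=... src=... dst=... dport=... proto=...` record format, the allocated-subnet list and the thresholds are constructed for the example.

```python
"""Monitor stage: post-entry policy and behaviour checks over a flow log.

Added example, not taken from the presentation. The key=value flow record
format, the address plan and the thresholds below are constructed.
"""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List

# Constructed policy: services that must not be used after admission.
FORBIDDEN_TCP_PORTS = {21: "ftp"}
# Constructed address plan: only these blocks inside 10.1.0.0/16 are allocated;
# the rest is dark space that no legitimate host has a reason to contact.
ENTERPRISE = ipaddress.ip_network("10.1.0.0/16")
ALLOCATED = [ipaddress.ip_network("10.1.20.0/24"), ipaddress.ip_network("10.1.30.0/24")]
SCAN_WINDOW_S = 10.0       # sliding window per source host
SCAN_DISTINCT_DSTS = 5     # distinct destinations in the window => scan-like
DARK_HITS = 2              # dark-space destinations in the window => scan-like


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(float(kv["ts"]), kv["src"], kv["dst"], int(kv["dport"]), kv["proto"])


def is_dark(dst: str) -> bool:
    ip = ipaddress.ip_address(dst)
    return ip in ENTERPRISE and not any(ip in net for net in ALLOCATED)


class PostEntryMonitor:
    def __init__(self, window_s: float = SCAN_WINDOW_S):
        self.window_s = window_s
        self.recent: Dict[str, deque] = defaultdict(deque)  # src -> (ts, dst)
        self.scan_alerted = set()   # raise the behavioural alert once per host
        self.alerts: List[dict] = []

    def observe(self, f: Flow) -> None:
        # 1. Policy adherence: a service the policy forbids, started post-entry.
        if f.proto == "tcp" and f.dport in FORBIDDEN_TCP_PORTS:
            self.alerts.append({"ts": f.ts, "src": f.src, "kind": "policy-violation",
                                "detail": f"{FORBIDDEN_TCP_PORTS[f.dport]} to {f.dst}",
                                "action": "quarantine:policy-portal"})
        # 2. Threat behaviour: fan-out and dark-space hits within the window.
        q = self.recent[f.src]
        q.append((f.ts, f.dst))
        while q and f.ts - q[0][0] > self.window_s:
            q.popleft()
        dsts = {d for _, d in q}
        dark = sum(1 for d in dsts if is_dark(d))
        if f.src not in self.scan_alerted and (
                len(dsts) >= SCAN_DISTINCT_DSTS or dark >= DARK_HITS):
            self.scan_alerted.add(f.src)
            self.alerts.append({"ts": f.ts, "src": f.src, "kind": "scan-behaviour",
                                "detail": f"{len(dsts)} destinations, {dark} dark",
                                "action": "quarantine:av-scanner"})


# Constructed flow log: a normal session, an FTP session started after
# admission, and a host sweeping neighbouring and dark addresses on tcp/445.
SAMPLE_FLOWS = [
    "ts=100.0 src=10.1.20.15 dst=10.1.30.5 dport=443 proto=tcp",
    "ts=101.0 src=10.1.20.15 dst=10.1.30.9 dport=21 proto=tcp",
    "ts=200.0 src=10.1.20.17 dst=10.1.20.1 dport=445 proto=tcp",
    "ts=200.5 src=10.1.20.17 dst=10.1.20.2 dport=445 proto=tcp",
    "ts=201.0 src=10.1.20.17 dst=10.1.40.3 dport=445 proto=tcp",
    "ts=201.5 src=10.1.20.17 dst=10.1.40.4 dport=445 proto=tcp",
    "ts=202.0 src=10.1.20.17 dst=10.1.20.5 dport=445 proto=tcp",
    "ts=300.0 src=10.1.20.16 dst=10.1.30.5 dport=443 proto=tcp",
]


def run_monitor(lines: List[str]) -> List[dict]:
    """Feed a flow log through the monitor and return the alerts raised."""
    mon = PostEntryMonitor()
    for line in lines:
        mon.observe(parse_flow(line))
    return mon.alerts


if __name__ == "__main__":
    for a in run_monitor(SAMPLE_FLOWS):
        print(f"t={a['ts']:<6} {a['src']:<11} {a['kind']:<17} {a['detail']} -> {a['action']}")
```

The dark-space rule is the cheaper of the two behavioural signals: legitimate hosts almost never address unallocated space, so two hits in a window are enough to act on, whereas the distinct-destination count has to be tuned per network so that servers and management stations do not trip it.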

36
Mitigate
37
Mitigation Approaches for NAC
  • Two elements for NAC mitigation
    • Quarantine capabilities (required)
      • On-entry: restrict access for devices not meeting
        requirements
      • Post-entry: take a device off the network and send
        it to a quarantine zone if it violates policy or
        propagates a threat
      • Ideally should be able to assign to a different
        quarantine server based on the problem, i.e.
        registration server for guests, AV scanner for
        infected devices, etc.
    • Remediation services for identified problems
      (optional)
      • Additional diagnostic tools for deeper checks -
        vulnerability scanners, AV scanners, etc.
      • Tools for fixing identified problems - OS patch
        links, AV signature update and malware removal
        tools
      • Registration pages for unknown devices

38
Quarantine Approaches
  • Switch integration
    • Uses either ACLs or 802.1x
      • ACLs - not commonly used because of negative
        performance impact and access requirements in the
        network
      • 802.1x - forces the device to re-authenticate and
        assigns a new VLAN
    • Pros: Effective both pre and post admission;
      uses a standards based approach in 802.1x
    • Cons: Can negatively impact switch performance;
      usually not granular in quarantine server
      assignment; if using a broadcast quarantine VLAN
      there is a cross-infection risk
  • ARP management
    • Pros: No network integration required for full
      quarantine capabilities; enables surgical,
      problem specific quarantine without
      cross-infection risk; effective both pre and post
      admission
    • Cons: If implemented improperly, network
      equipment can misidentify this as an attack and
      drop this traffic
  • In-line blocking with web redirect
  • Proxy with switch integration
  • Agent with switch integration
  • DHCP lease revocation

39
Business Application of NAC
40
What is our goal? Protect the triad.
  • The business goal is to protect CIA.
    • Confidentiality of data
      • Assurance of data privacy. Only the intended and
        authorized recipients (individuals, processes or
        devices) may read the data.
    • Integrity of that data
      • Assurance of data non-alteration. Data integrity
        is having assurance that the information has not
        been altered in transmission, from origin to
        reception.
    • Availability of the data and critical business
      assets
      • Assurance of timely and reliable access to
        data services for authorized users. It ensures
        that information or resources are available when
        required.

41
How much should be spent?
  • A security budget should reflect the value of the
    data you are protecting.
  • How much is data worth?
  • Network downtime has a cost associated with it
  • Data reliability has a value tied to it
  • Pro-active investigation into network downtime
    and data valuation is critical.
  • Engage a consulting firm to help with discovery
  • Create a process for continued assessment

42
Network Security GOAL
  • To minimize risk on the network with the least
    amount of administrative overhead and cost.
  • Invest in solutions that eliminate the
    low-hanging fruit
    • The bulk of network attacks are opportunistic in
      nature; eliminate that risk
  • Invest in solutions that have future / cost
    protection
    • Solutions that require daily maintenance have
      many hidden costs
  • Invest in processes that complement the security
    infrastructure
    • Have a threat mitigation and escalation plan
    • Consult local law regarding data forensics and
      legal admissibility

43
How Does NAC Accomplish the Security GOAL?
  • Typical security investments are largely
    re-active
    • Anti-virus relies on signatures and waits for an
      outbreak to occur to address the problem
    • IDS / IPS monitors traffic and re-actively
      addresses an outbreak at a choke point in the
      network
  • Most security investments require significant
    attention to operate effectively or interfere
    with user productivity
    • IDS/IPS can require daily upkeep to remain
      effective
    • Anti-virus can interfere with desktop
      applications and cause help-desk pains
  • NAC is pro-actively assessing risk and then
    re-enforcing with real-time monitoring at the
    desktop level, sometimes w/o software!
    • Some NAC solutions can address the risk
      management challenge out-of-band, infrastructure
      independent, software free, etc.
    • Behavioral threat assessment can require little
      or no daily upkeep
    • Following posture assessment, high risk devices
      are kept off the network completely

44
Summary
  • NAC is an evolving technology space
  • Know what problems are most important to address
    • Unknown/unauthenticated user control
    • Policy enforcement for endpoints
    • Preventing threats on your network
  • Understand implementation tradeoffs
    • Quarantine flexibility
    • Performance impact
    • Cost of solution
    • IT effort to implement
  • Keep track of early evolving standards

45
About Mirage
46
Mirage Networks Endpoint Control
  • Network Access Control
    • Comprehensive Endpoint Control
    • On-entry Risk Assessment
    • Policy Enforcement
    • IP Telephony Enabled
    • Wireless Support
    • Out-of-Band
    • Agentless
  • Day-Zero Threat Protection
    • Patented Behavioral Technology
    • No Signatures, No Updates
    • Leverages Dark IP Space
    • Minimal False Positives
    • Customized Policies
    • Day Zero
  • Network Intelligence
    • Central Mgmt
    • Asset Tracking
    • Network Visibility
    • Executive Reports
    • Cross Network Correlation
    • Compliance Audit Support
  • Policy Enforcement
    • Surgical Quarantining
    • Customized remediation
    • Infrastructure-Independent
    • No Network Re-architecture
    • Flexible Self-Remediation Options
    • ARP Management - No VLAN of Death

47
Strategic Partners
  • IBM Internet Security Systems (formerly ISS) has
    formed an alliance with Mirage Networks to
    provide Network Access Control to global
    enterprise customers. (Signed November 2006)
  • Extreme Networks provides organizations with the
    resiliency, adaptability and simplicity required
    for a truly converged network that supports
    voice, video and data over a wired or wireless
    infrastructure, while delivering high performance
    and advanced security features. (Signed March
    2005)
  • Mitsui Bussan Secure Directions, a subsidiary of
    Mitsui & Co., Ltd. - one of the world's most
    diversified and comprehensive trading and
    services companies - powers Mirage NAC sales in
    the Japanese marketplace. (Signed October 2004)
  • AT&T resells Mirage NAC in its managed services
    portfolio. Marketed as AT&T Managed IPS, it
    represents the AT&T commitment to enabling
    business to be conducted effectively, efficiently
    and securely across both wired and wireless IP
    networks. (Signed March 2005)
  • Part of the Avaya DevConnect Program, Mirage
    works with Avaya to develop world-class interior
    network defense solutions, particularly for
    emerging IP telephony technology.
48
Selected Customers
Finance
Government
Professional Services
Healthcare
Higher Education
K-12
Manufacturing
Other
49
Mirage NAC is the Answer
  • Full cycle pre- and post-admission policy
    enforcement
  • Out of band deployment: no latency, no switch
    integration
  • Infrastructure independent: all networks, all
    devices, all OSs
  • Zero day protection without signatures
  • Agentless: easy to deploy and manage
  • Quarantines without switch integration
  • Patented technology

Diagram labels: Check on Connect (Pre-Admission);
Policy Enforcement; Zero Day Threat Prevention
(Post Admission)
50
Thank You
  • Kurtis Minder, CISSP - Mirage Networks
  • Download "Getting the Knack of NAC", a 29-page
    industry whitepaper, at www.miragenetworks.com