Auto-Protecting Networks Powered by IPS-Based NAC

1
Auto-Protecting NetworksPowered by IPS-Based NAC

• Ken Low CISSP GSLC Security
  Lead, Asia Pacific

2
(No Transcript)
3
Outline

• The Challenges of NAC
• Trends Where is NAC Heading?
• Intrusion Prevention Systems (IPS)
• Auto-Protecting Networks
• IPS-based NAC

4
Section Divider
The Challenges

• Why Is Software-Based NAC Failing?

If you think technology can solve your security
problems, then you don't understand the problems
and you don't understand the technology.
Bruce Schneier
5
The Problem

• Administrators want to automatically prevent the
  spread of worms and malicious traffic through
  their networks
• Most vendors attempt this through host integrity
  checking via a software agent
• If the host passes a security profile check
  (updated OS patch level and updated AV signature
  file), it is allowed onto the network
• Sounds simple enough, but

Administration Nightmare
6
What we dont need more of
Client Software Applications

• Pop Up Blocker
• Spyware
• Adware
• Anti-Virus
• Personal FW
• Content Filter
• Spam Filter
• IPSec Client
• Citrix Client

MORE CLIENTSOFTWARE
X 1000s of users Unmanageable

• OS dependent
• Device dependent
• Updating nightmare
• Disparate solution set

The market does not need another endpoint
software security application to purchase,
configure, distribute, install, maintain, and
manage.
7
Software-based NAC

• Security Agent (SA) is software residing on host.
  SA available in 2 forms
• As stand alone agent
• Included in partners AV clients
• SA checks for updated OS patch and AV signature
  on host, and communicates hosts profile to a
  Trusted Agent (TA)
• TA receives policy from policy server
• If endpoint fits security policy, then TA
  forwards credentials to infrastructure devices

8
How NAC Works
AV Server (Optional)
AAA RADIUS Policy Server
3 Checks acceptable policy
4 If acceptable, Trusted Agent instructsnetwork
infrastructure to allow connectivity
Trusted Agent on PC
2 Passes profile info to
Security Agent
Client AV
Windows PC
/ or
1
9
Why Networks Need Quarantine
Secure
Vulnerable
Perimeter
Internal
LAN Segment
Enterprise Network
Internet
Wi-Fi
LAN Segment
Remote Branch
X
Attacks enter from LAN endpoints
Attacks Blocked


10
NAC Limitations
Only works with limited / proprietary network
gear
AAA RADIUS Policy Server
Requires Infrastructure Modification new AAA
server
Requires Manual Policy Updates
Trusted Agent on PC
Requires Additional Software Clients
Does not support many 3rd party network devices
Security Agent
Client AV
Windows PC
/ or
Excludes Mac, Linux, VoIP, Printers, PDAs
Forces visitors to adopt new policy or receive a
default access policy
Supports All AV Products?
11
NAC Failures
AAA RADIUS Policy Server
Trusted Agent on PC
Security Agent
Client AV
Windows PC
/ or
Zero-Day Threat with no OS patch or AV signature
12
NAC Failures
AAA RADIUS Policy Server
DDoS Attack
Trusted Agent on PC
Security Agent
Client AV
Windows PC
/ or
A malicious user passes profile check, then
launches attack
13
Enterprise Endpoint Security

• Enterprise Endpoint Security
• Agent Based
• Similar to NAC, but better
• Works with desktop firewall products e.g.
  Symantec NAC, InfoExpress
• Agents forward profile info to assessment
  server/auth server
• Network Based
• If no agent is present, endpoint is scanned with
  VA and OS patch scan tools
• Requires purchase and tuning of scanning for
  different types of devices
• Error prone
• Must create new scan profiles for each type of
  device
• Must update policy
• NAC will have this in Phase 2 release
• Even the network based solution works like an
  agent based solution, bringing the same
  complications of
• forcing all nodes to comply to your security
  profile which will at some point block authorized
  users and generate help desk calls
• failing to prevent malicious users who pass a sec
  policy from launching attacks
• failing to provide infrastructure based security
  mechanisms (i.e. IPS devices to control segments)
• doesnt verify AV at all, so network is still
  vulnerable to all exploits that are not addressed
  by an OS patch

14
Other NAC Problems

• Limitations
• NAC wont scale lots of legacy and even new
  equipment that dont support NAC e.g. VoIP phones
• What is 802.1X? many legacy hardware,
  printers and other devices dont support 802.1X
  protocol to enforce access policies before
  systems are assigned an IPS address
• Exploits
• Attack The Unmanaged Switch hackers can find
  their way into network by connecting through a
  switch not supported by NAC
• Spoofing hackers can spoof MAC and IP
  addresses for known systems that are allowed
  access
• Alter Desktop AV Software make infected
  endpoints appear to be adequately patched and
  have up to date antivirus definitions
• Attack The Quarantine Network introduce zero
  day exploit to quarantined devices, then
  remediate and control them

15
Section Divider
Trends Where is NAC Heading?

• A Survey Of The NACscape

If you think technology can solve your security
problems, then you don't understand the problems
and you don't understand the technology.
Bruce Schneier
16
The NAC Market Yesterday

• Proprietary single vendor solutions
• Proprietary device support
• Limited OS support
• Limited AV support
• Limited Patch support
• Limited network access control policies
• Proprietary or limited authentication support
• No or incomplete open standards

17
The NAC Market Today
Client/Server
IPS-Based
AVAILABLE NOW!

• Major Players
• TCGs TNC
• Microsofts NAP
• Ciscos Network Admission Control

• Methodology
• Clientless Network-Based
• Standards-Based (RADIUS / 802.1x)
• Endpoint agnostic
• Enforce network access policies
• Greater protection beyond AV patches e.g. DDoS,
  Zero Day Attacks, VoIP, Protocol Attacks,
  Phishing, Spyware, Instant Messaging etc.
• Ease of installation, admin maintenance

• Methodology
• Endpoint dependent
• Limited protection - checks for AV and patches
  only (vulnerability scans unrealistic)
• Enforces network access policies

18
The NAC Market Tomorrow (Future)

• TCGs TNC open standards gaining support from
  several partners (ref. Interop NY Aug06).
• Microsofts NAP will work with Longhorn
  (Microsofts new server OS) available in 6 to 12
  months time. Extensive support from Microsoft
  partners.
• Cisco NACs proprietary grip will erode e.g.
  customers can choose to use NAP or NAC client in
  Microsofts Vista and more Cisco products will
  support TNC, joining other network vendors in the
  embrace of open standards.
• Within 2 to 3 years, Microsofts NAP, TCGs TNC
  and Ciscos NAC will mature and possibly
  integrating/consolidating to a single solution.
• IPS-based NAC (e.g. TippingPoint Quarantine) will
  continue to provide more comprehensive
  sophisticated protection for networks as an
  extention of network IPS. There will be more
  powerful integration between IPS-based NAC with
  the major NAC schemes.

19
Section Divider
Intrusion Prevention Systems (IPS)

• Stopping The Attack Before It Happens

Securing a computer system has traditionally been
a battle of wits the penetrator tries to find
the holes, and the designer tries to close them.
M. Gosser
20
Convergence of Network and Security
21
Proactive Defense Through Intelligence and Power
Attacks are detected and blocked at full network
speed. TippingPoint IPS functions as a network
patch or virtual software patch
Attacks are stopped before they can cause damage
to your infrastructure.
22
Closing the Gap with TippingPoint Intrusion
Prevention

• High Performance Custom Hardware
• Highly Advanced Prevention Filters
• Constant Update Protection Service
• 5 Gbps Throughput
• Switch-Like Latency
• 2M Sessions
• 250K Sessions/Second
• Total Flow Inspection
• 64K Rate Shaping Queues
• 10K Parallel Filters

23
World Class Security Research
The Digital Vaccine service is the most
comprehensive, accurate and automatic protection
service available.

• Coverage
• Vendors
• Threat organizations
• Independent researchers (ZDI)
• Internal Threat Management Center
• Timeliness
• Weekly filter distribution
• Zero Day Initiative
• Same day Microsoft Tuesday coverage
• Accuracy
• Designed to block
• 5 years of filter writing experience
• No performance degradation
• Extensibility
• Signatures, vulnerabilities, traffic and protocol
  anomalies
• New Threats P2P, Instant Messaging, Spyware,
  Phishing, VOIP

24
Current TippingPoint Product Line
TippingPoint X505
TippingPoint SMS
25
Worlds Most Awarded IPS 31 Awards
26
Gartner Magic Quadrant Leader
3Com/TippingPoint
ABILITY TO EXECUTE
COMPLETENESS OF VISION
27
TippingPoint Market Leadership
TippingPoint comes out on top they have an
incredibly high percentage of customers running
their product not only in-line, but running their
default recommended settings of over 800 filters
they have a 33 share in 2005, nearly double that
of their next closest competitor. Jeff Wilson,
Infonetics May 2006
Source Infonetics Research Network Intrusion
Prevention Market Outlook May 17, 2006
28
Worlds 1st ICSA-Certified Multi-Gigabit Network
IPS
17 ICSA Consortium Members
10 Testing Participants (Confidential)
3 Gbps84 µsec latency
350 Mbps398 µsec latency
100 Mbps441 µsec latency
3 Certified Vendors
29
Section Divider
Auto-Protecting Networks
The Future Of NAC Now
The user's going to pick dancing pigs over
security every time. - Bruce Schneier
30
Meanwhile in Dads Office .....

• Now
• Son is now in his teens
• PDA phone (e.g. Blackberry) infected with a new
  virus connects to Wi-Fi network automatically.
• No alarms go off this time, the virus spreads in
  the network very quickly and network goes down
• Dad doesnt smile this time, summons his CSO.

• Previously
• Son uses Dads (CEO) computer in the office to
  surf the Internet.
• Unknowingly visits a malicious website and is
  stopped by the companys new Network Access
  Control (NAC) system and the alarms go off.
• Dad walks into the room, finds out whats
  happening and smiles at him.

• Closing
• Son, employees and contractors are using various
  access devices e.g. PDA phones, Wi-Fi laptops,
  iPods, Laptops etc.
• Dad asks, is everything OK?
• Everyone smiles and look at the CSO who carries a
  technical manual entitled ....

31
(No Transcript)
32
(No Transcript)
33
Section Divider
IPS-based NAC

• Powered by TippingPoint Quarantine

We only need to be lucky once. You need to be
lucky every time. The Irish Republican Army
(IRA) to Margaret Thatcher, after a failed
assassination attempt.
34
Three Quarantine Configurations

1. IPS Only
2. IPSSMS
3. IPSSMSNMS

35
Quarantine Configuration 1 IPS Only
Remediation Page
5500 Switch
Internet
Core
TippingPoint IPS
8800 Switch
8800 Switch
1200 Switch
WLANs
Catalyst 6500

• Client authenticates to network
• Malicious traffic blocked by IPS
• IPS performs policy-based thresholding
• Remediation web page sent from IPS to quarantined
  user
• All subsequent outbound traffic blocked by IPS

36
HTTP Redirect
37
Quarantine Configuration 2 IPS SMS
TippingPoint SMS
Radius
5500 Switch
Internet
Core
TippingPoint IPS
8800 Switch
8800 Switch
1200 Switch

1. Client Authenticates via SMS
2. SMS acts as Radius proxy, learning
   MAC/Switch/Port via RADA
3. Malicious activity blocked by IPS
4. Event data sent to SMS
5. SMS performs policy-based thresholding
6. SMS resolves IP to MAC

WLANs
Other Vendors

• MAC Address is placed into a blacklist and policy
  set
• SMS forces re-authentication of compromised
  device
• Device is contained within the set policy at the
  access switch ingress port

38
Quarantine Configuration 3 IPS SMS NMS
TippingPoint SMS
NMS facilitates automatic or manual action
Radius
NMS
5500 Switch
Internet
Core
TippingPoint IPS
8800 Switch
8800 Switch
1200 Switch
WLANs
Other Vendors

1. Client authenticates to network
2. Malicious activity blocked by IPS
3. Event data sent to SMS
4. SMS performs policy-based thresholding
5. SMS sends trap to NMS for administrator and/or
   automated action

39
Wireless Quarantine
Remote Branch
Wireless Controller
Tipping Point IPS
WAN Router
Trusted Client w/ Bad Behavior
WAN
Headquarters
Wireless Controller
Tipping Point IPS
Wireless Quarantine
WAN Router

1. IPS Identifies bad behavior
2. SMS tells RADIUS - block User
3. WX Sends SSID disassociate
4. User rejected re-authentication
5. User sent to remediation page

TP SMS AAA Proxy
Core Switch
Network Core
AAA Server
40
3 Quarantine Configurations
1. IPS Only ? Blocks outgoing malicious traffic? Serves remediation page? Does not prevent intra-segment infection? Does not disconnect user from network
2. IPSSMS ? SMS shuts down port ? MAC-based policy enforcement ? All communication is halted or allowed on Quarantined VLAN only ? Wholly automated solution
3. IPSSMSNMS ? SMS sends SNMP trap to NMS ? Notification of problem and user location ? Allows admin to react or set automated action set through NMS ? Provides additional visibility and flexibility into network activities
41
Quarantine Actions

• Display remediation web page (transparently by
  IPS)
• Block non-HTTP Traffic (at IPS)
• Redirect to a URL (by IPS)
• HTTP 302 or transparent redirect
• IPS provides information to destination web
  server about nature of infection
• Place client in remediation VLAN (Access switch)
• Apply access-list to switch port or router
  (Switch or router)
• Block IP address and or switch port/MAC address
  (block all traffic)
• Works in conjunction with other Quarantine
  Actions
• White list
• Exceptions created for IP addresses or ranges
• Ex. Servers for mission critical applications,
  router and switch IP addresses, the CEOs laptop
  machine, etc.
• Even if a white list is configured, the
  administrator is notified of infected machines
  (logging information) simply no Quarantine
  Action will be enforced
• Internal and External IP addresses
• Different actions based on whether an IP address
  is internal or external
• Ex. External addresses may need to be blocked
  immediately for a period of time such as twelve
  hours, one day, or one week, but not have a
  remediation web page
• Internal IP addresses may need a remediation page
  presented, be blocked on day three, and stay
  blocked for one week

42
Setting a Quarantine Policy
Quarantine Policy Summary Page
43
Advantages of Network-Based Quarantine
Agentless No client software to buy/manage/install Supports all operating systems (Linux, Macintosh) Protects all devices (printers, VoIP phones, Wireless) Guest users not required to conform to new security policy or install client
IPS-based Extends IPS protection to endpoints Signature, protocol, and behavioral protection Continually updated to protect against zero-day threats Prevents malicious activities of internal users
Centrally Managed Flexibility through white lists for VIPs or mission-critical systems Will interoperate with Microsoft NAP Infuses security into the network infrastructure Creates an automated threat elimination system
44
Summary

• The Challenges of NAC Limitations Exploits
• Trends Where is NAC Heading? Yesterday, Today
  Tomorrow
• Intrusion Prevention Systems (IPS) the role of
  the fastest growing security technology in NAC
• Auto-Protecting Networks transform your network
  today
• IPS-based NAC easiest way to deploy NAC and
  prevent network intrusions now and wait for
  NAP/TNC/NAC to stabilize

45
Auto-Protecting NetworksPowered by IPS-Based NAC

• Ken Low CISSP GSLC Security
  Lead, Asia Pacific

46
Section Divider
Case Study
IPS-Based NAC In Action
People in general are not interested in paying
extra for increased safety. At the beginning seat
belts cost 200 and nobody bought them. Gene
Spafford
47
To Be Completed