Transcript Introducing Mirage NAC

Risk Management using Network
Access Control and Endpoint
Control for the Enterprise
Kurtis E. Minder – Mirage Networks
Agenda
Drivers of NAC
Network Design Elements
Key Elements of NAC Solutions




Identify
Assess
Monitor
Mitigate
NAC Business Application
Who is Mirage?
Q&A
2
- CONFIDENTIAL -
Business Needs Drive Security Adoption
3 Ubiquitous Security technologies
 Anti-virus - Business driver: File sharing
 Firewalls - Business driver: Interconnecting networks (i.e. Internet)
 VPNs - Business driver: Remote connectivity
Today’s top security driver - Mobile PCs and devices
 Broadband access is everywhere
 Increased percentage of the time devices spend on unprotected
networks
 Perimeter security is rendered less effective because mobile
devices bypass it and aren’t protected by it
Mobility of IP devices is driving the need for Network
Access Control solutions
 Leading source of network infections
 More unmanaged devices on the network than ever - guest and
personal devices
3
- CONFIDENTIAL -
The Traditional Approach to Network
Security Isn’t Enough
4
- CONFIDENTIAL -
The Problem NAC Should Address
Today, endpoint devices
represent the greatest risk to
network security — by
propagating threats or being
vulnerable to them.
“Because of worms
and other threats,
you can no longer
leave your
networks open to
unscreened
devices and users.
By year-end 2007,
80 percent of
enterprises will
have implemented
network access
control policies and
procedures.”
Infected Devices
propagate threats, resulting
in loss of productivity &
hours of cleanup
Gartner, Protect Your
Resources With a
Network Access
Control Process
Unknown Devices
like home PCs, contractor PCs, &
WiFi phones can introduce new
threats or compromise data security
Out-of-Policy Devices
are more vulnerable to malware
attacks, while running services that
could jeopardize security
5
- CONFIDENTIAL -
The Cost
1 mi2g Intelligence
Unit, Malware
Damage in 2004
2 ICSA Labs, 9th
Annual Computer
Virus Prevalence
Survey
6
- CONFIDENTIAL -
The Problem is Expected to Get Worse
2006 Statistics
Steep increase in the number of software security vulnerabilities
discovered by researchers and actively exploited by criminals
Microsoft Corp issued fixes for 97 (versus 37 in 2005) security holes
assigned "critical" label
14 of of the critical became "zero day" threats.
Experts worry that businesses will be slow to switch to Vista.
Pre-Vista MS Office is expected to remain in widespread use for the next
5-10 years.
Source: Washington Post, Dec 2006, Cyber Crime Hits the Big Time in 2006
7
- CONFIDENTIAL -
NAC Market Expectations
NAC Appliance vendors will sell $660m
worldwide in 2008
NAC Appliances will gain 17% worldwide
share of the NAC market by 2008, up from 6%
in 2005
Research reveals World Network Access
Control (NAC) Products and Architectures
Markets earned revenues of over $85 million
in 2006 and estimates this to reach over $600
million in 2013
Gartner estimates that the NAC market was
$100M in 2006 and will grow by over 100% by
YE 2007
8
- CONFIDENTIAL -
Increasing Number of Targets to Protect
Sans Institute 2006 Top Attack Targets*
Operating Systems
Cross Platform Applications
Internet Explorer
Web Applications
Windows Libraries
Database Software
Microsoft Office
P2P File Sharing Applications
Windows Services
Instant Messaging
Windows Configuration Weaknesses
Media Players
Mac OSX
DNS Servers
Linux Configuration Weaknesses
Backup Software
Network Devices
VoIP Phones & Servers
Network & Other Devices Common
Configuration Weaknesses
Security, Enterprise, and Directory
Management Servers
Security Policy & Personnel
Excessive User Rights & Unauthorized
Devices
Users (Phishing/Spear Phishing)
* SANS Institute Top 20 Internet Security Attack Targets (2006 Annual Update), v7.0, 11.15.06
9
- CONFIDENTIAL -
What Class of NAC Solutions to Deploy?
Don't know, 3%
Pre-admission (at network
connect), 30%
Both, 60%
Post-admission
(continuous monitoring),
7%
Aberdeen Research, 2006
10
- CONFIDENTIAL -
Top Drivers Influencing NAC Solutions
59%
Reduce incidents of malware propagation
Control network access for staff, partners and
contractors
53%
Enforce endpoint software configurations
42%
Enforce security policy compliance
41%
24%
Improve network uptime
Reduce time required to recover from malware
outbreak
22%
Automate remediation of policy / configuration
violations
17%
Improve endpoint visibility
12%
Reduce IT operations cost
12%
11%
Meet regulatory requirements
0%
Aberdeen Research, 2006
10%
20%
30%
40%
% of Respondents
All Respondents
50%
60%
70%
11
- CONFIDENTIAL -
Top Features Required in a NAC Solution
Day zero malware control
37%
Integration with current network infrastructure
34%
30%
Identity-based control
Prevent infection of your endpoints by remote control,…
28%
Ease of management
24%
23%
Network infrastructure independent
Endpoint configuration posture check (continuous/ongoing)
19%
Ease of deployment
17%
Endpoint configuration posture check (on admission)
16%
Redirection of users to remediation resources
14%
Visibility to endpoint threats
14%
Reporting
12%
11%
Scalability / fault tolerance
7%
Threat propagation detection / IDS
6%
Visibility to endpoint configurations
0%
10%
20%
30%
40%
% of Respondents
Aberdeen Research, 2006
All Respondents
12
- CONFIDENTIAL -
Principle Network Design Elements
Network Design Meets Security Design
Multi-layer Switching
 Fundamental to network architecture
 Supplemental to network security
Getting closer to the desktop
 Access switch technologies
 Agent approaches
Virtual Local Area Networks – (VLAN)s
 Network segmentation or security tool?
Appliance or infrastructure?
14
- CONFIDENTIAL -
Network Design Models
15
- CONFIDENTIAL -
Evolution of Network Device
Segmentation – Where is 802.1x Going?
16
- CONFIDENTIAL -
Network Security Design Example
Typical network design
includes security at the
perimeter. This is a
best practice
Also desktop software
may be used to keep
machines clean of virus
and malicious content
This is a typical
network, simplified
17
- CONFIDENTIAL -
Key Elements of NAC Solutions
Common NAC Elements
NAC is an evolving space with evolving capabilities
NAC solution elements - some or all
 Identify - Detect & authenticate new devices
 Assess - Endpoint integrity checks to determine levels of risk and
adherence to security policy
 Monitor - Watch the device’s activity for change of assessed state
with respect to policy and threat status
 Mitigate - Take appropriate action upon any device that is identified
as a security risk by previous three elements
19
- CONFIDENTIAL -
Identify - Find/Authenticate New Devices
Question - How do you know when a new device comes on the
network? Is it a known or unknown device? Is it an authenticated user?
Common approaches
 Leverage 802.1x or network infrastructure OS
• Authenticate through existing EAP infrastructure to pass credentials to
authentication server
 Special purpose DHCP server
• Authentication usually web based and tied to authentication server
 Authentication proxy
• NAC solution serves as a proxy between device and authentication server
 Inline security appliances (i.e. security switches)
• Serve as a proxy between device and authentication server
 Real time network awareness
• Authentication usually web based and tied to authentication server
All approaches trigger off entry on the network by a new IP device
20
- CONFIDENTIAL -
Identify - Pros & Cons of Various
Approaches
802.1x approach
 Pros: Device detected and authenticated prior to IP address assignment
 Cons: Often is a costly and time consuming installation
• Requires switch upgrade/reconfiguration
• Endpoints must be 802.1x enabled - requires supplicant software
• Must create guest/remediation VLANs
Out of band appliances with network awareness
 Pros: Sees all devices as they enter the network both managed and
unmanaged; easier to implement than many of the other approaches
 Cons: May require switch integration for mitigation of problem
Authentication proxy
In-line security appliance/switch
DHCP Lease Quarantine
21
- CONFIDENTIAL -
NAC Design - Proxy
Using proxy technology
to enforce NAC can be
very effective since it
supplies L3-7 visibility
into packet data
It can also be a point of
failure and latency
Downstream traffic may
be missed
22
- CONFIDENTIAL -
NAC Design - Inline
Inline NAC enforcers
effectiveness are
directly impacted by
network placement
Point of failure/latency
possible
Downstream missed
23
- CONFIDENTIAL -
NAC Design – Access Switch
Replacement
Access switch NAC
devices are a viable
solution
L3-7 visibility
Expensive
Not a switch
24
- CONFIDENTIAL -
NAC Design – OOB
Out of band solutions
are ideal for complex
network environments
Supports
heterogeneous
environments
Sees all traffic
May need complex
switch integration
25
- CONFIDENTIAL -
Assess
Assess Endpoint Integrity
Question: Even if a device is allowed on my network, how
do I ensure it meets my security policies and risk
tolerance?
Answer: Endpoint integrity checks
 Operating system identification and validation checks
• Typically requires an agent
• Must establish a policy relating to acceptable patch level (latest patch
on company SMS server, no older than X months, most recent patch
available from software vendor)
• What do you do for unknown devices? Usually requires an agent for
these checks
 Security software checks - AV, personal firewall, spyware, etc.
•
•
•
•
Is it up and running
Is it in the right configuration
Is it up to date - both the software and the database
Usually requires an agent for these checks
27
- CONFIDENTIAL -
Scanning the host…
Client Integrity checks often include:
•
Patch Level
•
Anti-Virus existence and rev. level
•
Anti-Spyware existence and rev. level
•
Personal Firewall enable status
28
- CONFIDENTIAL -
Scanning the host….
Does the device get
network access?
Posture assessment
will determine if high
risk device will get
network access, or
limit access based on
risk level…
29
- CONFIDENTIAL -
Assess Endpoint Integrity cont.
Additional Elements may be required to effectively set and
enforce Network Access Control policy on the network.
Often these components are managed individually.
Elements for endpoint integrity checks
 Network scanning server (Optional)
 Endpoint software - permanent or transient (Optional)
 Policy server (Required) - must have somewhere to define what is
allowed/disallowed
 Switch API
 Etc.
30
- CONFIDENTIAL -
Monitor
Monitoring Post Network Entry
The forgotten element of Network Access Control
 Why is monitoring a critical element of NAC?
• Can’t effectively check for all threats on entry - takes too long
• Security policy state can change post entry - users initiate FTP after
access is granted
• Infection can occur post entry - e-mail and web threats can change
security state of the device
This is critical to network awareness / intelligence
 Monitoring is both for threats and policy adherence - takes
advantage of policy definition of NAC solution
 Works hand in hand with NAC quarantine services
32
- CONFIDENTIAL -
Traditional Approach to Network Security
Traditional Approach
• Firewall/IPS at the Perimeter
• AV, HIDS/HIPS on the Endpoint
External Environment
• New technologies
• New threats
• Regulatory requirements
This approach leaves a soft underbelly through
which unmanaged, out-of-policy and infected
endpoints can easily gain access.
33
- CONFIDENTIAL -
Exploiting the Network’s Weakness
…bringing
Infected
endpoints
businessbypass
to a
the perimeter…
halt
and creating costly
cleanup.
…generating rapidly
propagating threats that
take over a network in
minutes…
34
- CONFIDENTIAL -
Monitoring Approaches
Agent based approaches
 Host Intrusion Prevention Systems
 Personal firewalls
 Both require integration with a network policy server to be an element of
NAC
 Doesn’t cover unknown/unmanaged/unmanageable devices
Network based approaches
 In-line: Typically evolution of IPS vendors into NAC capabilities; also
includes Network Based Anomaly Detection (NBAD) vendors
 Out-of-band: Most commonly NBAD and old Distributed Denial of Service
(DDoS) security vendors
35
- CONFIDENTIAL -
Mitigate
Mitigation Approaches for NAC
Two elements for NAC mitigation
 Quarantine capabilities (required)
• On-entry restrict access for devices not meeting requirements
• Post-entry take a device off the network and send to quarantine zone if
they violate policy or propagate a threat
• Ideally should be able to assign to different quarantine server based on
problem, i.e. registration server for guests, AV scanner for infected
devices, etc.
 Remediation services for identified problems (optional)
• Additional diagnostic tools for deeper checks – Vulnerability scanners
– AV scanners, etc.
• Tools for fixing identified problems
– OS patch links
– AV signature update and malware removal tools
– Registration pages for unknown devices
37
- CONFIDENTIAL -
Quarantine Approaches
Switch integration
 Uses either ACLs or 802.1x
 ACLs - not commonly used because of negative performance impact and access
requirements in the network
 802.1x - forces device to re-authenticate and assigns new VLAN
 Pros: Effective both pre and post admission, uses standards based approach in
802.1x
 Cons: Can negatively impact switch performance; Usually not granular in quarantine
server assignment; If using broadcast quarantine VLAN there is a cross-infection
risk
ARP management
 Pros: No network integration required for full quarantine capabilities; enables
surgical, problem specific quarantine without cross-infection risk; effective both pre
and post admission
 Cons: If implemented improperly network equipment can misidentify this as an
attack and drop this traffic
In-line blocking with web redirect
Proxy with Switch Integration
Agent with Switch Integration
DHCP lease revocation
38
- CONFIDENTIAL -
Business Application of NAC
What is our goal? Protect the triad.
The business goal is to protect CIA.
Confidentiality of Data
 Assurance of data privacy. Only the intended and authorized
recipients: individuals, processes or devices, may read the data.
Integrity of that Data
 Assurance of data non-alteration. Data integrity is having
assurance that the information has not been altered in
transmission, from origin to reception.
Availability of the Data and Critical Business Assets
 Assurance in the timely and reliable access to data services for
authorized users. It ensures that information or resources are
available when required.
40
- CONFIDENTIAL -
How much should be spent?
A security budget should reflect the value of the data you
are protecting.
How much is data worth?
 Network downtime has a cost associated with it
 Data reliability has a value tied to it
Pro-active investigation into network downtime and data
valuation is critical.
 Engage a consulting firm to help with discovery
 Create a process for continued assessment
41
- CONFIDENTIAL -
Network Security GOAL
…to minimize risk on the network with the least amount of
administrative overhead and cost.
Invest in solutions that eliminate the low-hanging fruit
 The bulk of network attacks are opportunistic in nature, eliminate
that risk
Invest in solutions that have future / cost protection
 Solutions that require daily maintenance have many hidden costs
Invest in processes that compliment security infrastructure
 Have threat mitigation and escalation plan
 Consult local law regarding data forensics and legal admissibility
42
- CONFIDENTIAL -
How Does NAC Accomplish the Security
GOAL?
Typical security investments are largely re-active
 Anti-virus relies on signatures and waits for an outbreak to occur to
address the problem
 IDS / IPS monitors traffic and re-actively addresses an outbreak at a choke
point in the network
Most security investments require significant attention to operate effectively or
interfere with user productivity
 IDS/IPS can require daily upkeep to remain effective
 Anti-virus can interfere with desktop applications and cause help-desk
pains
NAC is pro-actively assessing risk and then re-enforcing with real-time
monitoring at the desktop level, sometimes w/o software!
 Some NAC solutions can address the risk management challenge out-ofband, infrastructure independent, software free, etc.
 Behavioral threat assessment can require little or no daily upkeep
 Following posture assessment, high risk devices are kept off the network
completely
43
- CONFIDENTIAL -
Summary
NAC is an evolving technology space
Know what problems are most important to address
 Unknown/unauthenticated user control
 Policy enforcement for endpoints
 Preventing threats on your network
Understand implementation tradeoffs




Quarantine flexibility
Performance impact
Cost of solution
IT effort to implement
Keep track of early evolving standards
44
- CONFIDENTIAL -
About Mirage
Mirage Networks Endpoint Control
Network Access Control
•Comprehensive Endpoint Control
•On-entry Risk Assessment
•Policy Enforcement
•IP Telephony Enabled
•Wireless Support
•Out-of-Band
•Agentless
Policy Enforcement
•Surgical Quarantining
•Customized remediation
•Infrastructure-Independent
•No Network Re-architecture
•Flexible Self-Remediation Options
•ARP Management - No VLAN of Death
Day-Zero Threat Protection
•Patented Behavioral Technology
•No Signatures, No Updates
•Leverages Dark IP Space
•Minimal False Positives
•Customized Policies
•Day Zero
Network Intelligence
•Central Mgmt
•Asset Tracking
•Network Visibility
•Executive Reports
•Cross Network Correlation
•Compliance & Audit Support
46
- CONFIDENTIAL -
Strategic Partners
IBM Internet Security Systems (formerly ISS) has formed an alliance with
Mirage Networks to provide Network Access Control to global enterprise
customers. (Signed November, 2006)
Extreme Networks provides organizations with the resiliency, adaptability
and simplicity required for a truly converged network that supports voice,
video and data over a wired or wireless infrastructure, while delivering
high-performance and advanced security features. (Signed March, 2005)
Mitsui Bussan Secure Directions, a subsidiary of Mitsui & Co., Ltd. - one
of the world’s most diversified and comprehensive trading and services
companies - powers Mirage NAC sales in the Japanese marketplace.
(Signed October, 2004)
AT&T resells Mirage NAC in its managed services portfolio. Marketed as
AT&T Managed IPS™, it represents the AT&T commitment to enabling
business to be conducted effectively, efficiently and securely across both
wired and wireless IP networks. (Signed March, 2005)
Part of the Avaya DevConnect Program, Mirage works with Avaya to
develop world-class interior network defense solutions, particularly for
emerging IP telephony technology.
47
- CONFIDENTIAL -
Selected Customers
Finance
Government
Healthcare
Professional Services
Higher Education
K-12
Manufacturing
Other
48
- CONFIDENTIAL -
Mirage NAC is the Answer
Full Cycle: Pre- and Post-Admission Policy Enforcement
Out of Band Deployment; no latency, switch integration
Infrastructure Independent: All networks, All devices, All OSs
Zero Day protection without signatures
Agentless: Easy to Deploy and Manage
Check on Connect
Pre-Admission
Quarantines without switch integration
Policy
Enforcement
Patented technology
Zero Day
Threat Prevention
Post Admission
49
- CONFIDENTIAL -
Thank You
Kurtis Minder, CISSP - Mirage Networks
Download “Getting the Knack of NAC”, 29 Page Industry
Whitepaper at www.miragenetworks.com