First Generation NAC – Very Complex, Insecure, Expensive


Introducing Next Generation (NG) Network Access Control (NAC)
“NetClarity is Changing The Game for SMB Security” – Golden Bridge Award, 2011
Network Security from the Inside-Out, Not the Outside-In…
Copyright © 2011, NetClarity, Inc. All rights reserved worldwide. Patents issued and pending.
Company Confidential
Every Network is Only 5% Secure.
Here’s why…
Your Network Security Castle – Looking Outside-In…
“over 80% of successful exploitation happens from the inside, behind the firewall” - SANS.org
You are only 5% secure…Most Risk is Internal!
• You invested in firewalls, anti-virus and intrusion prevention to protect your network from the outside-in.
• Today, most threats happen from the inside-out.
• NACwalls®: Our Next Generation Network Access Control Solutions provide cost effective Inside-Out Network Security™
You are the target…Hackers shift attacks to SMBs
One Breach Could Put You Out of Business!
In this case, “the smaller you are, the harder you fall.”
Top security experts believe that this is an explosive trend.
See: www.privacyrights.org
Fact: Everyone can be exploited internally!
All of our internal systems have holes!
(also known as common vulnerabilities and exposures - CVEs)
According to the USCERT, SANS, FBI and MITRE, over 95% of security breaches are a direct result of exploiting a Common Vulnerability and Exposure (CVE®).
[Chart: Vulnerability Growth Rate. Y-axis: Total Vulns (0 to 40000); X-axis: Year (2003 to 2009). See: http://nvd.nist.gov]
80% of all successful attacks occur from the inside (malicious insider, rogue wireless, the ‘cleaning company’ tapping of your network with an unknown and untrusted laptop)
Fact: Exponential Growth of Malware Propagation Internally!
http://www.virusbtn.com
Your favorite anti-virus program catches no more than 70-90% of malware!
We agent-lessly catch the new zero-day malware that they miss!
So what is the solution?
Inside-Out Network Security™…is the solution!
Inside-out Network Security™ is about…
1. Dramatically Reducing your Internal Risk
2. Helping you Harden Your Internal Systems
3. Controlling Who Gets On Your Network
4. Stopping Malicious Insiders, Criminals and Malware
5. Documenting Regulatory Compliance in the Protection of Customer Records (PII), Internally
Inside-Out Network Security™: Managing Internal Risk
Risk = Threats x Vulnerabilities x Assets
• PATENTED agent-less detection, alerting, documenting and controlling:
• Internal Threats
  – Zero-day “new” Malware
  – Untrusted and Guest Access
  – Malicious Insiders
• Internal Vulnerabilities
  – Finds all major CVE®s in all network attached devices; includes holes in wireless, firewalls, VoIP, desktops, servers, laptops, PDAs, iTouch, iPhone, BlackBerry, etc.
  – Differential Audits – Proving Due Care and Due Diligence
• Internal Assets
  – Creating USER/IP/MAC/HOST/OS “USER/DEVICE FINGERPRINT”
  – Capturing Untrusted Assets and Quarantining them
  – Blocking assets and moving assets agentlessly across VLANs
NACwalls: Inside-Out Network Security™ Appliances
From the Smallest NAC Appliances in the world to the most scalable Enterprise Appliances with a built-in Command Center
1. Harden your network from the inside-out: Find all your network holes (CVE®s) on the inside of your network and show you how to fix them.
2. If you trust someone but their device is infected with new (zero-day) malware, we’ll stop it from affecting anyone else, automatically.
3. Control access by any and all types of devices – if you don’t want them on the network, they don’t get on the network.
NACwalls: Agent-lessly Helping Protect All Endpoints
Endpoint Protection
NACwalls augment your existing endpoint security methods such as patch, firewall and antivirus by going after root cause and new problems they don’t catch including:
• Fingerprinting all endpoints on the network and blocking those that don’t belong on the network or are trusted but on the wrong VLAN
• Finding all CVEs (holes) after latest patches, to help harden systems against exploitation.
• Blocking New (zero-day) Malware propagation and taking infected systems offline.
Endpoint Protection – CVE Auditing
Endpoint Protection – Zero-day Malware
How do you keep it up to date with the latest threats, exploitable holes and new types of devices?
NACwall Next Gen Cloud Updates Services
Threat Service: Zero-day malware heuristics are updated several times per day.
Vulnerability Service: Common Vulnerabilities and Exposures (CVE) tests are updated daily.
Assets Fingerprint Service: Network Asset signatures are updated as necessary to help control access and identify newly manufactured IP devices.
(Remember the Risk Formula…. Risk = Threats x Vulnerabilities x Assets)
Firmware Update Service: Provides firmware updates for new features and bug fixes.
What do Analysts, Customers and Independent Labs Have to Say About It?
Next Generation NAC, According to Gartner…
“When evaluating NAC solutions, look for vendors that understand the consumerization trend and support, or have plans to support, policies for managing the non-Microsoft endpoints that will inevitably attempt to connect to your network….
NetClarity is the vendor that targets SMBs and can manage all endpoints. Its family of NACwall appliances use an agentless (no additional software on the PCs) approach to baseline the health of the endpoints. NACwalls are deployed out of band in LANs, so they install easily and are not in the line of traffic…”
Gartner NAC Report, 2010
Sample Customer Testimonial
“We were so impressed with NetClarity’s NACwall Next Gen appliances that we chose them over all the big brand name 1G NAC vendors.”
Mr. Fahd M. Al-Ghamdi - Infrastructure Services Section Head, Saudi International Petrochemical Company (www.sipchem.com).
Deployment: 16 remote offices, H.Q., Datacenter
Deployment Time: 1 week
2 Enterprise 100 with Command Center, 16 Branch Pro Units
Savings over competitive quotes: $2M USD, infrastructure upgrades and 6 months to deploy
More testimonials across all major verticals: http://www.netclarity.net/testimonials.html
Education, Health Care, Financial, Government, Power, Transportation, Retail
Sample Awards…
“Most Innovative New Security Product for 2011”
“NetClarity – Who’s Who of NAC”
- Channel Reseller News (CRN.com)
- Awarded during RSA 2011 by InfoSec Products Guide
…and many more…
…and many more…
“NetClarity Picks Up Where Firewalls, Anti-virus, Intrusion Detection Systems and Intrusion Prevention Systems Leave Off”
– John Gallant, President, Network World
“The only Next Gen. NAC solution to be integrated with RSA enVision® for enterprise-wide internal risk management”
– Apurva More, RSA Secured Program Manager
“The Most Innovative NAC Vendor in the World”
– Network Products Guide, Hot Companies, 2009, 2010, 2011
Can it really be that easy to setup and deploy? (15 minute challenge…)
“Live” Next Generation NAC Demo
Initial Setup in 15 Minutes to an Hour!
NACwall Advantages
• Instantly Stops Criminals and New Malware Attacks
• No Network Infrastructure Upgrades Necessary
• Non-inline and Agentless (no client software necessary)
• Works with All Operating Systems and Attached Devices
• From Gas Pumps, to Barcode Scanners to VoiP Phones, Droids, Blackberries, iTouches, iPhones to Desktops, Laptops, Netbooks and Critical Servers
• Easily Secures Both Wired and Wireless Networks
• Fits in your Closet, on your Rack and within your Budget.
Can it scale to fit my needs? (and my budget)
Introducing the Nano: Game Changing!
• External 60 watt power adapter, 100-240VAC
• More than 150GB of available Storage for logs and reports
• Low heat, low power design, 1.5GHz dual core processor
• Two 10/100/1000 Ethernet Connections
• Weighs only 5 lbs and fits on any wall
• Internationally Certified: CEC, RoHS, IEC320, C14, C8, C6, UL/CUL UL60065, UL60950, TUV/GS EN/IEC 6065, EN/IEC 60950
Let’s compare Nano to other NAC solutions…
Branch Office NAC Functionality | NACwall NANO | ALL OTHER NAC SOLUTIONS
Works across all hubs and unmanaged switches | YES | NO
Can be managed no matter where it is located in the world, securely through SSL over the public internet | YES | NO
Protects all Cisco and other vendor VoIP Phones and VoiP Gateways | YES | NO
Works with old Cisco Catalysts and all other major vendor switches, automatically | YES | NO
Protects Cisco wireless controllers and access points and all other major wireless equipment | YES | NO
Audits all Cisco, Microsoft and non-Windows equipment for CVEs (holes), agentlessly and shows how to remediate, with daily updates | YES | NO
Average Cost and Time required to Deploy Per Branch office of 10-25 employees including setup, support, consulting, etc. | Under $2,000 USD and 15 minutes | $120,000 USD and two weeks
Enterprise Appliances Manage Nanos…
Configurations: Nano to Branch to Enterprise
Model | Nano 25, 100 | Branch Pro | Enterprise 10 | Enterprise 100 | Enterprise 250
Form Factor | wallmountable | 1u rack mount | 1u rackmount | 1u rackmount | 1u rackmount
Setup Time | 15 minutes or less | 30 minutes | under an hour | 1-2 hours | 2-4 hours
Controllable Units | N/A | N/A | up to 10 remote | up to 100 remote | Up to 250 remote
*Protected Nodes | 25 or 100 | 500 | 1000 | 1500 | 2000
802.1q Tagged VLANs | 10 VLANs | 20 VLANs | 40 VLANs | 60 VLANs | 80 VLANs
Storage for Logs | 150 GB | 250 GB | 500 GB | 500 GB | 1000 GB (1 TB)
Ethernet Ports | 2 | 2 | 4 | 6 | 8

[Feature rows, each marked YES or NO per model on the slide; the per-model marks are not recoverable in order from this transcript: Agent-less NAC; Agent-less CVE® Audits; Agent-less Malware Blocking; Agent-less Active Directory (AD) Support; Auto Device Discovery; Inventory Alerting; MAC Spoof Detection; MAC & IP Spoof Block; ISO 27001 Policy Tools; Multiple User Logins; Workflow Engine; Compliance Reports; Command Center; Manageable]
Next Steps?
Questions?
Thank you.
CHANNEL SUPPORT:
USA/INTERNATIONAL:
[email protected]
EUROPE:
[email protected]
ASIA:
[email protected]
DIRECT ACCESS
TO OUR CEO:
[email protected]