Auto-Protecting Networks
Powered by IPS-Based NAC
Ken Low CISSP GSLC
Security Lead, Asia Pacific
2
Outline
The Challenges of NAC
Trends: Where is NAC Heading?
Intrusion Prevention Systems (IPS)
Auto-Protecting Networks
IPS-based NAC
3
Section Divider
The Challenges
Why Is Software-Based NAC Failing?
If you think technology can solve your security problems, then you don't
understand the problems and you don't understand the technology.
— Bruce Schneier
4
The Problem
> Administrators want to automatically prevent the spread of worms and malicious traffic through their networks
> Most vendors attempt this through host integrity checking via a software agent
> If the host passes a security profile check (updated OS patch level and updated AV signature file), it is allowed onto the network
> Sounds simple enough, but…
All those Agents…
• Spyware / Adware Blockers
• Pop-up Blockers
• Personal Firewalls
• Content Filters
• Antivirus
• Spam Filters
• IPSec Clients
…each on its own release schedule, each with its own licensing to track, across 1,000s of devices (are all covered?)
= Administration Nightmare
5
What we don’t need more of
Client Software Applications:
• Pop Up Blocker
• Spyware / Adware
• Anti-Virus
• Personal FW
• Content Filter
• Spam Filter
• IPSec Client
• Citrix Client
MORE CLIENT SOFTWARE x 1000’s of users = Unmanageable
• OS dependent
• Device dependent
• Updating nightmare
• Disparate solution set
The market does not need another endpoint software security application to purchase, configure, distribute, install, maintain, and manage.
6
Software-based NAC
> Security Agent (SA) is software residing on the host. SA is available in 2 forms:
— As a stand-alone agent
— Included in partners’ AV clients
> SA checks for an updated OS patch level and AV signature on the host, and communicates the host’s profile to a Trusted Agent (TA)
> TA receives policy from the policy server
> If the endpoint fits the security policy, then TA forwards credentials to infrastructure devices
7
How NAC Works
[Diagram: Windows PC running Client AV and/or Security Agent, Trusted Agent on the PC, AAA RADIUS Policy Server, AV Server (optional)]
1: Client AV and/or Security Agent on the Windows PC builds the host profile
2: Passes profile info to the Trusted Agent on the PC
3: Trusted Agent checks the profile against the acceptable policy on the AAA RADIUS Policy Server
4: If acceptable, Trusted Agent instructs the network infrastructure to allow connectivity
8
Why Networks Need Quarantine
[Diagram: Enterprise Network. Perimeter (Internet, FW/VPN, IPS): Secure, attacks blocked. Internal LAN Segment, Wi-Fi LAN Segment and Remote Branch: Vulnerable, attacks enter from LAN endpoints.]
9
NAC Limitations
AAA RADIUS Policy Server:
• Requires infrastructure modification – new AAA server
• Requires manual policy updates
• Only works with limited / proprietary network gear
• Does not support many 3rd party network devices
Trusted Agent on PC:
• Requires additional software clients
Client AV and/or Security Agent:
• Supports all AV products?
• Forces visitors to adopt the new policy or receive a default access policy
Windows PC:
• Excludes Mac, Linux, VoIP, printers, PDAs
10
NAC Failures
[Diagram: Windows PC with Client AV and/or Security Agent, Trusted Agent on PC, AAA RADIUS Policy Server]
Zero-Day Threat with no OS patch or AV signature
11
NAC Failures
[Diagram: Windows PC with Client AV and/or Security Agent, Trusted Agent on PC, AAA RADIUS Policy Server]
DDoS Attack: a malicious user passes the profile check, then launches an attack
12
Enterprise Endpoint Security
> Agent Based
— Similar to NAC, but better
— Works with desktop firewall products e.g. Symantec NAC, InfoExpress
— Agents forward profile info to an assessment server / auth server
> Network Based
— If no agent is present, the endpoint is scanned with VA and OS patch scan tools
— Requires purchase and tuning of scanning for different types of devices: error prone; must create new scan profiles for each type of device; must update policy
— NAC will have this in the Phase 2 release
> Even the network based solution works like an agent based solution, bringing the same complications:
— forcing all nodes to comply with your security profile, which will at some point block authorized users and generate help desk calls
— failing to prevent malicious users who pass a security policy from launching attacks
— failing to provide infrastructure based security mechanisms (i.e. IPS devices to control segments)
— doesn’t verify AV at all, so the network is still vulnerable to all exploits that are not addressed by an OS patch
— doesn’t block zero-day threats
— cannot contain an infection: no behavioral security enforcement
13
Other NAC Problems
Limitations
> “NAC won’t scale” – lots of legacy and even new equipment that don’t support NAC e.g. VoIP phones
> “What is 802.1X?” – many legacy hardware, printers and other devices don’t support the 802.1X protocol to enforce access policies before systems are assigned an IP address
Exploits
> “Attack The Unmanaged Switch” – hackers can find their way into the network by connecting through a switch not supported by NAC
> “Spoofing” – hackers can spoof the MAC and IP addresses of “known” systems that are allowed access
> “Alter Desktop & AV Software” – make infected endpoints appear to be adequately patched and have up-to-date antivirus definitions
> “Attack The Quarantine Network” – introduce a zero-day exploit to quarantined devices, then remediate and control them
14
Section Divider
Trends: Where is NAC
Heading?
A Survey Of The NACscape
15
The NAC Market Yesterday
Proprietary single vendor solutions
Proprietary device support
Limited OS support
Limited AV support
Limited Patch support
Limited network access control policies
Proprietary or limited authentication
support
No or incomplete open standards
16
The NAC Market Today
Client/Server
• Major players: TCG’s TNC, Microsoft’s NAP, Cisco’s Network Admission Control
• Methodology: standards-based (RADIUS / 802.1x)
• Endpoint dependent
• Enforce network access policies
• Limited protection: checks for AV and patches only (vulnerability scans unrealistic)
IPS-Based – AVAILABLE NOW!
• Methodology: clientless & network-based
• Endpoint agnostic
• Enforces network access policies
• Greater protection beyond AV & patches e.g. DDoS, Zero Day Attacks, VoIP, Protocol Attacks, Phishing, Spyware, Instant Messaging etc.
• Ease of installation, admin & maintenance
17
The NAC Market Tomorrow (Future)
> TCG’s TNC open standards gaining support from several partners (ref. Interop NY Aug ’06).
> Microsoft’s NAP will work with Longhorn (Microsoft’s new server OS), available in 6 to 12 months’ time. Extensive support from Microsoft partners.
> Cisco NAC’s proprietary grip will erode, e.g. customers can choose to use the NAP or NAC client in Microsoft’s Vista, and more Cisco products will support TNC, joining other network vendors in the embrace of open standards.
> Within 2 to 3 years, Microsoft’s NAP, TCG’s TNC and Cisco’s NAC will mature and possibly integrate/consolidate into a single solution.
> IPS-based NAC (e.g. TippingPoint Quarantine) will continue to provide more comprehensive & sophisticated protection for networks as an extension of network IPS. There will be more powerful integration between IPS-based NAC and the major NAC schemes.
18
Section Divider
Intrusion Prevention
Systems (IPS)
Stopping The Attack Before It Happens
Securing a computer system has traditionally been a battle of wits: the
penetrator tries to find the holes, and the designer tries to close them.
— M. Gasser
19
Convergence of Network and Security
Security is
embedded in
the network
itself
20
Proactive Defense Through Intelligence and Power
Attacks are detected
and blocked at full
network speed.
TippingPoint IPS
functions as a
“network patch” or
“virtual software patch”
Attacks are stopped before they
can cause damage to your
infrastructure.
21
Closing the Gap with TippingPoint Intrusion Prevention
Panel 1 – applications and operating systems
PROTECTS: Microsoft Applications & Operating Systems • Oracle Applications • Linux O/S • Custom
FROM: Worms/Walk-in Worms • Viruses • Trojans • DDoS Attacks • Internal Attacks • VoIP • Unauthorized Access • Spyware
> Hardware High Performance
> Highly Advanced Prevention Filters
> Constant Update Protection Service
Panel 2 – network infrastructure
PROTECTS: Routers (e.g. Cisco IOS) • Switches • Firewalls (e.g. Netscreen, CheckPoint FW1)
FROM: Worms/Walk-in Worms • Viruses • Trojans • DDoS Attacks • SYN Floods • Traffic Anomalies • VoIP
> 5 Gbps Throughput
> Switch-Like Latency
> 2M Sessions
> 250K Sessions/Second
> Total Flow Inspection
> 64K Rate Shaping Queues
> 10K Parallel Filters
Panel 3 – bandwidth and capacity
PROTECTS: Bandwidth • Server Capacity • Mission-Critical Traffic
FROM: Peer-to-Peer Apps • Unauthorized Instant Messaging • Unauthorized Applications • DDoS Attacks
22
World Class Security Research
The Digital Vaccine service is the most comprehensive, accurate and automatic protection service available.
> Coverage
— Vendors
— Threat organizations
— Independent researchers (ZDI)
— Internal Threat Management Center
> Timeliness
— Weekly filter distribution
— Zero Day Initiative
— Same day Microsoft Tuesday coverage
> Accuracy
— Designed to block
— 5 years of filter writing experience
— No performance degradation
> Extensibility
— Signatures, vulnerabilities, traffic and protocol anomalies
— New Threats: P2P, Instant Messaging, Spyware, Phishing, VOIP
23
Current TippingPoint Product Line
TippingPoint X505 – IPS, Firewall, Bandwidth Mgmt, Content Filtering
TippingPoint 50 – 50 Mbps • 1 Segment • Copper
TippingPoint 200 – 200 Mbps • 2 Segments • Copper
TippingPoint 200E – 200 Mbps • 2 Segments • Copper
TippingPoint 400 – 400 Mbps • 4 Segments • Copper/Fiber
TippingPoint 1200 – 1.2 Gbps • 4 Segments • Copper/Fiber
TippingPoint 2400 – 2 Gbps • 4 Segments • Copper/Fiber
TippingPoint 5000E – 5 Gbps • 4 Segments • Copper/Fiber
TippingPoint SMS – Security Management System
24
World’s Most Awarded IPS – 31 Awards
Best Security
Solution 2005
> TippingPoint IPS Overall Winner in
SC Global Awards
> Over 1,000 products nominated
NSS Gold Award
> TippingPoint’s Intrusion
Prevention System is the FIRST
and ONLY product to win the
coveted NSS Gold Award in the
IPS space.
> The world's leading awards program
for the information security industry
25
Gartner Magic Quadrant Leader
[Gartner Magic Quadrant: 3Com/TippingPoint placed in the Leaders quadrant; axes are Ability to Execute and Completeness of Vision]
26
TippingPoint Market Leadership
[Bar chart: CY05 Worldwide Dedicated IPS Appliance Revenue Market Share. Vendors on the axis: TippingPoint, McAfee, ISS, Juniper, Cisco, Other. TippingPoint 33%; the remaining bars read 17%, 16%, 15%, 12% and 7%.]
“TippingPoint comes out on top; they have an incredibly high percentage of customers running their product not only in-line, but running their default recommended settings of over 800 filters; they have a 33% share in 2005, nearly double that of their next closest competitor.”
Jeff Wilson, Infonetics, May 2006
Source: Infonetics Research Network Intrusion Prevention Market Outlook, May 17, 2006
27
World’s 1st ICSA-Certified Multi-Gigabit Network IPS
[Chart: 17 ICSA Consortium Members; 10 Testing Participants (Confidential); 3 Certified Vendors, certified at 3 Gbps with 84 µsec latency, 350 Mbps with 398 µsec latency, and 100 Mbps with 441 µsec latency]
28
Section Divider
Auto-Protecting Networks
The Future Of NAC Now
The user's going to pick dancing pigs over security every time.
- Bruce Schneier
29
Meanwhile in Dad’s Office .....
Previously
> Son uses Dad’s (CEO) computer in the office to surf the Internet.
> Unknowingly visits a malicious website and is stopped by the company’s new Network Access Control (NAC) system, and the alarms go off.
> Dad walks into the room, finds out what’s happening and smiles at him.
Now
> Son is now in his teens. Son, employees and contractors are using various access devices e.g. PDA phones, Wi-Fi laptops, iPods, laptops etc.
> PDA phone (e.g. Blackberry) infected with a new virus connects to the Wi-Fi network automatically.
> No alarms go off this time; the virus spreads in the network very quickly and the network goes down.
Closing
> Dad doesn’t smile this time, summons his CSO.
> Dad asks, “is everything OK?”
> Everyone smiles and looks at the CSO, who carries a technical manual entitled ....
32
Section Divider
IPS-based NAC
Powered by TippingPoint Quarantine
We only need to be lucky once. You need to be lucky every time.
— The Irish Republican Army (IRA) to Margaret Thatcher,
after a failed assassination attempt.
33
Three Quarantine Configurations
1. IPS Only
2. IPS+SMS
3. IPS+SMS+NMS
34
Quarantine Configuration #1: IPS Only
[Diagram: Internet – Core (8800 Switches) – TippingPoint IPS – 5500 Switch, 1200 Switch, Catalyst 6500 and WLANs at the access layer; Remediation Page served by the IPS]
1. Client authenticates to network
2. Malicious traffic blocked by IPS
3. IPS performs policy-based thresholding
4. Remediation web page sent from IPS to quarantined user
5. All subsequent outbound traffic blocked by IPS
35
HTTP Redirect
36
Quarantine Configuration #2: IPS + SMS
[Diagram: as configuration #1, plus TippingPoint SMS and a RADIUS server; access layer includes 5500 Switch, 1200 Switch, other vendors’ switches and WLANs]
1. Client authenticates via SMS
2. SMS acts as RADIUS proxy, learning MAC/Switch/Port via RADA
3. Malicious activity blocked by IPS
4. Event data sent to SMS
5. SMS performs policy-based thresholding
6. SMS resolves IP to MAC
7. MAC address is placed into a blacklist and policy set
8. SMS forces re-authentication of compromised device
9. Device is contained within the set policy at the access switch ingress port
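The IPS + SMS flow above (steps 1 to 9), as an added example that is not part of the deck and not TippingPoint code: a small Python model of the SMS side. The SMS proxies the RADIUS exchange and learns MAC/switch/port (step 2), learns the IP from accounting, counts IPS events per source until a threshold is crossed (step 5), resolves IP to MAC (step 6), blacklists the MAC (step 7) and forces re-authentication (step 8), after which the next Access-Request is answered with the quarantine VLAN (step 9). The RADIUS attribute names are the standard ones (RFC 2865 Calling-Station-Id, NAS-Identifier, NAS-Port, Framed-IP-Address; RFC 3580 tunnel attributes for VLAN assignment; RFC 5176 Disconnect-Request), but that the SMS uses exactly these, the VLAN numbers, the threshold and the sample exchange are assumptions.

```python
"""Model of Quarantine Configuration #2 (IPS + SMS).

Added example, not TippingPoint's SMS. The RADIUS attributes are standard
(RFC 2865 / 3580 / 5176); their use by the SMS, the VLAN ids and the sample
exchange are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

PRODUCTION_VLAN = "10"    # assumed
QUARANTINE_VLAN = "666"   # assumed remediation VLAN


def normalise_mac(mac: str) -> str:
    """Accept 00-11-22-AA-BB-CC, 0011.22aa.bbcc or 00:11:22:aa:bb:cc; return colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Endpoint:
    mac: str
    switch: str
    port: int
    ip: Optional[str] = None


@dataclass
class SMS:
    threshold: int = 3                               # blocked events before quarantine
    endpoints: dict = field(default_factory=dict)    # mac -> Endpoint (the learned table)
    hits: dict = field(default_factory=dict)         # mac -> blocked-event count
    blacklist: set = field(default_factory=set)      # MACs under quarantine

    def radius_access_request(self, attrs: dict) -> dict:
        """Steps 2 and 9: proxy the Access-Request, learn MAC/switch/port, and
        answer with the VLAN the access switch should put the port in."""
        mac = normalise_mac(attrs["Calling-Station-Id"])
        ep = self.endpoints.setdefault(mac, Endpoint(mac, "", 0))
        ep.switch, ep.port = attrs["NAS-Identifier"], int(attrs["NAS-Port"])
        vlan = QUARANTINE_VLAN if mac in self.blacklist else PRODUCTION_VLAN
        return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                "Tunnel-Private-Group-ID": vlan}

    def radius_accounting(self, attrs: dict) -> None:
        """Learn the IP the MAC is using (Framed-IP-Address in Accounting-Request)."""
        mac = normalise_mac(attrs["Calling-Station-Id"])
        if mac in self.endpoints and "Framed-IP-Address" in attrs:
            self.endpoints[mac].ip = attrs["Framed-IP-Address"]

    def resolve_ip(self, ip: str) -> Optional[Endpoint]:
        """Step 6: IP -> MAC via the learned table."""
        return next((e for e in self.endpoints.values() if e.ip == ip), None)

    def ips_event(self, src_ip: str) -> Optional[str]:
        """Steps 4 to 8: take one blocked-attack event from the IPS.
        Returns the containment action taken, or None if none was needed."""
        ep = self.resolve_ip(src_ip)
        if ep is None:
            return None                              # unknown source: IPS block only
        self.hits[ep.mac] = self.hits.get(ep.mac, 0) + 1
        if ep.mac in self.blacklist or self.hits[ep.mac] < self.threshold:
            return None
        self.blacklist.add(ep.mac)                   # step 7
        # Step 8: force re-authentication, modelled as a RADIUS Disconnect-Request
        # to the access switch (the slide does not say which mechanism the SMS uses).
        return f"Disconnect-Request to {ep.switch} NAS-Port {ep.port} for {ep.mac}"


def demo() -> dict:
    """Constructed exchange: one laptop on access switch acc-1 port 12 trips three filters."""
    sms = SMS(threshold=3)
    first = sms.radius_access_request({"Calling-Station-Id": "00-11-22-AA-BB-CC",
                                       "NAS-Identifier": "acc-1", "NAS-Port": "12"})
    sms.radius_accounting({"Calling-Station-Id": "0011.22aa.bbcc",
                           "Framed-IP-Address": "10.1.1.55"})
    actions = [sms.ips_event("10.1.1.55") for _ in range(3)]
    again = sms.radius_access_request({"Calling-Station-Id": "00:11:22:aa:bb:cc",
                                       "NAS-Identifier": "acc-1", "NAS-Port": "12"})
    return {"first_vlan": first["Tunnel-Private-Group-ID"],
            "actions": actions,
            "reauth_vlan": again["Tunnel-Private-Group-ID"],
            "blacklist": sorted(sms.blacklist)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment key here is the MAC address learned from RADIUS, so the “Spoofing” exploit listed under Other NAC Problems applies to the switch-side policy too; the IPS in the path keeps blocking the malicious traffic itself regardless of which MAC it arrives from, which is the point of layering the two.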
37
Quarantine Configuration #3: IPS + SMS + NMS
[Diagram: as configuration #2, plus an NMS that facilitates automatic or manual action; TippingPoint SMS, RADIUS, Core (8800 Switches), TippingPoint IPS, 5500 Switch, 1200 Switch, other vendors’ switches and WLANs]
1. Client authenticates to network
2. Malicious activity blocked by IPS
3. Event data sent to SMS
4. SMS performs policy-based thresholding
5. SMS sends trap to NMS for administrator and/or automated action
38
Wireless Quarantine
[Diagram: Remote Branch (Wireless Controller, TippingPoint IPS, Trusted Client w/ Bad Behavior, WAN Router) – WAN – Headquarters (WAN Router, Wireless Controller, TippingPoint IPS, Core Switch, Network Core, TP SMS, AAA Proxy, AAA Server)]
1. IPS identifies bad behavior
2. SMS tells RADIUS – block user
3. WX sends SSID disassociate
4. User rejected re-authentication
5. User sent to remediation page
39
3 Quarantine Configurations
1. IPS Only
— Blocks outgoing malicious traffic
— Serves remediation page
— Does not prevent intra-segment infection
— Does not disconnect user from network
2. IPS+SMS
— SMS shuts down port
— MAC-based policy enforcement
— All communication is halted or allowed on Quarantined VLAN only
— Wholly automated solution
3. IPS+SMS+NMS
— SMS sends SNMP trap to NMS
— Notification of problem and user location
— Allows admin to react or set automated action set through NMS
— Provides additional visibility and flexibility into network activities
40
Quarantine Actions
> Display remediation web page (transparently by IPS)
> Block non-HTTP traffic (at IPS)
> Redirect to a URL (by IPS)
— HTTP 302 or transparent redirect
— IPS provides information to the destination web server about the nature of the infection
> Place client in remediation VLAN (access switch)
> Apply access-list to switch port or router (switch or router)
> Block IP address and/or switch port/MAC address (block all traffic)
— Works in conjunction with other Quarantine Actions
> White list
— Exceptions created for IP addresses or ranges
— Ex. servers for mission-critical applications, router and switch IP addresses, the CEO’s laptop, etc.
— Even if a white list is configured, the administrator is notified of infected machines (logging information); simply no Quarantine Action will be enforced
> Internal and External IP addresses
— Different actions based on whether an IP address is internal or external
— Ex. External addresses may need to be blocked immediately for a period of time such as twelve hours, one day, or one week, but not have a remediation web page
— Internal IP addresses may need a remediation page presented, be blocked on day three, and stay blocked for one week
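The white list, internal/external split and redirect described above, as an added Python example that is not part of the deck and not TippingPoint Quarantine code. It turns the slide’s worked policy (white-listed hosts logged only; external addresses blocked for twelve hours with no remediation page; internal addresses given a remediation page first and a one-week block from day three) into a decision function, and builds the HTTP 302 an in-line IPS would return in place of the page a quarantined client asked for. The address ranges, the remediation URL and its query parameters, the timing constants and the sample events are all assumptions.

```python
"""Quarantine Action selection and the 302 redirect to a remediation page.

Added example, not TippingPoint Quarantine code. Address ranges, the
remediation URL and query parameters, timings and sample events are assumed.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import urlencode

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Exceptions (mission-critical servers, router/switch addresses, the CEO's laptop): assumed values.
WHITE_LIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "10.1.1.1/32")]
REMEDIATION_URL = "http://remediation.example.internal/quarantine"   # assumed
EXTERNAL_BLOCK = timedelta(hours=12)
INTERNAL_BLOCK = timedelta(days=7)
INTERNAL_BLOCK_FROM_DAY = 3


@dataclass
class Decision:
    action: str                      # "log", "remediate" or "block"
    until: Optional[datetime]        # expiry of a block, None otherwise
    note: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_white_listed(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITE_LIST)


def decide(ip: str, first_flagged: datetime, now: datetime) -> Decision:
    """Pick the Quarantine Action for a host the IPS has just flagged.
    first_flagged is when this host first crossed the event threshold."""
    if is_white_listed(ip):
        return Decision("log", None, "white-listed: administrator notified, no action enforced")
    if not is_internal(ip):
        return Decision("block", now + EXTERNAL_BLOCK, "external: blocked for 12 hours, no remediation page")
    day = (now - first_flagged).days + 1          # day 1 = the day the host was first flagged
    if day >= INTERNAL_BLOCK_FROM_DAY:
        return Decision("block", now + INTERNAL_BLOCK, f"internal, day {day}: blocked for one week")
    return Decision("remediate", None, f"internal, day {day}: remediation page, non-HTTP traffic blocked")


def redirect_response(client_ip: str, filter_name: str) -> bytes:
    """The HTTP 302 the IPS returns in place of the page a quarantined client asked for.
    The query parameters are an assumed way of telling the remediation server about the infection."""
    location = REMEDIATION_URL + "?" + urlencode({"src": client_ip, "filter": filter_name})
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {location}\r\n"
            "Cache-Control: no-store\r\n"
            "Connection: close\r\n"
            "Content-Length: 0\r\n"
            "\r\n").encode()


def run_sample() -> list:
    """Constructed events (source IP, when first flagged). Returns (ip, action, block hours)."""
    now = datetime(2006, 9, 1, 12, 0)
    events = [
        ("10.0.0.5", now),                         # white-listed server
        ("203.0.113.7", now),                      # external (documentation range)
        ("10.5.5.5", now),                         # internal, first flagged today
        ("10.5.5.9", now - timedelta(days=2)),     # internal, flagged two days ago
    ]
    out = []
    for ip, first in events:
        d = decide(ip, first, now)
        hours = int((d.until - now).total_seconds() // 3600) if d.until else None
        out.append((ip, d.action, hours))
    return out


if __name__ == "__main__":
    for row in run_sample():
        print(row)
    print(redirect_response("10.5.5.5", "Worm.Constructed").decode(), end="")
```

The white-list check runs before anything else so that a flagged mission-critical server is only logged, as the slide requires; the external branch never produces a remediation page because there is no one on the far side to remediate.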
41
Setting a Quarantine Policy
Quarantine Policy Summary Page
42
Advantages of Network-Based Quarantine
Agentless
> No client software to buy/manage/install
> Supports all operating systems (Linux, Macintosh)
> Protects all devices (printers, VoIP phones, wireless)
> Guest users not required to conform to a new security policy or install a client
IPS-based
> Extends IPS protection to endpoints
> Signature, protocol, and behavioral protection
> Continually updated to protect against zero-day threats
> Prevents malicious activities of internal users
Centrally Managed
> Flexibility through white lists for VIPs or mission-critical systems
> Will interoperate with Microsoft NAP
> Infuses security into the network infrastructure
> Creates an automated threat elimination system
43
Summary
 The Challenges of NAC –
Limitations & Exploits
 Trends: Where is NAC Heading?
– Yesterday, Today & Tomorrow
 Intrusion Prevention Systems
(IPS) – the role of the fastest
growing security technology in NAC
 Auto-Protecting Networks –
transform your network today
 IPS-based NAC – the easiest way to deploy NAC and prevent network intrusions now, while waiting for NAP/TNC/NAC to stabilize
44
Auto-Protecting Networks
Powered by IPS-Based NAC
Ken Low CISSP GSLC
Security Lead, Asia Pacific