End Point Seminar 18th June

Transcript End Point Seminar 18th June

access · management
security · performance
Wick Hill Ltd
Value Added Distribution
Check Point End Point
Agenda
• Introductions
• Part 1 : History – End Point Story
• Part 2 : Present – The products right now
• Part 3 : Future – Roadmap
• Lunch
• Go Karting
HISTORY
Brief Product History
• 199X – VPN Clients
  • SecuRemote
  • SecureClient
• 2003 – ZoneAlarm Purchase
  • Integrity
  • Integrity Secure Client
  • Integrity Clientless Security
• 2006 – Pointsec Purchase
  • Pointsec for PC
  • Pointsec Mobile
  • Pointsec Protector
Historic Licensing
• SecuRemote
• SecureClient
• Integrity
• Integrity Desktop
• Integrity Server
• Integrity Secure Client
• Integrity Clientless Security
• Pointsec for PC
• Pointsec Protector
• Reflex Magnetics DiskNet Pro
• Pointsec for MAC
• Pointsec Mobile
• SecureClient Mobile
• SSL Network Extender (SNX)
Confusing Licensing Models
• Bundles of users / Individual
• Need for Server / No server
• Concurrent / Per User
Licensing Simplification
• SecuRemote
• SecureClient
• Integrity
• Integrity Desktop
• Integrity Server
• Integrity Secure Client
• Integrity Clientless Security
• Pointsec for PC
• Pointsec Protector
• Reflex Magnetics DiskNet Pro
• Pointsec for MAC
• Pointsec Mobile
• SecureClient Mobile
• SSL Network Extender (SNX)
Licensing Simplification
• SecuRemote – Now included in GW’s / Appliances
• SecureClient – EPSA
• Integrity – EPSA
• Integrity Desktop – EPSA
• Integrity Server – EPSA
• Integrity Secure Client – EPSA
• Integrity Clientless Security – Connectra
• Pointsec for PC – EP FDE
• Pointsec Protector – EP MEPP
• Reflex Magnetics DiskNet Pro – EP MEPP
• Pointsec for MAC
• Pointsec Mobile
• SecureClient Mobile
• Integrity Clientless Security
• SSL Network Extender (SNX)
New Product Line Up
• EndPoint Security Secure Access
• EndPoint Security Full Disk Encryption
• EndPoint Security Media Encryption
• EndPoint Security Total Security
• SecureClient Mobile
• SSL Network Extender (SNX)
• Pointsec for MAC
Pricelist.CheckPoint.Com
Pointsec Mobile
Secure Access / SNX
Wickhill Can Help!!!!
• End Point Pricing Calculator
End Point Secure Access
• Product Features
  • Client Firewall
  • Program Control
  • Anti-Virus
  • Anti-Spyware
  • Network Access Control
  • IPSEC VPN
  • Enforcement
  • Client IPS
End Point FDE / MEPP
• Product Features
  • Full Disk Encryption Client
  • Device Control
  • Media Encryption
Product Installation / Management
• End Point Secure Access
  • Server / Client
  • Server Integrated with SmartCentre
• End Point Media Encryption
  • Server / Client
• End Point Full Disk Encryption
  • Client / UNC Path for Central Management
Product Walkthrough
DEMO
PRESENT
End Point Secure Access
• Policy Enforcement Options
  • User-based Policies
    • LDAP
    • RADIUS
    • NTLM
  • IP-based Policies
    • Ranges
    • Subnets
  • Co-operative Enforcement with
    • Interspect
    • Cisco VPN3000 Concentrator
    • Nortel Contivity VPN
    • CheckPoint VPN-1 Gateway
    • 802.1x
802.1x
• IEEE 802.1X / IETF Standards Track (RFC 2284)
• Improves the PPP authentication process
• Addresses security gaps in WiFi/WLAN deployments
Standard EAP Session
[Sequence diagram: Supplicant – Access Point – RADIUS Server – Enterprise Network]
1. Supplicant → Access Point: EAP Start (start EAP authentication)
2. Access Point → Supplicant: EAP Request/ID (ask client for identity)
3. Supplicant → Access Point: EAP Response/ID (UserID)
4. Access Point → RADIUS Server: RADIUS Access Request w/ UserID
5. RADIUS Server → Access Point: RADIUS Access Challenge: EAP
6. Access Point → Supplicant: EAP Request/Challenge
7. Supplicant → Access Point: EAP Response/Password
8. Access Point → RADIUS Server: RADIUS Reply/Challenge (perform EAP sequence: MD5, TLS, PEAP)
9. RADIUS Server → Access Point: RADIUS Access: Accept, OR RADIUS Access: Restrict
10. Access Point → Supplicant: EAP Success, OR EAP Success (restricted access)
Check Point EAP Integration
[Sequence diagram: Supplicant – Access Point – RADIUS “Proxy” – RADIUS Server – Integrity Server – Enterprise Network. Legend: new components or data extensions vs. EAP existing standard]
• Standard EAP session (as on the previous slide), passed through the RADIUS Proxy
• New data extension: EAP Request/Challenge: ZLX ↔ RADIUS Access Challenge: EAP ZLX
• EAP Response/ZLX (policy) ↔ RADIUS Reply/ZLX (policy)
• RADIUS Proxy → Integrity Server: Policy Query / Policy Lookup
• RADIUS Server → Proxy: RADIUS Access: Accept; Proxy Accept (success) → EAP Success
• RADIUS Access: Restrict (failure) → EAP Success (restricted access)
• Reject
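A simplified model of the exchange on the two EAP slides, written as an added example (not Check Point's or Wick Hill's code): the RADIUS proxy runs the standard EAP credential check, adds the ZLX policy challenge, asks the Integrity Server for the endpoint's posture, and maps the answer to Accept, Restrict or Reject. The user table, posture table and state machine are assumptions made for illustration.

```python
# Simplified model of the Check Point EAP integration slide. Message names
# follow the slide; the credential/posture tables and the decision logic are
# assumptions for this example, not Check Point's implementation.
from dataclasses import dataclass, field

# Constructed sample data: what the RADIUS server and Integrity Server know.
RADIUS_USERS = {"jsmith": "correct-horse", "guest": "guest"}
INTEGRITY_POLICY = {"PC-JSMITH": "compliant", "PC-GUEST": "non-compliant"}


@dataclass
class Session:
    user: str
    password: str
    endpoint: str
    log: list = field(default_factory=list)   # message trace for the reader


def radius_auth(user, password):
    """RADIUS Server: standard EAP credential check (existing standard)."""
    return RADIUS_USERS.get(user) == password


def integrity_lookup(endpoint):
    """Integrity Server: Policy Lookup answering the proxy's Policy Query."""
    return INTEGRITY_POLICY.get(endpoint, "unknown")


def radius_proxy(s: Session):
    """RADIUS Proxy: run the standard EAP session, then the ZLX extension."""
    s.log += ["EAP Start", "EAP Request/ID", f"EAP Response/ID ({s.user})",
              "RADIUS Access Request", "EAP Request/Challenge",
              "EAP Response/Password"]
    if not radius_auth(s.user, s.password):
        s.log.append("Reject")                 # bad credentials: no ZLX step
        return "Reject"
    # New data extension: policy challenge carried inside EAP/RADIUS.
    s.log += ["EAP Request/Challenge: ZLX", "EAP Response/ZLX (policy)",
              "Policy Query -> Integrity Server"]
    posture = integrity_lookup(s.endpoint)
    s.log.append(f"Policy Lookup: {posture}")
    if posture == "compliant":
        s.log += ["RADIUS Access: Accept", "Proxy Accept", "EAP Success"]
        return "Accept"
    # Authenticated but non-compliant or unknown endpoint: restricted access
    # (the VLAN steering case) rather than full access or a hard reject.
    s.log += ["RADIUS Access: Restrict", "EAP Success (restricted access)"]
    return "Restrict"
```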
NAC is Here to
• Enforce identity-based access policies
• Control who is accessing what
• Prevent guests from unauthorized access
• Allow demonstrable compliance with a growing body of regulatory requirements
• Mitigate the risks of endpoint-borne attacks
• Check endpoint compliance as a precondition for network access
• Quarantine and remediate non-compliant endpoints
• Monitor devices connected on the network
• Protect against attacks on critical resources
Context: NAC and “The disappearing perimeter”
[Diagram: Internet – Partner and Employee access – Internal Access Network – DMZ – Internal Applications (Finance, Sales, Database, Exchange Servers) – Employee Wireless – Partner segment]
• Flat networks are gone. Networks are becoming functionally segmented
• Access controls are being deployed between segments
• NAC brings identity and compliance awareness into segmentation and access control
Network Access Confusion
• NAC has been over-hyped! Now we’re in the “trough of disillusionment”
• The rate of pilot-to-production is very low (and these pilots don’t come cheap!)
• The initial promise of “clientless NAC” is proving to be a mirage
• Standards are slow to take hold
• In the meantime Cisco – NAC’s largest promoter – markets the “Self Defending Network” but sells only a proprietary, 802.1x-incompatible, SW-based “NAC appliance”
Simplifying NAC
Prediction: NAC is young. You won’t see a one-size-fits-all solution in 2008
• Get your feet wet with limited NAC deployments
• Define a reasonable life span for your pending NAC projects
• Define attainable security objectives
• Leverage existing investments
Check Point NAC – Leveraging Existing Investment
[Timeline: 199x, 2002, 2003, 2004, 2005, 2007, 2008]
• 1999 – SecureClient SCV (desktop configuration verification)
• Identity-aware firewall in VPN-1
• Integrity Client Network Access Control (Client Self-Enforcement)
• Integrity & VPN Gateway Access Control Integration (CP Endpoint Security and Cisco VPN Gateways)
• Integrity/802.1x LAN Access Control Integration
• Founding Member of Trusted Network Connect (TNC) Initiative
• Clientless Security for Enforcement of Unmanaged PCs
• Cooperative Enforcement with Connectra
• Secure Automated Remediation
• Cooperative Enforcement with VPN-1 Edge (802.1x)
• Unified Management of NAC, Endpoint, and Network Security Infrastructure
• Enforcement with Intel AMT
• 2008 – CP EPS with VPN-1 UTM/Power
You can do it today with Endpoint Security
• Secure Employee Access with:
  • Endpoint Security Self-Enforcement
  • 802.1x support for VLAN steering
  • Cooperative Enforcement for VPN-1 and UTM-1
  • All transparent to users!
• Use Connectra portal for Guest/Partner access
  – Endpoint Security On-Demand (ICS) provides posture checking
  – For partners seeking access to internal applications, Check Point Secure Workspace provides a sanitized virtual platform the organization can trust
  – Use SNX to deliver applications to partners, when needed
Gateway (Firewall) Enforcement
[Diagram: Internet – Perimeter Firewall – Web Server Pool – Corporate Network containing the R65 Firewall, EPS 7 Server, LDAP Directory, HR Database and Finance Database]
1. Client initiates connection to HR resource
2. Gateway asks EPS server if endpoint is known and in compliance
3. EPS 7.0 Server checks for policy for AD\jsmith
4. Gateway implements compliant user firewall rules
5. User has access to HR database but cannot even ping Finance servers (invisible to end user)
• No need to do printer exceptions
• No need to do VoIP phone exceptions
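The five-step flow above, as an added example (not Check Point's code): the gateway queries an EPS-style policy store for the user, installs per-user accept rules only when the endpoint is known and compliant, and evaluates traffic with default deny, so the HR user reaches the HR database but not Finance. The policy table, group-to-subnet mapping and rule format are assumptions for illustration.

```python
# Simplified model of gateway (firewall) enforcement driven by an EPS check.
# Data, rule format and the EPS answer shape are assumptions for this example.
from ipaddress import ip_address, ip_network

# Constructed sample data: per-user EPS policy and per-group resources.
EPS_POLICY = {
    "AD\\jsmith": {"compliant": True, "group": "HR"},
    "AD\\guest": {"compliant": False, "group": "HR"},   # known, non-compliant
}
GROUP_RESOURCES = {
    "HR": [("HR Database", ip_network("10.1.10.0/24"))],
    "Finance": [("Finance Database", ip_network("10.1.20.0/24"))],
}


def eps_check(user):
    """Step 2/3: EPS server answer as (known, compliant, group)."""
    entry = EPS_POLICY.get(user)
    if entry is None:
        return (False, False, None)
    return (True, entry["compliant"], entry["group"])


def build_user_rules(user, client_ip):
    """Step 4: derive the firewall rules to install for this user/endpoint."""
    known, compliant, group = eps_check(user)
    if not (known and compliant):
        return []            # nothing installed; default deny stays in force
    src = ip_address(client_ip)
    return [(src, net, "accept") for _, net in GROUP_RESOURCES.get(group, [])]


def gateway_allows(rules, src_ip, dst_ip):
    """Step 5: default-deny evaluation of the installed per-user rules."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    return any(src == r_src and dst in r_net and action == "accept"
               for r_src, r_net, action in rules)
```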
NAC Demo