Cisco Network Admission Control


Security Strategy Update
Self Defending Network Initiative
Network Admission Control
February 5, 2004
Tempe, Arizona
8426_07_2003_Richardson_c11
© 2003, Cisco Systems, Inc. All rights reserved.
Security Paradigm is Changing
The burden on StateNet’s members to secure all aspects of the network and business is rapidly growing heavier:
- Assessing Security Risks
- Defining & Authoring Security Policy
- Designing & Implementing Security Infrastructure
- Enforcement of Security Policy
Self Defending Network Initiative (SDNI) will result in the network making intelligent admission and defense decisions while helping to enforce security policy compliance.

Threat Evolution
[Chart: target and scope of damage against time to impact, by threat generation. Vertical axis, Target and Scope of Damage: Individual Computer, Individual Networks, Multiple Networks, Regional Networks, Global Infrastructure Impact. Time to impact shrinks from Weeks to Days to Minutes to Seconds, and the matching defensive response moves from Point Products to Integrated Security to a Self Defending Network.]
1st Gen (1980s)
• Boot viruses
2nd Gen (1990s)
• Macro viruses
• Email
• DoS
• Limited hacking
3rd Gen (Today)
• Network DoS
• Blended threat (worm + virus + trojan)
• Turbo worms
• Widespread system hacking
Next Gen (Future)
• Infrastructure hacking
• Flash threats
• Massive worm driven DDoS
• Damaging payload viruses and worms

Cisco’s Security Vision
Multi-phased initiative to dramatically improve the network’s ability to identify, prevent, and adapt to threats.
[Diagram: three pillars, Integrated Security, Industry Collaboration and System Level Solution, supporting an end-to-end solution that dynamically identifies, prevents, and responds to threats. Components shown: Secure Connectivity, Threat Defense, Trust and Identity, and the Network Admission Control Program.]

Cisco Network Admission Control (NAC)
• Cisco Network Admission Control (NAC) is a Cisco-led industry program focused on limiting damage from emerging security threats such as viruses and worms
• NAC is a significant step forward in security policy compliance and enforcement
• With NAC, customers can allow network access only to compliant and trusted endpoint devices (e.g. PCs, servers, PDAs) and can restrict the access of non-compliant devices
• Initial NAC co-sponsors include Network Associates, Symantec, and Trend Micro
• NAC is the first phase of the Cisco Self-Defending Network Initiative
• These efforts are designed to dramatically improve the ability of networks to identify, prevent, and adapt to threats

Cisco NAC Solution Overview
NAC Solution: Leverage the network to intelligently enforce access privileges based on endpoint security posture. The Cisco network helps force corporate security compliance.
NAC Characteristics:
• Ubiquitous solution for all connection methods
• Validates all endpoints/hosts
• Deployment scalability
• Quarantine & remediation services
• Leverages customer investments in Cisco network and AV solutions
[Diagram: admission flow. An endpoint attempting network access runs the Cisco Trust Agent, which presents its credentials to the Network Access Device (the enforcement point). The Network Access Device relays the credentials over RADIUS to the policy server decision points: the Cisco Secure ACS policy (AAA) server, which passes the AV credentials to the AV vendor server for a "Comply?" verdict. Access rights are returned to the Network Access Device and a notification is returned toward the endpoint.]
NAC enforces the security policies as defined on the ACS by the user. It does not author the policies.

Cisco Network Admission Control (NAC)
[Diagram: the four NAC roles and their responsibilities.]
• Endpoints attempting network access, running an AntiVirus client, the Cisco Security Agent and the Cisco Trust Agent: Security Credential Checking
• Cisco Network Access Device: Security Policy Enforcement (permit, deny, quarantine, restrict)
• Cisco Secure ACS Policy/AAA RADIUS Server: Security Policy Creation
• AV Vendor Policy Server: AV Policy Evaluation
NAC is not yet shipping. The Cisco Business Unit is still determining how we will license and charge for NAC on the access devices. It is expected the end-point Trust Agent will be free.
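To make the decision flow in the two diagrams above concrete, the following Python is an added worked example; it is not Cisco code and does not reproduce the real Trust Agent, ACS or RADIUS message formats. It models the four roles named on this slide: an endpoint reports posture credentials, the network access device forwards them, a stand-in ACS decision point consults a stand-in AV vendor policy evaluation, and the resulting permit/restrict/quarantine/deny decision is mapped to the access rights the access device would apply. The field names, the 14-day signature-age threshold, the ACL names and the choice to deny an endpoint whose signature date lies in the future are all assumptions made for illustration.

```python
"""Toy NAC-style admission decision: endpoint -> access device -> ACS -> AV policy server.

Added example, not Cisco code. Field names, thresholds and ACL names are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

PERMIT, RESTRICT, QUARANTINE, DENY = "permit", "restrict", "quarantine", "deny"


@dataclass(frozen=True)
class Posture:
    """Credentials an endpoint agent reports (constructed fields, not the real agent schema)."""
    trust_agent: bool                    # agent present and answering the access device
    av_vendor: Optional[str] = None      # AV product vendor, e.g. "Symantec"
    av_dat_date: Optional[date] = None   # date of the AV signature (DAT) file
    av_realtime_on: bool = False         # on-access scanning enabled
    csa_running: bool = False            # Cisco Security Agent running


@dataclass(frozen=True)
class Policy:
    """Policy authored by the administrator on the ACS; NAC enforces it, it does not author it."""
    today: date
    approved_vendors: frozenset
    max_dat_age_days: int = 14           # assumed threshold
    require_csa: bool = True


def av_vendor_evaluate(p: Posture, policy: Policy) -> str:
    """Stand-in for the AV vendor policy server: judges only the AV credential."""
    if p.av_vendor is None or p.av_dat_date is None:
        return QUARANTINE                # no AV reported: send to remediation
    if p.av_dat_date > policy.today:
        return DENY                      # implausible credential: treated as untrustworthy (design choice)
    if p.av_vendor not in policy.approved_vendors:
        return QUARANTINE                # unapproved product
    if (policy.today - p.av_dat_date).days > policy.max_dat_age_days:
        return QUARANTINE                # stale signatures
    if not p.av_realtime_on:
        return QUARANTINE                # scanner installed but not protecting
    return PERMIT


def acs_decide(p: Posture, policy: Policy) -> str:
    """Stand-in for the ACS decision point: agent presence, then AV verdict, then the CSA rule."""
    if not p.trust_agent:
        return RESTRICT                  # agentless host cannot be validated, so limited access only
    verdict = av_vendor_evaluate(p, policy)
    if verdict != PERMIT:
        return verdict
    if policy.require_csa and not p.csa_running:
        return QUARANTINE
    return PERMIT


# Access rights the access device applies per decision. Placeholder ACL names, not real IOS config.
ACCESS_RIGHTS: Dict[str, str] = {
    PERMIT: "ACL-FULL-ACCESS",
    RESTRICT: "ACL-INTERNET-ONLY",
    QUARANTINE: "ACL-REMEDIATION-SERVERS-ONLY",
    DENY: "ACL-DROP-ALL",
}


def admission_exchange(p: Posture, policy: Policy) -> Dict[str, str]:
    """One end-to-end pass: credentials in, decision and access rights back to the access device."""
    decision = acs_decide(p, policy)
    return {"decision": decision, "access_rights": ACCESS_RIGHTS[decision]}


# Constructed policy and sample endpoints (the date is the presentation date, used as "today").
POLICY = Policy(today=date(2004, 2, 5),
                approved_vendors=frozenset({"Network Associates", "Symantec", "Trend Micro"}))
ENDPOINTS: Dict[str, Posture] = {
    "healthy-laptop": Posture(True, "Symantec", date(2004, 2, 3), True, True),
    "stale-signatures": Posture(True, "Trend Micro", date(2004, 1, 1), True, True),
    "no-csa": Posture(True, "Network Associates", date(2004, 2, 4), True, False),
    "agentless-printer": Posture(False),
    "future-dated-signatures": Posture(True, "Symantec", date(2004, 3, 1), True, True),
}


def run_all(policy: Policy = POLICY, endpoints: Dict[str, Posture] = ENDPOINTS) -> Dict[str, str]:
    """Decision per endpoint name."""
    return {name: admission_exchange(p, policy)["decision"] for name, p in endpoints.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:26s} -> {result:10s} {ACCESS_RIGHTS[result]}")
```

The separation the slide draws is the point of the structure: the Policy object is authored once on the ACS, the decision points evaluate it, and the access device only applies the access rights it is handed, which is why quarantine and restrict are distinct outcomes rather than a single block.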
Phase 1 Deployment Scenarios
Router-Based compliance enforcement
[Diagram labels: Main Office, Branch Office, Private WAN, VPN Edge, Data Center, AAA & AV Svrs, Users, Internet, Internet Edge, Lab, Partner, Partner WAN, Extranet Edge.]
• Branch office compliance: focus first on less trusted/managed offices
• Extranet compliance: partner hosts are patched and comply
• Internet compliance: ensure hosts are hardened prior to browsing
• Lab compliance: production network access only for compliant devices
• Data center protection: devices accessing protected servers must comply

NAC Schedule (best efforts to accelerate)
Phases: Phase 1 (Q2 CY04), Phase 2 (2H CY04), Phase 3 (TBD). Each row below lists its entries in phase order.
Network Devices: IOS Routers 17xx – 72xx; Switches; Wireless Access Points; Security Devices; VPN Concentrators
Cisco Trust Agent Support: Windows NT, 2000, XP; Windows 2003; Red Hat Linux; Solaris; IP Phones; Cisco Appliances; MAC OS, HPUX, AIX
Industry Partners: AV Vendors; OS Vendors; Mgmt Vendors
Device Communications: Layer 3 EAP/UDP; Layer 2 EAP/802.1x; Broad Vendor Support HTTP/SSL?
VPN Management System (VMS) will configure the NAC settings across access devices en masse.
Secure Information Management System (SIMS) will be the management tool for reporting and monitoring. A “SIMS Lite” is being considered for small to medium customers.
There are third party management software companies writing to NAC, so there will be options.

Cisco Integrated Security Portfolio
[Diagram: the portfolio layered as Management and Analysis, Complete Coverage, Flexible Deployment, Security Services, and Secure Infrastructure.]
Management and Analysis:
• Centralized security management
• Security policy, security event monitoring and analysis
• Threat validation and investigation
• Embedded device management
Complete Coverage: protecting desktops, servers and networks
Advanced Security Services: Security Appliances, VPN / SSL, Switches, Firewall, Routers, IDS, Identity, Security Software, Behavior
Secure Infrastructure: Device Authentication, Port Level Security, Secure and Trusted Devices, Secure Access, Transport Security

Summary Statement
Industry collaboration in support of Cisco’s Self Defending Network Initiative will result in the network making intelligent admission and defense decisions while helping to enforce security policy compliance.
Thank you for your time.