2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential.

Cisco Network Admission Control Management
Network Access Control (NAC)

Agenda
- Security trends and network admission control
- Introduction to Cisco network admission control management
- Cisco network admission control features
- Cisco network admission control deployment and application

Global e-crime is rising rapidly!
- Malicious software strains exploded from 30K/40K per month to 170,000 from February to March 2008.
- Phishing e-mails doubled (400,000 a day in August to nearly 800,000 a day in November).
- Ads for stolen identity information doubled or tripled in price in Fall 2008 (stolen identity that once cost $5, for instance, now sells for $15).
- Over 100 million credit/debit card transactions compromised due to malware at a large US payment processor, possibly the largest data breach to date (WashingtonP - Jan 20, 2009).
- "There's been a marked increase in the number of attacks and the number of successful fraud attempts... This is the busiest practice has ever been." (Gartner 2008)
- "In periods of recession or slow growth, companies are going to turn their attentions to customer retention rather than customer acquisition... The last thing you need in that environment is a data breach and the associated brand damage." (Forrester 2008)

Statistics on leakage of critical enterprise data
- Unauthorized application use: 70% of IT say the use of unauthorized programs results in as many as half of data loss incidents.
- Misuse of corporate computers: 44% of employees share work devices with others without supervision.
- Unauthorized access: 39% of IT said they have dealt with an employee accessing unauthorized parts of a company's network or facility.
- Remote worker security: 46% of employees transfer files between work and personal computers.
- Misuse of passwords: 18% of employees share passwords with co-workers. That rate jumps to 25 percent in China, India, and Italy.

Current state of endpoint security
- Complex system environment: Windows, Linux; laptops, desktops or PDAs; printers and other company assets.
- Complex user population: company employees, contractors, guests, unknown persons.
- Complex network environment: VPN, LAN, WLAN, WAN.
- Security tools are hard to roll out: antivirus, anti-spyware, personal firewall, patching tools.
- Endpoints face serious threats: malicious code attacks (viruses, worms, Trojans and blended threats), unauthorized access, hacker attacks.
- How to defend? Network Admission Control (NAC).

Benefits of network admission control (user benefits)
- Threat control: fewer endpoint infections, lighter virus-cleanup burden on IT, better network resilience.
- Fine-grained access control: fewer security incidents, prevention of sensitive data leakage.
- Regulatory compliance: improved security, meets security audit requirements.
- Higher operational efficiency: convenient guest networking, automatic device identification and monitoring.

NAC deployment drivers (Source: Infonetics Research, May 2008)
- Limit the impact of security problems, stop threats from propagating: 83%
- Protect against loss of sensitive/personal information: 76%
- Increase overall corporate security posture: 76%
- Control network access based on user identity and role: 74%
- Reduce risk of allowing all devices to connect to my network: 73%
- Demonstrate compliance to security/access policies: 70%
- Protect against loss of intellectual property: 61%

Agenda: Introduction to Cisco network admission control management

Cisco NAC: leading and innovative!
- 4000+ customers.
- 41% market share (1).
- #1 NAC vendor according to leading analysts (2).
- Gold Award: Information Security Readers' Choice Awards (3).
- Pioneered NAC, launched in 2004.
(1) Infonetics, June 2008. (2) Frost & Sullivan April 2008, Gartner March 2008, IDC Dec 2007, Infonetics June 2008. (3) April 2008 May.

Cisco NAC: leading and continuously innovating! (2003-2009)
- NAC market size (source: IDC, June 2007): 2004: $92m; 2005: $131m; 2006: $207m; 2007: $354m; 2008: $570m.
- Value-add added over time: User Identity (Who are you?), Posture Assessment (What's on your device?), Device Profiling (What other devices are connected?), Secure Guest (Who else is connecting?), Governance (What are the conditions of access?).
- First to the market; comprehensive solution; flexible deployment choices and options.

Cisco NAC feature overview
- Role-based access control; enforces endpoint security policy compliance.
- Detects user privileges and endpoint health.
- Provides employee/guest network access.
- Identifies non-PC endpoints.
- Real-time monitoring.
- Endpoint remediation.
Cisco NAC: complete enterprise endpoint network admission control!

Cisco NAC components
- NAC Manager (required): centralized management, configuration, reporting, and policy store.
- NAC Server (required): posture, services and enforcement.
- NAC Profiler (optional): profiles unmanaged devices.
- NAC Guest Server (optional): full-featured guest provisioning server.
- ACS Server (optional): access policy system for 802.1x termination.
- Endpoint components: 802.1x supplicant (CSSC or Vista embedded supplicant); NAC Agent, a no-cost client that is persistent, dissolvable, or web-based.

Cisco NAC can be deployed in many scenarios
- Endpoint Compliance (Campus Building 1): network access only for compliant devices.
- Guest Compliance (Conference Room in Building 3): restricted internet access only for guest users.
- Wireless Compliance (Wireless Building 2): secured network access only for compliant wireless devices.
- VPN User Compliance (IPSec over the Internet): intranet access only for compliant remote access users.
- Governance Compliance: ensure user compliance to governance and risk user acceptable policies.

Cisco NAC sizing options (users = online, concurrent)
- Super Manager manages up to 40 Enterprise and Branch Servers.
- Standard Manager manages up to 20 servers.
- Manager Lite manages up to 3 servers.
- Enterprise and Branch Servers: 3500, 2500 or 1500 users each.
- Branch Office or SMB Servers: 100, 250 or 500 users.
- ISR NM (network module): 50/100 users.

Agenda: Cisco network admission control features

Cisco NAC: four basic functions
Using the network to enforce policies ensures that incoming devices are compliant.
- Scan and assess: agent scan for required versions of hotfixes, AV, etc.; network scan for virus and worm infections and port vulnerabilities.
- Authenticate and authorize: enforces authorization policies and privileges; supports multiple user roles.
- Update and remediate: network-based tools for vulnerability and threat remediation; help-desk integration.
- Quarantine and enforce: isolate non-compliant devices from the rest of the network; MAC and IP-based quarantine effective at a per-user level.

Cisco NAC user flow overview (components: Clean Access Server, Clean Access Manager, authentication server)
1. The end user attempts to access a web page or uses an optional client. A wired or wireless end user is blocked from the network until login information is supplied.
2. The user is redirected to a login page. Clean Access validates the username and password and performs device and network scans to assess security vulnerabilities on the device.
3a. Quarantine: if the device does not meet the security policy or the login information is incorrect, the user is denied access and assigned a quarantine role that can only reach online remediation resources.
3b. Device is "clean": the machine enters the "certified devices list" and is permitted onto the network.
4. Endpoint experience: login screen; scan is performed (types of checks depend on user role); if the scan fails, remediate.

Two endpoint modes: CCA and web agents
- Deploy different agents for different users/roles: Clean Access agent for employees; web agent for guests and contractors.

Cisco NAC characteristics
- Supports every user environment: one unified, integrated solution for wired, wireless, VPN and remote LANs.
- Cisco NAC strategy emphasizes interoperability: the broadest support for current operating systems, device types and third-party applications.
- Innovation, innovation, innovation: first to deliver SSO, rulesets, profiling, a network module, etc.
- Leverages the existing network platform: optimized for the Cisco install base while working well alongside other platforms.

Cisco NAC identity authentication and posture assessment
- Authentication methods: Cisco NAC supports local authentication and integration with Kerberos, LDAP, RADIUS and Active Directory; supports SSO for VPN, wireless clients and AD domains.
- Device posture assessment: many NAC strategic partners; nearly 30,000 predefined rules detecting a wide range of applications, periodically updated from the Cisco site, plus powerful custom-rule capability.
(Pillars: User Identity, Posture Assessment, Device Profiling, Secure Guest, Governance.)

Cisco NAC integrates automatically updated rulesets (automated Cisco rulesets)
- Simplifies administration.
- Supports applications from 350+ vendors.
- Nearly 30,000 predefined checks.
- AutoUpdates hotfixes and service packs (direct to WSUS server), via the Cisco NAC Appliance Manager.

Cisco NAC innovation: device profiling (Device Profiling)
- The Cisco Profile Server intelligently identifies 100+ device types and applies different admission policies according to the type of device connecting.
- Non-PC devices: how do printers, fax machines and other non-PC devices get onto the network securely?
- Cisco innovation: device profile technology automatically identifies and manages connecting devices, closing this security gap.
- Cisco NAC Profiler: automatic device profiling and access control.

Cisco NAC innovation: guest lifecycle management (Secure Guest)
- Cisco innovation: the Guest Server provides guest lifecycle management, offering business partners and guests a secure connected world.
- Lifecycle: provisioning, notification (SMS, email, print-out), management, reporting.
- Guest policy; guest login page; guest management: create guest accounts; audit and reporting (sponsor information, guest information, account information).

Agenda: Cisco network admission control deployment and application

Cisco NAC flexible deployment modes (VPN, wireless, campus, and remote LANs)
- In-Band: enforcement via appliance (NAC Server, NAC Manager, NAC NM; VPN, IP WAN, L3, 802.1q).
- Out-of-Band: optimized for Cisco campus LANs (L2, L3); SNMP as control plane (NAC Server, NAC Manager, 802.1q).
- 802.1x: optimized for Cisco campus LANs (802.1x); RADIUS as control plane (NAC Server, NAC Manager, ACS, RADIUS).

Global and domestic success stories
- Manufacturing: Qingdao Haier, Sichuan Changhong.
- Energy: Shenhua Group headquarters and multiple mine sites.
- Power: Shanghai Electric Power, Zhejiang Electric Power, Guizhou Tianshengqiao power plant.
- Automotive: Dongfeng Cummins engine plant.
- Research institutes: Zhongye Nanfang (中冶南方).
- Government: Jiangsu Local Taxation Bureau, Tianjin Port, Yangpu Port.
- Enterprises: Shanghai Tobacco, Changxing Shipping, Shanghai Public Transportation Card Co.
- Cisco NAC has the largest NAC deployment in China: Qingdao Haier, 12,000 users.
- Cisco NAC is growing fast: over 500% Y/Y growth.
- CY08 Q4 NAC 4.6 will support double-byte characters, with full Chinese support.

Case study 1: a group whose main business is energy and transport
Problems and requirements:
- Listing requires compliance with the Sarbanes Act.
- Heavy desktop maintenance workload; need to force operating system updates, virus-signature updates and software upgrades.
- Regulate employee internet behavior.

L2 OOB solution demo, part 1: a PC connects to access switch port Fa0/12
Topology: CAM 10.128.5.1/24; CAS; LDAP/DHCP; Cisco L2 switch (Building A switch); Vlan6 = CAM management VLAN; Vlan598 = untrust VLAN; SVI Vlan599 10.X.X.254; Building A network; core network; Vlan598 trunk; CAS management vlan60; Vlan599 = communication VLAN; PatchServer; Anti-vServer.
- Access switch port Fa0/12 is placed in the untrust vlan598.
- The PC's DHCP request reaches the CAS; the CAS maps vlan598 to vlan599.
- DHCP request, DHCP relay; the DHCP response returns an address from the vlan599 range; the PC obtains 10.X.X.73/23 and DNS.
- Through the CAS, the PC is assigned an IP address in communication vlan599.

L2 OOB solution demo, part 2 (CAM 10.128.5.1/24, CAS 10.128.4.1/24)
- The PC attempts to access the network and the CAS authenticates it: when the PC tries to reach network resources it must pass through the CAS, which performs authentication and security checks.
- If authentication or the security check fails, the CAS informs the PC that it may only reach the designated server resources; after patching or installing antivirus software it can re-initiate authentication. The PC that did not pass is limited by the CAS to restricted resources such as the patch server.
- Once the PC passes the CAS authentication and security check, the CAM reconfigures the access switch, moving the PC's port F0/12 into the normal users' communication vlan 599 (the authenticated communication VLAN).
- In the new VLAN the PC re-obtains an address via DHCP and reaches the core network directly through the core switch, no longer via the CAS: the DHCP server receives the request again and hands the PC an IP address in the new VLAN.

L2 IB solution demo: a PC connects to access switch port Fa0/13
Topology: CAM 10.128.5.1/24; CAS; LDAP/DHCP; Cisco L2 switch (Building A switch); Vlan6 = CAM management VLAN; Vlan698; SVI Vlan599 10.X.X.254; Building A network; core network; Vlan698 trunk; CAS management vlan60; Vlan699 = communication VLAN; PatchServer; Anti-vServer.
- Access switch port Fa0/13 belongs to authentication vlan698; the CAS maps the authentication VLAN to communication vlan699.
- The CAS simulates the vlan699 gateway inside vlan698, so all traffic from the PC must pass through the CAS to reach the outside.
- DHCP request, DHCP relay; the DHCP response returns an address from the vlan599 range; the PC obtains 10.Y.X.73/23.
- Access control is achieved by assigning users to different roles.

Demo
- User login through the browser web interface; NAC authentication interface.
- Health check finds no system patch.
- Patch interface: users need only click the button at the bottom left corner and the system prompts the user to install.
- Pass the health check; login interface.

Case study 2: a group that is the world's fourth largest white-goods manufacturer
Problems faced:
- Heavy desktop maintenance workload every year.
- Many employees install download tools and proxy tools; software promoted by the group is rarely installed.
- Severe bandwidth consumption, rampant viruses, network scanning everywhere.
- Urgent need to regulate employee internet behavior and protect endpoints.
Cisco's advantages:
- Adapts to multiple network environments and operating systems; can check every type of connecting endpoint.
- Flexible and varied authentication methods; supports multiple verification forms.
- Role-based user verification, enabling tiered, privilege-based management.
- Comprehensive security checks of endpoint devices; effective quarantine with multiple ways of helping users remediate.
- Easy to implement and maintain, suited to large-scale use, supports HA.
Results:
- Regulated users' internet behavior; rolled out the group's AD domain and software-installation policy so that every NAC user conforms to the group's unified standard.

L3 IB solution demo: client PCs keep their original VLAN
Topology: CAM; CAS; LDAP/DHCP; Cisco L2 switch (Building A switch); Vlan6 = CAM management VLAN; SVI Vlan599 10.X.X.254; Building A network; core network; Vlan61; Vlan60; PatchServer; Anti-vServer; Int Vlan 699 with PBR.
- After the CAS authenticates the client PC it assigns it to a role; access control is achieved by assigning users to different roles.
- PBR on the Vlan 699 gateway directs user traffic to the untrust port of the CAS.

NAC deployment diagram (summary of the topology figure)
- Operations management zone; core switch 6509; application server zone (Cisco 4506, Cisco 3750); test and development zone (Cisco 3750, Cisco 3560).
- Internet access zone: China Netcom and China Telecom links, F5-3400, Fortigate 1000A, ASA 5550, IDS 4215, DMZ.
- Partner private network: access router, partner access sub-zone.
- WAN access zone: MPLS access router 7606, MPLS to branch offices.
- Aggregation switch 6509; Chuangpai building switch 6509; Cisco 3560 and Cisco 2960 switches in the business units; ASA 5550.
- NAC management zone: 2 CAM, 4 CAS, plus 2 CAS.

Case study 3: a company whose main business is automotive and casting
- 1250 users, HA configuration; admission control implemented for LAN users and VPN users.
Project goals achieved:
1. Determine the licensed operating system version of a connecting device.
2. Determine whether a connecting device has the required operating system patches installed.
3. Determine whether a connecting device has approved antivirus software installed and running, and whether its signature database is current.
4. Verify the identity of a connecting device against domain accounts.
5. Based on the results of 1-4, switch the switch port into the VLAN defined by policy.
6. Control both LAN users and VPN users at the same time.
NAC project network topology, VPN part (figure).

NAC implementation experience
Preparation before implementation:
- Refine the NAC requirements.
- Classify users.
- Define the access control policy.
- Survey end users' technical skill level.
- Understand the network baseline: traffic, detailed network topology, progress of domain and desktop standardization; handling of antivirus, patches, program monitoring and anti-spyware.
Points to note during implementation:
- Build a small pilot first, then roll out gradually.
- When posture-check content must change during the rollout, notify everyone in advance and provide guidance on handling problems.

Questions?
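The admission decision from the L2 OOB demo and the case-study-3 goals (credential check, patch and antivirus checks, quarantine on the untrust VLAN with only the remediation servers reachable, port moved to the communication VLAN when clean) as a small simulation. This is an added example, not Cisco code; the hotfix IDs, user store and signature-age threshold are constructed.

```python
from dataclasses import dataclass, field

UNTRUST_VLAN, ACCESS_VLAN = 598, 599          # VLAN numbers from the OOB demo
REMEDIATION_HOSTS = {"PatchServer", "Anti-vServer"}  # only hosts reachable from quarantine
MAX_SIG_AGE_DAYS = 7                          # constructed threshold for "signatures current"
REQUIRED_PATCHES = {"KB-REQ-1", "KB-REQ-2"}   # constructed hotfix IDs
USERS = {"alice": "s3cret", "bob": "hunter2"} # constructed stand-in for the LDAP/AD backend


@dataclass
class Endpoint:
    user: str
    password: str
    os_patches: set          # hotfix IDs reported by the agent scan
    av_running: bool
    av_sig_age_days: int


@dataclass
class Decision:
    role: str
    vlan: int                # VLAN the CAM leaves or puts the switch port in
    reachable: object        # None = unrestricted, else the set of permitted hosts
    failed_checks: list = field(default_factory=list)


def posture_checks(ep: Endpoint) -> list:
    """Agent-style checks: required hotfixes, AV running, AV signatures recent."""
    failed = []
    missing = REQUIRED_PATCHES - ep.os_patches
    if missing:
        failed.append("missing patches: " + ", ".join(sorted(missing)))
    if not ep.av_running:
        failed.append("antivirus not running")
    elif ep.av_sig_age_days > MAX_SIG_AGE_DAYS:
        failed.append("antivirus signatures out of date")
    return failed


def admit(ep: Endpoint) -> Decision:
    """Steps 2-3 of the user flow: credentials, then posture, then role and VLAN."""
    if USERS.get(ep.user) != ep.password:           # bad login: denied, nothing reachable
        return Decision("unauthenticated", UNTRUST_VLAN, set(), ["bad credentials"])
    failed = posture_checks(ep)
    if failed:                                       # step 3a: quarantine, port stays in 598
        return Decision("quarantine", UNTRUST_VLAN, set(REMEDIATION_HOSTS), failed)
    return Decision("employee", ACCESS_VLAN, None)   # step 3b: clean, port moved to 599


def can_reach(d: Decision, host: str) -> bool:
    return d.reachable is None or host in d.reachable
```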