Risk Management using Network Access Control and Endpoint Control for the Enterprise
Kurtis E. Minder, Mirage Networks
CONFIDENTIAL

Agenda
- Drivers of NAC
- Key Elements of NAC Solutions
  - Identify
  - Assess
  - Monitor
  - Mitigate
- NAC Landscape

Business Needs Drive Security Adoption
- 3 ubiquitous security technologies
  - Anti-virus. Business driver: file sharing
  - Firewalls. Business driver: interconnecting networks (i.e. the Internet)
  - VPNs. Business driver: remote connectivity
- Today's top security driver: mobile PCs and devices
  - Broadband access is everywhere
  - Increased percentage of the time devices spend on unprotected networks
  - Perimeter security is rendered less effective because mobile devices bypass it and aren't protected by it
- Mobility of IP devices is driving the need for Network Access Control solutions
  - Leading source of network infections
  - More unmanaged devices on the network than ever: guest and personal devices

The Traditional Approach to Network Security Isn't Enough
(diagram slide; title only)

The Problem NAC Should Address
Today, endpoint devices represent the greatest risk to network security, by propagating threats or being vulnerable to them.
- Infected devices propagate threats, resulting in loss of productivity & hours of cleanup
- Unknown devices, like home PCs, contractor PCs, & WiFi phones, can introduce new threats or compromise data security
- Out-of-policy devices are more vulnerable to malware attacks, while running services that could jeopardize security

"Because of worms and other threats, you can no longer leave your networks open to unscreened devices and users.
By year-end 2007, 80 percent of enterprises will have implemented network access control policies and procedures."
Gartner, Protect Your Resources With a Network Access Control Process

The Cost
(chart slide) Sources: 1 mi2g Intelligence Unit, Malware Damage in 2004; 2 ICSA Labs, 9th Annual Computer Virus Prevalence Survey

The Numbers Tell the Story
"Protection" is in place:
- 98% use firewalls [1]
- 97% of companies protect machines with antivirus software [1]
- 79% use anti-spyware [1]
- 61% use email monitoring software [1]
But it's not enough!
- Cost of malware: $14.2B [2]
- 80% of companies experienced 1 or more successful attacks; 30% had more than 10 [3]
- Average net loss for malware incidents in US companies is nearly $168,000 per year [1]
- Worldwide, 32% of companies experience attacks involving business partners; 43% of those were infections, while 27% were unauthorized access [4]
- 75% of enterprises will be infected with malware that evaded traditional defenses [5]
Sources:
1 Computer Security Institute/FBI's 2006 Computer Crime and Security Survey
2 Computer Economics, 2006
3 ICSA Labs, 9th Annual Computer Virus Prevalence Survey
4 Cybertrust, Risky Business, September 2006
5 Gartner, Gartner's Top Predictions for IT Organizations and Users, 2007 & Beyond, December 2006

The Problem is Expected to Get Worse
2006 statistics:
- Steep increase in the number of software security vulnerabilities discovered by researchers and actively exploited by criminals
- Microsoft Corp issued fixes for 97 (versus 37 in 2005) security holes assigned the critical label; 14 of the critical ones became zero-day threats
- Experts worry that businesses will be slow to switch to Vista
- Pre-Vista MS Office is expected to remain in widespread use for the next 5-10 years
Source: Washington Post, Dec 2006, Cyber Crime Hits the Big Time in 2006

NAC Market Expectations
- NAC appliance vendors will sell $660m worldwide in 2008
- NAC appliances will gain 17% worldwide share of the NAC market by 2008, up from 6% in 2005
- Research reveals World Network Access Control (NAC) Products and Architectures
Markets earned revenues of over $85 million in 2006 and estimates this to reach over $600 million in 2013
- Gartner estimates that the NAC market was $100M in 2006 and will grow by over 100% by YE2007

Increasing Number of Targets to Protect
SANS Institute Top 20 Internet Security Attack Targets (2006 Annual Update), v7.0, 11.15.06
- Operating Systems: Internet Explorer; Windows Libraries; Microsoft Office; Windows Services; Windows Configuration Weaknesses; Mac OS X; Linux Configuration Weaknesses
- Network Devices: VoIP Phones & Servers; Network & Other Devices Common Configuration Weaknesses
- Cross Platform Applications: Web Applications; Database Software; P2P File Sharing Applications; Instant Messaging; Media Players; DNS Servers; Backup Software; Security, Enterprise, and Directory Management Servers
- Security Policy & Personnel: Excessive User Rights & Unauthorized Devices; Users (Phishing/Spear Phishing)
Source: SANS Institute 2006 Top Attack Targets

What Class of NAC Solutions to Deploy?
(chart slide) Aberdeen Research, 2006

Top Drivers Influencing NAC Solutions
(chart slide) Aberdeen Research, 2006

Top Features Required in a NAC Solution
(chart slide) Aberdeen Research, 2006

Key Elements of NAC Solutions
Common NAC Elements
- NAC is an evolving space with evolving capabilities
- NAC solution elements (some or all):
  - Identify: detect & authenticate new devices
  - Assess: endpoint integrity checks to determine levels of risk and adherence to security policy
  - Monitor: watch the device's activity for change of assessed state with respect to policy and threat status
  - Mitigate: take appropriate action upon any device that is identified as a security risk by the previous three elements

Identify: Find/Authenticate New Devices
Question: How do you know when a new device comes on the network?
Is it a known or unknown device? Is it an authenticated user?
Common approaches:
- Leverage 802.1x or network infrastructure OS
  - Authenticate through existing EAP infrastructure to pass credentials to the authentication server
- Special purpose DHCP server
  - Authentication usually web based and tied to the authentication server
- Authentication proxy
  - NAC solution serves as a proxy between device and authentication server
- Inline security appliances (i.e. security switches)
  - Serve as a proxy between device and authentication server
- Real time network awareness
  - Authentication usually web based and tied to the authentication server
All approaches trigger off entry on the network by a new IP device.

Identify: Pros & Cons of Various Approaches
- 802.1x approach
  - Pros: Device detected and authenticated prior to IP address assignment
  - Cons: Often is a costly and time consuming installation; requires switch upgrade/reconfiguration; endpoints must be 802.1x enabled (requires supplicant software); must create guest/remediation VLANs
- DHCP approach
  - Pros: Easier to deploy, independent of network infrastructure, covers both managed and unmanaged devices
  - Cons: Bypassed by static IP address assignment; remediation typically to a broadcast VLAN (cross infection risk)

Identify: Pros & Cons of Various Approaches (cont.)
- Authentication proxy
  - Pros: Good hook for checking managed devices
  - Cons: Unknown devices may never authenticate, but still could have network access; may not check all IP devices
- In-line security appliance/switch
  - Pros: Sees all devices, both managed and unmanaged, and doesn't require agent based software
  - Cons: If it is not in line with, or does not replace, the access switch then it will not see the device as it comes on the network
- Out of band appliances with network awareness
  - Pros: Sees all devices as they enter the network, both managed and unmanaged; easier to implement than many of the other approaches
  - Cons: May require switch integration for mitigation of problems

Assess
Assess Endpoint Integrity
Question: Even if a device is allowed on my network, how do I ensure it meets my security policies and risk tolerance?
Answer: Endpoint integrity
checks:
- Operating system identification and validation checks
  - Typically requires an agent
  - Must establish a policy relating to acceptable patch level (latest patch on company SMS server, no older than X months, most recent patch available from software vendor)
  - What do you do for unknown devices? Usually requires an agent for these checks
- Security software checks: AV, personal firewall, spyware, etc.
  - Is it up and running?
  - Is it in the right configuration?
  - Is it up to date, both the software and the database?
  - Usually requires an agent for these checks

Assess Endpoint Integrity (cont.)
Endpoint integrity checks (cont.)
- Endpoint configuration: find unauthorized servers and services
  - Web servers, FTP servers, mail servers, etc.
  - Vulnerable or high risk ports, i.e. port 445 exploited by Zotob
  - These checks can be done from the network or with an agent
- Threat detection
  - Scan the device for active infections or backdoors
  - Not commonly implemented on entry to the network: too much latency; risk profile substituted for deep scans (i.e. AV is up to date and had a current scan)
Elements for endpoint integrity checks:
- Network scanning server (optional)
- Endpoint software, permanent or transient (optional)
- Policy server (required): must have somewhere to define what is allowed/disallowed

Monitor
Monitoring Post Network Entry
The forgotten element of Network Access Control
Why is monitoring a critical element of NAC?
- Can't effectively check for all threats on entry; takes too long
- Security policy state can change post entry: users initiate FTP after access is granted
- Infection can occur post entry: e-mail and web threats can change the security state of the device
What Gartner says in their paper "Protect Your Resources With a Network Access Control Process":
"The network traffic and security state of systems that are connected to the network must be monitored for anomalous behavior or system changes that bring them out of compliance with security policies."
Why isn't this simply another network security function?
- Monitoring is both for threats and policy adherence; takes advantage
of the policy definition of the NAC solution
- Works hand in hand with NAC quarantine services

Traditional Approach to Network Security
Traditional approach:
- Firewall/IPS at the perimeter
- AV, HIDS/HIPS on the endpoint
This approach leaves a "soft underbelly" through which unmanaged, out-of-policy and infected endpoints can easily gain access.
External environment:
- New technologies
- New threats
- Regulatory requirements

Exploiting the Network's Weakness
Infected endpoints bypass the perimeter, generating rapidly propagating threats that take over a network in minutes, bringing business to a halt and creating costly cleanup.

Monitoring Approaches
- Agent based approaches
  - Host Intrusion Prevention Systems
  - Personal firewalls
  - Both require integration with a network policy server to be an element of NAC
  - Doesn't cover unknown/unmanaged/unmanageable devices
- Network based approaches
  - In-line: typically evolution of IPS vendors into NAC capabilities; also includes Network Based Anomaly Detection (NBAD) vendors
  - Out-of-band: most commonly NBAD and old Distributed Denial of Service (DDoS) security vendors
- Key considerations
  - Does the security device watch for policy violations as well as threats?
  - Does it see devices as they enter the network?
  - Can they work across both voice and data networks without negatively impacting quality and performance?
  - What is the management overhead associated with both approaches?

Mitigate
Mitigation Approaches for NAC
Two elements for NAC mitigation:
- Quarantine capabilities (required)
  - On-entry: restrict access for devices not meeting requirements
  - Post-entry: take a device off the network and send it to a quarantine zone if it violates policy or propagates a threat
  - Ideally should be able to assign to a different quarantine server based on the problem, i.e.
registration server for guests, AV scanner for infected devices, etc.
- Remediation services for identified problems (optional)
  - Additional diagnostic tools for deeper checks: vulnerability scanners, AV scanners, etc.
  - Tools for fixing identified problems: OS patch links, AV signature update and malware removal tools, registration pages for unknown devices

Quarantine Approaches
- DHCP integration
  - Uses the DHCP process for identification and endpoint integrity checks on entry to the network
  - Pros: Assigns appropriate IP and VLAN according to the device's risk level
  - Cons: After the IP address is assigned they don't have an independent quarantine capability; static IPs bypass their enforcement
- Switch integration
  - Uses either ACLs or 802.1x
  - ACLs: not commonly used because of negative performance impact and access requirements in the network
  - 802.1x: forces the device to re-authenticate and assigns a new VLAN
  - Pros: Effective both pre and post admission; uses a standards based approach in 802.1x
  - Cons: Can negatively impact switch performance; usually not granular in quarantine server assignment; if using a broadcast quarantine VLAN there is a cross-infection risk

Quarantine Approaches (cont.)
- In-line blocking with web redirect
  - Pros: Improved performance over ACLs; can granularly block suspect traffic; has the capability of sending web traffic to the appropriate quarantine server based on the problem
  - Cons: Doesn't see downstream traffic, so can only block and redirect traffic that comes through it; may require additional integration with the network for mitigation because of this
- ARP management
  - Security appliance selectively goes in line for a single host and becomes its default gateway by ARP manipulation
  - Pros: No network integration required for full quarantine capabilities; enables surgical, problem specific quarantine without cross-infection risk; effective both pre and post admission
  - Cons: If implemented improperly, network equipment can misidentify this as an attack and drop this traffic

Today's NAC Landscape
Evolving proprietary standards:
- Cisco Network Admission Control (CNAC)
  - Three critical elements: Cisco Trust Agent (CTA), updated
Network Access Device (NAD), Cisco Access Control Server (ACS)
  - Integration with endpoint agents to communicate with ACS regarding the appropriate access level to the network
- Microsoft Network Access Protection (NAP)
  - Available in Vista
  - Endpoint needs a System Health Agent (SHA)
  - SHA reports to a System Health Validator (SHV) to do policy checks
  - Network isolation through enforcement integrations: DHCP Quarantine Enforcement Server (QES), VPN QES, 802.1x
- Trusted Network Connect open standard
  - TNC compliant client required on endpoints
  - Policy Decision Point (PDP) for security policy comparisons
  - Policy Enforcement Point (PEP) for quarantining

Summary
- NAC is an evolving technology space
- Know what problems are most important to address
  - Unknown/unauthenticated user control
  - Policy enforcement for endpoints
  - Preventing threats on your network
- Understand implementation tradeoffs
  - Quarantine flexibility
  - Performance impact
  - Cost of solution
  - IT effort to implement
- Keep track of early evolving standards

About Mirage
Background & Key Accomplishments
- Company highlights
  - First GA product: January 2004; V3 launched in July 2006
  - Acquisition of WholePoint Corporation, Dec 04
  - 1 NAC patent granted; 10 pending
- Customer/partner momentum
  - 1100+ units sold and deployed
  - 350+ production customers
  - Key verticals: EDU, H/C, FIN, TEC, MFG, S&L, PRO
  - 120 channel partners (93% of revenues)
  - Strategic relationships: IBM/ISS, Extreme, Mitsui, AT&T, Avaya
- Industry recognition
  - Info Security Hot Companies 2007
  - Best Anti-Worm, Anti-Malware, SC Magazine/RSA 2006
  - Info Security Customer Trust Product Excellence Award, 2006
  - Software Development magazine: four star product review, May 2005

Mirage Networks Management Team
- Greg Stock, President & CEO (Manugistics, Vastera, e-security, IBM)
- Thomas Brand, VP, WW Field Operations (Vastera, Toyota, Chrysler)
- David Thomas, VP, Products (NovusEdge, Vignette, IBM)
- Michael D'Eath, VP, Business Development (Waveset, Tivoli, Novell)
- Grant Hartline, CTO (Cisco, Dell, NEC)
- David Settle, CFO (Exterprise, Dazel, Convex Computer
Corp)

Mirage Board of Directors/Investors
- Greg Stock, Mirage Networks
- Tim McAdam, Trinity Ventures
- Martin Neath, Adams Capital
- Bill Bock, CFO, Silicon Labs
- George Kurtz, EVP McAfee
- Howard Schmidt, Former CISO eBay, Microsoft

Strategic Partners
- AT&T resells Mirage NAC in its managed services portfolio. Marketed as AT&T Managed IPS, it represents the AT&T commitment to enabling business to be conducted effectively, efficiently and securely across both wired and wireless IP networks. (Signed March 2005)
- Part of the Avaya DevConnect Program, Mirage works with Avaya to develop world-class interior network defense solutions, particularly for emerging IP telephony technology.
- Mitsui Bussan Secure Directions, a subsidiary of Mitsui & Co., Ltd., one of the world's most diversified and comprehensive trading and services companies, powers Mirage NAC sales in the Japanese marketplace. (Signed October 2004)
- Extreme Networks provides organizations with the resiliency, adaptability and simplicity required for a truly converged network that supports voice, video and data over a wired or wireless infrastructure, while delivering high-performance and advanced security features. (Signed March 2005)
- IBM Internet Security Systems (formerly ISS) has formed an alliance with Mirage Networks to provide Network Access Control to global enterprise customers. (Signed November 2006)

Selected Customers
(logo slide) Finance; Government; Professional Services; Higher Education; K-12; Manufacturing; Healthcare; Other

Mirage Networks Endpoint Control
- Network Intelligence
  - Central Mgmt
  - Asset Tracking
  - Network Visibility
  - Executive Reports
  - Cross Network Correlation
  - Compliance & Audit Support
- Policy Enforcement
  - Surgical Quarantining
  - Customized remediation
  - Infrastructure-Independent
  - No Network Re-architecture
  - Flexible Self-Remediation Options
  - ARP Management: No VLAN of Death
- Network Access Control
  - Comprehensive Endpoint Control
  - On-entry Risk
Assessment
  - Policy Enforcement
  - IP Telephony Enabled
  - Wireless Support
  - Out-of-Band
  - Agentless
- Day-Zero Threat Protection
  - Patented Behavioral Technology
  - No Signatures, No Updates
  - Leverages Dark IP Space
  - Minimal False Positives
  - Customized Policies
  - Day Zero

Behavioral Rules Example: Threat Propagation
Mirage continually monitors the dark IP space on the network. When a device attempts to connect to multiple dark IPs, Mirage's behavioral rules immediately identify this as an attack and quarantine the offending device.

Attack Deception
Mirage leverages the dark IP space to create device decoys that lock up a would-be attacker (whether inside or outside the network) in a lengthy, non-productive dialog.

Mirage NAC is the Answer
- Full Cycle: Pre- and Post-Admission Policy Enforcement
- Out of Band Deployment; no latency, switch integration
- Infrastructure Independent: All networks, All devices, All OSs
- Zero Day protection without signatures
- Agentless: Easy to Deploy and Manage
- Quarantines without switch integration
- Patented technology
(diagram: Check on Connect / Pre-Admission; Zero Day / Threat Prevention; Post Admission / Policy Enforcement)

Thank You
Presentation complete, thank you for watching!
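The deck's Assess, Monitor and Mitigate elements (on-entry endpoint integrity checks against a policy, the post-entry "multiple dark IPs" behavioral rule, and problem-specific quarantine assignment instead of one broadcast quarantine VLAN) are brought together below in one added worked example. This is illustrative Python written for this page; it is not Mirage's product code or anything from the deck. The policy thresholds, the dark IP range, the device posture records, the flow records and the quarantine target names are all constructed assumptions.

```python
"""Added example (not from the deck): a minimal NAC policy engine that ties
together the Assess, Monitor and Mitigate elements described in the slides.
Every policy value, device record, flow record and quarantine target name
below is constructed for illustration."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# --- Policy (constructed values) -------------------------------------------
MAX_PATCH_AGE_DAYS = 90                 # the deck's "no older than X months"
MAX_AV_DB_AGE_DAYS = 7                  # AV signature database must be recent
FORBIDDEN_LISTENING_PORTS = {21, 25, 80, 445}   # FTP, SMTP, HTTP, SMB (445: Zotob)
DARK_SPACE = ipaddress.ip_network("10.0.200.0/24")  # unallocated range watched as dark IP space
DARK_IP_THRESHOLD = 3                   # distinct dark IPs touched before a host is flagged

# Problem-specific quarantine targets (hypothetical names) in priority order:
# the first problem found in this order decides where the device is sent.
QUARANTINE_TARGETS = [
    ("threat-propagation", "av-scanner"),
    ("unknown-device", "registration-portal"),
    ("av-not-current", "av-update-server"),
    ("patch-out-of-date", "os-patch-server"),
    ("unauthorized-service", "helpdesk-remediation"),
]


@dataclass
class Endpoint:
    """Posture facts an agent or a network scan would report on entry."""
    address: str
    known: bool                          # authenticated / inventoried device?
    last_patch: Optional[date]
    av_running: bool
    av_db_updated: Optional[date]
    listening_ports: set = field(default_factory=set)


def assess(ep: Endpoint, today: date) -> list:
    """On-entry endpoint integrity checks; returns the list of problems found."""
    problems = []
    if not ep.known:
        problems.append("unknown-device")
    if ep.last_patch is None or (today - ep.last_patch).days > MAX_PATCH_AGE_DAYS:
        problems.append("patch-out-of-date")
    if (not ep.av_running or ep.av_db_updated is None
            or (today - ep.av_db_updated).days > MAX_AV_DB_AGE_DAYS):
        problems.append("av-not-current")
    if ep.listening_ports & FORBIDDEN_LISTENING_PORTS:
        problems.append("unauthorized-service")
    return problems


def dark_ip_offenders(flows, threshold=DARK_IP_THRESHOLD):
    """Post-entry behavioral rule: sources that contacted at least `threshold`
    distinct dark IPs. `flows` is an iterable of (src_ip, dst_ip) strings."""
    touched = defaultdict(set)
    for src, dst in flows:
        if ipaddress.ip_address(dst) in DARK_SPACE:
            touched[src].add(dst)
    return {src for src, dsts in touched.items() if len(dsts) >= threshold}


def decide(problems):
    """Mitigation: ('allow', None) or ('quarantine', target) by problem priority."""
    for problem, target in QUARANTINE_TARGETS:
        if problem in problems:
            return ("quarantine", target)
    return ("allow", None)


# --- Constructed sample input ----------------------------------------------
TODAY = date(2007, 3, 1)
SAMPLE_ENDPOINTS = [
    Endpoint("10.0.1.5", True, date(2007, 2, 20), True, date(2007, 2, 28)),   # compliant laptop
    Endpoint("10.0.1.6", False, None, False, None),                           # guest home PC
    Endpoint("10.0.1.7", True, date(2006, 10, 1), True, date(2007, 2, 27), {21}),  # stale, runs FTP
]
# (src, dst) flow records: 10.0.1.5 sweeps four dark addresses after admission;
# 10.0.1.6 touches a single dark address, which stays below the threshold.
SAMPLE_FLOWS = [
    ("10.0.1.5", "10.0.200.7"), ("10.0.1.5", "10.0.200.8"),
    ("10.0.1.5", "10.0.200.9"), ("10.0.1.5", "10.0.200.10"),
    ("10.0.1.6", "10.0.200.3"), ("10.0.1.6", "10.0.1.9"),
    ("10.0.1.7", "10.0.1.1"),
]


def run_example():
    """On-entry decision per device, then the post-entry behavioral rule."""
    results = {ep.address: {"on_entry": decide(assess(ep, TODAY))} for ep in SAMPLE_ENDPOINTS}
    for src in dark_ip_offenders(SAMPLE_FLOWS):
        results[src]["post_entry"] = decide(["threat-propagation"])
    return results


if __name__ == "__main__":
    for address, verdict in run_example().items():
        print(address, verdict)
```

The compliant laptop is allowed on entry and only quarantined once the dark IP rule fires, which is the post-entry case the Monitor slides argue a NAC solution must cover; the guest PC fails several checks but is routed to the registration portal because unknown-device outranks the others, and the stale machine with an FTP listener goes to the patch server rather than a shared broadcast quarantine.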