
Bob Reny, Sr. Systems Engineer

Presentation Transcript


  1. Bob Reny, Sr. Systems Engineer Do you know NAC? Data Connectors - Vancouver 4/25/2013

  2. The Origin of Network Access Control • Code Red worm – $2 billion damage • SoBig – $37.1 billion damage • MyDoom – $38.5 billion damage • Sasser – $500 million damage • Blaster – $320 million damage

  3. Cisco’s Answer (2004) Source: http://web.archive.org/web/20040603071700/http://www.cisco.com/en/US/netsol/ns466/networking_solutions_sub_solution_home.html

  4. Cisco’s Answer (2004) Source: http://web.archive.org/web/20040603071700/http://www.cisco.com/en/US/netsol/ns466/networking_solutions_sub_solution_home.html

  5. Cisco’s Decision to Use 802.1x

  6. Initial Hype – Then Massive Disappointment

  7. Do You Know NAC? The common perception of NAC (the slide stamps this list WRONG!): • Complex architecture • Takes forever to implement • Difficult to manage • Not worth the effort • Requires 802.1x agents

  8. Today The NAC Market is Booming • BYOD phenomenon • Ubiquitous expectation of wireless networks • Greater concern over data leakage • Need to keep private data from getting onto the wrong devices • Greater realization that desktop security is hard • IT managers want a third-party check on PC security posture • Products are better

  9. Modern Network Access Control Products Great variations exist between vendors’ NAC products, but the best products are: • Simpler, less complex • Easy to deploy and manage • Help you control BYOD • Provide tremendous visibility • Offer a range of enforcement options • Integrate with other security infrastructure (SIEM, MDM, etc.) • Deployment options – physical, virtual, managed services

  10. Why Do You Need NAC? -- Visibility (diagram: corporate resources reached by corporate and non-corporate endpoints, network devices, applications and users; NAC supplies real-time visibility and automated control. Example findings: antivirus out of date…, unwanted application…, encryption/DLP agent not installed…. Legend: Not Visible = No Protection Possible; Visible = Protection Possible)

  11. The Poster Child for Visibility: Smartphones • Smartphones at a major hospital • Believed they had 8,000 devices on the network • They actually had 12,000 • The culprit? Smartphones • No security measure in place

  12. Why Do You Need NAC? -- Cost Savings • Policy automation • Roll out and enforce standardized security policies • User acknowledgement • Guest management automation • Wired and wireless guest registration • Role-based access • Asset management automation • Maintain accurate inventory control • Hardware and software

  13. Why Do You Need NAC? -- BYOD Control

  14. Why Do You Need NAC? -- BYOD Control “NAC provides one of the most flexible approaches to securely supporting BYOD.” “No matter what [BYOD] strategy is selected, the ability to detect when unmanaged devices are in use for business purposes will be required — and that requires NAC.” Gartner, “NAC Strategies for Supporting BYOD Environments”, 22 December 2011, Lawrence Orans and John Pescatore http://mammanatech.wordpress.com/category/cloud-computing/

  15–20. Why Do You Need NAC? -- Endpoint Security (build slides for the comparison of Traditional Security Agents vs. Agentless NAC across Managed and Unmanaged Endpoints; each slide adds one row, and the completed comparison is slide 22)
      Traditional Security Agents, managed endpoints (slide 16): • Protect system from attack (malware) • Protect data (encryption, DLP) • Identify unauthorized applications • Update software and configuration • Compliance and inventory reports • Windows only
      Agentless NAC, managed endpoints (added one item per slide, 17–20): • Ensure security agents are installed, running, and up-to-date • Identify unauthorized applications • Update software and configuration • Compliance and inventory reports • Windows, Mac, Linux, iOS, Android, … • Role-based network access control

  21. Example: Endpoint Security Validation • Agent-based endpoint security solutions are only good if they are installed, running and updated. • Agent-based systems have blind spots. • “We identified that McAfee ePO was pushing DAT files properly, but ForeScout found a couple hundred endpoints where the McShield service was not running.” • “On another occasion, McAfee ePO failed to receive and push DAT files for a week. Desktop operations was unaware because McAfee ePO was unaware. ForeScout noticed the problem and notified the InfoSec team.”

  22. Why Do You Need NAC? -- Endpoint Security (completed comparison)
      Traditional Security Agents
        Managed Endpoints: • Protect system from attack (malware) • Protect data (encryption, DLP) • Identify unauthorized applications • Update software and configuration • Compliance and inventory reports • Windows only
        Unmanaged Endpoints: (empty on the slide)
      Agentless NAC
        Managed Endpoints: • Ensure security agents are installed, running, and up-to-date • Identify unauthorized applications • Update software and configuration • Compliance and inventory reports • Windows, Mac, Linux, iOS, Android, … • Role-based network access control
        Unmanaged Endpoints: • Detect and control unmanaged endpoints • Detect and control rogue network devices • Identify unauthorized applications • Update software and configuration • Compliance and inventory reports • Role-based network access control

  23. Why Do You Need NAC? -- Network Access Control (diagram: Employees, Contractors and Guests assigned to the HR, Sales, Finance and Guest network segments)

  24. Agenda • History of NAC • Why the NAC market is booming • Selecting a NAC product

  25. What is Network Access Control (NAC)? Technology that identifies users and network-attached devices and automatically enforces security policy. (diagram: access outcomes GRANTED, LIMITED, FIXED, BLOCKED)

  26. What is Network Access Control (NAC)? • Who are you / group? • What device? • Device configuration? • Security posture? • Device location? • Time of day?

  27. NAC Basics – Form Factor • NAC comes in many flavors ... • Network framework NAC • Endpoint software NAC • Out-of-band appliance NAC • In-line appliance NAC • You have to determine which flavor is best for your environment and users

  28. NAC Basics – Network Enforcement Mechanisms • 802.1x • VLAN change • ARP poisoning • In-line blocking • ACL management • TCP resets • DHCP

  29. NAC Basics – Agent or Agentless • Agent-based • Well, the agent must be working! • Provide deep intelligence • More complex to manage • May impact endpoint performance • May not work in an unmanaged environment (BYOD) • Agentless • Less complex to operate • Easy integration with network intelligence • Easily adaptable to BYOD environments • Easy integration with network enforcement mechanisms • But may not provide as deep intel as agent-based

  30. NAC Requirements – Accurate Discovery • Guest vs. employee • Computers (Mac, Win, Linux) • Virtual machines • Printers and fax • Handheld devices • VoIP phones • WAP devices • Equipment • USB devices • Software • Processes

  31. NAC Requirements – Health Check • Pre-connection • Comply with security policies • Meet regulatory requirements • Remediate problems • Post-connection • Monitor endpoints to ensure that they remain compliant • Look for abnormal activity on the endpoints • Ensure that approved endpoints remain valid and are not spoofed

  32. NAC Requirements – Flexibility • Support diverse types of users, devices, access methods • Managed and unmanaged devices • Employees, guests, contractors • Wired, wireless, VPN • Provide a range of responses • Audit • Alert/Inform • Allow • Limit • Remediate • Block

  33. Advanced NAC – Integration (diagram: the NAC Policy Engine at the centre, connected to Antivirus, Windows, Mac/Linux, MDM, VPN, Wi-Fi, SIEM, User Directory and Switch)

  34. Example: Integration with SIEM (diagram: SIEM collecting from Databases, Applications, Switches, Wireless, VPN, Endpoints and Security Devices)

  35. Example: Integration with SIEM (diagram: NAC added alongside the SIEM's existing sources)

  36. Example: Integration with SIEM (diagram: NAC feeds Endpoint Posture and Context to the SIEM)

  37. Example: Integration with SIEM (diagram: the SIEM sends Remediation Actions back to the NAC)

  38. Example of Best-in-class NAC

  39. ForeScout’s Third Generation NAC • Horizontal visibility • Every device on the network • Vertical visibility • Deep information about the device, software, and user • Extensive range of actions • Inform, educate, remediate, control, block • Easy to implement • Works with your existing network infrastructure

  40. How It Works ForeScout CounterACT • Out of band • Agentless

  41. See Grant Fix Protect ForeScout CounterACT • What type of device? • Who owns it? • Who is logged in? • What applications?

  42. See Grant Fix Protect

  43. See Grant Fix Protect ForeScout CounterACT • Grant access • Register guests • Block access • Restrict access

  44. See Grant Fix Protect ForeScout CounterACT • Remediate OS • Fix security agents • Fix configuration • Start/stop applications • Disable peripheral

  45. See Grant Fix Protect • Customized Policy Enforcement • Degree of disruption directly related to degree of violation • Multiple actions and conditions available and can be nested with Boolean logic • Policies are enforced at the point of connection and throughout the duration of the connection • Malicious threat detection is always on with enforcement actions configured by administrator
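The policy model that slides 26, 31, 32 and 45 describe (attributes such as user group, device, posture, location and time of day; conditions nested with Boolean logic; responses graded from audit to block; a decision at the point of connection that is re-checked for the life of the session) as a runnable sketch. This is an added example written for this transcript, not ForeScout CounterACT code or its policy language; the attribute names, rule names, VLAN names and the MAC/fingerprint inventory are all constructed.

```python
"""Toy NAC policy engine: nested Boolean conditions, graduated responses, default deny,
and post-connection re-evaluation. Added example; not ForeScout CounterACT code.
All attribute names, rule names, VLAN names and the inventory below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union

Endpoint = Dict[str, object]          # facts gathered about one connection
Cond = Callable[[Endpoint], bool]

# Responses in order of increasing disruption (slide 32).
RESPONSES = ["audit", "alert", "allow", "limit", "remediate", "block"]

# Condition combinators: policies are built by nesting these with Boolean logic.
def attr(name: str, value: object) -> Cond:
    return lambda ep: ep.get(name) == value

def all_of(*conds: Cond) -> Cond:
    return lambda ep: all(c(ep) for c in conds)

def any_of(*conds: Cond) -> Cond:
    return lambda ep: any(c(ep) for c in conds)

def not_(cond: Cond) -> Cond:
    return lambda ep: not cond(ep)

def business_hours(ep: Endpoint) -> bool:      # time-of-day condition (slide 26)
    hour = ep.get("hour", -1)
    return isinstance(hour, int) and 7 <= hour < 19

# Constructed inventory: MAC -> OS fingerprint recorded when the device was first
# approved. A known MAC that now looks like a different OS is treated as spoofed.
INVENTORY = {"00:11:22:33:44:55": "Windows 7", "aa:bb:cc:dd:ee:ff": "iOS 6"}

def spoofed(ep: Endpoint) -> bool:
    known = INVENTORY.get(ep.get("mac"))
    return known is not None and known != ep.get("os_fingerprint")

GROUP_VLANS = {"hr": "vlan-hr", "sales": "vlan-sales", "finance": "vlan-finance"}

def group_vlan(ep: Endpoint) -> str:
    return GROUP_VLANS.get(ep.get("user_group"), "vlan-quarantine")

@dataclass
class Rule:
    name: str
    when: Cond
    response: str
    vlan: Union[None, str, Callable[[Endpoint], str]] = None

    def __post_init__(self):
        if self.response not in RESPONSES:
            raise ValueError(f"unknown response {self.response!r}")

@dataclass(frozen=True)
class Decision:
    response: str
    rule: str
    vlan: Optional[str]

# Most severe / most specific rules first; the first match wins.
RULES: List[Rule] = [
    Rule("spoofed-known-device", spoofed, "block"),
    Rule("contractor-after-hours",
         all_of(attr("user_type", "contractor"), not_(business_hours)), "block"),
    Rule("managed-av-not-running",
         all_of(attr("managed", True), not_(attr("av_running", True))),
         "remediate", vlan="vlan-remediation"),
    Rule("managed-av-stale",
         all_of(attr("managed", True), not_(attr("av_current", True))),
         "limit", vlan="vlan-remediation"),
    Rule("employee-compliant",
         all_of(attr("user_type", "employee"), attr("managed", True),
                attr("av_running", True), attr("av_current", True)),
         "allow", vlan=group_vlan),
    Rule("contractor-business-hours", attr("user_type", "contractor"),
         "limit", vlan="vlan-contractor"),
    Rule("guest-or-byod",
         any_of(attr("user_type", "guest"), attr("managed", False)),
         "limit", vlan="vlan-guest"),
]

def evaluate(rules: List[Rule], ep: Endpoint) -> Decision:
    """Decision at the point of connection. Nothing matched means default deny."""
    for r in rules:
        if r.when(ep):
            vlan = r.vlan(ep) if callable(r.vlan) else r.vlan
            return Decision(r.response, r.name, vlan)
    return Decision("block", "default-deny", None)

def reevaluate(rules: List[Rule], admitted: Decision, observed: Endpoint):
    """Post-connection check (slide 31): rerun the policy on what is observed now and
    report whether the enforcement for this session has to change."""
    now = evaluate(rules, observed)
    return now, now != admitted

if __name__ == "__main__":
    ep = {"mac": "00:11:22:33:44:55", "os_fingerprint": "Windows 7", "user_type": "employee",
          "user_group": "finance", "managed": True, "av_running": True, "av_current": True, "hour": 10}
    first = evaluate(RULES, ep)
    print(first)                                      # allow on vlan-finance
    later = dict(ep, os_fingerprint="Linux 3.x", managed=False, user_type="guest")
    print(reevaluate(RULES, first, later))            # block, spoofed-known-device, changed
```

Rules are ordered from most to least severe and the first match wins, so the spoof check runs before any rule that could grant access, and an endpoint that matches nothing is blocked rather than allowed by omission. `reevaluate` reuses the same `evaluate`, which is how the post-connection check of slide 31 catches a session whose device no longer matches what was admitted: the MAC is still in the inventory, but the fingerprint is not the one recorded for it.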

  46. Install Antivirus • Is the software installed? • Run a script that can install software as an automated action

  47. Start Antivirus • Is AV not running? • Start software • Additional action: • Notify user • Notify administrator

  48. Update Operating System
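Slides 46 and 47, like the McShield case quoted on slide 21, turn on three different questions about an agent: is it installed, is it running, and is it up to date. The following added example, written for this transcript and not taken from ForeScout, answers them from the text a NAC could collect by running `sc query McShield` and `reg query` on a Windows host. The command outputs are constructed samples, and the `AVDatVersion`/`AVDatDate` registry values under `HKLM\SOFTWARE\McAfee\AVEngine` are an assumption about where the DAT date is recorded.

```python
"""Agentless posture check of a Windows antivirus agent from command output a NAC would
collect remotely (slides 21, 46, 47). Added example, not ForeScout code. The sample
outputs are constructed in the format of `sc query` and `reg query`; the registry
values AVDatVersion/AVDatDate under HKLM\\SOFTWARE\\McAfee\\AVEngine are assumed."""
import re
from datetime import date, datetime
from typing import Dict, List, Optional

TODAY = date(2013, 4, 25)   # constructed "today" for the sample run (the talk's date)

# Constructed `sc query McShield` outputs for the three states that matter.
SC_RUNNING = """
SERVICE_NAME: McShield
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""
SC_STOPPED = """
SERVICE_NAME: McShield
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
"""
SC_MISSING = """[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.
"""
# Constructed `reg query HKLM\SOFTWARE\McAfee\AVEngine` output (value names assumed).
REG_CURRENT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\McAfee\\AVEngine
    AVDatVersion    REG_DWORD    0x1c14
    AVDatDate    REG_SZ    2013/04/23
"""
REG_STALE = REG_CURRENT.replace("2013/04/23", "2013/04/10")   # updates stalled for two weeks

def service_state(sc_output: str) -> str:
    """'missing', 'running', 'stopped' or 'other' from `sc query` output."""
    if "FAILED 1060" in sc_output:               # ERROR_SERVICE_DOES_NOT_EXIST
        return "missing"
    m = re.search(r"^\s*STATE\s*:\s*\d+\s+([A-Z_]+)", sc_output, re.M)
    if not m:
        return "other"
    return {"RUNNING": "running", "STOPPED": "stopped"}.get(m.group(1), "other")

def dat_date(reg_output: str) -> Optional[date]:
    m = re.search(r"AVDatDate\s+REG_SZ\s+(\d{4}/\d{2}/\d{2})", reg_output)
    return datetime.strptime(m.group(1), "%Y/%m/%d").date() if m else None

def posture(sc_output: str, reg_output: str, today: date = TODAY,
            max_dat_age_days: int = 3) -> Dict:
    """Distinguish installed / running / up-to-date. An agent console only sees what
    its own agent reports, so a stopped service or a stalled update looks fine to it;
    this check works from the host's own state. Returns the findings plus the
    remediation actions slides 46 and 47 describe."""
    state = service_state(sc_output)
    actions: List[str] = []
    age: Optional[int] = None
    if state == "missing":
        actions.append("run-install-script")              # slide 46
    else:
        if state != "running":
            actions += ["start-service", "notify-user"]   # slide 47
        d = dat_date(reg_output)
        age = (today - d).days if d else None
        if age is None or age > max_dat_age_days:
            actions += ["update-dat", "notify-admin"]
    return {"service": state, "dat_age_days": age, "compliant": not actions, "actions": actions}

if __name__ == "__main__":
    for label, sc, reg in [("healthy", SC_RUNNING, REG_CURRENT), ("stopped", SC_STOPPED, REG_CURRENT),
                           ("missing", SC_MISSING, REG_CURRENT), ("stale DAT", SC_RUNNING, REG_STALE)]:
        print(f"{label:10s} {posture(sc, reg)}")
```

Keeping the three states apart is the point of slide 21: a console that learns about its agents only from those agents reports nothing when the service is stopped or the update pipeline stalls, whereas a check run from outside the agent sees the stopped service or the old DAT date directly, and the action it triggers (install, start, update, notify) follows from which state was found.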

  49. See Grant Fix Protect ForeScout CounterACT • Detect unexpected behavior • Block insider attack • Block worms • Block intrusions

  50. Example of Best-in-class NAC
