
Alcatel-Lucent’s Safe NAC for Network Access Control


Presentation Transcript


  1. Alcatel-Lucent’s Safe NAC for Network Access Control (Presenter)

  2. Agenda • Enterprise Security by Alcatel-Lucent • Safe Network Access Control Solution • Solution Overview • OmniSwitch Security for NAC on Corporate LAN • VitalQIP for Ubiquitous DHCP Initiated NAC • OmniAccess Initiated NAC for Wireless • Dynamic NAC For Corporate LAN • Safe NAC for VPN and Wireless • Case Studies • Professional Services • Why Alcatel-Lucent for Security

  3. Enterprise Security By Alcatel-Lucent: Open. Trusted. Dynamic. (Market Context)

  4. Creating The Trusted Dynamic Enterprise • Open and Secure Interfaces to Communications, Data and Services • Enable new collaborative business models • Managed risk • Protected data • Controlled costs • Security Is a Positive Enabler for Business Performance

  5. Alcatel-Lucent’s Enterprise Security Blueprint: User Centric Security Delivered from Within the Network. Global Corporate-Wide Security • Consistent Application of Security: Voice, Data, and Mobility • Independent Chain of Control • Security is Transparent to the User • Security is Always-On • Security is Highly Available • Security Across Networks, People, Processes & Knowledge. For more detail, see the Creating the Trusted, Dynamic Enterprise white paper by Alcatel-Lucent: http://enterprise.all.alcatel-lucent.com/private/active_docs/WhitePaper_Security-Blueprint_EN_July2009_EPG3310090513.pdf

  6. Alcatel-Lucent Security Solutions • A Comprehensive Portfolio

  7. Safe NAC: Network Access Control Solution (Guest Access, Host Integrity Check, Compliance). Market Context

  8. The Challenge. The diagram spans four dimensions (1. Network, 2. People, 3. Process, 4. Knowledge) with the labels Loss of Productivity, Open Ended Threats, New Mandate for the CIO and New Business Models. • Guest Access • Partner Access • Contractor Access • Services Unavailable • Non Compliant Endpoints • Infected Endpoints • Rogue Endpoints • Malware Containment • Non-Productive Applications • Multi-Endpoint Platforms • Multi-Authentication • Manage Help Desk Costs • Reduce Management Costs • Increase Compliance Score Card • Data Protection • Control USB Key Usage

  9. Key Features • Access Control for Guests, LAN & Wireless • Endpoint Malware Protection • Verify OS and End Point Configuration Controls • Automatic Remediation • Role-based Post Admission Control • Audit Reports for Compliance. Trusted Dynamic Enterprise: Safe Network Access Control. Differentiation • Non Disruptive Multi-vendor Deployment • Support for Multi-authentication, Multi-endpoint environments • Integration with Multiple Network Elements Provides Reduced Cost • Centralized Management. Reference Customers • Iona College (US) • Wolf Creek (Canada) • HanseatiCContor

  10. Comprehensive Enterprise NAC Solution • Multi-Vendor Environments. LAN Users: • Integration with Alcatel-Lucent OmniSwitches • Integration with VitalQIP • DNAC technology for 3rd Party switches. Wireless Users: • Integration with Alcatel-Lucent Wireless • CyberGatekeeper Remote in-line appliance. 802.1x Users: • CyberGatekeeper Policy Server. VPN Users: • CyberGatekeeper Remote in-line appliance. Guests: • On-demand Web agent - Windows, Linux, and Mac. • Continuous Surveillance, Highly Available Solution

  11. OmniSwitch Security for NAC on Corporate LAN

  12. OmniSwitch Network Embedded Security: Authentication, Host Integrity Check, Dynamic Access Control • Authentication of endpoints and users • MAC based, Captive Portal, 802.1x • Network enforced host integrity check • Dynamic access control is profile-based • QoS, Network Resources, LAN segments • Control is via ACL, not VLAN or IP changes • VLAN is not the principal security mechanism • Security applied on individual MAC address • Endpoints connected to VoIP phones are secured • Endpoints behind rogue routers are detected • Enhanced Security with Reduced Costs

  13. Security with Authentication, HIC and Dynamic Access Control

  14. Unique NAC Solution For Network Edge. Diagram components: Alcatel-Lucent OmniSwitch, CyberGatekeeper Policy Server, Remediation Server(s), Production Network, Resident or On-demand Agent, Continuous Surveillance; endpoints shown are 802.1x User, Regular LAN User and Guest.
  Step 1: Employee, contractor or guest connects to the network.
  Step 2: OmniSwitch provides authentication (802.1x, MAC, Captive Portal) and identifies the user profile. It checks if an HIC check is needed for this user.
  Step 3: OmniSwitch redirects traffic to the CyberGatekeeper Policy Server and the remediation servers.
  Step 4: The CyberGatekeeper Policy Server receives the HIC report from the CyberGatekeeper Agent and informs the OmniSwitch if the device has passed or failed.
  Step 5: If HIC passed, OmniSwitch selectively allows device traffic to the production network following the policy in the user profile. If HIC failed, OmniSwitch restricts traffic to the remediation network only.

  15. Powerful NAC Solution with OmniSwitch as In-line Policy Enforcer. Diagram components: Edge Switch, Alcatel-Lucent Policy Enforcer, CyberGatekeeper Policy Server, Remediation Server(s), Network Core (Production), Resident or On-demand Agent, Continuous Surveillance; endpoints shown are 802.1x User, Regular LAN User and Guest.
  Step 1: Employee, contractor or guest connects to the network.
  Step 2: The edge switch provides connectivity and possibly authentication.
  Step 3: The Alcatel-Lucent Policy Enforcer checks that a valid domain credential has been supplied, and whether an HIC check is required on the endpoint based upon MAC address and User Network Profile.
  Step 4: If an HIC check is required, the Policy Enforcer restricts traffic to the CyberGatekeeper Policy Server and the remediation servers via the User Network Profile.
  Step 5: The CyberGatekeeper Policy Server receives the HIC report from the CyberGatekeeper Agent and informs the Policy Enforcer if the device has passed or failed.
  Step 6: If HIC passed, the Policy Enforcer selectively allows device traffic to the production network following the policy in the User Network Profile. If HIC failed, the Policy Enforcer restricts traffic to the remediation network only.
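The enforcement decision that slides 12, 14 and 15 share (profile decides whether HIC is required; per-MAC ACL rather than VLAN change; quarantine until the policy server reports a pass, and again if a later report fails), as an added model that is not Alcatel-Lucent or CyberGatekeeper code. Profile names, addresses and the ACL tuple format are constructed for the example.

```python
import ipaddress
from enum import Enum

class Hic(Enum):            # verdict reported by the CyberGatekeeper Policy Server
    PENDING = "pending"     # no report yet (agent still running, or no agent)
    PASSED = "passed"
    FAILED = "failed"

# Constructed User Network Profiles: whether an HIC check is required, and the
# production ACL (first match wins, implicit deny) applied once the endpoint passes.
PROFILES = {
    "employee":   {"hic_required": True,  "acl": [("permit", "10.0.0.0/8")]},
    "contractor": {"hic_required": True,  "acl": [("permit", "10.20.0.0/16")]},
    "guest":      {"hic_required": False, "acl": [("deny", "10.0.0.0/8"),
                                                  ("permit", "0.0.0.0/0")]},
}
POLICY_SERVER = "10.1.1.10/32"                     # constructed address
REMEDIATION = ["10.1.1.20/32", "10.1.1.21/32"]     # constructed remediation servers
# Quarantine ACL: only the policy server and the remediation network are reachable.
RESTRICTED_ACL = [("permit", POLICY_SERVER)] + [("permit", r) for r in REMEDIATION]

class OmniSwitchNac:
    """Per-MAC enforcement state: [profile name, latest HIC verdict]."""
    def __init__(self):
        self.endpoints = {}

    def authenticate(self, mac, profile):
        """Step 2: authentication succeeded and the profile has been identified."""
        if profile not in PROFILES:
            raise ValueError(f"unknown profile {profile!r}")
        self.endpoints[mac] = [profile, Hic.PENDING]

    def hic_report(self, mac, verdict):
        """Step 4: verdict from the policy server. Applied on every report, so a
        later FAILED (continuous surveillance) pushes the endpoint back to quarantine."""
        self.endpoints[mac][1] = verdict

    def acl(self, mac):
        """Steps 3 and 5: the per-MAC ACL the switch applies (no VLAN or IP change)."""
        profile, hic = self.endpoints[mac]
        p = PROFILES[profile]
        if p["hic_required"] and hic is not Hic.PASSED:
            return RESTRICTED_ACL
        return p["acl"]

    def allows(self, mac, dst_ip):
        """Would the switch forward traffic from this MAC to dst_ip?"""
        if mac not in self.endpoints:        # unauthenticated endpoint: nothing passes
            return False
        ip = ipaddress.ip_address(dst_ip)
        for action, cidr in self.acl(mac):
            if ip in ipaddress.ip_network(cidr):
                return action == "permit"
        return False
```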

  16. VitalQIP for Ubiquitous DHCP Enforced NAC

  17. Ubiquitous and Network Initiated Host Integrity Check • Enhanced security with network enabled host integrity check • No modification to existing network • Simple to manage solution • Complete coverage for IP devices • Can be deployed by network segment • Allows multiple NAC strategies • Dynamic NAC, SSL, VPN, 802.1x, and in-line • Enhanced Security with Easy to Deploy Solution

  18. Unique IP Address Management with Host Integrity Check Solution (diagram: Remediation Servers) • DHCP discover/request packets are “intercepted” by the plug-in module in VitalQIP. • The plug-in queries the CyberGatekeeper policy server to check whether the endpoint is compliant. • Depending on the results (pass/fail/unknown), the plug-in module inserts user class options into the DHCP discover/request packets. • If a security policy violation is detected, the endpoint is quarantined with access to the remediation servers. • VitalQIP assigns access based on the assigned user class. • CyberGatekeeper integrates with VitalQIP using a plug-in module. • Deployment requires no significant network modifications • 1MB Agent for Windows, Mac, Linux • Management of the plug-in module is integrated into the VitalQIP user interface • Enforcement using standard DHCP options • Relies on standard DHCP attributes
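The DHCP-initiated path on slide 18, as an added example that is not VitalQIP or CyberGatekeeper code: a plug-in intercepts the options field of a DISCOVER/REQUEST, asks a (stubbed) policy server for the endpoint's HIC result and inserts a user class; the server then picks the production or quarantine scope from that class. Assumptions: only the DHCP options field after the 236-byte fixed header is modelled, the user class is option 77 (RFC 3004; the deck does not name the option number), and fail and unknown both map to the quarantine class.

```python
MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie that starts the options field
OPT_USER_CLASS, OPT_END, OPT_PAD = 77, 255, 0

def parse_options(payload: bytes) -> dict:
    """Parse option TLVs; stops at END and skips PAD bytes."""
    if not payload.startswith(MAGIC):
        raise ValueError("not a DHCP options field")
    opts, i = {}, len(MAGIC)
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def build_options(opts: dict) -> bytes:
    body = b"".join(bytes([c, len(v)]) + v for c, v in sorted(opts.items()))
    return MAGIC + body + bytes([OPT_END])

# Constructed stand-in for the plug-in's query to the CyberGatekeeper policy server.
HIC_RESULTS = {"00:11:22:33:44:55": "pass", "00:11:22:33:44:66": "fail"}

def insert_user_class(payload: bytes, client_mac: str) -> bytes:
    """Plug-in side: tag the DISCOVER/REQUEST with a class for pass / fail / unknown.
    Fail and unknown both map to the quarantine class (an assumption of this example)."""
    verdict = HIC_RESULTS.get(client_mac, "unknown")
    user_class = b"NAC-COMPLIANT" if verdict == "pass" else b"NAC-QUARANTINE"
    opts = parse_options(payload)
    opts[OPT_USER_CLASS] = bytes([len(user_class)]) + user_class   # RFC 3004 item length
    return build_options(opts)

# Constructed DHCP server class rules: the quarantine scope only reaches remediation servers.
SCOPES = {b"NAC-COMPLIANT": "10.10.0.0/16", b"NAC-QUARANTINE": "10.99.0.0/24"}

def select_scope(payload: bytes) -> str:
    """DHCP server side: choose the address scope from the user class; an untagged
    request falls into quarantine rather than production."""
    raw = parse_options(payload).get(OPT_USER_CLASS, b"")
    user_class = raw[1:1 + raw[0]] if raw else b""
    return SCOPES.get(user_class, SCOPES[b"NAC-QUARANTINE"])
```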

  19. OmniAccess Initiated NAC for Wireless

  20. Complete Access Control for Wireless Networks • Enhanced security with network enabled host integrity check • No modification to existing network • Simple to manage solution • Complete coverage for endpoints • Supports multiple authentication methodologies • 802.1x, and Captive Portal, MAC • Supports existing role based access controls • Integrated policy management for LAN and Wireless • Enhanced Security for Wireless Deployment

  21. Integrated NAC Solution for Wireless. Diagram components: Alcatel-Lucent OmniAccess Wireless Controller, CyberGatekeeper Policy Server, Remediation Server(s), Production Network, Resident or On-demand Agent, Continuous Surveillance; endpoints shown are 802.1x User, Employee and Guest.
  Step 1: Employee, contractor or guest connects to the wireless network.
  Step 2: The OmniAccess Controller provides authentication (802.1x, Captive Portal) and identifies the user network profile.
  Step 3: OmniAccess restricts traffic to the CyberGatekeeper Policy Server and the remediation servers.
  Step 4: The CyberGatekeeper Policy Server receives the HIC report from the CyberGatekeeper Agent and informs the OmniAccess Controller if the device has passed or failed.
  Step 5: If HIC passed, the OmniAccess Controller allows device traffic to the production network with the endpoint placed in the correct VLAN. If HIC failed, OmniAccess restricts traffic to the remediation network only.

  22. Dynamic NAC For Corporate LAN

  23. Dynamic NAC - A Different Approach for Host Integrity Check. Diagram: Enforcer Endpoints police endpoints; Compliant Endpoints are granted access; Guest Endpoints are audit only; Unauthorized Endpoints are quarantined. • LAN Switch Agnostic: existing endpoints provide enforcement • Creates a community of endpoints like a “Neighborhood Watch” • Select endpoints are designated as enforcers • Enforcers identify and quarantine unknown endpoints • DNAC strengths: no network upgrades or changes; authentication agnostic; friendly fail-open design; provides real-time network visibility

  24. Each LAN Segment Self-Organizes (diagram: CyberGatekeeper Policy Server)

  25. Safe NAC for VPN and Wireless

  26. Access Control for VPN and Wireless Networks • Enhanced security with network enabled host integrity check • No modification to existing network • Simple to manage solution • Complete coverage for endpoints • Supports multiple NAC strategies • SSL, IPSec, 802.1x, and in-line enforcement • Enhanced Security with Easy to Deploy Solution

  27. CyberGatekeeper Remote In-line Policy Enforcement (Wireless). Diagram components: Wireless Controller, CyberGatekeeper Remote, Remediation Server(s), Production Network, Resident or On-demand Agent, Continuous Surveillance; endpoints shown are 802.1x User, Employee and Guest.
  Step 1: Employee, contractor or guest connects to the network.
  Step 2: The Wireless Controller provides authentication (802.1x, Captive Portal) and identifies the user network profile.
  Step 3: The CyberGatekeeper Remote checks if HIC is required on the endpoint.
  Step 4: If an HIC check is required, the CyberGatekeeper Remote restricts traffic to the CyberGatekeeper Remote and the remediation servers.
  Step 5: The CyberGatekeeper Remote receives the HIC report from the CyberGatekeeper Agent.
  Step 6: If HIC passed, the Remote allows device traffic to the production network. If HIC failed, the Remote restricts traffic to the remediation network only.

  28. CyberGatekeeper Remote In-line Policy Enforcement (VPN). Diagram components: Firewall VPN, CyberGatekeeper Remote, Remediation Server(s), Production Network, Resident or On-demand Agent, Continuous Surveillance; endpoints shown are Employee and Guest.
  Step 1: Employee, contractor or guest connects over the WAN and starts the VPN client.
  Step 2: The Firewall VPN provides authentication and terminates the VPN tunnel.
  Step 3: The CyberGatekeeper Remote checks if HIC is required on the endpoint.
  Step 4: If an HIC check is required, the CyberGatekeeper Remote restricts traffic to the remediation servers.
  Step 5: The CyberGatekeeper Remote receives the HIC report from the CyberGatekeeper Agent.
  Step 6: If HIC passed, the Remote allows device traffic to the production network. If HIC failed, the Remote restricts traffic to the remediation network only.

  29. Case Studies

  30. Iona College Chooses Safe NAC • IONA College, New Rochelle, New York selects CyberGatekeeper to protect their Wireless Network and seamlessly enable Host Integrity Checking/Campus Network Policy on Students’ laptops. • Solution selected as a replacement for Symantec CIM. • Solution scans Symantec A/V to make sure it is not out-of-date. • Using self remediation through the CyberGatekeeper they will be able to deliver the proper A/V package to all the students without the need to touch the laptops. • ‘Desirable Mode’ enables testing policies before deployment. • Client notification capabilities on policy changes well-liked. • Support for Vista and MAC Platforms was key.

  31. Wolf Creek Chooses Safe NAC. Wolf Creek Public School: approximately 7200 students, from Kindergarten to Grade 12; employs approximately 475 teachers and 350 support staff. There are 33 schools in the division; the operating budget for the 2008-2009 school year was $65.2 million.
  Business Requirements • Host integrity check for all endpoints • Secure and controlled guest access • Encourage students to bring their own laptops • Controlled access to resources once connected • Minimal additional operational costs
  Academic Requirements • Enable one-to-one mobile computing research • Use SaaS as a technology approach for rapid application deployment • Use NAC as a technology for securely extending services to student-owned devices
  Technical Requirements • Authentication for all devices (laptops, VoIP phones, printers, etc.) • Support for different endpoint platforms (Windows, Mac) • Support for unmanaged machines with no pre-installed agent
  Why Alcatel-Lucent? • Ability to provide detailed audit of endpoint configuration • Ability to classify endpoints at the MAC layer • Ability to apply UNP to restrict or enable access based upon ACLs • Ability to leverage existing infrastructure

  32. HanseatiCContor Chooses Safe NAC. Needed a secure and manageable communications infrastructure to accommodate a complex business environment. • HanseatiCContor, Germany selects OmniSwitch NAC & CyberGatekeeper to secure its new converged communications network, serving customers, guests, and mobile workers. • OmniSwitch & CyberGatekeeper option selected to provide NAC and HIC • Every device connected to the network is authenticated • Access is granted based upon a profile • Different customers are placed into the proper network segment • All endpoints are verified to be compliant before being allowed onto the network • All critical patches applied, anti-virus in place, and personal firewall enabled • Unauthorized applications are disabled • If a device changes status it is placed into quarantine • Always-on, with low operational costs, was a key factor

  33. Professional Services

  34. Professional Services
  • Smart Start Service Package: provides on-site Alcatel-Lucent Professional Services (3 days max) for the scoping and the design of the host integrity check solution, including: • Interviews with the customer organization’s engineering and operations staffs to understand their objectives • Explanation of industry best practices and a recommended policy configuration that applies specifically to the customer environment • If additional work is required, an SOW and a detailed quotation will be prepared
  • Basic Installation Service: provides on-site Alcatel-Lucent Professional Services for the installation of the CyberGatekeeper product, including: • Configuration and deployment of one CyberGatekeeper appliance • Building and deploying 10 CyberGatekeeper agents • Integration and testing with OmniSwitch
  • Optional Redundancy Installation Service: provides on-site installation and failover testing of a redundant CyberGatekeeper appliance
  • Policy Manager Installation Service: provides on-site Alcatel-Lucent Professional Services for the installation of the CyberGatekeeper Policy Manager (CPM), including: • Configuration of the CyberGatekeeper Policy Manager, integration in the production network and coupling with the CyberGatekeeper appliances • Basic testing with standard user policies is also provided
  • Optional Policy Manager Redundancy Installation Service: provides on-site installation and failover testing of a redundant CyberGatekeeper Policy Manager

  35. Meeting the Challenge. The diagram spans the same four dimensions (1. Network, 2. People, 3. Process, 4. Knowledge) with the labels Productivity Enhanced, Threat Protection, Enterprise Is Secure and Deployment Is Simple. • Secured Guest Access • Secured Partner Access • Secured Contractor Access • Services are Available • Endpoints are Compliant • Malware is Contained • No Rogue Endpoints • Continuous Surveillance • Supports Existing Infrastructure • Multi-Vendor Networks • Multiple Endpoint Platforms • Multiple Authentication Methods • Reduced Help Desk Costs • Reduced Management Costs • Enterprise is Compliant • Data is Protected

  36. For More Information on Safe NAC http://enterprise.alcatel-lucent.com/?solution=Security&page=SafeNetworkAccess

  37. Why Alcatel-Lucent? • World Class R&D with Bell Labs (X.805 setting the standard) [ITU-T & ISO]: Security, Network & Mobile Technology; Web 2.0, Cloud Computing, Encryption Research • Carrier Class security for enterprise: unmatched scalability and reliability; understand new deployment models (Web 2.0, Cloud) • Open Standards based solution enabling best of breed product selection • Security Ecosystem provides access to collaboration and research with industry leading government and standards bodies • User Centric Approach providing the fine grained control and audit that enables business performance • Security Blueprint that enables open, trusted, dynamic security for voice, data and mobility • Trusted Advisor for Unique Security Solutions. www.alcatel-lucent.com/enterprise/security

  38. www.alcatel-lucent.com www.alcatel-lucent.com/enterprise/security
