
Network Access Control


Presentation Transcript


  1. Network Access Control MSIT 458 – The Chinchillas

  2. Agenda
  • Introduction of Problem
  • Pros and Cons of Existing Security Systems
  • Possible Solutions
  • Recommended Solution
  • Solution Implementation
  • Final Recommendation

  3. Introduction of Problem

  4. The Problem Viruses, worms, and botnets are often spread by unknowing victims. These victims may be your own network users. How can the network be protected from your own users?

  5. The Problem

  6. Pros and Cons of Existing Security Systems

  7. Endpoint Security
  Pros
  • Centrally managed anti-virus can identify workstations without updated virus definitions.
  • Local firewall policy enforcement cannot be disabled by end users.
  Cons
  • Anti-virus software slows machine performance to the point where users disable automatic updates and stop scans. There is no way to prevent users from altering the anti-virus software.
  • Only users with VPN access have the protection provided by local firewall policy enforcement.
  • There is no anti-spyware or host intrusion prevention solution deployed.

  8. Identity
  Four distinct user directories:
  Authentication
  • Access request forms required for creation of user accounts in each directory
  • Written password policy requires strong passwords and password expiration, maintained/enforced separately in each directory
  Authorization
  • Authorization policies maintained in each directory by local administrators
  • Manual process for account termination; user access must be removed from each directory
  Accounting
  • Weekly directory access reviews compared against termination reports
  Pros
  • Reduced risk when an account in one directory is compromised
  Cons
  • Policies cannot be maintained or enforced centrally
  • Lots of passwords to keep track of → “loose” password management
  • Maintenance and SOX compliance nightmare
  (Image: “My Passwords”)

  9. Network Security
  Port-based 802.1Q virtual local area networks (VLANs) for network and user segregation
  Pros
  • Separate broadcast domains for trusted internal users and untrusted guest users – groups unable to communicate directly
  • Trusted internal PCs cannot contract viruses from untrusted guest PCs
  • Untrusted guest users are unable to access private internal servers
  • Use of VLAN Trunking Protocol eases VLAN management
  Cons
  • No measure to prevent untrusted guests from connecting to private ports
  • Misconfiguration of a port will provide trusted network access
  • Use of separate subnets leads to inefficient use of IP address space
  • Switches may be vulnerable to attacks related to MAC flooding, tagging, multicast brute force, etc.
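The cons on slide 9 (guests plugging into private ports, a misconfigured port handing out trusted access, MAC flooding, tagging attacks) can all be spotted in a switch's port configuration before NAC is ever deployed. The script below is an added example, not part of the presentation or any vendor's tooling: it parses a constructed IOS-style running-config excerpt and flags the ports that show those weaknesses. The interface names, the VLAN numbers (10 = trusted, 30 = guest) and the three checks are assumptions made for the illustration.

```python
"""Added example, not part of the presentation: audit a switch's port
configuration for the VLAN weaknesses listed on slide 9.  The running-config
excerpt is constructed in IOS-style syntax; the trusted VLAN number and the
interface names are assumptions."""

TRUSTED_VLANS = {10}   # assumed: VLAN 10 carries trusted internal users

# Constructed running-config excerpt (not captured from a real switch).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Lobby jack
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 description Office desk
 switchport mode access
 switchport access vlan 10
 switchport port-security
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 description Guest area
 switchport mode access
 switchport access vlan 30
 switchport port-security
!
interface GigabitEthernet1/0/4
 description Uplink to core
 switchport mode trunk
!
interface GigabitEthernet1/0/5
 description Spare
 switchport access vlan 10
!
"""


def parse_interfaces(config):
    """Split an IOS-style config into {interface name: [sub-commands]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:                       # "!" or a global command ends the block
            current = None
    return interfaces


def audit_port(lines):
    """Return the findings for one port, each mapped to a con on slide 9."""
    findings = []
    mode = next((l[len("switchport mode "):] for l in lines
                 if l.startswith("switchport mode ")), None)
    vlan = next((int(l.split()[-1]) for l in lines
                 if l.startswith("switchport access vlan ")), None)
    has_dot1x = "authentication port-control auto" in lines
    has_portsec = "switchport port-security" in lines

    if mode == "access":
        # Con: nothing stops an untrusted guest plugging into a private port,
        # and a misconfigured port hands out trusted access.
        if vlan in TRUSTED_VLANS and not has_dot1x:
            findings.append("trusted-VLAN access port without 802.1X")
        # Con: MAC flooding; port-security caps the MACs learned per port.
        if not has_portsec:
            findings.append("no port-security (MAC flooding not limited)")
    elif mode != "trunk":
        # Con: tagging attacks; a port left to DTP negotiation (assumed here
        # to be what happens when no mode is set) may come up as a trunk.
        findings.append("switchport mode not pinned to access or trunk")
    return findings


def audit_config(config):
    """Map every interface with at least one finding to its findings."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_port(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed excerpt, the lobby jack is reported twice (trusted VLAN with no 802.1X, no port-security) and the spare port once (no explicit mode); the office port with 802.1X and port-security, the guest port, and the trunk pass. The same parser can be pointed at a real `show running-config` dump, with the VLAN set adjusted to the site's own numbering.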

  10. Gap Analysis in Current Solution
  • Policies for endpoint security are not enforceable
  • Users are not authenticated before access to the network. Identification is instead performed by the application
  • Several entry points: wireless, wired and VPN
  • Different types of users: full-time employees, vendors, partners and guests
  • VLAN assignment is not dictated by identity or security posture

  11. Possible Solutions

  12. Improve Endpoint Security
  • Deploy a comprehensive endpoint solution that includes anti-virus, anti-spyware, and host intrusion prevention capabilities
  • Define and enforce policies that do not allow end users to disable these protections
  • Deploy personal firewall software to all computers, not only VPN-enabled systems
  • Design an employee education campaign stressing the importance of maintaining up-to-date security software definitions

  13. Improve Identity
  (Diagram: 802.1X identity-based authentication with identity store integration. An authorized user presenting valid credentials reaches the corporate network and corporate resources (√); an unauthorized external wireless user with invalid or no credentials gets no access (X).)

  14. Improve Network Security
  Virtual Private Networks
  • Provided by vendors such as Cisco and F5
  • Ensures confidentiality and integrity, but only for point-to-point connections
  Intrusion Detection and Prevention Systems
  • Provided by vendors such as Sourcefire, 3Com, and IBM
  • Able to use both predefined (and regularly updated) signatures and statistics to detect and prevent attacks
  • May cost tens of thousands of dollars per Gbps of inspection with no guaranteed return
  Firewalls
  • Provided by vendors such as Check Point, Juniper Networks, etc.
  • Control what hosts can access on other networks by port, protocol, or IP address
  • Unless installed on every PC, not useful between hosts on internal LANs
  • MANAGEMENT NIGHTMARE!

  15. Comprehensive Solution – The Goal
  (Diagram: end user, NAC Server, NAC Manager, Authentication Server, Intranet/Network, Quarantine Role)
  1. End user attempts to access network
  • Initial access is blocked
  • Single-sign-on or web login
  2. NAC Server gathers and assesses user/device information
  • Username and password
  • Device configuration and vulnerabilities
  3a. Device is compliant
  • Placed on “certified devices list”
  • Network access granted
  3b. Noncompliant device or incorrect login
  • Access denied
  • Placed in quarantine for remediation
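The admission flow on slide 15 is a small decision procedure, and it is also what closes the slide 10 gap that VLAN assignment is not dictated by identity or security posture. The Python below is an added example, not the presentation's code and not any NAC vendor's product logic: it authenticates the user, assesses the device's posture against a policy, and either certifies the device and switches it into its role's VLAN or drops it into a quarantine VLAN with the reasons recorded. The usernames, passwords, VLAN ids, posture attributes and policy thresholds are all constructed for the illustration, and the certified list is keyed by username here for brevity.

```python
"""Added example (not the presentation's or any vendor's code) of the NAC
admission flow on slide 15: authenticate first, then assess device posture,
then either certify the device and grant its role VLAN or place it in the
quarantine VLAN for remediation.  Usernames, passwords, VLAN ids and the
policy thresholds are all constructed."""
from dataclasses import dataclass, field

QUARANTINE_VLAN = 999                                     # assumed remediation VLAN
ROLE_VLANS = {"employee": 10, "vendor": 20, "guest": 30}  # assumed identity -> VLAN map

# Constructed stand-in for the authentication server's identity store:
# username -> (password, role).  A real deployment queries the directory.
USERS = {"alice": ("correct horse", "employee"), "bob": ("hunter2", "vendor")}


@dataclass
class Posture:
    """What the NAC server learns about the device before admitting it."""
    definition_age_days: int   # age of the anti-virus signature set
    av_running: bool           # anti-virus service active
    firewall_enabled: bool     # local firewall policy in force
    missing_patches: int       # outstanding critical patches


@dataclass
class Policy:
    """Compliance thresholds (assumed values, set by the NAC manager)."""
    max_definition_age_days: int = 7
    max_missing_patches: int = 0


@dataclass
class Decision:
    vlan: int                                    # VLAN the port is switched into
    reasons: list = field(default_factory=list)  # why access was restricted


def authenticate(username, password):
    """Step 1: return the user's role for valid credentials, else None."""
    entry = USERS.get(username)
    if entry is None or entry[0] != password:
        return None
    return entry[1]


def assess_posture(posture, policy):
    """Step 2: list every policy violation; an empty list means compliant."""
    reasons = []
    if not posture.av_running:
        reasons.append("anti-virus not running")
    if posture.definition_age_days > policy.max_definition_age_days:
        reasons.append("anti-virus definitions out of date")
    if not posture.firewall_enabled:
        reasons.append("local firewall disabled")
    if posture.missing_patches > policy.max_missing_patches:
        reasons.append(f"{posture.missing_patches} missing critical patches")
    return reasons


def admit(username, password, posture, policy=None, certified=None):
    """Steps 3a/3b: compliant device -> certified list and role VLAN;
    bad login or non-compliant device -> quarantine VLAN, with reasons."""
    policy = policy or Policy()
    certified = certified if certified is not None else set()
    role = authenticate(username, password)
    if role is None:
        return Decision(QUARANTINE_VLAN, ["invalid credentials"])
    reasons = assess_posture(posture, policy)
    if reasons:
        return Decision(QUARANTINE_VLAN, reasons)
    certified.add(username)          # the "certified devices list"
    return Decision(ROLE_VLANS[role])


if __name__ == "__main__":
    certified = set()
    healthy = Posture(definition_age_days=2, av_running=True, firewall_enabled=True, missing_patches=0)
    stale = Posture(definition_age_days=30, av_running=True, firewall_enabled=False, missing_patches=2)
    for user, pw, posture in [("alice", "correct horse", healthy),
                              ("alice", "wrong", healthy),
                              ("bob", "hunter2", stale)]:
        d = admit(user, pw, posture, certified=certified)
        print(user, "-> VLAN", d.vlan, d.reasons or "compliant")
    print("certified:", sorted(certified))
```

Two design points worth noting: the quarantine VLAN is the default outcome, so a device only reaches a production VLAN after both the credential check and the posture check pass, and the reasons list is returned alongside the VLAN so the remediation portal can tell the user exactly what to fix (stale definitions, disabled firewall, missing patches) rather than just denying access.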

  16. Recommended Solution

  17. Industry Analyst Viewpoint on NAC Vendors Image Source: Gartner

  18. NAC Vendor Comparison

  19. Solution Implementation

  20. Total Cost of Ownership
  Number of users supported: Up to 10,000, including guests
  Initial Hardware/Software Cost = $125,000
  Implementation Cost = $25,000
  Maintenance Cost = $72,000 per year
  Power & Cooling Cost = $3,000 per year
  TCO = $150,000 + $75,000 per year = $225,000 initial year cost
  TCO ≈ $500,000 after 5 years

  21. ROI Information
  • Fewer infections result in fewer incidents and help desk calls
  • The break-even point is 4,000 incidents over 5 years.

  22. Potential Loss by Industry Source: http://www.competitivereviews.com/metasecurity.pdf

  23. Feasibility Analysis
  • Already a Cisco network, so NAC would simply be an add-on to the current network
  • Entry points can easily be identified
  • Anti-virus and other endpoint protections already deployed to users
  • Non-compliance problems currently occur at a rate of 6 per day, indicating a positive ROI on a potential NAC investment

  24. Final Recommendation We conclude that a comprehensive NAC system such as Cisco’s Network Admission Control would be a better investment than piecemeal improvements to the company’s current network security systems.

  25. Questions?
