OmniAccess SafeGuard Solutions Overview

Presentation Transcript


  1. OmniAccess SafeGuard Solutions Overview. Alec Leschin, Huy Nguyen

  2. Agenda
  • SafeGuard Product Overview
  • SafeGuard Product Demo
  • Competitive Overview
  • Technical Sales Qualification

  3. What’s Pushing Security at the Edge of the Network
  • Battle front is “everywhere”
  • Mobility has broken down the traditional perimeter
  • The network infrastructure must be part of the defense system
  • The network must offer state-of-the-art network-level protection
  • Time between exploit and signature definition increases
  • Users outside the corporate environment are at increased risk
  • Day-zero protection is an emerging requirement
  • Network infrastructure can authenticate users/stations and observe traffic patterns
  • User-aware security required by law
  • SoX, HIPAA and other federal regulations mandate keeping track of user activity and resource access
  • The network infrastructure is user-aware and is ideally positioned to keep logs of user activities
  [Diagram: WLAN coverage, FW/IDS/IPS, Internet, Mobile user; timeline (1) Vulnerability Announced, (2) Exploit released, (3) Signature Published; Compliance with government regulations: HIPAA, SOX, …]

  4. Potential Market to be Addressed
  • Infonetics: revenue (in $M) per network access control device type (chart not reproduced)
  • Customer study
  • 7% of ports are ports in the visitor area; 25% of LAN ports are used by non-employees (contractors, consultants, …)
  • 50% of enterprises consider employees to be untrusted (from an IT security standpoint)
  • $3.75B market potential

  5. Building a Secure Network Infrastructure: security overlay model for the existing LAN infrastructure
  • Security overlay model: no change to the existing network
  • Ideal when the access layer (workgroup switches, WiFi) is heterogeneous
  • Consolidated access security framework for a mix of OmniSwitch, OmniAccess Wireless and 3rd-party access layer
  • OmniVista SafeGuard Manager: GUI-based LAN tracking, incident reports, and policy setting
  [Diagram: OmniAccess 2400 SafeGuard, OmniAccess 1000 SafeGuard, Internet, Router, Firewall, IDS/IPS, Core Switch, Access Switch, WLAN Switch, Data Center (AD Server, RADIUS Server, Database Server, etc.)]

  6. OmniAccess SafeGuard Overview
  OAG-2400:
  • 10 Gbps secured throughput
  • Up to 2,000 users
  • 20 GigE ports (SFP connectors): 10 Gig in / 10 Gig out
  • 4 GigE ports (SFP connectors): port mirroring / HA sync
  OAG-1000:
  • 4 Gbps secured throughput
  • Up to 800 users
  • 8 GigE ports (SFP connectors): 4 Gig in / 4 Gig out
  • 2 GigE ports (SFP connectors): port mirroring / HA sync
  [Chassis callouts: 10/100 out-of-band management port, dual built-in power supplies (AC or DC), RS-232 console, Compact Flash slot]

  7. OmniAccess Security Overlay Features (Corporate LAN)
  • Audit: track and monitor user activity up to Layer 7
  • Threat Control: protect the LAN against zero-day worms
  • Identity-Based Control: control access to resources from Layer 2 to Layer 7
  • Host Integrity Check: only compliant systems enter the LAN
  • Authenticate: only valid users get on the LAN

  8. Underlying Architecture
  • Hardware-assisted solution: custom 128-core CPU hardware combined with 2 custom ASICs
  • 10Gbps secure throughput
  • Inline operation model
  • Enables application, content, & user awareness
  • Real-time action and response
  • Seamless integration with existing infrastructure: no upgrade to infrastructure, lower cost to implement
  [Diagram: LANShield Visualizer, LANShield Accelerator, LANShield CPU]

  9. OmniAccess SafeGuard Feature Overview: Authentication and Host Integrity
  • Authentication
    • Passive authentication: snooping of 802.1x/RADIUS, snooping of MSFT domain authentication
    • Active authentication: captive portal
    • White lists: can be used to classify IP phones / thin WiFi access points
  • User role extraction
    • RADIUS attributes and VSA
    • LDAP server query upon authentication event (extraction of A.D. attributes)
    • Mapping between a set of attributes and a user role
  • Host integrity
    • Dissolvable agent for managed and unmanaged devices
    • Customizable remediation

  10. OmniAccess SafeGuard Feature Overview: Identity-Based Control
  • Role-based control
    • To resources: “network zones”
    • Applications, for example HTTP, FTP, SMB/CIFS, IM
    • Transactions: FTP user/file name, HTTP URL/content, CIFS user/file name
  • Universal policy, regardless of medium, location (L2, L3 connectivity) or device
  • Protects against misuse of networks
    • Limits protocol use, e.g. only SIP to the call manager
    • Limits destination, e.g. only phones reach the call manager
    • Also applies to “white”-list devices (printers, VoIP terminals)

  11. OmniAccess SafeGuard Feature Overview: Threat Control
  • Malware containment
    • Behavior-based algorithms; does not require any learning
    • Trigger on spikes in connection rates and on the ratio of failed connections, by application
  • Containment policies
    • Block user traffic: FW-based quarantine
    • Block the misbehaving application; all other applications unaffected
    • Syslog to OV Quarantine Manager to configure other network areas

  12. OmniAccess SafeGuard Feature Overview: Audit
  • Dashboards: actionable information
  • Incident response: all activity resolved to the user, easy drill-down
  • Full app decode / heuristic identification
  • Control mechanism
  • Historical data on flows, tied to the user

  13. OmniAccess SafeGuard Integration: OmniVista 2500 integration
  • Topology integration
    • Auto-discovery of OmniAccess SafeGuard appliances
    • Mapping of OmniAccess SafeGuard appliances on the network map
  • Unified event panel: OmniVista 2500 alarm management
  • Right-click launch of OmniVista SafeGuard Manager for quick drill-down, in-depth troubleshooting and SafeGuard appliance configuration
  [Screenshot: OmniVista 2500 with right-click “Launch OmniVista SafeGuard Manager”]

  14. OmniAccess SafeGuard Integration: OmniVista 2770 Quarantine Manager integration
  • Compatible with the OmniVista 2770 Syslog API
  • Upon an anomaly event, a syslog message is sent to OmniVista 2770 Quarantine Manager
  • Reaction throughout the network edge: OmniVista 2770 Quarantine Manager black-lists/quarantines the misbehaving device throughout the edge of the network
  [Diagram: OmniVista 2500 w/2770 Quarantine Manager; arrows labelled Syslog and SNMP Configuration]

  15. OmniAccess SafeGuard Product Line: complementing OmniSwitch within the CrystalSec framework
  • OmniAccess SafeGuard to be positioned in PCI, HIPAA, SoX compliance projects. Also positioned in “high risk” network areas: guest access areas, contractor access areas.

  16. Solutions Demo

  17. OmniAccess Security Overlay Features (Corporate LAN): recap of slide 7 (Audit, Threat Control, Identity-Based Control, Host Integrity Check, Authenticate)

  18. Authenticate, Posture Check, and Derive Roles: controlling which users and machines are allowed on the LAN
  • Passive Authentication: Active Directory (Kerberos), 802.1x RADIUS, DHCP
  • Active Authentication: Captive Portal Web Login, backend to RADIUS and Active Directory

  19. Passive Authentication (Active Directory, 802.1X/Radius, or DHCP)
  Step 1: Users log into the Active Directory domain with username and password
  Step 2: Alcatel “snoops” the Kerberos login by capturing the username
  Step 3: Active Directory validates and approves the user credentials and responds to the host
  Step 4: Alcatel “snoops” the Kerberos return packet and grants network access based on the AD server response
  Step 5: Alcatel tracks and decodes all traffic up to L7 and sends data to InSight
  Failed Authentication = Deny; Successful Authentication = Allow
  [Diagram: Internet, Router, Firewall, IDS/IPS, Core Switch, AD Server, RADIUS Server, LDAP Server, OmniAccess SafeGuard, Alcatel OmniVista SafeGuard, Access Switch, User Bob, User Alice]

  20. Active Authentication with Captive Portal
  Step 1: A guest user or unmanaged user initiates a web page request
  Step 2: Alcatel hijacks the session and sends the user a Captive Portal web login page
  Step 3: The user enters credentials via the Captive Portal login screen
  Step 4: Alcatel forwards the credentials to the backend AD or RADIUS server
  Step 5: The AD or RADIUS server validates the user credentials and responds to Alcatel
  Step 6: Alcatel tracks and decodes all traffic, up to Layer 7, for the Guest and Contractor user; information is sent to InSight
  [Diagram: Internet, Router, Firewall, IDS/IPS, Core Switch, AD Server, RADIUS Server, LDAP Server, OmniAccess SafeGuard, Alcatel OmniVista SafeGuard, Access Switch, User Bob, User Guest, User Admin]

  21. Host Integrity Checking
  Step 1: After authentication, the client initiates a network request via HTTP
  Step 2: Alcatel triggers host posture verification and downloads a dissolvable ActiveX or Java agent onto the host
  Step 3: The agent scan takes 3-5 seconds and supports: spyware, adware, security scans, signature updates, policy enforcement, anti-virus compliance, Windows Service Packs compliance, Windows Registry scan, remediation help
  Step 4: Network access granted (or denied, restricted, etc.)
  [Diagram: Internet, Router, Firewall, IDS/IPS, Core Switch, AD Server, RADIUS Server, LDAP Server, OmniAccess SafeGuard, Alcatel OmniVista SafeGuard, Access Switch, User Bob, User Guest, User Alice]

  22. Deriving Roles for Authenticated Users
  • Once a user successfully authenticates, Alcatel can query the AD server (or match against Radius, DHCP, and System Attributes) and place users into a specific Role.
  [Diagram: Internet, Router, Firewall, IDS/IPS, Core Switch, AD Server, RADIUS Server, LDAP Server, OmniAccess SafeGuard, Alcatel OmniVista SafeGuard, Access Switch]

  23. Deriving Roles for Authenticated Users
  • “If” the user matches a defined attribute value, “then” place the user in the following defined “Role”, for example: Employee Role, Sales Role, Engineering Role, Marketing Role, Contractor Role, Visitor Role, User-Defined Role
  • Active Directory Attributes: City, Comment, Common Name, Company, Country, Department, Description, Distinguished Name, Email Address, Employee ID, Host Common Name, Host Description, Host Distinguished Name, Host DNS Name, Host Member Of, Host Operating System, Host Operating System Service Pack, Host Operating System Version, Manager, Member Of, Phone Home, Phone Home Other, Postal Code, State, Street Address, Telephone Number, Title, User Principal Name
  • DHCP Attributes: Domain Name, Host Name, Lease Time, Network Mask, Router, Service IP, User Class, Vendor Class
  • Radius Attributes: Called Station, Calling Station, Filter ID, Login IP, Login Service, Login TCP Port, NAS Framed IP, NAS Framed Netmask, NAS ID, NAS IP, NAS Port, NAS Port Type, NAS Service Type, Reply User Name, Alcatel Role Name
  • System Attributes: Auth. Type, Domain Name, Map Type, Matched Rules, Port Number, Role Name, Source IP, Source MAC, Time of Day, User Name, VLAN ID

  24. Identity-Based Access Control: Network Policies from L2 – L7, based on the user’s Role
  • Control what resources users are allowed to access
  • Control where they are allowed to go on the network
  • Control what applications they can execute on the network
  • Control what content can be transferred/accessed across the network

  25. Network Resource Access Control

  26. Network Policies from Layer 2 - 7
  User Bob (Engineering Role):
  • Deny: Sales Zone
  • Deny: URL hosts containing “torrent”
  • Deny: FTP and CIFS transfer of Excel files
  • Dynamically Mirror: SSH Traffic
  User Alice (Sales Role):
  • Deny: Engineering Zone
  • Log: Sales Zone Access
  User Guest (Visitor Role):
  • Allow: Internet access only
  • Deny: All internal corporate resources
  • Deny: FTP, Telnet, Instant Messaging
  [Diagram: Internet, Router, Firewall, IDS/IPS, Core Switch, AD Server, RADIUS Server, LDAP Server, OmniAccess SafeGuard, Alcatel OmniVista SafeGuard, Access Switch, User Bob, User Guest, User Alice]
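As an added example, not code from the deck or from any Alcatel product, the attribute-to-role mapping of slide 23 and the per-role L2-L7 policies of slide 26 expressed as a small evaluator. Attribute names follow slide 23; the sample attribute values, the Flow fields and the first-match-wins ordering are assumptions.

```python
# Added illustration (not Alcatel's code): "if" a user attribute matches a value,
# "then" place the user in a role; then evaluate that role's L2-L7 policy on a flow.
# Attribute names follow the slide; sample values and the first-match rule are assumed.
from dataclasses import dataclass

# (attribute, value, role) in priority order; the first match decides the role.
ROLE_RULES = [
    ("Department", "Engineering", "Engineering"),   # Active Directory attribute
    ("Department", "Sales", "Sales"),
    ("Member Of", "CN=Employees", "Employee"),      # constructed group name
    ("Auth. Type", "captive-portal", "Visitor"),    # System attribute
]

def derive_role(attrs: dict) -> str:
    for attribute, value, role in ROLE_RULES:
        if attrs.get(attribute) == value:
            return role
    return "Visitor"          # no match: least-privilege default (assumption)

@dataclass
class Flow:
    zone: str                 # destination network zone, e.g. "Sales", "Internet"
    app: str                  # application as identified by L7 decode
    url_host: str = ""        # HTTP host, when the app is HTTP
    filename: str = ""        # file name carried by an FTP or CIFS transfer

def zone(z):             return lambda f: f.zone == z
def app(*names):         return lambda f: f.app in names
def url_has(fragment):   return lambda f: fragment in f.url_host.lower()
def internal(f):         return f.zone != "Internet"
def xfer(*names, ext):   return lambda f: f.app in names and f.filename.lower().endswith(ext)

# Per-role rules, top to bottom; the first matching rule yields the action.
POLICY = {
    "Engineering": [(zone("Sales"), "deny"),
                    (url_has("torrent"), "deny"),
                    (xfer("FTP", "CIFS", ext=(".xls", ".xlsx")), "deny"),
                    (app("SSH"), "mirror")],
    "Sales":       [(zone("Engineering"), "deny"),
                    (zone("Sales"), "log")],
    "Visitor":     [(internal, "deny"),                  # Internet access only
                    (app("FTP", "Telnet", "IM"), "deny")],
}

def evaluate(role: str, flow: Flow) -> str:
    for matches, action in POLICY.get(role, []):
        if matches(flow):
            return action
    return "allow"

def decide(attrs: dict, flow: Flow) -> tuple:
    """Full path: attributes -> role -> action, as the slides chain them."""
    role = derive_role(attrs)
    return role, evaluate(role, flow)

if __name__ == "__main__":
    bob = {"User Name": "bob", "Department": "Engineering"}
    print(decide(bob, Flow("Internet", "HTTP", url_host="tracker.torrent.example")))
```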

  27. Threat Control: Network Worm Containment. Mitigate network worm propagation to a specific user or to a specific application on the user machine

  28. Detecting Fast Worms
  • Track connection attempts by user and by app
  • Compare against the typical rate for each app
  • High rate of attempts over a short time = worm
  [Chart: connection attempts vs. time; “normal” band against a “statistically deviant” malware spike]

  29. Detecting Blind Worms
  • Track connection attempts and responses by user
  • Compare attempts to successful responses
  • High ratio of failed vs. attempted = worm
  [Chart: successful responses vs. connection attempts; “normal” against “statistically deviant” malware]

  30. Detecting Malware Reconnaissance
  • Detect: TCP and UDP Port Scans
  • Detect: ICMP DoS Attacks
  • Detect: SYN DoS Attacks
  • Detect: TCP / UDP / ICMP IP Scans
  [Diagram: Infected Host (Windows XP Host) probing Destination IP 1.1.1.200 on TCP ports 20, 80, 8080 and UDP ports 58, 137, 445, observed by Alcatel SafeGuard and reported to Alcatel OmniVista SafeGuard]
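As an added example, not code from the deck or from any Alcatel product, the three behaviour-based heuristics of slides 28 to 30 (rate spike per application, failed-connection ratio, and port/IP scan counting) run over constructed per-user connection records. The record layout, the baseline rates and all thresholds are assumptions; the ICMP and SYN DoS detections of slide 30 are not covered.

```python
# Added illustration (not Alcatel's code): the behaviour-based heuristics described on
# slides 28-30, run over constructed per-user connection records. Baselines, thresholds
# and the record layout are assumptions; ICMP/SYN DoS detection is not covered here.
from collections import Counter, defaultdict

# Typical attempts per second for each application; a real system would measure these.
BASELINE_RATE = {"HTTP": 2.0, "SMB": 0.5}

# Record layout: (seconds, user, app, proto, dst_ip, dst_port, succeeded)
def sample_records():
    """Constructed traffic: Alice browsing normally, a contractor's host worming."""
    recs = [(i * 6, "alice", "HTTP", "TCP", "203.0.113.10", 80, True) for i in range(10)]
    # Fast + blind worm: 30 SMB attempts to 30 hosts within 3 seconds, 27 of them failing
    recs += [(100 + i * 0.1, "contractor", "SMB", "TCP", f"10.0.0.{i + 1}", 445, i % 10 == 0)
             for i in range(30)]
    # Reconnaissance: seven different TCP ports probed on a single host
    recs += [(110 + i, "contractor", "unknown", "TCP", "10.0.0.200", p, False)
             for i, p in enumerate([20, 21, 22, 23, 25, 80, 8080])]
    return recs

def fast_worm(records, window=10.0, factor=5.0):
    """Slide 28: (user, app) pairs whose attempt rate in any window exceeds factor x baseline."""
    per_key = defaultdict(list)
    for sec, user, app, *_ in records:
        per_key[(user, app)].append(sec)
    flagged = set()
    for key, times in per_key.items():
        times.sort()
        limit = factor * BASELINE_RATE.get(key[1], 1.0)
        lo = 0
        for hi, t in enumerate(times):           # sliding window over sorted timestamps
            while times[lo] < t - window:
                lo += 1
            if (hi - lo + 1) / window > limit:
                flagged.add(key)
                break
    return flagged

def blind_worm(records, min_attempts=20, max_fail_ratio=0.5):
    """Slide 29: (user, app) pairs where most attempts get no successful response."""
    attempts, failures = Counter(), Counter()
    for _, user, app, _, _, _, ok in records:
        attempts[(user, app)] += 1
        failures[(user, app)] += (not ok)
    return {k for k, n in attempts.items()
            if n >= min_attempts and failures[k] / n > max_fail_ratio}

def recon(records, min_ports=5, min_hosts=10):
    """Slide 30: port scans (many ports on one host) and IP scans (one port, many hosts)."""
    ports_per_host = defaultdict(set)
    hosts_per_port = defaultdict(set)
    for _, user, _, proto, ip, port, _ in records:
        ports_per_host[(user, proto, ip)].add(port)
        hosts_per_port[(user, proto, port)].add(ip)
    port_scans = {k for k, s in ports_per_host.items() if len(s) >= min_ports}
    ip_scans = {k for k, s in hosts_per_port.items() if len(s) >= min_hosts}
    return port_scans, ip_scans

if __name__ == "__main__":
    recs = sample_records()
    print(fast_worm(recs), blind_worm(recs), recon(recs))
```

Because every record carries the user name, each hit is already resolved to a user rather than only to a MAC or IP address, which is the containment granularity slide 27 describes.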

  31. Malware Propagation
  Step 1: A contractor accidentally brings in malware and the worm propagates on the network.
  Step 2: Worm reconnaissance activity occurs on the network (network scans / blind scans); a vulnerable host is identified and infected.
  • Alcatel mitigates the offending host or only the offending application, so as not to disrupt critical workflows.
  [Diagram: Internet, Router, Firewall, IDS/IPS, Core Switch, AD Server, RADIUS Server, LDAP Server, OmniAccess SafeGuard, Alcatel OmniVista SafeGuard, Access Switch, User Bob, User Guest, User Contractor, User Alice]

  32. Audit: Incident Reporting (L2-L7). Tracking and auditing user activity (resource, application, and content); information tied to User Identity (not MAC or IP Address)

  33. Decoding Applications
  • Alcatel performs L7 decode to identify apps regardless of port number
  • Enables detection of port-cloaking attacks
  • Many apps use well-known ports (0 - 1024); some apps negotiate dynamic port assignments (1025 - 65K) = port-hopping apps
  • Alcatel decodes these apps at Layer 7: HTTP, FTP, DNS, AD-Kerberos, Radius, DHCP, SMB/CIFS, RTP, RTSP, MSRPC, SUNRPC, MS Media, H.323, SIP, Oracle
  [Diagram: TCP / UDP port range split into 0 - 1024 (well-known) and 1025 - 65K (dynamic)]
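As an added example, not code from the deck or from any Alcatel product, a payload-based classifier for a few of the protocols listed above, compared against what the destination port implies so that an application hidden on another port ("port cloaking") is flagged. The signatures are deliberately simplified first-bytes checks, the well-known-port table is an assumption, and the sample flows are constructed.

```python
# Added illustration (not Alcatel's code): identify the application from the first
# payload bytes rather than from the port, then flag a mismatch with the well-known
# port as port cloaking. Signatures are simplified; a real decoder tracks the dialogue.
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
WELL_KNOWN = {("TCP", 80): "HTTP", ("TCP", 8080): "HTTP", ("TCP", 21): "FTP",
              ("TCP", 22): "SSH", ("TCP", 445): "SMB", ("TCP", 443): "TLS",
              ("UDP", 53): "DNS", ("UDP", 5060): "SIP", ("TCP", 5060): "SIP"}

def looks_like_dns(payload: bytes) -> bool:
    """DNS query header: 12 bytes, QR=0 with standard opcode, exactly one question."""
    if len(payload) < 12:
        return False
    _, flags, qd, an, ns, _ = struct.unpack("!6H", payload[:12])
    return (flags & 0xF800) == 0 and qd == 1 and an == 0 and ns == 0

def identify_app(payload: bytes) -> str:
    """Return the application inferred from the payload, or 'unknown'."""
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
        return "HTTP"
    if payload.startswith(b"SSH-"):
        return "SSH"
    if payload[4:8] in (b"\xffSMB", b"\xfeSMB"):        # after the 4-byte NetBIOS header
        return "SMB"
    if payload.startswith((b"220 ", b"220-", b"USER ", b"PASS ")):   # FTP control dialogue
        return "FTP"
    if payload.startswith((b"INVITE sip:", b"REGISTER sip:", b"SIP/2.0")):
        return "SIP"
    if looks_like_dns(payload):
        return "DNS"
    return "unknown"

def port_cloaking(proto: str, dst_port: int, payload: bytes):
    """(identified app, app expected for the port, cloaked?); dynamic ports never count."""
    seen = identify_app(payload)
    expected = WELL_KNOWN.get((proto, dst_port))
    cloaked = seen != "unknown" and expected is not None and seen != expected
    return seen, expected, cloaked

SAMPLES = [  # constructed flows: (proto, dst_port, first payload bytes)
    ("TCP", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    ("TCP", 80, b"SSH-2.0-OpenSSH_9.6\r\n"),                        # SSH hidden on port 80
    ("UDP", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01"),          # A query for example.com
    ("TCP", 443, b"\x00\x00\x00\x2f\xffSMBr\x00\x00\x00\x00"),      # SMB on the HTTPS port
]

def audit(samples):
    """Classify each constructed flow: (port, identified, expected, cloaked)."""
    return [(port, *port_cloaking(proto, port, payload)) for proto, port, payload in samples]

if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```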

  34. Incident Reporting
  • OmniVista SafeGuard Manager: global awareness
  • Traffic tied to username
  • L7 application decodes
  [Diagram: Internet, Router, Firewall, IDS/IPS, Core Switch, AD Server, RADIUS Server, LDAP Server, OmniAccess SafeGuard, Alcatel OmniVista SafeGuard, Access Switch, User Bob, User Contractor, User Admin]

  35. Conclusion: Audit, Threat Containment, Identity-Based Control, Host Integrity Check, Authenticate

  36. Competitive Overview

  37. Market Landscape
  [Diagram: product categories Network Behavior Analysis, Desktop Lifecycle Mgmt, Identity Management, NAC, IDS/IPS, SIM/SEM, 802.1X Switch, each with example products (eTrust, Identity MGR, Tivoli Identity MGR, Tivoli, ZENworks, Unicenter, Select Identity, Identity Mgmt Suite, Cisco MARS, SMS, OpenView PC Mgmt Suite, “… and others”) and the labels End-Point Solution, Out-of-Band Solution, In-Line Solution]

  38. End Point Agent-Based Enforcement
  • Agent software installed on the client
  • User traffic is permitted or denied by the agent
  • Some central policy server is necessary to control agents
  • (Note: most agent software doesn’t enforce)
  [Diagram: Internet, guest, WAN router, VPN, IDS/IPS, Active Directory, Agent, Policy Server]

  39. Out-of-band Solution
  • Server-grade appliance controlling the edge Ethernet switch
  • Switch control occurs through SNMP or 802.1x
  • Out-of-band means the controlling device doesn’t see user data
  [Diagram: Internet, guest, WAN router, VPN, IDS/IPS, Active Directory, Off-path Controller, SNMP or 802.1x (RADIUS) to the edge switch]

  40. In-line Solution
  • Purpose-built in-line security appliance sitting behind the edge switch (In-line Controller)
  [Diagram: Internet, guest, WAN router, In-line controller, VPN, IDS/IPS, Active Directory, Edge Switching, Central Policy]

  41. Tier 1 Competitors Cisco Juniper

  42. Positioning Against Cisco Clean Access (CCA): summary
  • Higher Cost to Deploy
  • Limited Deployment Options
  • Intrusive and Complex to Deploy
  • Incomplete LAN Security Solution
  • Limited Performance

  43. Cisco CCA: Higher Cost to Deploy
  • Increase in operational costs
    • Required to upgrade a non-Cisco network (or older Cisco networks) to CCA-enabled Cisco switches and to a CCA-compatible switch OS
    • When deployed in out-of-band (OOB) mode, hardware support is Cisco-specific and switch-OS-specific
  Limited Deployment Options
  • Not designed for multi-hop Layer 3 networks
  • CCA cannot provide LAN segmentation because in L3 OOB it cannot determine which port to change the VLAN on

  44. Cisco CCA: Intrusive and Complex to Deploy
  • Requires change in day-to-day operation
    • Does not provide “passive” authentication for Active Directory users or existing 802.1X/RADIUS users; users require the captive portal or the Cisco agent for authentication
  • Lack of role derivation requires more time to deploy
    • Inability to query the AD server for AD attributes
  • Management complexity
    • Posture checking requires a “hard” agent installed on every endpoint

  45. Cisco CCA: Incomplete LAN Security Solution
  • No post-admission control
    • Only an authentication and posture-checking appliance; traffic only goes to CCA for authentication and posture
    • Users are free to roam once on the network
  • Lack of L2-L7 policies to control user activity (resource, content, application) for compliance
    • Incident reporting & real-time monitoring is not captured
    • Zero incident correlation between user and application/resources, not even at L4

  46. Cisco CCA: Incomplete LAN Security Solution
  • Risk of network downtime
    • No threat control: cannot contain a network outbreak and protect network switches or routers once a worm has propagated across the internal LAN
  • Higher security risk
    • Controls switch infrastructure via SNMP
    • OOB deployment = loss of control and visibility = higher risk of downtime

  47. Cisco CCA: Limited Performance
  • Off-the-shelf appliance = OOB deployment only!
  • Runs on a general-purpose processor, which is not designed to forward network traffic at high rates
  • OOB deployment masks the performance limitation
  • Inline deployment or OOB = 1Gbps performance only!

  48. Alcatel vs. Cisco Clean Access

  49. Alcatel vs. Cisco Self Defending Network

  50. Positioning Against Juniper UAC
  • Buy MANY Firewalls: new installs will require a multitude of firewalls to act as Infranet Enforcers.
  • Upgrade, Upgrade, Upgrade: minimum 5.3 OS required. Existing accounts are still required to re-deploy perimeter firewalls to internal segments. If not enough, buy more!!!
  • Disruptive User Experience: no passive authentication. For example, Active Directory users must use the Web Portal.
  • Perimeter Firewall Performance: not sufficient to protect the internal LAN at 10Gig speeds.
  • Limited Post Admission Control: relies mainly on L2/L3/L4 ACLs
