家中等职业教育改革发展示范学校概述

RiskManagementusingNetworkAccessControlandEndpointControlfortheEnterpriseKurtisE.Minder–MirageNetworksi2-CONFIDENTIAL-AgendaDriversofNACKeyElementsofNACSolutionsIdentifyAssessMonitorMitigateNACLandscape3-CONFIDENTIAL-BusinessNeedsDriveSecurityAdoption3UbiquitousSecuritytechnologiesAnti-virus-Businessdriver:FilesharingFirewalls-Businessdriver:Interconnectingnetworks(i.e.Internet)VPNs-Businessdriver:RemoteconnectivityToday’stopsecuritydriver-MobilePCsanddevicesBroadbandaccessiseverywhereIncreasedpercentageofthetimedevicesspendonunprotectednetworksPerimetersecurityisrenderedlesseffectivebecausemobiledevicesbypassitandaren’tprotectedbyitMobilityofIPdevicesisdrivingtheneedforNetworkAccessControlsolutionsLeadingsourceofnetworkinfectionsMoreunmanageddevicesonthenetworkthanever-guestandpersonaldevices4-CONFIDENTIAL-TheTraditionalApproachtoNetworkSecurityIsn’tEnough5-CONFIDENTIAL-TheProblemNACShouldAddressToday,endpointdevicesrepresentthegreatestrisktonetworksecurity—bypropagatingthreatsorbeingvulnerabletothem.InfectedDevicesUnknownDevicesOut-of-PolicyDevicespropagatethreats,resultinginlossofproductivity&hoursofcleanuplikehomePCs,contractorPCs,&WiFiphonescanintroducenewthreatsorcompromisedatasecurityaremorevulnerabletomalwareattacks,whilerunningservicesthatcouldjeopardizesecurity“Becauseofwormsandotherthreats,youcannolongerleaveyournetworksopentounscreeneddevicesandusers.Byyear-end2007,80percentofenterpriseswillhaveimplementednetworkaccesscontrolpoliciesandprocedures.”Gartner,ProtectYourResourcesWithaNetworkAccessControlProcess6-CONFIDENTIAL-TheCost1mi2gIntelligenceUnit,MalwareDamagein20042ICSALabs,9thAnnualComputerVirusPrevalenceSurvey7-CONFIDENTIAL-TheNumbersTelltheStory“Protection”isinplace…98%usefirewalls197%ofcompaniesprotectmachineswithantivirussoftware

179%useanti-spyware

161%useemailmonitoringsoftware

1Butit’snotenough!Costofmalware:$14.2B

280%ofcompaniesexperienced1ormoresuccessfulattacks,30%hadmorethan10

3AveragenetlossformalwareincidentsinUScompaniesisnearly$168,000peryear1Worldwide,32%ofcompaniesexperienceattacksinvolvingbusinesspartners43%ofthosewereinfections,while27%wereunauthorizedaccess475%ofenterpriseswillbeinfectedwithmalwarethatevadedtraditionaldefenses51ComputerSecurityInstitute/FBI’s2006ComputerCrimeandSecuritySurvey2ComputerEconomics,20063ICSALabs,9thAnnualComputerVirusPrevalenceSurvey4Cybertrust,RiskyBusiness,September20065Gartner,Gartner’sTopPredictionsforITOrganizationsandUsers,2007&Beyond,December20068-CONFIDENTIAL-TheProblemisExpectedtoGetWorse2006StatisticsSteepincreaseinthenumberofsoftwaresecurityvulnerabilitiesdiscoveredbyresearchersandactivelyexploitedbycriminalsMicrosoftCorpissuedfixesfor97(versus37in2005)securityholesassigned"critical"label14ofofthecriticalbecame"zeroday"threats.ExpertsworrythatbusinesseswillbeslowtoswitchtoVista.Pre-VistaMSOfficeisexpectedtoremaininwidespreaduseforthenext5-10years.Source:WashingtonPost,Dec2006,CyberCrimeHitstheBigTimein20069-CONFIDENTIAL-NACMarketExpectationsNACAppliancevendorswillsell$660mworldwidein2008NACApplianceswillgain17%worldwideshareoftheNACmarketby2008,upfrom6%in2005ResearchrevealsWorldNetworkAccessControl(NAC)ProductsandArchitecturesMarketsearnedrevenuesofover$85millionin2006andestimatesthistoreachover$600millionin2013GartnerestimatesthattheNACmarketwas$100Min2006andwillgrowbyover100%byYE200710-CONFIDENTIAL-IncreasingNumberofTargetstoProtectOperatingSystemsInternetExplorerWindowsLibrariesMicrosoftOfficeWindowsServicesWindowsConfigurationWeaknessesMacOSXLinuxConfigurationWeaknessesNetworkDevicesVoIPPhones&ServersNetwork&OtherDevicesCommonConfigurationWeaknesses*

SANSInstituteTop20InternetSecurityAttackTargets(2006AnnualUpdate),v7.0,11.15.06CrossPlatformApplicationsWebApplicationsDatabaseSoftwareP2PFileSharingApplicationsInstantMessagingMediaPlayersDNSServersBackupSoftwareSecurity,Enterprise,andDirectoryManagementServersSecurityPolicy&PersonnelExcessiveUserRights&UnauthorizedDevicesUsers(Phishing/SpearPhishing)SansInstitute2006TopAttackTargets*11-CONFIDENTIAL-WhatClassofNACSolutionstoDeploy?AberdeenResearch,200612-CONFIDENTIAL-TopDriversInfluencingNACSolutionsAberdeenResearch,200613-CONFIDENTIAL-TopFeaturesRequiredinaNACSolutionAberdeenResearch,200614-CONFIDENTIAL-KeyElementsofNACSolutionsCommonNACElementsNACisanevolvingspacewithevolvingcapabilitiesNACsolutionelements-someorallIdentify-Detect&authenticatenewdevicesAssess-EndpointintegritycheckstodeterminelevelsofriskandadherencetosecuritypolicyMonitor-Watchthedevice’sactivityforchangeofassessedstatewithrespecttopolicyandthreatstatusMitigate-Takeappropriateactionuponanydevicethatisidentifiedasasecurityriskbypreviousthreeelements16-CONFIDENTIAL-Identify-Find/AuthenticateNewDevicesQuestion-Howdoyouknowwhenanewdevicecomesonthenetwork?Isitaknownorunknowndevice?Isitanauthenticateduser?CommonapproachesLeverage802.1xornetworkinfrastructureOSAuthenticatethroughexistingEAPinfrastructuretopasscredentialstoauthenticationserverSpecialpurposeDHCPserverAuthenticationusuallywebbasedandtiedtoauthenticationserverAuthenticationproxyNACsolutionservesasaproxybetweendeviceandauthenticationserverInlinesecurityappliances(i.e.securityswitches)ServeasaproxybetweendeviceandauthenticationserverRealtimenetworkawarenessAuthenticationusuallywebbasedandtiedtoauthenticationserverAllapproachestriggeroffentryonthenetworkbyanewIPdevice17-CONFIDENTIAL-Identify-Pros&ConsofVariousApproaches802.1xapproachPros:DevicedetectedandauthenticatedpriortoIPaddressassignmentCons:OftenisacostlyandtimeconsuminginstallationRequiresswitchupgrade/reconfigurationEndpointsmustbe802.1xenabled-requiressupplicantsoftwareMustcreateguest/remediationVLANsDHCPapproachPros:Easiertodeploy,independentofnetworkinfrastructure,coversbothmanagedandunmanageddevicesCons:BypassedbystaticIPaddressassignment,remediationtypicallytoabroadcastVLAN(crossinfectionrisk)18-CONFIDENTIAL-Identify-Pros&ConsofVariousApproachescont.AuthenticationproxyPros:GoodhookforcheckingmanageddevicesCons:Unknowndevicesmayneverauthenticate,butstillcouldhavenetworkaccess;maynotcheckallIPdevicesIn-linesecurityappliance/switchPros:Seesalldevicesbothmanagedandunmanagedanddoesn’trequireagentbasedsoftwareCons:Ifitisnotinlinewith,ordoesnotreplacetheaccessswitchthenitwillnotseethedeviceasitcomesonthenetworkOutofbandapplianceswithnetworkawarenessPros:Seesalldevicesastheyenterthenetworkbothmanagedandunmanaged;easiertoimplementthanmanyoftheotherapproachesCons:Mayrequireswitchintegrationformitigationofproblems19-CONFIDENTIAL-AssessAssessEndpointIntegrityQuestion:Evenifadeviceisallowedonmynetwork,howdoIensureitmeetsmysecuritypoliciesandrisktolerance?Answer:EndpointintegritychecksOperatingsystemidentificationandvalidationchecksTypicallyrequiresanagentMustestablishapolicyrelatingtoacceptablepatchlevel(latestpatchoncompanySMSserver,noolderthanXmonths,mostrecentpatchavailablefromsoftwarevendor)Whatdoyoudoforunknowndevices?UsuallyrequiresanagentforthesechecksSecuritysoftwarechecks-AV,personalfirewall,spyware,etc.IsitupandrunningIsitintherightconfigurationIsituptodate-boththesoftwareandthedatabaseUsuallyrequiresanagentforthesechecks21-CONFIDENTIAL-AssessEndpointIntegritycont.Endpointintegritycheckscont.Endpointconfiguration-findunauthorizedserversandservicesWebservers,FTPservers,mailservers,etc.Vulnerableorhighriskports,i.e.port445exploitedbyZotobThesecheckscanbedonefromthenetworkorwithanagentThreatdetectionScanthedeviceforactiveinfectionsorbackdoorsNotcommonlyimplementedonentrytothenetworkToomuchlatencyRiskprofilesubstitutedfordeepscans(i.e.AVisuptodateandhadacurrentscan)ElementsforendpointintegritychecksNetworkscanningserver(Optional)Endpointsoftware-permanentortransient(Optional)Policyserver(Required)-musthavesomewheretodefinewhatisallowed/disallowed22-CONFIDENTIAL-MonitorMonitoringPostNetworkEntryTheforgottenelementofNetworkAccessControlWhyismonitoringacriticalelementofNAC?Can’teffectivelycheckforallthreatsonentry-takestoolongSecuritypolicystatecanchangepostentry-usersinitiateFTPafteraccessisgrantedInfectioncanoccurpostentry-e-mailandwebthreatscanchangesecuritystateofthedeviceWhatGartnersaysintheirpaper“ProtectYourResourcesWithaNetworkAccessControlProcess”“Thenetworktrafficandsecuritystateofsystemsthatareconnectedtothenetworkmustbemonitoredforanomalousbehaviororsystemchangesthatbringthemoutofcompliancewithsecuritypolicies.”Whyisn’tthissimplyanothernetworksecurityfunction?Monitoringisbothforthreatsandpolicyadherence-takesadvantageofpolicydefinitionofNACsolutionWorkshandinhandwithNACquarantineservices24-CONFIDENTIAL-TraditionalApproachtoNetworkSecurity

TraditionalApproachFirewall/IPSatthePerimeterAV,HIDS/HIPSontheEndpointThisapproachleavesasoftunderbellythroughwhichunmanaged,out-of-policyandinfectedendpointscaneasilygainaccess.ExternalEnvironmentNewtechnologiesNewthreatsRegulatoryrequirements25-CONFIDENTIAL-ExploitingtheNetwork’sWeaknessInfectedendpointsbypasstheperimeter……generatingrapidlypropagatingthreatsthattakeoveranetworkinminutes……bringingbusinesstoahaltandcreatingcostlycleanup.26-CONFIDENTIAL-MonitoringApproachesAgentbasedapproachesHostIntrusionPreventionSystemsPersonalfirewallsBothrequireintegrationwithanetworkpolicyservertobeanelementofNACDoesn’tcoverunknown/unmanaged/unmanageabledevicesNetworkbasedapproachesIn-line:TypicallyevolutionofIPSvendorsintoNACcapabilities;alsoincludesNetworkBasedAnomalyDetection(NBAD)vendorsOut-of-band:MostcommonlyNBADandoldDistributedDenialofService(DDoS)securityvendorsKeyconsiderationsDoesthesecuritydevicewatchforpolicyviolationsaswellasthreats?Doesitseedevicesastheyenterthenetwork?Cantheyworkacrossbothvoiceanddatanetworkswithoutnegativelyimpactingqualityandperformance?Whatisthemanagementoverheadassociatedwithbothapproaches?27-CONFIDENTIAL-MitigateMitigationApproachesforNACTwoelementsforNACmitigationQuarantinecapabilities(required)On-entryrestrictaccessfordevicesnotmeetingrequirementsPost-entrytakeadeviceoffthenetworkandsendtoquarantinezoneiftheyviolatepolicyorpropagateathreatIdeallyshouldbeabletoassigntodifferentquarantineserverbasedonproblem,i.e.registrationserverforguests,AVscannerforinfecteddevices,etc.Remediationservicesforidentifiedproblems(optional)Additionaldiagnostictoolsfordeeperchecks-VulnerabilityscannersAVscanners,etc.ToolsforfixingidentifiedproblemsOSpatchlinksAVsignatureupdateandmalwareremovaltoolsRegistrationpagesforunknowndevices29-CONFIDENTIAL-QuarantineApproachesDHCPintegrationUsesDHCPprocessforidentificationandendpointintegritychecksonentrytothenetwork.Pros:AssignsappropriateIPandVLANaccordingtotheirrisklevelCons:AfterIPaddressisassignedtheydon’thaveanindependentquarantinecapability;StaticIPsbypasstheirenforcementSwitchintegrationUseseitherACLsor802.1xACLs-notcommonlyusedbecauseofnegativeperformanceimpactandaccessrequirementsinthenetwork802.1x-forcesdevicetore-authenticateandassignsnewVLANPros:Effectivebothpreandpostadmission,usesstandardsbasedapproachin802.1xCons:Cannegativelyimpactswitchperformance;Usuallynotgranularinquarantineserverassignment;IfusingbroadcastquarantineVLANthereisacross-infectionrisk30-CONFIDENTIAL-QuarantineApproachescont.In-lineblockingwithwebredirectPros:ImprovedperformanceoverACLs;Cangranularlyblocksuspecttraffic;hasthecapabilityofsendingwebtraffictoappropriatequarantineserverbasedonproblemCons:Doesn’tseedownstreamtrafficsocanonlyblockandredirecttrafficthatcomesthroughit;MayrequireadditionalintegrationwithnetworkformitigationbecauseofthisARPmanagementSecurityapplianceselectivelygoesinlineforasinglehostandbecomesitsdefaultgatewaybyARPmanipulationPros:Nonetworkintegrationrequiredforfullquarantinecapabilities;enablessurgical,problemspecificquarantinewithoutcross-infectionrisk;effectivebothpreandpostadmissionCons:Ifimplementedimproperlynetworkequipmentcanmisidentifythisasanattackanddropthistraffic31-CONFIDENTIAL-Today’sNACLandscapeEvolvingproprietarystandardsCiscoNetworkAdmissionControl(CNAC)Threecriticalelements-CiscoTrustAgent(CTA),updatedNetworkAccessDevice(NAD),CiscoAccessControlServer(ACS)IntegrationwithendpointagentstocommunicatewithACSregardingappropriateaccessleveltothenetworkMicrosoftNetworkAccessProtection(NAP)AvailableinVistaEndpointneedsSystemHealthAgent(SHA)SHAreportstoSystemHealthValidator(SHV)todopolicychecksNetworkisolationthroughenforcementintegrationsDHCPQuarantineEnforcementServer(QES)VPNQES802.1xTrustedNetworkConnectopenstandardTNCcompliantclientrequiredonendpointsPolicyDecisionPoint(PDP)forsecuritypolicycomparisonsPolicyEnforcementPoint(PEP)forquarantining32-CONFIDENTIAL-SummaryNACisanevolvingtechnologyspaceKnowwhatproblemsaremostimportanttoaddressUnknown/unauthenticatedusercontrolPolicyenforcementforendpointsPreventingthreatsonyournetworkUnderstandimplementationtradeoffsQuarantineflexibilityPerformanceimpactCostofsolutionITefforttoimplementKeeptrackofearlyevolvingstandards33-CONFIDENTIAL-AboutMirageBackground&KeyAccomplishmentsCompanyHighlightsFirstGAProduct:January,2004,V3LaunchedinJuly,2006AcquisitionofWholePointCorporation-Dec041NACPatentGranted;10PendingCustomer/PartnerMomentum1100+unitssoldanddeployed350+ProductionCustomersKeyVerticals:EDU,H/C,FIN,TEC,MFG,S&L,PRO120ChannelPartners(93%ofRevenues)StrategicRelationships:IBM/ISS,Extreme,Mitsui,AT&T,AvayaIndustryRecognitionInfoSecurityHotCompanies2007BestAnti-Worm,Anti-Malware,SCMagazine/RSA2006InfoSecurityCustomerTrustProductExcellenceAward,2006SoftwareDevelopmentmagazine:fourstarproductreview,May200535-CONFIDENTIAL-MirageNetworksManagementTeamGregStock,President&CEOManugistics,Vastera,e-security,IBMThomasBrand,VP,WWFieldOperationsVastera,Toyota,ChryslerDavidThomas,VP,ProductsNovusEdge,Vignette,IBMMichaelD’Eath,VP,BusinessDevelopmentWaveset,Tivoli,NovellGrantHartline,CTOCisco,Dell,NECDavidSettle,CFOExterprise,Dazel,ConvexComputerCorp36-CONFIDENTIAL-MirageBoardofDirectors/InvestorsGregStock,MirageNetworksTimMcAdam,TrinityVenturesMartinNeath,AdamsCapitalBillBock,CFO,SiliconLabsGeorgeKurtz,EVPMcAfeeHowardSchmidt,FormerCISOEBAY,Microsoft37-CONFIDENTIAL-StrategicPartnersAT&TresellsMirageNACinitsmanagedservicesportfolio.MarketedasAT&TManagedIPS™,itrepresentstheAT&Tcommitmenttoenablingbusinesstobeconductedeffectively,efficientlyandsecurelyacrossbothwiredandwirelessIPnetworks.(SignedMarch,2005)PartoftheAvayaDevConnectProgram,MirageworkswithAvayatodevelopworld-classinteriornetworkdefensesolutions,particularlyforemergingIPtelephonytechnology.MitsuiBussanSecureDirections,asubsidiaryofMitsui&Co.,Ltd.-oneoftheworld’smostdiversifiedandcomprehensivetradingandservicescompanies-powersMirageNACsalesintheJapanesemarketplace.(SignedOctober,2004)ExtremeNetworksprovidesorganizationswiththeresiliency,adaptabilityandsimplicityrequiredforatrulyconvergednetworkthatsupportsvoice,videoanddataoverawiredorwirelessinfrastructure,whiledeliveringhigh-performanceandadvancedsecurityfeatures.(SignedMarch,2005)IBMInternetSecuritySystems(formerlyISS)hasformedanalliancew