© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Self-Defending Network: Realizing the Vision
Mauricio Martinez
Systems Engineer Commercial, Cisco Mexico
30 – October – 08
Connected World with Complex Security Challenges
TelePresence/ Video / IM / Email
Mobility
Web 2.0 / Web Services / SOA
Collaboration and Communication
The New Threat Environment
The Eroding Perimeter
SPAM / Malware / Profit Driven Hacking
Data Loss and Theft
The Business Impact of Security
IT Risk Management
Regulatory Compliance
Security as Business Enabler
Solutions for Business Security
Enforce business policies and protect critical assets
Decrease IT administrative burden and reduce TCO
Reduce security and compliance IT risk
Network Security
Endpoint Security
Content Security
Application Security
System Management
Policy — Reputation — Identity
Cisco Self-Defending Network: Best of Breed Security in a Systems Approach
Cisco Network Admission Control Appliance
Contents
1 Business Case for NAC
2 Cisco NAC Solution Overview
3 Cisco NAC Solution Benefits
4 Additional Resources – Guest and Profiler
What Is NAC, Really?
Network Admission Control = 4 Key Functions = Better criteria for network access beyond “Who Is It?”
Authenticate & Authorize
Scan & Evaluate
Quarantine & Enforce
Update & Remediate
The questions those functions answer about a device: Who owns it? What do you have? Where is it coming from? What’s on it? What is it doing? What’s the preferred way to check or fix it?
Cisco Network Admission Control
Using the network to enforce policies ensures that incoming devices are compliant.
Authenticate & Authorize
Enforces authorization policies and privileges
Supports multiple user roles
Update & Remediate
Network-based tools for vulnerability and threat remediation
Help-desk integration
Quarantine & Enforce
Isolate non-compliant devices from rest of network
MAC and IP-based quarantine effective at a per-user level
Scan & Evaluate
Agent scan for required versions of hotfixes, AV, etc.
Network scan for virus and worm infections and port vulnerabilities
NAC Appliance Components
Cisco NAC Manager: Centralizes management for administrators, support personnel, and operators
Cisco NAC Server: Serves as posture, remediation and enforcement access control
Cisco NAC Agent: Optional lightweight client for device-based registry scans in unmanaged environments
Rule-set Updates: Scheduled automatic updates for anti-virus, critical hot-fixes and other applications
Cisco NAC Appliance Overview
1. End user attempts to access network. Access is blocked until the wired or wireless end user provides login information.
2. User logs into the optional agent or is redirected to a login web page. Cisco NAC validates username and password, and also performs device and network scans to assess vulnerabilities on the device.
3a. Quarantine role: the device is noncompliant or the login is incorrect. User is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is “clean”: the machine gets on the “certified devices list” and is granted access to the network.
[Diagram: end user, NAC Server, NAC Manager, Authentication Server, and the Intranet/Network labelled “THE GOAL”]
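The admission flow in steps 1 to 3b above, modelled as an added example (not Cisco's code): credentials are validated, the device posture is scanned, and the result is either the quarantine role or an entry on the certified devices list. The posture policy, user store and posture fields are constructed for the example.

```python
"""Toy model of the Cisco NAC Appliance admission flow on this slide: authenticate,
scan/evaluate, then quarantine or certify. Added example; the posture policy, user
store and posture fields are constructed, not Cisco's."""
from dataclasses import dataclass, field
import hmac

# Constructed posture policy: what the agent scan must find on the device.
REQUIRED_HOTFIXES = {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}
MIN_AV_SIGNATURE_VERSION = 4200
# Constructed credential store: username -> (password, authorized role).
USERS = {"alice": ("s3cret", "employee"), "bob": ("hunter2", "contractor")}

@dataclass
class Posture:                  # result of the agent/network scan of one device
    mac: str
    hotfixes: set
    av_running: bool
    av_signature_version: int

@dataclass
class Decision:
    role: str                   # "denied", "quarantine" or the user's authorized role
    reasons: list = field(default_factory=list)

certified_devices = set()       # the "certified devices list" of step 3b

def evaluate_posture(p: Posture) -> list:
    """Step 2 scan: return every policy failure found (an empty list means clean)."""
    failures = []
    missing = REQUIRED_HOTFIXES - p.hotfixes
    if missing:
        failures.append("missing hotfixes: " + ", ".join(sorted(missing)))
    if not p.av_running:
        failures.append("anti-virus not running")
    elif p.av_signature_version < MIN_AV_SIGNATURE_VERSION:
        failures.append("anti-virus signatures out of date")
    return failures

def admit(username: str, password: str, posture: Posture) -> Decision:
    """Steps 2-3: validate credentials, then scan before assigning a network role."""
    record = USERS.get(username)
    if record is None or not hmac.compare_digest(record[0], password):
        return Decision("denied", ["login incorrect"])
    failures = evaluate_posture(posture)
    if failures:
        # Step 3a: a non-compliant device gets the quarantine role, which reaches
        # only the remediation resources, until it passes a re-scan.
        return Decision("quarantine", failures)
    certified_devices.add(posture.mac)      # step 3b: device is "clean"
    return Decision(record[1])
```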
Operational Efficiencies: Part 1
Save time and effort in two ways:
Identifying non-compliant devices
Improving the remediation process through automation
Assumes $75/hr labor cost
Task                                   Person-Hours   Cost
Identifying non-compliant computer     1.0            $75.00
Locating non-compliant computer        1.0            $75.00
Bringing computer into compliance      2.0            $150.00
Potential Cost Savings per Computer                   $300.00
Operational Efficiencies: Part 2
Protect investments:
Reuse existing gear and applications
Best support for Microsoft environments
Works with existing network gear (including those from other vendors).
Makes existing security applications more effective by ensuring they exist, and are running and updated.
. . . and more
Supports corporate Microsoft environments better than any other NAC solution on the market
Client platforms shown: Vista, XP, 98, 2000, Mac
NAC Gap: Non-PC Endpoint Devices
An enterprise LAN is comprised of myriad endpoint types. Most are undocumented (think DHCP).
Wired endpoints distribution, enterprises without VoIP: 50% Windows, 50% Other
Wired endpoints distribution, enterprises with VoIP: 33% Windows, 33% IP phones, 33% Other
Examples of Non-PC Endpoints
Printers
Fax Machines
IP Phones
IP Cameras
Wireless APs
Managed UPS
Hubs
Cash Registers
Medical Imaging Machines
Alarm Systems
Video Conferencing Stations
Turnstiles
HVAC Systems
RMON Probes
Vending Machines
. . . and many others
Cisco NAC Profiler: Automation
[Diagram: Cisco NAC Profiler performing Discovery and Monitoring of PCs and non-PCs (UPS, phone, printer, AP)]
Endpoint Profiling
Discover all network endpoints by type and location
Maintain real time and historical contextual data for all endpoints
Behavior Monitoring
Monitor the state of the network endpoints
Detect events such as MAC spoofing, port swapping, etc.
Automated process populates devices into the NAC Manager; and subsequently, into appropriate NAC policy
Cisco NAC Profiler Components
NAC Profiler Server: Aggregates all data from Collectors and manages the database of endpoint information. Updates the Cisco NAC Appliance Manager, where roles are applied. Sold as an appliance.
NAC Collector: Gathers information about endpoints using SNMP, NetFlow, DHCP, and active profiling. Sold as a license; co-resident with NAC Appliance Server.
Understanding NAC Profiler Server
1. NAC Profiler Collector discovers and profiles devices and consolidates the information to send to the NAC Profiler Server
2. NAC Profiler Server aggregates all of the information from the Collectors and maintains a database of all network-attached endpoints (e.g. phones, printers, badge readers, modalities, etc.)
3. NAC Profiler Server continuously maintains the Filters List via the NAC API and provisions the appropriate access decisions (allow, deny, check, “role”, or ignore)
4. NAC Profiler Collector continuously monitors behavior of profiled devices (to prevent spoofing) and updates Profiler Server
[Diagram: Mac endpoint; NAC Appliance Server with NAC Collector Application, fed by SPAN; NAC Profiler Server; NAC Appliance Manager; AAA Server; Windows AD]
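The four-step Profiler loop above, as an added example that is not Cisco's code: a Collector observation is classified against profiling rules, the server provisions a Filters List decision per MAC, and behavior monitoring revokes the entry when a known MAC stops behaving like its profile. The profiling rules, decision mapping and observations are constructed.

```python
"""Toy model of the NAC Profiler loop on this slide: Collectors profile endpoints, the
Profiler Server keeps a Filters List of access decisions, and behavior monitoring flags
MAC spoofing. Added example; rules, decisions and observations are constructed, not Cisco's."""
from dataclasses import dataclass

# Constructed profiling rules: expected DHCP vendor class and TCP services per type.
PROFILES = {
    "printer":  {"dhcp_vendor": "ExamplePrinterCo", "services": {9100, 631}},
    "ip-phone": {"dhcp_vendor": "ExamplePhoneCo",   "services": {5060}},
    "windows":  {"dhcp_vendor": "MSFT 5.0",         "services": {445, 139, 3389}},
}
# Constructed policy: the Filters List decision provisioned for each profile.
DECISION_FOR_PROFILE = {"printer": "allow", "ip-phone": "allow", "windows": "check"}

@dataclass
class Observation:               # what a Collector reports about one MAC
    mac: str
    dhcp_vendor: str
    services: set

def classify(obs: Observation) -> str:
    """Match one observation against the profile rules; no match means 'unknown'."""
    for name, rule in PROFILES.items():
        if obs.dhcp_vendor == rule["dhcp_vendor"] and obs.services <= rule["services"]:
            return name
    return "unknown"

class ProfilerServer:
    def __init__(self):
        self.endpoints = {}      # mac -> profile (the endpoint database)
        self.filters = {}        # mac -> decision (the Filters List sent to the Manager)
        self.alerts = []

    def discover(self, obs: Observation) -> str:
        """Steps 1-3: profile a newly seen MAC and provision its access decision."""
        profile = classify(obs)
        self.endpoints[obs.mac] = profile
        self.filters[obs.mac] = DECISION_FOR_PROFILE.get(profile, "check")  # unknown -> NAC check
        return self.filters[obs.mac]

    def monitor(self, obs: Observation) -> str:
        """Step 4: re-profile a known MAC; a profile change is treated as MAC spoofing."""
        expected = self.endpoints.get(obs.mac)
        if expected is None:
            return self.discover(obs)
        seen = classify(obs)
        if seen != expected:      # e.g. a "printer" MAC that now speaks SMB/RDP
            self.alerts.append(f"{obs.mac}: profiled as {expected}, now behaves as {seen}")
            self.filters[obs.mac] = "deny"
        return self.filters[obs.mac]
```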
Primary Value to Customer: Simplify NAC Deployment and Management
Cisco NAC Profiler yields these benefits:
Reduce need for full-time employees: Redeploy human resources to higher value assignments
Enables scaling of network for growing business: Continual, real-time inventory of devices enables network to grow without management burden
Increases accuracy rate: Reduction of errors helps maintain network security and up-time
Improves post-admission security: Behavioral monitoring of devices detects and prevents MAC spoofing
Return on Investment through Automation
Discovery and Documentation: Save time and effort compiling initial inventory of endpoints
                      Person-Hours   Rate     Total Labor Cost
Before NAC Profiler   6,240          $75/hr   $468,000
With NAC Profiler     80             $75/hr   $6,000
* Source: real customer data from St. John’s Hospital
Cisco NAC Guest Server
Experts Agree: Guest Access Graduates to NAC
“Building a guest network is often the first step in implementing a broader network access control project. Organizations can reduce NAC costs by architecting guest networks with technology that can also be applied to protecting their internal networks from managed PCs.” —Gartner, July 2007
What Is Cisco NAC Guest Server?
A portal for managing the entire guest user lifecycle
PROVISIONING
NOTIFICATION (SMS / Email / Print-out)
MANAGEMENT
REPORTING
Four Key Components of Guest Access
GUEST: The visitor who needs network access (usually internet only, but could be more)
SPONSOR: The internal user who wants to be able to provide internet access to their guest
NETWORK ENFORCEMENT DEVICE: Web re-direction, authentication and provides access. Wireless LAN Controller or NAC Appliance
NAC GUEST SERVER: Enables sponsor to create guest account; audits; provisions account on network enforcement device
Provisioning > Notification > Management > Reporting
1. Who should create guest accounts?
Receptionist (Lobby Ambassador)?
Additional responsibility for receptionist.
Inconvenient if you forget at arrival, or you don’t realize you can get guest access, or don’t think you need it until it is too late.
IT Security?
Additional responsibility
Inconvenient
Costly resource to create guest accounts
IT Help Desk?
Inconvenient
Costly - how much does it cost to open a case?
Anyone? (“Sponsor Self Service”)
Convenient and very quick
Secure - full sponsor auth, permissions, full audit
Low cost
Provisioning > Notification > Management > Reporting
2. How will guests get their login details?
On Screen
Print Out
SMS
Provisioning > Notification > Management > Reporting
3. What else can the sponsor do?
Extending account times (by the originating sponsor or other sponsor)
Re-sending guest account details (by the originating sponsor or other sponsor)
Suspending accounts, due to leaving early, malicious use, etc.
Provisioning > Notification > Management > Reporting
4. Why is reporting so important?
Security teams cite reporting and auditing as key guest access requirements
Full audit trail: sponsor who created the account; guest receiving account details; access times of guest; IP address used by guest
Management reporting (secondary benefit)
Network utilization
Ongoing usage
Cost justification
Guest Access Walkthrough - Sponsor
1. Sponsor accesses Cisco Guest Server, such as http://guests.yourcompany.com
2. Sponsor authenticates using corporate credentials
3. Sponsor creates account on the guest server
4. Sponsor gives guest account details (email/print/SMS)
5. Guest server provisions account on the Cisco NAC Appliance
[Diagram: Guest, Sponsor, Internet, wired or wireless access, NAC Appliance, Active Directory, Cisco NAC Guest Server]
Guest Access Walkthrough - Guest
1. Guest opens Web browser
2. Web traffic is intercepted by network enforcement device and redirected to login page (captive portal)
3. Guest logs in with details provided by sponsor
4. Guest can now access the internet
5. Guest access recorded
6. Guest removed when session time expires
[Diagram: Guest, Sponsor, Internet, wired or wireless access, NAC Appliance, Active Directory, Cisco NAC Guest Server]
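The guest account lifecycle from the management slide (extend, suspend), the reporting slide (full audit trail) and the two walkthroughs above, as an added example that is not the Cisco NAC Guest Server's code: a sponsor authenticates and creates a time-limited account, the captive portal validates the guest against it, and every action is written to an audit trail with the guest's IP address. The sponsor directory, clock values and record layout are constructed.

```python
"""Toy model of the guest-account lifecycle on the management, reporting and walkthrough
slides: sponsor self-service creation, notification, captive-portal login, audit trail,
expiry and suspension. Added example; sponsor directory, clock values and record layout
are constructed, not the Cisco NAC Guest Server's."""
from dataclasses import dataclass
import hmac, secrets

SPONSORS = {"carol": "corp-pass"}   # constructed stand-in for Active Directory

@dataclass
class GuestAccount:
    username: str
    password: str
    sponsor: str
    valid_until: int        # epoch seconds; the caller supplies the clock
    notified_via: str       # "email", "print" or "sms"
    suspended: bool = False

class GuestServer:
    def __init__(self):
        self.accounts = {}
        self.audit = []     # audit trail: actor, action, account, time, guest IP
    def _log(self, actor, action, account, when, ip=None):
        self.audit.append((actor, action, account, when, ip))
    def _sponsor(self, name, pw):
        if not hmac.compare_digest(SPONSORS.get(name, ""), pw):
            raise PermissionError("sponsor authentication failed")
    def create(self, sponsor, pw, guest, hours, via, now):
        """Sponsor walkthrough steps 2-4: authenticate, create, notify the guest."""
        self._sponsor(sponsor, pw)
        acct = GuestAccount(guest, secrets.token_urlsafe(8), sponsor, now + hours * 3600, via)
        self.accounts[guest] = acct
        self._log(sponsor, f"create+notify:{via}", guest, now)
        return acct
    def guest_login(self, guest, pw, now, ip):
        """Guest walkthrough step 3: the captive portal validates against this server."""
        acct = self.accounts.get(guest)
        ok = (acct is not None and not acct.suspended and now < acct.valid_until
              and hmac.compare_digest(acct.password, pw))
        self._log(guest, "login-ok" if ok else "login-fail", guest, now, ip)
        return ok
    def extend(self, sponsor, pw, guest, hours, now):
        self._sponsor(sponsor, pw)
        self.accounts[guest].valid_until += hours * 3600
        self._log(sponsor, f"extend:{hours}h", guest, now)
    def suspend(self, sponsor, pw, guest, now):
        self._sponsor(sponsor, pw)
        self.accounts[guest].suspended = True
        self._log(sponsor, "suspend", guest, now)
```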
Guest Access Walkthrough - Sponsor
1. Sponsor accesses Cisco NAC Guest Server, e.g. http://guests.yourcompany.com
2. Sponsor authenticates using corporate credentials
3. Sponsor creates account on the Cisco NAC Guest Server
4. Sponsor gives guest account details (email/print/SMS)
[Diagram: Guest, Sponsor, Active Directory, Cisco NAC Guest Server]
Guest Access Walkthrough - Guest
1. Guest opens Web browser
2. Web traffic is intercepted by Wireless LAN Controller and redirected to login page (captive portal)
3. Guest logs in with details provided by sponsor
4. WLC authenticates user against guest server using RADIUS
5. Guest can now access the internet
6. Guest access recorded
[Diagram: Guest, Internet, Wireless Access Point, Wireless LAN Controller, Active Directory, Cisco NAC Guest Server]
Additional Resources
Product information at:
www.cisco.com/go/nac/appliance