Presented by MPIRIRWE BYANAGWA STEPHEN

idleheadedcelery
Mobile – Wireless Technologies

10 Dec 2013 (3 years and 8 months ago)


An approach to computer network security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication and network security enforcement.



Aim: to control endpoint security by unifying it with network device security and the whole network.

Result: End devices that do not comply with the set security policies are identified and quarantined.


What you can do = Who You Are + Where You Are Coming From + How Well You Comply with Policy

Darn… We just summarized NAC in one slide. What else is there to talk about?


Network Access Control (NAC) checks
computers accessing your network to ensure
full compliance with your security policies.
NAC makes sure computers, including
roaming laptops, are running antivirus,
firewalls, and other security applications. It
also makes sure that OS service packs are up to
date and that Windows Update is active.


Pre-admission vs post-admission enforcement



Agent vs agentless data collection

Agent software runs on the endpoint and reports its status.

Agentless devices

Some devices do not support NAC agent software, e.g., printers, scanners, phones, photocopiers, and other special devices.

NAC uses scanning and network inventory techniques (whitelisting, blacklisting, ACLs) to discern those characteristics remotely.


Out-of-band vs inline solutions

Inline: A single box acts as an internal firewall for access-layer networks and enforces the policy.

Out-of-band: Agents on end-stations report information to a central console, which in turn controls switches to enforce policy.

Quarantine vs captive portals for remediation

Quarantine: A non-compliant end-station is only allowed to access a restricted network with patch and update servers.

Captive portals: The captive portal technique forces an HTTP client on a network to see a special web page before gaining full access.

In NAC, a captive portal intercepts HTTP access to web pages, redirecting users to a web application that provides instructions and tools for updating their computers.



Endpoints that do not comply with established
security policies pose a threat and can
introduce a security risk into the network.



Goal of NAC: to prevent vulnerable and noncompliant hosts from obtaining network access.

1. Authentication of the user: End users are authenticated before getting network access.

2. Use environmental information as part of policy decision making: Where is the user coming from? When is the access request occurring? What is the endpoint security posture of the end point?

3. Control usage based on capabilities of hardware and security policy: Allow or deny access. Put the user on a VLAN. Send the user to remediation. Apply ACLs or firewall rules.

4. Manage it all: Usable management and cross-platform NAC normalization.


802.1X port-based authentication (via RADIUS)

MAC-based authentication (via RADIUS)

Web-based authentication

Static port/MAC configuration

Dynamic port/MAC configuration (SNMP)

Kerberos snooping

Method: 802.1X
Conclusions: If all requirements are fulfilled, 802.1X offers a very scalable and dynamic identification with a high level of security at the switch port.
Benefits:
• Standard for current systems
• Centralized administration
• Real-time detection
• High level of security
• Good scalability
• Additional information (user, host)
Disadvantages:
• Many requirements
• Subsequent upgrade expensive

Method: MAC
Conclusions: This method is a solution for special end systems. It is better than static port/MAC assignment since dynamics and scalability are the same as for 802.1X.
Benefits:
• Standard for current systems
• Centralized administration
• Real-time detection
• Good scalability
Disadvantages:
• Many requirements
• Low security
• Additional information is limited

Method: Web
Conclusions: This method is more an addition than a complete authentication method. It simplifies the administrative effort for guests and allows access to older devices.
Benefits:
• Centralized administration
• Real-time detection
• Good scalability
Disadvantages:
• Additional service administration
• Additional registration portal
• Insecure quarantine

Makerere’s NAC is based on Sophos NAC and Sophos Advanced NAC.


Sophos NAC Advanced provides comprehensive and easy-to-deploy enterprise-ready network access control (NAC).

It allows administrators to define and centrally manage security policies to identify and isolate all non-compliant, compromised or misconfigured computers accessing the corporate network.

It seamlessly integrates with existing network infrastructures and security applications from a wide range of vendors.


Compliance, e.g. right software and up-to-date patches


Monitoring and reporting


Increased security and policy deployment


Management and control e.g. remote scans,
protect installations from removal, remote
policy deployment.


Total security.



Detect and fix managed endpoint
vulnerabilities


Make sure guest computers meet your security
requirements before they access your network


Prevent unauthorized computers from
accessing the network


Get standard reporting on endpoint policy
compliance


Available from the Endpoint Protection management console



An installed agent provides comprehensive compliance assessment and enforcement of managed computers, both prior to and during a network session.

A web agent provides comprehensive compliance assessment prior to network access for remote or LAN-based unmanaged computers, or on managed computers when an agent is not practical.

DHCP enforcement protects the network from unauthorised computers connecting to the corporate LAN using an enterprise’s existing DHCP infrastructure.

IEEE 802.1X enforcement stops unauthorised computers connecting to the LAN.

RADIUS enforcement protects the network from non-compliant laptops by providing enforcement prior to opening IPSec, SSL-VPN, or wireless connections.

An intuitive web interface offers extensive policy-building capabilities, flexible enforcement control and extensive reporting and alerting features.


Administrators can define and manage unique policies for detecting operating system patches, security applications and signature updates across all computers.

Scans can detect installation, last engine scan date/time, signature file date/time, running detection processes, real-time protection status, and version/value.

Administrators can choose whether unauthorised or non-compliant computers are isolated, quarantined for remediation, automatically remediated or sent alerts.

Policies can be customised to ensure no unwanted applications are run.

A customisable landing page provides immediate, easy-to-view NAC compliance statistics.

Custom application creation and enforcement enables administrators to respond rapidly to unforeseen threats. Point-and-click contextual operating system patch definitions save administrators hours of configuration time.

Simple, central policy mode control enables enforcement steps to be phased in from Report Only, through Remediate, to Enforce, avoiding an all-or-nothing approach and providing optimum control and ease of policy deployment during each stage of implementation.
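The decision loop the slides describe ("who you are + where you come from + how well you comply", the scan attributes an agent reports, and the Report Only / Remediate / Enforce phases) as an added Python example; this is illustrative code written for this page, not Sophos NAC's own logic, and the posture fields, the 7-day signature threshold and the location labels are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple

# Hypothetical policy threshold (not from the slides): how old AV signatures may be.
MAX_SIGNATURE_AGE_DAYS = 7

class Mode(Enum):
    """The three policy modes the slides phase in: Report Only -> Remediate -> Enforce."""
    REPORT_ONLY = "report_only"
    REMEDIATE = "remediate"
    ENFORCE = "enforce"

@dataclass
class Posture:
    """Constructed sample of what an agent or scan reports about one endpoint."""
    user_authenticated: bool   # who you are (identity is checked before posture)
    location: str              # where you come from: "lan", "vpn" or "guest_wifi" (hypothetical labels)
    av_installed: bool
    realtime_protection: bool
    signature_age_days: int
    os_patches_current: bool
    firewall_enabled: bool

def compliance_failures(p: Posture) -> List[str]:
    """How well you comply: every policy check the endpoint fails (empty list = compliant)."""
    checks = [
        (not p.av_installed, "antivirus not installed"),
        (p.av_installed and not p.realtime_protection, "real-time protection off"),
        (p.signature_age_days > MAX_SIGNATURE_AGE_DAYS, "signatures stale"),
        (not p.os_patches_current, "OS patches missing"),
        (not p.firewall_enabled, "firewall disabled"),
    ]
    return [msg for failed, msg in checks if failed]

def decide(p: Posture, mode: Mode) -> Tuple[str, List[str]]:
    """Combine identity, location and compliance into an access action plus the reasons for it."""
    if not p.user_authenticated:
        return "deny", ["user not authenticated"]      # pre-admission: no identity, no network
    failures = compliance_failures(p)
    if p.location == "guest_wifi":
        return "vlan:guest", failures                  # guests land on a restricted VLAN regardless
    if not failures:
        return "allow", []
    if mode is Mode.REPORT_ONLY:
        return "allow", failures                       # phase 1: admit, but record the failures
    if mode is Mode.REMEDIATE:
        return "quarantine:remediation", failures      # phase 2: restricted net with patch servers
    return "deny", failures                            # phase 3 (Enforce): blocked until fixed
```

Running the same non-compliant posture through all three modes shows how the phased rollout changes the outcome without changing the policy itself.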


Installing NAC and other software, i.e.:

Compliance dissolver

Web agent for guests and unmanaged users

DHCP enforcer + authentication methods

Verifying the NAC URL server address.

Accessing the NAC Manager: The NAC Manager provides a centralized location for policy definition and endpoint compliance reporting.

NAC policy customisation

Sophos Ent. Config + compliance agent deployment

Phased deployment: Report only, Remediate, Enforcement.



Endpoint Security

Fast and effective antivirus: Delivers complete protection against today’s threats. Protect and manage all your platforms: Windows, OS X, Linux, UNIX, and virtualized environments from a single console.

Reduce the risk of data loss and malware infection with built-in control of removable devices like USB keys, drives and wireless networking devices.

Active application control: Control the apps that can cause security, legal, productivity or bandwidth problems. Our unique Active Protection approach means we provide and maintain detection of hundreds of Windows applications so you don’t have to.

Threat-aware patch assessment: Use our Windows endpoint agent to prioritize the really critical threat-related patches for popular apps including Microsoft, Adobe, Apple and Java.



Mobile Device Management

We make BYOD easy and affordable with easy-to-implement mobile device management (MDM). It lets you secure and manage all your users’ devices: iPhones, iPads, Android, BlackBerry, Windows Phone.

Complete smartphone and tablet control

Quickly establish policies for giving access to corporate email and data, lock or wipe lost or stolen devices, and manage apps.

Convenient enterprise app store

Easily manage apps with your own enterprise app store to publish and push apps users need while blocking the ones they don't.

Lightweight mobile antivirus

Protect your users and your data from the growing threat of malicious Android apps. Our Android security app checks for malicious apps and stops them from becoming a problem.



Web Protection

The web is the number one source of malware and threats, which is why we’ve integrated advanced web protection into the endpoint agent. You get the best web threat detection and malicious site protection available, wherever users go.

Safe browsing, built-in web security

Advanced web threat detection is integrated right into the endpoint agent, which scans for malicious web code at the network layer before it’s passed to the browser.

Block inappropriate content, web filtering

Set a smart surfing policy for the 14 most inappropriate site categories, right from within our console. Policy is enforced on the endpoint, wherever your users go.

Data Protection

Your confidential data needs protection, and you've got to prove it’s protected to the regulators. With a combination of data control with full-disk encryption, along with granular device control and application control, you can easily implement a comprehensive data protection strategy, all for the same price as your threat protection.

Proven encryption

Encryption is quick, easy and proven to secure your sensitive files. If you need full-disk encryption, that's available too as part of our End-user Data Suite.

Built-in data control

Our unique and simple approach to DLP integrates the scanning for sensitive information into our endpoint engine, making it easy for you to configure, deploy and manage.



Network Protection

A firewall is an essential component of any network infrastructure. And if you have users on the move, they need business-grade firewall protection that travels with them. At the same time, you can’t just let any old computer onto your network. Control who qualifies for access with NAC.

Windows Client firewall

Our client firewall protects your users from hackers, intrusions and rogue applications calling home. It’s centrally managed and integrated into our single Windows endpoint agent.

Integrated Network Access Control

Our Network Access Control (NAC) checks Windows computers accessing your network to ensure full compliance with your security policies before they join.

Email Protection

Your mail server is an equally important part of your infrastructure and a major point of attack for spam and threats. That’s why we offer essential protection for your users’ email too.

Proven security for Microsoft Exchange

You get the latest email protection for Microsoft Exchange to block spam, viruses, spyware and phishing. It scans all inbound, outbound and Exchange message stores.


What’s done?

NAC demo

Users currently installed

NAC policy templates

NAC products

Etc. …


Enforcement not ready due to lack of the DHCP enforcer (Windows s/w), RADIUS and IEEE 802.xx. They are supposed to be installed on the DHCP server, which is presently Linux based.

Heterogeneous and complex network structure affects detection, deployment and enforcement.

Lack of adequate training, especially in security.

Lack of enough exposure to best practices.



There is a great need to look at internal security as a threat.

There is a need for capacity building, especially in security for the systems unit.

There is a need for benchmarking.

Everyone must get involved.


