Introducing Mirage NAC

Risk Management using Network
Access Control and Endpoint
Control for the Enterprise
Kurtis E. Minder – Mirage Networks
2
- CONFIDENTIAL -
Agenda
Drivers of NAC
Key Elements of NAC Solutions
 Identify
 Assess
 Monitor
 Mitigate
NAC Landscape
Business Needs Drive Security Adoption
3 Ubiquitous Security technologies
 Anti-virus - Business driver: File sharing
 Firewalls - Business driver: Interconnecting networks (i.e. Internet)
 VPNs - Business driver: Remote connectivity
Today’s top security driver - Mobile PCs and devices
 Broadband access is everywhere
 Increased percentage of the time devices spend on unprotected
networks
 Perimeter security is rendered less effective because mobile
devices bypass it and aren’t protected by it
Mobility of IP devices is driving the need for Network
Access Control solutions
 Leading source of network infections
 More unmanaged devices on the network than ever - guest and
personal devices
The Traditional Approach to Network
Security Isn’t Enough
The Problem NAC Should Address
Today, endpoint devices represent the greatest risk to network security — by propagating threats or being vulnerable to them.
“Because of worms and other threats, you can no longer leave your networks open to unscreened devices and users. By year-end 2007, 80 percent of enterprises will have implemented network access control policies and procedures.” - Gartner, Protect Your Resources With a Network Access Control Process
Infected Devices propagate threats, resulting in loss of productivity & hours of cleanup
Unknown Devices like home PCs, contractor PCs, & WiFi phones can introduce new threats or compromise data security
Out-of-Policy Devices are more vulnerable to malware attacks, while running services that could jeopardize security
The Cost
(Figure not recoverable from the text. Sources: 1 mi2g Intelligence Unit, Malware Damage in 2004; 2 ICSA Labs, 9th Annual Computer Virus Prevalence Survey)
The Numbers Tell the Story
“Protection” is in place…
98% use firewalls [1]
97% of companies protect machines with antivirus software [1]
79% use anti-spyware [1]
61% use email monitoring software [1]
But it’s not enough!
Cost of malware: $14.2B [2]
80% of companies experienced 1 or more successful attacks, 30% had more than 10 [3]
Average net loss for malware incidents in US companies is nearly $168,000 per year [1]
Worldwide, 32% of companies experience attacks involving business partners; 43% of those were infections, while 27% were unauthorized access [4]
75% of enterprises will be infected with malware that evaded traditional defenses [5]
Sources:
[1] Computer Security Institute/FBI’s 2006 Computer Crime and Security Survey
[2] Computer Economics, 2006
[3] ICSA Labs, 9th Annual Computer Virus Prevalence Survey
[4] Cybertrust, Risky Business, September 2006
[5] Gartner, Gartner’s Top Predictions for IT Organizations and Users, 2007 & Beyond, December 2006
The Problem is Expected to Get Worse
2006 Statistics
Steep increase in the number of software security vulnerabilities
discovered by researchers and actively exploited by criminals
Microsoft Corp issued fixes for 97 (versus 37 in 2005) security holes
assigned the "critical" label
14 of the critical holes became "zero day" threats.
Experts worry that businesses will be slow to switch to Vista.
Pre-Vista MS Office is expected to remain in widespread use for the next
5-10 years.
Source: Washington Post, Dec 2006, Cyber Crime Hits the Big Time in 2006
NAC Market Expectations
NAC Appliance vendors will sell $660m
worldwide in 2008
NAC Appliances will gain 17% worldwide
share of the NAC market by 2008, up from 6%
in 2005
Research reveals World Network Access
Control (NAC) Products and Architectures
Markets earned revenues of over $85 million
in 2006 and estimates this to reach over $600
million in 2013
Gartner estimates that the NAC market was
$100M in 2006 and will grow by over 100% by
YE 2007
Increasing Number of Targets to Protect
Sans Institute 2006 Top Attack Targets*
Operating Systems
Cross Platform Applications
Internet Explorer
Web Applications
Windows Libraries
Database Software
Microsoft Office
P2P File Sharing Applications
Windows Services
Instant Messaging
Windows Configuration Weaknesses
Media Players
Mac OSX
DNS Servers
Linux Configuration Weaknesses
Backup Software
Network Devices
VoIP Phones & Servers
Network & Other Devices Common
Configuration Weaknesses
Security, Enterprise, and Directory
Management Servers
Security Policy & Personnel
Excessive User Rights & Unauthorized
Devices
Users (Phishing/Spear Phishing)
* SANS Institute Top 20 Internet Security Attack Targets (2006 Annual Update), v7.0, 11.15.06
What Class of NAC Solutions to Deploy?
(pie chart; Aberdeen Research, 2006)
 Both: 60%
 Pre-admission (at network connect): 30%
 Post-admission (continuous monitoring): 7%
 Don't know: 3%
Top Drivers Influencing NAC Solutions
(bar chart, % of respondents, all respondents; Aberdeen Research, 2006)
 Reduce incidents of malware propagation: 59%
 Control network access for staff, partners and contractors: 53%
 Enforce endpoint software configurations: 42%
 Enforce security policy compliance: 41%
 Improve network uptime: 24%
 Reduce time required to recover from malware outbreak: 22%
 Automate remediation of policy / configuration violations: 17%
 Improve endpoint visibility: 12%
 Reduce IT operations cost: 12%
 Meet regulatory requirements: 11%
Top Features Required in a NAC Solution
(bar chart, % of respondents, all respondents; Aberdeen Research, 2006)
 Day zero malware control: 37%
 Integration with current network infrastructure: 34%
 Identity-based control: 30%
 Prevent infection of your endpoints by remote control,…: 28%
 Ease of management: 24%
 Network infrastructure independent: 23%
 Endpoint configuration posture check (continuous/ongoing): 19%
 Ease of deployment: 17%
 Endpoint configuration posture check (on admission): 16%
 Redirection of users to remediation resources: 14%
 Visibility to endpoint threats: 14%
 Reporting: 12%
 Scalability / fault tolerance: 11%
 Threat propagation detection / IDS: 7%
 Visibility to endpoint configurations: 6%
Key Elements of NAC Solutions
Common NAC Elements
NAC is an evolving space with evolving capabilities
NAC solution elements - some or all
 Identify - Detect & authenticate new devices
 Assess - Endpoint integrity checks to determine levels of risk and
adherence to security policy
 Monitor - Watch the device’s activity for change of assessed state
with respect to policy and threat status
 Mitigate - Take appropriate action upon any device that is identified
as a security risk by previous three elements
Identify - Find/Authenticate New Devices
Question - How do you know when a new device comes on the
network? Is it a known or unknown device? Is it an authenticated user?
Common approaches
 Leverage 802.1x or network infrastructure OS
• Authenticate through existing EAP infrastructure to pass credentials to
authentication server
 Special purpose DHCP server
• Authentication usually web based and tied to authentication server
 Authentication proxy
• NAC solution serves as a proxy between device and authentication server
 Inline security appliances (i.e. security switches)
• Serve as a proxy between device and authentication server
 Real time network awareness
• Authentication usually web based and tied to authentication server
All approaches trigger off entry on the network by a new IP device
Identify - Pros & Cons of Various
Approaches
802.1x approach
 Pros: Device detected and authenticated prior to IP address
assignment
 Cons: Often is a costly and time consuming installation
• Requires switch upgrade/reconfiguration
• Endpoints must be 802.1x enabled - requires supplicant software
• Must create guest/remediation VLANs
DHCP approach
 Pros: Easier to deploy, independent of network infrastructure,
covers both managed and unmanaged devices
 Cons: Bypassed by static IP address assignment, remediation
typically to a broadcast VLAN (cross infection risk)
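The static-IP gap noted above is straightforward to check from an out-of-band vantage point. The following is an added example (not Mirage's code nor any vendor's product logic) that compares a DHCP server's lease table with the hosts a sensor actually sees talking on the segment: any host observed without an unexpired lease, or whose MAC differs from the one the lease was issued to, reached the network without passing through the DHCP admission hook. The Lease and Observation types, the addresses and the timestamps are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    expires: datetime


@dataclass(frozen=True)
class Observation:
    ip: str
    mac: str
    seen_at: datetime


def find_unleased_hosts(leases, observations, now):
    """Return [(observation, reason)] for hosts no valid DHCP lease accounts for.

    A host is flagged when its IP has no unexpired lease, or when the MAC seen
    on the wire differs from the MAC the lease was issued to. Either way the
    device reached the segment without going through the DHCP-based check
    (static assignment, or an address taken over from another lease)."""
    active = {lease.ip: lease for lease in leases if lease.expires > now}
    flagged = []
    for obs in observations:
        lease = active.get(obs.ip)
        if lease is None:
            flagged.append((obs, "no active DHCP lease"))
        elif lease.mac.lower() != obs.mac.lower():
            flagged.append((obs, f"lease issued to {lease.mac}, seen from {obs.mac}"))
    return flagged


# Constructed sample data (hypothetical addresses, not from any real network).
NOW = datetime(2007, 3, 1, 9, 0, 0)
SAMPLE_LEASES = [
    Lease("10.0.0.11", "00:11:22:33:44:01", NOW + timedelta(hours=8)),
    Lease("10.0.0.12", "00:11:22:33:44:02", NOW + timedelta(hours=8)),
    Lease("10.0.0.13", "00:11:22:33:44:03", NOW - timedelta(hours=1)),  # expired lease
]
SAMPLE_OBSERVATIONS = [
    Observation("10.0.0.11", "00:11:22:33:44:01", NOW),   # matches its lease: fine
    Observation("10.0.0.12", "00:11:22:33:44:99", NOW),   # lease exists, different MAC
    Observation("10.0.0.13", "00:11:22:33:44:03", NOW),   # lease has expired
    Observation("10.0.0.250", "00:11:22:33:44:50", NOW),  # static IP, never asked DHCP
]


def unleased_ips(leases=SAMPLE_LEASES, observations=SAMPLE_OBSERVATIONS, now=NOW):
    """Convenience wrapper returning just the flagged IPs, in observation order."""
    return [obs.ip for obs, _ in find_unleased_hosts(leases, observations, now)]


if __name__ == "__main__":
    for obs, reason in find_unleased_hosts(SAMPLE_LEASES, SAMPLE_OBSERVATIONS, NOW):
        print(f"{obs.ip} ({obs.mac}): {reason}")
```

The lease table and the observations would normally come from the DHCP server's lease file and from ARP or flow data collected by the sensor; the comparison itself does not change. Hosts flagged this way are exactly the "unknown devices" the DHCP approach alone cannot put in front of an integrity check.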
Identify - Pros & Cons of Various
Approaches cont.
Authentication proxy
 Pros: Good hook for checking managed devices
 Cons: Unknown devices may never authenticate, but still could
have network access; may not check all IP devices
In-line security appliance/switch
 Pros: Sees all devices both managed and unmanaged and doesn’t
require agent based software
 Cons: If it is not inline with, or does not replace the access switch
then it will not see the device as it comes on the network
Out of band appliances with network awareness
 Pros: Sees all devices as they enter the network both managed
and unmanaged; easier to implement than many of the other
approaches
 Cons: May require switch integration for mitigation of problems
Assess
Assess Endpoint Integrity
Question: Even if a device is allowed on my network, how
do I ensure it meets my security policies and risk
tolerance?
Answer: Endpoint integrity checks
 Operating system identification and validation checks
• Typically requires an agent
• Must establish a policy relating to acceptable patch level (latest patch
on company SMS server, no older than X months, most recent patch
available from software vendor)
• What do you do for unknown devices? Usually requires an agent for
these checks
 Security software checks - AV, personal firewall, spyware, etc.
• Is it up and running
• Is it in the right configuration
• Is it up to date - both the software and the database
• Usually requires an agent for these checks
Assess Endpoint Integrity cont.
Endpoint integrity checks cont.
 Endpoint configuration - find unauthorized servers and services
• Web servers, FTP servers, mail servers, etc.
• Vulnerable or high risk ports, i.e. port 445 exploited by Zotob
• These checks can be done from the network or with an agent
 Threat detection
• Scan the device for active infections or backdoors
• Not commonly implemented on entry to the network
– Too much latency
– Risk profile substituted for deep scans (i.e. AV is up to date and had a
current scan)
Elements for endpoint integrity checks
 Network scanning server (Optional)
 Endpoint software - permanent or transient (Optional)
 Policy server (Required) - must have somewhere to define what is
allowed/disallowed
Monitor
Monitoring Post Network Entry
The forgotten element of Network Access Control
 Why is monitoring a critical element of NAC?
• Can’t effectively check for all threats on entry - takes too long
• Security policy state can change post entry - users initiate FTP after
access is granted
• Infection can occur post entry - e-mail and web threats can change
security state of the device
 What Gartner says in their paper “Protect Your Resources With a
Network Access Control Process”
• “The network traffic and security state of systems that are connected to
the network must be monitored for anomalous behavior or system
changes that bring them out of compliance with security policies.”
Why isn’t this simply another network security function?
 Monitoring is both for threats and policy adherence - takes
advantage of policy definition of NAC solution
 Works hand in hand with NAC quarantine services
Traditional Approach to Network Security
Traditional Approach
• Firewall/IPS at the Perimeter
• AV, HIDS/HIPS on the Endpoint
External Environment
• New technologies
• New threats
• Regulatory requirements
This approach leaves a soft underbelly through
which unmanaged, out-of-policy and infected
endpoints can easily gain access.
Exploiting the Network’s Weakness
Infected endpoints bypass the perimeter… generating rapidly propagating threats that take over a network in minutes… bringing business to a halt and creating costly cleanup.
Monitoring Approaches
Agent based approaches
 Host Intrusion Prevention Systems
 Personal firewalls
 Both require integration with a network policy server to be an element of
NAC
 Doesn’t cover unknown/unmanaged/unmanageable devices
Network based approaches
 In-line: Typically evolution of IPS vendors into NAC capabilities; also
includes Network Based Anomaly Detection (NBAD) vendors
 Out-of-band: Most commonly NBAD and old Distributed Denial of Service
(DDoS) security vendors
Key considerations
 Does the security device watch for policy violations as well as threats?
 Does it see devices as they enter the network?
 Can they work across both voice and data networks without negatively
impacting quality and performance?
 What is the management overhead associated with both approaches?
Mitigate
Mitigation Approaches for NAC
Two elements for NAC mitigation
 Quarantine capabilities (required)
• On-entry restrict access for devices not meeting requirements
• Post-entry take a device off the network and send to quarantine zone if
they violate policy or propagate a threat
• Ideally should be able to assign to different quarantine server based on
problem, i.e. registration server for guests, AV scanner for infected
devices, etc.
 Remediation services for identified problems (optional)
• Additional diagnostic tools for deeper checks
– Vulnerability scanners
– AV scanners, etc.
• Tools for fixing identified problems
– OS patch links
– AV signature update and malware removal tools
– Registration pages for unknown devices
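The Assess, Monitor and Mitigate slides above describe one pipeline: a policy server defines what is allowed, an integrity check produces findings, and the quarantine step routes the device to a destination chosen by the kind of problem (registration page for unknown devices, AV scanner for infected ones, remediation resources for the rest). The following is an added example, not Mirage's code nor any NAC vendor's implementation, that puts those three steps in one place; the Endpoint and Policy fields, the quarantine destination names and the sample hosts are all assumptions made for illustration. The same assess() function is reused for the post-entry re-check, which is the Monitor step: a device allowed on entry that later starts an FTP service is re-evaluated and moved to remediation.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass
class Endpoint:
    host: str
    authenticated: bool             # known user/device, or an unknown guest?
    os_patch_date: Optional[date]   # date of the newest installed OS patch
    av_running: bool
    av_signature_date: Optional[date]
    listening_ports: Set[int]       # services observed from the network


@dataclass
class Policy:
    max_patch_age_days: int = 90            # "no older than X months"
    max_av_signature_age_days: int = 7
    forbidden_ports: Set[int] = field(default_factory=lambda: {21, 25, 80, 445})


# Quarantine destinations, one per kind of problem (hypothetical names).
ALLOW = "allow"
Q_REGISTRATION = "quarantine:registration-portal"
Q_AV_SCANNER = "quarantine:av-scanner"
Q_REMEDIATION = "quarantine:remediation-portal"


def assess(ep: Endpoint, policy: Policy, today: date) -> Tuple[str, List[str]]:
    """Evaluate one endpoint against the policy and return (decision, findings).

    Unknown devices go straight to registration; antivirus problems route to
    the AV scanner; patch level and unauthorized services route to the
    remediation portal; a clean, authenticated device is allowed."""
    if not ep.authenticated:
        return Q_REGISTRATION, ["unknown / unauthenticated device"]

    av_findings: List[str] = []
    other_findings: List[str] = []

    if not ep.av_running:
        av_findings.append("antivirus not running")
    elif ep.av_signature_date is None or \
            (today - ep.av_signature_date).days > policy.max_av_signature_age_days:
        av_findings.append("antivirus signatures stale")

    if ep.os_patch_date is None or \
            (today - ep.os_patch_date).days > policy.max_patch_age_days:
        other_findings.append("OS patch level older than policy allows")

    bad_ports = sorted(ep.listening_ports & policy.forbidden_ports)
    if bad_ports:
        other_findings.append(f"unauthorized services on ports {bad_ports}")

    findings = av_findings + other_findings
    if av_findings:
        return Q_AV_SCANNER, findings
    if other_findings:
        return Q_REMEDIATION, findings
    return ALLOW, findings


# Constructed sample endpoints (hypothetical hosts and dates).
TODAY = date(2007, 3, 1)
POLICY = Policy()
SAMPLE = {
    "guest-laptop": Endpoint("guest-laptop", False, None, False, None, set()),
    "sales-pc": Endpoint("sales-pc", True, date(2007, 2, 20), True, date(2007, 2, 28), {135, 139}),
    "lab-box": Endpoint("lab-box", True, date(2006, 10, 1), True, date(2007, 2, 28), {445}),
    "stale-av": Endpoint("stale-av", True, date(2007, 2, 20), True, date(2007, 1, 1), set()),
}


def decisions(sample=SAMPLE, policy=POLICY, today=TODAY):
    """On-entry decision for each sample host, keyed by hostname."""
    return {name: assess(ep, policy, today)[0] for name, ep in sample.items()}


def post_entry_recheck(today=TODAY):
    """Monitor step: the same check re-run when a device's state changes.

    sales-pc is allowed on entry; it then starts an FTP service (port 21),
    so the re-assessment moves it to the remediation portal."""
    ep = SAMPLE["sales-pc"]
    before = assess(ep, POLICY, today)[0]
    changed = Endpoint(ep.host, ep.authenticated, ep.os_patch_date, ep.av_running,
                       ep.av_signature_date, ep.listening_ports | {21})
    after = assess(changed, POLICY, today)[0]
    return before, after
```

The ordering of the routing rules is the design decision worth noting: an infected or unprotected device is sent to the AV scanner even when it also has patch or service findings, because cross-infection from it is the more urgent risk, and the remediation portal only sees devices whose antivirus state is already acceptable.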
Quarantine Approaches
DHCP integration
 Uses DHCP process for identification and endpoint integrity checks
on entry to the network.
 Pros: Assigns appropriate IP and VLAN according to their risk level
 Cons: After IP address is assigned they don’t have an independent
quarantine capability; Static IPs bypass their enforcement
Switch integration
 Uses either ACLs or 802.1x
 ACLs - not commonly used because of negative performance
impact and access requirements in the network
 802.1x - forces device to re-authenticate and assigns new VLAN
 Pros: Effective both pre and post admission, uses standards based
approach in 802.1x
 Cons: Can negatively impact switch performance; Usually not
granular in quarantine server assignment; If using broadcast
quarantine VLAN there is a cross-infection risk
Quarantine Approaches cont.
In-line blocking with web redirect
 Pros: Improved performance over ACLs; Can granularly block
suspect traffic; has the capability of sending web traffic to
appropriate quarantine server based on problem
 Cons: Doesn’t see downstream traffic so can only block and
redirect traffic that comes through it; May require additional
integration with network for mitigation because of this
ARP management
 Security appliance selectively goes inline for a single host and
becomes its default gateway by ARP manipulation
 Pros: No network integration required for full quarantine
capabilities; enables surgical, problem specific quarantine without
cross-infection risk; effective both pre and post admission
 Cons: If implemented improperly network equipment can
misidentify this as an attack and drop this traffic
Today’s NAC Landscape
Evolving proprietary standards
 Cisco Network Admission Control (CNAC)
• Three critical elements - Cisco Trust Agent (CTA), updated Network Access
Device (NAD), Cisco Access Control Server (ACS)
• Integration with endpoint agents to communicate with ACS regarding
appropriate access level to the network
 Microsoft Network Access Protection (NAP)
• Available in Vista
• Endpoint needs System Health Agent (SHA)
• SHA reports to System Health Validator (SHV) to do policy checks
• Network isolation through enforcement integrations
– DHCP Quarantine Enforcement Server (QES)
– VPN QES
– 802.1x
Trusted Network Connect open standard
 TNC compliant client required on endpoints
 Policy Decision Point (PDP) for security policy comparisons
 Policy Enforcement Point (PEP) for quarantining
Summary
NAC is an evolving technology space
Know what problems are most important to address
 Unknown/unauthenticated user control
 Policy enforcement for endpoints
 Preventing threats on your network
Understand implementation tradeoffs
 Quarantine flexibility
 Performance impact
 Cost of solution
 IT effort to implement
Keep track of early evolving standards
About Mirage
Background & Key Accomplishments
Company Highlights
 First GA Product: January, 2004, V3 Launched in July, 2006
 Acquisition of WholePoint Corporation - Dec 04
 1 NAC Patent Granted; 10 Pending
Customer/Partner Momentum
 1100+ units sold and deployed
 350+ Production Customers
 Key Verticals: EDU, H/C, FIN, TEC, MFG, S&L, PRO
 120 Channel Partners (93% of Revenues)
 Strategic Relationships: IBM/ISS, Extreme, Mitsui, AT&T, Avaya
Industry Recognition
 Info Security Hot Companies 2007
 Best Anti-Worm, Anti-Malware, SC Magazine/RSA 2006
 InfoSecurity Customer Trust Product Excellence Award, 2006
 Software Development magazine: four star product review, May 2005
Mirage Networks Management Team
Greg Stock, President & CEO
 Manugistics, Vastera, e-security, IBM
Thomas Brand, VP, WW Field Operations
 Vastera, Toyota, Chrysler
David Thomas, VP, Products
 NovusEdge, Vignette, IBM
Michael D’Eath, VP, Business Development
 Waveset, Tivoli, Novell
Grant Hartline, CTO
 Cisco, Dell, NEC
David Settle, CFO
 Exterprise, Dazel, Convex Computer Corp
Mirage Board of Directors/Investors
Greg Stock, Mirage Networks
Tim McAdam, Trinity Ventures
Martin Neath, Adams Capital
Bill Bock, CFO, Silicon Labs
George Kurtz, EVP McAfee
Howard Schmidt, Former CISO EBAY, Microsoft
Strategic Partners
IBM Internet Security Systems (formerly ISS) has formed an alliance with
Mirage Networks to provide Network Access Control to global enterprise
customers. (Signed November, 2006)
Extreme Networks provides organizations with the resiliency, adaptability
and simplicity required for a truly converged network that supports voice,
video and data over a wired or wireless infrastructure, while delivering
high-performance and advanced security features. (Signed March, 2005)
Mitsui Bussan Secure Directions, a subsidiary of Mitsui & Co., Ltd. - one
of the world’s most diversified and comprehensive trading and services
companies - powers Mirage NAC sales in the Japanese marketplace.
(Signed October, 2004)
AT&T resells Mirage NAC in its managed services portfolio. Marketed as
AT&T Managed IPS™, it represents the AT&T commitment to enabling
business to be conducted effectively, efficiently and securely across both
wired and wireless IP networks. (Signed March, 2005)
Part of the Avaya DevConnect Program, Mirage works with Avaya to
develop world-class interior network defense solutions, particularly for
emerging IP telephony technology.
Selected Customers
(customer logos grouped by vertical: Finance, Government, Healthcare, Professional Services, Higher Education, K-12, Manufacturing, Other)
Mirage Networks Endpoint Control
Network Access Control
• Comprehensive Endpoint Control
• On-entry Risk Assessment
• Policy Enforcement
• IP Telephony Enabled
• Wireless Support
• Out-of-Band
• Agentless
Policy Enforcement
• Surgical Quarantining
• Customized remediation
• Infrastructure-Independent
• No Network Re-architecture
• Flexible Self-Remediation Options
• ARP Management - No VLAN of Death
Day-Zero Threat Protection
• Patented Behavioral Technology
• No Signatures, No Updates
• Leverages Dark IP Space
• Minimal False Positives
• Customized Policies
• Day Zero
Network Intelligence
• Central Mgmt
• Asset Tracking
• Network Visibility
• Executive Reports
• Cross Network Correlation
• Compliance & Audit Support
Behavioral Rules Example: Threat Propagation
Mirage continually monitors the dark IP space on the network. When a device attempts to connect to multiple dark IPs, Mirage’s behavioral rules immediately identify this as an attack and quarantine the offending device.
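The rule described on this slide is a behavioral one: it needs no signature, only the knowledge of which addresses in a monitored subnet are not allocated to anything. The following is an added example of that detection logic, written here for illustration and not Mirage's code or any description of its product internals; the threshold, the window, the addresses and the flow log are all constructed. It replays a small flow log and quarantines a source once it has touched a configurable number of distinct dark addresses within a sliding time window, while a single mistyped address or a very slow probe stays below the threshold.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


class DarkIPMonitor:
    """Flag hosts that touch many distinct dark addresses in a short window.

    'Dark' means an address inside a monitored subnet that is not allocated to
    any real device. Legitimate traffic has no reason to go there, so a host
    that probes several dark addresses in quick succession is behaving like a
    scanning worm, whatever payload it carries."""

    def __init__(self, monitored_nets, allocated_ips, threshold=5, window_seconds=60):
        self.nets = [ip_network(n) for n in monitored_nets]
        self.allocated = {ip_address(ip) for ip in allocated_ips}
        self.threshold = threshold
        self.window = window_seconds
        self.hits = defaultdict(deque)   # src -> deque of (timestamp, dark dst)
        self.quarantined = set()

    def is_dark(self, dst):
        addr = ip_address(dst)
        return addr not in self.allocated and any(addr in net for net in self.nets)

    def observe(self, ts, src, dst):
        """Feed one connection attempt; return src if it just crossed the threshold."""
        if src in self.quarantined or not self.is_dark(dst):
            return None
        q = self.hits[src]
        q.append((ts, dst))
        # Drop hits that fell out of the sliding window.
        while q and ts - q[0][0] > self.window:
            q.popleft()
        if len({d for _, d in q}) >= self.threshold:
            self.quarantined.add(src)
            return src
        return None


# Constructed sample: a /24 with only a handful of allocated addresses, and a
# flow log as (seconds, src, dst). Hypothetical addresses throughout.
ALLOCATED = ["10.0.0.1", "10.0.0.5", "10.0.0.10", "10.0.0.11", "10.0.0.12"]
FLOWS = [
    (0, "10.0.0.10", "10.0.0.1"),      # normal: gateway
    (1, "10.0.0.10", "10.0.0.11"),     # normal: file server
    (2, "10.0.0.10", "10.0.0.200"),    # one mistyped address is not enough
    (5, "10.0.0.5", "10.0.0.201"),
    (5, "10.0.0.5", "10.0.0.202"),
    (6, "10.0.0.5", "10.0.0.203"),
    (6, "10.0.0.5", "10.0.0.204"),
    (7, "10.0.0.5", "10.0.0.205"),     # fifth distinct dark address: quarantine
    (8, "10.0.0.5", "10.0.0.206"),     # ignored, host already quarantined
    (9, "10.0.0.12", "10.0.0.210"),
    (100, "10.0.0.12", "10.0.0.211"),  # slow probing, outside the 60 s window
    (200, "10.0.0.12", "10.0.0.212"),
]


def run(flows=FLOWS, threshold=5, window_seconds=60):
    """Replay the flow log; return (quarantined hosts, timestamp each was caught)."""
    mon = DarkIPMonitor(["10.0.0.0/24"], ALLOCATED, threshold, window_seconds)
    caught = {}
    for ts, src, dst in flows:
        hit = mon.observe(ts, src, dst)
        if hit:
            caught[hit] = ts
    return mon.quarantined, caught


if __name__ == "__main__":
    quarantined, caught = run()
    for host in sorted(quarantined):
        print(f"{host} quarantined at t={caught[host]}s")
```

Two tuning knobs decide the false-positive rate the slide deck claims to keep minimal: the allocated-address list must be kept current (a newly provisioned host that is still marked dark would make every client that reaches it look like a scanner), and the window length trades detection of slow scans against tolerance of occasional stray connections.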
Attack Deception
Mirage leverages the dark IP space to create device decoys that lock up a would-be attacker (whether inside or outside the network) in a lengthy, non-productive dialog.
Mirage NAC is the Answer
Full Cycle: Pre- and Post-Admission Policy Enforcement
Out of Band Deployment; no latency, switch integration
Infrastructure Independent: All networks, All devices, All OSs
Zero Day protection without signatures
Agentless: Easy to Deploy and Manage
(Diagram: Pre-Admission - Check on Connect; Policy Enforcement - Quarantines without switch integration; Post Admission - Zero Day Threat Prevention, Patented technology)
Thank You
Kurtis Minder, CISSP - Mirage Networks
Download “Getting the Knack of NAC”, 29 Page Industry
Whitepaper at www.miragenetworks.com