MSIT 458 – The Chinchillas
• Introduction of Problem
• Pros and Cons of Existing Security Systems
• Possible Solutions
• Recommended Solution
• Solution Implementation
• Final Recommendation
Viruses, worms, and botnets are often spread by unknowing victims. These victims may be your own network users.
How can the network be protected from your own users?
Symantec anti-virus deployed to individual workstations and servers in the data center
Cisco personal firewall software installed on laptops with remote access enabled
Pros
Centrally managed anti-virus can identify workstations without updated virus definitions.
Local firewall policy enforcement cannot be disabled by end users.
Cons
Anti-virus software slows machine performance to the point where users disable automatic updates and stop scans. There is no way to prevent users from altering the anti-virus software.
Only users with VPN access have the protection provided by local firewall policy enforcement.
There is no anti-spyware or host intrusion prevention solution deployed.
Four distinct user directories:
Authentication
• Access request forms required for creation of user accounts in each directory
• Written password policy requires strong passwords and password expiration maintained/enforced separately in each directory
Authorization
• Authorization policies maintained in each directory by local administrators
• Manual process for account termination, user access must be removed from each directory
Accounting
• Weekly directory access reviews compared against termination reports
Pros
Reduced risk when an account in one directory is compromised
Cons
Policies cannot be maintained or enforced centrally
Lots of passwords to keep track of → “loose” password management
Maintenance and SOX compliance nightmare
Port-based 802.1Q virtual local area networks (VLANs) for network and user segregation
Pros
Separate broadcast domains for trusted internal users and untrusted guest users – groups unable to communicate directly
Trusted internal PCs cannot contract viruses from untrusted guest PCs
Untrusted guest users are unable to access private internal servers
Use of VLAN Trunking Protocol eases VLAN management
Cons
No measure to prevent untrusted guests from connecting to private ports
Misconfiguration of a port will provide trusted network access
Use of separate subnets leads to inefficient use of IP address space
Switches may be vulnerable to attacks related to MAC flooding, tagging, multicast brute force, etc.
• Policies for endpoint security are not enforceable
• Users are not authenticated before access to the network. Identification is instead performed by the application
• Several entry points: wireless, wired and VPN
• Different types of users: full-time employees, vendors, partners and guests
• VLAN assignment is not dictated by identity or security posture
• Deploy a comprehensive endpoint solution that includes anti-virus, anti-spyware, and host intrusion prevention capabilities
• Define and enforce policies that do not allow end users to disable these protections
• Deploy personal firewall software to all computers, not only VPN enabled systems
• Design an employee education campaign stressing the importance of maintaining up to date security software definitions
Figure: Identity-based authentication with identity store integration over 802.1X. An authorized user presenting valid credentials is admitted to the corporate network and reaches corporate resources; an unauthorized external wireless user with invalid or no credentials gets no access.
Virtual Private Networks
• Provided by vendors such as Cisco and F5
• Ensures confidentiality and integrity, but only for point to point connections
Intrusion Detection and Prevention Systems
• Provided by vendors such as Sourcefire, 3Com, and IBM
• Able to use both predefined (and regularly updated) signatures and statistics to detect and prevent attacks
• May cost tens of thousands of dollars per Gbps of inspection with no guaranteed return
Firewalls
• Provided by vendors such as Check Point, Juniper Networks, etc.
• Control what hosts can access on other networks by port, protocol, or IP address
• Unless installed on every PC, not useful between hosts on internal LANs
THE GOAL
Figure: NAC admission flow involving the end user, the authentication server, the NAC Server and the NAC Manager.
1. End user attempts to access the network: initial access is blocked; the user authenticates by single-sign-on or web login against the authentication server.
2. NAC Server gathers and assesses user/device information: username and password; device configuration and vulnerabilities.
3a. Noncompliant device or incorrect login: access denied; placed in the quarantine role for remediation.
3b. Device is compliant: placed on the “certified devices list”; network access granted to the intranet/network.
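To make the admission flow concrete, here is an added example (not code from the original slides and not Cisco's NAC) of the decision a NAC server makes at steps 2 and 3: authenticate the user, assess the device posture against the endpoint requirements the deck recommends (anti-virus with current definitions, anti-spyware, host intrusion prevention, personal firewall), then either certify the device onto its role's VLAN or drop it into a quarantine role with the reasons a help desk would need for remediation. The identity store, the VLAN numbers, the per-role policy and the 7-day definition limit are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
import hashlib
import hmac

# Constructed identity store: username -> (salted SHA-256 of password, role).
# A real NAC server defers this lookup to the authentication server / directory.
_SALT = b"constructed-salt-not-for-production"


def _digest(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


DIRECTORY = {
    "alice": (_digest("correct horse battery"), "employee"),
    "guest01": (_digest("welcome-2008"), "guest"),
}


@dataclass
class Posture:
    """Device facts the NAC agent reports at connection time (hypothetical schema)."""
    av_installed: bool
    av_definition_age_days: int
    antispyware_installed: bool
    hips_installed: bool
    firewall_enabled: bool
    missing_critical_patches: int = 0


@dataclass
class Decision:
    outcome: str                 # "certified", "quarantine" or "denied"
    vlan: int
    reasons: list = field(default_factory=list)


# Assumed VLAN plan: trusted employees, untrusted guests, remediation, no access.
VLAN = {"employee": 10, "guest": 20, "quarantine": 99, "denied": 0}
MAX_DEFINITION_AGE_DAYS = 7

# Assumed per-role posture policy: employees must run the full endpoint suite from
# the recommendations; guests need only current anti-virus and a host firewall.
REQUIRED_CHECKS = {
    "employee": {"av", "antispyware", "hips", "firewall", "patches"},
    "guest": {"av", "firewall"},
}


def authenticate(username, password):
    """Return the user's role on success, None on unknown user or bad password."""
    entry = DIRECTORY.get(username)
    if entry is None:
        return None
    stored, role = entry
    # Constant-time compare so a wrong password is not distinguishable by timing.
    return role if hmac.compare_digest(stored, _digest(password)) else None


def assess_posture(posture, role):
    """Return the policy violations for this role; an empty list means compliant."""
    checks = REQUIRED_CHECKS[role]
    reasons = []
    if "av" in checks:
        if not posture.av_installed:
            reasons.append("anti-virus not installed")
        elif posture.av_definition_age_days > MAX_DEFINITION_AGE_DAYS:
            reasons.append(f"anti-virus definitions {posture.av_definition_age_days} days old")
    if "antispyware" in checks and not posture.antispyware_installed:
        reasons.append("anti-spyware not installed")
    if "hips" in checks and not posture.hips_installed:
        reasons.append("host intrusion prevention not installed")
    if "firewall" in checks and not posture.firewall_enabled:
        reasons.append("personal firewall disabled")
    if "patches" in checks and posture.missing_critical_patches:
        reasons.append(f"{posture.missing_critical_patches} critical patches missing")
    return reasons


def admit(username, password, posture):
    """Steps 2-3 of the NAC flow: authenticate, assess, then certify or quarantine."""
    role = authenticate(username, password)
    if role is None:                                   # step 3a: incorrect login
        return Decision("denied", VLAN["denied"], ["invalid credentials"])
    violations = assess_posture(posture, role)
    if violations:                                     # step 3a: noncompliant device
        return Decision("quarantine", VLAN["quarantine"], violations)
    return Decision("certified", VLAN[role])           # step 3b: certified device


if __name__ == "__main__":
    healthy = Posture(True, 2, True, True, True)
    for user, pw, p in [("alice", "correct horse battery", healthy),
                        ("alice", "wrong password", healthy),
                        ("alice", "correct horse battery", Posture(True, 30, True, True, False)),
                        ("guest01", "welcome-2008", Posture(True, 1, False, False, True))]:
        d = admit(user, pw, p)
        print(f"{user:8} -> {d.outcome:10} VLAN {d.vlan:3} {d.reasons}")
```

The reasons list is what distinguishes quarantine from a plain deny: a quarantined device keeps enough network access to fetch updates, and the recorded violations let the help desk bring it into compliance, which is where the per-incident savings in the later cost slides come from.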
Image Source: Gartner
Table (image): Cisco NAC, Juniper UAC and Microsoft NAP compared on Device Posture, Guest Access Portal, Asset Management and Temporary IDs. Ratings in the image range from full support through limited and very limited to manual, automated, no support or none, with some capabilities requiring Microsoft components or a third-party product.
Number of users supported: Up to 10,000, including guests
Initial Hardware/Software Cost = $125,000
Implementation Cost = $25,000
Maintenance Cost = $72,000 per year
Power & Cooling Cost = $3,000 per year
TCO = $150,000 + $75,000 per year = $225,000 initial year cost
TCO ≈ $500,000 after 5 years
• Fewer infections result in fewer incidents and help desk calls
Identifying and locating noncompliant machine: 0.66 man hours at $75/hr
Bringing non-compliant machine into compliance: 1 man hour at $75/hr
Potential cost savings per non-compliant user: $125
• The break-even point is 4,000 incidents over 5 years.
Revenue/Employee Hour by industry
Energy: $569.20
Manufacturing: $134.20
Retail: $244.37
Banking: $130.52
Media: $119.74
Total Industry Average: $205.55
Source: http://www.competitivereviews.com/metasecurity.pdf
• Already a Cisco network, so NAC would simply be an add-on to current network
• Entry points can easily be identified
• Anti-virus and other end-point protections already deployed to users
• Non-compliance problems currently occur at a rate of 6 per day, indicating a positive ROI on a potential NAC investment
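Carrying the deck's own figures through, as an added worked calculation that is not part of the original slides: the 5-year TCO, the per-incident saving, the break-even count, and the incident volume implied by the observed rate of 6 non-compliance problems per day.

$$\text{TCO}_{5\,\text{yr}} = \$150{,}000 + 5 \times \$75{,}000 = \$525{,}000 \approx \$500{,}000$$

$$\text{Saving per incident} = 0.66\,\text{h} \times \$75/\text{h} + 1\,\text{h} \times \$75/\text{h} = \$124.50 \approx \$125$$

$$\text{Break-even} = \frac{\$500{,}000}{\$125} = 4{,}000 \text{ incidents over 5 years}$$

$$\text{Expected incidents} = 6/\text{day} \times 365\,\text{days} \times 5\,\text{years} = 10{,}950 \gg 4{,}000$$

The positive ROI claim rests on the assumption that NAC prevents or cheaply remediates most of those incidents; if only a fraction is avoided, the break-even stretches accordingly.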
We conclude that a comprehensive NAC system such as Cisco’s Network Admission Control would be a better investment than piecemeal improvements to the company’s current network security systems.