Risk Management using Network Access Control and Endpoint Control for the Enterprise
Kurtis E. Minder – Mirage Networks

2 - CONFIDENTIAL - Agenda
• Drivers of NAC
• Key Elements of NAC Solutions: Identify, Assess, Monitor, Mitigate
• NAC Landscape

3 - Business Needs Drive Security Adoption
Ubiquitous security technologies
• Anti-virus - business driver: file sharing
• Firewalls - business driver: interconnecting networks (i.e. the Internet)
• VPNs - business driver: remote connectivity
Today’s top security driver - mobile PCs and devices
• Broadband access is everywhere
• Increased percentage of the time devices spend on unprotected networks
• Perimeter security is rendered less effective because mobile devices bypass it and aren’t protected by it
• Mobility of IP devices is driving the need for Network Access Control solutions
• Leading source of network infections
• More unmanaged devices on the network than ever - guest and personal devices

4 - The Traditional Approach to Network Security Isn’t Enough

5 - The Problem NAC Should Address
Today, endpoint devices represent the greatest risk to network security, by propagating threats or by being vulnerable to them.
“Because of worms and other threats, you can no longer leave your networks open to unscreened devices and users. By year-end 2007, 80 percent of enterprises will have implemented network access control policies and procedures.” - Gartner, Protect Your Resources With a Network Access Control Process
• Infected devices propagate threats, resulting in loss of productivity and hours of cleanup
• Unknown devices like home PCs, contractor PCs and WiFi phones can introduce new threats or compromise data security
• Out-of-policy devices are more vulnerable to malware attacks, while running services that could jeopardize security

6 - The Cost
[Chart; sources: (1) mi2g Intelligence Unit, Malware Damage in 2004; (2) ICSA Labs, 9th Annual Computer Virus Prevalence Survey]

7 - The Numbers Tell the Story
“Protection” is in place…
• 98% use firewalls (1)
• 97% of companies protect machines with antivirus software (1)
• 79% use anti-spyware (1)
• 61% use email monitoring software (1)
But it’s not enough!
• Cost of malware: $14.2B (2)
• 80% of companies experienced 1 or more successful attacks; 30% had more than 10 (3)
• Average net loss for malware incidents in US companies is nearly $168,000 per year (1)
• Worldwide, 32% of companies experience attacks involving business partners; 43% of those were infections, while 27% were unauthorized access (4)
• 75% of enterprises will be infected with malware that evaded traditional defenses (5)
Sources: (1) Computer Security Institute/FBI’s 2006 Computer Crime and Security Survey; (2) Computer Economics, 2006; (3) ICSA Labs, 9th Annual Computer Virus Prevalence Survey; (4) Cybertrust, Risky Business, September 2006; (5) Gartner, Gartner’s Top Predictions for IT Organizations and Users, 2007 & Beyond, December 2006

8 - The Problem is Expected to Get Worse
2006 statistics
• Steep increase in the number of software security vulnerabilities discovered by researchers and actively exploited by criminals
• Microsoft Corp issued fixes for 97 (versus 37 in 2005) security holes assigned the "critical" label
• 14 of the critical holes became "zero day" threats
• Experts worry that businesses will be slow to switch to Vista.
• Pre-Vista MS Office is expected to remain in widespread use for the next 5-10 years.
Source: Washington Post, Dec 2006, Cyber Crime Hits the Big Time in 2006

9 - NAC Market Expectations
• NAC appliance vendors will sell $660m worldwide in 2008
• NAC appliances will gain 17% worldwide share of the NAC market by 2008, up from 6% in 2005
• Research reveals World Network Access Control (NAC) Products and Architectures Markets earned revenues of over $85 million in 2006 and estimates this to reach over $600 million in 2013
• Gartner estimates that the NAC market was $100M in 2006 and will grow by over 100% by YE 2007

10 - Increasing Number of Targets to Protect
SANS Institute 2006 Top Attack Targets*
• Operating Systems: Internet Explorer; Windows Libraries; Microsoft Office; Windows Services; Windows Configuration Weaknesses; Mac OSX; Linux Configuration Weaknesses
• Cross Platform Applications: Web Applications; Database Software; P2P File Sharing Applications; Instant Messaging; Media Players; DNS Servers; Backup Software; Security, Enterprise, and Directory Management Servers
• Network Devices: VoIP Phones & Servers; Network & Other Devices Common Configuration Weaknesses
• Security Policy & Personnel: Excessive User Rights & Unauthorized Devices; Users (Phishing/Spear Phishing)
* SANS Institute Top 20 Internet Security Attack Targets (2006 Annual Update), v7.0, 11.15.06

11 - What Class of NAC Solutions to Deploy?
• Don’t know: 3%
• Pre-admission (at network connect): 30%
• Both: 60%
• Post-admission (continuous monitoring): 7%
Aberdeen Research, 2006

12 - Top Drivers Influencing NAC Solutions (% of respondents, all respondents)
• Reduce incidents of malware propagation: 59%
• Control network access for staff, partners and contractors: 53%
• Enforce endpoint software configurations: 42%
• Enforce security policy compliance: 41%
• Improve network uptime: 24%
• Reduce time required to recover from malware outbreak: 22%
• Automate remediation of policy / configuration violations: 17%
• Improve endpoint visibility: 12%
• Reduce IT operations cost: 12%
• Meet regulatory requirements: 11%
Aberdeen Research, 2006

13 - Top Features Required in a NAC Solution (% of respondents, all respondents)
• Day zero malware control: 37%
• Integration with current network infrastructure: 34%
• Identity-based control: 30%
• Prevent infection of your endpoints by remote control,…: 28%
• Ease of management: 24%
• Network infrastructure independent: 23%
• Endpoint configuration posture check (continuous/ongoing): 19%
• Ease of deployment: 17%
• Endpoint configuration posture check (on admission): 16%
• Redirection of users to remediation resources: 14%
• Visibility to endpoint threats: 14%
• Reporting: 12%
• Scalability / fault tolerance: 11%
• Threat propagation detection / IDS: 7%
• Visibility to endpoint configurations: 6%
Aberdeen Research, 2006

14 - Key Elements of NAC Solutions
Common NAC elements
• NAC is an evolving space with evolving capabilities
• NAC solution elements - some or all:
  – Identify - detect and authenticate new devices
  – Assess - endpoint integrity checks to determine levels of risk and adherence to security policy
  – Monitor - watch the device’s activity for change of assessed state with respect to policy and threat status
  – Mitigate - take appropriate action upon any device that is identified as a security risk by the previous three elements

16 - Identify - Find/Authenticate New Devices
Question - How do you know when a new device comes on the network? Is it a known or unknown device? Is it an authenticated user?
Common approaches
• Leverage 802.1x or network infrastructure OS
  – Authenticate through existing EAP infrastructure to pass credentials to the authentication server
• Special purpose DHCP server
  – Authentication usually web based and tied to the authentication server
• Authentication proxy
  – NAC solution serves as a proxy between device and authentication server
• Inline security appliances (i.e. security switches)
  – Serve as a proxy between device and authentication server
• Real time network awareness
  – Authentication usually web based and tied to the authentication server
All approaches trigger off entry on the network by a new IP device

17 - Identify - Pros & Cons of Various Approaches
802.1x approach
• Pros: Device detected and authenticated prior to IP address assignment
• Cons: Often a costly and time consuming installation
  – Requires switch upgrade/reconfiguration
  – Endpoints must be 802.1x enabled - requires supplicant software
  – Must create guest/remediation VLANs
DHCP approach
• Pros: Easier to deploy, independent of network infrastructure, covers both managed and unmanaged devices
• Cons: Bypassed by static IP address assignment; remediation typically to a broadcast VLAN (cross infection risk)

18 - Identify - Pros & Cons of Various Approaches cont.
Authentication proxy
• Pros: Good hook for checking managed devices
• Cons: Unknown devices may never authenticate but could still have network access; may not check all IP devices
In-line security appliance/switch
• Pros: Sees all devices, both managed and unmanaged, and doesn’t require agent-based software
• Cons: If it is not inline with, or does not replace, the access switch then it will not see the device as it comes on the network
Out-of-band appliances with network awareness
• Pros: Sees all devices as they enter the network, both managed and unmanaged; easier to implement than many of the other approaches
• Cons: May require switch integration for mitigation of problems

19 - Assess
Assess Endpoint Integrity
Question: Even if a device is allowed on my network, how do I ensure it meets my security policies and risk tolerance?
Answer: Endpoint integrity checks
• Operating system identification and validation checks
  – Typically requires an agent
  – Must establish a policy relating to acceptable patch level (latest patch on company SMS server, no older than X months, most recent patch available from software vendor)
  – What do you do for unknown devices? Usually requires an agent for these checks
• Security software checks - AV, personal firewall, spyware, etc.
  – Is it up and running?
  – Is it in the right configuration?
  – Is it up to date - both the software and the database?
  – Usually requires an agent for these checks

21 - Assess Endpoint Integrity cont.
Endpoint integrity checks cont.
• Endpoint configuration - find unauthorized servers and services
  – Web servers, FTP servers, mail servers, etc.
  – Vulnerable or high risk ports, e.g. port 445 exploited by Zotob
  – These checks can be done from the network or with an agent
• Threat detection
  – Scan the device for active infections or backdoors
  – Not commonly implemented on entry to the network: too much latency, so a risk profile is substituted for deep scans (e.g. AV is up to date and had a current scan)
Elements for endpoint integrity checks
• Network scanning server (optional)
• Endpoint software - permanent or transient (optional)
• Policy server (required) - must have somewhere to define what is allowed/disallowed

22 - Monitor
Monitoring Post Network Entry
The forgotten element of Network Access Control
Why is monitoring a critical element of NAC?
• Can’t effectively check for all threats on entry - takes too long
• Security policy state can change post entry - users initiate FTP after access is granted
• Infection can occur post entry - e-mail and web threats can change the security state of the device
What Gartner says in their paper “Protect Your Resources With a Network Access Control Process”:
• “The network traffic and security state of systems that are connected to the network must be monitored for anomalous behavior or system changes that bring them out of compliance with security policies.”
Why isn’t this simply another network security function?
• Monitoring is both for threats and policy adherence - takes advantage of the policy definition of the NAC solution
• Works hand in hand with NAC quarantine services

24 - Traditional Approach to Network Security
Traditional approach
• Firewall/IPS at the perimeter
• AV, HIDS/HIPS on the endpoint
External environment
• New technologies
• New threats
• Regulatory requirements
This approach leaves a soft underbelly through which unmanaged, out-of-policy and infected endpoints can easily gain access.

25 - Exploiting the Network’s Weakness
Infected endpoints bypass the perimeter… …generating rapidly propagating threats that take over a network in minutes… …bringing business to a halt and creating costly cleanup.

26 - Monitoring Approaches
Agent based approaches
• Host Intrusion Prevention Systems
• Personal firewalls
• Both require integration with a network policy server to be an element of NAC
• Doesn’t cover unknown/unmanaged/unmanageable devices
Network based approaches
• In-line: Typically an evolution of IPS vendors into NAC capabilities; also includes Network Based Anomaly Detection (NBAD) vendors
• Out-of-band: Most commonly NBAD and old Distributed Denial of Service (DDoS) security vendors
Key considerations
• Does the security device watch for policy violations as well as threats?
• Does it see devices as they enter the network?
• Can they work across both voice and data networks without negatively impacting quality and performance?
• What is the management overhead associated with both approaches?

27 - Mitigate
Mitigation Approaches for NAC
Two elements for NAC mitigation
• Quarantine capabilities (required)
  – On entry, restrict access for devices not meeting requirements
  – Post entry, take a device off the network and send it to a quarantine zone if it violates policy or propagates a threat
  – Ideally should be able to assign to a different quarantine server based on the problem, e.g. registration server for guests, AV scanner for infected devices, etc.
• Remediation services for identified problems (optional)
  – Additional diagnostic tools for deeper checks: vulnerability scanners, AV scanners, etc.
  – Tools for fixing identified problems: OS patch links, AV signature update and malware removal tools, registration pages for unknown devices

29 - Quarantine Approaches
DHCP integration
• Uses the DHCP process for identification and endpoint integrity checks on entry to the network.
• Pros: Assigns appropriate IP and VLAN according to the device’s risk level
• Cons: After the IP address is assigned there is no independent quarantine capability; static IPs bypass the enforcement
Switch integration
• Uses either ACLs or 802.1x
  – ACLs - not commonly used because of negative performance impact and access requirements in the network
  – 802.1x - forces the device to re-authenticate and assigns a new VLAN
• Pros: Effective both pre and post admission; uses a standards-based approach in 802.1x
• Cons: Can negatively impact switch performance; usually not granular in quarantine server assignment; if using a broadcast quarantine VLAN there is a cross-infection risk

30 - Quarantine Approaches cont.
In-line blocking with web redirect
• Pros: Improved performance over ACLs; can granularly block suspect traffic; can send web traffic to the appropriate quarantine server based on the problem
• Cons: Doesn’t see downstream traffic, so can only block and redirect traffic that comes through it; may require additional integration with the network for mitigation because of this
ARP management
• Security appliance selectively goes inline for a single host and becomes its default gateway by ARP manipulation
• Pros: No network integration required for full quarantine capabilities; enables surgical, problem-specific quarantine without cross-infection risk; effective both pre and post admission
• Cons: If implemented improperly, network equipment can misidentify this as an attack and drop the traffic

31 - Today’s NAC Landscape
Evolving proprietary standards
• Cisco Network Admission Control (CNAC)
  – Three critical elements - Cisco Trust Agent (CTA), updated Network Access Device (NAD), Cisco Access Control Server (ACS)
  – Integration with endpoint agents to communicate with ACS regarding the appropriate access level to the network
• Microsoft Network Access Protection (NAP)
  – Available in Vista
  – Endpoint needs a System Health Agent (SHA)
  – SHA reports to a System Health Validator (SHV) to do policy checks
  – Network isolation through enforcement integrations: DHCP Quarantine Enforcement Server (QES), VPN QES, 802.1x
• Trusted Network Connect open standard
  – TNC compliant client required on endpoints
  – Policy Decision Point (PDP) for security policy comparisons
  – Policy Enforcement Point (PEP) for quarantining

32 - Summary
• NAC is an evolving technology space
• Know what problems are most important to address
  – Unknown/unauthenticated user control
  – Policy enforcement for endpoints
  – Preventing threats on your network
• Understand implementation tradeoffs
  – Quarantine flexibility
  – Performance impact
  – Cost of solution
  – IT effort to implement
• Keep track of early evolving standards

33 - About Mirage - Background & Key Accomplishments
Company highlights
• First GA product: January 2004; V3 launched in July 2006
• Acquisition of WholePoint Corporation - Dec 04
• 1 NAC patent granted; 10 pending
Customer/partner momentum
• 1100+ units sold and deployed
• 350+ production customers
• Key verticals: EDU, H/C, FIN, TEC, MFG, S&L, PRO
• 120 channel partners (93% of revenues)
• Strategic relationships: IBM/ISS, Extreme, Mitsui, AT&T, Avaya
Industry recognition
• Info Security Hot Companies 2007
• Best Anti-Worm, Anti-Malware, SC Magazine/RSA 2006
• InfoSecurity Customer Trust Product Excellence Award, 2006
• Software Development magazine: four star product review, May 2005

35 - Mirage Networks Management Team
• Greg Stock, President & CEO - Manugistics, Vastera, e-security, IBM
• Thomas Brand, VP, WW Field Operations - Vastera, Toyota, Chrysler
• David Thomas, VP, Products - NovusEdge, Vignette, IBM
• Michael D’Eath, VP, Business Development - Waveset, Tivoli, Novell
• Grant Hartline, CTO - Cisco, Dell, NEC
• David Settle, CFO - Exterprise, Dazel, Convex Computer Corp

36 - Mirage Board of Directors/Investors
• Greg Stock, Mirage Networks
• Tim McAdam, Trinity Ventures
• Martin Neath, Adams Capital
• Bill Bock, CFO, Silicon Labs
• George Kurtz, EVP McAfee
• Howard Schmidt, Former CISO eBay, Microsoft

37 - Strategic Partners
• IBM Internet Security Systems (formerly ISS) has formed an alliance with Mirage Networks to provide Network Access Control to global enterprise customers. (Signed November 2006)
• Extreme Networks provides organizations with the resiliency, adaptability and simplicity required for a truly converged network that supports voice, video and data over a wired or wireless infrastructure, while delivering high performance and advanced security features. (Signed March 2005)
• Mitsui Bussan Secure Directions, a subsidiary of Mitsui & Co., Ltd., one of the world’s most diversified and comprehensive trading and services companies, powers Mirage NAC sales in the Japanese marketplace. (Signed October 2004)
• AT&T resells Mirage NAC in its managed services portfolio. Marketed as AT&T Managed IPS™, it represents the AT&T commitment to enabling business to be conducted effectively, efficiently and securely across both wired and wireless IP networks. (Signed March 2005)
• Part of the Avaya DevConnect Program, Mirage works with Avaya to develop world-class interior network defense solutions, particularly for emerging IP telephony technology.

38 - Selected Customers
By sector: Finance, Government, Healthcare, Professional Services, Higher Education, K-12, Manufacturing, Other

39 - Mirage Networks Endpoint Control
Network Access Control
• Comprehensive Endpoint Control
• On-entry Risk Assessment
• Policy Enforcement
• IP Telephony Enabled
• Wireless Support
• Out-of-Band
• Agentless Policy Enforcement
• Surgical Quarantining
• Customized Remediation
• Infrastructure-Independent
• No Network Re-architecture
• Flexible Self-Remediation Options
• ARP Management - No VLAN of Death
Day-Zero Threat Protection
• Patented Behavioral Technology
• No Signatures, No Updates
• Leverages Dark IP Space
• Minimal False Positives
• Customized Policies
Network Intelligence
• Central Mgmt
• Asset Tracking
• Network Visibility
• Executive Reports
• Cross Network Correlation
• Compliance & Audit Support

40 - Behavioral Rules Example: Threat Propagation
Mirage continually monitors the dark IP space on the network. When a device attempts to connect to multiple dark IPs, Mirage’s behavioral rules immediately identify this as an attack and quarantine the offending device.

41 - Attack Deception
Mirage leverages the dark IP space to create device decoys that lock up a would-be attacker (whether inside or outside the network) in a lengthy, non-productive dialog.

42 - Mirage NAC is the Answer
• Full cycle: pre- and post-admission policy enforcement
• Out-of-band deployment; no latency or switch integration
• Infrastructure independent: all networks, all devices, all OSs
• Zero day protection without signatures
• Agentless: easy to deploy and manage
Cycle diagram labels: Check on Connect (Pre-Admission); Quarantines without switch integration; Policy Enforcement; Patented technology; Zero Day Threat Prevention (Post Admission)

43 - Thank You
Kurtis Minder, CISSP - Mirage Networks
Download “Getting the Knack of NAC”, a 29 page industry whitepaper, at www.miragenetworks.com
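As an added worked example for the Assess and Mitigate slides (written for this page, not Mirage’s code or any product’s logic), the following Python checks an endpoint posture report against a policy (patch age, required security software and signature currency, unauthorized listening services such as port 445) and routes each class of violation to a problem-specific quarantine server, sending unknown devices to registration. The policy thresholds, server names and sample postures are constructed assumptions.

```python
"""Endpoint integrity check with problem-specific quarantine assignment.
Added example, not Mirage code. Thresholds, server names and sample data
are constructed; a real deployment feeds posture from an agent or scanner.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Policy definition: the "policy server" element the deck marks as required.
POLICY = {
    "max_patch_age_days": 90,                 # "no older than X months"
    "max_av_signature_age_days": 7,           # AV database currency
    "required_security_software": ("antivirus", "personal_firewall"),
    "forbidden_listening_ports": {21, 25, 80, 445},  # FTP, SMTP, HTTP, SMB (Zotob)
}

# Problem-specific quarantine servers: registration for guests, AV scanner for
# suspected infections, patch/signature sources for hygiene problems.
# Dict order doubles as severity order: the first matching key picks the zone.
QUARANTINE_TARGET = {
    "unauthorized_service": "av-scanner",
    "unknown_device": "registration-portal",
    "missing_security_software": "remediation-tools",
    "stale_patches": "patch-server",
    "stale_av_signatures": "av-update-server",
}

@dataclass
class Posture:
    known: bool                                   # Identify: authenticated/known?
    os_patch_date: Optional[date] = None          # newest installed OS patch
    security_software: dict = field(default_factory=dict)  # name -> {"running", "sig_date"}
    listening_ports: set = field(default_factory=set)      # open TCP ports seen

def assess(p: Posture, today: date, policy=POLICY) -> set:
    """Return the set of policy violations (empty set means compliant)."""
    if not p.known:
        return {"unknown_device"}   # cannot posture-check an unknown device; register it
    v = set()
    if p.os_patch_date is None or (today - p.os_patch_date).days > policy["max_patch_age_days"]:
        v.add("stale_patches")
    for name in policy["required_security_software"]:
        if not p.security_software.get(name, {}).get("running"):
            v.add("missing_security_software")
    av = p.security_software.get("antivirus", {})
    sig = av.get("sig_date")
    if av.get("running") and (sig is None or (today - sig).days > policy["max_av_signature_age_days"]):
        v.add("stale_av_signatures")
    if p.listening_ports & policy["forbidden_listening_ports"]:
        v.add("unauthorized_service")
    return v

def decide(p: Posture, today: date):
    """Admit a compliant device; otherwise quarantine it to the server for its most severe problem."""
    violations = assess(p, today)
    for problem, server in QUARANTINE_TARGET.items():
        if problem in violations:
            return ("quarantine", server)
    return ("admit", None)
```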
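As an added example illustrating the threat-propagation behavioral rule on slide 40 and the post-entry monitoring the deck argues for (written for this page, not Mirage’s patented implementation), the following Python treats every address in a subnet that is not in the asset inventory as dark IP space and reports a source that contacts a threshold number of distinct dark addresses inside a sliding time window; the subnet, inventory, thresholds and flow records are constructed.

```python
"""Threat-propagation behavioral rule over dark IP space (added example,
not Mirage's code). Assumes a flow feed of (seconds, src, dst) tuples and an
asset inventory; the subnet, inventory, thresholds and flows are constructed.
"""
import ipaddress
from collections import defaultdict, deque

# Assumed inventory: addresses with a tracked, live host are "lit"; every other
# address in the subnet is dark IP space that no legitimate client should touch.
SUBNET = ipaddress.ip_network("10.1.0.0/24")
LIT_HOSTS = {ipaddress.ip_address(a) for a in
             ("10.1.0.1", "10.1.0.10", "10.1.0.11", "10.1.0.12", "10.1.0.50")}
DARK_THRESHOLD = 5    # distinct dark destinations that mark a device as scanning
WINDOW_SECONDS = 60   # sliding window the rule evaluates over

def is_dark(dst) -> bool:
    """True if dst lies in the monitored subnet and has no inventoried host."""
    ip = ipaddress.ip_address(dst)
    if ip not in SUBNET or ip in (SUBNET.network_address, SUBNET.broadcast_address):
        return False
    return ip not in LIT_HOSTS

def detect_propagation(flows, threshold=DARK_THRESHOLD, window=WINDOW_SECONDS):
    """Return [(src, ts, distinct_dark)] at the moment each source first trips the
    rule. A source is reported once: in the deck's model it is quarantined on the
    spot, so its later flows never reach the rest of the network."""
    recent = defaultdict(deque)   # src -> deque of (ts, dark dst) inside the window
    quarantined, alerts = set(), []
    for ts, src, dst in sorted(flows):
        if src in quarantined or not is_dark(dst):
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # drop contacts older than the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold:
            alerts.append((src, ts, len(distinct)))
            quarantined.add(src)
    return alerts

# Constructed flow sample:
#  - 10.1.0.10 talks to real servers and mistypes one address (no alert)
#  - 10.1.0.11 probes one dark address every two minutes (never inside one window)
#  - 10.1.0.12 sweeps the subnet sequentially, one address per second (worm-like)
SAMPLE_FLOWS = (
    [(0, "10.1.0.10", "10.1.0.1"), (5, "10.1.0.10", "10.1.0.50"), (7, "10.1.0.10", "10.1.0.77")]
    + [(120 * i, "10.1.0.11", "10.1.0.%d" % (200 + i)) for i in range(6)]
    + [(10 + i, "10.1.0.12", "10.1.0.%d" % (100 + i)) for i in range(8)]
)

if __name__ == "__main__":
    for src, ts, n in detect_propagation(SAMPLE_FLOWS):
        print("t=%ds quarantine %s: %d distinct dark IPs within %ds" % (ts, src, n, WINDOW_SECONDS))
```

The slow prober shows the rule’s blind spot: a sweep paced slower than the window never accumulates enough distinct dark contacts, which is why the deck pairs this rule with decoys and ongoing monitoring rather than relying on one threshold.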