Sentriant AG200 Network Access Control Appliance
© 2009 Extreme Networks, Inc. All rights reserved.
Sentriant™ AG 5.0 – centralized control of end-user access to the network
Oleksandr Khomenko
Systems Engineer
Extreme Networks Associate
Tel.: 380 (44) 406-56-06
Switching Product Portfolio
• BlackDiamond 20808
• BlackDiamond 10808
• BlackDiamond 12804
• BlackDiamond 8800 a, e, c-series
• Summit X650: 10 Gigabit Core
• Summit® X450a: Gigabit Aggregation
• Summit X450e: Gigabit Edge
• Summit X250e: 10/100 Edge
• Summit X150
• Summit X350
• SummitStack™
Wireless Product Portfolio
• Altitude 450 802.11n
• Altitude™ 350 a/b/g
• Summit WM2000: 200 APs
• Summit WM200: 100 APs
• Summit® WM20: 32 APs
Management Products
• Service Watch
• Policy Manager
• EPICenter
Security Product Portfolio
• Sentriant NG 300
• Sentriant AG 5.0
Sentriant™ AG 5.0
[Figure: Sentriant™ AG200 appliance front panel (PWR, HDD, eth0, CONSOLE, eth1)]
• Intel Dual Core (Core 2 Duo/Xeon 5100 series) processor at 1.86GHz
• 2GB RAM (or greater)
• 80GB SATA disk (or greater)
• Two 10/100/1000 Ethernet interfaces
• CD ROM drive
• An Internet connection or proxy server that allows outbound SSL communications
• Hardware
• Software
The Endpoint Threat to the Network
• Lack of institutional control over who and what is connecting to the network
• Traditional defenses (firewall, AV, IDS/IPS, VPN) offer ineffective protection against endpoint-based threats
• Hackers now targeting unpatched, unmaintained endpoints
• What makes endpoints dangerous?
    • Spyware, worms, trojans
    • Unpatched OSs and applications
    • Out-of-date AV and anti-spyware definitions
    • Human factors: high-risk activities (Peer-to-Peer, IM, harmful downloads)
"By the end of 2007, 75 percent of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses." - Gartner, Inc.
Network Access Control (NAC)
• Answers the question: Is it safe to let this endpoint onto the network?
• Improves overall security posture of the network
    • Proactively protects the network from compromised or harmful endpoints
    • Further protects the endpoint itself, beyond what’s provided by AV and personal firewalls
• Enforces corporate security policies
    • Policy compliant endpoints are provided access while non-compliant endpoints can be denied access or quarantined
    • Helps to meet SOX, HIPAA, PCI-DSS requirements
• Augments limited IT resources and staff
    • Automated process alleviates the need for manual intervention
    • Facilitates remediation of non-compliant endpoints to reduce IT help desk activity
Sentriant™ AG Product Overview
• Protects the network from harmful endpoints
• Provides compliance with security policies
• Quarantines noncompliant endpoints and facilitates repair activities
• Maintains complete endpoint access history
Works with new or existing network infrastructure
Sentriant™ AG Process
Sentriant™ AG—Key Capabilities
• Advanced Endpoint Integrity Testing
    • Customizable access policies with hundreds of security checks
    • Multiple testing options including a completely agent-less solution
    • Minimal impact on end users
    • Automatic quarantine and remediation of non-compliant endpoints
• Flexible Deployment Options
    • Multiple standards-based enforcement methods
    • Graduated levels of enforcement
    • Single-server or multi-server deployment
    • Clustering for high availability (HA) and load balancing
• Enterprise-Class Management and Administration
    • Centralized management
    • Multi-user, role-based administration
    • Powerful reporting capabilities and open APIs
Advanced Endpoint Integrity Testing
Point-and-Click Access Policy Definition
• Three out-of-the-box access policies are provided
• Custom policies can be created for different network locations, devices or end-user types
Select Tests for Inclusion in Access Policy Refine Selected Test
Specify Enforcement When Endpoint Fails Test
Deep Endpoint Testing
• Test categories include
    • OS service packs and hotfixes
    • Browser and OS security settings
    • Network and wireless settings
    • Anti-virus (installed and up-to-date)
    • Personal firewall (installed and up-to-date)
    • Anti-spyware (installed and up-to-date)
    • Peer-to-Peer applications (presence of)
    • Worms, viruses, trojans, spyware (presence of)
    • Required or prohibited software (administrator defined)
• Tests added continuously as new threats emerge
• Open, extensible testing engine
    • Custom tests for organization-specific needs
Testing Options
• Multiple options provide coverage for all categories of users and devices
1. Agent—lightweight persistent agent
2. ActiveX—tests endpoint through browser
3. Agent-less—no client software required
• Support for both Windows and Mac endpoints
• No degradation in testing depth for any option
Off-the-Shelf Tests (1 of 2)

Operating Systems - Windows
• Windows 2000 hotfixes
• Windows Server 2003 SP1 hotfixes
• Windows Server 2003 hotfixes
• Windows XP SP2 hotfixes
• Windows XP hotfixes
• Windows Media Player Hotfixes
• Internet Explorer Hotfixes
• Service HotFixes
• Service Packs
• Windows automatic updates

Security Settings - Windows
• Allowed Networks
• MS Excel macros
• MS Outlook macros
• MS Word macros
• Services not allowed
• Services required
• Windows bridge network connection
• Simultaneous wired/wireless connections
• Wireless network SSID connections
• Windows security policy

Browser Security Policy - Windows
• Browser version
• IE internet security zone
• IE local intranet security zone
• IE restricted site security zone
• IE trusted sites security zone

Security Settings – OS X
• Airport Preference
• Airport WEP Enabled
• Bluetooth
• Internet Sharing
• Services
• Firewall
• Security Updates

Anti-Virus (installed and up-to-date)
• Avast 4 Professional Edition
• AVG AntiVirus Free Ed
• BitDefender AntiVirus / Internet Security v10
• ClamWin Free AntiVirus
• Computer Associates eTrust EZ AntiVirus
• F-Secure AntiVirus
• Kaspersky Internet Security / AntiVirus 6.0
• Kaspersky AntiVirus for FileServers
• Kaspersky AntiVirus for Workstations
• McAfee VirusScan
• McAfee Enterprise VirusScan 7.1.0
• McAfee Enterprise VirusScan 8.0i
• McAfee Enterprise VirusScan 8.5i
• McAfee Enterprise VirusScan
• McAfee Internet Security Suite 8.0
• McAfee Internet Security Suite 2007 / Total Protection
• McAfee Managed VirusScan
• NOD32 AntiVirus
• Norton AntiVirus 2004
• Norton AntiVirus 2007
• Norton Internet Security 2007
• Panda Internet Security
• Sophos Anti-Virus
• Symantec Corporate AntiVirus
• Trend Micro AntiVirus
• Trend Micro OfficeScan Corporate Edition
• ZoneAlarm Security Suite

Anti-Spyware (installed and up-to-date)
• Ad-Aware SE Personal
• Ad-Aware Plus
• Ad-Aware Professional
• McAfee AntiSpyware
• CounterSpy
• PestPatrol
• Shavlik NetChk 5.8 and above
• Spyware Eliminator
• Webroot Spy Sweeper
• Windows Defender

Software Required / Not Allowed
• Administratively Defined

High Risk Software
• Google Desktop

Miscellaneous Software
• Avaya IP Softphone Version Check
Off-the-Shelf Tests (2 of 2)

Personal Firewalls (installed and up-to-date)
• AOL Security Edition
• Black ICE Firewall
• Computer Associates EZ Firewall
• Internet Connection Firewall (Pre XP SP2)
• McAfee Personal Firewall
• Norton Personal Firewall / Internet Security
• Norton Internet Security 2007
• Senforce Advanced Firewall
• Sygate Personal Firewall
• Symantec Client Firewall
• Tiny Personal Firewall
• Trend Micro Personal Firewall
• Windows Firewall
• ZoneAlarm Personal Firewall

P2P and Instant Messaging
• AOL Instant Messenger
• Altnet
• BitTorrent
• Gator
• Kazaa
• Kazaa Lite
• K++
• Chatbot
• DICE
• dIRC
• Hotline Connect Client
• IceChat IRC client
• ICQ Pro
• leafChat
• Metasquarer
• mIRC
• Morpheus
• MyNapster
• MyWay
• NetIRC
• NexIRC
• Not Only Two
• P2PNet.net
• PerfectNav
• savIRC
• Skype
• Trillian
• Turbo IRC
• Visual IRC
• XFire
• Yahoo! Messenger

Viruses, Worms, Trojans, Spyware
• CME-24
• Keylogger.Stawin
• Trojan.Mitglieder.C
• VBS.Shania
• W32.Beagle.A
• W32.Beagle.AB
• W32.Beagle.AG
• W32.Beagle.AO
• W32.Beagle.AZ
• W32.Beagle.B
• W32.Beagle.E
• W32.Beagle.J
• W32.Beagle.K
• W32.Blaster.K.Worm
• W32.Blaster.Worm
• W32.Doomhunter
• W32.Dumaru.AD
• W32.Dumaru.AH
• W32.Esbot.A.1
• W32.Esbot.A.2
• W32.Esbot.A.3
• W32.Galil.F
• W32.HLLW.Anig
• W32.HLLW.Cult.M
• W32.HLLW.Deadhat
• W32.HLLW.Doomjuice
• W32.HLLW.Doomjuice.B
• W32.HLLW.Lovgate
• W32 Hiton
• W32.IRCBot.C
• W32.Kifer
• W32.Klez.gen
• W32.Korgo.G
• W32.Mimail.Q
• W32.Mimail.S
• W32.Mimail.T
• W32.Mydoom.A
• W32.Mydoom.AX-1
• W32.Mydoom.AX
• W32.Mydoom.B
• W32.Mydoom.M
• W32.Mydoom.Q
• W32.Netsky.B
• W32.Netsky.C
• W32.Netsky.D
• W32.Netsky.K
• W32.Netsky.P
• W32.Rusty@m
• W32.Sasser.B
• W32.Sasser.E
• W32.Sasser.Worm
• W32.Sircam.Worm
• W32.Sober.O
• W32.Sober.Z
• W32.Welchia.Worm
• W32.Zotob.E
Minimal End User Impact
• Testing completes in only seconds
• Succinct information on testing activity and steps required to achieve compliance
• Administrator-customizable messaging
• Communication is as visible or as invisible as environment requires
Non-Compliant Endpoint Remediation
• Automated repair
    • Through integration with leading patch management systems
• End-user self remediation
    • Through on-screen directions (shown at right)
• Access 'grace period'
    • Provides temporary window of access (e.g., 3 days) to facilitate remediation
End-User Endpoint Repair Instructions
Flexible Deployment Options
Multiple Enforcement Methods
• Out-of-band or inline options
• Accommodates wide range of network topologies and equipment
• Provides coverage of all network regions and entry points
Enterprise-Class Management and Administration
Management Console
Network Wide Visibility
At-a-Glance Security Status
Drill-Down to Details
Centralized Policy Management and Configuration
Multi-User, Role-Based Administration
• Four standard administrative roles; custom roles can be defined
• Permissions may be further restricted by server or cluster
• Allows for shared administrative use across multiple IT groups
Comprehensive Reporting
• Designed for
    • Auditors/Compliance
    • Management
    • Network and Security Administrators
• Reports include
    • Endpoint list
    • Policy results
    • Test details
    • Test results
• Reports can be refined by additional search/filter criteria
• Documented SQL interface for integration with third-party reporting packages
Test Details Report
Test Results Report
Summary
Advantages of Sentriant™ AG Solution
• Infrastructure compatibility
    • Reduces cost of implementing network access control (NAC)
• Fast pre-connect endpoint scanning
    • Does not disrupt end user access to the network
• Comprehensive testing across the full range of endpoint devices
    • Ensures maximum protection and policy compliance
• Advanced clustering technology
    • Allows for incremental system scalability and continuous operations
• Centralized management
    • Lowers operational complexity for coverage in all network regions and locations
• Shared administrative use among multiple IT groups
    • Minimizes the overhead of day-to-day operations
Conclusion
Thank You
Let us know if you are interested in a complimentary 30-day evaluation license of
Sentriant™ AG
www.telco.ua
Tel.: 380 (44) 406-56-06