Page 1: Sentriant AG200 Network Access Control Appliance

© 2009 Extreme Networks, Inc. All rights reserved.

Sentriant™ AG 5.0 – centralized control of end-user access to the network

Oleksandr Khomenko

Systems Engineer

Extreme Networks Associate

[email protected]

Tel.: 380 (44) 406-56-06

Page 2

Switching Product Portfolio
• BlackDiamond 20808
• BlackDiamond 10808
• BlackDiamond 12804
• BlackDiamond 8800 a, e, c-series
• Summit X650 (10 Gigabit Core)
• Summit® X450a (Gigabit Aggregation)
• Summit X450e (Gigabit Edge)
• Summit X250e (10/100 Edge)
• Summit X150
• Summit X350
• SummitStack™

Wireless Product Portfolio
• Altitude 450 802.11n
• Altitude™ 350 a/b/g
• Summit WM2000 (200 APs)
• Summit WM200 (100 APs)
• Summit® WM20 (32 APs)

Management Products
• Service Watch
• Policy Manager
• EPICenter

Security Product Portfolio
• Sentriant NG 300
• Sentriant AG 5.0

Page 3

Sentriant™ AG 5.0

[Image: Sentriant™ AG200 appliance front panel, labelled PWR, HDD, eth0, CONSOLE, eth1]

• Intel Dual Core (Core 2 Duo/Xeon 5100 series) processor at 1.86GHz
• 2GB RAM (or greater)
• 80GB SATA disk (or greater)
• Two 10/100/1000 Ethernet interfaces
• CD ROM drive
• An Internet connection or proxy server that allows outbound SSL communications

• Hardware
• Software

Page 4

The Endpoint Threat to the Network

• Lack of institutional control over who and what is connecting to the network
• Traditional defenses (firewall, AV, IDS/IPS, VPN) offer ineffective protection against endpoint-based threats
• Hackers now targeting unpatched, unmaintained endpoints
• What makes endpoints dangerous?
  • Spyware, worms, trojans
  • Unpatched OSs and applications
  • Out-of-date AV and anti-spyware definitions
  • Human factors: high-risk activities (Peer-to-Peer, IM, harmful downloads)

"By the end of 2007, 75 percent of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses." - Gartner, Inc.

Page 5

Network Access Control (NAC)

• Answers the question: Is it safe to let this endpoint onto the network?
• Improves overall security posture of the network
  • Proactively protects the network from compromised or harmful endpoints
  • Further protects the endpoint itself, beyond what's provided by AV and personal firewalls
• Enforces corporate security policies
  • Policy compliant endpoints are provided access while non-compliant endpoints can be denied access or quarantined
  • Helps to meet SOX, HIPAA, PCI-DSS requirements
• Augments limited IT resources and staff
  • Automated process alleviates the need for manual intervention
  • Facilitates remediation of non-compliant endpoints to reduce IT help desk activity

Page 6

Sentriant™ AG Product Overview

• Protects the network from harmful endpoints
• Provides compliance with security policies
• Quarantines noncompliant endpoints and facilitates repair activities
• Maintains complete endpoint access history

Works with new or existing network infrastructure

Page 7

Sentriant™ AG Process

Page 8

Sentriant™ AG—Key Capabilities

• Advanced Endpoint Integrity Testing
  • Customizable access policies with hundreds of security checks
  • Multiple testing options including a completely agent-less solution
  • Minimal impact on end users
  • Automatic quarantine and remediation of non-compliant endpoints
• Flexible Deployment Options
  • Multiple standards-based enforcement methods
  • Graduated levels of enforcement
  • Single-server or multi-server deployment
  • Clustering for high availability (HA) and load balancing
• Enterprise-Class Management and Administration
  • Centralized management
  • Multi-user, role-based administration
  • Powerful reporting capabilities and open APIs

Page 9

Advanced Endpoint Integrity Testing

Page 10

Point-and-Click Access Policy Definition

• Three out-of-the-box access policies are provided
• Custom policies can be created for different network locations, devices or end-user types

Select Tests for Inclusion in Access Policy

Refine Selected Test

Specify Enforcement When Endpoint Fails Test

Page 11

Deep Endpoint Testing

• Test categories include
  • OS service packs and hotfixes
  • Browser and OS security settings
  • Network and wireless settings
  • Anti-virus (installed and up-to-date)
  • Personal firewall (installed and up-to-date)
  • Anti-spyware (installed and up-to-date)
  • Peer-to-Peer applications (presence of)
  • Worms, viruses, trojans, spyware (presence of)
  • Required or prohibited software (administrator defined)
• Tests added continuously as new threats emerge
• Open, extensible testing engine
  • Custom tests for organization-specific needs

Page 12

Testing Options

• Multiple options provide coverage for all categories of users and devices
  1. Agent—lightweight persistent agent
  2. ActiveX—tests endpoint through browser
  3. Agent-less—no client software required
• Support for both Windows and Mac endpoints
• No degradation in testing depth for any option

Page 13

Off-the-Shelf Tests (1 of 2)

Operating Systems - Windows
• Windows 2000 hotfixes
• Windows Server 2003 SP1 hotfixes
• Windows Server 2003 hotfixes
• Windows XP SP2 hotfixes
• Windows XP hotfixes
• Windows Media Player Hotfixes
• Internet Explorer Hotfixes
• Service HotFixes
• Service Packs
• Windows automatic updates

Security Settings - Windows
• Allowed Networks
• MS Excel macros
• MS Outlook macros
• MS Word macros
• Services not allowed
• Services required
• Windows bridge network connection
• Simultaneous wired/wireless connections
• Wireless network SSID connections
• Windows security policy

Browser Security Policy - Windows
• Browser version
• IE internet security zone
• IE local intranet security zone
• IE restricted site security zone
• IE trusted sites security zone

Anti-Virus (installed and up-to-date)
• Avast 4 Professional Edition
• AVG AntiVirus Free Ed
• BitDefender AntiVirus / Internet Security v10
• ClamWin Free AntiVirus
• Computer Associates eTrust EZ AntiVirus
• F-Secure AntiVirus
• Kaspersky Internet Security / AntiVirus 6.0
• Kaspersky AntiVirus for FileServers
• Kaspersky AntiVirus for Workstations
• McAfee VirusScan
• McAfee Enterprise VirusScan 7.1.0
• McAfee Enterprise VirusScan 8.0i
• McAfee Enterprise VirusScan 8.5i
• McAfee Enterprise VirusScan
• McAfee Internet Security Suite 8.0
• McAfee Internet Security Suite 2007 / Total Protection
• McAfee Managed VirusScan
• NOD32 AntiVirus
• Norton AntiVirus 2004
• Norton AntiVirus 2007
• Norton Internet Security 2007
• Panda Internet Security
• Sophos Anti-Virus
• Symantec Corporate AntiVirus
• Trend Micro AntiVirus
• Trend Micro OfficeScan Corporate Edition
• ZoneAlarm Security Suite

Anti-Spyware (installed and up-to-date)
• Ad-Aware SE Personal
• Ad-Aware Plus
• Ad-Aware Professional
• McAfee AntiSpyware
• CounterSpy
• PestPatrol
• Shavlik NetChk 5.8 and above
• Spyware Eliminator
• Webroot Spy Sweeper
• Windows Defender

Software Required / Not Allowed
• Administratively Defined

High Risk Software
• Google Desktop

Miscellaneous Software
• Avaya IP Softphone Version Check

Security Settings – OS X
• Airport Preference
• Airport WEP Enabled
• Bluetooth
• Internet Sharing
• Services
• Firewall
• Security Updates

Page 14

Off-the-Shelf Tests (2 of 2)

Personal Firewalls (installed and up-to-date)
• AOL Security Edition
• Black ICE Firewall
• Computer Associates EZ Firewall
• Internet Connection Firewall (Pre XP SP2)
• McAfee Personal Firewall
• Norton Personal Firewall / Internet Security
• Norton Internet Security 2007
• Senforce Advanced Firewall
• Sygate Personal Firewall
• Symantec Client Firewall
• Tiny Personal Firewall
• Trend Micro Personal Firewall
• Windows Firewall
• ZoneAlarm Personal Firewall

P2P and Instant Messaging
• AOL Instant Messenger
• Altnet
• BitTorrent
• Gator
• Kazaa
• Kazaa Lite
• K++
• Chatbot
• DICE
• dIRC
• Hotline Connect Client
• IceChat IRC client
• ICQ Pro
• leafChat
• Metasquarer
• mIRC
• Morpheus
• MyNapster
• MyWay
• NetIRC
• NexIRC
• Not Only Two
• P2PNet.net
• PerfectNav
• savIRC
• Skype
• Trillian
• Turbo IRC
• Visual IRC
• XFire
• Yahoo! Messenger

Viruses, Worms, Trojans, Spyware
• CME-24
• Keylogger.Stawin
• Trojan.Mitglieder.C
• VBS.Shania
• W32.Beagle.A
• W32.Beagle.AB
• W32.Beagle.AG
• W32.Beagle.AO
• W32.Beagle.AZ
• W32.Beagle.B
• W32.Beagle.E
• W32.Beagle.J
• W32.Beagle.K
• W32.Blaster.K.Worm
• W32.Blaster.Worm
• W32.Doomhunter
• W32.Dumaru.AD
• W32.Dumaru.AH
• W32.Esbot.A.1
• W32.Esbot.A.2
• W32.Esbot.A.3
• W32.Galil.F
• W32.HLLW.Anig
• W32.HLLW.Cult.M
• W32.HLLW.Deadhat
• W32.HLLW.Doomjuice
• W32.HLLW.Doomjuice.B
• W32.HLLW.Lovgate
• W32 Hiton
• W32.IRCBot.C
• W32.Kifer
• W32.Klez.gen
• W32.Korgo.G
• W32.Mimail.Q
• W32.Mimail.S
• W32.Mimail.T
• W32.Mydoom.A
• W32.Mydoom.AX-1
• W32.Mydoom.AX
• W32.Mydoom.B
• W32.Mydoom.M
• W32.Mydoom.Q
• W32.Netsky.B
• W32.Netsky.C
• W32.Netsky.D
• W32.Netsky.K
• W32.Netsky.P
• W32.Rusty@m
• W32.Sasser.B
• W32.Sasser.E
• W32.Sasser.Worm
• W32.Sircam.Worm
• W32.Sober.O
• W32.Sober.Z
• W32.Welchia.Worm
• W32.Zotob.E

Page 15

Minimal End User Impact

• Testing completes in only seconds
• Succinct information on testing activity and steps required to achieve compliance
• Administrator-customizable messaging
• Communication is as visible or as invisible as environment requires

Page 16

Non-Compliant Endpoint Remediation

• Automated repair
  • Through integration with leading patch management systems
• End-user self remediation
  • Through on-screen directions (shown at right)
• Access 'grace period'
  • Provides temporary window of access (e.g., 3 days) to facilitate remediation

End-User Endpoint Repair Instructions

Page 17

Flexible Deployment Options

Page 18

Multiple Enforcement Methods

• Out-of-band or inline options
  • Accommodates wide range of network topologies and equipment
  • Provides coverage of all network regions and entry points

Page 19

Enterprise-Class Management and Administration

Page 20

Management Console

Network Wide Visibility

At-a-Glance Security Status

Drill-Down to Details

Centralized Policy Management and Configuration

Page 21

Multi-User, Role-Based Administration

• Four standard administrative roles—custom roles can be defined
• Permissions may be further restricted by server or cluster
• Allows for shared administrative use across multiple IT groups

Page 22

Comprehensive Reporting

• Designed for
  • Auditors/Compliance
  • Management
  • Network and Security Administrators
• Reports include
  • Endpoint list
  • Policy results
  • Test details
  • Test results
• Reports can be refined by additional search/filter criteria
• Documented SQL interface for integration with third-party reporting packages

Test Details Report

Test Results Report

Page 23

Summary

Advantages of Sentriant™ AG Solution

• Infrastructure compatibility
  • Reduces cost of implementing network access control (NAC)
• Fast pre-connect endpoint scanning
  • Does not disrupt end user access to the network
• Comprehensive testing across the full range of endpoint devices
  • Ensures maximum protection and policy compliance
• Advanced clustering technology
  • Allows for incremental system scalability and continuous operations
• Centralized management
  • Lowers operational complexity for coverage in all network regions and locations
• Shared administrative use among multiple IT groups
  • Minimizes the overhead of day-to-day operations

Conclusion

Page 24

Thank You

Let us know if you are interested in a complimentary 30-day evaluation license of Sentriant™ AG

[email protected]

www.telco.ua

Tel.: 380 (44) 406-56-06