
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID 1

Self-Defending Network: Realizing the Vision

Mauricio Martinez
Systems Engineer Commercial, Cisco Mexico
30 October 2008


Connected World with Complex Security Challenges

Collaboration and Communication
- TelePresence / Video / IM / Email
- Mobility
- Web 2.0 / Web Services / SOA

The New Threat Environment
- The Eroding Perimeter
- SPAM / Malware / Profit-Driven Hacking
- Data Loss and Theft

The Business Impact of Security
- IT Risk Management
- Regulatory Compliance
- Security as Business Enabler


Solutions for Business Security

Cisco Self-Defending Network: Best of Breed Security in a Systems Approach

- Enforce business policies and protect critical assets
- Decrease IT administrative burden and reduce TCO
- Reduce security and compliance IT risk

- Network Security
- Endpoint Security
- Content Security
- Application Security
- System Management
- Policy—Reputation—Identity


Cisco Network Admission Control Appliance


Contents

1 Business Case for NAC
2 Cisco NAC Solution Overview
3 Cisco NAC Solution Benefits
4 Additional Resources – Guest and Profiler


What Is NAC, Really?

Network Admission Control = better criteria for network access beyond “Who is it?”:
- Who owns it?
- Where is it coming from?
- What’s on it? What is it doing?
- What do you have?
- What’s the preferred way to check or fix it?

= 4 Key Functions:
- Authenticate & Authorize
- Scan & Evaluate
- Quarantine & Enforce
- Update & Remediate


2 Cisco NAC Solution Overview


Cisco Network Admission Control

Using the network to enforce policies ensures that incoming devices are compliant.

Authenticate & Authorize
- Enforces authorization policies and privileges
- Supports multiple user roles

Update & Remediate
- Network-based tools for vulnerability and threat remediation
- Help-desk integration

Quarantine & Enforce
- Isolate non-compliant devices from the rest of the network
- MAC- and IP-based quarantine, effective at a per-user level

Scan & Evaluate
- Agent scan for required versions of hotfixes, AV, etc.
- Network scan for virus and worm infections and port vulnerabilities


NAC Appliance Components

Cisco NAC Manager: Centralizes management for administrators, support personnel, and operators

Cisco NAC Server: Serves as the posture, remediation and enforcement access control point

Cisco NAC Agent: Optional lightweight client for device-based registry scans in unmanaged environments

Rule-set Updates: Scheduled automatic updates for anti-virus, critical hot-fixes and other applications


Cisco NAC Appliance Overview

1. End user attempts to access the network. Access is blocked until the wired or wireless end user provides login information.

2. User logs into the optional agent or is redirected to a login web page. Cisco NAC validates the username and password and also performs device and network scans to assess vulnerabilities on the device.

3a. Quarantine role: the device is noncompliant or the login is incorrect. The user is denied access and assigned to a quarantine role with access to online remediation resources.

3b. Device is “clean”: the machine is put on the “certified devices list” and is granted access to the network.

Diagram labels: THE GOAL (Intranet/Network), NAC Server, NAC Manager, Authentication Server.
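The admission flow above as an added, runnable example (my own code, not Cisco's): the user store, the posture rule-set values (required hotfix level, AV signature date, flagged ports) and the endpoint records are constructed assumptions, and the "certified devices list" is a plain set.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample data: user store (username -> password, role) and the posture rule-set
USERS = {"alice": ("s3cret", "employee"), "bob": ("hunter2", "contractor")}
REQUIRED_HOTFIX_LEVEL = 3               # agent scan: minimum hotfix level (assumed value)
REQUIRED_AV_SIGNATURES = "2008-10-01"   # agent scan: AV signatures at least this date (assumed)
FLAGGED_PORTS = {135, 445}              # network scan: listening ports the policy treats as findings

@dataclass
class Endpoint:
    mac: str
    hotfix_level: int
    av_signature_date: str
    open_ports: tuple = ()

@dataclass
class Decision:
    role: str                           # user role, "quarantine", or "denied"
    findings: list = field(default_factory=list)

certified_devices = set()               # the "certified devices list" from step 3b

def evaluate_posture(ep):
    """Scan & Evaluate: agent checks (hotfix, AV) plus network-scan findings."""
    findings = []
    if ep.hotfix_level < REQUIRED_HOTFIX_LEVEL:
        findings.append(f"hotfix level {ep.hotfix_level} below required {REQUIRED_HOTFIX_LEVEL}")
    if ep.av_signature_date < REQUIRED_AV_SIGNATURES:      # ISO dates compare correctly as strings
        findings.append(f"AV signatures dated {ep.av_signature_date} are out of date")
    for port in sorted(FLAGGED_PORTS.intersection(ep.open_ports)):
        findings.append(f"port {port} open")
    return findings

def admit(username, password, ep):
    """Steps 2-3: authenticate & authorize, scan & evaluate, then quarantine or certify."""
    creds = USERS.get(username)
    if creds is None or not hmac.compare_digest(creds[0], password):
        return Decision("denied", ["login incorrect"])   # access stays blocked
    findings = evaluate_posture(ep)
    if findings:
        return Decision("quarantine", findings)          # 3a: isolated, remediation resources only
    certified_devices.add(ep.mac)                        # 3b: clean device goes on the certified list
    return Decision(creds[1])

def is_certified(mac):
    return mac in certified_devices
```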


3 Cisco NAC Solution Benefits


Operational Efficiencies: Part 1

Save time and effort in two ways:
- Identifying non-compliant devices
- Improving the remediation process through automation

Task                                  Person-Hours   Cost
Identifying non-compliant computer    1.0            $75.00
Locating non-compliant computer       1.0            $75.00
Bringing computer into compliance     2.0            $150.00
Potential Cost Savings per Computer                  $300.00

(assumes $75/hr labor cost)


Operational Efficiencies: Part 2

Protect investments: reuse existing gear and applications
- Works with existing network gear (including gear from other vendors).
- Makes existing security applications more effective by ensuring they exist, and are running and updated.
- . . . and more

Best support for Microsoft environments
- Supports corporate Microsoft environments better than any other NAC solution on the market
- Vista, XP, 98, 2000, Mac


4 Additional Resources – Guest and Profiler


NAC Profiler


NAC Gap: Non-PC Endpoint Devices

An enterprise LAN is comprised of myriad endpoint types. Most are undocumented (think DHCP).

Wired endpoints distribution, enterprises without VoIP:
- 50% Windows
- 50% Other

Wired endpoints distribution, enterprises with VoIP:
- 33% Windows
- 33% IP phones
- 33% Other


Examples of Non-PC Endpoints

- Printers
- Fax Machines
- IP Phones
- IP Cameras
- Wireless APs
- Managed UPS
- Hubs
- Cash Registers
- Medical Imaging Machines
- Alarm Systems
- Video Conferencing Stations
- Turnstiles
- HVAC Systems
- RMON Probes
- Vending Machines
- . . . and many others


Cisco NAC Profiler: Automation

Cisco NAC Profiler covers PCs and non-PCs alike (UPS, phone, printer, AP) through Discovery and Monitoring.

Endpoint Profiling
- Discover all network endpoints by type and location
- Maintain real-time and historical contextual data for all endpoints

Behavior Monitoring
- Monitor the state of the network endpoints
- Detect events such as MAC spoofing, port swapping, etc.

An automated process populates devices into the NAC Manager and subsequently into the appropriate NAC policy.


Cisco NAC Profiler Components

NAC Profiler Server: Aggregates all data from Collectors and manages the database of endpoint information. Updates the Cisco NAC Appliance Manager, where roles are applied. Sold as an appliance.

NAC Collector: Gathers information about endpoints using SNMP, NetFlow, DHCP, and active profiling. Sold as a license; co-resident with the NAC Appliance Server.


Understanding NAC Profiler Server

1. NAC Profiler Collector discovers and profiles devices and consolidates the information to send to the NAC Profiler Server.

2. NAC Profiler Server aggregates all of the information from the Collectors and maintains a database of all network-attached endpoints (e.g. phones, printers, badge readers, modalities, etc.).

3. NAC Profiler Server continuously maintains the Filters List via the NAC API and provisions the appropriate access decisions (allow, deny, check, “role”, or ignore).

4. NAC Profiler Collector continuously monitors the behavior of profiled devices (to prevent spoofing) and updates the Profiler Server.

Diagram labels: Mac, NAC Appliance Manager, NAC Profiler Server, AAA Server, Windows AD, NAC Appliance Server with NAC Collector Application, SPAN.
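The discover-then-monitor loop of the two Profiler slides above, written out as an added example that is not Cisco Profiler code: the OUI and DHCP vendor-class lookup tables, the filter decision per device type and the observations are constructed assumptions, and the detection logic (type or port changing for a known MAC) is one simple way to realise the "MAC spoofing" and "port swapping" events the slides name.

```python
from dataclasses import dataclass

# Constructed lookup tables (not real profiling rules): MAC OUI -> device type,
# DHCP vendor class -> device type, and the NAC filter decision per device type
OUI_TYPE = {"00:1b:78": "printer", "00:1a:a1": "phone", "00:50:56": "pc"}
DHCP_TYPE = {"Hewlett-Packard JetDirect": "printer",
             "Cisco Systems, Inc. IP Phone": "phone", "MSFT 5.0": "pc"}
FILTER_DECISION = {"printer": "allow", "phone": "allow", "pc": "check"}

@dataclass(frozen=True)
class Observation:
    """What a Collector learns about one endpoint from SNMP, DHCP and NetFlow."""
    mac: str
    switch_port: str
    dhcp_vendor_class: str

def profile(obs):
    """Classify an endpoint; 'conflict' when the OUI and the DHCP fingerprint disagree."""
    oui = OUI_TYPE.get(obs.mac.lower()[:8], "unknown")
    dhcp = DHCP_TYPE.get(obs.dhcp_vendor_class, "unknown")
    if "unknown" not in (oui, dhcp) and oui != dhcp:
        return "conflict"
    return dhcp if dhcp != "unknown" else oui

class Profiler:
    def __init__(self):
        self.baseline = {}   # mac -> (device type, switch port) learned at discovery
        self.filters = {}    # mac -> allow / deny / check / ignore, pushed to the NAC Manager

    def observe(self, obs):
        """Discovery on first sight; behaviour monitoring afterwards. Returns detected events."""
        kind = profile(obs)
        if obs.mac not in self.baseline:
            self.baseline[obs.mac] = (kind, obs.switch_port)
            self.filters[obs.mac] = "deny" if kind == "conflict" else FILTER_DECISION.get(kind, "ignore")
            return []
        events = []
        known_kind, known_port = self.baseline[obs.mac]
        if obs.switch_port != known_port:
            events.append("port_swap")           # same MAC now seen on another switch port
        if kind != known_kind:
            events.append("mac_spoofing")        # e.g. a printer's MAC now fingerprints as a PC
            self.filters[obs.mac] = "deny"       # post-admission: pull the device's access
        self.baseline[obs.mac] = (known_kind, obs.switch_port)
        return events

    def decision(self, mac):
        return self.filters.get(mac, "ignore")
```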


Primary Value to Customer: Simplify NAC Deployment and Management

Cisco NAC Profiler yields these benefits:

Reduces need for full-time employees
- Redeploy human resources to higher-value assignments

Enables scaling of the network for a growing business
- Continual, real-time inventory of devices enables the network to grow without management burden

Increases accuracy rate
- Reduction of errors helps maintain network security and up-time

Improves post-admission security
- Behavioral monitoring of devices detects and prevents MAC spoofing


Return on Investment through Automation

Discovery and Documentation: save time and effort compiling the initial inventory of endpoints

                      Person-Hours   Rate     Total Labor Cost
Before NAC Profiler   6,240          $75/hr   $468,000
With NAC Profiler     80             $75/hr   $6,000

* Source: real customer data from St. John’s Hospital


Cisco NAC Guest Server


Experts Agree: Guest Access Graduates to NAC

“Building a guest network is often the first step in implementing a broader network access control project. Organizations can reduce NAC costs by architecting guest networks with technology that can also be applied to protecting their internal networks from managed PCs.” —Gartner, July 2007


What Is Cisco NAC Guest Server?

A portal for managing the entire guest user lifecycle: Provisioning, Notification (SMS, Email, Print-out), Management, Reporting.


Four Key Components of Guest Access

GUEST: The visitor who needs network access (usually internet only, but could be more)

SPONSOR: The internal user who wants to be able to provide internet access to their guest

NETWORK ENFORCEMENT DEVICE: Handles web redirection and authentication, and provides access. Wireless LAN Controller or NAC Appliance

NAC GUEST SERVER: Enables the sponsor to create the guest account; audits; provisions the account on the network enforcement device


Provisioning > Notification > Management > Reporting

1. Who should create guest accounts?

Receptionist (Lobby Ambassador)?
- Additional responsibility for the receptionist.
- Inconvenient if you forget at arrival, or you don’t realize you can get guest access, or don’t think you need it until it is too late.

IT Security?
- Additional responsibility
- Inconvenient
- Costly resource to create guest accounts

IT Help Desk?
- Inconvenient
- Costly: how much does it cost to open a case?

Anyone? (“Sponsor Self Service”)
- Convenient and very quick
- Secure: full sponsor auth, permissions, full audit
- Low cost


Provisioning > Notification > Management > Reporting

2. How will guests get their login details?
- On screen
- Print-out
- Email
- SMS


Provisioning > Notification > Management > Reporting

3. What else can the sponsor do?
- Extending account times (by the originating sponsor or another sponsor)
- Re-sending guest account details (by the originating sponsor or another sponsor)
- Suspending accounts, due to leaving early, malicious use, etc.


Provisioning > Notification > Management > Reporting

4. Why is reporting so important?

Security teams cite reporting and auditing as key guest access requirements.

Full audit trail:
- sponsor who created the account
- guest receiving account details
- access times of guest
- IP address used by guest

Management reporting (secondary benefit):
- Network utilization
- Ongoing usage
- Cost justification


Guest Access Walkthrough - Sponsor (NAC Appliance)

1. Sponsor accesses Cisco Guest Server, such as http://guests.yourcompany.com
2. Sponsor authenticates using corporate credentials
3. Sponsor creates account on the guest server
4. Sponsor gives guest account details (email/print/SMS)
5. Guest server provisions account on the Cisco NAC Appliance

Diagram elements: Guest, Sponsor, Internet, Wired or Wireless, NAC Appliance, Active Directory, Cisco NAC Guest Server


Guest Access Walkthrough - Guest (NAC Appliance)

1. Guest opens Web browser
2. Web traffic is intercepted by the network enforcement device and redirected to the login page (captive portal)
3. Guest logs in with details provided by the sponsor
4. Guest can now access the internet
5. Guest access is recorded
6. Guest is removed when the session time expires

Diagram elements: Guest, Sponsor, Internet, Wired or Wireless, NAC Appliance, Active Directory, Cisco NAC Guest Server


Guest Access Walkthrough - Sponsor (Wireless LAN Controller)

1. Sponsor accesses Cisco NAC Guest Server, e.g. http://guests.yourcompany.com
2. Sponsor authenticates using corporate credentials
3. Sponsor creates account on the Cisco NAC Guest Server
4. Sponsor gives guest account details (email/print/SMS)

Diagram elements: Guest, Sponsor, Active Directory, Cisco NAC Guest Server


Guest Access Walkthrough - Guest (Wireless LAN Controller)

1. Guest opens Web browser
2. Web traffic is intercepted by the Wireless LAN Controller and redirected to the login page (captive portal)
3. Guest logs in with details provided by the sponsor
4. WLC authenticates the user against the guest server using RADIUS
5. Guest can now access the internet
6. Guest access is recorded

Diagram elements: Guest, Internet, Active Directory, Wireless Access Point, Wireless LAN Controller, Cisco NAC Guest Server
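The guest lifecycle from the provisioning, management and reporting slides and the two walkthroughs above, as an added example that is not Cisco NAC Guest Server code: a sponsor authenticates, self-provisions a time-limited guest account, can extend or suspend it, the enforcement device checks each login against the account (with every attempt recorded in the audit trail), and expired accounts are removed. The sponsor credential store, account lifetimes and Unix-timestamp clock are constructed assumptions.

```python
import secrets

SPONSORS = {"carol": "corp-pass"}  # constructed stand-in for the corporate (AD) sponsor credentials

class GuestServer:
    """Times are Unix timestamps (seconds) so the scenario runs without a real clock."""

    def __init__(self):
        self.accounts = {}   # username -> {password, sponsor, expires, suspended}
        self.audit = []      # full audit trail: who created what, who logged in, when, from where

    def _log(self, event, **fields):
        self.audit.append({"event": event, **fields})

    def create_account(self, sponsor, password, guest_email, hours, now):
        # Sponsor self-service: authenticate the sponsor, then provision a time-limited account
        if not secrets.compare_digest(SPONSORS.get(sponsor, ""), password):
            self._log("sponsor_auth_failed", sponsor=sponsor)
            raise PermissionError("sponsor authentication failed")
        username = "guest-" + secrets.token_hex(3)
        self.accounts[username] = {"password": secrets.token_urlsafe(9), "sponsor": sponsor,
                                   "expires": now + hours * 3600, "suspended": False}
        self._log("account_created", sponsor=sponsor, guest=username, sent_to=guest_email)
        return username, self.accounts[username]["password"]

    def extend(self, sponsor, username, hours):     # sponsor is already signed in to the portal
        self.accounts[username]["expires"] += hours * 3600
        self._log("account_extended", sponsor=sponsor, guest=username, hours=hours)

    def suspend(self, sponsor, username, reason):   # e.g. guest left early or misused access
        self.accounts[username]["suspended"] = True
        self._log("account_suspended", sponsor=sponsor, guest=username, reason=reason)

    def authenticate(self, username, password, client_ip, now):
        # What the enforcement device asks when the guest logs in; every attempt is recorded
        acct = self.accounts.get(username)
        ok = (acct is not None and not acct["suspended"] and now < acct["expires"]
              and secrets.compare_digest(acct["password"], password))
        self._log("guest_login", guest=username, ip=client_ip, at=now, success=ok)
        return ok

    def expire(self, now):
        # Guest is removed when the session time expires
        gone = [u for u, a in self.accounts.items() if now >= a["expires"]]
        for u in gone:
            del self.accounts[u]
            self._log("account_expired", guest=u)
        return gone
```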


Additional Resources

Product information at:

www.cisco.com/go/nac/appliance
