WELCOME TO Network Security
January 21, 2010
Systems Engineering & Administration Technology User Group

Upload: aamir97

Post on 18-Nov-2014


Agenda
• Introduction
• Housekeeping
• Tools and Industry news
• Network Security
• Break
• Bradford Networks
• Next Meeting

Introduction to SEA-TUG

• Founded in 2001 by Steve Noel and Rob Bergin to help IT professionals in the seacoast collaborate.

• Part of larger user group communities
  – Boston User Groups
  – Global IT Community Association (GITCA) (formerly Culminis)

• This is YOUR user group – help us make it better. What topics do you want covered? What resources can you contribute?

Housekeeping

• Thank you to the Hilton Garden Inn!
• Restrooms / Exits
• Parking
• Food / Beverages

Tools

• Tech-Ed June 7-10 – New Orleans
  – Save $200 by registering before Feb. 28

• Win7 Assessment and Planning Toolkit
  – http://go.microsoft.com/?linkid=9706741

Tonight’s Presentation

Introduction to “NAC” Network Access Control

John Sheedy
Technical Marketing Manager

Bradford Networks

© 2010 Bradford Networks. All rights reserved.

Introduction to “NAC” Network Access Control

Adaptive Network Security

John Sheedy
Technical Marketing Manager
Bradford Networks

Agenda

• Introduction to Network Access Control (NAC)
  – Problems Addressed
  – What It Does And How It Works
  – Best Practices For Implementation

• Beyond “NAC”
  – Adaptive Network Security
  – Bradford’s Network Sentry Family
  – Sample Use Cases and Solutions

Demands of Today’s Mobile Enterprise

• Highly mobile workforce
  – Need anytime/anywhere secure network access

• Guests, Partners, and Contractors
  – Require differing levels of access

• Bottom line: everyone now needs network access…
  – No longer simply a convenience
  – A business necessity for employees and other users

• So, what about Security? Control?

That’s Where “NAC” Comes In…

• NAC = Network Access Control
  – Visibility across your entire network
  – Control over who and what accesses your network
  – Control over when, where, and how network is accessed

Problems It Addresses

Visibility
“I have thousands of employees accessing data from more than 40 locations. How do I keep track of them?”

Logging and Reporting
“Regulations require I audit and log network access and we do everything manually. How do I meet my reporting requirements?”

Policy Enforcement
“I need to provide varying levels of data access to different users based on title, role, location, and task.”

Security
“Worms and viruses have taken down a number of systems and compromised customer data. How do I ensure that every device accessing my network has the latest anti-virus, anti-spyware and security patches installed?”

What It Does

• Identifies network users and their devices

• Assesses security posture of devices

• Enforces access policies
  – Allows authorized users and devices on
  – Blocks unauthorized users and devices

• Logs all activity for reporting and compliance

• Automates the entire process

Identity Management | Endpoint Compliance | Policy Enforcement

Elements of NAC Solutions

How It Works: Authorized User

1. User connects
2. Login required
3. Laptop scanned
4. Check policies
5. Allow access
6. Activity logged

[Diagram: a new user (Employee) connecting to the Existing Network; the Policy Server prompts “Username?” / “Password?”, the user answers “Bill Smith” / “AbC123”, and the result is “Allow Access” with Role: Employee.]

Business Considerations

• What problems will be addressed with NAC?
  – What is the most immediate need?

• Acceptable Use Policy
  – Does the organization have one?

• What are organizational / political implications?

• What level of financial investment is feasible?

• What is the timeframe for deployment?

• What are the expected benefits / ROI?
  – How will they be measured?

Technical Considerations

• How can the existing infrastructure be leveraged?

• What authentication methods will be used?

• What is acceptable security posture for devices?

• What enforcement methods will be used?

• How will non-compliant users/devices be handled?

• What remediation methods will be used?

• How will the solution be rolled out?

Deployment Approaches

• Phased Approach
  – MUCH greater success

• “All In” Approach
  – NOT recommended!

[Diagram: Pilot Project, Rollout Phase 1, Rollout Phase 2, Rollout Phase 3]

Phased Deployment Approaches

• “Monitor-Only” Mode (Visibility)
  – Identify/Authenticate users and devices
  – Assess security posture of host device
  – Monitor network access and log all activity
  – No Enforcement
    • Enforce access policies in later phases

• “Pilot Project” (Enforcement)
  – Start Small, then expand in later phases
    • Building #1, Building #2, etc.
    • Department #1, Department #2, etc.
    • User Group #1, User Group #2, etc.
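The six-step admission flow from the “How It Works” slide, combined with the “Monitor-Only” phase described above, as an added example (not Bradford Networks code). The user directory, segment names and posture attributes are hypothetical; a real deployment would delegate authentication to the organisation's directory.

```python
import hmac
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample data (assumptions of this example, not product settings).
USERS = {"bsmith": {"password": "example-only-secret", "role": "employee"}}
ROLE_SEGMENT = {"employee": "corp", "guest": "guest-internet-only"}
REQUIRED_POSTURE = {"antivirus_current", "patches_current"}

@dataclass
class AdmissionController:
    enforce: bool = False                      # False = "monitor-only" phase
    audit_log: list = field(default_factory=list)

    def admit(self, mac, username, password, posture):
        """Steps 1-6: connect, login, scan, check policy, decide, log."""
        user = USERS.get(username)
        # Stand-in for the real directory lookup; constant-time comparison.
        if user is None or not hmac.compare_digest(
                user["password"].encode(), password.encode()):
            verdict, wanted = "auth_failed", "blocked"
        elif not REQUIRED_POSTURE <= set(posture):
            verdict, wanted = "non_compliant", "remediation"
        else:
            verdict, wanted = "compliant", ROLE_SEGMENT[user["role"]]
        # Monitor-only: log what enforcement would do, leave the port alone.
        applied = wanted if self.enforce else "unchanged"
        self.audit_log.append({"mac": mac, "user": username, "verdict": verdict,
                               "would_apply": wanted, "applied": applied})
        return applied

def enforcement_impact(audit_log):
    """Count, from a monitor-only log, the connections enforcement would restrict."""
    return Counter(e["would_apply"] for e in audit_log
                   if e["would_apply"] in ("blocked", "remediation"))
```

Running the monitor-only phase first and reviewing `enforcement_impact` shows how many users would land in remediation or be blocked before any port is actually restricted.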

Best Practices Summary

• Plan, Plan, Plan
  – Define clear goals/objectives and metrics for success

• Engage all stakeholders early and often

• Address the most critical business problem(s) first

• Apply deployment strategy that fits best
  – “Monitor-Only” – no policy enforcement
  – “Pilot Project” – start small, then expand

• Solve immediate needs first
  – Secure Guest Access
  – Network “Lock Down”

• Choose a solution for short and long term needs

Beyond “NAC”

Adaptive Network Security

"Security Silos" Dominate Today's Networks

• Multiple disparate security silos
• Security feature built into network infrastructure
• Endpoint security (e.g. AV/AS)

NAC Reduces Some of the Silos

• Multiple disparate security silos
• Most NAC solutions only validate user identity and security posture of PCs

Adaptive Network Security

Adaptive Network Security integrates with and leverages the entire network environment

Adaptive Network Security

• Integrates with existing infrastructure
• Correlates information
• Automates processes
• Adapts to changing conditions

[Diagram: Adaptive Network Security Platform]
Integrate: Desktop, Network, Security
Correlate: Identity, Posture, Policy
Automate: Discovery, Control, Remediation
Engines: Policy Engine, Device Engine, Remediation Engine, State Engine (earlier builds of the diagram label the engines Device, Remediation, Policy, Enforcement)
Underlying Technology Platform

Key Functionality

Solving Real-World Security Challenges

MANAGE AND CONTROL
• Identify: Identify every user and device on the network
• Validate: Validate security posture of devices
• Notify: Notify through automated alerts/messages
• Remediate: Remediate non-compliant devices
• Enforce: Dynamically enforce security policies
• Audit: Log and report for regulatory compliance

Business Value

Security
• Access Control
• Policy Enforcement
• “Audit Trails” and Reports
• Regulatory Compliance

IT/Networking
• Visibility and Control
• Network Transparency
• Centralized Management
• Automated Actions

Secure Critical IT Assets and Automate Security Operations

Bradford’s Network Sentry Family

FOUNDATION: Network Sentry Foundation
SOLUTIONS: Access Manager, Guest Manager, Shared Access Tracker, Device Tracker
EXTENSIONS: Endpoint Compliance, Device Profiler, Integration Suite

• Adaptive Network Security Platform
  – Comprehensive Visibility and Control
  – Integration, Correlation, Automation

Non-Intrusive Out-of-Band Architecture

Sample Use Cases

• Traditional “NAC”

• Network Lock-down

• Device Profiling and Control

• Secure Guest/Contractor Access

• Dynamic Edge Response

Traditional “NAC”

Authenticate network users and validate device security posture

[Diagram: Network Sentry family (Foundation, Solutions, Extensions)]

Functionality:
• Prevent unauthorized access
• Locate and track all users/devices
• Enforce access/usage policies
• Perform endpoint posture checks
• Manage network access activity
• Generate logs and reports

Benefits
• Secure valuable IT assets and information from unauthorized access
• Ensure endpoint devices connecting to network meet minimum security requirements
• Complete visibility of all users and devices attempting to access the network

Network Lock-down

Lock down the network to allow only known, authorized devices

[Diagram: Network Sentry family (Foundation, Solutions, Extensions)]

Functionality:
• Prevent unauthorized access
• Locate and track all devices
• Enforce access/usage policies
• Isolate rogue devices
• Manage network access activity
• Generate logs and reports

Benefits
• Secure valuable IT assets and information from unauthorized access
• Logical “first step” in a multi-phased access security deployment
• Complete visibility of all endpoint devices attempting to access the network

Device Profiling and Control

Dynamically identify, profile, and manage all network-attached devices

[Diagram: Network Sentry family (Foundation, Solutions, Extensions)]

Functionality:
• “Lock-down” network access
• Dynamically classify all devices
• Delegate device management to non-IT staff* (by device type)
• Enable auto-registration capability
• Generate logs and reports

Benefits
• Secure the network environment; allow access by only known/authorized devices
• Off-load routine tasks from IT; empower non-technical staff within other business functions
• Complete visibility and control of all guests accessing the network

Secure Guest / Contractor Access

Allow secure access for visitors; delegate guest account management

[Diagram: Network Sentry family (Foundation, Solutions, Extensions)]

Functionality:
• Identify guests and their devices
• Authenticate for secure access
• Enforce role-based access policies
• Delegate guest account management to non-IT staff
• Provide self-service registration

Benefits
• Secure the network environment while allowing flexible access for guest users
• Off-load routine tasks from IT; empower non-technical staff within other business functions
• Complete visibility and control of all guests accessing the network

Dynamic Edge Response

Leverage third-party security systems for network-wide control

[Diagram: Network Sentry family (Foundation, Solutions, Extensions)]

Functionality:
• “Lock-down” network access
• Integrate security systems via SNMP traps, syslog messages
• Correlate various pieces of information related to threat
• Notify IT staff and/or take response action automatically

Benefits
• Enforce security controls at the LAN edge (i.e., point of access)
• Quickly locate the source of a detected security threat
• Reduce time to resolve/eliminate an identified threat

Dynamic Edge Response

Leverage third-party security systems for network-wide control

ANOMALY DETECTED. SOURCE IP = 192.168.10.200

IP Address 192.168.10.200

MAC Address 00-1E-52-2D-5B-19

Host Name Bill’s MacBook

User Name Bill Smith

Location Port 42, Switch 10
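The correlation this slide illustrates, as an added example (not Bradford Networks code): a third-party sensor reports only a source IP over syslog, and the endpoint table resolves it to a device, user and switch port before any response is chosen. The endpoint record reuses the values on the slide; the syslog line format, table layout and action names are hypothetical.

```python
import ipaddress
import re

# Endpoint table keyed by current IP; the one record is the slide's example.
ENDPOINTS = {
    "192.168.10.200": {"mac": "00-1E-52-2D-5B-19", "host": "Bill’s MacBook",
                       "user": "Bill Smith", "switch": 10, "port": 42},
}

# Constructed syslog lines in a made-up sensor format.
SAMPLE_SYSLOG = [
    "<132>Jan 21 18:04:11 ids01 sensor: ANOMALY DETECTED. SOURCE IP = 192.168.10.200",
    "<134>Jan 21 18:04:12 ids01 sensor: heartbeat ok",
    "<132>Jan 21 18:05:40 ids01 sensor: ANOMALY DETECTED. SOURCE IP = 192.168.10.77",
    "<132>Jan 21 18:06:02 ids01 sensor: ANOMALY DETECTED. SOURCE IP = 999.1.1.1",
]

ALERT = re.compile(r"ANOMALY DETECTED\. SOURCE IP = (\d{1,3}(?:\.\d{1,3}){3})\b")

def correlate(line, endpoints=ENDPOINTS):
    """Map one syslog line to a response decision, or None if it is not an alert."""
    match = ALERT.search(line)
    if match is None:
        return None
    ip = match.group(1)
    try:
        ipaddress.IPv4Address(ip)          # reject values such as 999.1.1.1
    except ValueError:
        return {"ip": ip, "action": "discard_malformed"}
    endpoint = endpoints.get(ip)
    if endpoint is None:
        # No known device behind this IP: alert staff, never touch a port.
        return {"ip": ip, "action": "notify_only"}
    return {"ip": ip, **endpoint, "action": "isolate_port"}

def triage(lines):
    """Correlate a batch of lines and keep only the alerts."""
    return [r for r in map(correlate, lines) if r is not None]
```

Automatic isolation is tied to an exact match in the endpoint table, so a stale or spoofed address results in a notification rather than a port being shut on the wrong device.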

Learn More

• Bradford Network Sentry Family
  http://www.bradfordnetworks.com/network_sentry_family

• Adaptive Network Security Solutions
  http://www.bradfordnetworks.com/solutions_overview

THANK YOU

BACKUP MATERIAL

Bradford Networks At-A-Glance

• Founded in 1999

• Headquartered in Concord, NH

• Focus On Adaptive Network Security Solutions

• Shipping Products Since 2002

• Over 600 Customers Worldwide Today

• Over 1 Million Network Users Secured

• Venture-Backed to Accelerate Growth

• Record Growth in Last Two Fiscal Years

• Customer-Focused

• Broad Industry Recognition

Milestones

[Timeline figure; year axis: 1999, 2002, 2004, 2006, 2007, 2008, 2009; customers axis: 1, 100, 200, 500, 600+. Recoverable labels:]
• Company founded as Bradford Software & Consulting, LLC
• Bradford Software incorporated as Bradford Networks
• First commercial network security product shipped
• Suffield Academy
• 100 customers by 2004
• 200 customers by 2006
• Series A Funding
• 2007 Awards: CRN Emerging Vendor; SC Magazine Innovator of the Year
• 2008 Awards: Campus Technology Innovator; SC Magazine Innovator of the Year
• 1 Million Users Secured
• Forrester Wave Report Leader
• Named “Visionary” in Gartner Magic Quadrant

Awards and Recognition

• Innovation

• Strategy and Vision

• Technology Leadership

• Customer Satisfaction

NAC Studies: Forrester and Gartner

Source: The Forrester Wave: NAC Q3 2008
Source: Magic Quadrant for NAC, March 2009

Our Customers