welcome to network security january 21, 2010
WELCOME TO
Network Security
January 21, 2010
Systems Engineering & Administration Technology User Group
Agenda
• Introduction
• Housekeeping
• Tools and Industry news
• Network Security
• Break
• Bradford Networks
• Next Meeting
Introduction to SEA-TUG
• Founded in 2001 by Steve Noel and Rob Bergin to help IT professionals in the Seacoast collaborate.
• Part of larger user group communities
– Boston User Groups
– Global IT Community Association (GITCA), formerly Culminis
• This is YOUR user group – help us make it better. What topics do you want covered? What resources can you contribute?
Housekeeping
• Thank you to the Hilton Garden Inn!
• Restrooms / Exits
• Parking
• Food / Beverages
Tools
• Tech-Ed June 7-10 – New Orleans
– Save $200 by registering before Feb. 28
• Win7 Assessment and Planning Toolkit
– http://go.microsoft.com/?linkid=9706741
Tonight’s Presentation
Introduction to “NAC” Network Access Control
John Sheedy, Technical Marketing Manager
Bradford Networks
© 2010 Bradford Networks. All rights reserved.
Introduction to “NAC” Network Access Control
Adaptive Network Security
John Sheedy, Technical Marketing Manager, Bradford Networks
Agenda
• Introduction to Network Access Control (NAC)
– Problems Addressed
– What It Does And How It Works
– Best Practices For Implementation
• Beyond “NAC”
– Adaptive Network Security
– Bradford’s Network Sentry Family
– Sample Use Cases and Solutions
Demands of Today’s Mobile Enterprise
• Highly mobile workforce
– Need anytime/anywhere secure network access
• Guests, Partners, and Contractors
– Require differing levels of access
• Bottom line: everyone now needs network access…
– No longer simply a convenience
– A business necessity for employees and other users
• So, what about Security? Control?
That’s Where “NAC” Comes In…
• NAC = Network Access Control
– Visibility across your entire network
– Control over who and what accesses your network
– Control over when, where, and how the network is accessed
Problems It Addresses
Visibility: “I have thousands of employees accessing data from more than 40 locations. How do I keep track of them?”
Logging and Reporting: “Regulations require I audit and log network access and we do everything manually. How do I meet my reporting requirements?”
Policy Enforcement: “I need to provide varying levels of data access to different users based on title, role, location, and task.”
Security: “Worms and viruses have taken down a number of systems and compromised customer data. How do I ensure that every device accessing my network has the latest anti-virus, anti-spyware and security patches installed?”
What It Does
• Identifies network users and their devices
• Assesses security posture of devices
• Enforces access policies
– Allows authorized users and devices on
– Blocks unauthorized users and devices
• Logs all activity for reporting and compliance
• Automates the entire process
Three pillars: Identity Management, Endpoint Compliance, Policy Enforcement
Elements of NAC Solutions
How It Works: Authorized User
Components shown: the employee’s laptop, the existing network, and the policy server.
1. User connects (new user connecting)
2. Login required (Username? “Bill Smith” / Password? “AbC123”)
3. Laptop scanned
4. Check policies (role: Employee)
5. Allow access
6. Activity logged
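The six-step flow above, as an added example that is not Bradford's code: a small Python admission check that authenticates the user, scans the device's posture against a policy, decides allow/quarantine/deny, and writes an audit line. The identity store, the posture thresholds, the VLAN numbers and the `enforce` flag (which models a monitor-only rollout phase, where decisions are logged but not applied) are all assumptions made for the demo.

```python
"""Toy NAC admission decision (added example; not Bradford's product code).

Walks the slide's flow: connect, login, scan, check policy, allow/deny, log.
Identity store, posture policy and VLAN numbers are constructed for the
demo; a real deployment pulls them from RADIUS/LDAP, a posture agent and
the access-switch configuration.
"""
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed identity store: username -> (password, role).  Plaintext is
# only acceptable in a demo; a real NAC delegates this check to RADIUS/LDAP.
USERS: Dict[str, Tuple[str, str]] = {
    "bsmith": ("AbC123", "employee"),     # the slide's "Bill Smith"
    "jdoe": ("hunter2", "contractor"),
}

# Constructed posture policy (assumed thresholds).
MIN_AV_SIGNATURE = "2010-01-14"   # ISO date: AV definitions must be at least this new
MAX_DAYS_SINCE_PATCH = 30
REQUIRE_HOST_FIREWALL = True

# Constructed enforcement mapping (assumes VLAN assignment at the access switch).
ROLE_VLAN = {"employee": 10, "contractor": 20}
QUARANTINE_VLAN = 99              # reaches only the patch/AV servers


@dataclass
class Device:
    mac: str
    av_signature_date: str        # ISO date reported by the posture scan
    days_since_patch: int
    firewall_enabled: bool


@dataclass
class Decision:
    action: str                   # "allow", "quarantine" or "deny"
    vlan: Optional[int]           # VLAN for the port (None = port stays closed)
    reasons: List[str] = field(default_factory=list)
    enforced: bool = True         # False in monitor-only mode: logged, not applied


def authenticate(username: str, password: str) -> Optional[str]:
    """Step 2: return the user's role, or None if the credentials fail."""
    entry = USERS.get(username)
    if entry is None:
        return None
    expected, role = entry
    # Constant-time compare so a wrong password does not leak via timing.
    return role if hmac.compare_digest(expected.encode(), password.encode()) else None


def assess_posture(dev: Device) -> List[str]:
    """Step 3: return every policy violation found (empty list = compliant)."""
    problems = []
    if dev.av_signature_date < MIN_AV_SIGNATURE:         # ISO dates sort as strings
        problems.append(f"AV signatures dated {dev.av_signature_date} older than {MIN_AV_SIGNATURE}")
    if dev.days_since_patch > MAX_DAYS_SINCE_PATCH:
        problems.append(f"last patched {dev.days_since_patch} days ago")
    if REQUIRE_HOST_FIREWALL and not dev.firewall_enabled:
        problems.append("host firewall disabled")
    return problems


def admit(username: str, password: str, dev: Device,
          enforce: bool = True, log: Optional[List[str]] = None) -> Decision:
    """Steps 4-6: combine identity and posture, decide, and write an audit line.

    enforce=False is the monitor-only mode of a visibility-first rollout: the
    decision is computed and logged exactly as it would be, but the switch
    port is left alone.
    """
    role = authenticate(username, password)
    if role is None:
        decision = Decision("deny", None, ["authentication failed"])
    else:
        problems = assess_posture(dev)
        if problems:
            decision = Decision("quarantine", QUARANTINE_VLAN, problems)
        else:
            decision = Decision("allow", ROLE_VLAN[role])
    decision.enforced = enforce
    line = (f"{datetime.now(timezone.utc).isoformat()} user={username} role={role} "
            f"mac={dev.mac} action={decision.action} vlan={decision.vlan} "
            f"enforced={enforce} reasons={';'.join(decision.reasons) or '-'}")
    if log is not None:
        log.append(line)
    return decision


if __name__ == "__main__":
    audit: List[str] = []
    clean = Device("00-1E-52-2D-5B-19", "2010-01-20", 5, True)      # constructed
    stale = Device("00-1E-52-2D-5B-1A", "2009-11-30", 45, False)    # constructed
    print(admit("bsmith", "AbC123", clean, log=audit))              # allow, VLAN 10
    print(admit("bsmith", "AbC123", stale, log=audit))              # quarantine, VLAN 99
    print(admit("bsmith", "wrong", clean, log=audit))               # deny
    print(admit("jdoe", "hunter2", stale, enforce=False, log=audit))  # quarantine, not enforced
    print(*audit, sep="\n")
```

Quarantine rather than a flat deny for posture failures is what makes remediation possible: the device lands in a VLAN that reaches the patch and AV servers and nothing else. Keeping the decision separate from enforcement (the `enforced` field) is what lets the same policy run in monitor-only mode first and be switched to enforcement later without rewriting it.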
Business Considerations
• What problems will be addressed with NAC?
– What is the most immediate need?
• Acceptable Use Policy – Does the organization have one?
• What are organizational / political implications?
• What level of financial investment is feasible?
• What is the timeframe for deployment?
• What are the expected benefits / ROI?
– How will they be measured?
Technical Considerations
• How can the existing infrastructure be leveraged?
• What authentication methods will be used?
• What is acceptable security posture for devices?
• What enforcement methods will be used?
• How will non-compliant users/devices be handled?
• What remediation methods will be used?
• How will the solution be rolled out?
Deployment Approaches
• Phased Approach – MUCH greater success
• “All In” Approach – NOT recommended!
Phased sequence shown: Pilot Project → Rollout Phase 1 → Rollout Phase 2 → Rollout Phase 3
Phased Deployment Approaches
• “Monitor-Only” Mode (Visibility)
– Identify/Authenticate users and devices
– Assess security posture of host device
– Monitor network access and log all activity
– No Enforcement
• Enforce access policies in later phases
• “Pilot Project” (Enforcement)
– Start Small, then expand in later phases
• Building #1, Building #2, etc.
• Department #1, Department #2, etc.
• User Group #1, User Group #2, etc.
Best Practices Summary
• Plan, Plan, Plan
– Define clear goals/objectives and metrics for success
• Engage all stakeholders early and often
• Address the most critical business problem(s) first
• Apply the deployment strategy that fits best
– “Monitor-Only” – no policy enforcement
– “Pilot Project” – start small, then expand
• Solve immediate needs first
– Secure Guest Access
– Network “Lock Down”
• Choose a solution for short and long term needs
Beyond “NAC”
Adaptive Network Security
"Security Silos" Dominate Today's Networks
Multiple disparate security silos:
• Security features built into network infrastructure
• Endpoint security (e.g. AV/AS)
NAC Reduces Some of the Silos
Multiple disparate security silos remain: most NAC solutions only validate user identity and the security posture of PCs.
Adaptive Network Security
Adaptive Network Security integrates with and leverages the entire network environment.
Adaptive Network Security
• Integrates with existing infrastructure
• Correlates information
• Automates processes
• Adapts to changing conditions
Adaptive Network Security Platform
• Integrate: Desktop, Network, Security
• Correlate: Identity, Posture, Policy
• Automate: Discovery, Control, Remediation
Underlying Technology Platform: Policy Engine, Device Engine, Remediation Engine, State Engine
Key Functionality (Manage and Control)
• Identify: identify every user and device on the network
• Validate: validate the security posture of devices
• Notify: notify through automated alerts/messages
• Remediate: remediate non-compliant devices
• Enforce: dynamically enforce security policies
• Audit: log and report for regulatory compliance
Solving Real-World Security Challenges
Business Value
Security:
• Access Control
• Policy Enforcement
• “Audit Trails” and Reports
• Regulatory Compliance
IT/Networking:
• Visibility and Control
• Network Transparency
• Centralized Management
• Automated Actions
Secure Critical IT Assets and Automate Security Operations
Bradford’s Network Sentry Family
Foundation: Network Sentry
Solutions: Access Manager, Guest Manager, Shared Access Tracker, Device Tracker
Extensions: Endpoint Compliance, Device Profiler, Integration Suite
• Adaptive Network Security Platform
– Comprehensive Visibility and Control
– Integration, Correlation, Automation
Non-Intrusive Out-of-Band Architecture
Sample Use Cases
• Traditional “NAC”
• Network Lock-down
• Device Profiling and Control
• Secure Guest/Contractor Access
• Dynamic Edge Response
Traditional “NAC”
Authenticate network users and validate device security posture
Functionality:
• Prevent unauthorized access
• Locate and track all users/devices
• Enforce access/usage policies
• Perform endpoint posture checks
• Manage network access activity
• Generate logs and reports
Benefits:
• Secure valuable IT assets and information from unauthorized access
• Ensure endpoint devices connecting to the network meet minimum security requirements
• Complete visibility of all users and devices attempting to access the network
Network Lock-down
Lock down the network to allow only known, authorized devices
Functionality:
• Prevent unauthorized access
• Locate and track all devices
• Enforce access/usage policies
• Isolate rogue devices
• Manage network access activity
• Generate logs and reports
Benefits:
• Secure valuable IT assets and information from unauthorized access
• Logical “first step” in a multi-phased access security deployment
• Complete visibility of all endpoint devices attempting to access the network
Device Profiling and Control
Dynamically identify, profile, and manage all network-attached devices
Functionality:
• “Lock-down” network access
• Dynamically classify all devices
• Delegate device management to non-IT staff* (by device type)
• Enable auto-registration capability
• Generate logs and reports
Benefits:
• Secure the network environment; allow access by only known/authorized devices
• Off-load routine tasks from IT; empower non-technical staff within other business functions
• Complete visibility and control of all guests accessing the network
Secure Guest / Contractor Access
Allow secure access for visitors; delegate guest account management
Functionality:
• Identify guests and their devices
• Authenticate for secure access
• Enforce role-based access policies
• Delegate guest account management to non-IT staff
• Provide self-service registration
Benefits:
• Secure the network environment while allowing flexible access for guest users
• Off-load routine tasks from IT; empower non-technical staff within other business functions
• Complete visibility and control of all guests accessing the network
Dynamic Edge Response
Leverage third-party security systems for network-wide control
Functionality:
• “Lock-down” network access
• Integrate security systems via SNMP traps and syslog messages
• Correlate the various pieces of information related to a threat
• Notify IT staff and/or take response action automatically
Benefits:
• Enforce security controls at the LAN edge (i.e., the point of access)
• Quickly locate the source of a detected security threat
• Reduce the time to resolve/eliminate an identified threat
Dynamic Edge Response
Leverage third-party security systems for network-wide control
Alert received: ANOMALY DETECTED. SOURCE IP = 192.168.10.200
Correlated endpoint record:
IP Address: 192.168.10.200
MAC Address: 00-1E-52-2D-5B-19
Host Name: Bill’s MacBook
User Name: Bill Smith
Location: Port 42, Switch 10
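The correlation on this slide, as an added example that is not Bradford's code: a syslog line carrying the slide's alert text is parsed, its source IP is looked up in a NAC inventory built from the slide's sample record, and an action at the access port is chosen. The syslog format, the inventory contents, the `NO_AUTO_ISOLATE` exclusion list and the severity threshold are all constructed or assumed for the demo.

```python
"""Dynamic edge response (added example; not Bradford's product code).

An IDS alert arrives as a syslog line, its source IP is correlated against
the NAC's who/what/where inventory, and an action is chosen for the access
port.  Inventory, syslog format, exclusion list and severity threshold are
all constructed/assumed for the demo.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Endpoint:
    ip: str
    mac: str
    hostname: str
    user: str
    switch: str
    port: int
    role: str


# Constructed inventory, as a NAC builds it from switch MAC tables, DHCP/ARP
# and authentication records.  The first record echoes the slide.
INVENTORY: Dict[str, Endpoint] = {
    "192.168.10.200": Endpoint("192.168.10.200", "00-1E-52-2D-5B-19", "Bill's MacBook",
                               "Bill Smith", "Switch 10", 42, "employee"),
    "192.168.10.5": Endpoint("192.168.10.5", "00-1E-52-00-00-05", "dc01",
                             "svc-ad", "Switch 1", 1, "infrastructure"),
}

# Roles never isolated automatically (assumed policy): an IDS false positive
# must not knock the domain controller or the NAC server itself off the network.
NO_AUTO_ISOLATE = {"infrastructure"}

# Only syslog severity warning (4) or worse triggers an automatic block;
# notice/info/debug alerts are correlated and reported but not acted on.
ISOLATE_MAX_SEVERITY = 4

# Constructed syslog format: an RFC 3164 style header in front of the alert
# text shown on the slide.  Only the source IP is needed for correlation.
ALERT_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<app>[^:]+): (?P<msg>.*SOURCE IP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*)$"
)


@dataclass
class Response:
    action: str                  # "isolate", "notify" or "ignore"
    target: Optional[Endpoint]
    message: str


def parse_alert(line: str) -> Optional[dict]:
    """Split a syslog line into fields; None if it is not an alert we handle."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["pri"]) % 8   # PRI = facility * 8 + severity
    return fields


def respond(line: str) -> Response:
    """Correlate one alert to an endpoint and decide what happens at the edge."""
    alert = parse_alert(line)
    if alert is None:
        return Response("ignore", None, "not an IDS alert")
    ep = INVENTORY.get(alert["ip"])
    if ep is None:
        # Nothing to act on at the edge (spoofed, transient or off-network
        # address): escalate to a person rather than failing silently.
        return Response("notify", None, f"{alert['ip']} not in inventory; check DHCP/ARP history")
    where = f"{ep.hostname} ({ep.user}, {ep.mac}) on {ep.switch} port {ep.port}"
    if ep.role in NO_AUTO_ISOLATE:
        return Response("notify", ep, f"{where} is {ep.role}: manual review required")
    if alert["severity"] > ISOLATE_MAX_SEVERITY:
        return Response("notify", ep, f"{where}: severity {alert['severity']}, logged only")
    return Response("isolate", ep, f"{where}: move port to quarantine VLAN")


# Constructed sample messages (PRI 132 = local0.warning, 134 = local0.info, 13 = user.notice).
SAMPLE_ALERTS = [
    "<132>Jan 21 19:05:12 ids01 ids: ANOMALY DETECTED. SOURCE IP = 192.168.10.200",
    "<132>Jan 21 19:05:40 ids01 ids: ANOMALY DETECTED. SOURCE IP = 192.168.10.5",
    "<132>Jan 21 19:06:02 ids01 ids: ANOMALY DETECTED. SOURCE IP = 10.9.9.9",
    "<134>Jan 21 19:06:30 ids01 ids: ANOMALY DETECTED. SOURCE IP = 192.168.10.200",
    "<13>Jan 21 19:07:00 ids01 sshd: Accepted publickey for ops from 192.168.10.50",
]

if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        r = respond(line)
        print(f"{r.action:8} {r.message}")
```

The value of the correlation is the jump from an IP address, which an IDS can only see, to a switch port, which is the one place the device can actually be cut off. The exclusion list and severity threshold are the practical caveat: wiring an IDS straight to port shutdown turns every false positive into a self-inflicted outage, so the automatic path should be narrow and everything else should notify.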
Learn More
• Bradford Network Sentry Family: http://www.bradfordnetworks.com/network_sentry_family
• Adaptive Network Security Solutions: http://www.bradfordnetworks.com/solutions_overview
THANK YOU
BACKUP MATERIAL
Bradford Networks At-A-Glance
• Founded in 1999
• Headquartered in Concord, NH
• Focus On Adaptive Network Security Solutions
• Shipping Products Since 2002
• Over 600 Customers Worldwide Today
• Over 1 Million Network Users Secured
• Venture-Backed to Accelerate Growth
• Record Growth in Last Two Fiscal Years
• Customer-Focused
• Broad Industry Recognition
Milestones
• 1999: company founded as Bradford Software & Consulting, LLC
• 2002: Bradford Software incorporated as Bradford Networks; first commercial network security product shipped; first customer (Suffield Academy)
• 2004: 100 customers
• 2006: 200 customers
• Series A funding
• 2007 awards: CRN Emerging Vendor; SC Magazine Innovator of the Year
• 2008 awards: Campus Technology Innovator; SC Magazine Innovator of the Year
• Forrester Wave report leader; named “Visionary” in the Gartner Magic Quadrant
• 2009: 600+ customers
• 1 million users secured
Customer growth shown on the timeline: 1 → 100 → 200 → 500 → 600+
Awards and Recognition
• Innovation
• Strategy and Vision
• Technology Leadership
• Customer Satisfaction
NAC Studies: Forrester and Gartner
Sources: The Forrester Wave: NAC, Q3 2008; Magic Quadrant for NAC, March 2009
Our Customers