Slide 1: Auto-Protecting Networks Powered by IPS-Based NAC
Ken Low, CISSP, GSLC, Security Lead, Asia Pacific

Slide 2: Outline
> The Challenges of NAC
> Trends: Where is NAC Heading?
> Intrusion Prevention Systems (IPS)
> Auto-Protecting Networks
> IPS-based NAC

Slide 3: Section Divider. The Challenges: Why Is Software-Based NAC Failing?
"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." — Bruce Schneier

Slide 4: The Problem
> Administrators want to automatically prevent the spread of worms and malicious traffic through their networks
> Most vendors attempt this through host integrity checking via a software agent
> If the host passes a security profile check (updated OS patch level and updated AV signature file), it is allowed onto the network
> Sounds simple enough, but…
All those agents: spyware/adware blockers, pop-up blockers, personal firewalls, content filters, antivirus, spam filters, IPSec clients. Each on its own release schedule, each with its own licensing to track, across 1,000s of devices (are all covered?) = administration nightmare.

Slide 5: What We Don't Need More Of
Client software applications: pop-up blocker, spyware/adware, anti-virus, personal FW, content filter, spam filter, IPSec client, Citrix client. × 1000's of users = unmanageable.
> OS dependent
> Device dependent
> Updating nightmare
> Disparate solution set
The market does not need another endpoint software security application to purchase, configure, distribute, install, maintain, and manage.

Slide 6: Software-based NAC
> The Security Agent (SA) is software residing on the host.
> The SA is available in 2 forms: as a stand-alone agent, or included in partners' AV clients.
> The SA checks for an updated OS patch and AV signature on the host, and communicates the host's profile to a Trusted Agent (TA).
> The TA receives policy from the policy server.
> If the endpoint fits the security policy, the TA forwards credentials to the infrastructure devices.

Slide 7: How NAC Works
Components: a Windows PC running client AV and/or the Security Agent, a Trusted Agent on the PC, an AAA RADIUS policy server, and an optional AV server.
1. Client AV and/or Security Agent on the Windows PC
2. Profile info is passed to the Trusted Agent on the PC
3. The policy server checks the profile against the acceptable policy
4. If acceptable, the Trusted Agent instructs the network infrastructure to allow connectivity

Slide 8: Why Networks Need Quarantine
Diagram: traffic from the Internet enters the enterprise network through a perimeter of FW/VPN and IPS, where attacks are blocked (secure). The internal LAN segment, the Wi-Fi LAN segment and the remote branch remain vulnerable: attacks enter from LAN endpoints.

Slide 9: NAC Limitations
> Requires infrastructure modification: a new AAA server
> Requires manual policy updates
> Only works with limited/proprietary network gear
> Requires additional software clients
> Supports all AV products?
> Forces visitors to adopt the new policy or receive a default access policy
> Does not support many 3rd-party network devices
> Excludes Mac, Linux, VoIP, printers, PDAs

Slide 10: NAC Failures
> Zero-day threat with no OS patch or AV signature available

Slide 11: NAC Failures
> A malicious user passes the profile check, then launches an attack (e.g. DDoS)

Slide 12: Enterprise Endpoint Security
Agent-based
> Similar to NAC, but better
> Works with desktop firewall products, e.g. Symantec NAC, InfoExpress
> Agents forward profile info to an assessment server/authentication server
Network-based
> If no agent is present, the endpoint is scanned with VA and OS patch scan tools
> Requires purchase and tuning of scanning for different types of devices: error prone
> Must create new scan profiles for each type of device
> Must update policy
> NAC will have this in the Phase 2 release
Even the network-based solution works like an agent-based solution, bringing the same complications:
> forcing all nodes to comply with your security profile, which will at some point block authorized users and generate help desk calls
> failing to prevent malicious users who pass a security policy from launching attacks
> failing to provide infrastructure-based security mechanisms (i.e. IPS devices to control segments)
> not verifying AV at all, so the network is still vulnerable to all exploits that are not addressed by an OS patch
> not blocking day-zero threats or containing an infection: no behavioral security enforcement

Slide 13: Other NAC Problems
Limitations
> "NAC won't scale": lots of legacy and even new equipment don't support NAC, e.g. VoIP phones
> "What is 802.1X?": much legacy hardware, printers and other devices don't support the 802.1X protocol used to enforce access policies before systems are assigned an IP address
Exploits
> "Attack the unmanaged switch": hackers can find their way into the network by connecting through a switch not supported by NAC
> "Spoofing": hackers can spoof the MAC and IP addresses of "known" systems that are allowed access
> "Alter desktop & AV software": make infected endpoints appear to be adequately patched and have up-to-date antivirus definitions
> "Attack the quarantine network": introduce a zero-day exploit to quarantined devices, then remediate and control them

Slide 14: Section Divider. Trends: Where is NAC Heading? A Survey of the NACscape
"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." — Bruce Schneier

Slide 15: The NAC Market Yesterday
> Proprietary single-vendor solutions
> Proprietary device support
> Limited OS support
> Limited AV support
> Limited patch support
> Limited network access control policies
> Proprietary or limited authentication support
> No or incomplete open standards

Slide 16: The NAC Market Today
Client/Server
> Major players: TCG's TNC, Microsoft's NAP, Cisco's Network Admission Control
> Methodology: standards-based (RADIUS / 802.1x)
> Endpoint dependent
> Enforce network access policies
> Limited protection: checks for AV and patches only (vulnerability scans unrealistic)
IPS-Based (available now!)
> Methodology: clientless and network-based
> Endpoint agnostic
> Greater protection beyond AV and patches, e.g. DDoS, zero-day attacks, VoIP, protocol attacks, phishing, spyware, instant messaging, etc.
> Enforces network access policies
> Ease of installation, administration and maintenance

Slide 17: The NAC Market Tomorrow (Future)
> TCG's TNC open standards are gaining support from several partners (ref. Interop NY, Aug '06).
> Microsoft's NAP will work with Longhorn (Microsoft's new server OS), available in 6 to 12 months' time. Extensive support from Microsoft partners.
> Cisco NAC's proprietary grip will erode, e.g. customers can choose to use the NAP or NAC client in Microsoft's Vista, and more Cisco products will support TNC, joining other network vendors in the embrace of open standards.
> Within 2 to 3 years, Microsoft's NAP, TCG's TNC and Cisco's NAC will mature and possibly integrate/consolidate into a single solution.
> IPS-based NAC (e.g. TippingPoint Quarantine) will continue to provide more comprehensive and sophisticated protection for networks as an extension of network IPS.
> There will be more powerful integration between IPS-based NAC and the major NAC schemes.

Slide 18: Section Divider. Intrusion Prevention Systems (IPS): Stopping the Attack Before It Happens
"Securing a computer system has traditionally been a battle of wits: the penetrator tries to find the holes, and the designer tries to close them." — M. Gosser

Slide 19: Convergence of Network and Security
Security is embedded in the network itself.

Slide 20: Proactive Defense Through Intelligence and Power
> Attacks are detected and blocked at full network speed.
> TippingPoint IPS functions as a "network patch" or "virtual software patch".
> Attacks are stopped before they can cause damage to your infrastructure.

Slide 21: Closing the Gap with TippingPoint Intrusion Prevention
Hardware: high performance (5 Gbps throughput, switch-like latency, 2M sessions, 250K sessions/second, total flow inspection, 64K rate shaping queues, 10K parallel filters), highly advanced prevention filters, and a constant update protection service.
> Protects Microsoft applications and operating systems, Oracle applications, Linux O/S, custom and VoIP from: worms/walk-in worms, viruses, Trojans, DDoS attacks, internal attacks, unauthorized access, spyware.
> Protects routers (e.g. Cisco IOS), switches, firewalls (e.g. Netscreen, CheckPoint FW1) and VoIP from: worms/walk-in worms, viruses, Trojans, DDoS attacks, SYN floods, traffic anomalies.
> Protects bandwidth, server capacity and mission-critical traffic from: peer-to-peer apps, unauthorized instant messaging, unauthorized applications, DDoS attacks.

Slide 22: World Class Security Research
The Digital Vaccine service is the most comprehensive, accurate and automatic protection service available.
> Coverage
— Vendors
— Threat organizations
— Independent researchers (ZDI)
— Internal Threat Management Center
> Timeliness
— Weekly filter distribution
— Zero Day Initiative
— Same-day Microsoft Tuesday coverage
> Accuracy
— Designed to block
— 5 years of filter-writing experience
— No performance degradation
> Extensibility
— Signatures, vulnerabilities, traffic and protocol anomalies
— New threats: P2P, instant messaging, spyware, phishing, VoIP

Slide 23: Current TippingPoint Product Line
> TippingPoint X505: IPS, firewall, bandwidth management, content filtering
> TippingPoint 50: 50 Mbps, 1 segment, copper
> TippingPoint 200: 200 Mbps, 2 segments, copper
> TippingPoint 200E: 200 Mbps, 2 segments, copper
> TippingPoint 400: 400 Mbps, 4 segments, copper/fiber
> TippingPoint 1200: 1.2 Gbps, 4 segments, copper/fiber
> TippingPoint 2400: 2 Gbps, 4 segments, copper/fiber
> TippingPoint 5000E: 5 Gbps, 4 segments, copper/fiber
> TippingPoint SMS: Security Management System

Slide 24: World's Most Awarded IPS – 31 Awards
Best Security Solution 2005
> TippingPoint IPS overall winner in the SC Global Awards
> Over 1,000 products nominated
NSS Gold Award
> TippingPoint's Intrusion Prevention System is the FIRST and ONLY product to win the coveted NSS Gold Award in the IPS space.
> The world's leading awards program for the information security industry

Slide 25: Gartner Magic Quadrant Leader
[Chart: Gartner Magic Quadrant with axes Ability to Execute and Completeness of Vision; 3Com/TippingPoint shown as a leader]

Slide 26: TippingPoint Market Leadership
[Chart: CY05 worldwide dedicated IPS appliance revenue market share, comparing TippingPoint, Cisco, Juniper, ISS, McAfee and others; TippingPoint at 33%]
"TippingPoint comes out on top; they have an incredibly high percentage of customers running their product not only in-line, but running their default recommended settings of over 800 filters; they have a 33% share in 2005, nearly double that of their next closest competitor." — Jeff Wilson, Infonetics, May 2006
Source: Infonetics Research, Network Intrusion Prevention Market Outlook, May 17, 2006

Slide 27: World's 1st ICSA-Certified Multi-Gigabit Network IPS
> 17 ICSA consortium members
> 10 testing participants (confidential)
> 3 certified vendors
[Chart: certified throughput and latency of the three certified vendors: 3 Gbps at 84 µsec latency, 350 Mbps at 398 µsec latency, 100 Mbps at 441 µsec latency]

Slide 28: Section Divider. Auto-Protecting Networks: The Future of NAC Now
"The user's going to pick dancing pigs over security every time." — Bruce Schneier

Slide 29: Meanwhile in Dad's Office.....
Previously
> Son uses Dad's (the CEO's) computer in the office to surf the Internet.
> He unknowingly visits a malicious website and is stopped by the company's new Network Access Control (NAC) system, and the alarms go off.
> Dad walks into the room, finds out what's happening and smiles at him.
Now
> Son is now in his teens. Son, employees and contractors are using various access devices, e.g. PDA phones, Wi-Fi laptops, iPods, laptops, etc.
> A PDA phone (e.g. a Blackberry) infected with a new virus connects to the Wi-Fi network automatically.
> No alarms go off this time; the virus spreads in the network very quickly and the network goes down.
> Dad doesn't smile this time; he summons his CSO.
Closing
> Dad asks, "is everything OK?"
> Everyone smiles and looks at the CSO, who carries a technical manual entitled ....

Slides 30, 31, 32: image slides with no text.

Slide 32: Section Divider. IPS-based NAC Powered by TippingPoint Quarantine
"We only need to be lucky once. You need to be lucky every time." — The Irish Republican Army (IRA) to Margaret Thatcher, after a failed assassination attempt.

Slide 33: Three Quarantine Configurations
1. IPS Only
2. IPS+SMS
3. IPS+SMS+NMS

Slide 34: Quarantine Configuration #1: IPS Only
Diagram: Internet, core with 8800 switches, TippingPoint IPS, 5500 and 1200 switches, Catalyst 6500, WLANs, remediation page.
1. Client authenticates to the network
2. Malicious traffic is blocked by the IPS
3. IPS performs policy-based thresholding
4. Remediation web page is sent from the IPS to the quarantined user
5. All subsequent outbound traffic is blocked by the IPS

Slide 35: HTTP Redirect (screenshot)

Slide 36: Quarantine Configuration #2: IPS + SMS
Diagram: as in configuration #1, plus TippingPoint SMS, RADIUS, other vendors' switches and WLANs.
1. Client authenticates via SMS
2. SMS acts as RADIUS proxy, learning MAC/switch/port via RADA
3. Malicious activity is blocked by the IPS
4. Event data is sent to the SMS
5. SMS performs policy-based thresholding
6. SMS resolves IP to MAC
7. MAC address is placed into a blacklist and a policy is set
8. SMS forces re-authentication of the compromised device
9. Device is contained within the set policy at the access switch ingress port

Slide 37: Quarantine Configuration #3: IPS + SMS + NMS
Diagram: as in configuration #2, plus an NMS that facilitates automatic or manual action.
1. Client authenticates to the network
2. Malicious activity is blocked by the IPS
3. Event data is sent to the SMS
4. SMS performs policy-based thresholding
5. SMS sends a trap to the NMS for administrator and/or automated action

Slide 38: Wireless Quarantine
Diagram: a remote branch and headquarters, each with a wireless controller and a TippingPoint IPS, joined by WAN routers over the WAN; a trusted client with bad behavior; at the network core, the core switch, the TippingPoint SMS acting as AAA proxy, and the AAA server.
1. IPS identifies bad behavior
2. SMS tells RADIUS to block the user
3. WX sends SSID disassociate
4. User's re-authentication is rejected
5. User is sent to the remediation page

Slide 39: 3 Quarantine Configurations
1. IPS Only
> Blocks outgoing malicious traffic
> Serves remediation page
> Does not prevent intra-segment infection
> Does not disconnect user from network
2. IPS+SMS
> SMS shuts down port
> MAC-based policy enforcement
> All communication is halted, or allowed on the quarantine VLAN only
> Wholly automated solution
3. IPS+SMS+NMS
> SMS sends SNMP trap to NMS
> Notification of problem and user location
> Allows admin to react or set an automated action set through the NMS
> Provides additional visibility and flexibility into network activities

Slide 40: Quarantine Actions
> Display remediation web page (transparently, by IPS)
> Block non-HTTP traffic (at IPS)
> Redirect to a URL (by IPS)
— HTTP 302 or transparent redirect
— IPS provides information to the destination web server about the nature of the infection
> Place client in remediation VLAN (access switch)
> Apply access-list to switch port or router (switch or router)
> Block IP address and/or switch port/MAC address (block all traffic)
— Works in conjunction with other quarantine actions
> White list
— Exceptions created for IP addresses or ranges
— Ex. servers for mission-critical applications, router and switch IP addresses, the CEO's laptop, etc.
— Even if a white list is configured, the administrator is notified of infected machines (logging information); simply no quarantine action will be enforced
> Internal and external IP addresses
— Different actions based on whether an IP address is internal or external
— Ex. external addresses may need to be blocked immediately for a period of time such as twelve hours, one day, or one week, but not receive a remediation web page
— Internal IP addresses may need a remediation page presented, be blocked on day three, and stay blocked for one week

Slide 41: Setting a Quarantine Policy
Quarantine Policy Summary Page (screenshot)

Slide 42: Advantages of Network-Based Quarantine
Agentless
> No client software to buy/manage/install
> Supports all operating systems (Linux, Macintosh)
> Protects all devices (printers, VoIP phones, wireless)
> Guest users not required to conform to a new security policy or install a client
IPS-based
> Extends IPS protection to endpoints
> Signature, protocol, and behavioral protection
> Continually updated to protect against zero-day threats
> Prevents malicious activities of internal users
> Flexibility through white lists for VIPs or mission-critical systems
Centrally managed
> Will interoperate with Microsoft NAP
> Infuses security into the network infrastructure
> Creates an automated threat elimination system

Slide 43: Summary
> The Challenges of NAC: limitations and exploits
> Trends: Where is NAC Heading? Yesterday, today and tomorrow
> Intrusion Prevention Systems (IPS): the role of the fastest growing security technology in NAC
> Auto-Protecting Networks: transform your network today
> IPS-based NAC: the easiest way to deploy NAC and prevent network intrusions now, while waiting for NAP/TNC/NAC to stabilize

Slide 44: Auto-Protecting Networks Powered by IPS-Based NAC
Ken Low, CISSP, GSLC, Security Lead, Asia Pacific
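The quarantine actions of slide 40 (policy-based thresholding on IPS filter hits, white-list exceptions that still notify the administrator, and different handling for internal and external addresses) as a small decision engine. This is an added example written for this page, not TippingPoint or SMS code; the address ranges, threshold, window and block durations are constructed values, and the action names are labels of the example's own.

```python
import ipaddress
from collections import defaultdict

# Constructed policy values for this example (not from the deck).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
WHITE_LIST = [ipaddress.ip_network("10.0.0.0/24"),   # router and switch addresses
              ipaddress.ip_network("10.1.1.42/32")]  # the CEO's laptop
THRESHOLD, WINDOW, DAY = 3, 600, 86400   # hits, window in seconds, one day in seconds

def decide(ip, hits):
    """Map a host that crossed the threshold to a quarantine action set (slide 40 rules)."""
    if any(ip in net for net in WHITE_LIST):
        # White list: the administrator is still notified, but nothing is enforced.
        return {"host": str(ip), "hits": hits, "notify": True, "actions": ["log_only"]}
    if any(ip in net for net in INTERNAL_NETS):
        # Internal host: remediation page at once, blocked from day three for one week.
        return {"host": str(ip), "hits": hits, "notify": True,
                "actions": ["remediation_page", "block_non_http", "block_ip"],
                "block_after": 3 * DAY, "block_for": 7 * DAY}
    # External address: blocked immediately for one day, no remediation page.
    return {"host": str(ip), "hits": hits, "notify": True,
            "actions": ["block_ip"], "block_after": 0, "block_for": DAY}

class QuarantineEngine:
    """Policy-based thresholding: turn IPS filter-hit events into quarantine decisions."""
    def __init__(self):
        self._hits = defaultdict(list)  # source address -> timestamps of blocked hits

    def observe(self, src_ip, ts):
        """Record one filter hit; return a decision when the threshold is crossed, else None."""
        ip = ipaddress.ip_address(src_ip)
        recent = [t for t in self._hits[ip] if ts - t < WINDOW] + [ts]
        self._hits[ip] = recent
        return decide(ip, len(recent)) if len(recent) >= THRESHOLD else None

def run(events):
    """Feed (timestamp, source_ip) events through one engine; return decisions keyed by host."""
    engine, decisions = QuarantineEngine(), {}
    for ts, src in events:
        d = engine.observe(src, ts)
        if d:
            decisions[d["host"]] = d
    return decisions

# Constructed sample of blocked-filter events as (seconds, source address).
SAMPLE_EVENTS = [(0, "10.5.0.7"), (5, "10.5.0.7"), (9, "10.5.0.7"),           # internal host
                 (0, "10.1.1.42"), (1, "10.1.1.42"), (2, "10.1.1.42"),        # white-listed
                 (0, "203.0.113.9"), (3, "203.0.113.9"), (4, "203.0.113.9"),  # external
                 (0, "10.9.9.9"), (10, "10.9.9.9"), (2000, "10.9.9.9")]       # third hit too late

if __name__ == "__main__":
    for host, d in run(SAMPLE_EVENTS).items():
        print(host, d["actions"], d.get("block_for", 0) // DAY, "day(s)")
```

The host whose third hit falls outside the window never reaches a decision, which is the point of thresholding: a single blocked filter does not by itself quarantine a machine.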