2005 Symantec Corporation, All Rights Reserved Sygate Products Endpoint protection and compliance...

2005 Symantec Corporation, All Rights Reserved

Sygate ProductsEndpoint protection and complianceRicardo Hernández CallejaSales Engineer – Security Solutions

14 Diciembre 2006

2 – 2005 Symantec Corporation, All Rights Reserved

Magic Quadrant for Personal Firewalls, 1Q06Gartner RAS Core Research Note G00139942, John Girard, 27 June 2006, R1901 06302007

This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Symantec.

The Magic Quadrant is copyrighted June 2006 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


Customer List

Some Global CustomersSome Southern Europe &

Benelux Customers

TimeWarner


Framing the Security Problem

Worms targeting multi-layered vulnerabilitiesand are growing in complexity


0 50 100 150 200 250

Zotob—8/05

Sasser—04/04

Witty—03/04

Blaster/Welchia—07/03

WebDAV vuln—03/03

Slapper—07/02

SQL Slammer—07/02

Spida—04/02

Digispid—03/02

Code Red—06/01

Ramen/Adore—06/00

Vulnerability—Exploit Gap Decreasing

Days Until First Attack

Vu

lner

abili

ty A

nn

ou

nce

d

5 variants, 359,000 machines infected

75 variants, 500,000+ machines infected

17 variants, 1,000,000+ machines infected


Vulnerabilities in the Enterprise

Old Patch

Recent Patch

New Vulnerability

Misconfiguration

0-Day

IPS

Agent+PFW+Host Integrity

Vulnerabilities Exploited—Gartner


Symantec Endpoint Compliance Solution

Symantec Network Access Control

Symantec Embedded Security

Symantec On-Demand Protection

Symantec Sygate Enterprise Protection


Symantec Sygate Enterprise Protection

Problem

Propagation of malicious code

Leakage of sensitive information

Lost user productivity

Increased support costs

Solution

Ridding the network ofnon-compliant endpoints with Symantec network access control

Ensuring compliance on contact™ across all entry points

Protecting endpoints with host intrusion prevention


Two Symantec SygateEnterprise Protection Agents

Symantec Enforcement Agent

NAC/NAP

DHCP/LAN/Gateway/APIEnforcement

HI and RemediationHost Integrity

Auto-Location SwitchingAdaptive Policies

Symantec Protection Agent NAC/NAP

DHCP/LAN/Gateway/APIEnforcement

OS Protection (File, Registry, Process Control)

System Lockdown (Application Control)

Buffer Overflow Protection

Peripheral Device Control

OSProtection

HI and Remediation

IF...Then...ElseHost Integrity

Auto-Location SwitchingAdaptive Policies

Signature-based IDSIDS

Desktop FirewallFW


Symantec Protection Agent

Adaptive policies– Change firewall and/or HIPS policies:

By network (IP, subnet, DNS server, DNS resolution, SPM connection, network adapter)

By host integrity result(quarantine policy)

Application-centric firewall– Granular traffic control

– Adapter-specific rules(e.g., Ethernet, wireless, VPN)

– Application learning

Intrusion Prevention Signatures



Host intrusion prevention system– OS protection behavioral IPS

Configure application accesscontrols for files, registry keys,ability to launch/terminate aprocess, and load a DLL

Downloadable templates

– System lockdown Application control whitelist

– Universal buffer overflow protection OS services or all applications



Peripheral Device Control– Block Devices by type (Windows® Class ID)

– Supports all common ports USB, Infrared, Bluetooth, Serial, Parallel,

FireWire, SCSI, PCMCIA

– Can block read/write/execute from removable drives

– Example: Block all USB devices except USB mouse and keyboard


Enterprise-Class Management

Scalable Multi-Server Architecture– Policy and Log Replication

– Policy Distribution (Push/Pull)

– Configurable Priority/Load Balancing

Policy Management– Group hierarchy w/ inheritance

– Manage by computer or user

– Reusable policy objects

– AD user and group synchronization

Centralized Logging and Reporting– Event forwarding (Syslog, SIMs)

– Daily or Weekly E-mailed Reports



Problem

Propagation of malicious

Leakage of sensitive information

Lost user productivity

Increased support costs

Solution

Discovering endpoints & their compliance with security policies

Enforcing network access throughout the entire network

Remediating non-compliant endpoints

Monitoring the network continuously


Symantec Open Network Access Control

Host Integrity– Verify process/application (FW, A/V, etc.)

– Verify service pack/hotfix

– Verify files/registry keys (patches, etc.)

– Sophisticated decision tree logic (IF … THEN … ELSE)

– Templates

Enforcement– Check agent status and Host Integrity result

before allowing network access

Automatic Remediation– Run local command

– Download and execute file

– Custom Checks Set registry value, log event, run program or

script, popup dialog box

Policy



Endpoint Enforcement

– Switch to Quarantine Policy when HI fails

Sygate Gateway Enforcer

– In-line network bridge at gatewayVPN, RAS, etc.

– Authenticate agent, verify policy, check HI status

– Block/quarantine when validation failsCaptive proxy redirection

Enforcement API

– Provide agent status to third-party applications

– Integrated VPN EnforcementNortel, Netscreen/Neoteris, Checkpoint, Aventail, Cisco,

iPass



LAN Enforcement (802.1X)

– Switch challenges network devices when attached

– Non-compliant devices blocked by switch or moved to remediation VLAN

– Sygate LAN Enforcer acts as RADIUS proxyVerify agent running, policy current, Host Integrity status

– SSA and/or third-party supplicantPolicy Compliance or Authentication + Compliance



DHCP Enforcement

– Evaluates a computer’s compliance with security policy before allowing the system to obtain a valid DHCP lease (and IP address).

DHCP Gateway Microsoft DHCP Plug In Lucent VitalQIP Server Plug In

Cisco NAC Enforcement

– Integration with Cisco Trust Agent


Network Access Control concepts


Corporate Network Is Continually Exposed

WirelessNetworks

WebApplications

GuestsInternet Kiosks& Shared Computers

Consultants

IPsec VPNEmployees

Working at Home

WANs& Extranets

SSL VPN

“Because of worms and other threats, you can no longer leave your networks open to unscreened devices and users.” Protect Your Network with a NAC Process, Gartner ID# G00124992


It Begins At The Endpoint …

Compromised and non-compliant endpoints endanger the network and your data

Every user accesses the network and the Internet from an endpoint

But not all endpoints are protected and compliant

For employees, the endpoint may be– Company-issued laptop that hasn’t had a

patch or AV update in two weeks

– Personal computer – desktop or laptop

– Kiosk computer in an airport, hotel, or office center

For guests, the endpoint could be anything, with no ability to know its security health

Endpoints are at risk even when not connected to the corporate network


Authorizing Endpoints, Not Just Users

Network Access Control = Control who can access your network by creating a closed system

Ensure that required patches, configuration, and protection signatures are in place before the endpoint connects to the network

Automatic endpoint remediation– Enforce policy before access is granted

Authorized User

Authorized Endpoint+

Protected Network

Antivirus installed and current? Firewall installed and running? Required patches and service packs?

Required configuration?


Enterprise NAC Requirements

Pervasive Endpoint Coverage

• Managed devices

• Laptops

• Servers

• Desktops

• Unmanaged devices

• Guests

• Contractors

• Home computers & kiosks

• Printers & other devices

Universal Enforcement

• Deployable in all enterprise environments:

• LAN

• 802.1x

• DHCP

• WLAN

• VPN

• SSL

• IPSec

• Web portal

Integration Support

• Standards

• 802.1x

• TCG TNC

• Frameworks

• Cisco NAC

• Microsoft NAP

Automated Remediation

• Tie into existing tools and workflow

• No end-user intervention required

• Configurable deferral options

Enterprise Management

• Centralized

• Scalable

• Flexible

• Redundant

• Multi-tier

“Automated remediation will minimize productivity loss and help desk labor costs for deployments that encompass a large number of managed endpoints.” Understanding Benefits of Installed Endpoint Agents for NAC, Gartner ID# G00140811

Learning Mode

• Preserve productivity during patch cycles


Network Access Control: Multiple Dimensions

Onsite

Nodes connected directly in the LAN switching infrastructure

– Workstations– Laptops

Remote

Nodes connected indirectly to thecorporate LAN via VPN

Managed

Nodes that are owned and administered by the corporate IT group Have expected AV, firewall, and other client protection components

– Workstations– Company-issued laptops

Unmanaged

Nodes outside the authority or control of the corporate IT group

– Guest and contractor laptops– Employee home computers– Kiosk workstations


Symantec NAC:Covering the Endpoint Security Problem

Gateway Enforcer

SEP Self-Enforcement

VPN API Integration

LAN Enforcer (802.1x)

– Transparent and full 802.1x modes

DHCP Enforcer

Cisco NAC

SEP Self-Enforcement

Symantec On-Demand Protection Guest Enforcement


UNMANAGED

MANAGED

REMOTE

ONSITE


Symantec Network Access Control:Defining Policy and Compliance Symantec NAC can perform a wide range of host integrity (HI)

checks for endpoint security policy compliance– Most Anti-Virus

– Microsoft Patches

– Microsoft Service Packs

– Most Personal Firewalls

Unique template feature– Delivered from Symantec

Security Response

– Updated online

– Provides integration with 3rd party tools such as patch management systems

Remediation


Symantec Network Access ControlCustom Host Integrity Checking

Most robust capability of any NAC solution

Powerful If…Then…Else syntax

Many checks available, including:– Registry entries—exist, specific

value, more– Files—exist, date, size,

checksum, more– AV Signature file age, date, size– Patches installed– Process running, OS version– More

Actions also programmable:– Set a registry entry– Run a Script or Program– Download and execute an installer, and more



Technologies Overview


Symantec NAC Self-Enforcement

The ability of the agent to quarantine its system if it falls out of compliance

– Quarantine policies defined on Policy Manager

– Policies set for host integrity (HI), OSP, and firewall

The agent can quarantine itself by switching to a quarantine firewall policy

– Firewall restricts access to specific IP addresses or segments

Allows rapid deployment of basic endpoint security– No network-level systems or configuration needed

Includes market-leading personal firewall (Gartner 2006 PFW Magic Quadrant)

Requires Symantec Enterprise Protection agent


Symantec NAC Self-Enforcement:How It Works

Onsite or Remote Laptop

Symantec Policy

Manager

RemediationResources

Client connects to network and

validates policy

SEP Agent performs

self-compliance

checksCompliance fail:

Apply “Quarantine” firewall policy

Compliance pass: Apply “Office” firewall policy

Host Integrity Rule Status

Anti-Virus On Anti-Virus Updated Personal Firewall On Service Pack Updated

Patch Updated

Symantec Sygate Enterprise

Protection Agent with NAC Protected

Network

Quarantine

Patch Updated


Symantec NAC Gateway Enforcer In-line appliance segments networks into secure and insecure

zones– Transparent deployment

– Integrates easily with existing network infrastructure

If a client is non-compliant (HI fail or no Agent present), Enforcer can– Block the client or simply log their compliance status

– Restrict access to certain network resources (e.g., patch and update server)

Typically used to enforce endpoint security for nodes connecting through

– IPSec VPN - Wireless LAN

– WAN - Dial-up RAS

Guest access for local unmanaged users (conference rooms, guest offices, etc.)


Symantec NAC Gateway Enforcement:How It Works

Remote User

Symantec Sygate Policy Manager


Protected Network

Clientattempts to connect to network

Gateway Enforcer requests policy & compliance data

Enforcer validates policy & checks compliance status


Anti-Virus On

Anti-Virus Updated

Personal Firewall On Service Pack Updated

Patch Updated

Symantec NAC Enforcement Agent

Gateway Enforcement Options

Block Client

HTTP Redirect for Client

Display Pop-up on Client

Restrict Network Access

Agent present & compliance pass: Allow access

IPSec VPN Gateway Enforcer

Patch Updated


Symantec NAC LAN Enforcer 802.1x Standards-Based

– Supports wired and wireless– Supports all standards-based 802.1x implementations– Provides most secure remediation – Nearly all vendors supported

Two Deployment Options

– NAC status (transparent mode)– NAC+User credentials (full 802.1x mode)

Transparent mode reduces complexity– Only 802.1x-capable switch infrastructure is required– Username/password is not part of admission decision:

only the compliance status of the endpoint is considered– Benefits:

No third-party No backend RADIUS server No user authentication at switch layer Fewer logins to manage


Symantec NAC LAN Enforcement:How It Works

LAN Desktop



RADIUS Server

Symantec LAN Enforcer

QuarantineVLAN

Protected Network

Client connects & sends login, compliance, and policy data via EAP

Switch forwards data to LAN Enforcer

HI fail: Assign to quarantine VLAN

HI pass: Open port on switch

LAN Enforcer checks policy & validates compliance status

LAN Enforcer checks user login on RADIUS server

Full 802.1x ModeHost Integrity Rule Status

Anti-Virus On

Anti-Virus Updated


Patch Updated

EAP Status

User Name

Password

Token

Patch Updated



Symantec NAC LAN Enforcement:How It Works

Local User




QuarantineVLAN

Protected Network

Client connects & sends login, compliance, and policy data via EAP

Switch forwards data to LAN Enforcer

HI fail: Assign to quarantine VLAN

HI pass: Open port on switch

LAN Enforcer checks policy & validates compliance status

Transparent ModeHost Integrity Rule Status

Anti-Virus On

Anti-Virus Updated


Patch Updated

Patch Updated



Symantec NAC DHCP Enforcer

DHCP-Based solution is universal– Supports wired and wireless

– Supports any network infrastructure without upgrade

Two deployment options– Network-based DHCP Enforcer: Deploy as a policy-enforcing bridge to

protect an internal network

– DHCP Enforcer Plug-In that runs directly on a Microsoft DHCP server

Non-compliant clients are left in quarantine address space– Clients only able to interact with Quarantine network resources

(remediation server, etc.) and Symantec Policy Manager until they are compliant

Failover configurations supported for high-availability deployments


Symantec NAC DHCP Enforcement:DHCP Enforcer Plug-In – How It Works

LAN Desktop orOnsite Wireless Client


Remediation Resources

DHCP Server

Protected Network

Client sends DHCP request

Enforcer assigns a ‘quarantined’ IP address; requests compliance & policy data

Enforcer initiates DHCP release & renew on client

Enforcer validates policy & checks compliance status


Anti-Virus On

Anti-Virus Updated


Patch Updated

Client receives access to production network

QuarantineIPs

Symantec NAC DHCP Plug-In running on MSFT DHCP server



Symantec Network Access ControlEnforcement Methods – Proven ExperienceNAC Method Sygate Support

API Enforcement June, 2001

Gateway Enforcement December, 2001

Self Enforcement August, 2003

On-Demand Enforcement September 2003

802.1x (W)LAN Enforcement February, 2004

DHCP Enforcement Mid 2005

Cisco NAC, v1 Mid 2005

TCG’s Trusted Network Connect Late 2005

DHCP Enforcer Plug-In July 2006

Microsoft NAP Vista / Longhorn

TNC When specifications released


SNAC Enforcer Appliance

Symantec Network Access Control Enforcer 6100 Series Appliance

The Enforcer appliance is a new Enforcer option being added to the existing SNAC solution

The appliance is NOT a standalone NAC solution. Operates in conjunction with the Symantec Sygate Policy Manager and Symantec Enforcement Agents

Enforcer can be utilized as:– LAN Enforcer– Gatway Enforcer– DHCP Enforcer

Benefits– Rapid implementation – Simplified management

Base Unit 2.8GHz/1MB cache - P4 800MHz front side bus

Memory 1GB DDR2, 533MHz, 2x512 single-ranked DIMMs,

Hard drive

160GB, SATA, 1-inch, 7.2K RPM hard drive

Network adapters

Two network adapters

Size & Weight

Form Factor: 1U Rack

Height: 1.68" (4.27 cm)

Width: 17.60" (44.70 cm)

Depth: 21.50" (54.61 cm)

Weight: ~ 26.0 lbs. (11.80kg)


Symantec GatewayEnforcer

Server

Desktop

GuestWireless

Radius

Remediation

DHCP

Applications

Router

Switch

Symantec PolicyManager


Symantec DHCP Enforcer

Hackers

Kiosk

Mobile User

Telecommuter

Partner

Thieves

IPSEC VPN

SSL VPN

UNPROTECTED

NETWORKS

Symantec On-DemandPolicy Manager

Symantec Network Access ControlHow it works… 802.1x Enforcement

Compliant

Password

Token

User Name

StatusEAP

Patch Updated

Service Pack Updated

Personal Firewall On

Anti-Virus Updated

Anti-Virus On

StatusHost Integrity Rule

Password

Token

User Name

StatusEAP

Patch Updated



Anti-Virus Updated

Anti-Virus On


Non-CompliantRemediationGuest Access

Gateway/API Enforcement

Compliant

Patch Updated



Anti-Virus Updated

Anti-Virus On


Patch Updated



Anti-Virus Updated

Anti-Virus On


Non-Compliant


The real world – Using multiple solutions

WAN?

Lan Enforcement

DHCP Enforcement

Plug In

Gateway Enforcement

Gateway Enforcement


Roadmap Symantec: Full Integration

SAV

Adaptive Policies

IDS

FW2

Ma

na

ge

me

nt C

on

so

les

Symantec Client Security

Enforcement

Host Integrity

OSProtection

Adaptive Policies

IDS

FW

En

terp

rise

Ma

na

ge

me

nt

Symantec Sygate

Enterprise Protection 5.1

Enforcement

Host Integrity

OSProtection

Adaptive Policies

IDS

FW

En

terp

rise

Ma

na

ge

me

nt

Anti-Crimeware

Anti-Spyware

Antivirus

Integrated Suite

AntiVirus

Ma

na

ge

me

nt

Symantec AntiVirus

AntiSpyware



Problem

Eavesdropping and theft of data from unmanaged devices

Unprotected or compromised devices connecting to the enterprise via web infrastructure

Delivering endpoint security to unmanaged devices (contractors, kiosks, home machines)

Solution

Protects confidential data by creating a secure environment that provides encryption and file deletion upon session termination

Protection from viruses, worms by enforcing AV, personal firewall via host integrity

Lower TCO by delivering endpoint protection on-demand via existing web infrastructure


Six Critical Requirement for On-Demand Security:

The Market in Which Symantec On-Demand Plays—Gartner Has Defined the Market…

Client integrity checkers– SODA host integrity

Browser cache file cleanup– SODA cache cleaner

Behavioral malicious code scanners– SODA malicious code prevention

Personal firewall mini-engines: – SODA connection control

Protected virtual user sessions– SODA virtual desktop

Dynamic user access policies– SODA adaptive policies

Source: “Access From Anywhere Drives Innovation for On-Demand Security, Gartner, ID Number: G00126242”, March 21, 2005.


Symantec GatewayEnforcer

Server

Desktop

Guest

Wireless

Radius

Remediation

DHCP

Web Applications

Router

Switch

Symantec PolicyManager

Symantec LANEnforcer

Symantec DHCPEnforcer

Hackers

Kiosk

Mobile User

Telecommuter

Partner

Thieves

IPSEC VPN

SSL VPN

UNPROTECTED NETWORKS

Symantec On-DemandPolicy Manager

SODP ArchitectureHow it works… Administrator Creates

Symantec On-Demand AgentAdministrator Uploads

On-Demand AgentUser Connects to Login

Page

Symantec On-Demand Agent

Downloads (Java)

Symantec On-Demand AgentAdapts Policies to

Environment

Adaptive Policies

Device Type

Network Location

Policy

Corporate-owned, running agent

Airport WLAN

Trusted

Employee Home

Home Network

VD, HI, Persistent

Guest Laptop

Internal LAN

VD, HI

Kiosk Public Internet

VD, HI

Symantec On-Demand AgentVerifies Host Integrity

Patch Updated



Anti-Virus Updated

Anti-Virus On


If compliant, On-Demand launches the Virtual Desktop

or Cache Cleaner

Virtual Desktop or Cache Cleaner then launches the

login process

User logs into SSL VPM/Web app and gets access to the network

User can securely download, view, modify,

and upload corporate information

Upon inactivity or closing, VD is closed and data

erased


Muchas Gracias

Date post:	20-Dec-2015
Category:	Documents
View:	221 times
Download:	0 times

2005 Symantec Corporation, All Rights Reserved Sygate Products Endpoint protection and compliance...

Documents