Date posted: 21-Dec-2015
Network Access Control
MSIT 458 – The Chinchillas
Agenda
• Introduction of Problem
• Pros and Cons of Existing Security Systems
• Possible Solutions
• Recommended Solution
• Solution Implementation
• Final Recommendation
Introduction of Problem
The Problem
Viruses, worms, and botnets are often spread by unknowing victims. These victims may be your own network users.
How can the network be protected from your own users?
Pros and Cons of Existing Security Systems
Endpoint Security
Current deployment:
• Symantec anti-virus deployed to individual workstations and servers in the data center
• Cisco personal firewall software installed on laptops with remote access enabled
Pros
• Centrally managed anti-virus can identify workstations without updated virus definitions.
• Local firewall policy enforcement cannot be disabled by end users.
Cons
• Anti-virus software slows machine performance to the point where users disable automatic updates and stop scans.
• There is no way to prevent users from altering the anti-virus software.
• Only users with VPN access have the protection provided by local firewall policy enforcement.
• There is no anti-spyware or host intrusion prevention solution deployed.
Identity
Four distinct user directories:
Authentication
• Access request forms required for creation of user accounts in each directory
• Written password policy requires strong passwords and password expiration, maintained/enforced separately in each directory
Authorization
• Authorization policies maintained in each directory by local administrators
• Manual process for account termination; user access must be removed from each directory
Accounting
• Weekly directory access reviews compared against termination reports
Pros
• Reduced risk when an account in one directory is compromised
Cons
• Policies cannot be maintained or enforced centrally
• Lots of passwords to keep track of → “loose” password management
• Maintenance and SOX compliance nightmare
Network Security
Port-based 802.1Q virtual local area networks (VLANs) for network and user segregation
Pros
• Separate broadcast domains for trusted internal users and untrusted guest users; the groups are unable to communicate directly
• Trusted internal PCs cannot contract viruses from untrusted guest PCs
• Untrusted guest users are unable to access private internal servers
• Use of VLAN Trunking Protocol eases VLAN management
Cons
• No measure to prevent untrusted guests from connecting to private ports
• Misconfiguration of a port will provide trusted network access
• Use of separate subnets leads to inefficient use of IP address space
• Switches may be vulnerable to attacks related to MAC flooding, tagging, multicast brute force, etc.
Gap Analysis in Current Solution
• Policies for endpoint security are not enforceable
• Users are not authenticated before access to the network. Identification is instead performed by the application
• Several entry points: wireless, wired and VPN
• Different types of users: full-time employees, vendors, partners and guests
• VLAN assignment is not dictated by identity or security posture
Possible Solutions
11
Improve Endpoint Security
• Deploy a comprehensive endpoint solution that includes anti-virus, anti-spyware, and host intrusion prevention capabilities
• Define and enforce policies that do not allow end users to disable these protections
• Deploy personal firewall software to all computers, not only VPN enabled systems
• Design an employee education campaign stressing the importance of maintaining up to date security software definitions
Improve Identity
Identity Based Authentication (diagram): with 802.1X and identity store integration, a user presenting valid credentials is an authorized user and reaches corporate resources on the corporate network; a user presenting invalid or no credentials (e.g., an unauthorized external wireless user) gets no access.
Improve Network Security
Virtual Private Networks
• Provided by vendors such as Cisco and F5
• Ensure confidentiality and integrity, but only for point-to-point connections
Intrusion Detection and Prevention Systems
• Provided by vendors such as Sourcefire, 3Com, and IBM
• Able to use both predefined (and regularly updated) signatures and statistics to detect and prevent attacks
• May cost tens of thousands of dollars per Gbps of inspection with no guaranteed return
Firewalls
• Provided by vendors such as Check Point, Juniper Networks, etc.
• Control what hosts can access on other networks by port, protocol, or IP address
• Unless installed on every PC, not useful between hosts on internal LANs
MANAGEMENT NIGHTMARE!
Comprehensive Solution
THE GOAL (diagram): components are the NAC Manager, the NAC Server, and the Authentication Server, in front of the intranet/network.
1. End user attempts to access the network. Initial access is blocked; the user signs in via single-sign-on or web login.
2. The NAC Server gathers and assesses user/device information: username and password (checked against the Authentication Server), device configuration and vulnerabilities.
3a. Noncompliant device or incorrect login: access denied; the device is placed in a quarantine role for remediation.
3b. Device is compliant: the device is placed on the “certified devices list” and network access is granted.
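The admission flow on this slide, as an added example (not code from the slides or from any vendor's NAC product): credentials are checked first, then device posture, and the result is one of the three outcomes above. The user directory, posture fields and policy thresholds are constructed placeholders.

```python
# Added example: minimal model of the NAC admission decision described above.
# Outcome is "denied" (bad login), "quarantine" (posture failed) or "certified".
import hmac
from dataclasses import dataclass

# Constructed identity store standing in for the Authentication Server.
# Placeholder values only, not real credentials.
USER_DIRECTORY = {"alice": "correct-horse-battery", "bob": "hunter2"}

@dataclass
class DevicePosture:
    av_definitions_age_days: int      # days since last anti-virus definition update
    firewall_enabled: bool            # personal firewall running?
    missing_critical_patches: int     # count of critical patches not installed

@dataclass
class Policy:
    max_av_age_days: int = 7          # assumed thresholds, not from the slides
    require_firewall: bool = True
    max_missing_patches: int = 0

def authenticate(username: str, password: str) -> bool:
    # Step 1/2: single-sign-on or web login checked against the identity store.
    stored = USER_DIRECTORY.get(username)
    return stored is not None and hmac.compare_digest(stored, password)

def posture_violations(device: DevicePosture, policy: Policy) -> list:
    # Step 2: NAC Server assesses device configuration and vulnerabilities.
    violations = []
    if device.av_definitions_age_days > policy.max_av_age_days:
        violations.append("anti-virus definitions out of date")
    if policy.require_firewall and not device.firewall_enabled:
        violations.append("personal firewall disabled")
    if device.missing_critical_patches > policy.max_missing_patches:
        violations.append(f"{device.missing_critical_patches} critical patches missing")
    return violations

def admit(username, password, device, policy=None, certified=None):
    """Return (role, reasons). `certified` is the 'certified devices list'."""
    policy = Policy() if policy is None else policy
    certified = set() if certified is None else certified
    if not authenticate(username, password):
        return "denied", ["incorrect login"]          # 3a: access denied
    violations = posture_violations(device, policy)
    if violations:
        return "quarantine", violations               # 3a: quarantine role for remediation
    certified.add(username)                           # 3b: added to certified devices list
    return "certified", []                            # 3b: network access granted
```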
Recommended Solution
Industry Analyst Viewpoint on NAC Vendors
Image Source: Gartner
NAC Vendor Comparison
Feature                    | Cisco NAC    | Juniper UAC      | Microsoft NAP
User/Device Authentication | ✔            | ✔                | ✔
Device Posture             | ✔            | ✔                | ✔
Remediation                | Full support | Limited          | Very Limited
Full OS Support            | MS, Mac OSX  | Only MS          | Only MS
Guest Access Portal        | Full support | No temporary IDs | No support

Feature                    | Microsoft NAP      | Juniper UAC                    | Cisco NAC
Device Posture Assessment  | Full support       | Full support                   | Full support
User/Device Authentication | Requires MS RADIUS | Requires group mapping support | Integrates w/ current infrastructure
Remediation                | Very Limited       | Full support                   | Full support
Full OS Support            | Only MS            | MS, Mac OSX                    | MS, Mac OSX
Guest Access Portal        | Requires 3rd party | No temporary logins            | Full support
Asset Management           | None               | Manual                         | Automated
Solution Implementation
Total Cost of Ownership
Number of users supported: up to 10,000, including guests
Initial Hardware/Software Cost = $125,000
Implementation Cost = $25,000
Maintenance Cost = $72,000 per year
Power & Cooling Cost = $3,000 per year
TCO = $150,000 + $75,000 per year = $225,000 initial year cost
TCO ≈ $500,000 after 5 years
ROI Information
• Fewer infections result in fewer incidents and help desk calls

Task                                             | Man Hours | Cost/hour
Identifying and locating non-compliant machine   | 0.66      | $75/hr
Bringing non-compliant machine into compliance   | 1         | $75/hr
Potential cost savings per non-compliant user: $125

• The break-even point is 4,000 incidents over 5 years.
Potential Loss by Industry
Industry                | Revenue/Employee Hour
Energy                  | $569.20
Manufacturing           | $134.20
Retail                  | $244.37
Banking                 | $130.52
Media                   | $119.74
Total Industry Average  | $205.55
Source: http://www.competitivereviews.com/metasecurity.pdf
Feasibility Analysis
• Already a Cisco network, so NAC would simply be an add-on to the current network
• Entry points can easily be identified
• Anti-virus and other end-point protections already deployed to users
• Non-compliance problems currently occur at a rate of 6 per day, indicating a positive ROI on a potential NAC investment
Final Recommendation
We conclude that a comprehensive NAC system such as Cisco’s Network Admission Control would be a better investment than piecemeal improvements to the company’s current network security systems.
Questions?