Slide 1: Network Access Control
MSIT 458 – The Chinchillas
Slide 2: Agenda
- Introduction of Problem
- Pros and Cons of Existing Security Systems
- Possible Solutions
- Recommended Solution
- Solution Implementation
- Final Recommendation
Slide 3: Introduction of Problem
Slide 4: The Problem
Viruses, worms, and botnets are often spread by unknowing victims. These victims may be your own network users.
How can the network be protected from your own users?

Slide 5: The Problem
Slide 6: Pros and Cons of Existing Security Systems
Slide 7: Endpoint Security
Symantec anti-virus deployed to individual workstations and servers in the data center.
Cisco personal firewall software installed on laptops with remote access enabled.
Pros:
- Centrally managed anti-virus can identify workstations without updated virus definitions.
- Local firewall policy enforcement cannot be disabled by end users.
Cons:
- Anti-virus software slows machine performance to the point where users disable automatic updates and stop scans. There is no way to prevent users from altering the anti-virus software.
- Only users with VPN access have the protection provided by local firewall policy enforcement.
- There is no anti-spyware or host intrusion prevention solution deployed.
Slide 8: Identity
Four distinct user directories:
Authentication
- Access request forms required for creation of user accounts in each directory
- Written password policy requires strong passwords and password expiration, maintained/enforced separately in each directory
Authorization
- Authorization policies maintained in each directory by local administrators
- Manual process for account termination; user access must be removed from each directory
Accounting
- Weekly directory access reviews compared against termination reports
Pros:
- Reduced risk when an account in one directory is compromised
Cons:
- Policies cannot be maintained or enforced centrally
- Lots of passwords to keep track of → “loose” password management
- Maintenance and SOX compliance nightmare
[Image: a “My Passwords” note]
Slide 9: Network Security
Port-based 802.1Q virtual local area networks (VLANs) for network and user segregation.
Pros:
- Separate broadcast domains for trusted internal users and untrusted guest users; the groups are unable to communicate directly
- Trusted internal PCs cannot contract viruses from untrusted guest PCs
- Untrusted guest users are unable to access private internal servers
- Use of VLAN Trunking Protocol eases VLAN management
Cons:
- No measure to prevent untrusted guests from connecting to private ports
- Misconfiguration of a port will provide trusted network access
- Use of separate subnets leads to inefficient use of IP address space
- Switches may be vulnerable to attacks related to MAC flooding, tagging, multicast brute force, etc.
Slide 10: Gap Analysis in Current Solution
- Policies for endpoint security are not enforceable
- Users are not authenticated before access to the network. Identification is instead performed by the application
- Several entry points: wireless, wired and VPN
- Different types of users: full-time employees, vendors, partners and guests
- VLAN assignment is not dictated by identity or security posture
Slide 11: Possible Solutions
Slide 12: Improve Endpoint Security
- Deploy a comprehensive endpoint solution that includes anti-virus, anti-spyware, and host intrusion prevention capabilities
- Define and enforce policies that do not allow end users to disable these protections
- Deploy personal firewall software to all computers, not only VPN-enabled systems
- Design an employee education campaign stressing the importance of maintaining up-to-date security software definitions
Slide 13: Improve Identity
[Diagram: Identity Based Authentication using 802.1X with identity store integration. Valid credentials (authorized user) → corporate network and corporate resources. Invalid/no credentials (unauthorized external wireless user) → no access.]
Slide 14: Improve Network Security
Virtual Private Networks
- Provided by vendors such as Cisco and F5
- Ensure confidentiality and integrity, but only for point-to-point connections
Intrusion Detection and Prevention Systems
- Provided by vendors such as Sourcefire, 3Com, and IBM
- Able to use both predefined (and regularly updated) signatures and statistics to detect and prevent attacks
- May cost tens of thousands of dollars per Gbps of inspection with no guaranteed return
Firewalls
- Provided by vendors such as Check Point, Juniper Networks, etc.
- Control what hosts can access on other networks by port, protocol, or IP address
- Unless installed on every PC, not useful between hosts on internal LANs
MANAGEMENT NIGHTMARE!
Slide 15: Comprehensive Solution (The Goal)
[Diagram: NAC admission flow between the end user, NAC Server, NAC Manager, Authentication Server, a Quarantine Role and the Intranet/Network]
1. End user attempts to access the network; initial access is blocked.
2. Single sign-on or web login. The NAC Server gathers and assesses user/device information: username and password; device configuration and vulnerabilities.
3a. Noncompliant device or incorrect login: access denied; placed in quarantine for remediation.
3b. Device is compliant: placed on the “certified devices list”; network access granted.
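A toy model of the admission flow on this slide, added here as an illustration; it is not code from the deck or from any NAC product, and the credential store, the three posture checks and the 7-day definition-age threshold are constructed assumptions.

```python
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_DEFINITION_AGE_DAYS = 7  # constructed policy threshold, not a value from the deck

@dataclass(frozen=True)
class Posture:  # device facts a NAC agent would report (constructed fields)
    av_definitions_date: date
    firewall_enabled: bool
    missing_critical_patches: int

@dataclass
class NacServer:
    """Toy NAC Server: authenticates the user, assesses posture, tracks certified devices."""
    credentials: dict  # username -> password (constructed authentication store)
    certified_devices: set = field(default_factory=set)

    def assess_posture(self, posture: Posture, today: date) -> list:
        """Return remediation findings; an empty list means the device is compliant."""
        findings = []
        if today - posture.av_definitions_date > timedelta(days=MAX_DEFINITION_AGE_DAYS):
            findings.append("update anti-virus definitions")
        if not posture.firewall_enabled:
            findings.append("enable personal firewall")
        if posture.missing_critical_patches:
            findings.append(f"install {posture.missing_critical_patches} critical patch(es)")
        return findings

    def admit(self, username: str, password: str, device_id: str,
              posture: Posture, today: date) -> tuple:
        """Steps 1-3 of the slide: access stays blocked until login and posture both pass."""
        stored = self.credentials.get(username)
        if stored is None or not hmac.compare_digest(stored, password):
            return ("denied", ["incorrect login"])   # 3a: incorrect login
        findings = self.assess_posture(posture, today)
        if findings:
            return ("quarantine", findings)          # 3a: quarantine role for remediation
        self.certified_devices.add(device_id)        # 3b: "certified devices list"
        return ("granted", [])                       # 3b: network access granted

if __name__ == "__main__":
    today = date(2024, 1, 15)                            # constructed date
    server = NacServer(credentials={"alice": "s3cret"})  # constructed store
    stale = Posture(date(2023, 12, 1), False, 2)
    clean = Posture(date(2024, 1, 14), True, 0)
    print(server.admit("alice", "wrong", "pc-1", clean, today))   # ('denied', ['incorrect login'])
    print(server.admit("alice", "s3cret", "pc-1", stale, today))  # ('quarantine', [3 findings])
    print(server.admit("alice", "s3cret", "pc-1", clean, today))  # ('granted', [])
```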
Slide 16: Recommended Solution
Slide 17: Industry Analyst Viewpoint on NAC Vendors
[Image] Image Source: Gartner
Slide 18: NAC Vendor Comparison

| Capability | Cisco NAC | Juniper UAC | Microsoft NAP |
|---|---|---|---|
| User/Device Authentication | ✔ | ✔ | ✔ |
| Device Posture | ✔ | ✔ | ✔ |
| Remediation | Full support | Limited | Very Limited |
| Full OS Support | MS, Mac OSX | Only MS | Only MS |
| Guest Access Portal | Full support | No temporary IDs | No support |

| Capability | Microsoft NAP | Juniper UAC | Cisco NAC |
|---|---|---|---|
| Device Posture Assessment | Full support | Full support | Full support |
| User/Device Authentication | Requires MS RADIUS | Requires group mapping support | Integrates w/ current infrastructure |
| Remediation | Very Limited | Full support | Full support |
| Full OS Support | Only MS | MS, Mac OSX | MS, Mac OSX |
| Guest Access Portal | Requires 3rd party | No temporary logins | Full support |
| Asset Management | None | Manual | Automated |
Slide 19: Solution Implementation
Slide 20: Total Cost of Ownership
Number of users supported: up to 10,000, including guests
- Initial Hardware/Software Cost = $125,000
- Implementation Cost = $25,000
- Maintenance Cost = $72,000 per year
- Power & Cooling Cost = $3,000 per year
TCO = $150,000 + $75,000 per year = $225,000 initial year cost
TCO ≈ $500,000 after 5 years
Slide 21: ROI Information
Fewer infections result in fewer incidents and help desk calls.

| Activity | Man Hours | Cost/hour |
|---|---|---|
| Identifying and locating non-compliant machine | 0.66 | $75/hr |
| Bringing non-compliant machine into compliance | 1 | $75/hr |
| Potential cost savings per non-compliant user | | $125 |

The break-even point is 4,000 incidents over 5 years.
Slide 22: Potential Loss by Industry

| Industry | Revenue/Employee Hour |
|---|---|
| Energy | $569.20 |
| Manufacturing | $134.20 |
| Retail | $244.37 |
| Banking | $130.52 |
| Media | $119.74 |
| Total Industry Average | $205.55 |

Source: http://www.competitivereviews.com/metasecurity.pdf
Slide 23: Feasibility Analysis
- Already a Cisco network, so NAC would simply be an add-on to the current network
- Entry points can easily be identified
- Anti-virus and other endpoint protections already deployed to users
- Non-compliance problems currently occur at a rate of 6 per day, indicating a positive ROI on a potential NAC investment
Slide 24: Final Recommendation
We conclude that a comprehensive NAC system such as Cisco’s Network Admission Control would be a better investment than piecemeal improvements to the company’s current network security systems.
Slide 25: Questions?