2005 Symantec Corporation, All Rights Reserved
Sygate Products: Endpoint protection and compliance
Ricardo Hernández Calleja, Sales Engineer – Security Solutions
14 December 2006
Magic Quadrant for Personal Firewalls, 1Q06 (Gartner RAS Core Research Note G00139942, John Girard, 27 June 2006, R1901 06302007)
This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Symantec.
The Magic Quadrant is copyrighted June 2006 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Customer List
Logos of some global customers and some Southern Europe & Benelux customers (TimeWarner among them).
Framing the Security Problem
Worms target multi-layered vulnerabilities and are growing in complexity.
Chart: Vulnerability-Exploit Gap Decreasing. Y axis: days until first attack after the vulnerability is announced (0 to 250). Data points by worm and date: Ramen/Adore (06/00), Code Red (06/01), Digispid (03/02), Spida (04/02), SQL Slammer (07/02), Slapper (07/02), WebDAV vuln (03/03), Blaster/Welchia (07/03), Witty (03/04), Sasser (04/04), Zotob (8/05). Annotations: 5 variants, 359,000 machines infected; 75 variants, 500,000+ machines infected; 17 variants, 1,000,000+ machines infected.
Vulnerabilities in the Enterprise
Chart: Vulnerabilities Exploited (source: Gartner), by category: Old Patch, Recent Patch, New Vulnerability, Misconfiguration, 0-Day. Coverage labels on the chart: IPS; Agent + PFW + Host Integrity.
Symantec Endpoint Compliance Solution
Symantec Network Access Control
Symantec Embedded Security
Symantec On-Demand Protection
Symantec Sygate Enterprise Protection
Symantec Sygate Enterprise Protection
Problem
Propagation of malicious code
Leakage of sensitive information
Lost user productivity
Increased support costs
Solution
Ridding the network of non-compliant endpoints with Symantec network access control
Ensuring compliance on contact™ across all entry points
Protecting endpoints with host intrusion prevention
Two Symantec Sygate Enterprise Protection Agents
Symantec Enforcement Agent
– NAC/NAP: DHCP/LAN/Gateway/API Enforcement
– Host Integrity: HI and Remediation
– Adaptive Policies: Auto-Location Switching
Symantec Protection Agent
– NAC/NAP: DHCP/LAN/Gateway/API Enforcement
– OS Protection: File, Registry, Process Control; System Lockdown (Application Control); Buffer Overflow Protection; Peripheral Device Control
– Host Integrity: HI and Remediation, IF...Then...Else
– Adaptive Policies: Auto-Location Switching
– IDS: Signature-based IDS
– FW: Desktop Firewall
Symantec Protection Agent
Adaptive policies – change firewall and/or HIPS policies:
– By network (IP, subnet, DNS server, DNS resolution, SPM connection, network adapter)
– By host integrity result (quarantine policy)
Application-centric firewall – granular traffic control
– Adapter-specific rules (e.g., Ethernet, wireless, VPN)
– Application learning
Intrusion Prevention Signatures
Symantec Protection Agent
Host intrusion prevention system – OS protection behavioral IPS
– Configure application access controls for files, registry keys, ability to launch/terminate a process, and load a DLL
– Downloadable templates
– System lockdown: application control whitelist
– Universal buffer overflow protection: OS services or all applications
Symantec Protection Agent
Peripheral Device Control – block devices by type (Windows® Class ID)
– Supports all common ports: USB, Infrared, Bluetooth, Serial, Parallel, FireWire, SCSI, PCMCIA
– Can block read/write/execute from removable drives
– Example: block all USB devices except USB mouse and keyboard
Enterprise-Class Management
Scalable Multi-Server Architecture
– Policy and Log Replication
– Policy Distribution (Push/Pull)
– Configurable Priority/Load Balancing
Policy Management
– Group hierarchy w/ inheritance
– Manage by computer or user
– Reusable policy objects
– AD user and group synchronization
Centralized Logging and Reporting
– Event forwarding (Syslog, SIMs)
– Daily or Weekly E-mailed Reports
Symantec Network Access Control
Problem
Propagation of malicious code
Leakage of sensitive information
Lost user productivity
Increased support costs
Solution
Discovering endpoints & their compliance with security policies
Enforcing network access throughout the entire network
Remediating non-compliant endpoints
Monitoring the network continuously
Symantec Open Network Access Control
Host Integrity
– Verify process/application (FW, A/V, etc.)
– Verify service pack/hotfix
– Verify files/registry keys (patches, etc.)
– Sophisticated decision tree logic (IF … THEN … ELSE)
– Templates
Enforcement
– Check agent status and Host Integrity result before allowing network access
Automatic Remediation
– Run local command
– Download and execute file
– Custom checks: set registry value, log event, run program or script, popup dialog box
Symantec Open Network Access Control
Endpoint Enforcement
– Switch to Quarantine Policy when HI fails
Sygate Gateway Enforcer
– In-line network bridge at gateway (VPN, RAS, etc.)
– Authenticate agent, verify policy, check HI status
– Block/quarantine when validation fails (captive proxy redirection)
Enforcement API
– Provide agent status to third-party applications
– Integrated VPN Enforcement: Nortel, Netscreen/Neoteris, Checkpoint, Aventail, Cisco, iPass
Symantec Open Network Access Control
LAN Enforcement (802.1X)
– Switch challenges network devices when attached
– Non-compliant devices blocked by switch or moved to remediation VLAN
– Sygate LAN Enforcer acts as RADIUS proxy: verify agent running, policy current, Host Integrity status
– SSA and/or third-party supplicant: policy compliance, or authentication + compliance
Symantec Open Network Access Control
DHCP Enforcement
– Evaluates a computer's compliance with security policy before allowing the system to obtain a valid DHCP lease (and IP address).
– Options: DHCP Gateway; Microsoft DHCP Plug-In; Lucent VitalQIP Server Plug-In
Cisco NAC Enforcement
– Integration with Cisco Trust Agent
Corporate Network Is Continually Exposed
Diagram: entry points into the corporate network: wireless networks, web applications, guests (Internet kiosks & shared computers), consultants, employees over IPsec VPN, employees working at home, WANs & extranets, SSL VPN.
“Because of worms and other threats, you can no longer leave your networks open to unscreened devices and users.” Protect Your Network with a NAC Process, Gartner ID# G00124992
It Begins At The Endpoint …
Compromised and non-compliant endpoints endanger the network and your data
Every user accesses the network and the Internet from an endpoint
But not all endpoints are protected and compliant
For employees, the endpoint may be
– Company-issued laptop that hasn't had a patch or AV update in two weeks
– Personal computer, desktop or laptop
– Kiosk computer in an airport, hotel, or office center
For guests, the endpoint could be anything, with no ability to know its security health
Endpoints are at risk even when not connected to the corporate network
Authorizing Endpoints, Not Just Users
Network Access Control = Control who can access your network by creating a closed system
Ensure that required patches, configuration, and protection signatures are in place before the endpoint connects to the network
Automatic endpoint remediation – enforce policy before access is granted
Diagram: Authorized User + Authorized Endpoint: Protected Network
Endpoint questions: Antivirus installed and current? Firewall installed and running? Required patches and service packs? Required configuration?
Enterprise NAC Requirements
Pervasive Endpoint Coverage
• Managed devices
• Laptops
• Servers
• Desktops
• Unmanaged devices
• Guests
• Contractors
• Home computers & kiosks
• Printers & other devices
Universal Enforcement
• Deployable in all enterprise environments:
• LAN
• 802.1x
• DHCP
• WLAN
• VPN
• SSL
• IPSec
• Web portal
Integration Support
• Standards
• 802.1x
• TCG TNC
• Frameworks
• Cisco NAC
• Microsoft NAP
Automated Remediation
• Tie into existing tools and workflow
• No end-user intervention required
• Configurable deferral options
Enterprise Management
• Centralized
• Scalable
• Flexible
• Redundant
• Multi-tier
“Automated remediation will minimize productivity loss and help desk labor costs for deployments that encompass a large number of managed endpoints.” Understanding Benefits of Installed Endpoint Agents for NAC, Gartner ID# G00140811
Learning Mode
• Preserve productivity during patch cycles
Network Access Control: Multiple Dimensions
Onsite
Nodes connected directly in the LAN switching infrastructure
– Workstations
– Laptops
Remote
Nodes connected indirectly to the corporate LAN via VPN
Managed
Nodes that are owned and administered by the corporate IT group. Have expected AV, firewall, and other client protection components.
– Workstations
– Company-issued laptops
Unmanaged
Nodes outside the authority or control of the corporate IT group
– Guest and contractor laptops
– Employee home computers
– Kiosk workstations
Symantec NAC: Covering the Endpoint Security Problem
Diagram: enforcement methods arranged by endpoint type (Managed / Unmanaged) and location (Onsite / Remote):
– Gateway Enforcer; SEP Self-Enforcement; VPN API Integration
– LAN Enforcer (802.1x) with transparent and full 802.1x modes; DHCP Enforcer; Cisco NAC; SEP Self-Enforcement
– Symantec On-Demand Protection Guest Enforcement
– Symantec On-Demand Protection
Symantec Network Access Control: Defining Policy and Compliance
Symantec NAC can perform a wide range of host integrity (HI) checks for endpoint security policy compliance
– Most Anti-Virus
– Microsoft Patches
– Microsoft Service Packs
– Most Personal Firewalls
Unique template feature
– Delivered from Symantec Security Response
– Updated online
– Provides integration with 3rd party tools such as patch management systems
Remediation
Symantec Network Access Control: Custom Host Integrity Checking
Most robust capability of any NAC solution
Powerful If…Then…Else syntax
Many checks available, including:
– Registry entries: exist, specific value, more
– Files: exist, date, size, checksum, more
– AV signature file: age, date, size
– Patches installed
– Process running, OS version
– More
Actions also programmable:
– Set a registry entry
– Run a script or program
– Download and execute an installer, and more
Symantec Network Access Control
Technologies Overview
Symantec NAC Self-Enforcement
The ability of the agent to quarantine its system if it falls out of compliance
– Quarantine policies defined on Policy Manager
– Policies set for host integrity (HI), OSP, and firewall
The agent can quarantine itself by switching to a quarantine firewall policy
– Firewall restricts access to specific IP addresses or segments
Allows rapid deployment of basic endpoint security – no network-level systems or configuration needed
Includes market-leading personal firewall (Gartner 2006 PFW Magic Quadrant)
Requires Symantec Enterprise Protection agent
Symantec NAC Self-Enforcement: How It Works
Diagram: an onsite or remote laptop running the Symantec Sygate Enterprise Protection Agent with NAC, the Symantec Policy Manager, remediation resources, the protected network, and a quarantine zone.
– Client connects to the network and validates policy
– SEP Agent performs self-compliance checks (Host Integrity rules: Anti-Virus On, Anti-Virus Updated, Personal Firewall On, Service Pack Updated, Patch Updated)
– Compliance fail: apply "Quarantine" firewall policy
– Compliance pass: apply "Office" firewall policy
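An added example, not Symantec's code or policy syntax, that models the custom host integrity checking described above (If…Then…Else over registry, file checksum, AV signature age, patch, process and OS version checks, each failed check carrying a remediation action) and the self-enforcement flow that maps the result to the "Office" or "Quarantine" firewall policy. Process, path, registry key and KB names are constructed placeholders.

```python
# Toy host-integrity (HI) rule tree in the IF...THEN...ELSE style the deck
# describes, mapped to the self-enforcement firewall policy. Constructed
# example: process, path, registry and KB names are placeholders.
import hashlib
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Host:
    """Snapshot of an endpoint as the agent would observe it."""
    processes: set
    files: dict          # path -> file bytes
    registry: dict       # key -> value
    av_signature_date: date
    patches: set
    os_version: str

@dataclass
class Rule:
    """Leaf check, or a selector node when then_rules/else_rules are set."""
    name: str
    check: object                 # callable Host -> bool
    remediation: str = None       # action when a leaf check fails
    then_rules: list = field(default_factory=list)
    else_rules: list = field(default_factory=list)

def process_running(name):       return lambda h: name in h.processes
def registry_equals(key, value): return lambda h: h.registry.get(key) == value
def patch_installed(kb):         return lambda h: kb in h.patches
def os_version_is(ver):          return lambda h: h.os_version == ver
def av_signature_age_at_most(days, today):
    return lambda h: (today - h.av_signature_date).days <= days
def file_sha256(path, digest):   # file exists and its checksum matches
    return lambda h: path in h.files and hashlib.sha256(h.files[path]).hexdigest() == digest

def evaluate(rules, host):
    """Walk the tree; return (passed, failed_rule_names, remediation_actions)."""
    failed, actions = [], []
    for r in rules:
        ok = r.check(host)
        if r.then_rules or r.else_rules:   # selector: IF ok THEN branch ELSE branch
            _, f, a = evaluate(r.then_rules if ok else r.else_rules, host)
            failed += f; actions += a
        elif not ok:                       # leaf check failed: record its remediation
            failed.append(r.name); actions.append(r.remediation)
    return not failed, failed, actions

def self_enforce(rules, host):
    """Self-enforcement outcome: which firewall policy the agent switches to."""
    passed, failed, actions = evaluate(rules, host)
    return {"policy": "Office" if passed else "Quarantine",
            "failed": failed, "actions": actions}

TODAY = date(2006, 12, 14)      # presentation date; anchors signature-age math
CFG = b"policy=office\n"        # constructed agent config, checksummed below
FW_KEY = "HKLM\\SOFTWARE\\ExampleFW\\Enabled"
POLICY = [
    Rule("Anti-Virus On", process_running("av_service.exe"), "run: net start av_service"),
    Rule("Anti-Virus Updated", av_signature_age_at_most(7, TODAY), "run: av_update.exe"),
    Rule("Personal Firewall On", registry_equals(FW_KEY, "1"), "set registry: " + FW_KEY + "=1"),
    Rule("Agent Config Intact", file_sha256("C:\\agent\\policy.cfg", hashlib.sha256(CFG).hexdigest()),
         "download and execute: policy_repair.exe"),
    Rule("OS is Windows XP", os_version_is("Windows XP"),   # ELSE branch covers other OS versions
         then_rules=[Rule("Patch Updated", patch_installed("KB-XP-EXAMPLE"), "download and execute: xp_hotfix.exe")],
         else_rules=[Rule("Patch Updated", patch_installed("KB-2K-EXAMPLE"), "download and execute: w2k_hotfix.exe")]),
]
COMPLIANT = Host({"av_service.exe"}, {"C:\\agent\\policy.cfg": CFG}, {FW_KEY: "1"},
                 date(2006, 12, 12), {"KB-XP-EXAMPLE"}, "Windows XP")
STALE = Host(set(), {"C:\\agent\\policy.cfg": CFG + b"#tampered\n"}, {FW_KEY: "0"},
             date(2006, 11, 20), set(), "Windows 2000")
```

Calling `self_enforce(POLICY, STALE)` returns the "Quarantine" policy together with the five failed rule names and their remediation actions, which is the list a quarantine firewall policy would leave the endpoint able to act on.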
Symantec NAC Gateway Enforcer
In-line appliance segments networks into secure and insecure zones
– Transparent deployment
– Integrates easily with existing network infrastructure
If a client is non-compliant (HI fail or no Agent present), Enforcer can
– Block the client or simply log their compliance status
– Restrict access to certain network resources (e.g., patch and update server)
Typically used to enforce endpoint security for nodes connecting through
– IPSec VPN
– Wireless LAN
– WAN
– Dial-up RAS
– Guest access for local unmanaged users (conference rooms, guest offices, etc.)
Symantec NAC Gateway Enforcement: How It Works
Diagram: a remote user running the Symantec NAC Enforcement Agent connects over IPSec VPN to a Gateway Enforcer in front of the protected network; the Symantec Sygate Policy Manager and remediation resources sit behind it.
– Client attempts to connect to the network
– Gateway Enforcer requests policy & compliance data
– Enforcer validates policy & checks compliance status (Host Integrity rules: Anti-Virus On, Anti-Virus Updated, Personal Firewall On, Service Pack Updated, Patch Updated)
– Agent present & compliance pass: allow access
Gateway enforcement options for a failing client: block client; HTTP redirect for client; display pop-up on client; restrict network access
Symantec NAC LAN Enforcer
802.1x Standards-Based
– Supports wired and wireless
– Supports all standards-based 802.1x implementations
– Provides most secure remediation
– Nearly all vendors supported
Two Deployment Options
– NAC status (transparent mode)
– NAC + user credentials (full 802.1x mode)
Transparent mode reduces complexity
– Only 802.1x-capable switch infrastructure is required
– Username/password is not part of admission decision: only the compliance status of the endpoint is considered
– Benefits: no third-party; no backend RADIUS server; no user authentication at switch layer; fewer logins to manage
Symantec NAC LAN Enforcement: How It Works (Full 802.1x Mode)
Diagram: a LAN desktop running the Symantec NAC Enforcement Agent, the switch, the Symantec LAN Enforcer, a RADIUS server, the Symantec Sygate Policy Manager, remediation resources, a quarantine VLAN, and the protected network.
– Client connects & sends login, compliance, and policy data via EAP (EAP status: user name, password, token; Host Integrity rules: Anti-Virus On, Anti-Virus Updated, Personal Firewall On, Service Pack Updated, Patch Updated)
– Switch forwards data to LAN Enforcer
– LAN Enforcer checks user login on RADIUS server
– LAN Enforcer checks policy & validates compliance status
– HI fail: assign to quarantine VLAN
– HI pass: open port on switch
Symantec NAC LAN Enforcement: How It Works (Transparent Mode)
Diagram: a local user running the Symantec NAC Enforcement Agent, the switch, the Symantec LAN Enforcer, the Symantec Sygate Policy Manager, remediation resources, a quarantine VLAN, and the protected network (no RADIUS server).
– Client connects & sends login, compliance, and policy data via EAP (Host Integrity rules: Anti-Virus On, Anti-Virus Updated, Personal Firewall On, Service Pack Updated, Patch Updated)
– Switch forwards data to LAN Enforcer
– LAN Enforcer checks policy & validates compliance status
– HI fail: assign to quarantine VLAN
– HI pass: open port on switch
Symantec NAC DHCP Enforcer
DHCP-based solution is universal
– Supports wired and wireless
– Supports any network infrastructure without upgrade
Two deployment options
– Network-based DHCP Enforcer: deploy as a policy-enforcing bridge to protect an internal network
– DHCP Enforcer Plug-In that runs directly on a Microsoft DHCP server
Non-compliant clients are left in quarantine address space
– Clients only able to interact with Quarantine network resources (remediation server, etc.) and Symantec Policy Manager until they are compliant
Failover configurations supported for high-availability deployments
Symantec NAC DHCP Enforcement: DHCP Enforcer Plug-In – How It Works
Diagram: a LAN desktop or onsite wireless client running the Symantec NAC Enforcement Agent, the DHCP server with the Symantec NAC DHCP Plug-In running on the MSFT DHCP server, the Symantec Sygate Policy Manager, remediation resources, a quarantine IP range, and the protected network.
– Client sends DHCP request
– Enforcer assigns a 'quarantined' IP address; requests compliance & policy data
– Enforcer initiates DHCP release & renew on client
– Enforcer validates policy & checks compliance status (Host Integrity rules: Anti-Virus On, Anti-Virus Updated, Personal Firewall On, Service Pack Updated, Patch Updated)
– Client receives access to production network
Symantec Network Access Control Enforcement Methods – Proven Experience
NAC Method / Sygate Support
– API Enforcement: June, 2001
– Gateway Enforcement: December, 2001
– Self Enforcement: August, 2003
– On-Demand Enforcement: September 2003
– 802.1x (W)LAN Enforcement: February, 2004
– DHCP Enforcement: Mid 2005
– Cisco NAC, v1: Mid 2005
– TCG's Trusted Network Connect: Late 2005
– DHCP Enforcer Plug-In: July 2006
– Microsoft NAP: Vista / Longhorn
– TNC: When specifications released
SNAC Enforcer Appliance
Symantec Network Access Control Enforcer 6100 Series Appliance
The Enforcer appliance is a new Enforcer option being added to the existing SNAC solution
The appliance is NOT a standalone NAC solution. Operates in conjunction with the Symantec Sygate Policy Manager and Symantec Enforcement Agents
Enforcer can be utilized as:
– LAN Enforcer
– Gateway Enforcer
– DHCP Enforcer
Benefits
– Rapid implementation
– Simplified management
Hardware:
– Base Unit: 2.8GHz/1MB cache P4, 800MHz front side bus
– Memory: 1GB DDR2, 533MHz, 2x512 single-ranked DIMMs
– Hard drive: 160GB, SATA, 1-inch, 7.2K RPM
– Network adapters: two
– Size & Weight: Form Factor 1U Rack; Height 1.68" (4.27 cm); Width 17.60" (44.70 cm); Depth 21.50" (54.61 cm); Weight ~26.0 lbs. (11.80 kg)
Diagram: Symantec Network Access Control, How it works… 802.1x Enforcement. Components: Symantec Policy Manager, Symantec Gateway Enforcer, Symantec LAN Enforcer, Symantec DHCP Enforcer, Symantec On-Demand Policy Manager, Radius, Remediation, DHCP, Applications, Router, Switch, Server, Desktop, Guest Wireless, Kiosk, Mobile User, Telecommuter, Partner, IPSEC VPN, SSL VPN; unprotected networks (Hackers, Thieves).
Flows shown: 802.1x Enforcement and Gateway/API Enforcement, each with a compliant and a non-compliant endpoint; non-compliant endpoints go to Remediation or Guest Access. Host Integrity Rule status: Anti-Virus On, Anti-Virus Updated, Personal Firewall On, Service Pack Updated, Patch Updated. EAP status (802.1x only): User Name, Password, Token.
The real world – Using multiple solutions
Diagram labels: WAN?; LAN Enforcement; DHCP Enforcement Plug-In; Gateway Enforcement (shown twice).
Roadmap Symantec: Full Integration
Diagram of product stacks and their management layer:
– Symantec Client Security: SAV, Adaptive Policies, IDS, FW (Management Consoles)
– Symantec Sygate Enterprise Protection 5.1: Enforcement, Host Integrity, OS Protection, Adaptive Policies, IDS, FW (Enterprise Management)
– Integrated Suite: Enforcement, Host Integrity, OS Protection, Adaptive Policies, IDS, FW, Anti-Crimeware, Anti-Spyware, Antivirus (Enterprise Management)
– Symantec AntiVirus: AntiVirus, AntiSpyware (Management)
Symantec On-Demand Protection
Problem
Eavesdropping and theft of data from unmanaged devices
Unprotected or compromised devices connecting to the enterprise via web infrastructure
Delivering endpoint security to unmanaged devices (contractors, kiosks, home machines)
Solution
Protects confidential data by creating a secure environment that provides encryption and file deletion upon session termination
Protection from viruses and worms by enforcing AV and personal firewall via host integrity
Lower TCO by delivering endpoint protection on-demand via existing web infrastructure
Six Critical Requirements for On-Demand Security:
The Market in Which Symantec On-Demand Plays—Gartner Has Defined the Market…
– Client integrity checkers: SODA host integrity
– Browser cache file cleanup: SODA cache cleaner
– Behavioral malicious code scanners: SODA malicious code prevention
– Personal firewall mini-engines: SODA connection control
– Protected virtual user sessions: SODA virtual desktop
– Dynamic user access policies: SODA adaptive policies
Source: “Access From Anywhere Drives Innovation for On-Demand Security, Gartner, ID Number: G00126242”, March 21, 2005.
SODP Architecture: How it works…
– Administrator creates Symantec On-Demand Agent
– Administrator uploads On-Demand Agent
– User connects to login page
– Symantec On-Demand Agent downloads (Java)
– Symantec On-Demand Agent adapts policies to environment
Adaptive Policies (Device Type / Network Location / Policy):
– Corporate-owned, running agent / Airport WLAN / Trusted
– Employee Home / Home Network / VD, HI, Persistent
– Guest Laptop / Internal LAN / VD, HI
– Kiosk / Public Internet / VD, HI
– Symantec On-Demand Agent verifies Host Integrity (rules: Anti-Virus On, Anti-Virus Updated, Personal Firewall On, Service Pack Updated, Patch Updated)
– If compliant, On-Demand launches the Virtual Desktop or Cache Cleaner
– Virtual Desktop or Cache Cleaner then launches the login process
– User logs into SSL VPN/Web app and gets access to the network
– User can securely download, view, modify, and upload corporate information
– Upon inactivity or closing, VD is closed and data erased