Auto-Protecting Networks
Powered by IPS-Based NAC
Ken Low, CISSP, GSLC, Security Lead, Asia Pacific
Outline
The Challenges of NAC
Trends: Where is NAC Heading?
Intrusion Prevention Systems (IPS)
Auto-Protecting Networks
IPS-based NAC
4
Section Divider
Why Is Software-Based NAC Failing?
The Challenges
If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.
— Bruce Schneier
5
The Problem
>Administrators want to automatically prevent the spread of worms and malicious traffic through their networks
>Most vendors attempt this through host integrity checking via a software agent
>If the host passes a security profile check (updated OS patch level and updated AV signature file), it is allowed onto the network
>Sounds simple enough, but…
All those Agents…
Spam Filters, Pop-up Blockers, Spyware / Adware Blockers, Antivirus, Personal Firewalls, Content Filters, IPSec Clients
= Administration Nightmare
On their own release schedules…
1,000s of devices (are all covered?)
Each with its own licensing to track
6
What we don’t need more of
Pop Up Blocker
Spyware
Adware
Anti-Virus
Personal FW
Content Filter
Spam Filter
IPSec Client
Citrix Client
X 1000’s of users = Unmanageable
•OS dependent
•Device dependent
•Updating nightmare
•Disparate solution set
The market does not need another endpoint software security application to purchase, configure, distribute, install, maintain, and manage.
MORE CLIENT SOFTWARE
Client Software Applications
7
Software-based NAC
Security Agent (SA) is software residing on the host. The SA is available in 2 forms:
•As a stand-alone agent
•Included in partners’ AV clients
SA checks for updated OS patch and AV signature on host, and communicates host’s profile to a Trusted Agent (TA)
TA receives policy from policy server
If endpoint fits security policy, then TA forwards credentials to infrastructure devices
8
How NAC Works
1: Client AV / Security Agent on Windows PC checks the host profile
2: Passes profile info to Trusted Agent on PC
3: Trusted Agent checks acceptable policy with AAA RADIUS Policy Server (AV Server optional)
4: If acceptable, Trusted Agent instructs network infrastructure to allow connectivity
9
Why Networks Need Quarantine
[Diagram: Perimeter vs Internal. Perimeter: Internet, IPS, FW/VPN, Remote Branch; marked Secure, attacks blocked. Internal: Enterprise Network, LAN Segments, Wi-Fi; marked Vulnerable.]
Attacks enter from LAN endpoints
10
NAC Limitations
[Diagram: Client AV / Security Agent and/or Trusted Agent on Windows PC; AAA RADIUS Policy Server]
Requires Additional Software Clients
Requires Infrastructure Modification – new AAA server
Only works with limited / proprietary network gear
Supports All AV Products?
Excludes Mac, Linux, VoIP, Printers, PDAs
Does not support many 3rd party network devices
Requires Manual Policy Updates
Forces visitors to adopt new policy or receive a default access policy
11
NAC Failures
[Diagram: Client AV / Security Agent and/or Trusted Agent on Windows PC; AAA RADIUS Policy Server]
Zero-Day Threat with no OS patch or AV signature
12
NAC Failures
[Diagram: Client AV / Security Agent and/or Trusted Agent on Windows PC; AAA RADIUS Policy Server]
A malicious user passes profile check, then launches attack (DDoS Attack)
13
Enterprise Endpoint Security
Agent Based
Similar to NAC, but better
Works with desktop firewall products e.g. Symantec NAC, InfoExpress
Agents forward profile info to assessment server/auth server
Network Based
If no agent is present, endpoint is scanned with VA and OS patch scan tools
Requires purchase and tuning of scanning for different types of devices – error prone
Must create new scan profiles for each type of device
Must update policy
NAC will have this in Phase 2 release
Even the network based solution works like an agent based solution, bringing the same complications:
forcing all nodes to comply with your security profile, which will at some point block authorized users and generate help desk calls
failing to prevent malicious users who pass a security policy from launching attacks
failing to provide infrastructure based security mechanisms (i.e. IPS devices to control segments)
doesn’t verify AV at all, so network is still vulnerable to all exploits that are not addressed by an OS patch
doesn’t block day zero threats or contain an infection – no behavioral security enforcement
14
Other NAC Problems
Limitations
“NAC won’t scale” – lots of legacy and even new equipment that don’t support NAC e.g. VoIP phones
“What is 802.1X?” – many legacy hardware, printers and other devices don’t support the 802.1X protocol to enforce access policies before systems are assigned an IP address
Exploits
“Attack The Unmanaged Switch” – hackers can find their way into network by connecting through a switch not supported by NAC
“Spoofing” – hackers can spoof MAC and IP addresses for “known” systems that are allowed access
“Alter Desktop & AV Software” – make infected endpoints appear to be adequately patched and have up to date antivirus definitions
“Attack The Quarantine Network” – introduce zero day exploit to quarantined devices, then remediate and control them
15
Section Divider
A Survey Of The NACscape
Trends: Where is NAC Heading?
If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.
— Bruce Schneier
16
The NAC Market Yesterday
Proprietary single vendor solutions
Proprietary device support
Limited OS support
Limited AV support
Limited Patch support
Limited network access control policies
Proprietary or limited authentication support
No or incomplete open standards
17
The NAC Market Today
Client/Server
Major Players
•TCG’s TNC
•Microsoft’s NAP
•Cisco’s Network Admission Control
Methodology
•Endpoint dependent
•Limited protection - checks for AV and patches only (vulnerability scans unrealistic)
•Enforces network access policies
IPS-Based
Methodology
•Clientless & Network-Based
•Standards-Based (RADIUS / 802.1x)
•Endpoint agnostic
•Enforce network access policies
•Greater protection beyond AV & patches e.g. DDoS, Zero Day Attacks, VoIP, Protocol Attacks, Phishing, Spyware, Instant Messaging etc.
•Ease of installation, admin & maintenance
AVAILABLE NOW!
18
The NAC Market Tomorrow (Future)
TCG’s TNC open standards gaining support from several partners (ref. Interop NY Aug’06).
Microsoft’s NAP will work with Longhorn (Microsoft’s new server OS) available in 6 to 12 months’ time. Extensive support from Microsoft partners.
Cisco NAC’s proprietary grip will erode e.g. customers can choose to use NAP or NAC client in Microsoft’s Vista and more Cisco products will support TNC, joining other network vendors in the embrace of open standards.
Within 2 to 3 years, Microsoft’s NAP, TCG’s TNC and Cisco’s NAC will mature and possibly integrate/consolidate into a single solution.
IPS-based NAC (e.g. TippingPoint Quarantine) will continue to provide more comprehensive & sophisticated protection for networks as an extension of network IPS. There will be more powerful integration between IPS-based NAC and the major NAC schemes.
19
Section Divider
Stopping The Attack Before It Happens
Intrusion Prevention Systems (IPS)
Securing a computer system has traditionally been a battle of wits: the penetrator tries to find the holes, and the designer tries to close them.
— M. Gosser
20
Convergence of Network and Security
Security is embedded in the network itself
21
Proactive Defense Through Intelligence and Power
Attacks are detected and blocked at full network speed. TippingPoint IPS functions as a “network patch” or “virtual software patch”.
Attacks are stopped before they can cause damage to your infrastructure.
22
Closing the Gap with TippingPoint Intrusion Prevention
High Performance Custom Hardware • Highly Advanced Prevention Filters • Constant Update Protection Service
5 Gbps Throughput • Switch-Like Latency • 2M Sessions • 250K Sessions/Second • Total Flow Inspection • 64K Rate Shaping Queues • 10K Parallel Filters
PROTECTS: Routers (e.g. Cisco IOS), Switches, Firewalls (e.g. Netscreen, CheckPoint FW1), VoIP
FROM: Worms/Walk-in Worms, Viruses, Trojans, DDoS Attacks, SYN Floods, Traffic Anomalies
PROTECTS: Microsoft Applications & Operating Systems, Oracle Applications, Linux O/S, VoIP
FROM: Worms/Walk-in Worms, Viruses, Trojans, DDoS Attacks, Internal Attacks, Unauthorized Access, Spyware
PROTECTS: Bandwidth, Server Capacity, Mission-Critical Traffic
FROM: Peer-to-Peer Apps, Unauthorized Instant Messaging, Unauthorized Applications, DDoS Attacks
23
World Class Security Research
>Coverage
— Vendors
— Threat organizations
— Independent researchers (ZDI)
— Internal Threat Management Center
>Timeliness
— Weekly filter distribution
— Zero Day Initiative
— Same day Microsoft Tuesday coverage
>Accuracy
— Designed to block
— 5 years of filter writing experience
— No performance degradation
>Extensibility
— Signatures, vulnerabilities, traffic and protocol anomalies
— New Threats: P2P, Instant Messaging, Spyware, Phishing, VOIP
The Digital Vaccine service is the most comprehensive, accurate and automatic protection service available.
24
Current TippingPoint Product Line
TippingPoint 50: 50 Mbps • 1 Segment • Copper
TippingPoint 200: 200 Mbps • 2 Segments • Copper
TippingPoint 200E: 200 Mbps • 2 Segments • Copper
TippingPoint 400: 400 Mbps • 4 Segments • Copper/Fiber
TippingPoint 1200: 1.2 Gbps • 4 Segments • Copper/Fiber
TippingPoint 2400: 2 Gbps • 4 Segments • Copper/Fiber
TippingPoint 5000E: 5 Gbps • 4 Segments • Copper/Fiber
TippingPoint SMS: Security Management System
TippingPoint X505: IPS, Firewall, Bandwidth Mgmt, Content Filtering
25
World’s Most Awarded IPS – 31 Awards
NSS Gold Award
> TippingPoint’s Intrusion Prevention System is the FIRST and ONLY product to win the coveted NSS Gold Award in the IPS space.
Best Security Solution 2005
> TippingPoint IPS Overall Winner in SC Global Awards
> Over 1,000 products nominated
> The world's leading awards program for the information security industry
26
Gartner Magic Quadrant Leader
[Figure: Gartner Magic Quadrant, axes Completeness of Vision and Ability to Execute; 3Com/TippingPoint placed in the Leaders quadrant]
27
TippingPoint Market Leadership
“TippingPoint comes out on top; they have an incredibly high percentage of customers running their product not only in-line, but running their default recommended settings of over 800 filters; they have a 33% share in 2005, nearly double that of their next closest competitor.”
Jeff Wilson, Infonetics, May 2006
Source: Infonetics Research, Network Intrusion Prevention Market Outlook, May 17, 2006
28
World’s 1st ICSA-Certified Multi-Gigabit Network IPS
17 ICSA Consortium Members
3 Certified Vendors
10 Testing Participants
(Confidential)
3 Gbps: 84 µsec latency
350 Mbps: 398 µsec latency
100 Mbps: 441 µsec latency
29
Section Divider
Auto-Protecting Networks
The Future Of NAC Now
The user's going to pick dancing pigs over security every time.
- Bruce Schneier
30
Meanwhile in Dad’s Office .....
Previously
Son uses Dad’s (CEO) computer in the office to surf the Internet.
Unknowingly visits a malicious website and is stopped by the company’s new Network Access Control (NAC) system and the alarms go off.
Dad walks into the room, finds out what’s happening and smiles at him.
Now
Son is now in his teens
PDA phone (e.g. Blackberry) infected with a new virus connects to Wi-Fi network automatically.
No alarms go off this time; the virus spreads through the network very quickly and the network goes down.
Dad doesn’t smile this time, summons his CSO.
Closing
Son, employees and contractors are using various access devices e.g. PDA phones, Wi-Fi laptops, iPods, Laptops etc.
Dad asks, “is everything OK?”
Everyone smiles and looks at the CSO, who carries a technical manual entitled ....
Section Divider
Powered by TippingPoint Quarantine
We only need to be lucky once. You need to be lucky every time.
— The Irish Republican Army (IRA) to Margaret Thatcher, after a failed assassination attempt.
IPS-based NAC
34
Three Quarantine Configurations
1. IPS Only
2. IPS+SMS
3. IPS+SMS+NMS
35
Quarantine Configuration #1: IPS Only
1. Client authenticates to network
2. Malicious traffic blocked by IPS
3. IPS performs policy-based thresholding
4. Remediation web page sent from IPS to quarantined user
5. All subsequent outbound traffic blocked by IPS
[Diagram: Internet, Core, TippingPoint IPS, 8800 Switches, Catalyst 6500, 5500 Switch, 1200 Switch, WLANs; Remediation Page served to the quarantined user]
36
HTTP Redirect
37
Quarantine Configuration #2: IPS + SMS
[Diagram: Internet, Core, Radius, TippingPoint SMS, TippingPoint IPS, 8800 Switches, other vendors’ switches, 5500 Switch, 1200 Switch, WLANs]
1. Client Authenticates via SMS
2. SMS acts as Radius proxy, learning MAC/Switch/Port via RADA
3. Malicious activity blocked by IPS
4. Event data sent to SMS
5. SMS performs policy-based thresholding
6. SMS resolves IP to MAC
7. MAC Address is placed into a blacklist and policy set
8. SMS forces re-authentication of compromised device
9. Device is contained within the set policy at the access switch ingress port
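Steps 2 and 8 above put the SMS in the RADIUS path: as a proxy it sees every Access-Request, so it can record which MAC appeared on which switch port, and when a flagged device is forced to re-authenticate it can answer for it. The following is an added example written for this page, not TippingPoint SMS code and not a model of RADA: it encodes and parses RFC 2865 packets (header plus Type/Length/Value attributes, Response Authenticator = MD5 over code, id, length, request authenticator, attributes and shared secret), learns MAC/switch/port from User-Name, Calling-Station-Id, NAS-IP-Address and NAS-Port, and returns Access-Reject with a Reply-Message for a blacklisted MAC. The shared secret, the MAC, the switch address and the stand-in upstream server are constructed; rejecting the client is one containment choice, where the slides also describe moving it to a quarantined VLAN.

```python
# Added example: a RADIUS proxy that records MAC/switch/port per Access-Request and
# rejects blacklisted MACs on re-authentication. Constructed, not SMS code.
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, REPLY_MESSAGE, CALLING_STATION_ID = 1, 4, 5, 18, 31
SECRET = b"constructed-shared-secret"  # constructed value, not a real secret
Attrs = List[Tuple[int, bytes]]

def _tlv(attrs: Attrs) -> bytes:
    """RADIUS attributes are Type(1) Length(1, includes the 2-byte header) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def encode_packet(code: int, ident: int, authenticator: bytes, attrs: Attrs) -> bytes:
    body = _tlv(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode_packet(pkt: bytes) -> Tuple[int, int, bytes, Attrs]:
    """Parse header and TLVs; refuse packets whose length fields do not add up."""
    if len(pkt) < 20:
        raise ValueError("truncated RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    attrs: Attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs

def build_response(code: int, ident: int, req_auth: bytes, attrs: Attrs, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = _tlv(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def verify_response(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """The switch-side check: only a holder of the shared secret can produce this digest."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def normalize_mac(raw: str) -> str:
    """Switches send Calling-Station-Id as 00-11-22-.., 0011.2233.., etc.; canonicalise."""
    digits = "".join(c for c in raw if c in "0123456789abcdefABCDEF").upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass(frozen=True)
class Session:
    user: str
    mac: str
    nas_ip: str    # the access switch
    nas_port: int  # its ingress port: where containment is applied

class QuarantineRadiusProxy:
    """Sits between the access switch and the real RADIUS server (the 'SMS as Radius proxy' role)."""
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.sessions: Dict[str, Session] = {}  # MAC -> last switch/port seen
        self.blacklist: Set[str] = set()        # MACs the IPS/SMS flagged

    def handle(self, request: bytes, upstream: Callable[[bytes], bytes]) -> bytes:
        code, ident, req_auth, attrs = decode_packet(request)
        if code != ACCESS_REQUEST:
            raise ValueError("only Access-Request is proxied")
        a = dict(attrs)  # assumption: each attribute appears once
        sess = Session(a[USER_NAME].decode(), normalize_mac(a[CALLING_STATION_ID].decode()),
                       str(ipaddress.IPv4Address(a[NAS_IP_ADDRESS])),
                       struct.unpack("!I", a[NAS_PORT])[0])
        self.sessions[sess.mac] = sess
        if sess.mac in self.blacklist:
            # Flagged device re-authenticating: answer locally, never reach upstream
            return build_response(ACCESS_REJECT, ident, req_auth,
                                  [(REPLY_MESSAGE, b"Quarantined: see remediation page")], self.secret)
        return upstream(request)

def run_sample() -> Tuple[int, int, str, Session, bool]:
    """First auth is accepted; after the IPS flags the host, re-auth is rejected."""
    proxy = QuarantineRadiusProxy(SECRET)

    def upstream(request: bytes) -> bytes:  # stand-in real RADIUS server: accepts all
        _, ident, req_auth, _ = decode_packet(request)
        return build_response(ACCESS_ACCEPT, ident, req_auth, [], SECRET)

    req_auth = bytes(range(16))  # constructed Request Authenticator
    attrs = [(USER_NAME, b"jsmith"), (NAS_IP_ADDRESS, ipaddress.IPv4Address("10.0.0.2").packed),
             (NAS_PORT, struct.pack("!I", 17)), (CALLING_STATION_ID, b"00-11-22-aa-bb-cc")]
    first = proxy.handle(encode_packet(ACCESS_REQUEST, 7, req_auth, attrs), upstream)
    proxy.blacklist.add(normalize_mac("0011.22aa.bbcc"))  # SMS resolved the IPS event's IP to this MAC
    second = proxy.handle(encode_packet(ACCESS_REQUEST, 8, req_auth, attrs), upstream)
    code2, _, _, rattrs = decode_packet(second)
    return (decode_packet(first)[0], code2, dict(rattrs).get(REPLY_MESSAGE, b"").decode(),
            proxy.sessions["00:11:22:AA:BB:CC"], verify_response(second, req_auth, SECRET))
```

The proxy keys its session table on the normalised MAC rather than the raw Calling-Station-Id string because different switch vendors format the same address differently, and a blacklist that compares raw strings would silently miss a flagged device that reconnects through a different make of switch. Strict length checking in the parser matters for the same reason the slides give for running a proxy at all: it sits in a trust boundary and must not be confused by malformed input.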
38
Quarantine Configuration #3: IPS + SMS + NMS
1. Client authenticates to network
2. Malicious activity blocked by IPS
3. Event data sent to SMS
4. SMS performs policy-based thresholding
5. SMS sends trap to NMS for administrator and/or automated action
[Diagram: Internet, Core, NMS, Radius, TippingPoint SMS, TippingPoint IPS, 8800 Switches, other vendors’ switches, 5500 Switch, 1200 Switch, WLANs]
NMS facilitates automatic or manual action
39
Wireless Quarantine
[Diagram: Headquarters with AAA Server, TippingPoint IPS, Core Switch, Wireless Controllers and WAN Router; WAN; Remote Branch with WAN Router, TippingPoint IPS, Wireless Controller and TP SMS / AAA Proxy; Trusted Client with Bad Behavior]
1. IPS identifies bad behavior
2. SMS tells RADIUS - block user
3. WX sends SSID disassociate
4. User rejected re-authentication
5. User sent to remediation page
40
3 Quarantine Configurations
1. IPS Only
Blocks outgoing malicious traffic
Serves remediation page
Does not prevent intra-segment infection
Does not disconnect user from network
2. IPS+SMS
SMS shuts down port
MAC-based policy enforcement
All communication is halted or allowed on Quarantined VLAN only
Wholly automated solution
3. IPS+SMS+NMS
SMS sends SNMP trap to NMS
Notification of problem and user location
Allows admin to react or set automated action set through NMS
Provides additional visibility and flexibility into network activities
41
Quarantine Actions
>Display remediation web page (transparently by IPS)
>Block non-HTTP Traffic (at IPS)
>Redirect to a URL (by IPS)
— HTTP 302 or transparent redirect
— IPS provides information to destination web server about nature of infection
>Place client in remediation VLAN (Access switch)
>Apply access-list to switch port or router (Switch or router)
>Block IP address and/or switch port/MAC address (block all traffic)
— Works in conjunction with other Quarantine Actions
>White list
— Exceptions created for IP addresses or ranges
— Ex. Servers for mission critical applications, router and switch IP addresses, the CEO’s laptop machine, etc.
— Even if a white list is configured, the administrator is notified of infected machines (logging information); simply no Quarantine Action will be enforced
>Internal and External IP addresses
— Different actions based on whether an IP address is internal or external
— Ex. External addresses may need to be blocked immediately for a period of time such as twelve hours, one day, or one week, but not have a remediation web page
— Internal IP addresses may need a remediation page presented, be blocked on day three, and stay blocked for one week
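The "policy-based thresholding" step of the IPS + SMS configuration and the Quarantine Actions list above together describe a small decision engine: count IPS block events per source, act once a threshold is crossed, exempt white-listed hosts while still logging them, and pick different actions for internal and external addresses. The block below is an added example written for this page, not TippingPoint or 3Com code; the threshold (3 hits in 60 s), the action names, the block durations (taken from the slide's "twelve hours" and "one week" examples) and the sample events are all constructed. It does not model the slide's "blocked on day three" escalation, only immediate containment.

```python
# Added example: policy-based thresholding and quarantine-action selection in the
# style of the IPS+SMS flow and the Quarantine Actions list. Constructed; not
# TippingPoint/3Com code. Thresholds, action names and events are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class IpsEvent:
    """One block event as the IPS would forward it to the management server."""
    ts: int           # seconds since epoch
    src_ip: str       # offending endpoint
    filter_name: str  # IPS filter that fired

@dataclass
class QuarantinePolicy:
    internal_nets: List[str]
    whitelist: List[str]               # exceptions: logged but never quarantined
    hits_to_quarantine: int = 3        # blocked events within the window before acting
    window_s: int = 60
    external_block_s: int = 12 * 3600  # the slide's "twelve hours" example
    internal_block_s: int = 7 * 86400  # the slide's "one week" example

@dataclass(frozen=True)
class Decision:
    ip: str
    quarantine: bool
    actions: Tuple[str, ...]
    block_until: Optional[int]
    note: str

class ThresholdEngine:
    """Keeps a sliding window of IPS hits per source IP and decides per event."""

    def __init__(self, policy: QuarantinePolicy) -> None:
        self.policy = policy
        self._hits: Dict[str, List[int]] = {}
        self._internal = [ip_network(n) for n in policy.internal_nets]
        self._allow = [ip_network(n) for n in policy.whitelist]

    @staticmethod
    def _in_any(ip: str, nets) -> bool:
        addr = ip_address(ip)
        return any(addr in n for n in nets)

    def observe(self, ev: IpsEvent) -> Decision:
        hits = self._hits.setdefault(ev.src_ip, [])
        hits.append(ev.ts)
        hits[:] = [t for t in hits if ev.ts - t < self.policy.window_s]  # forget old hits
        if self._in_any(ev.src_ip, self._allow):
            # white list: the admin still sees the infection, but no action is enforced
            return Decision(ev.src_ip, False, ("log",), None, "white-listed; notify only")
        if len(hits) < self.policy.hits_to_quarantine:
            return Decision(ev.src_ip, False, ("log",), None,
                            f"{len(hits)}/{self.policy.hits_to_quarantine} hits in window")
        if self._in_any(ev.src_ip, self._internal):
            # internal host: contain at the access port and explain to the user
            return Decision(ev.src_ip, True,
                            ("resolve_ip_to_mac", "blacklist_mac", "force_reauth",
                             "remediation_page", "block_non_http"),
                            ev.ts + self.policy.internal_block_s, "internal host quarantined")
        # external address: timed block at the IPS, no remediation page
        return Decision(ev.src_ip, True, ("block_ip",),
                        ev.ts + self.policy.external_block_s, "external address blocked")

def run_sample() -> Dict[str, Decision]:
    """Feed constructed events through the engine and return the last decision per IP."""
    policy = QuarantinePolicy(internal_nets=["10.0.0.0/8"], whitelist=["10.0.0.5/32"])
    engine = ThresholdEngine(policy)
    events = [  # constructed sample events
        IpsEvent(1000, "10.0.1.20", "worm-scan"),
        IpsEvent(1010, "10.0.1.20", "worm-scan"),
        IpsEvent(1020, "10.0.1.20", "worm-scan"),     # third hit within 60 s
        IpsEvent(1000, "10.0.0.5", "worm-scan"),      # white-listed server
        IpsEvent(1001, "10.0.0.5", "worm-scan"),
        IpsEvent(1002, "10.0.0.5", "worm-scan"),
        IpsEvent(2000, "198.51.100.7", "syn-flood"),  # external (documentation range) address
        IpsEvent(2001, "198.51.100.7", "syn-flood"),
        IpsEvent(2002, "198.51.100.7", "syn-flood"),
        IpsEvent(3000, "10.0.2.9", "worm-scan"),      # spread out: never 3 in one window
        IpsEvent(3100, "10.0.2.9", "worm-scan"),
        IpsEvent(3200, "10.0.2.9", "worm-scan"),
    ]
    last: Dict[str, Decision] = {}
    for ev in events:
        last[ev.src_ip] = engine.observe(ev)
    return last

if __name__ == "__main__":
    for ip, d in run_sample().items():
        print(f"{ip:14} {'QUARANTINE' if d.quarantine else 'log':10} {d.actions} {d.note}")
```

The white-list check runs before the threshold check on purpose: a mission-critical server that trips filters is still counted and logged, so the administrator sees it, but it can never be taken off the network by an automated action. Thresholding on a sliding window rather than on a single event is what keeps a one-off false positive from quarantining a host while a sustained worm scan still crosses the line quickly.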
42
Setting a Quarantine Policy
Quarantine Policy Summary Page
43
Advantages of Network-Based Quarantine
Agentless
No client software to buy/manage/install
Supports all operating systems (Linux, Macintosh)
Protects all devices (printers, VoIP phones, Wireless)
Guest users not required to conform to new security policy or install client
IPS-based
Extends IPS protection to endpoints
Signature, protocol, and behavioral protection
Continually updated to protect against zero-day threats
Prevents malicious activities of internal users
Centrally Managed
Flexibility through white lists for VIPs or mission-critical systems
Will interoperate with Microsoft NAP
Infuses security into the network infrastructure
Creates an automated threat elimination system
44
Summary
The Challenges of NAC – Limitations & Exploits
Trends: Where is NAC Heading? – Yesterday, Today & Tomorrow
Intrusion Prevention Systems (IPS) – the role of the fastest growing security technology in NAC
Auto-Protecting Networks – transform your network today
IPS-based NAC – easiest way to deploy NAC and prevent network intrusions now and wait for NAP/TNC/NAC to stabilize
47
To Be Completed