Auto-Protecting Networks Powered by IPS-Based NAC

Ken Low, CISSP, GSLC, Security Lead, Asia Pacific


Outline

The Challenges of NAC

Trends: Where is NAC Heading?

Intrusion Prevention Systems (IPS)

Auto-Protecting Networks

IPS-based NAC


Section Divider

Why Is Software-Based NAC Failing?

The Challenges

If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.

— Bruce Schneier


The Problem

> Administrators want to automatically prevent the spread of worms and malicious traffic through their networks

> Most vendors attempt this through host integrity checking via a software agent

> If the host passes a security profile check (updated OS patch level and updated AV signature file), it is allowed onto the network

> Sounds simple enough, but…

[Figure: "All those Agents…": spam filters, pop-up blockers, spyware/adware blockers, antivirus, personal firewalls, content filters and IPSec clients, each on its own release schedule, each with its own licensing to track, across 1,000s of devices (are all covered?) = Administration Nightmare]


What we don’t need more of: MORE CLIENT SOFTWARE

Client software applications: Pop Up Blocker, Spyware, Adware, Anti-Virus, Personal FW, Content Filter, Spam Filter, IPSec Client, Citrix Client

X 1000’s of users = Unmanageable

• OS dependent
• Device dependent
• Updating nightmare
• Disparate solution set

The market does not need another endpoint software security application to purchase, configure, distribute, install, maintain, and manage.


Software-based NAC

The Security Agent (SA) is software residing on the host. The SA is available in 2 forms:
• As a stand-alone agent
• Included in partners’ AV clients

The SA checks for an updated OS patch level and AV signature on the host, and communicates the host’s profile to a Trusted Agent (TA)

The TA receives policy from the policy server

If the endpoint fits the security policy, the TA forwards credentials to the infrastructure devices


How NAC Works

[Figure: a Windows PC running the Client AV Security Agent and/or the Trusted Agent, an AAA RADIUS Policy Server, and an optional AV Server]

1: (step label not captured in the slide text)
2: Security Agent passes profile info to the Trusted Agent on the PC
3: Trusted Agent checks acceptable policy (AAA RADIUS Policy Server)
4: If acceptable, Trusted Agent instructs network infrastructure to allow connectivity


Why Networks Need Quarantine

[Figure: Internet, then IPS and FW/VPN at the perimeter, then the Enterprise Network with LAN segments, Wi-Fi and a Remote Branch. Perimeter: secure, attacks blocked (X). Internal: vulnerable.]

Attacks enter from LAN endpoints


NAC Limitations

(Components as in the "How NAC Works" figure: Trusted Agent on PC, Client AV Security Agent and/or Windows PC, AAA RADIUS Policy Server)

• Requires additional software clients
• Requires infrastructure modification – new AAA server
• Only works with limited / proprietary network gear
• Supports all AV products?
• Excludes Mac, Linux, VoIP, printers, PDAs
• Does not support many 3rd-party network devices
• Requires manual policy updates
• Forces visitors to adopt the new policy or receive a default access policy


NAC Failures

(Trusted Agent on PC, Client AV Security Agent and/or Windows PC, AAA RADIUS Policy Server)

Zero-day threat with no OS patch or AV signature: the profile check (patch level and AV signature) has nothing to detect, so the infected host is admitted.


NAC Failures

(Trusted Agent on PC, Client AV Security Agent and/or Windows PC, AAA RADIUS Policy Server)

A malicious user passes the profile check, then launches an attack (e.g. a DDoS attack)


Enterprise Endpoint Security

Agent Based
• Similar to NAC, but better
• Works with desktop firewall products, e.g. Symantec NAC, InfoExpress
• Agents forward profile info to an assessment server/auth server

Network Based
• If no agent is present, the endpoint is scanned with VA and OS patch scan tools
• Requires purchase and tuning of scanning for different types of devices – error prone
• Must create new scan profiles for each type of device
• Must update policy
• NAC will have this in the Phase 2 release

Even the network based solution works like an agent based solution, bringing the same complications of:
• forcing all nodes to comply with your security profile, which will at some point block authorized users and generate help desk calls
• failing to prevent malicious users who pass a security policy from launching attacks
• failing to provide infrastructure-based security mechanisms (i.e. IPS devices to control segments)
• failing to verify AV at all, so the network is still vulnerable to all exploits that are not addressed by an OS patch
• failing to block day-zero threats
• failing to contain an infection – no behavioral security enforcement


Other NAC Problems

Limitations

• “NAC won’t scale” – lots of legacy and even new equipment don’t support NAC, e.g. VoIP phones
• “What is 802.1X?” – much legacy hardware, printers and other devices don’t support the 802.1X protocol to enforce access policies before systems are assigned an IP address

Exploits

• “Attack The Unmanaged Switch” – hackers can find their way into the network by connecting through a switch not supported by NAC
• “Spoofing” – hackers can spoof the MAC and IP addresses of “known” systems that are allowed access
• “Alter Desktop & AV Software” – make infected endpoints appear to be adequately patched and have up-to-date antivirus definitions
• “Attack The Quarantine Network” – introduce a zero-day exploit to quarantined devices, then remediate and control them


Section Divider

A Survey Of The NACscape

Trends: Where is NAC Heading?



The NAC Market Yesterday

Proprietary single vendor solutions

Proprietary device support

Limited OS support

Limited AV support

Limited Patch support

Limited network access control policies

Proprietary or limited authentication support

No or incomplete open standards


The NAC Market Today

Client/Server

• Major Players
— TCG’s TNC
— Microsoft’s NAP
— Cisco’s Network Admission Control
• Methodology
— Endpoint dependent
— Limited protection – checks for AV and patches only (vulnerability scans unrealistic)
— Enforces network access policies

IPS-Based

• Methodology
— Clientless & network-based
— Standards-based (RADIUS / 802.1x)
— Endpoint agnostic
— Enforces network access policies
— Greater protection beyond AV & patches, e.g. DDoS, zero-day attacks, VoIP, protocol attacks, phishing, spyware, instant messaging etc.
— Ease of installation, admin & maintenance
• AVAILABLE NOW!


The NAC Market Tomorrow (Future)

TCG’s TNC open standards gaining support from several partners (ref. Interop NY Aug’06).

Microsoft’s NAP will work with Longhorn (Microsoft’s new server OS) available in 6 to 12 months’ time. Extensive support from Microsoft partners.

Cisco NAC’s proprietary grip will erode, e.g. customers can choose to use the NAP or NAC client in Microsoft’s Vista, and more Cisco products will support TNC, joining other network vendors in the embrace of open standards.

Within 2 to 3 years, Microsoft’s NAP, TCG’s TNC and Cisco’s NAC will mature and possibly integrate/consolidate into a single solution.

IPS-based NAC (e.g. TippingPoint Quarantine) will continue to provide more comprehensive & sophisticated protection for networks as an extension of the network IPS. There will be more powerful integration between IPS-based NAC and the major NAC schemes.


Section Divider

Stopping The Attack Before It Happens

Intrusion Prevention Systems (IPS)

Securing a computer system has traditionally been a battle of wits: the penetrator tries to find the holes, and the designer tries to close them.

— M. Gosser

Convergence of Network and Security

Security is embedded in the network itself

Proactive Defense Through Intelligence and Power

Attacks are detected and blocked at full network speed. TippingPoint IPS functions as a “network patch” or “virtual software patch”.

Attacks are stopped before they can cause damage to your infrastructure.

Closing the Gap with TippingPoint Intrusion Prevention

High Performance Custom Hardware • Highly Advanced Prevention Filters • Constant Update Protection Service

5 Gbps Throughput • Switch-Like Latency • 2M Sessions • 250K Sessions/Second • Total Flow Inspection • 64K Rate Shaping Queues • 10K Parallel Filters

PROTECTS: Routers (e.g. Cisco IOS) • Switches • Firewalls (e.g. Netscreen, CheckPoint FW1) • VoIP
FROM: Worms/Walk-in Worms • Viruses • Trojans • DDoS Attacks • SYN Floods • Traffic Anomalies

PROTECTS: Microsoft Applications & Operating Systems • Oracle Applications • Linux O/S • VoIP
FROM: Worms/Walk-in Worms • Viruses • Trojans • DDoS Attacks • Internal Attacks • Unauthorized Access • Spyware

PROTECTS: Bandwidth • Server Capacity • Mission-Critical Traffic
FROM: Peer-to-Peer Apps • Unauthorized Instant Messaging • Unauthorized Applications • DDoS Attacks

World Class Security Research

> Coverage
— Vendors
— Threat organizations
— Independent researchers (ZDI)
— Internal Threat Management Center

> Timeliness
— Weekly filter distribution
— Zero Day Initiative
— Same day Microsoft Tuesday coverage

> Accuracy
— Designed to block
— 5 years of filter writing experience
— No performance degradation

> Extensibility
— Signatures, vulnerabilities, traffic and protocol anomalies
— New Threats: P2P, Instant Messaging, Spyware, Phishing, VOIP

The Digital Vaccine service is the most comprehensive, accurate and automatic protection service available.

Current TippingPoint Product Line

TippingPoint 50 – 50 Mbps • 1 Segment • Copper
TippingPoint 200 – 200 Mbps • 2 Segments • Copper
TippingPoint 200E – 200 Mbps • 2 Segments • Copper
TippingPoint 400 – 400 Mbps • 4 Segments • Copper/Fiber
TippingPoint 1200 – 1.2 Gbps • 4 Segments • Copper/Fiber
TippingPoint 2400 – 2 Gbps • 4 Segments • Copper/Fiber
TippingPoint 5000E – 5 Gbps • 4 Segments • Copper/Fiber
TippingPoint SMS – Security Management System
TippingPoint X505 – IPS, Firewall, Bandwidth Mgmt, Content Filtering

World’s Most Awarded IPS – 31 Awards

NSS Gold Award

> TippingPoint’s Intrusion Prevention System is the FIRST and ONLY product to win the coveted NSS Gold Award in the IPS space.

Best Security Solution 2005

> TippingPoint IPS Overall Winner in SC Global Awards

> Over 1,000 products nominated

> The world's leading awards program for the information security industry

Gartner Magic Quadrant Leader

[Figure: Gartner Magic Quadrant (axes: Completeness of Vision, Ability to Execute) with 3Com/TippingPoint positioned in the Leaders quadrant]

TippingPoint Market Leadership

“TippingPoint comes out on top; they have an incredibly high percentage of customers running their product not only in-line, but running their default recommended settings of over 800 filters; they have a 33% share in 2005, nearly double that of their next closest competitor.”

— Jeff Wilson, Infonetics, May 2006

Source: Infonetics Research, Network Intrusion Prevention Market Outlook, May 17, 2006

World’s 1st ICSA-Certified Multi-Gigabit Network IPS

17 ICSA Consortium Members • 3 Certified Vendors • 10 Testing Participants

(Confidential)

3 Gbps: 84 µsec latency
350 Mbps: 398 µsec latency
100 Mbps: 441 µsec latency

Section Divider

Auto-Protecting Networks

The Future Of NAC Now

The user's going to pick dancing pigs over security every time.

— Bruce Schneier


Meanwhile in Dad’s Office .....

Previously

Son uses Dad’s (the CEO’s) computer in the office to surf the Internet.

He unknowingly visits a malicious website, is stopped by the company’s new Network Access Control (NAC) system, and the alarms go off.

Dad walks into the room, finds out what’s happening and smiles at him.

Now

Son is now in his teens.

His PDA phone (e.g. Blackberry), infected with a new virus, connects to the Wi-Fi network automatically.

No alarms go off this time; the virus spreads through the network very quickly and the network goes down.

Dad doesn’t smile this time; he summons his CSO.

Closing

Son, employees and contractors are using various access devices, e.g. PDA phones, Wi-Fi laptops, iPods, laptops etc.

Dad asks, “is everything OK?”

Everyone smiles and looks at the CSO, who carries a technical manual entitled ....


Section Divider

IPS-based NAC

Powered by TippingPoint Quarantine

We only need to be lucky once. You need to be lucky every time.

— The Irish Republican Army (IRA) to Margaret Thatcher, after a failed assassination attempt.


Three Quarantine Configurations

1. IPS Only

2. IPS+SMS

3. IPS+SMS+NMS

Quarantine Configuration #1: IPS Only

1. Client authenticates to network
2. Malicious traffic blocked by IPS
3. IPS performs policy-based thresholding
4. Remediation web page sent from IPS to quarantined user
5. All subsequent outbound traffic blocked by IPS

[Figure: Internet, then the Core (TippingPoint IPS in-line between 8800 switches, Catalyst 6500), then the access layer (5500 switch, WLANs, 1200 switch); the Remediation Page is served from the IPS to the quarantined client]

HTTP Redirect

[Figure: HTTP redirect to the remediation page (image not captured in the slide text)]

Quarantine Configuration #2: IPS + SMS

[Figure: Internet, then the Core (TippingPoint IPS in-line between 8800 switches, with TippingPoint SMS and a Radius server), then the access layer (5500 switch, WLANs, 1200 switch, other vendors’ switches)]

1. Client authenticates via SMS
2. SMS acts as Radius proxy, learning MAC/Switch/Port via RADA
3. Malicious activity blocked by IPS
4. Event data sent to SMS
5. SMS performs policy-based thresholding
6. SMS resolves IP to MAC
7. MAC address is placed into a blacklist and a policy set
8. SMS forces re-authentication of the compromised device
9. Device is contained within the set policy at the access switch ingress port

Quarantine Configuration #3: IPS + SMS + NMS

1. Client authenticates to network
2. Malicious activity blocked by IPS
3. Event data sent to SMS
4. SMS performs policy-based thresholding
5. SMS sends trap to NMS for administrator and/or automated action

[Figure: Internet, then the Core (TippingPoint IPS in-line between 8800 switches, with TippingPoint SMS, NMS and Radius server), then the access layer (5500 switch, WLANs, 1200 switch, other vendors’ switches)]

NMS facilitates automatic or manual action

Wireless Quarantine

[Figure: Headquarters (Wireless Controllers, AAA Server, Tipping Point IPS, Core Switch, WAN Router) connected over the WAN to a Remote Branch (WAN Router, TP SMS as AAA Proxy, Network Core) where a Trusted Client with Bad Behavior is connected]

1. IPS identifies bad behavior
2. SMS tells RADIUS: block user
3. WX sends SSID disassociate
4. User rejected on re-authentication
5. User sent to remediation page

3 Quarantine Configurations

1. IPS Only
— Blocks outgoing malicious traffic
— Serves remediation page
— Does not prevent intra-segment infection
— Does not disconnect user from network

2. IPS+SMS
— SMS shuts down port
— MAC-based policy enforcement
— All communication is halted or allowed on the quarantined VLAN only
— Wholly automated solution

3. IPS+SMS+NMS
— SMS sends SNMP trap to NMS
— Notification of problem and user location
— Allows admin to react or set an automated action set through NMS
— Provides additional visibility and flexibility into network activities
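The containment chain of Configuration #2 (the SMS, as RADIUS proxy, learns MAC/switch/port; an IPS event is resolved from IP to MAC; the MAC is blacklisted with a policy; re-authentication is forced so the access switch applies that policy on the ingress port) is modelled below as an added Python example. It is not TippingPoint SMS code. The RADIUS attribute names are the standard ones (Calling-Station-Id, NAS-IP-Address, NAS-Port, Framed-IP-Address); the record values, policy names, and the handling of an address with no record (escalate to the administrator, in the spirit of Configuration #3) are assumptions made for the example.

```python
"""IP -> MAC -> switch/port containment resolver for the IPS+SMS configuration.

Added example, not TippingPoint SMS code. Record formats, addresses, MACs and
policy names are constructed; RADIUS attribute names are the standard ones.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    switch: str      # NAS-IP-Address of the access switch
    port: int        # NAS-Port (ingress port of the client)


def normalize_mac(s):
    """Accept 00-11-22-AA-BB-CC, 00:11:22:aa:bb:cc or 0011.22aa.bbcc; return aa:bb:... form."""
    hexdigits = "".join(c for c in s.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {s!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


class ContainmentResolver:
    def __init__(self):
        self.mac_to_port = {}    # learned from proxied RADIUS traffic (step 2)
        self.ip_to_mac = {}      # learned from Framed-IP-Address when present
        self.blacklist = {}      # mac -> policy name (step 7)

    def learn_radius(self, attrs):
        """Step 2: record MAC/switch/port (and IP, if carried) from one proxied RADIUS record."""
        mac = normalize_mac(attrs["Calling-Station-Id"])
        self.mac_to_port[mac] = Port(attrs["NAS-IP-Address"], int(attrs["NAS-Port"]))
        if "Framed-IP-Address" in attrs:
            self.ip_to_mac[attrs["Framed-IP-Address"]] = mac

    def contain(self, ip, policy="quarantine-vlan"):
        """Steps 6-9: resolve IP -> MAC -> port, blacklist the MAC, return the enforcement order."""
        mac = self.ip_to_mac.get(ip)
        if mac is None:
            # No record: the host never authenticated through the proxy (e.g. an unmanaged
            # switch). Nothing can be enforced at a port, so hand the event to a person.
            return {"ip": ip, "status": "unresolved", "escalate": "notify-admin"}
        if mac in self.blacklist:
            return {"ip": ip, "mac": mac, "status": "already-contained",
                    "policy": self.blacklist[mac]}
        self.blacklist[mac] = policy
        port = self.mac_to_port[mac]
        return {"ip": ip, "mac": mac, "status": "contained", "policy": policy,
                "switch": port.switch, "port": port.port,
                "action": "force-reauth"}   # step 8: the next Access-Request gets the policy

    def authorize(self, attrs):
        """Step 9: the proxy's answer when the device re-authenticates on its ingress port."""
        mac = normalize_mac(attrs["Calling-Station-Id"])
        if mac in self.blacklist:
            return {"result": "Access-Accept", "policy": self.blacklist[mac]}
        return {"result": "Access-Accept", "policy": "normal"}


def run_demo():
    """Constructed records: two authenticated hosts, one of which the IPS later reports."""
    r = ContainmentResolver()
    r.learn_radius({"Calling-Station-Id": "00-11-22-AA-BB-CC", "NAS-IP-Address": "10.0.0.10",
                    "NAS-Port": "7", "Framed-IP-Address": "10.1.2.3"})
    r.learn_radius({"Calling-Station-Id": "0011.22dd.eeff", "NAS-IP-Address": "10.0.0.11",
                    "NAS-Port": "12", "Framed-IP-Address": "10.1.2.4"})
    return {
        "first": r.contain("10.1.2.3"),       # IPS event crossed the threshold for this host
        "repeat": r.contain("10.1.2.3"),      # same host reported again
        "unknown": r.contain("10.1.9.9"),     # never seen on a managed port
        "reauth": r.authorize({"Calling-Station-Id": "00:11:22:aa:bb:cc",
                               "NAS-IP-Address": "10.0.0.10", "NAS-Port": "7"}),
        "clean": r.authorize({"Calling-Station-Id": "0011.22dd.eeff",
                              "NAS-IP-Address": "10.0.0.11", "NAS-Port": "12"}),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

The MAC normalisation matters in practice: switches report Calling-Station-Id in several notations, and a lookup that misses because of formatting silently leaves the host connected, which is the "unresolved" branch above rather than containment.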


Quarantine Actions

> Display remediation web page (transparently by IPS)

> Block non-HTTP traffic (at IPS)

> Redirect to a URL (by IPS)
— HTTP 302 or transparent redirect
— IPS provides information to the destination web server about the nature of the infection

> Place client in remediation VLAN (access switch)

> Apply access-list to switch port or router (switch or router)

> Block IP address and/or switch port/MAC address (block all traffic)
— Works in conjunction with other Quarantine Actions

> White list
— Exceptions created for IP addresses or ranges
— Ex. servers for mission-critical applications, router and switch IP addresses, the CEO’s laptop, etc.
— Even if a white list is configured, the administrator is notified of infected machines (logging information); simply no Quarantine Action will be enforced

> Internal and external IP addresses
— Different actions based on whether an IP address is internal or external
— Ex. External addresses may need to be blocked immediately for a period of time such as twelve hours, one day, or one week, but not have a remediation web page
— Internal IP addresses may need a remediation page presented, be blocked on day three, and stay blocked for one week
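The policy-based thresholding of the three configurations and the actions listed on this slide (white list exceptions that only log and notify, immediate timed blocks for external addresses, a remediation page and a day-three block for internal addresses, a redirect that tells the remediation server the nature of the infection) fit together as one decision engine. The Python below is an added example written for this page, not TippingPoint IPS or SMS code; the address ranges, thresholds, durations, filter names and the remediation URL are constructed, and passing the infection details as a query string is one assumed way of doing what the slide describes.

```python
"""Quarantine policy engine: thresholding, white list, internal/external actions.

Added example, not TippingPoint code. All addresses, thresholds, durations,
filter names and the remediation URL are constructed for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class QuarantinePolicy:
    internal_nets: List[str]              # ranges treated as internal
    white_list: List[str]                 # addresses or ranges exempt from enforcement
    threshold: int                        # block events needed ...
    window: timedelta                     # ... within this sliding window
    external_block: timedelta = timedelta(days=1)       # e.g. twelve hours, one day, one week
    internal_block_after_day: int = 3                   # internal hosts blocked on day three
    internal_block_for: timedelta = timedelta(days=7)   # ... and stay blocked for one week
    remediation_url: str = "http://remediation.example.invalid/"   # assumed server


@dataclass
class Decision:
    ip: str
    actions: List[str] = field(default_factory=list)
    blocked_until: Optional[datetime] = None
    redirect: Optional[str] = None
    notify_only: bool = False


class QuarantineEngine:
    def __init__(self, policy):
        self.policy = policy
        self.events = defaultdict(deque)   # ip -> event timestamps inside the window
        self.first_quarantine = {}         # ip -> when it was first quarantined

    def _in_any(self, ip, nets):
        addr = ip_address(ip)
        return any(addr in ip_network(n) for n in nets)

    def observe(self, ip, ts, filter_name):
        """Record one IPS block event; return a Decision once the threshold is crossed."""
        q = self.events[ip]
        q.append(ts)
        while q and ts - q[0] > self.policy.window:    # drop events outside the window
            q.popleft()
        if len(q) < self.policy.threshold:
            return None
        q.clear()                                       # consume the window and act
        return self._decide(ip, ts, filter_name)

    def _decide(self, ip, ts, filter_name):
        d = Decision(ip=ip)
        if self._in_any(ip, self.policy.white_list):
            d.notify_only = True                        # white list: log and notify, enforce nothing
            d.actions.append("log-and-notify-admin")
            return d
        if not self._in_any(ip, self.policy.internal_nets):
            d.actions.append("block-all-traffic")       # external: immediate timed block, no page
            d.blocked_until = ts + self.policy.external_block
            return d
        first = self.first_quarantine.setdefault(ip, ts)
        day = (ts - first).days + 1
        d.actions += ["remediation-page", "block-non-http"]
        d.redirect = f"{self.policy.remediation_url}?ip={ip}&filter={filter_name}"
        if day >= self.policy.internal_block_after_day:
            d.actions.append("block-all-traffic")       # still infected on day three: full block
            d.blocked_until = ts + self.policy.internal_block_for
        return d


def run_demo():
    """Feed constructed IPS block events through the engine and collect the decisions."""
    policy = QuarantinePolicy(internal_nets=["10.0.0.0/8"], white_list=["10.0.0.5"],
                              threshold=3, window=timedelta(minutes=5))
    engine = QuarantineEngine(policy)
    t0 = datetime(2006, 8, 1, 9, 0, 0)
    minute = timedelta(minutes=1)

    def burst(ip, start, filt="worm-propagation"):
        last = None
        for i in range(3):                              # three blocks one minute apart
            last = engine.observe(ip, start + i * minute, filt)
        return last

    results = {
        "external": burst("203.0.113.7", t0),
        "internal_day1": burst("10.1.2.3", t0),
        "internal_day3": burst("10.1.2.3", t0 + timedelta(days=2)),
        "whitelisted": burst("10.0.0.5", t0),
    }
    engine.observe("10.9.9.9", t0, "scan")
    results["below_threshold"] = engine.observe("10.9.9.9", t0 + minute, "scan")
    for i in range(3):                                  # ten minutes apart: never 3 in one window
        results["outside_window"] = engine.observe("10.7.7.7", t0 + 10 * i * minute, "scan")
    return results


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(name, decision)
```

The white list is checked before the internal/external split, so a VIP machine inside the internal range is logged and reported but never cut off, which is the behaviour the slide asks for; the day counter starts at the first quarantine of a host, so a host that keeps tripping the threshold escalates from remediation page to full block on day three.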


Setting a Quarantine Policy

Quarantine Policy Summary Page


Advantages of Network-Based Quarantine

Agentless
— No client software to buy/manage/install
— Supports all operating systems (Linux, Macintosh)
— Protects all devices (printers, VoIP phones, wireless)
— Guest users not required to conform to a new security policy or install a client

IPS-based
— Extends IPS protection to endpoints
— Signature, protocol, and behavioral protection
— Continually updated to protect against zero-day threats
— Prevents malicious activities of internal users

Centrally Managed
— Flexibility through white lists for VIPs or mission-critical systems
— Will interoperate with Microsoft NAP
— Infuses security into the network infrastructure
— Creates an automated threat elimination system


Summary

The Challenges of NAC – Limitations & Exploits

Trends: Where is NAC Heading? – Yesterday, Today & Tomorrow

Intrusion Prevention Systems (IPS) – the role of the fastest growing security technology in NAC

Auto-Protecting Networks – transform your network today

IPS-based NAC – the easiest way to deploy NAC and prevent network intrusions now, while waiting for NAP/TNC/NAC to stabilize
