SOPHOS NAC Presented by MPIRIRWE BYANAGWA STEPHEN

Presented by MPIRIRWE BYANAGWA STEPHEN. An approach to computer network security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication and network security enforcement.

Page 1: SOPHOS NAC

Presented by MPIRIRWE BYANAGWA STEPHEN

Page 2: What's NAC?

"An approach to computer network security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication and network security enforcement."

• Aim: to control endpoint security by unifying it with network device security and the network as a whole.

• Result: end devices that do not comply with the set security policies are identified and quarantined.

Page 3: Key Concept: Access Is a Function of Authentication and Environment

What you can do = Who You Are + Where You Are Coming From + How Well You Comply with Policy

Darn… We just summarized NAC in one slide. What else is there to talk about?

Page 4: How does NAC work?

Network Access Control (NAC) checks computers accessing your network to ensure full compliance with your security policies. NAC makes sure computers, including roaming laptops, are running antivirus, firewalls and other security applications. It also makes sure that OS service packs are up to date and that Windows Update is active.

Page 5: NAC Basic Concepts

• Pre-admission vs post-admission enforcement: the policy check is applied either before the endpoint is admitted to the network or after it is already connected (for example on a later rescan or a policy change).

• Agent vs agentless data collection: agent software runs on the endpoint and reports its status to the NAC server.

• Agentless devices: some devices do not support NAC agent software, e.g. printers, scanners, phones, photocopiers and other special devices. For these, NAC uses scanning and network inventory techniques (whitelisting, blacklisting, ACLs) to discern their characteristics remotely.

Page 6: NAC Basic Concepts

• Out-of-band vs inline solutions. Inline: a single box acts as an internal firewall for access-layer networks and enforces the policy. Out-of-band: agents on end-stations report information to a central console, which in turn controls the switches to enforce policy.

Page 7: NAC Basic Concepts

• Quarantine vs captive portals for remediation. Quarantine: a non-compliant end-station is only allowed to access a restricted network with patch and update servers. Captive portals: the captive portal technique forces an HTTP client on a network to see a special web page before gaining full access.

In NAC, a captive portal intercepts HTTP access to web pages, redirecting users to a web application that provides instructions and tools for updating their computers.

Page 8: Why NAC?

Endpoints that do not comply with established security policies pose a threat and can introduce a security risk into the network.

Goal of NAC: to prevent vulnerable and non-compliant hosts from obtaining network access.

Page 9: NAC Has Four Components

1. Authentication of the user (Authenticate): end users are authenticated before getting network access.

Page 10: Environmental Information Modifies Access or Causes Remediation

2. Use environmental information as part of policy decision making (Environment): Where is the user coming from? When is the access request occurring? What is the security posture of the endpoint?

Page 11: Access Controls Define Capabilities and Restrict the User

3. Control usage based on capabilities of hardware and security policy (Access Control): allow or deny access; put the user on a VLAN; send the user to remediation; apply ACLs or firewall rules.

Page 12: Management of Policy Is the Weak Link in Most NAC Solutions

4. Manage it all (Management): usable management and cross-platform NAC normalization.

Page 13: Detect & Authenticate

• 802.1X port-based authentication (via RADIUS)
• MAC-based authentication (via RADIUS)
• Web-based authentication
• Static port/MAC configuration
• Dynamic port/MAC configuration (SNMP)
• Kerberos snooping

Page 14: Comparison of detection and authentication methods

Method: 802.1X
Conclusion: If all requirements are fulfilled, 802.1X offers a very scalable and dynamic identification with a high level of security at the switch port.
Benefits: standard for current systems; centralized administration; real-time detection; high level of security; good scalability; additional information (user, host).
Disadvantages: many requirements; subsequent upgrade expensive.

Method: MAC
Conclusion: This method is a solution for special end systems. It is better than static port/MAC assignment since dynamics and scalability are the same as for 802.1X.
Benefits: standard for current systems; centralized administration; real-time detection; good scalability.
Disadvantages: many requirements; low security (the MAC address is the only credential, and anyone who can observe it can clone it); additional information is limited.

Method: Web
Conclusion: This method is more an addition than a complete authentication method. It simplifies the administrative effort for guests and allows access to older devices.
Benefits: centralized administration; real-time detection; good scalability.
Disadvantages: additional service administration; additional registration portal; insecure quarantine.
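The RADIUS-based methods on pages 13 and 14, and the agentless devices on page 5 that fall back to MAC authentication, all end in the same exchange: the switch sends an Access-Request, and the NAC/RADIUS server answers Access-Accept (optionally carrying an RFC 3580 VLAN assignment) or Access-Reject. The Python below is an added example written for this page; it is not Sophos code and nothing in the original deck. It builds a MAC-authentication request, hides the password the way RFC 2865 section 5.2 does, lets the server answer with a VLAN, and verifies and parses that answer on the switch side. The shared secret, the MAC address and the VLAN numbers are constructed for the demo. It also makes the "low security" row concrete: the credential is the MAC address itself.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

# RADIUS packet codes and attribute types (RFC 2865, RFC 2868, RFC 3580).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 2, 31, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802, NAS_PORT_TYPE_ETHERNET = 13, 6, 15


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous ciphertext block); the first 'previous block' is the
    Request Authenticator. The hiding is keyed on the shared secret alone, so
    whoever holds (or guesses) the secret recovers the cleartext."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; this is what the RADIUS server does."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list after the 20-byte header, rejecting bad lengths."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def build_mab_request(mac: str, secret: bytes, ident: int = 1,
                      request_auth: Optional[bytes] = None) -> bytes:
    """MAC authentication: the switch (NAS) sends the MAC as both User-Name and
    User-Password over PAP. Nothing proves the device is what it claims; a
    laptop cloning the printer's MAC gets the same answer."""
    request_auth = request_auth or os.urandom(16)
    user = mac.replace(":", "").replace("-", "").lower().encode()
    attrs = (attribute(USER_NAME, user)
             + attribute(USER_PASSWORD, hide_password(user, secret, request_auth))
             + attribute(CALLING_STATION_ID, mac.upper().replace(":", "-").encode())
             + attribute(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_vlan_accept(request: bytes, vlan: int, secret: bytes) -> bytes:
    """Access-Accept with the RFC 3580 VLAN assignment (tag 1 on all three
    tunnel attributes). A quarantine VLAN is the same answer with another number."""
    ident, request_auth = request[1], request[4:20]
    tag = b"\x01"
    attrs = (attribute(TUNNEL_TYPE, tag + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + attribute(TUNNEL_MEDIUM_TYPE, tag + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
             + attribute(TUNNEL_PRIVATE_GROUP_ID, tag + str(vlan).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """The switch must check this before moving the port; otherwise anyone who
    can reach it on the management network can forge an Access-Accept."""
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def assigned_vlan(response: bytes) -> Optional[int]:
    """Pull the VLAN out of Tunnel-Private-Group-ID, skipping the RFC 2868 tag."""
    for attr_type, value in parse_attributes(response):
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            group = value[1:] if value and value[0] <= 0x1F else value
            return int(group)
    return None


if __name__ == "__main__":
    SECRET = b"testing123"  # constructed demo secret; never reuse a vendor default
    req = build_mab_request("00:11:22:AA:BB:CC", SECRET)
    resp = build_vlan_accept(req, 20, SECRET)  # server decides: printer VLAN 20
    print("authentic:", response_is_authentic(resp, req, SECRET), "vlan:", assigned_vlan(resp))
```

Two practical points follow from the code. First, a MAC whitelist should only ever land a device on a VLAN scoped to what that device type needs (a printer VLAN that reaches the print server, not the production VLAN), because the "credential" is broadcast on every frame the device sends. Second, the password hiding and the Response Authenticator both rest on MD5 and the shared secret, so the switch-to-RADIUS path should be a dedicated management VLAN (or RadSec/IPsec) with a long random secret per NAS.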

Page 15: NAC: The case for MAK!!!

Makerere's NAC is based on Sophos NAC and Sophos NAC Advanced. Sophos NAC Advanced provides comprehensive and easy-to-deploy enterprise-ready network access control (NAC).

It allows administrators to define and centrally manage security policies to identify and isolate all non-compliant, compromised or misconfigured computers accessing the corporate network.

It integrates with existing network infrastructures and security applications from a wide range of vendors.

Page 16: Objectives

• Compliance, e.g. the right software and up-to-date patches
• Monitoring and reporting
• Increased security and policy deployment
• Management and control, e.g. remote scans, protecting installations from removal, remote policy deployment
• Total security

Page 17: NAC flow scenario

Page 18: Sophos NAC key features

• Detect and fix managed endpoint vulnerabilities
• Make sure guest computers meet your security requirements before they access your network
• Prevent unauthorized computers from accessing the network
• Get standard reporting on endpoint policy compliance
• Available from the Endpoint Protection management console

Page 19: Real-time enforcement of enterprise-wide network access control

• An installed agent provides comprehensive compliance assessment and enforcement of managed computers, both prior to and during a network session.

• A web agent provides comprehensive compliance assessment prior to network access for remote or LAN-based unmanaged computers, or on managed computers when an installed agent is not practical.

• DHCP enforcement protects the network from unauthorised computers connecting to the corporate LAN using the enterprise's existing DHCP infrastructure. It only governs hosts that ask for a lease: a host configured with a static address bypasses it, so it is usually paired with 802.1X or switch ACLs.

• IEEE 802.1X enforcement stops unauthorised computers connecting to the LAN.

• RADIUS enforcement protects the network from non-compliant laptops by providing enforcement prior to opening IPSec, SSL-VPN or wireless connections.

Page 20: Customisable central policy for all computers

An intuitive web interface offers extensive policy-building capabilities, flexible enforcement control and extensive reporting and alerting features.

Administrators can define and manage unique policies for detecting operating system patches, security applications and signature updates across all computers. Scans can check for installation, last engine scan date/time, signature file date/time, whether the detection processes are running, real-time protection status, and version/value.

Administrators can choose whether unauthorised or non-compliant computers are isolated, quarantined for remediation, automatically remediated, or only generate alerts.

Policies can be customised to ensure no unwanted applications are run.

A customisable landing page provides immediate, easy-to-view NAC compliance statistics. Custom application creation and enforcement enables administrators to respond rapidly to unforeseen threats. Point-and-click contextual operating system patch definitions save administrators hours of configuration time.

Simple, central policy mode control enables enforcement steps to be phased in, from Report Only, through Remediate, to Enforce, avoiding an all-or-nothing approach and providing optimum control and ease of policy deployment during each stage of implementation.
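The four components on pages 9 to 12 and the policy modes on this page together describe one decision function: authenticate first, then weigh the environment, then the compliance posture, and let the mode decide whether a violation is only reported, remediated in place, or enforced. The Python below is an added illustration of that function, not the logic of the Sophos NAC Manager and not code from the original deck. The posture fields follow the checks listed above (installation, signature date, running processes and real-time protection, patches, firewall); the VLAN numbers, the 07:00 to 19:00 remote-access window and the sample requests are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class Posture:
    """Agent-reported facts; field names are this example's own, modelled on the checks above."""
    av_installed: bool
    av_realtime_on: bool
    signature_age_days: int
    missing_critical_patches: int
    firewall_on: bool


@dataclass
class AccessRequest:
    user: Optional[str]         # None: authentication failed or no identity
    role: str                   # "staff", "student" or "guest"
    location: str               # "wired", "wifi" or "vpn"
    when: datetime
    posture: Optional[Posture]  # None: nothing reported (agentless or unmanaged)


@dataclass
class Decision:
    action: str                 # allow | remediate | quarantine | deny
    vlan: int
    reasons: List[str]


# Assumed VLAN plan; the quarantine VLAN reaches only the patch and update servers.
VLAN_PRODUCTION, VLAN_GUEST, VLAN_QUARANTINE, VLAN_DENY = 10, 50, 40, 999
MAX_SIGNATURE_AGE_DAYS = 3
MODES = ("report_only", "remediate", "enforce")


def posture_violations(p: Posture) -> List[str]:
    """Compliance checks; every failed check becomes a reason in the report."""
    found = []
    if not p.av_installed:
        found.append("antivirus not installed")
    else:
        if not p.av_realtime_on:
            found.append("real-time protection disabled")
        if p.signature_age_days > MAX_SIGNATURE_AGE_DAYS:
            found.append(f"signatures {p.signature_age_days} days old")
    if p.missing_critical_patches:
        found.append(f"{p.missing_critical_patches} critical patch(es) missing")
    if not p.firewall_on:
        found.append("client firewall off")
    return found


def environment_violations(req: AccessRequest) -> List[str]:
    """Where from and when: VPN access only between 07:00 and 19:00 (assumed policy)."""
    if req.location == "vpn" and not 7 <= req.when.hour < 19:
        return ["remote access outside permitted hours"]
    return []


def decide(req: AccessRequest, mode: str = "enforce") -> Decision:
    """What you can do = who you are + where you come from + how well you comply.
    mode is the phased roll-out switch: report_only -> remediate -> enforce."""
    # 1. Authenticate: no identity means no network, whatever the mode.
    if req.user is None:
        return Decision("deny", VLAN_DENY, ["authentication failed"])
    if req.role == "guest":  # guests never reach the production VLAN
        return Decision("allow", VLAN_GUEST, ["guest: internet-only VLAN"])
    # 2. Environment and 3. compliance each contribute violations.
    env = environment_violations(req)
    posture = (["no posture report (agentless or unmanaged endpoint)"]
               if req.posture is None else posture_violations(req.posture))
    reasons = env + posture
    if not reasons:
        return Decision("allow", VLAN_PRODUCTION, ["compliant"])
    if mode == "report_only":
        # Phase 1: nothing changes for the user; violations only show up in reports.
        return Decision("allow", VLAN_PRODUCTION, ["report only"] + reasons)
    if env:
        return Decision("deny", VLAN_DENY, reasons)
    if mode == "remediate" and req.posture is not None:
        # Phase 2: stay on the production VLAN while the agent fixes the endpoint.
        return Decision("remediate", VLAN_PRODUCTION, reasons)
    # Phase 3 (or no agent to remediate): restricted VLAN with patch servers only.
    return Decision("quarantine", VLAN_QUARANTINE, reasons)


def demo_requests() -> dict:
    """Constructed sample requests for a Monday morning; not real Makerere data."""
    t = datetime(2013, 5, 6, 10, 30)
    good = Posture(True, True, 1, 0, True)
    stale = Posture(True, True, 10, 2, True)
    return {
        "staff_ok": AccessRequest("stephen", "staff", "wired", t, good),
        "no_auth": AccessRequest(None, "staff", "wired", t, good),
        "staff_stale": AccessRequest("stephen", "staff", "wired", t, stale),
        "printer": AccessRequest("printer-lib-01", "staff", "wired", t, None),
        "guest": AccessRequest("visitor", "guest", "wifi", t, None),
        "night_vpn": AccessRequest("stephen", "staff", "vpn", t.replace(hour=2), good),
    }


if __name__ == "__main__":
    for name, req in demo_requests().items():
        for mode in MODES:
            print(name, mode, decide(req, mode))
```

Running it prints the same request under all three modes, which is the point of a phased roll-out: the stale laptop is merely listed in Report Only, kept on VLAN 10 while the agent updates it in Remediate, and moved to the quarantine VLAN in Enforce. The printer, which cannot run an agent, is quarantined in both Remediate and Enforce, which is why agentless devices need a whitelist or MAC-based rule of their own before enforcement is switched on.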

Page 21: NAC Activities

• Installing NAC and the other software, i.e. the compliance dissolver, the web agent for guests and unmanaged users, the DHCP enforcer and the authentication methods.
• Verifying the NAC URL server address.
• Accessing the NAC Manager: the NAC Manager provides a centralized location for policy definition and endpoint compliance reporting.
• NAC policy customisation.
• Sophos Enterprise configuration and compliance agent deployment.
• Phased deployment: Report Only, Remediate, Enforce.

Page 22: NAC products: Endpoint Security

Fast and effective antivirus: delivers complete protection against today's threats. Protect and manage all your platforms (Windows, OS X, Linux, UNIX and virtualized environments) from a single console. Reduce the risk of data loss and malware infection with built-in control of removable devices such as USB keys, drives and wireless networking devices.

Active application control: control the apps that can cause security, legal, productivity or bandwidth problems. Our unique Active Protection approach means we provide and maintain detection of hundreds of Windows applications so you don't have to.

Threat-aware patch assessment: use our Windows endpoint agent to prioritize the really critical threat-related patches for popular apps, including those from Microsoft, Adobe, Apple and Java.

Page 23: NAC products: Mobile Device Management

We make BYOD easy and affordable with easy-to-implement mobile device management (MDM). It lets you secure and manage all your users' devices: iPhones, iPads, Android, BlackBerry, Windows Phone.

Complete smartphone and tablet control: quickly establish policies for giving access to corporate email and data, lock or wipe lost or stolen devices, and manage apps. Convenient enterprise app store: easily manage apps with your own enterprise app store to publish and push the apps users need while blocking the ones they don't. Lightweight mobile antivirus: protect your users and your data from the growing threat of malicious Android apps. Our Android security app checks for malicious apps and stops them from becoming a problem.

Page 24: NAC products: Web Protection

The web is the number one source of malware and threats, which is why we've integrated advanced web protection into the endpoint agent. You get the best web threat detection and malicious site protection available, wherever users go.

Safe browsing, built-in web security: advanced web threat detection integrated right into the endpoint agent scans for malicious web code at the network layer before it's passed to the browser. Block inappropriate content, web filtering: set a smart surfing policy for the 14 most inappropriate site categories, right from within our console. Policy is enforced on the endpoint, wherever your users go.

Data Protection: your confidential data needs protection, and you've got to prove it's protected to the regulators. With a combination of data control and full-disk encryption, along with granular device control and application control, you can easily implement a comprehensive data protection strategy, all for the same price as your threat protection.

Proven encryption: encryption is quick, easy and proven to secure your sensitive files. If you need full-disk encryption, that's available too as part of our End-user Data Suite. Built-in data control: our unique and simple approach to DLP integrates the scanning for sensitive information into our endpoint engine, making it easy for you to configure, deploy and manage.

Page 25: NAC products: Network Protection

A firewall is an essential component of any network infrastructure. And if you have users on the move, they need business-grade firewall protection that travels with them. At the same time, you can't just let any old computer onto your network. Control who qualifies for access with NAC.

Windows client firewall: our client firewall protects your users from hackers, intrusions and rogue applications calling home. It's centrally managed and integrated into our single Windows endpoint agent. Integrated Network Access Control: our Network Access Control (NAC) checks Windows computers accessing your network to ensure full compliance with your security policies before they join.

Email Protection: your mail server is an equally important part of your infrastructure and a major point of attack for spam and threats. That's why we offer essential protection for your users' email too.

Proven security for Microsoft Exchange: you get the latest email protection for Microsoft Exchange to block spam, viruses, spyware and phishing. It scans all inbound and outbound mail and the Exchange message stores.

Page 26: Demonstrations

What's done: NAC demo, users currently installed, NAC policy templates, NAC products, etc.

Page 27: Shortcomings

• Enforcement is not ready due to the lack of the DHCP enforcer (Windows software), RADIUS and IEEE 802.1X. The DHCP enforcer is supposed to be installed on the DHCP server, which is presently Linux-based.
• Heterogeneous and complex network structure, which affects detection, deployment and enforcement.
• Lack of adequate training, especially in security.
• Lack of enough exposure to best practices.

Page 28: Recommendation and conclusion

• There is a great need to look at internal security, i.e. threats that originate inside the network, not only at the perimeter.
• There is need for capacity building, especially in security, for the systems unit.
• There is need for benchmarking. Everyone must get involved.

Page 29: References

• Sophos documentation: http://www.sophos.com/en-us/support/documentation.aspx
• Network Access Control (good explanation of basic NAC concepts), Wikipedia: http://en.wikipedia.org/wiki/Network_Access_Control
• Joel Snyder, "Network access control vendors pass endpoint security testing: Alcatel-Lucent, Bradford, Enterasys, ForeScout, McAfee go above and beyond", Network World, June 21, 2010: http://www.networkworld.com/reviews/2010/062110-network-access-control-test-end-point.html
• Tutorial: Network Access Control (NAC), Network Computing, July 17, 2007: http://www.networkcomputing.com/data-protection/229607166?pgno=3
• FAQ for Network Admission Control (NAC), Cisco, 2006: http://www.cisco.com/en/US/solutions/ns340/ns394/ns171/ns466/ns617/net_design_guidance0900aecd8040bc84.pdf