Post on 28-Sep-2018
© Siddharta Saha
Downloaded from http://siddhartasaha.weebly.com
1
Executive Summary

In the last quarter of a century the world has seen tremendous growth in IT and IT-enabled services. The IT infrastructure of an organization is among its most precious assets, since today's business processes depend almost entirely on IT. Conventionally the IT infrastructure of an organization comprises desktop clients, servers, storage, printers, networking equipment, IP phones and so on.

As Information Technology has grown, the variety of threats to such valuable assets and data has also increased exponentially. Viruses, hackers and intruders are some of the biggest threats. Luckily there are applications and practices to combat such evils and keep an IT-enabled business process secure. But network administrators and security engineers often find it challenging to secure their infrastructure in spite of having adopted the recommended security norms. This is because such standards are often not implemented to the fullest, or the security appliance is not tuned properly to provide an adequate level of security. Moreover, traditional security practices have many dependencies on the end users. For example, all clients in the network may be loaded with anti-virus software, but the daily updates may be dropped by an ordinary user because he thinks, "it would take a lot of time and I have important work to do". This is a common attitude of end users in almost every organization. It should be remembered at this point that an outdated anti-virus is as bad as having none. The end user in this case has not only made himself vulnerable but brought threats to the entire organization. Moreover, traditional security solutions work on clients that are already connected to the network and have sufficient access to cause trouble in the infrastructure. This situation is very dangerous if the nature of the threat is new to the security system. Such "zero day" attacks may not be prevented by a traditional security system.

IT managers find it very difficult to avoid such situations and to deploy security policies on all the equipment and users across the whole hierarchy.

There are two well-known approaches to address these issues, developed by two major IT giants, Microsoft Corporation and Cisco Systems, which shall be discussed in the following sections.

1) Network Access Protection (NAP) by Microsoft Corporation.
2) Network Admission Control (NAC) by Cisco Systems. (This is also called Network Access Control in some of the literature.)
Index

Introduction ..... 3
Network Access Protection (NAP) ..... 4
Network Access Control (NAC) ..... 7
Case Study ..... 9
Conclusion ..... 13
Reference ..... 14
Introduction

With the number of threats increasing day by day, IT managers often find it very difficult to keep the security level of the connected clients up to the desired level. Even after spending so much on protecting the resources from external sources of attack, it is a big task to secure the network from internal threats. Outdated anti-virus software, unpatched operating systems and the like bring an element of threat to the entire network. Even with a policy and procedure in place, IT managers find it difficult to enforce the policy on the end users.

There are two well-known approaches to address these issues, developed by two major IT giants, Microsoft Corporation and Cisco Systems:

1) Network Access Protection (NAP) by Microsoft Corporation.
2) Network Admission Control (NAC) by Cisco Systems. (This is also called Network Access Control in some of the literature.)

Both technologies implement the same basic philosophy in their own way. Any client is tested against the security policies to find out whether it complies. Only after the client successfully complies with the security standards is it allowed inside the network. Otherwise it may be diverted to a special remediation zone where the security policies are enforced on it to make it safe for the actual IT infrastructure; or the client may be allowed only very limited access to the resources; or access to the network and resources may be outright rejected due to non-compliance.

In the following sections we shall discuss both technologies, their components and the way various policies can be implemented. At the end we shall also document a case study based on one of these technologies.
Network Access Protection (NAP)

Network Access Protection is a new technology developed by Microsoft Corporation to protect the IT assets of an organization from threats caused by loose security policy deployment, such as inadequate restrictions on access to resources, compromised client stations and so on. It also aims to reduce the burden on the security and networking team of the organization, reduce operational cost and increase availability.

The way it works

Components

Depending on the type of enforcement policy the organization chooses to deploy, some or all of the components described below may be installed.

Network Policy Server (NPS): The health check and validation policies are defined on this server. The definition of the policy may differ according to the enforcement type and policy adopted by the organization. The SoH (Statement of Health) sent by each client is validated here. Microsoft Windows Longhorn and above are capable of acting as an NPS. An NPS has the following functional units:
- System Health Validator (SHV) to validate the SoH.
- Active Directory (AD) to store information about the user accounts and their network access profiles.
- Health Policy (HP) to define the exact policy for a specific enforcement plan.
- Admin Server, which takes the actual decision about the fate of the client based on the feedback from the SHV.
NAP Agent:

Remediation Server (RS): A Remediation Server offers limited access to a client that has failed to comply with the policy due to an improper SoH. It allows such end devices to download and install the patches and updates required to improve their SoH so that they comply with the policy. An RS may be implemented on a single server or a group of servers and may have the following components:
- DNS server
- Proxy server (allowing web access only to the Microsoft and anti-virus sites)
- A local anti-virus update mirror inside the intranet.

Enforcement options
Network Access Control by Cisco Systems

NAC essentially has the same philosophy as NAP: "do not allow any device to enter the network unless it complies with the security policy of the organization". The architecture and implementation are also somewhat similar. But NAC may define not only who is given access but also how the client is able to access the network. It addresses the requirements of an organization by offering the following features.

Role based access control:

Guest Access: It provides access policy definitions and access restrictions for guest users. For example, when a manager comes from a business partner, he should be allowed internet access after a health check.

Client device security enforcement: Any device should qualify as per the security policy of the organization before it is granted access to the network.

Remediation: Helps non-compliant clients to improve their health status so that they qualify to enter the network.

Control of peripheral and non-PC devices:
Components of NAC

Depending on the policy adopted by the organization, a NAC deployment may have some or all of the following components.

NAC Server: It is the heart of the NAC environment. It performs the device health checks and enforces the policy laid down by the administrator on the end devices. It can be deployed at L2 (locally) or at L3 (globally) in the network.

NAC Manager: It manages the NAC Server and provides a web-based user interface for the administrator to create and manage NAC policies. It also allows user management, such as creating role-based policies and user authentication.
Case Study

Pinnacle School of Business Management (PSBM) is a top-notch institution for business studies. Each year a large number of students enrol for both residential and part-time courses on various topics of business management. It also offers distance-learning e-courses to students who cannot attend the classroom. The school has full WiFi coverage inside the campus, including the hostels.

Students access various course materials using laptops and tablets. Residential students use their laptops in classrooms and dormitories, and the evening students also bring their laptops to the campus. Both groups of users access the online digital library, which has a wide range of books and other electronic study materials. Students of the distance-learning courses connect to the e-learning server through IPsec and also access the digital library.

Concerns:
- Though the IT team offers to install anti-virus software on the laptops of resident users free of cost, some of them do not install it, thinking it would make the laptop slow.
- Many students turn off the regular updates because they may slow their surfing speed.
- Students often do not scan removable media because they are "in a hurry".
- Evening students bring their laptops, which they also use at home and on their office networks, and do not update the OS patches and anti-virus.
- Remote students also access the network by IPsec, but there is no control over their sanity in terms of viruses and Trojans.

All such users create a lot of problems in the network. Even after spending a huge amount on the firewall and anti-virus software, the network administrator of PSBM cannot rest in peace. The clients with outdated anti-virus, missing OS patches and other security holes are not only compromising their own security but also putting the network and other IT resources at stake.
In one recent incident a laptop belonging to a student from the Marketing Dept. was infected by a "MAC spoofing" virus. It spoofed the gateway address and diverted all outbound traffic to itself. All traffic to the internet stopped. The IT staff found it a Herculean task to identify and remove the culprit. It was found that the anti-virus would have easily removed the virus, but the anti-virus definitions on the laptop had not been updated for the last 2 months!
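The symptom described in this incident, another station answering for the gateway's address so that outbound traffic is diverted to it, is visible on the wire as ARP replies for the gateway IP carrying the wrong MAC. The following is an added example (not code from the report or from PSBM's IT team) of a small detector over such replies; the tcpdump-like log format, the addresses and the MACs are all constructed, and in practice the gateway's true MAC would be learned from the router itself.

```python
"""Detect a spoofed default gateway from ARP replies (added example; not code from the report).

One cheap network-side check for the incident described above: watch ARP replies
and alert when the gateway IP is claimed by a MAC other than the router's known one,
then map the foreign MAC back to the station that announced it for its own IP.
The log format (tcpdump-like), addresses and MACs are all constructed.
"""
import re
from typing import List, Tuple

# Matches lines such as "10:15:01.000 ARP, Reply 10.20.0.1 is-at 00:1a:2b:3c:4d:5e" (constructed format)
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)

# Constructed capture: the real router answers, an ordinary host answers for itself,
# then the same host starts answering for the gateway address.
SAMPLE_LOG = """\
10:15:01.000 ARP, Reply 10.20.0.1 is-at 00:1a:2b:3c:4d:5e
10:15:01.250 ARP, Reply 10.20.0.57 is-at 00:aa:bb:cc:dd:01
10:15:02.100 ARP, Reply 10.20.0.1 is-at 00:aa:bb:cc:dd:01
10:15:02.400 ARP, Reply 10.20.0.1 is-at 00:aa:bb:cc:dd:01
"""

GATEWAY_IP = "10.20.0.1"           # constructed
GATEWAY_MAC = "00:1a:2b:3c:4d:5e"  # constructed; in practice learned from the router itself

Reply = Tuple[str, str, str]  # (timestamp, ip, mac)


def parse_arp_replies(text: str) -> List[Reply]:
    """Extract (timestamp, ip, mac) from each ARP reply line; other lines are ignored."""
    replies: List[Reply] = []
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            replies.append((m["ts"], m["ip"], m["mac"].lower()))
    return replies


def detect_gateway_spoof(replies: List[Reply], gateway_ip: str, gateway_mac: str) -> List[Tuple[str, str]]:
    """Return (timestamp, foreign_mac) for every reply claiming the gateway IP with the wrong MAC."""
    expected = gateway_mac.lower()
    return [(ts, mac) for ts, ip, mac in replies if ip == gateway_ip and mac != expected]


def suspected_hosts(replies: List[Reply], alerts: List[Tuple[str, str]], gateway_ip: str) -> List[str]:
    """Map each foreign MAC back to the IP(s) it announced for itself, to locate the offending station."""
    foreign = {mac for _, mac in alerts}
    return sorted({ip for _, ip, mac in replies if mac in foreign and ip != gateway_ip})


if __name__ == "__main__":
    replies = parse_arp_replies(SAMPLE_LOG)
    alerts = detect_gateway_spoof(replies, GATEWAY_IP, GATEWAY_MAC)
    for ts, mac in alerts:
        print(f"{ts}: gateway {GATEWAY_IP} claimed by {mac}")
    print("suspected station(s):", suspected_hosts(replies, alerts, GATEWAY_IP))
```

Run against the constructed capture, the detector flags the two replies at 10:15:02 and points at 10.20.0.57 as the station to pull off the network, which is the identification step the IT staff found so laborious by hand.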
Solution

The dean of PSBM decided to enforce the security policy on all clients that want to access the IT resources of the school. The message was loud and clear: "NO COMPLIANCE, NO ACCESS". The IT team of PSBM came up with a solution to deploy Microsoft NAP in their network. They selected NAP instead of Cisco NAC for two reasons. First, the network of PSBM has equipment not only from Cisco but from other vendors as well. Second, the existing servers of the school are running on Windows Server 2008™, so the deployment of NAP would be easy and time-saving.

Policy and Enforcement.
The way the systems work at PSBM

IPsec Enforcement

802.1x Enforcement

1) The NAP agent on the laptop/tablet sends a request for access to the 802.1x access point, along with the SoH.
2) The SoH is validated against the health policy (HP) at the NPS.
3) If the client complies with the policy, it is allowed to access the network and resources as per the user roles and privileges defined in Active Directory.
4) All non-compliant clients are sent to the remediation zone.
5) The remediation zone has a DNS server and a proxy server. The proxy server allows the clients limited web access (only to the websites of major anti-virus vendors, Microsoft, Apple etc.) so that they can improve their SoH.
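The admission flow above, and the three outcomes the Introduction lists (full access, remediation zone or limited access, outright rejection), can be made concrete in a short simulation. The following is an added example, not code from the report and not Microsoft's NAP implementation: it models the NAP agent's Statement of Health as a small record, the SHV as a check of each item against the Health Policy, and the admin decision as a mapping to FULL, REMEDIATION or DENY, with the remediation zone's proxy allowlist standing in for the limited web access. The SoH fields, the policy thresholds, the role-to-resource mapping and the allowlisted hostnames are all assumptions chosen for illustration.

```python
"""NAP-style admission decision, simulated (added example; not code from the report or from Microsoft NAP).

Flow modelled: the NAP agent sends a Statement of Health (SoH); the System Health
Validator (SHV) checks it against the Health Policy; the admin decision grants full
access per the user's role, diverts to the remediation zone, or denies access.
All field names, thresholds, roles and hostnames are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Health Policy thresholds (assumed values, not from the report)
MAX_SIGNATURE_AGE_DAYS = 7   # anti-virus definitions older than this fail the check
MAX_MISSING_PATCHES = 0      # any missing OS patch fails the check

# Network access profiles per role, standing in for what Active Directory would define (constructed)
ROLE_RESOURCES: Dict[str, List[str]] = {
    "student": ["digital-library", "e-learning"],
    "staff": ["digital-library", "e-learning", "admin-share"],
    "guest": ["internet"],
}

# Remediation-zone proxy allowlist: the report names only "major anti virus vendors,
# Microsoft, Apple"; these hostnames are constructed placeholders.
REMEDIATION_ALLOWLIST = {
    "update.microsoft.example",
    "swscan.apple.example",
    "av-mirror.intranet.example",
}


@dataclass
class StatementOfHealth:
    """What the NAP agent reports about the client (assumed fields)."""
    client_id: str
    antivirus_installed: bool
    signature_age_days: int
    firewall_enabled: bool
    missing_patches: int


@dataclass
class ValidationResult:
    compliant: bool
    failures: List[str] = field(default_factory=list)


def validate_soh(soh: StatementOfHealth) -> ValidationResult:
    """SHV: compare each SoH item with the Health Policy and collect every failure."""
    failures: List[str] = []
    if not soh.antivirus_installed:
        failures.append("anti-virus not installed")
    elif soh.signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        failures.append(f"anti-virus definitions {soh.signature_age_days} days old")
    if not soh.firewall_enabled:
        failures.append("host firewall disabled")
    if soh.missing_patches > MAX_MISSING_PATCHES:
        failures.append(f"{soh.missing_patches} OS patch(es) missing")
    return ValidationResult(compliant=not failures, failures=failures)


def admission_decision(soh: StatementOfHealth, role: str,
                       remediation_enabled: bool = True) -> Tuple[str, List[str], List[str]]:
    """Admin decision: ("FULL" | "REMEDIATION" | "DENY", reachable resources, failure reasons)."""
    result = validate_soh(soh)
    if result.compliant:
        return "FULL", list(ROLE_RESOURCES.get(role, [])), []
    if remediation_enabled:
        # Limited access only: the remediation zone's DNS and allowlisted update sites.
        return "REMEDIATION", sorted(REMEDIATION_ALLOWLIST), result.failures
    return "DENY", [], result.failures


def proxy_allows(host: str) -> bool:
    """Remediation-zone proxy rule: only allowlisted update sites are reachable."""
    return host.lower() in REMEDIATION_ALLOWLIST


if __name__ == "__main__":
    healthy = StatementOfHealth("lab-01", True, 1, True, 0)
    stale = StatementOfHealth("mkt-17", True, 60, True, 3)  # definitions two months old, like the incident
    print(admission_decision(healthy, "student"))
    print(admission_decision(stale, "student"))
    print(admission_decision(stale, "student", remediation_enabled=False))
```

Note that the laptop from the incident (definitions two months old) lands in REMEDIATION rather than on the network, which is the whole point of the "NO COMPLIANCE, NO ACCESS" rule: the check happens before the client is trusted, not after it has already started misbehaving. Real NAP evaluates far more than these four items and the SHV/policy are configured on the NPS rather than written in code, but the decision structure is the same.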
Components used:

Results:

The results are quite stunning: the incidents of virus and worm spread inside the network have reduced by 97%. Now the students are more careful about OS, anti-virus and other security updates, because they have clearly understood "NO COMPLIANCE, NO ACCESS".
Conclusion

Traditional security solutions work on clients that are already connected to the network and have sufficient access to cause trouble in the infrastructure. This situation is very dangerous if the nature of the threat is new to the security system. Such "zero day" attacks may not be prevented by a traditional security system. IT managers find it very difficult to avoid such situations and to deploy security policies on all the equipment and users across the whole hierarchy.

Microsoft Network Access Protection and Cisco Network Admission Control are a new breed of security enforcement system which eliminates many problems of traditional security systems. Having either or both of these systems inside an enterprise network does not eliminate the necessity of a traditional firewall or anti-virus; rather, they enforce end users' adherence to the policies and norms laid down by the network administrator.