
NAC – creating the inherently secure cross platform network

Upload: ipexpo-online

Post on 20-Jun-2015


TRANSCRIPT

Page 1: W&M 2009 – NAC – creating the inherently secure cross platform network

NAC – creating the inherently secure cross platform network

Page 2

Who are we?

• Identity Management / Network Access Control
• Wired and Wireless (incl. RFID / RTLS)
• Security and Compliance Solutions
• Designing, Implementing and Supporting LAN/WAN
• Security / Health / Vulnerability Audits
• Data and Voice (VoIP) Solutions
• Fully Managed Services (24x7x365)
• BS7799 / ISO 27001 Compliance
• Network Management and Monitoring
• Bespoke and Tailored Services
• Training (Manufacturer & Bespoke)

Page 3

NAC – creating the inherently secure cross platform network

What does that mean?

Page 4

Anyone know what this is?

NAC Version 1

Lockdown Network – Power off at 18:00

Open Network – Power on at 09:00

Page 5

“They say NAC is”

Goal of NAC
• Limit access to network resources based on a user’s business needs and the real-time security risk of the user or networked device

Components of NAC
• Assess Identity: sets access privileges based on dynamic user-centric criteria so that policies move with the user and are not bound to specific ports or hardware
• Ensure Compliance: ensures that all communications are authenticated, authorized, and free from viruses, worms, and malware
• Enforce Policy: allows entry by only valid users, and quarantines/remediates unauthorized and/or harmful devices on the basis of stateful-firewall roles

Page 6

In Reality NAC Solutions are

Page 7

In Reality it’s

• Very difficult to prevent staff from plugging in their own devices, especially in multi-site environments
• About audits / compliance: presenting network information, i.e. devices or users, where they are, when they were on, are they authorised? Do they connect wired and wireless?
• Difficult to allow temporary access for guests, visitors and contractors
• Difficult to solve: traditionally you need independent solutions on wired & wireless networks = multiple platforms to manage/support = increased support / maintenance costs = inefficiency in resolving problems!

Page 8

Business needs to be easier not harder

Devices HAVE to connect easily

Networks must be SECURE by design

Users have to be able to use their systems

Access has to be FLEXIBLE

NAC should be about improving resource access

Page 9

Anywhere, Anyhow, Anyone

Imagine a world:
• Any device can connect to any wired port on your network
• Any device can connect to your wireless network
• Irrespective of whether it belongs to staff / visitor
• The device and user is identified and authorised
• The device can be checked it is safe to connect
• The user and device are given the relevant access
• Details of the device and user access is logged
• You can find and control every device & user across your network

Page 10

More than NAC

• Corporate Network: easy for wired / wireless users to connect; auto provision of printers, CCTV, servers, scanners, VoIP
• Reception / Department Mgrs: can create temp users and allocate roles (i.e. Contractor / Visitor etc.)
• IT Dept: full visibility of network devices & users; the ability to delegate some tasks
• Security Team: confidence the network is secure
• Audit and Compliance: full audit trail
• Unwanted Users / Devices

Page 11

It’s about

VISIBILITY
• Automatically identify and track ‘every’ device on wired / wireless networks
• Automatic inventory of what has been and is on your network
• Automatically scan devices for compliance

CONTROL
• Automatically block, alert and record unauthorised access attempts
• Automatically register devices by department (if allowed)
• Automatically register devices if they meet a “confidence” level
• Automatically enforce ‘global’ or department policies
• Enable ‘guest’ access without compromising security

AUDIT
• Real-time & historical audit of ‘ALL’ activity
• Audit & regulatory compliance (PCI, CoCo, etc.)

Page 12

100% Out of Band Architecture

Page 13

The Bradford Networks Product Range

Page 14

Licensing

There are various elements available for licensing: you can buy limited functionality and build up to a full NAC product.

A brief summary is shown below. Columns: Functionality | Full NAC | NAC Lite | User Tracking | GCS

• Register Devices (Limited)
• Custom Device Option
• Authenticate Users (Limited)
• Policy Scan (Limited)
• Dissolvable Agent
• Persistent Agent
• Track Devices
• Track Users
• Enable/Disable Devices
• Connection Audit Trail
• Guest / Conference Service
• 3rd Party Security Integration

Page 15

Unmatched Interoperability

Interoperability with over 300 models of networking equipment from 20 leading vendors

Page 16

Quick Status

Page 17

Client View

Seven points of identity

Filter returns 44 clients out of a total of 475

Data can be exported to .csv

Page 18

Guests and Conferences

IT Staff Employee “Sponsors” Visiting Users: the IT Manager can empower non-technical employees to set up network access for specific visiting users.

Roles shown: IT Manager, Department Manager, Contractor User, Receptionist, Guest User, Multi-User Conference

Sponsor for: • Contractors

Sponsor for: • Guests • Conferences

Page 19

Automate Network Provision

• Simple discovery mechanism
• Multiple profiling parameters to establish type of device
• Automated control actions per device type

Page 20

Confidence = Network Access

• Network service by device type
• Multiple edge control options (Role/VLAN, Port Location, Port CLI/ACLs, etc.)
• Device without a matching profile kept off the network

Page 21

Workflow

• Visibility, tracking and access control rights passed down to functional groups
• Automated access rules defined in device templates help maintain IT control

Page 22

Example: Adding a Printer

Page 23

Setting Confidence

Page 24

Visibility

Rogue Device Plugged into Switch Port

SWITCH VIEW

Rogue device could be a person’s own laptop, a NAT device (wireless / wired router), a printer, ANYTHING

Page 25

Control

EMAIL ALARM

Email alert with full details of alarm: Rogue Device Detected; MAC address, IP address, time, date, location

Email alarms fully customisable (“Rogue Connected”)

Email sent to groups, individuals etc.

Page 26

Auto-Enforcement

Rogue Device Immediately Disabled / Removed from Network

SWITCH VIEW

LOCKING DOWN & SECURING YOUR NETWORKS

Page 27

Audit

EVENT VIEW

“Rogue Connection” Event Recorded

Search in real-time and historically
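The profiling-by-confidence decision of pages 19 to 20 and the detect / alert / disable / record sequence of pages 24 to 27, modelled as an added example in Python; this is not Bradford Networks or Khipu code, and the profile parameters, VLAN names, registered MACs and the confidence threshold of 1.0 are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Connection:
    """What the out-of-band system learns when a device appears on a switch port."""
    mac: str
    ip: str
    location: str          # e.g. "sw-fleet-01 port 12"
    dhcp_vendor: str = ""  # DHCP vendor class: one of the profiling parameters


# Registered devices (constructed): MAC -> role/VLAN that follows the device.
REGISTERED = {"00:50:56:aa:bb:cc": "STAFF", "00:11:22:33:44:55": "PRINTERS"}

# Device templates (constructed): profiling parameters plus the automated action on a match.
PROFILES = {
    "printer": {"oui": "00:11:22", "dhcp_vendor": "PrintCo", "vlan": "PRINTERS"},
    "voip": {"oui": "00:aa:bb", "dhcp_vendor": "VoIPPhone", "vlan": "VOICE"},
}
# Assumption: a device is auto-registered only when every profiling parameter matches.
CONFIDENCE_THRESHOLD = 1.0


def confidence(conn: Connection, profile: dict) -> float:
    """Fraction of profiling parameters that match: the slides' 'confidence level'."""
    checks = [conn.mac[:8].lower() == profile["oui"],
              conn.dhcp_vendor == profile["dhcp_vendor"]]
    return sum(checks) / len(checks)


def decide(conn: Connection, registered: dict, audit: list) -> dict:
    """Visibility -> control -> auto-enforcement -> audit for one connection event."""
    if conn.mac in registered:  # known device: its role moves with it, not the port
        action = {"action": "allow", "vlan": registered[conn.mac], "reason": "registered"}
    else:
        scores = {name: confidence(conn, prof) for name, prof in PROFILES.items()}
        best = max(scores, key=scores.get)
        if scores[best] >= CONFIDENCE_THRESHOLD:  # matching template: auto-register it
            registered[conn.mac] = PROFILES[best]["vlan"]
            action = {"action": "allow", "vlan": registered[conn.mac], "reason": f"profile {best}"}
        else:  # no matching profile: alert and keep the device off the network
            action = {"action": "disable_port", "vlan": None, "reason": "rogue",
                      "alert": f"Rogue Device Detected: {conn.mac} {conn.ip} at {conn.location}"}
    event = "Rogue Connection" if action["reason"] == "rogue" else "Connection"
    audit.append({"event": event, "mac": conn.mac, "location": conn.location, **action})
    return action
```

The audit list is what the "Event View" on page 27 would search; a real deployment would take the connection data from the switch via SNMP or syslog rather than constructing it inline.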

Page 28

Future NAC

Trusted Network Connect

Microsoft NAP

Bradford Networks

Page 29

Microsoft Vista NAP (diagram; labels: DHCP, RADIUS, RADIUS)

Page 30

Trusted Network Connect (TNC) Architecture

Page 31

KEY FEATURES “More than NAC”

• Full visibility of entire network (all sites) and connected devices
• Real-time and historical audit trail
• Security and control: block unknown / unauthorised ‘rogues’
• Distributed and automated device management
• Foundation to build a full Network Access Control architecture:
  – End point policy enforcement (client-less / client scanning)
  – Allow secure guest / visitor access
  – Remote scan: check device before arrival

Page 32

KEY BENEFITS “Minimal Impact”

• Fits ‘ANY’ network design: network independent (wired or wireless)
• “Out of Band” (not “In-Line”) solution:
  – NO network re-design
  – NO single point of failure
  – NO network downtime during implementation
  – Phased roll out: granular, port by port
• Client-less policy enforcement
• Scalable: one system secures up to 12,000 devices, across multiple sites
• Cost effective and ‘proven’ solution: over 600 customers worldwide, 100 UK & Ireland

Page 33

“Why customers buy”

• GOVERNMENT ORGANISATION (CANNOT BE NAMED BUT REFERENCE AVAILABLE)

• PROBLEM / REQUIREMENTS
  – Required visibility of all remote sites (7 across the UK)
  – Unauthorised network access forbidden but not easily enforced
  – Complex to secure different vendor devices (including hubs)
  – Roaming staff / devices needed to be controlled / VLAN’d off
  – Solution MUST not disrupt network / users

• KHIPU’S SOLUTION
  – Single central system, securing all remote devices
  – Phased and controlled roll out with NO downtime
  – Prevents ‘rogue’ device access
  – Manages devices by switching them into appropriate VLANs
  – Completely ‘locked down’ network

Page 34

Questions and Answers

Come and see us at stand 1816

Khipu Networks Limited
Infineon House
Minley Road
Fleet
Hampshire GU51 2RD
United Kingdom

T: +44 (0) 845 2720900
http://www.khipu-networks.com

We should probably talk!