Protecting Network Assets

Slides:

Advertisements

Similar presentations

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.

Advertisements

5-Network Defenses Dr. John P. Abraham Professor UTPA.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

SALSA-NetAuth SALSA-FWNA BoF Kevin Miller Duke University Internet2 Member Meeting May 2005.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.

The State of Security Management By Jim Reavis January 2003.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

Security and Policy Enforcement Mark Gibson Dave Northey

Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.

© 2003, Cisco Systems, Inc. All rights reserved _07_2003_Richardson_c11 Security Strategy Update Self Defending Network Initiative Network Admission.

Network Architecture for Automatic Security and Policy Enforcement Internet2 Members Meeting Fall 2005 Eric Gauthier ~ Boston University Kevin Amorin ~

Office of Information Technologies CAMP: Bridging Security and Identity Management Christopher Misra 14 February 2008 Tempe, AZ Protecting Network Assets.

CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Website Hardening HUIT IT Security | Sep

Windows 2003 and 802.1x Secure Wireless Deployments.

Chapter 6 Configuring, Monitoring & Troubleshooting IPsec

Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

1 Network Admission Control to WLAN at WIT Presented by: Aidan McGrath B.Sc. M.A.

Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net 1 Open Standards for Network Access Control Trusted Network Connect.

1 Week #7 Network Access Protection Overview of Network Access Protection How NAP Works Configuring NAP Monitoring and Troubleshooting NAP.

1. Windows Vista Enterprise And Mid-Market User Scenarios 2. Customer Profiling And Segmentation Tools 3. Windows Vista Business Value And Infrastructure.

Selecting the Right Network Access Protection Architecture

Hands-On Microsoft Windows Server Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

70-411: Administering Windows Server 2012

Implementing Network Access Protection

SALSA-FWNA Activity Update Kevin Miller Duke University Internet2 Member Meeting May 2005.

SALSA-NetAuth Joint Techs Vancouver, BC July 2005.

Module 14: Configuring Server Security Compliance

OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

Chapter 6 of the Executive Guide manual Technology.

Module 9: Configuring IPsec. Module Overview Overview of IPsec Configuring Connection Security Rules Configuring IPsec NAP Enforcement.

OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

Module 8: Configuring Network Access Protection

Module 9: Designing Network Access Protection. Scenarios for Implementing NAP Verifying the health of: Roaming laptops Desktop computers Visiting laptops.

Network and Perimeter Security Paula Kiernan Senior Consultant Ward Solutions.

1 Improving Security Through Automated Policy Compliance Christopher Stevens Director of Network and Technical Services Lewis & Clark College Educause.

Welcome Windows Server 2008 安全功能 -NAP. Network Access Protection in Windows Server 2008.

Module 14: Securing Windows Server Overview Introduction to Securing Servers Implementing Core Server Security Hardening Servers Microsoft Baseline.

Configuring Network Access Protection

1 Week #5 Routing and NAT Network Overview Configuring Routing Configuring Network Address Translation Troubleshooting Routing and Remote Access.

Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

Module 6: Network Policies and Access Protection.

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

IS3220 Information Technology Infrastructure Security

Module 5: Network Policies and Access Protection

Kevin Watson and Ammar Ammar IT Asset Visibility.

REMOTE MANAGEMENT OF SYSTEM

Network Admission Control: A Survey of Approaches Educause 2008

D-Link Wireless AP with NAP 802.1x solution

Module 8: Networking Services

Implementing Network Access Protection

Control system network security issues and recommendations

EA C451 Vishal Gupta.

Security in Networking

IS4550 Security Policies and Implementation

IS4680 Security Auditing for Compliance

Contact Center Security Strategies

Security and identity (Network Access Protection, Parental Controls)

Intel Active Management Technology

Network Access Control

Designing IIS Security (IIS – Internet Information Service)

SCCM in hybrid world Predrag Jelesijević Microsoft 7/6/ :17 AM

Presentation transcript:

Protecting Network Assets CAMP: Bridging Security and Identity Management Christopher Misra 14 February 2008 Tempe, AZ

Agenda- DRAFT, needs to be updates Automated Security and Policy Enforcement History New Challenges Background/Roles of: NAC IdM Network Segmentation What might we do? Firewall traversal Grid case Standards

Session Abstract Can IAM be helpful in managing network intrusions and access policies? Can IAM correctly correlate identity to an endpoint device by combining network registration and personal identification? Can coupling network capabilities and IAM replace the use of IP addresses as the criterion for access with identity, roles, and related attributes? This session will explore these questions and how one can identify the person behind the device or address.

Managing Network Intrusions? Initial NAC deployments were not driven by architectural decisions Large numbers of unmanaged systems connected to campus network Primarily in residence halls Battle scars from Code Red, Nimda, and Blaster However, we did leverage campus IAM successfully And we effectively created a device registry Even if we didn’t integrate this data with our IAM

How we got here…or, before NAC was cool… Why “Automate Security and Policy Enforcement”? From the SALSA-Netauth document Strategies for Automating Network Policy Enforcement: “(A) major security challenge facing university residential networks and other large-scale end-user networks is the thousands of privately owned and unmanaged computers directly connected to an institution's relatively open, high-speed Internet connections. Security policy enforcement is often lax due to a lack of central control over end-user computers and an inability to tie the actions of these computers to particular individuals. A few times a year there are surge events, including the predictable start of each semester and the unpredictable and increasingly frequent reactions to large-scale security incidents, that require massive support intervention.

Even though it wasn’t cool, we implemented NAC

And here we are…I guess NAC is cool now.. Network Access Control: Vendor Definitions “Using the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources” – Cisco “…combines user identity and device security state information with network location information, to create a unique access control policy…“ - Juniper

Why did we implement NAC systems? Only automated approaches can scale and respond rapidly to large-scale incidents. Preventative policy enforcement reduces risk: overall number of security vulnerabilities the success of any particular attack technique. Automated remediation systems have a positive impact on a large number of hosts with a relatively small time investment from computing staff.

Network Access Control Higher education created many early systems of what is now termed NAC (Network Access Control) Southwestern Netreg, CMU Netreg, Packetfence, others Currently there are many commercial offerings in the space 30+ vendors at last count Major deployments by Cisco, Microsoft, Juniper and others Content Slide

Network Access Control in Higher Ed Characteristics of higher ed networks lead to unique challenges Large numbers of unmanaged systems connected to campus network Residence halls Heterogeneous computing base Frequently no ubiquitous administration structure Complex network Use Cases

Network Access Control in Higher Ed Associating a device with an identity Is the user a member of the campus community? Leveraging campus IdM Determining a host’s posture Is the host compliant with local policy? Measuring device state against campus IT security standards Role-based network assignment What network perimeter is appropriate for this host? vLAN, subnet, firewalls, ids

NAC Basics Registration options include: Enforcement types include: Open DHCP (“free love”) DHCP with MAC registration (“netreg”) Web middlebox (“portal”) 802.1x (“supplicant”) Enforcement types include: vLAN isolation/DHCP scope isolation Network-based firewall/Host-based filters Class of Service (rate limit)

NAC: Posture assessment Original implementations used active network-based scanning Windows XP SP2 rained on this parade But security staff didn’t compliance Many sites migrated to client-based posture assessment Running code on endpoints to validate compliance Could be implemented in the 802.1x supplicant

NAC is Complicated

Federations have a role here also Enable members of one institution to authenticate to the wireless network at another institution using their home credentials E,g, eduroam which stands for Education Roaming, is a RADIUS-based infrastructure that uses 802.1X security technology to allow for inter-institutional roaming. “Being part of eduroam allows users visiting another institution connected to eduroam to log on to the WLAN using the same credentials(username and password) the user would use if he were at his home institution. “ Effectively need to achieve identity discovery Also applicable to Grid environments

Correlating identity to device to privilege We’ve done a pretty effective job so far But the drivers were not traditional IAM drivers Can we assign a meaningful Level of Assurance to this correlation? Not so sure. Are we willing to use this correlation to grant privileges? Dynamic vLAN assignments? Firewall traversal capabiltiies?

Correlating identity to device to privilege We need to understand the relationship between user identity, device identity, and host integrity (posture) This is complicated further in a federated environment Does (user + device) == privilege? What about users with multiple roles? Is this a network, security, or idm problem? D) All of the above Perhaps we need to step back and take an architectural view of this…

Drivers for NAC standards Community desire for interoperable components Heterogeneous campus environment Modular network architecture Ability to use commercial and open source components Vendor-made switches Open-source registration and remediation

NAC Standards space Trusted Computing Group Vendor ‘standards’ Trusted Network Connect Vendor ‘standards’ Cisco NAC Microsoft NAP IETF NEA Chartered only for client-server protocols