W&M 2009 – NAC – creating the inherently secure cross platform network


1. NAC – creating the inherently secure cross platform network

2. Who are we?
  • Identity Management / Network Access Control
  • Wired and Wireless (incl. RFID / RTLS)
  • Security and Compliance Solutions
  • Designing, implementing and supporting LAN/WAN
  • Security / Health / Vulnerability Audits
  • Training (manufacturer & bespoke)
  • Data and Voice (VoIP) Solutions
  • Fully Managed Services (24x7x365)
  • BS7799 / ISO 27001 Compliance
  • Network Management and Monitoring
  • Bespoke and Tailored Services

3. NAC – creating the inherently secure cross platform network
  What does that mean?

4. Anyone know what this is?
  NAC Version 1
  Lockdown Network – power off at 18:00
  Open Network – power on at 09:00

5. "They say NAC is"
  Goal of NAC: limit access to network resources based on a user's business needs and the real-time security risk of the user or networked device.
  Components of NAC:
  • Assess Identity: sets access privileges based on dynamic user-centric criteria so that policies move with the user and are not bound to specific ports or hardware
  • Ensure Compliance: ensures that all communications are authenticated, authorized, and free from viruses, worms, and malware
  • Enforce Policy: allows entry by only valid users, and quarantines/remediates unauthorized and/or harmful devices on the basis of stateful-firewall roles

6. In reality NAC solutions are ...

7. In reality it's
  • Very difficult to prevent staff from plugging in their own devices, especially in multi-site environments
  • About audits / compliance: presenting network information, i.e. devices or users, where they are, when they were on, are they authorised?
  • Do they connect wired and wireless?
  • Difficult to allow temporary access for guests, visitors and contractors
  • Difficult to solve; traditionally you need:
  • Independent solutions on wired & wireless networks =
  • Multiple platforms to manage/support =
  • Increased support / maintenance costs =
  • Inefficiency in resolving problems!

8. Business needs to be easier, not harder
  Devices HAVE to connect easily
  Networks must be SECURE by design
  Users have to be able to use their systems
  Access has to be FLEXIBLE
  NAC should be about improving resource access

9. Anywhere, Anyhow, Anyone
  Imagine a world where:
  • Any device can connect to any wired port on your network
  • Any device can connect to your wireless network
  • Irrespective of whether it belongs to staff or a visitor
  • The device and user are identified and authorised
  • The device can be checked to confirm it is safe to connect
  • The user and device are given the relevant access
  • Details of the device and user access are logged
  • You can find and control every device & user across your network

10. More than NAC
  Corporate Network: easy for wired / wireless users to connect; auto provision of printers, CCTV, servers, scanners, VoIP
  Security Team: confidence the network is secure
  IT Dept: full visibility of network devices & users, and the ability to delegate some tasks
  Unwanted Users / Devices
  Reception / Department Managers: can create temporary users and allocate roles (i.e. Contractor / Visitor etc.)
  Audit and Compliance: full audit trail

11. It's about
  VISIBILITY
  • Automatically identify and track 'every' device on wired / wireless networks
  • Automatic inventory of what has been and is on your network
  • Automatically scan devices for compliance
  CONTROL
  • Automatically block, alert and record unauthorised access attempts
  • Automatically register devices by department (if allowed)
  • Automatically register devices if they meet a "confidence" level
  • Automatically enforce 'global' or department policies
  • Enable 'guest' access without compromising security
  AUDIT
  • Real-time & historical audit of 'ALL' activity
  • Audit & regulatory compliance (PCI, CoCo, etc.)

12. 100% Out of Band Architecture

13. The Bradford Networks Product Range

14. Licensing
  There are various elements available for licensing:
  You can buy limited functionality and build up to a full NAC product.
  A brief summary is shown below –

15. Unmatched Interoperability
  Interoperability with over 300 models of networking equipment from 20 leading vendors

16. Quick Status

17. Client View
  Seven points of identity
  Filter returns 44 clients out of a total of 475
  Data can be exported to .csv

18. Guests and Conferences
  IT Manager can empower non-technical employees to set up network access for specific visiting users.
  Diagram labels: Contractor User; Department Manager; IT Manager; Guest User; Receptionist; Multi-User Conference
  Sponsor for: Contractors
  Sponsor for: Guests, Conferences

19. Automate Network Provision
  • Simple discovery mechanism
  • Multiple profiling parameters to establish type of device
  • Automated control actions per device type

20. Confidence = Network Access
  • Network service by device type
  • Multiple edge control options (Role/VLAN, Port Location, Port CLI/ACLs, etc.)
  • Device without a matching profile kept off the network

21. Workflow
  • Visibility, tracking and access control rights passed down to functional groups
  • Automated access rules defined in device templates help maintain IT control

22. Example: Adding a Printer

23. Setting Confidence

24. Visibility
  SWITCH VIEW
  Rogue device plugged into switch port
  Rogue device could be a person's own laptop, a NAT device (wireless / wired router), a printer – ANYTHING

25. Control
  EMAIL ALARM
  Email alarms fully customisable: "Rogue Connected"
  Email alert with full details of the alarm: Rogue Device Detected; MAC address, IP address, time, date, location
  Email sent to groups, individuals etc.

26. Auto-Enforcement
  SWITCH VIEW
  Rogue device immediately disabled / removed from network
  LOCKING DOWN & SECURING YOUR networks

27. Audit
  EVENT VIEW
  "Rogue Connection" event recorded
  Search in real time and historically
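The discovery, profiling, confidence and rogue-handling workflow of slides 19 to 27, as an added example in Python that is not Bradford Networks or Khipu code: device templates, the confidence threshold, OUI prefixes, DHCP vendor strings and MAC/IP values are all constructed for illustration, and the "port disabled" action is recorded rather than pushed to a real switch.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed device templates (the slides' "multiple profiling parameters"):
# OUI prefix, DHCP vendor string, service ports, and the VLAN the type is placed in.
TEMPLATES = {
    "printer":    {"oui": "00:1b:a9", "dhcp_vendor": "HP JetDirect", "ports": {9100, 631}, "vlan": 40},
    "voip_phone": {"oui": "00:0b:82", "dhcp_vendor": "Grandstream",  "ports": {5060},      "vlan": 50},
}
CONFIDENCE_THRESHOLD = 2   # matching parameters needed before auto-registration (assumed)
QUARANTINE = "port disabled"

@dataclass
class Discovery:
    """What an out-of-band sensor learns about a new MAC seen on an edge port."""
    mac: str
    ip: str
    location: str            # "switch/port"
    dhcp_vendor: str = ""
    ports: set = field(default_factory=set)

def profile(d: Discovery) -> tuple[str, int]:
    """Score every template on each parameter; the best (type, confidence) wins."""
    best = ("unknown", 0)
    for name, t in TEMPLATES.items():
        score = (d.mac.lower().startswith(t["oui"])
                 + (d.dhcp_vendor == t["dhcp_vendor"])
                 + bool(d.ports & t["ports"]))
        if score > best[1]:
            best = (name, score)
    return best

def decide(d: Discovery, registry: dict, events: list, now: datetime) -> dict:
    """Registered MACs keep their VLAN; confidently profiled devices are
    auto-registered; anything else is a rogue: alarm, port disabled, event logged."""
    mac = d.mac.lower()
    if mac in registry:
        return {"action": "allow", "vlan": registry[mac]}
    kind, confidence = profile(d)
    if confidence >= CONFIDENCE_THRESHOLD:
        registry[mac] = TEMPLATES[kind]["vlan"]           # "automatically register"
        return {"action": "register", "type": kind, "vlan": registry[mac]}
    alarm = {"alarm": "Rogue Device Detected", "mac": mac, "ip": d.ip,
             "time": now.strftime("%H:%M:%S"), "date": now.date().isoformat(),
             "location": d.location}
    events.append({"event": "Rogue Connection", **alarm})  # searchable audit trail
    return {"action": QUARANTINE, "alarm": alarm}
```

A single matching parameter (for example only a printer OUI) stays below the threshold, so a device spoofing one attribute is still treated as a rogue.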
28. Microsoft Vista NAP
  Diagram labels: DHCP, RADIUS, RADIUS

29. Trusted Network Connect (TNC) Architecture

30. "More than NAC"
  KEY FEATURES
  • Full visibility of entire network (all sites) and connected devices
  • Real-time and historical audit trail
  • Security and control: block unknown / unauthorised 'rogues'
  • Distributed and automated device management
  • Foundation to build a full Network Access Control architecture:
  • End point policy enforcement (client-less / client scanning)
  • Allow secure guest / visitor access
  • Remote scan – check device before arrival

31. "Minimal Impact"
  KEY BENEFITS
  • Fits 'ANY' network design
  • Network independent (wired or wireless)
  • "Out of band" (not "in-line") solution:
  • NO network re-design
  • NO single point of failure
  • NO network downtime during implementation
  • Phased roll out: granular – port by port
  • Client-less policy enforcement
  • Scalable: one system secures up to 12,000 devices, across multiple sites
  • Cost effective and 'proven' solution: over 600 customers worldwide, 100 in UK & Ireland

32. "Why customers buy"
  GOVERNMENT ORGANISATION (CANNOT BE NAMED BUT REFERENCE AVAILABLE)
  PROBLEM / REQUIREMENTS
  • Required visibility of all remote sites (7 across the UK)
  • Unauthorised network access forbidden but not easily enforced
  • Complex to secure different vendor devices (including hubs)
  • Roaming staff / devices needed to be controlled / VLAN'd off
  • Solution MUST not disrupt network / users
  KHIPU'S SOLUTION
  • Single central system, securing all remote devices
  • Phased and controlled roll out with NO downtime
  • Prevents 'rogue' device access
  • Manages devices by switching them into appropriate VLANs
  • Completely 'locked down' network

33. We should probably talk!
  Questions and Answers
  Come and see us at stand 1816
  T: +44 (0) 845 2720900
  http://www.khipu-networks.com
  Khipu Networks Limited, Infineon House, Minley Road, Fleet, Hampshire GU51 2RD, United Kingdom
