Network Endpoint Assessment (NEA): NEA Server, NEA Client, Posture Broker Client, Posture Collectors (1 .. N), Posture Collector...
Fingerprint – Who, What, When, Where, How: • Single SSID – multiple topologies – multiple solutions • Control traffic; Traffic t...
Purview Everywhere (more than CoreFlow2): available today as a standalone application sensor; Core / data center – CoreFlow S/K ...
Identity and Application Awareness: deep packet inspection, SSL visibility; Application A, Application B, Employee A, Employee B...
Inputs: logs, events, alerts, configuration information, system audit trails, external threat feeds, e-mail and social activity, network ...
Host Integrity—Summary: Microsoft Network Access Protection (NAP)—(9/2006) – open framework—major security vendors ...
SIEM: correlation, logging, compliance, forensics • Maintain an adequate internal control structure • Procedures for fina...
Dynamic Security Policies – Conceptual View: 1. Administrator configures user group policies in Netsite. Policy includes VLAN...
IP Security – Conceptual View (Trusted DHCP): DHCP Server; Endpoint 1: IP 192.168.0.8, Default GW 192.168.0.1, MAC 00:0B:7D:25...
IP Security – Conceptual View (DHCP Snooping): DHCP Server on the trusted port, un-trusted ports; MAC/IP binding 00:0B:7D:25:F7:23 → 192.168.0.8...
IP Security – Conceptual View (Gratuitous ARP Protection): DHCP Server; MAC/IP bindings 00:0B:7D:25:F7:23 → 192.168.0.8, 00:0B:7D:31:AD:F2...
IP Security – Conceptual View (IP Source Lockdown): DHCP Server; MAC/IP bindings 00:0B:7D:25:F7:23 → 192.168.0.8, 00:0B:7D:31:AD:F2 → 192.16...
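The three IP Security views above share one mechanism: a MAC/IP/port binding table learned only from DHCP replies seen on the trusted port, which IP Source Lockdown and Gratuitous ARP Protection then consult. The following added example (not from the deck or from ExtremeXOS) models that behaviour; port names and the second client are constructed, the first binding is the slide's.

```python
from dataclasses import dataclass, field


@dataclass
class Binding:
    mac: str
    ip: str
    port: str   # access port the client was seen on


@dataclass
class SnoopingSwitch:
    trusted_port: str                              # the port facing the DHCP server
    bindings: dict = field(default_factory=dict)   # client MAC -> Binding

    def observe_dhcp_ack(self, ingress_port, client_mac, assigned_ip, client_port):
        """Learn a binding only from DHCP ACKs seen on the trusted port. An ACK
        arriving on an untrusted port is a rogue server's reply and is dropped.
        (Simplification: the client's port is passed in; a real switch records
        it from the client's DISCOVER/REQUEST.)"""
        if ingress_port != self.trusted_port:
            return False
        self.bindings[client_mac] = Binding(client_mac, assigned_ip, client_port)
        return True

    def source_lockdown_permits(self, ingress_port, src_mac, src_ip):
        """IP Source Lockdown: on untrusted ports, forward IP traffic only when
        source MAC, source IP and ingress port all match a learned binding."""
        if ingress_port == self.trusted_port:
            return True
        b = self.bindings.get(src_mac)
        return b is not None and b.ip == src_ip and b.port == ingress_port

    def garp_permits(self, ingress_port, sender_mac, sender_ip):
        """Gratuitous ARP Protection: drop an ARP on an untrusted port whose
        sender IP is bound in the table to a different MAC (the poisoning case).
        An IP with no binding is left alone here; its IP traffic would still be
        dropped by source_lockdown_permits."""
        if ingress_port == self.trusted_port:
            return True
        owner = next((b for b in self.bindings.values() if b.ip == sender_ip), None)
        return owner is None or owner.mac == sender_mac


def demo():
    """Run the slide's binding plus constructed traffic through both checks."""
    sw = SnoopingSwitch(trusted_port="port1")     # assumption: DHCP server on port1
    ep1_mac, ep1_ip = "00:0B:7D:25:F7:23", "192.168.0.8"   # endpoint 1 from the slide
    other_mac = "00:0B:7D:31:AD:F2"                          # second MAC from the slide
    # Legitimate lease for endpoint 1, delivered through the trusted port.
    sw.observe_dhcp_ack("port1", ep1_mac, ep1_ip, "port5")
    # A rogue DHCP ACK arriving on an access port must not create a binding.
    rogue_learned = sw.observe_dhcp_ack("port9", other_mac, "192.168.0.1", "port9")
    return {
        "rogue_ack_learned": rogue_learned,
        "legit_ip_traffic": sw.source_lockdown_permits("port5", ep1_mac, ep1_ip),
        # Endpoint 1 claiming the gateway address 192.168.0.1 from the slide.
        "spoofed_ip_traffic": sw.source_lockdown_permits("port5", ep1_mac, "192.168.0.1"),
        # Same MAC and IP but on a different port: binding does not match.
        "moved_mac_traffic": sw.source_lockdown_permits("port9", ep1_mac, ep1_ip),
        "unknown_mac_traffic": sw.source_lockdown_permits("port9", other_mac, "192.168.0.77"),
        # Gratuitous ARP claiming endpoint 1's IP from another MAC.
        "garp_poison_attempt": sw.garp_permits("port9", other_mac, ep1_ip),
        "garp_legit": sw.garp_permits("port5", ep1_mac, ep1_ip),
        "garp_unbound_ip": sw.garp_permits("port9", other_mac, "192.168.0.77"),
    }


if __name__ == "__main__":
    for check, permitted in demo().items():
        print(f"{check:22s} {'permit' if permitted else 'drop'}")
```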
19.) security pivot (policy byod nac)

Data Center Aggregation/Core Switch
The proposed solution must provide a high-density, chassis-based switch solution that meets the requirements provided below. Your response should describe how your offering would meet these requirements. Vendors must provide clear and concise responses; illustrations can be provided where appropriate. Any additional feature descriptions for your offering can be provided, if applicable.
• Must offer a chassis-based switch solution that provides eight I/O module slots, two management module slots and four fabric module slots. Must support a variety of I/O modules providing support for 1GbE, 10GbE, 40GbE and 100GbE interfaces. Please describe the recommended switching solution and the available I/O modules.
• Switch must offer switching capacity up to 20.48 Tbps. Please describe the performance levels for the recommended switching solution.
• Switch system must support high availability for the hardware preventing single points of failure. Please describe the high availability features.
• It is preferred that the 10 Gigabit Ethernet modules will also be able to accept standard Gigabit SFP transceivers. Please describe the capability of your switch.
• Must support N+1 redundant power supplies
• Must support N+1 redundant fan trays
• Must support a modular operating system that is common across the entire switching profile. Please describe the OS and advantages.


  1. Control: ask your network for security…
  2. The security threat landscape, it is a-changing.
  3. Strategic asset – security pivot: why? why? how? • Reduce millions of logs to actionable intelligence. • Complete network, policy and compliance solution. • Automated correlation and analytics. Network components: router, IPS/IDS, firewall, switches, servers, DMZ, VPN.
  4. Rumor: green M&M's are an aphrodisiac? Security like candy? A hard candy shell, originally designed as a treat for soldiers! Caution: extreme metaphor.
  5. Attack timeline (9:00 to 15:00): foothold, persistence, lateral movement, escalate, pivot, target, breach, call back; with valid user credentials the bad actor goes unnoticed while roaming freely on the network. Response: threat intel, report context, forensics, log analysis, search for evidence (IOCs), SOC, IR, automate, remediate. Now what?
  6. Do you have… Is your firm's environment secure? • Port scanning and remediation • Perimeter vulnerability scanning • Timely OS patching • Network-level DDoS detection and prevention • Auditing of all operator access and actions • Just-in-time elevations • Automatic rejection of high-privilege access for employees without a background check • Automatic account deletion when an employee leaves, when an employee changes groups, and when there is lack of use • Isolation between the mail environment and the production access environment for all employees • Automated tooling for routine activities
  7. Attack your security gap. What is your pucker factor? Risk assessment: commodity threats, breach (event), SOC (time to detect), IR (time to respond), analytics, targeted (APT), intel (contain), pivot, identify potential risk (shiny objects). SIEM logs activity in the XYZ account compute environment; intelligence to respond: what actions should XYZ account take? Logs or events → analytics (CAD, Oracle, Netflix). It is all about time. Bad actor.
  8. Traditional castle defenses: Keep – the last building in the castle to fall. Moat / main gate – the outer perimeter controlling castle access. Inner perimeter – the stronghold; higher walls create a containment area between the inner and outer perimeters.
  9. Defense in depth: a cascade of security zones. Access control; de-militarized zone (DMZ) – outer perimeter; internal network (intranet) – inner perimeter; stronghold – mission-critical systems; internal firewall – the keep; dynamic state tables at each boundary.
  10. Search & pivot – IPS. Diagram: Internet, DMZ, IPS, core network, IPS, user network, IDS, management server. Threats: broad attacks, multi-faceted targeted attacks, commodity threats, advanced persistent threat (APT), worms & bots, advanced targeted attacks.
  11. Use your network as a key part of your security framework: access, visibility, protection, analytics, automation, command, control, enforcement. The scout on the front lines.
  12. How can your networks be protected from your own users? (NAC, BYOD, identity.) Endpoint security: infections persist because endpoint security fails; applications can be manipulated and unintentionally messed up, and there is a time gap between a new virus and the virus repair. Identity: identity alone fails against unauthorized access but not malware; it identifies users but not devices. Network security: network security alone fails because firewalls do not block legitimate ports and VPNs cannot block legitimate users; malware signatures must be known, so detection occurs after the fact. Network security fails against the targeted attack; company encrypted tunnels cannot be tested; time is on the side of the bad actor. Multisector.
  13. What is a SOC, CISO or analyst?
  14. Solution with Palo Alto Networks – solution benefits: • Accurate user-ID-to-IP mapping to eliminate potential attacks and provide reliable, out-of-the-box user information to Palo Alto • Improved security that blocks/limits user access at the point of entry without impacting other users • More accurate network mapping for dynamic policy enforcement and reporting
  15. "A port is what it is because of what or who is connected to it." Policy inputs – Device? district-owned, approved BYOD, unapproved BYOD, directory-unaware guest device. Access? wireless web-based, MAC, wired 802.1X. Location? library, gym, 5 ft from an access point, hallway, classroom. User? guest, student, faculty/staff, admin. Application? HTTP, online testing, YouTube, Twitter, Facebook, SIS, VDI. Time? weekends, holidays, M–F 8 am–6 pm, anytime. Policy outcomes: allow (single SSID/VLAN), rate limit, contain (multiple VLANs), deny. Application delivery in minutes.
  16. Policy components (through Layer 4; any device, location, application): if X + Y, then Z. "If" a user matches a defined attribute or value …, "then" place the user into a defined ROLE (faculty, student, guest). Roles contain services; services are simply Policy Manager containers for groups of similar rules; rules (device level, Layer 1–L3) classify behavior based upon L2, L3 and L4 packet fields. Optimized performance.
  17. Policy-based networking (guest onboarding): policies can be applied to the entire network with a single click; passive policies for what-if scenarios prior to enforcing; rules allow, deny, rate limit or contain. Built-in access control + policy + ACLs; CDPv2 & LLDP + sampled NetFlow; Layer 1–L3 through Layer 4. Example roles: IT admin, employee, guest, Oracle VPN admin. Example rules: AllowHTTP, AllowHTTPS, AllowIPSec, AllowSAP, RateLimit, AllowPing, AllowTelnet, AllowEmail, AllowTFTP, AllowSNMP, AllowOracle, DenyBlast.
  18. Policy role-based administration (through Layer 4; if X + Y, then Z): centrally managed, Layer 1–L3 • No scripts • No element management • Can be applied to the entire network with a single click
  19. Role-based policy – secure enterprise: 1. User role (guest/finance/engineering/administrators) 2. User/device authentication, policy definition and management 3. Rules & services enforcement for secured access 4. Secure application access. XOS delivers 1024 authenticated users per switch. Built-in access control + policy + ACLs; CDPv2 & LLDP + sampled NetFlow; Layer 1–L3 through Layer 4.
  20. Role-based policy – platform scaling (if X + Y = ?, then Z). Platforms: X620, X440-G2, X450-G2, X460-G2, X670-G2, X770 (the slide gives five value columns for each row): Policy profiles: 63 / 63 / 63 / 63 / 63. Rules per role (profile): up to 440 / 952 / 952 / 952 / 952. Authenticated users per switch: up to 256 / 1024 / 1024 / 512 / 512. Authenticated users per port: unlimited up to 256 / 1024 / 1024 / 512 / 512. Unique permit/deny rules: 440 / 952 / 952 / 952 / 952. MAC rules: N/A / 256 / 256 / 256 / 256. IPv6 rules: N/A / 256 / 256 / 256 / 256. IPv4 rules: 256 on all. L2 rules: 184 on all. Rate limiting: CoS MIB* on all. Actions; quality of experience; business services; users / devices.
  21. Policy = Ethernet "like a mux" (Layer 1–L3 through Layer 4). CoS capabilities: • 802.1D priority marking • IP ToS overwrite • Inbound rate limiting • Rate shaping. CoS is integrated with the existing EXOS QoS, leveraging much of the existing infrastructure.
  22. QoS components – application awareness, ExtremeXOS® end to end. Data path: classification, signaling, routing. Control plane: policy server, admission control. Traffic conditioning, scheduling, shaping, output I/F.
  23. L4 networking (automated policy for control): Layer 1 physical, Layer 2 data link, Layer 3 network, Layer 4 transport, … Layer 7 application; device identity, user identity, virtual machine identity, application identity, etc.
  24. Transparent authentication (Summit). Intranet, mail servers, CRM; Active Directory server, RADIUS server, LDAP server. 1. The user logs into the Active Directory domain with user name and password. 2. The ExtremeXOS® network "snoops" the Kerberos login by capturing the user name. 3. Active Directory validates and approves the user credentials and responds to the host. 4. ExtremeXOS grants network access based on the AD server response. Resulting entry – Username: John_Smith; IP: 10.1.1.101; MAC: 00:00:00:00:01; Computer name: Laptop_1011; VLAN: 1; Location / switch port #: 24; Success.
  25. Role-based access control (Summit). Role derivation: • Users are assigned to a "role" based on their attributes (e.g. job function, location, etc.) • Roles contain dynamic policies that control access to network resources regardless of location. Access table (Role: Internet / Intranet / Mail / CRM-Database / VLAN): Unauthenticated: Yes / No / No / No / Default. Contractor: Yes / Yes / No / No / Default. Employee: Yes / Yes / Yes / Yes / Default. Examples: Who is John? LDAP response matches Department = Employee → user John, role Employee, resource access = permit all. Who is Alice? LDAP response matches Company = IBM → user Alice, role Contractor, resource access = deny mail and CRM. No authentication detected → unauthenticated role: user Bob, role Unauthenticated, resource access = Internet only. Infrastructure: Internet, intranet, mail servers, data center, Active Directory server, RADIUS server, LDAP server.
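As an added example (not the deck's or Extreme's own code), the role derivation and access table of this slide in Python: a rule is a set of directory attribute conditions that must all match (the deck's "X + Y"), first matching rule wins, and anything that matches no rule lands in the least-privilege Unauthenticated role. Attribute names and rule order are assumptions; the roles, resources and yes/no values are the slide's.

```python
# Each rule: (conditions that must all match, role). Rules are evaluated top to
# bottom and the first match wins, so the most specific rule goes first.
ROLE_RULES = [
    ({"department": "Employee"}, "Employee"),   # "Department = Employee" on the slide
    ({"company": "IBM"}, "Contractor"),         # "Company = IBM" on the slide
]
UNAUTHENTICATED = "Unauthenticated"

RESOURCES = ("Internet", "Intranet", "Mail", "CRM/Database")

# The slide's table: role -> resources permitted. Anything not listed is denied.
ROLE_ACCESS = {
    UNAUTHENTICATED: {"Internet"},
    "Contractor": {"Internet", "Intranet"},
    "Employee": {"Internet", "Intranet", "Mail", "CRM/Database"},
}


def derive_role(ldap_attrs):
    """ldap_attrs is the directory response for an authenticated user as a dict,
    or None when no authentication was detected on the port."""
    if ldap_attrs is None:
        return UNAUTHENTICATED
    for conditions, role in ROLE_RULES:
        if all(ldap_attrs.get(attr) == value for attr, value in conditions.items()):
            return role
    # Authenticated but matching no rule: fall back to least privilege instead
    # of guessing a role.
    return UNAUTHENTICATED


def resource_access(role):
    """Return {resource: permitted} for the role; unknown roles get nothing."""
    allowed = ROLE_ACCESS.get(role, set())
    return {resource: resource in allowed for resource in RESOURCES}


def authorize(ldap_attrs):
    """Full decision: (role, per-resource permit map) for one directory response."""
    role = derive_role(ldap_attrs)
    return role, resource_access(role)


if __name__ == "__main__":
    # The slide's three users, with constructed LDAP responses.
    for name, attrs in (("John", {"department": "Employee"}),
                        ("Alice", {"company": "IBM"}),
                        ("Bob", None)):
        role, access = authorize(attrs)
        permitted = [r for r, ok in access.items() if ok]
        print(f"{name}: role={role}, permitted={permitted}")
```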
  26. Take IT-configurable actions on Extreme Networks switching infrastructure when a user or device connects to the network. If… then…: communicate with the LDAP server for the user/device profile and/or place the device or user into a role and/or dynamically create an ACL and/or rate limit the device or user and/or blacklist or de-blacklist and/or send out an email alert or generate a Syslog event. Auto-provision users and devices that connect to the network. Automation through power management: if time of day = 5:00 pm, then disable PoE power to the wireless AP and/or hibernate the chassis line card and/or send out an email alert or generate a Syslog event.
  27. Event-based triggers – automation through customized scripting. Trigger type variables: device, user authentication, time based, EMS (Event Management System), user input. Values for the respective variables: value x, value y, value z, … Execute script file. If the following events are triggered … and they match the following values … then execute the corresponding profile script.
  28. Time-of-day profiles • Timer triggered • Applications – disable guest VLAN access – shut down wireless service in closed buildings – timed backup of configurations, policies, … – timed check on statistics. Events that trigger profiles (trigger – condition): Device-Detect – a specific device is detected by the system. Device-Undetect – the specific device is no longer present or a timeout has occurred; port properties return to a known state. User-Authenticated – the specified user authenticated. User-Unauthenticated – the specified authenticated user has been unauthenticated; port properties return to a known state. Timer-AT – a timer scheduled to occur AT a specified time has occurred. Timer-AFTER – a timer scheduled to occur AFTER an event or specified interval has occurred; can be a one-time occurrence or recurring. User-Request – the profile was triggered remotely by the administrator through the CLI.
  29. Automation through customized scripting (the same trigger model as slide 27). Trigger type variables: device, user authentication, time based, EMS (Event Management System), user input. Values for the respective variables: value x, value y, value z, … Execute script file. If the following events are triggered … and they match the following values … then execute the corresponding profile script.
  30. Role-based policy – platform limits (features: X450-G2 / X460-G2 / X670-G2 / X770): Policy profiles: 63 on all. Rules per role (profile): up to 928 on all. Authenticated users per switch: 1024 / 1024 / 512 / 512. Authenticated users per port: unlimited up to 1024 / 1024 / 512 / 512. Unique permit/deny rules: 928 on all. MAC rules: 256 on all. IPv6 rules: 256 on all. IPv4 rules: 256 on all. L2 rules: 184 on all. Rate limiting: CoS MIB* on all. Multi-user authentication logic (802.1X, web, MAC): Chris: Filter ID → Policy X; Chris: Filter ID → Policy Y; authentication method MAC / authentication method 802.1X; Chris: 802.1X credentials; Chris: MAC credentials; Chris: 802.1X; Chris: MAC; Policy Profile Y; Chris MAC = A:A; dynamic admin rule for Policy Y (SMAC = A:A). Multiple authentication agents on the same port: • 802.1X • EXOS web authentication • MAC authentication. Multiple policy profiles per port: • Each policy profile is assigned to a subset of the traffic • Policy is applied to ingress traffic based on which user sourced it • Users/devices may be implementing different auth methods.
  31. Ideal model – authentication and authorization. Intuitively, we want the protocol to behave "as if" a trusted third party collected the parties' inputs and computed the desired functionality: A holds x1, B holds x2, and they receive f1(x1,x2) and f2(x1,x2) respectively, with secrecy and integrity [Goldreich-Micali-Wigderson 1987]. • Computation in the ideal model is secure by definition! • Given a statement s, authentication answers the question "who said s?" • Given an object o, authorization answers the question "who is trusted to access o?" "Who" refers to a principal; principal = abstraction of "who".
  32. Wireless threat landscape – why are wireless LANs prone to attack? • "Open air": no physical barriers to intrusion – silent attacks • Standard 802.11 protocol, well documented and understood; the most common attacks against WLAN networks are targeted at management frames • Unlicensed, easy access to inexpensive technology. Wireless access outside of physical/wired boundaries (physical security, bad actor, target). Tools of the trade: NetStumbler, Kismet, AirSnort, WEPCrack.
  33. IP spoofing – friend impersonation. A (10.10.10.1) is a friend of B (134.117.1.60), so B reasons "It must be OK, my friend sent it. Yum yum." Packet from A: src_IP 10.10.10.1, dst_IP 134.117.1.60, src_port any (>1024), dst_port 80. Second packet, marked spoofed: src_IP 11.11.11.1, dst_IP 134.117.1.60, src_port any (>1024), dst_port 80 – the bad actor. Eavesdropping, packet sniffing, illegal copying. Better not to trust any individual router; we can assume that some fraction of routers is good, but we don't know which.
  34. Session hijacking (target, intercept, exploit). Panels: user b has an authorized connection to server a; the bad actor sends a reset using server a's address and user b drops the connection; the bad actor sends malicious commands using user b's address while user b ignores the server. The Internet is designed as a public network: • Wi-Fi access points and network routers see all traffic that passes through them • Routing information is public • IP packet headers identify source and destination • Even a passive observer can easily figure out who is talking to whom. Encryption does not hide identities: • Encryption hides the payload, but not the routing information • Even IP-level encryption (tunnel-mode IPsec/ESP) reveals the IP addresses of the IPsec gateways.
  35. Denial of service (DoS): the bad actor's zombies (many) flood the target, server a. Observation: malicious behavior need not involve system call anomalies; malicious code communicates with its master by "piggybacking" on normal network I/O – hide malicious code inside a server, hook into a normal execution path.
  36. Identity-based network access – "who" gets access and "what" they can do. Control at each switch port or access point: • Only authorized users can get network access • Unauthorized users can be placed into "guest" VLANs • Prevents unauthorized APs. Unauthorized users/devices vs. authorized users/devices; user-based policies applied (BW, QoS etc.).
  37. War driving for open frequency range – countermeasures for wireless attacks: anti-war-driving software makes it more difficult for attackers to discover your wireless LAN • Honeypots – servers with fake data to snare intruders • FakeAP and Black Alchemy Fake AP – software that makes fake access points • Use special paint to stop radio from escaping your building. Radio-frequency-based threats: • Client mis-association – client-to-client connections bypass infrastructure security checkpoints • Rogue access points – employees connect to an external WLAN, creating a portal to the enterprise wired network • Denial of service attacks – malicious hackers disrupt critical business services • Ad-hoc wireless networks – employees unknowingly create an opening to the enterprise network. (Bad actor, target; ad-hoc networks, mis-association networks, rogue networks.)
  38. Multi-user authentication (MUA) – 802.1X, web, MAC. MUA logic: Chris: Filter ID → Policy X; Dave: Filter ID → Policy Y. Authentication method MAC / authentication method 802.1X; Chris: 802.1X credentials; Dave: MAC credentials; the RADIUS server returns Policy Profile X for Chris (MAC = A:A) and Policy Profile Y for Dave (MAC = B:B); dynamic admin rule for Policy X (SMAC = A:A), dynamic admin rule for Policy Y (SMAC = B:B). Allows for assignment of multiple policy profiles per port: • Each policy profile is assigned to a subset of the traffic received • The policy profile is applied to ingress traffic based on which user sourced it • Users/devices may be implementing different authentication methods.
  39. Access control possibilities (edge switch, authentication server; Summit). MAC-based: non-intelligent devices; authentication messages – MAC authentication with RADIUS encryption; data messages – no encryption. Web-based: browser-only client; authentication messages – HTTPS authentication (encrypted) with RADIUS encryption; data messages – no encryption. 802.1X-based: 802.1X client; authentication messages – 802.1X authentication (PEAP/MD5/TLS/TTLS) with RADIUS encryption; data messages – no encryption.
  40. 40. Whitelist Backlist User or Device Identity Management Increased visibility and management of device identities Roles based on LLDP parameters Whitelists and Blacklists Roles based on MAC, IP, Port Whitelist Allow all traffic from and to the identity Blacklist Deny all traffic from the identity Client / Device Attributes • MAC OUI • MAC Address • IP Address SummitSummit Blacklist Whitelist Whitelist Users mapped to a whitelist based on user/MAC/IPv4 Creates ACL to permit all traffic if match all {Ethernet-source-address 00:00:00:00:00:02;} then {permit;} Blacklist Users mapped to a blacklist based on user/MAC/IPv4 Creates ACL to block all traffic if match all {Ethernet-source-address 00:00:00:00:00:02;} then {deny;} Server
  41. 41. network Access Control in OS  Assume secure channel from user  Authenticate user by local password  Map user to her user ID + group IDs  Local database for group memberships  Access control by ACL on each resource  OS kernel is usually the reference monitor  Any RPC target can read IDs of its caller  ACLs are lists of IDs  A program has IDs of its logged-in user Port put in forwarding mode User logs in, MAC Address Detected Authenticated 1 2 3 Radius Server
  42. 42. Authentication Authentication is identification and assurance of origin of information Unauthorized assumption of another’s identity Q: Who is the sender of the message? (who might have been able to create it) Q: Who is the sender of the message? (who might have been able to modify it) network Integrity is prevention of unauthorized changes Intercept messages, tamper, release again f: ({0,1}*)K ({0,1}*)K K inputs (one per party); each input is a bitstring K outputs Functionality MAC Learning 802.1x AuthWebbased Login MAC Mask Network Login Authenticator Local Database RADIUSAuthentication Server Authenticator URL Hijacking EAP/RADIUS User / passwd VLAN VSA User / passwd VLAN VSA Port # Supplicants
  43. 43. Port-based 802.1Q Pros Separate broadcast domains for trusted internal users and untrusted guest users – groups unable to communicate directly Trusted internal PCs cannot contract viruses from untrusted guest PCs Untrusted guest users are unable to access private internal servers Use of VLAN Trunking Protocol eases VLAN management Cons No measure to prevent untrusted guests from connecting to private ports Misconfiguration of a port will provide trusted network access Use of separate subnets leads to inefficient use IP address space Switches may be vulnerable to attacks related to MAC flooding, tagging, multicast brute force, etc. Summit (Network Security (VLANs) for network and user segregation Server
  44. 44. “Network Login” captive portal Captive Portal Features  Fully customizable formatting and content  HTTPS redirection and capture  Internal and external hosting  Logout on browser close  Login, welcome and failed pages  Unbranded login pages for concealment Bad Actor Client Switch IP DHCP-Response (short lease) DHCP-Request HTTP Login-Prompt (redirected) HTTP request to any external webserver address (for example www.yahoo.com) RADIUS Access-Accept, VLAN Assignment RADIUS Access-RequestHTTP Username/Password DHCP-Response DHCP-Request DHCP Speed Bump Login DHCP DHCP or static IP RADIUS Radius Summit
  45. 45. captive portal AAA Features - Using Hotspot Authentication  Bandwidth Management Policies  Dynamic VLAN Assignments  LDAP authentication support  RADIUS authentication and accounting  Time-based access policies  Time of day and day of week access policies  Web browser-based authentication  Web browser-based guest user admin CoovaChilli (morphed from Chillispot) http://coova.org/wiki/index.php/CoovaChilli Uses RADIUS for access and accounting. CoovaAP openWRT-based firmware. Open Source M0n0wall http://m0n0.ch/wall/ Embedded firewall appliance solution built on FreeBSD. http://m0n0.ch/wall/images/screens/service s_captiveportal.png Server
  46. 46. MAC Auth Other Non-802.1X-Capable Endpoints Unsupported devices: Integrity and authentication: only someone who knows KEY can compute MAC for a given message  For the devices like network printers, Ethernet-based electronics like environmental sensors, cameras, wireless phones , etc.  One way: Media Access Control (MAC) address filtering. Usually implemented by permitting instead of preventing.  Win 2K & XP allow easy change for MAC addresses. MAC address is not an authentication mechanism… Native Client Support EAP-PEAP EAP-TLS EAP-TTLS XBOX 360 NO NO NO XBOX One MAYBE MAYBE MAYBE PlayStation 3 & 4 NO NO NO Nintendo Wii / Wii U NO NO NO KEY KEY message MAC (usually based on a cryptographic hash, aka “digest”) message, MAC(KEY,message) = ? Recomputes MAC and verifies whether it is equal to the MAC attached to the message
  47. 47. WEP Keys (Static Keys) 1.) Laptop send authentication Frame saying want to authenticate 2.) AP sends a challenge text 3.) Laptop encrypts challenge text with shared key and returns 4.) AP compares encrypted text with its own 5.) AP sends Authentication frame back to the device  Given: both parties already know the same secret  Goal: send a message confidentially Shared key authentication Symmetric Encryption
48. WPA & WPA2 Personal Security
- WPA replaces WEP with TKIP.
- WPA2 uses a stronger data encryption method called AES-CCMP instead of TKIP encryption.
- Still uses PSK (Pre-Shared Key) authentication. People may send the key by e-mail or another insecure method. (Cracking WPA)

EAP layering (Summit):
- Method layer: TLS, GSS_API Kerberos, PEAP MS-CHAPv2, TLS, IKE, MD5
- EAP layer: EAP
- Media layer: PPP, 802.3, 802.5, 802.11, Other…
49. IEEE 802.1X… Port-based Network Access Control (PNAC) (Summit)

1. Device asks to join.
2. AP asks the device to verify its identity; the AP becomes the middleman for the authentication server.
3. Device sends its identity to the authentication server.
4. Authentication server verifies the identity.
5. Device can join the wireless LAN.

802.1X authentication progression (Supplicant, Authenticator, Server):
1. Initialization: on detection of a new supplicant on the switch port.
2. Initiation: the authenticator periodically transmits EAP-Request Identity frames to a special Layer 2 address on the local network segment.
3. Negotiation: the authentication server sends an Access-Challenge packet to the authenticator.
4. Authentication: if the authentication server and supplicant agree, an EAP-Success message is sent and the port is set to the "authorized" state.

Encapsulation: supplicant to authenticator carries 802.1x Header + EAP Payload; authenticator to server carries UDP Header + RADIUS Header + EAP Payload.
50. Identity Based Network Services - IEEE 802.1X… (Summit)

Supplicant, Authenticator (802.1x), AAA RADIUS Server (Authentication Server), LDAP or Active Directory Server (login and certificate services):
1. Login + Certificate
2. Verify login and check with policy DB
3. Login verified
4. Login good! Apply policies: IEEE 802.1x + VLANs + VVID + ACL + QoS
5. Switch applies policies and enables port:
   - Set port to enable
   - set port vlan 10
51. Comprehensive NAC Solution - IEEE 802.1X… (Summit)

Supplicant, Authenticator, NAC Server (Quarantine Role), Authentication Server (LDAP or Active Directory Server, login and certificate services), Intranet/Network (THE GOAL):
1. End user attempts to access the network. Initial access is blocked. Single-sign-on or web login (login + certificate).
2. NAC Server gathers and assesses user/device information: username and password; device configuration and vulnerabilities. Login verified.
3a. Noncompliant device or incorrect login: access denied; placed into quarantine for remediation.
3b. Device is compliant: placed on the “certified devices list”; network access granted.
52. EAP exchange over TLS and native client support (Summit)

Client (EAPOL), Authenticator, Authentication Server (RADIUS):
1. EAPOL Start
2. Request Identity
3. Response Identity (anonymous)
4. Response Identity; TLS Start
5. Certificate
6. Client key exchange
7. Certificate verification
8. Request credentials
9. Response credentials
10. Success

Native Client Support:
OS                      | EAP-PEAP | EAP-TLS       | EAP-TTLS
Windows 8               | YES      | YES           | YES
Windows 7 / Vista / XP  | YES      | YES           | NO
Mac OS X                | YES      | YES           | YES
Linux                   | YES**    | YES           | YES
iOS                     | YES      | YES           | YES*
Android                 | YES**    | YES           | YES
Chrome OS               | YES**    | YES           | YES**
Windows Phone 8.1       | YES      | YES (rumored) | UNK
Windows Phone 7/8       | YES      | NO**          | NO
BlackBerry 10           | YES      | YES           | YES
BlackBerry 7            | YES      | YES           | YES
53. IKEv2 with EAP & Server Certificate

Initiator (client), Responder (server, UDP/500), AAA Server (RADIUS):
- Key exchange: KEi, Ni from the initiator; KEr, Nr from the responder.
- Authentication: IDi, IDr from the initiator; IDr, Certr, Authr from the responder (server certificate).
- EAP: EAP Identity, EAP Challenge, EAP Response, relayed between the responder and the AAA server over RADIUS.
- PSK is shown on both client and server as the alternative.

802.1X (EAPOL) frame layout: PAE Ethernet Type | Prot. Ver. | Packet Type | Packet Body Length | Packet Body...
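An added example (not from the slides or the vendor) that parses the frame layouts shown on slides 49 and 53: the 802.1X header that follows the PAE Ethernet type (protocol version, packet type, packet body length, packet body) and the EAP payload it carries (code, identifier, length, type). The sample frames are constructed inline; field values for EAPOL packet types and EAP codes are the standard ones and are assumptions beyond what the slides state. The parser trusts the length fields rather than the buffer size, so a truncated frame is rejected instead of read past its end.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// EAPOL is the 802.1X header: Protocol Version (1 byte), Packet Type (1 byte),
// Packet Body Length (2 bytes, big-endian), then the Packet Body.
type EAPOL struct {
	Version uint8
	Type    uint8 // 0 = EAP-Packet, 1 = EAPOL-Start, 2 = EAPOL-Logoff, 3 = EAPOL-Key
	Body    []byte
}

// EAP is the payload of an EAP-Packet; the same bytes travel inside RADIUS
// between authenticator and server. Type and TypeData exist only for
// Request (1) and Response (2) codes.
type EAP struct {
	Code       uint8 // 1 = Request, 2 = Response, 3 = Success, 4 = Failure
	Identifier uint8
	Type       uint8 // 1 = Identity, 13 = EAP-TLS, 21 = EAP-TTLS, 25 = PEAP
	TypeData   []byte
}

var errShort = errors.New("frame shorter than its declared length")

func parseEAPOL(b []byte) (EAPOL, error) {
	if len(b) < 4 {
		return EAPOL{}, errors.New("EAPOL header needs 4 bytes")
	}
	n := int(binary.BigEndian.Uint16(b[2:4]))
	if len(b) < 4+n {
		return EAPOL{}, errShort
	}
	return EAPOL{Version: b[0], Type: b[1], Body: b[4 : 4+n]}, nil
}

func parseEAP(b []byte) (EAP, error) {
	if len(b) < 4 {
		return EAP{}, errors.New("EAP header needs 4 bytes")
	}
	n := int(binary.BigEndian.Uint16(b[2:4]))
	if n < 4 || len(b) < n {
		return EAP{}, errShort
	}
	p := EAP{Code: b[0], Identifier: b[1]}
	if (p.Code == 1 || p.Code == 2) && n >= 5 {
		p.Type = b[4]
		p.TypeData = b[5:n]
	}
	return p, nil
}

// describe renders one frame the way a port-level trace would label it.
func describe(frame []byte) (string, error) {
	e, err := parseEAPOL(frame)
	if err != nil {
		return "", err
	}
	switch e.Type {
	case 1:
		return "EAPOL-Start", nil
	case 2:
		return "EAPOL-Logoff", nil
	case 0:
		p, err := parseEAP(e.Body)
		if err != nil {
			return "", err
		}
		codes := map[uint8]string{1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
		name, ok := codes[p.Code]
		if !ok {
			name = fmt.Sprintf("code %d", p.Code)
		}
		s := fmt.Sprintf("EAP %s id=%d", name, p.Identifier)
		if p.Code <= 2 && p.Type == 1 {
			s += fmt.Sprintf(" Identity=%q", string(p.TypeData))
		}
		return s, nil
	}
	return fmt.Sprintf("EAPOL type %d", e.Type), nil
}

// Constructed sample frames (EAPOL header followed by EAP payload where present).
var (
	eapolStart       = []byte{0x01, 0x01, 0x00, 0x00}
	identityRequest  = []byte{0x02, 0x00, 0x00, 0x05, 0x01, 0x2a, 0x00, 0x05, 0x01}
	identityResponse = append([]byte{0x02, 0x00, 0x00, 0x0e, 0x02, 0x2a, 0x00, 0x0e, 0x01}, "anonymous"...)
	truncated        = []byte{0x02, 0x00, 0x00, 0x0e, 0x02, 0x2a} // claims 14 body bytes, carries 2
)

func main() {
	for _, f := range [][]byte{eapolStart, identityRequest, identityResponse, truncated} {
		s, err := describe(f)
		fmt.Println(s, err)
	}
}
```

The Response/Identity frame carries the anonymous outer identity from slide 52; the real credentials are only sent inside the TLS tunnel that the later steps establish.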
54. Distribution of Public Keys - certificate authority (CA) (Summit, Authentication Server)

Given: everybody knows the public key; only Bob knows the corresponding private key (the diagram's bad actor holds only the public key).
Goal: laptop sends a “digitally signed” message.
- To create a valid signature, one must know the private key.
- To verify a signature, it is enough to know the public key.

Public announcement or public directory
- Risks: forgery, tampering
Public-key certificate
- Signed statement binding a public key to an identity: sig_Alice(“Bob”, PK_B)
Common approach: an agency responsible for certifying public keys
- Browsers are pre-configured with 100s of trusted CAs
- 135 trusted CA certificates in Firefox 3
- A public key for any website in the world will be accepted by the browser if certified by one of these CAs
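As an added illustration of the last point on slide 54 (a browser accepts any public key certified by one of its trusted CAs, and only those), the following Go program, which is not from the slides, builds a constructed trust anchor, has it sign a statement binding a fresh public key to the hostname www.example.com, and checks that certificate against two trust stores: one holding that CA and one holding an unrelated CA. CA names, the hostname and the lifetimes are constructed; everything else is Go's standard crypto/x509 behaviour.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA creates a self-signed certificate authority with an Ed25519 key pair.
func newCA(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// issueLeaf is the CA's signed statement binding host to a new public key:
// the sig_CA("host", PK_host) of the slide, only the CA's private key can make it.
func issueLeaf(ca *x509.Certificate, caKey ed25519.PrivateKey, host string) (*x509.Certificate, error) {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedBy plays the browser: it accepts leaf only if the chain ends at one
// of the given anchors and the name matches. Verification needs only public keys.
func trustedBy(leaf *x509.Certificate, host string, anchors ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// demo returns whether the constructed certificate is accepted by a store
// that trusts its issuer and by a store that trusts a different CA.
func demo() (acceptedByIssuer, acceptedByOther bool, err error) {
	trustedCA, trustedKey, err := newCA("Trusted Root CA (constructed)")
	if err != nil {
		return false, false, err
	}
	otherCA, _, err := newCA("Unrelated CA (constructed)")
	if err != nil {
		return false, false, err
	}
	leaf, err := issueLeaf(trustedCA, trustedKey, "www.example.com")
	if err != nil {
		return false, false, err
	}
	return trustedBy(leaf, "www.example.com", trustedCA), trustedBy(leaf, "www.example.com", otherCA), nil
}

func main() {
	ok, other, err := demo()
	fmt.Println(ok, other, err) // true false <nil>
}
```

The second result is the reason the size of the pre-configured CA list matters: every anchor in the store is a party whose signature the browser will accept for any hostname, so each one added widens what "certified by one of these CAs" covers.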
55. What Is NAC, Really? Beyond “Who Is It?”

Goal: decide whether to grant a request to access an object. Guards control access to valued resources (Resource, Authentication Server).
Phases: Authenticate & Authorize; Scan & Evaluate; Update & Remediate; Quarantine & Enforce.
Questions: Where is it coming from? Who owns it? What do you have? What's the preferred way to check or fix it?
The NAC Server is an IP-passive bump in the wire, like a transparent firewall.
56. Network Access Control (Summit, Authentication Server)

Components: NAC Client, Enforcement Point, Access Controlled Subnet, Isolation Network, NAC Server.
Flow: Check, then either allow or Quarantine and Remediate.
57. Network Endpoint Assessment (NEA)

NEA Client: Posture Collectors (1 .. N) over the Posture Broker Client over Posture Transport Clients (1 .. K).
NEA Server: Posture Validators (1 .. N) over the Posture Broker Server over Posture Transport Servers (1 .. K).
Protocols between the matching layers: PA (collector to validator), PB (broker to broker), PT (transport to transport).
58. Fingerprint - Who, What, When, Where, How
- Single SSID - Multiple Topologies - Multiple Solutions
- Control traffic: traffic type and QoS
- Control access to resources based on who, what, when, where, how…
- Ensure compliance
Dimensions: Who, Where, When, What device type, How
59. Purview Everywhere (more than CoreFlow2)

Available today:
- Standalone Application Sensor
- Core / DataCenter - CoreFlow S/K Series
Future use: IPFix and packet mirroring in the Summit X460s (future XoS 16.2); looks at the first 15 packets for deep packet inspection.
Wireless: IdentiFi APs & Controllers.
Diagram: Purview, CoreFlow, Wireless Controller, Wireless AP, Virtual Network, Standalone Access Switches.
60. Identity and Application Awareness - Deep Packet Inspection, SSL Visibility (Summit, Authentication Server)

Protection, visibility, and control over network traffic and flows, inbound and outbound: per user (Employee A, B, C) the traffic is classified as Application A, Application B, Good Application (clean traffic), Prohibited Application, Attack Traffic or Botnet Traffic.

SSL handshake (regular client, SSL server):
1. ClientHello
2. ServerHello (send public key)
3. ClientKeyExchange (encrypted under public key)
4. Exchange data encrypted with the new shared key
61. Log collection - threat landscape

Then: Collection
- Log collection
- Signature-based detection
Now: Intelligence
- Real-time monitoring
- Context-aware anomaly detection
- Automated correlation and analytics
Inputs: Logs, Events, Alerts, Configuration information, System audit trails, External threat feeds, E-mail and social activity, Network flows and anomalies, Identity context, Business process data, Malware information.
62. Host Integrity - Summary

Microsoft Network Access Protection (NAP) - (9/2006)
- Open framework; major security vendors involved
- Integration and testing in progress. Demonstrated at RSA 2/2006.
- Microsoft availability with Vista/Longhorn beta and XP/2003 Service Pack in the future

Components: CLIENT (Microsoft Quarantine Agent, Partner Health Agent, Partner Enforcement Client); Network Access Device (switch, access point; VPN, 802.1X, IPsec); Network Policy Server (IAS) with Microsoft Quarantine Server and Partner and Microsoft Servers (e.g. a/v, patch policy); Quarantine VLAN clean-up servers (virus update, OS patch update, etc.); Corporate VLAN.

RADIUS User Auth | Host Integrity Check | Action
Pass             | Pass                 | Corporate VLAN
Pass             | Fail                 | Put into Quarantine VLAN
Fail             | Pass                 | Close Port
Fail             | Fail                 | Close Port
63. SIEM Correlation - Logging, Compliance, Forensics

Sarbanes-Oxley - publicly traded companies must:
- Maintain an adequate internal control structure
- Procedures for financial reporting
- Assess the effectiveness of internal control structures
HIPAA - patient information; firms must:
- Maintain administrative, technical and physical safeguards to ensure integrity and confidentiality
- Protect against threats or hazards
- Protect against unauthorized uses or disclosures
PCI - all merchants using payment cards must:
- Build and maintain a secure network
- Protect and encrypt cardholder data
- Regularly monitor and test networks, including wireless
64. Dynamic Security Policies - Conceptual View (Netsite Server, RADIUS Server)
1. Administrator configures user group policies in Netsite. Policy includes VLAN, 802.1p priority, extension mapped to user group.
2. Netsite pushes policy to switch.
3. User logs on to the network.
4. RADIUS server returns policy name for user.
5. Policy is applied and switch configures VLAN, 802.1p priority and ACLs on the port.
65. IP Security Conceptual View (Trusted DHCP)
- Trusted Port (toward the DHCP Server): allow DHCP servers.
- Un-Trusted Ports (toward endpoints): block DHCP servers, so a Rogue DHCP Server on such a port cannot answer clients.
Endpoint 1: IP 192.168.0.8, Default GW 192.168.0.1, MAC 00:0B:7D:25:F7:23
Gateway: 192.168.0.1, 00:04:96:10:46:60
66. IP Security Conceptual View (DHCP Snooping)
Uses DHCP snooping to build a trusted DHCP binding table from replies seen on the Trusted Port (DHCP Server side); endpoints sit on Un-trusted Ports.
Endpoint 1: IP 192.168.0.8, Default GW 192.168.0.1, MAC 00:0B:7D:25:F7:23
Endpoint 2: IP 192.168.0.22, Default GW 192.168.0.1, MAC 00:0B:7D:31:AD:F2
Gateway: 192.168.0.1, 00:04:96:10:46:60

DHCP Binding Table
MAC               | IP
00:0B:7D:25:F7:23 | 192.168.0.8
00:0B:7D:31:AD:F2 | 192.168.0.22
…                 | …
67. IP Security Conceptual View (Gratuitous ARP Protection)
Same topology and DHCP binding table as slide 66 (Endpoint 1 192.168.0.8 / 00:0B:7D:25:F7:23, Endpoint 2 192.168.0.22 / 00:0B:7D:31:AD:F2, gateway 192.168.0.1 / 00:04:96:10:46:60).
(1) Endpoint 2 sends gratuitous ARP: "I have IP address 192.168.0.1 and my MAC address is ..:F2".
(2) Endpoint 1's ARP cache is poisoned: 192.168.0.1 → ..:F2.
(3) Switch detects the invalid ARP entry (the binding table maps ..:F2 to 192.168.0.22, not 192.168.0.1).
(4) Switch sends gratuitous ARP: "For IP address 192.168.0.1 the correct MAC address is ..:60".
(5) ARP cache restored: 192.168.0.1 → ..:60.
68. IP Security Conceptual View (IP Source Lockdown)
Same topology and DHCP binding table as slide 66 (Endpoint 1 192.168.0.8 / 00:0B:7D:25:F7:23, Endpoint 2 192.168.0.22 / 00:0B:7D:31:AD:F2, gateway 192.168.0.1 / 00:04:96:10:46:60).
(1) Endpoint 2 sends traffic with a source IP address of 192.168.0.8.
(2) Switch blocks the traffic since the source IP address is spoofed: the binding table leases 192.168.0.8 to a different MAC.
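The four IP-security features on slides 65 through 68 share one data structure, the DHCP binding table, so the following added Go model (not the switch's code) implements them together: DHCP server replies are only accepted from trusted ports (Trusted DHCP), accepted replies populate the binding table (DHCP Snooping), ARP sender pairs on untrusted ports must match a binding (Gratuitous ARP Protection), and source addresses on untrusted ports must match a binding (IP Source Lockdown). MAC and IP addresses are those on the slides; port names (uplink, port1 to port3) and the rogue lease address are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Binding is one row of the DHCP binding table plus the untrusted port the
// client was learned on, so a lease cannot be reused from another port.
type Binding struct {
	MAC, IP, Port string
}

// Snooper models the switch: trusted ports may carry DHCP server replies and
// are exempt from checks; untrusted ports are held to the binding table.
type Snooper struct {
	trusted  map[string]bool
	bindings map[string]Binding // keyed by lower-case MAC
}

func NewSnooper(trustedPorts ...string) *Snooper {
	s := &Snooper{trusted: map[string]bool{}, bindings: map[string]Binding{}}
	for _, p := range trustedPorts {
		s.trusted[p] = true
	}
	return s
}

func norm(mac string) string { return strings.ToLower(mac) }

// ObserveLease handles a DHCP server reply seen by the switch. Replies that
// arrive on an untrusted port come from a rogue server and are dropped
// (slide 65); replies from a trusted port create a binding (slide 66).
func (s *Snooper) ObserveLease(serverPort, clientPort, clientMAC, ip string) bool {
	if !s.trusted[serverPort] {
		return false
	}
	s.bindings[norm(clientMAC)] = Binding{MAC: norm(clientMAC), IP: ip, Port: clientPort}
	return true
}

// bound reports whether (mac, ip) on port is consistent with the table.
func (s *Snooper) bound(port, mac, ip string) bool {
	if s.trusted[port] {
		return true
	}
	b, ok := s.bindings[norm(mac)]
	return ok && b.IP == ip && b.Port == port
}

// CheckARP validates the sender MAC/IP pair of an ARP packet, gratuitous or
// not (slide 67): a host may only announce the address leased to it.
func (s *Snooper) CheckARP(port, senderMAC, senderIP string) bool {
	return s.bound(port, senderMAC, senderIP)
}

// CheckIPSource implements IP Source Lockdown (slide 68): an IP packet on an
// untrusted port is forwarded only if its source address was leased to that
// MAC on that port.
func (s *Snooper) CheckIPSource(port, srcMAC, srcIP string) bool {
	return s.bound(port, srcMAC, srcIP)
}

// scenario replays the slides' events and returns each decision by name.
func scenario() map[string]bool {
	s := NewSnooper("uplink") // constructed name for the port toward DHCP server and gateway
	r := map[string]bool{}
	r["lease endpoint1"] = s.ObserveLease("uplink", "port1", "00:0B:7D:25:F7:23", "192.168.0.8")
	r["lease endpoint2"] = s.ObserveLease("uplink", "port2", "00:0B:7D:31:AD:F2", "192.168.0.22")
	r["rogue server reply"] = s.ObserveLease("port3", "port1", "00:0B:7D:25:F7:23", "10.0.0.50") // constructed rogue lease
	r["gratuitous ARP claiming gateway"] = s.CheckARP("port2", "00:0B:7D:31:AD:F2", "192.168.0.1")
	r["gratuitous ARP for own IP"] = s.CheckARP("port2", "00:0B:7D:31:AD:F2", "192.168.0.22")
	r["gateway ARP on uplink"] = s.CheckARP("uplink", "00:04:96:10:46:60", "192.168.0.1")
	r["spoofed source .8 from port2"] = s.CheckIPSource("port2", "00:0B:7D:31:AD:F2", "192.168.0.8")
	r["genuine source .22 from port2"] = s.CheckIPSource("port2", "00:0B:7D:31:AD:F2", "192.168.0.22")
	return r
}

func main() {
	for name, ok := range scenario() {
		fmt.Printf("%-34s %v\n", name, ok)
	}
}
```

The rejected rogue reply also leaves the existing binding for endpoint 1 untouched, which is what keeps the later ARP and source-address checks trustworthy: the table only ever reflects leases that came through a trusted port.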
