2. Agenda
• Introduction of Problem
• Pros and Cons of Existing Security Systems
• Possible Solutions
• Recommended Solution
• Solution Implementation
• Final Recommendation
2
4. The Problem
Viruses, worms, and botnets are often spread by unknowing
victims. These victims may be your own network users.
How can the network be protected from your own users?
4
7. Endpoint Security
Pros
Centrally managed anti-virus can identify workstations without
updated virus definitions.
Local firewall policy enforcement cannot be disabled by end users.
Cons
Anti-virus software slows machine performance to the point where
users disable automatic updates and stop scans. There is no way to
prevent users from altering the anti-virus software.
Only users with VPN access have the protection provided by local
firewall policy enforcement.
There is no anti-spyware or host intrusion prevention solution
deployed. 7
Symantec anti-virus deployed to individual workstations
and servers in the data center
Cisco personal firewall software installed on laptops with
remote access enabled
8. Identity
Four distinct user directories:
Authentication
• Access request forms required for creation of user accounts in each directory
• Written password policy requires strong passwords and password expiration
maintained/enforced separately in each directory
Authorization
• Authorization policies maintained in each directory by local administrators
• Manual process for account termination, user access must be removed from
each directory
Accounting
• Weekly directory access reviews compared against termination reports
Pros
Reduced risk when an account in one directory is compromised
Cons
Policies cannot be maintained or enforced centrally
Lots of passwords to keep track of → “loose” password management
Maintenance and SOX compliance nightmare 8
9. Network Security
Port-based 802.1Q virtual local area networks
(VLANs) for network and user segregation
Pros
Separate broadcast domains for trusted internal users and
untrusted guest users – groups unable to communicate directly
Trusted internal PCs cannot contract viruses from untrusted guest PCs
Untrusted guest users are unable to access private internal servers
Use of VLAN Trunking Protocol eases VLAN management
Cons
No measure to prevent untrusted guests from connecting to private
ports
Misconfiguration of a port will provide trusted network access
Use of separate subnets leads to inefficient use IP address space
Switches may be vulnerable to attacks related to MAC flooding,
tagging, multicast brute force, etc. 9
10. Gap Analysis in Current Solution
• Policies for endpoint security are not enforceable
• Users are not authenticated before access to the
network. Identification is instead performed by
the application
• Several entry points: wireless, wired and VPN
• Different types of users: full-time employees,
vendors, partners and guests
• VLAN assignment is not dictated by identity or
security posture
10
12. Improve Endpoint Security
• Deploy a comprehensive endpoint solution that
includes anti-virus, anti-spyware, and host intrusion
prevention capabilities
• Define and enforce policies that do not allow end
users to disable these protections
• Deploy personal firewall software to all computers,
not only VPN enabled systems
• Design an employee education campaign stressing
the importance of maintaining up to date security
software definitions
12
13. Improve Identity
13
Identity Based
Authentication
√
Valid Credentials
Invalid/No Credentials
X
Corporate
Network
No Access
Authorized User
Unauthorized External
Wireless User
Corporate
Resources
Identity Store Integration
802.1X
14. Improve Network Security
14
Virtual Private Networks
• Provided by vendors such as Cisco and F5
• Ensures confidentiality and integrity,
but only for point to point connections
Intrusion Detection and Prevention Systems
• Provided by vendors such as Sourcefire, 3Com, and IBM
• Able to use both predefined (and regularly updated) signatures and
statistics to detect and prevent attacks
• May cost tens of thousands of dollars per Gbps of inspection with no
guaranteed return
Firewalls
• Provided by vendors such as Check Point, Juniper Networks, etc.
• Control what hosts can access on other networks by port, protocol, or
IP address
• Unless installed on every PC, not useful between hosts on internal
LANs
15. Comprehensive Solution
15
THE GOAL
NAC Server gathers
and assesses
user/device information
Username and password
Device configuration and vulnerabilities
Noncompliant device
or incorrect login
Access denied
Placed to quarantine for remediation
Device is compliant
Placed on “certified devices list”
Network access granted
NAC Server
NAC Manager
End user attempts to
access network
Initial access is blocked
Single-sign-on or web login
Authentication
Server
1
2
3a
3b
Quarantine
Role
Intranet/
Network
18. NAC Vendor Comparison
18
Cisco NAC Juniper UAC Microsoft NAP
User/Device
Authentication
✔ ✔ ✔
Device Posture ✔ ✔ ✔
Remediation Full support Limited Very Limited
Full OS
Support
MS, Mac OSX Only MS Only MS
Guest Access
Portal
Full support
No temporary
IDs
No support
Microsoft NAP Juniper UAC Cisco NAC
Device Posture
Assessment
Full support Full support Full support
User/Device
Authentication
Requires MS
RADIUS
Requires group
mapping support
Integrates w/
current
infrastructure
Remediation Very Limited Full support Full support
Full OS Support Only MS MS, Mac OSX MS, Mac OSX
Guest Access
Portal
Requires 3rd
party
No temporary
logins
Full support
Asset
Management
None Manual Automated
20. Total Cost of Ownership
Number of users supported: Up to 10,000, including guests
Initial Hardware/Software Cost = $125,000
Implementation Cost = $25,000
Maintenance Cost = $72,000 per year
Power & Cooling Cost = $3,000 per year
TCO = $150,000 + $75,000 per year = $225,000 initial year cost
TCO ≈ $500,000 after 5 years
20
21. ROI Information
21
• Fewer infections result in fewer incidents and help
desk calls
Man Hours Cost/hour
Identifying and locating non-
compliant machine
.66 $75/hr
Bringing non-compliant machine
into compliance
1 $75/hr
Potential cost savings per non-compliant user $125
• The break-even point is 4,000 incidents over 5 years.
22. Potential Loss by Industry
22
Industry Revenue/Employee Hour
Energy $569.20
Manufacturing $134.20
Retail $244.37
Banking $130.52
Media $119.74
Total Industry Average $205.55
Source: http://www.competitivereviews.com/metasecurity.pdf
23. Feasibility Analysis
23
• Already a Cisco network, so NAC would simply
be an add-on to current network
• Entry points can easily be identified
• Anti-virus and other end-point protections
already deployed to users
• Non-compliance problems currently occur at a
rate of 6 per day, indicating a positive ROI on a
potential NAC investment
24. Final Recommendation
24
We conclude that a comprehensive NAC system
such as Cisco’s Network Admission Control
would be a better investment than piecemeal
improvements to the company’s current
network security systems.
We found that out corporate network infrastructure was vulnerable to virus or worm outbreaks from many sources – some of which could be internal users. In the next section we will highlight some of the problem areas.
Currently, we have implemented various solutions that fall into each of these categories, but the sum of everything currently deployed is not quite secure enough to protect against existing threats.
Our existing endpoint security solution relies upon the Symantec anti-virus client installed on all workstations and the Cisco VPN client with firewall capabilities installed on laptops of users requiring remote access.
On the positive side, these solutions provide central management capabilities and the Cisco firewall application cannot be disabled by the end users. However, the anti-virus software causes end user workstations to perform slowly and as a result users disable the automatic updates and stop full system scans before they complete. In addition, there is no personal firewall software on any machine that does not have VPN access and we do not have any anti-spyware or host intrusion prevention solution deployed.
Our current identity solution has been built overtime. It currently consists of four separate user directories. User accounts exist for each employee within Windows Active Directory, Lotus Notes, Cisco VPN and Oracle E-Business Suite. When an employee joins the company, a paper access form is filled out and an account gets created in each of the four user directories by local administrators. These accounts are created by different administrators for each of the directories. The username and password used for the account should follow the written company policies. The local administrators then apply the appropriate authorization policies. Again any changes to a user's access, including removal of access, needs to be updated within each distinct user directory. For compliance and regulatory reasons, for all four directories, administrators must compare user and access lists against termination reports on a weekly basis.
This solution puts a lot of burden and creates a lot of dependence on the administrators of each directory. We must trust these administrators to enforce our user account and password policies. Because each employee has at least four accounts, they tend to be more "loose" with their password because it’s difficult to keep track (especially because account expiration does not occur simultaneously across the four directories. An example of loose password management that has been seen in the office is employees sticking Post-It notes with their passwords in plain view on their monitors. The accounting is extremely tedious and not very reliable. This puts us at risk for SOX violations and fines if auditors find deficiencies.
Overall our current solution is lacking centralized, accurate enforcement of our security policies.
Currently, the company’s network security is based on segregation of various user groups using 802.1Q VLANs. The two most significant VLANs are the private one and the guest one. Network ports at all employee workspaces are associated with the private VLAN, while network ports at all hot desks are associated with the guest VLAN. This layer 2 network segregation prevents routing between untrusted guests and private resources, but this is dependent on trusted or untrusted machines being connected to the appropriate network ports. There are no measures in place to prevent untrusted machines from obtaining physical access to private VLAN ports, and once connected, DHCP will provide them with an IP address. This of course defeats the purpose of the segregation and allows for access to private resources. Not only does the lack of physical workplace security pose a risk, so does the potential for unintended bridging as a result of port misconfiguration.
Years ago, one might have considered the existing network access control measures adequate, but not anymore. A malicious individual would not have to be very clever to figure out that the private VLAN is where they would rather connect. The network would not assess their identity or security posture and identity management is left to the individual applications. This means the application servers and trusted users are sitting targets as long as they are connected. These endpoints may be protected by antivirus software and firewalls, providing their signatures have been updated and they have not gone ahead and disabled the software for convenience. Even if the VLAN based network segregation were effective, the network would still lack provisions for other user groups that may be somewhat trusted, like vendors and partners.
If we were to provide a more secure environment by improving each of the areas where we found gaps in the existing solution, we would start by deploying a more comprehensive endpoint security suite. This suite of software would have to include anti-virus, anti-spyware and host intrusion prevention capabilities. We would also change the corporate security policy to state that users were not allowed to disable any end point security protections. The deployed suite would have to be configurable in such a way to prevent end users from disabling any of the protections enabled. We would also deploy our existing personal firewall solution to every corporate workstation instead of only the VPN enabled laptops. Finally, we would develop a new employee education campaign to stress the importance of maintaining a secure corporate computing environment.
To improve our current identity solution, we would start by integrating our user directories into a central identity store. This single identity store would be responsible for enforcing policies and for authentication. In addition based on the roles in the single identity store, users would be authorized to specific resources, including corporate resources, email, VPN and business applications.
Then as part of the user authentication, we would implement 802.1X. 802.1X is a Layer 2 protocol for transporting authentication messages between users’ PCs and the authenticator. The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity has been validated and authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access resources located on the protected side of the network.
Source: http://en.wikipedia.org/wiki/IEEE_802.1X
Network access can be better controlled by the addition of various network security systems such as remote access VPN, intrusion detection and prevention, and firewalls. Each system has its merits, but not even the combination of all three can solve the problem at hand. Remote access VPNs will ensure confidentiality and integrity of data via the use of encryption, but are only for users who need to access the core private network from outside the office. IDS and IPS systems try to detect and prevent attacks from entering the network, but are costly and not designed to block every network access point – only certain points that interface totally untrusted networks like the Internet. Without ubiquitous prevention, even detected attacks may be successful before they can be remidiated. Finally, firewalls can block unused ports or untrusted IP networks at the perimeter of the company network, but they cannot prevent attacks from within and/or against application specific vulnerabilities.
This is an example of how the Cisco NAC appliance offers a comprehensive solution. The end goal is for the user to have access to the Internal Corporate network. But we want to know who is logging in and if they are compliant before network access is granted. In order to accomplish this:
First the user attempts access to the network. Their access is initially closed until credentials and posture information is collected on the end-station. Once this information is collected, the NAC Server validates the credentials and evaluates the posture information and decides if the endstation is compliant. If not, the user is quarantined and their access is separated from the network in order to be remediated. If the user is deemed compliant, then the device is placed on a “certified devices list” and network access is now granted.
Based on the complexity of implementing security improvements across the network we decided to pursue a comprehensive solution for network access control.
When considering a comprehensive solution, we turned to Gartner for some guidance and chose to concentrate on Cisco and Juniper based on their leadership in this area of network security.
We also considered the Microsoft solution because of the future potential of Microsoft’s NAP solution. Gartner has chosen not to include Microsoft as their solution requires a significant OS upgrade to all client machines. But we chose to include it anyway as to show the amount of growth that needs to occur before Microsoft’s solution will become viable.
Lastly, we stayed away from endpoint-only related NAC solutions, such as Symantec or McAfee because of OS compatibility restrictions and the possibility that the endpoint clients themselves could be compromised, disabled, or even used as an attack vector in their own right.
Microsoft
- No Third Party OS support.
Anti-Virus software / Personal FW / Anti-spyware NAC integration is to add another vendor solution on top of NAP
Guest: Additional software from 3rd vendor required
Asset Management for Printers, Phones, and other machines is none existent.
Juniper
Requires some modifications to existing authentication/directory infrastructure
Easy provisioning of temporary logins for guests is not available. Admin needs to provision a guest account and then remove it.
Asset Management is all done manually
Cisco
Integrates seamlessly with current authentication/directory infrastructure
Guest Server allows employees to provision their own temporary logins for their guests.
Asset Management can be discovered with NAC Profiler tool.
Our organization needs to support up to 10,000 users including their guests. As an estimate to the total cost of ownership, we’re looking at:
Initial Hardware/Software Cost of $125,000
Implementation Cost of $25,000
Maintenance Cost of $72,000 per year
Power & Cooling Cost of $3,000 per year
This amounts to $225,000 initial year cost and $500,000 after 5 years.
In order to get our return on investment for the $500,000 spent over 5 years, we’ll look at how much it costs to identify non-compliant machines and how long it takes to remediate each machine.
If we estimate around 6 calls per day, this amounts to 2,190 calls per year, and 10,950 calls in 5 years.
If deploying NAC can cut our number of calls in half to 3 calls per day, then we are now faced with 4380 calls per year, 5475 calls in 5 years, which ultimately amounts to a cost savings of $684,375.
Organizations that have the most revenue and are most heavily dependent on online systems have the highest potential loss of revenue from network outages. Strict network security is one way to prevent malware from causing these outages. This table shows average revenue by employee hour (i.e., assuming 2,000 hours per year). The percentage of the revenue actually lost depends on the criticality of the system that experiences the outage (e.g., degree of customer interaction, existing workarounds, peak periods) and the number of users affected by the outage or slowdown. These are big numbers and it is clear from this analysis that we want to avoid these potential losses.
Furthermore, these numbers do not even include the significant immediate losses that can result from bad publicity and loss of customer trust that affects future revenues.
Source: http://www.competitivereviews.com/metasecurity.pdf
When we asked ourselves how feasible it would be to implement a comprehensive NAC solution, we determined that there are actually few technical hurdles. We are already a large Cisco customer considering that we have a Cisco network, so we will likely get a discounted rate on the Cisco NAC product. Our network is clearly mapped out and understood, so we can easily identify the network entry points. In addition, our end points are already protected with anti-virus.
With strong executive sponsorship, we believe that this solution would be feasible.
Network security vendors that do not have comprehensive NAC products would love for you to believe that if you buy their product of choice, whether it be antivirus software, AAA, firewalls, etc., then you will have peace of mind. In truth, vulnerabilities abound in a complex corporate network and it really does require a comprehensive NAC product to ensure that all endpoint, identity, and network security systems work together to prevent and protect from security breaches.