White Paper
Intel Information Technology
Computer Manufacturing
Client Security

Enforcing Network Security on Connection

In response to the rise in network security threats, Intel IT is taking advantage of new industry standards to enhance its network security. Through 802.1x authentication, security policy compliance enforcement, and remediation, each device and user is identified, verified, and validated for compliance with security policies before being connected to our network.

Sagi Bar-Or, Intel Corporation
February 2007
IT@Intel
Executive Summary

As networking evolves to support both wired and wireless access, securing corporate networks from attack becomes ever more essential. Intel IT is using a new security method to authenticate devices, validate them against security compliance policies, and remediate specific problems before they connect to Intel's networks.

Our strategy includes:
• Ensuring that network hardware, firmware, and software meet the IEEE 802.1x standard.
• Authenticating all devices attempting to connect to our network.
• Checking for compliance with Intel's information security policies.
• Cleaning infected systems and bringing their configuration into compliance with security policies before they connect to our network.
• Providing wired and wireless clients an assured connection to a known network.
• Protecting mobile devices against unintentionally connecting to a hostile network.

A pilot program, which we began in September 2003, validated our approach by protecting wired and wireless client systems in office and factory environments.

This is a promising new network security method. For example, it could enable our IT managers to:
• Ensure that all systems connecting to Intel's networks meet specific security requirements.
• Enforce system states to meet security policies, for example, weekly virus scanning.
• Scan systems for recent worms and viruses and block connectivity until cleaned.
• Protect mobile laptop PCs that have been unconnected from getting or proliferating recently emerged viruses.

Intel IT has demonstrated how to use the capabilities of emerging open network security standards to combine device authentication with security policy compliance enforcement, enabling proactive remediation before a device is allowed on the network.

Today, we have completed many major milestones for on-connect authentication, including configuration and deployment of the infrastructure and clients for LAN and wireless LAN (WLAN). We are now working on the next stage: adding compliance enforcement and protecting remote-access virtual private network (VPN).
Contents

Executive Summary
Background
Network Security Risks
A New Security Paradigm
The Technologies Behind Our Solution
  Authentication Protocols
  Password-based Protocol
  Certificate-based Protocol
  Tunneling Protocol
  Security Compliance Enforcement
  Asset Registration Validation
Intel's Security Enhancement Program
  Forming a Program Team
  Gathering Requirements
  Identifying Project Scope
  Piloting the Solution
Challenges
Conclusion
Authors
Acronyms
Background

In today's networking world, companies are increasingly at risk for network attacks, from hostile intruders, viruses, and worms to server impersonations. To reduce the potential impact of such attacks at Intel, we needed to enhance security protection in our environment.

Facing this business need, Intel IT saw a solution opportunity in three new standards, all of which offer advanced authentication capabilities: the Institute of Electrical and Electronic Engineers (IEEE) 802.1x standard for port-based security, the next-generation IEEE 802.11i standard for wireless networking, and Wi-Fi* Protected Access (WPA), the Wi-Fi Alliance certification based on a draft of 802.11i.

Our solution needed to address all aspects of Intel's complex environment. Intel's networking environment includes a multitude of client platforms: desktop PCs, laptops, personal digital assistants (PDAs), and other small form-factor devices, such as smartphones. These devices use various operating systems, including Microsoft Windows*, PocketPC*, Linux*, and UNIX*.

Our environment also presents a variety of use cases, including office clients, servers, and station controllers.

Intel has hundreds of sites worldwide and approximately 100,000 employees (including contractors), each of whom has at least one PC. We've moved to a mobile environment in which more than 70 percent of our knowledge workers use mobile computers and more than 40 percent are wireless-enabled. Intel has 30,000 wireless users, 4,000+ wireless access points, and over 50,000 wired switch ports.

To address security in this complex environment, Intel IT conducted a pilot project to investigate using state-of-the-art technologies to protect network ports. We wanted to find out whether we could provide the required levels of security by combining authentication, to prevent unauthorized network access, with verification that each device connecting to the network environment is compliant with current security policies.
Network Security Risks

Today our networks face many security risks, whether wired or wireless. One of the most common is unauthorized network access. In addition, we must also protect against the threat of damage done by legitimate devices or people through the spread of worms and viruses.

But how do you deny network access to devices that are contaminated or suspicious or not compliant with current information security policies? To detect that a device is non-compliant after it is already on the network and then disconnect it is not sufficient. Worms, for example, propagate themselves very quickly in the network layer. To maximize protection, the device should not be granted access to the network at all unless or until the problem can be remediated.

Wired networks have the advantage of requiring physical access to connect to them. As a result, they can be partially protected using physical security measures such as guards or locked doors. However, even with physical security, wired networks still face the same risks from viruses and worms that wireless networks must deal with. And we must still protect the LAN environment from authorized individuals connecting unauthorized devices to the network and from malicious activity by authorized users.

By their very nature, WLANs do not lend themselves to physical protection, since they do not require devices to physically connect to the network. Incorporating wireless technology in a large, global enterprise can potentially introduce new risks into the environment if not carefully managed. Wireless ports that are not sufficiently protected can increase the risk of incursions from unauthorized network access. When a wireless network is unprotected, someone can be out in the parking lot or blocks away and still connect to the WLAN.

On the other hand, unprotected wireless clients may be vulnerable. "Rogue" wireless devices can also pose dangers to network security. They can increase the risk of server impersonation, where clients are lured onto hostile networks.
A New Security Paradigm

In response to these security challenges, the IEEE has been working on 802.11i, an emerging security standard for WLAN (ratified in 2004). This includes the existing port-based authentication standard, 802.1x, which is also used for wired LANs.

Intel IT's proof-of-concept study demonstrated that 802.1x-enabled device authentication, combined with automated scanning and enforcement of security policies, can give us control over every device attached to our network.

This new security paradigm is important to us because it has the potential to dramatically improve our ability to enforce security policy. For example, using this new approach, Intel IT managers could:
• Ensure that only authorized devices and users can connect to the network.
• Ensure that systems they don't own or maintain meet minimum security requirements, so they can make yes/no decisions on allowing connection to the network.
• Enforce system states. For example, if a full system scan has not been performed on a connecting system within the time period specified by security policy, we could force the scan prior to connection.
• Arrange to quickly scan connecting systems for a recent worm that can be detected based on a signature file, and block connectivity until the system is cleaned.
• Require mobile computers that are away from the network for a period of time to update their virus or signature file before they reconnect, protecting laptop PCs from either getting or proliferating a recently emerged virus.
The Technologies Behind Our Solution

The solution employed in our pilot combined authentication, security compliance, and asset registration validation capabilities that are now possible to implement through the 802.1x standard.

Authentication Protocols

Authentication occurs when a device tries to connect to the network, for example, through a local wired port or a wireless access point (AP). 802.1x is based on the Extensible Authentication Protocol (EAP). EAP was originally defined as the authentication framework for the Point-to-Point Protocol (PPP); 802.1x carries the same EAP exchange over Ethernet and wireless LAN ports, so that a device can be authenticated before it is granted access to the network. EAP itself does not authenticate anything. It passes through the exchange of authentication messages for a variety of authentication methods, allowing authentication software on the server to interact with its counterpart on the client before the device is connected.

In our study, we considered the following three protocol types for authentication:
• Password-based
• Certificate-based
• Tunneling

Password-based Protocol

Password-based protocols authenticate using passwords for both the device and the user. Two examples of password-based protocols are Protected EAP with Microsoft Challenge Handshake Authentication Protocol version 2* (PEAP-MS-CHAP v2) and Cisco's Lightweight Extensible Authentication Protocol* (LEAP). Of the two, LEAP sends its challenge/response exchange without a protective tunnel and is known to be vulnerable to offline dictionary attacks against a captured exchange, so it should not be chosen for new deployments; PEAP-MS-CHAP v2 runs the same MS-CHAP v2 exchange inside a TLS tunnel (see Tunneling Protocol below).
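To make the framing concrete, here is an added example (written for this edit, not code from the paper or from Intel) that parses the 802.1x packets in which these EAP methods travel and reports which method a supplicant and server settled on. Assumptions: the sample exchange is constructed inside the block (the identity host/lab-pc01, the EAP identifiers and the TLS bytes are made up); the method type numbers follow the IANA EAP registry; the grouping of methods into the paper's three protocol types is this edit's mapping, not the paper's.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# 802.1x (EAPOL) packet types; EAP packets ride in type 0.
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method types for the methods the paper names.
EAP_METHODS = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 17: "LEAP",
               21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
# This edit's grouping into the paper's three protocol types.
PROTOCOL_CLASS = {13: "certificate-based", 17: "password-based",
                  26: "password-based", 21: "tunneling", 25: "tunneling"}
# Methods whose captured exchange can be attacked offline.
WEAK_METHODS = {17: "LEAP challenge/response is crackable offline; prefer PEAP or EAP-TLS"}


@dataclass
class EapolPdu:
    version: int
    eapol_type: int
    eap_code: Optional[int] = None
    eap_id: Optional[int] = None
    eap_method: Optional[int] = None
    eap_data: bytes = b""


def parse_eapol(frame: bytes) -> EapolPdu:
    """Parse one EAPOL PDU (the bytes that follow the 0x888E Ethertype)."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, eapol_type, body_len = struct.unpack("!BBH", frame[:4])
    if eapol_type not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL packet type {eapol_type}")
    body = frame[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body shorter than its declared length")
    pdu = EapolPdu(version, eapol_type)
    if eapol_type != 0:
        return pdu                      # Start/Logoff/Key carry no EAP packet
    if body_len < 4:
        raise ValueError("truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if not 4 <= eap_len <= body_len or code not in EAP_CODES:
        raise ValueError("malformed EAP header")
    pdu.eap_code, pdu.eap_id = code, ident
    if code in (1, 2):                  # Request/Response carry a Type byte
        if eap_len < 5:
            raise ValueError("EAP Request/Response without Type")
        pdu.eap_method = body[4]
        pdu.eap_data = body[5:eap_len]
    return pdu


def summarize_exchange(frames: List[bytes]) -> Tuple[Optional[str], str, str, str, str]:
    """Walk a supplicant/authenticator exchange and report
    (identity, EAP method, protocol class, outcome, warning)."""
    identity, method, outcome = None, None, "incomplete"
    for raw in frames:
        pdu = parse_eapol(raw)
        if pdu.eapol_type != 0:
            continue
        if pdu.eap_code == 2 and pdu.eap_method == 1:
            identity = pdu.eap_data.decode("utf-8", "replace")
        elif pdu.eap_code == 2 and pdu.eap_method == 3 and pdu.eap_data:
            method = pdu.eap_data[0]    # Nak: supplicant proposes its own method
        elif pdu.eap_code == 2 and pdu.eap_method is not None:
            method = pdu.eap_method     # supplicant answered this method
        elif pdu.eap_code == 3:
            outcome = "Success"
        elif pdu.eap_code == 4:
            outcome = "Failure"
    name = EAP_METHODS.get(method, f"type {method}")
    return (identity, name, PROTOCOL_CLASS.get(method, "unknown"),
            outcome, WEAK_METHODS.get(method, ""))


# Builders for the constructed sample exchange (EAPOL version 2).
def eapol(eapol_type: int, eap: bytes = b"") -> bytes:
    return struct.pack("!BBH", 2, eapol_type, len(eap)) + eap


def eap(code: int, ident: int, method: Optional[int] = None, data: bytes = b"") -> bytes:
    body = b"" if method is None else bytes([method]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


# Constructed sample: the server offers EAP-TLS, the supplicant Naks in favour
# of PEAP, the TLS bytes are placeholders, and the server returns Success.
SAMPLE_EXCHANGE = [
    eapol(1),                                      # supplicant: EAPOL-Start
    eapol(0, eap(1, 1, 1)),                        # server: Request/Identity
    eapol(0, eap(2, 1, 1, b"host/lab-pc01")),      # supplicant: Response/Identity
    eapol(0, eap(1, 2, 13, b"\x20")),              # server: Request EAP-TLS (start flag)
    eapol(0, eap(2, 2, 3, b"\x19")),               # supplicant: Nak, wants PEAP (25)
    eapol(0, eap(1, 3, 25, b"\x20")),              # server: Request PEAP (start flag)
    eapol(0, eap(2, 3, 25, b"\x00\x16\x03\x01")),  # supplicant: PEAP, TLS stub bytes
    eapol(0, eap(3, 4)),                           # server: Success
]

if __name__ == "__main__":
    print(summarize_exchange(SAMPLE_EXCHANGE))
```

The parser checks both length fields before trusting them, because a supplicant or a rogue access point can put anything on the wire before the port is authorized; a capture-analysis tool that indexes past the declared length is the kind of pre-authentication bug an attacker looks for.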
Clients that connect to a Microsoft Windows domain already use device and user credentials to authenticate to the domain. The same credentials can be used to authenticate to the network with 802.1x.

For a device, the domain credential is the host name. The password is created when the device joins the domain and its hash is cached both on the client and in the directory. The password is changed automatically, as required by company policy (for instance, every 30 or 90 days).

For a user, the domain credential is the username and password. The user password can be made secure using domain-wide group policy objects that require passwords to meet strong password specifications and to be changed periodically. A common industry definition of a strong password specification is that passwords be at least six characters long, and include letters and digits in upper- and lowercase, with at least one special character.

Using both device and user credentials provides better protection, as they complement each other's vulnerabilities. For example, users' passwords are susceptible to social engineering (tricking a person into revealing their password) and shoulder surfing (stealing a password by looking over someone's shoulder as they type it in). The device password compensates for that, as the user never uses and does not know the device password. Unfortunately, the ability to authenticate using two credentials in the same session is not yet supported by the IEEE standard.

Another drawback of password-based protocols is that a hashed form of the user password is cached on the local hard drive to enable offline logon. This will compromise security if a laptop is stolen. The optimal solution is to not cache the logon credential. However, if the password must be cached to enable offline logon or roaming, it can still be protected with a non-cached PIN, using a hardware module such as a trusted platform module (TPM) to provide tamper-resistant storage.

Certificate-based Protocol

Computer certificates significantly improve the level of security and resistance to brute force attacks. However, certificate-based protocols such as EAP-Transport Layer Security (EAP-TLS) require a public key infrastructure (PKI), which adds a level of complexity and cost. A certificate authority (CA) must be established to generate the certificates, and a system put in place for deployment and maintenance to revoke, renew, and track certificates. Certificates can be purchased from a commercial source, but they still need to be deployed and maintained. Nevertheless, once the PKI and certificate-based authentication are established, it is a highly stable and scalable service.

The optimum approach is to use separate certificates for device and user authentication and to require both forms of authentication before allowing network access. However, a certificate on its own may not be the best option for device authentication, as the credential needs to be bound to the device: a certificate and private key that sit on the hard drive can be copied to another machine. One solution is to store the certificate's private key in the TPM on the computer, if the ease of use for customers makes that additional risk worthwhile.
Tunneling Protocol

Tunneling protocols enable a secure tunnel between the client (supplicant) and the authentication server, allowing the authentication process to occur securely; the authenticator (switch or access point) only relays the tunneled EAP messages. The protocol is said to "tunnel" because it pushes through different types of packets, encapsulating them inside an outer protected session. Tunneling protocols transport multiple protocols over a common network and provide the vehicle for encrypted VPNs. In the network authentication case, the tunneling protocol is used to perform the authentication session in a protected way, so that a password-based inner method is not exposed to anyone listening on the wire or the air. Examples of tunneling protocols include Protected EAP (PEAP) and Tunneled TLS (TTLS).

The protection depends on the client validating the authentication server's certificate before it sends its inner credential. A client that accepts any server certificate can be lured by a rogue access point (see Network Security Risks above) into completing its password exchange with the attacker's server.

Security Compliance Enforcement

Authentication is an important step in protecting networks from unauthorized access, but it's only one piece of the puzzle. Gartner Group was forecasting that, "by the first quarter of 2005, enterprises that don't enforce security policies during network login will experience 200 percent more network downtime than those that do (0.7 probability)."1 By introducing security compliance at Layer 2 of the network stack, devices can be identified as authorized to access the network as well as compliant with information security policies.

To become security compliant, the device must pass a series of checks, according to predefined policies. For example, security patches, virus definitions, and other security-related configuration components can be checked against a database for compliance. This compliance scanning can also verify that critical security services, such as virus protection, are running on the device.

Security compliance can be enforced in several ways before a device is allowed to connect to the production network. Here are three examples:
• Do not enter. When detected as non-compliant, the device is not allowed access. This method is elegant in its simplicity; however, users need the ability to contact a support center when access is denied.
• Partial access. When detected as non-compliant, the device gains partial access to the network. That is, it is issued a valid IP address, but can only access limited resources.
• Remediation. When detected as non-compliant, the device is redirected to a non-production (remediation) network. In this network, the device's security compliance is updated. Remediation can be done using various levels of automation.

Once the device (known as a supplicant) is verified to be compliant, it can be assigned an IP address and allowed to access the network, as shown in Figure 1.

There are several technologies in the domain of compliance enforcement on connect. They can be divided into three main types, according to the policy enforcement point (PEP):
• The client as the enforcement point. Typically achieved by a personal firewall or another low-level device driver at the network driver interface (NDI) level, which controls network access for the device.

1 "Scan, Block and Quarantine to Survive Worm Attacks." Gartner Group. Paper ID T21-7-7550.
• A network service as the enforcement point. In this technology, a network device limits network access per device. This is achieved by a network access server (NAS), or, for example, Dynamic Host Configuration Protocol (DHCP).
• A proprietary network appliance as the enforcement point. In this method, a specific network appliance captures the packets and controls them accordingly.

Asset Registration Validation

A third condition for allowing a device to be connected to the network is verifying that the device is registered. Verification can be done with an existing database in the organization. The approach is similar to compliance scanning and enforcement, described above.

Figure 1. Device authentication and compliance enforcement process. The figure shows wired and wireless clients (supplicants) attaching through a network switch or a wireless access point, with an authentication server and a compliance server on the production network and a separate remediation zone with remediation services. Step 1: Authentication (Identity, Layer 2). Step 2: Compliance with Policies (Layer 2). Step 3: Open Port, Assign IP Address, Grant Network Access (Layer 3). A "NO" at step 1 stops the connection; a "NO" at step 2 sends the client to the remediation zone, or stops it where remediation is not possible.
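The three steps of Figure 1, the three enforcement styles, and the asset registration check can be written down as one policy decision. The following is an added example written for this edit, not the paper's or Intel's compliance software. The device records, the policy thresholds, the patch identifier and the zone names (production, restricted, remediation) are constructed; the split between critical findings, which block access, and non-critical findings, which only prompt the user, follows the distinction the paper draws in its Challenges section.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple

# Constructed zone names for the networks in Figure 1.
PRODUCTION, RESTRICTED, REMEDIATION, NO_ACCESS = "production", "restricted", "remediation", "none"


@dataclass
class DeviceState:
    """What the authenticator, the asset registry and the compliance scan report."""
    host: str
    authenticated: bool          # Step 1: 802.1x identity check passed
    registered: bool             # asset registration validation
    av_running: bool             # critical security service is running
    av_definitions: date         # date of the installed virus signature file
    last_full_scan: date
    missing_patches: Dict[str, str] = field(default_factory=dict)  # id -> "critical" | "non-critical"


@dataclass
class Policy:
    mode: str = "remediation"    # "deny" (do not enter), "partial", or "remediation"
    max_definition_age_days: int = 7
    max_days_between_scans: int = 7


@dataclass
class Decision:
    action: str                  # "deny", "partial", "remediate", or "grant"
    zone: str
    findings: List[str] = field(default_factory=list)   # reasons for the action
    prompts: List[str] = field(default_factory=list)    # shown to the user on grant


def check_compliance(dev: DeviceState, pol: Policy, today: date) -> Tuple[List[str], List[str]]:
    """Step 2: return (critical findings, advisory findings) for the device."""
    critical, advisory = [], []
    if not dev.av_running:
        critical.append("anti-virus protection is turned off")
    def_age = (today - dev.av_definitions).days
    if def_age > pol.max_definition_age_days:
        critical.append(f"virus definitions are {def_age} days old")
    scan_age = (today - dev.last_full_scan).days
    if scan_age > pol.max_days_between_scans:
        critical.append(f"no full system scan for {scan_age} days")
    for patch_id, severity in sorted(dev.missing_patches.items()):
        target = critical if severity == "critical" else advisory
        target.append(f"missing {severity} patch {patch_id}")
    return critical, advisory


def decide(dev: DeviceState, pol: Policy, today: date) -> Decision:
    """Apply Figure 1: identity, then registration and compliance, then access."""
    if not dev.authenticated:
        return Decision("deny", NO_ACCESS, ["802.1x authentication failed"])
    if not dev.registered:
        return Decision("deny", NO_ACCESS, ["device is not in the asset registry"])
    critical, advisory = check_compliance(dev, pol, today)
    if not critical:
        # Step 3: open the port. Non-critical findings become a prompt, not a block.
        return Decision("grant", PRODUCTION, advisory, [f"please fix: {f}" for f in advisory])
    if pol.mode == "deny":
        return Decision("deny", NO_ACCESS, critical)
    if pol.mode == "partial":
        return Decision("partial", RESTRICTED, critical)
    return Decision("remediate", REMEDIATION, critical)


# Constructed sample devices, evaluated on a constructed date.
TODAY = date(2007, 2, 15)
SAMPLE_DEVICES = [
    DeviceState("lab-pc01", True, True, True, date(2007, 2, 14), date(2007, 2, 12)),
    DeviceState("lab-pc02", True, True, False, date(2007, 2, 14), date(2007, 2, 12)),
    DeviceState("lab-pc03", True, True, True, date(2007, 2, 14), date(2007, 2, 12),
                {"KB-0001": "non-critical"}),
    DeviceState("lab-pc04", True, False, True, date(2007, 2, 14), date(2007, 2, 12)),
    DeviceState("lab-pc05", True, True, True, date(2006, 12, 1), date(2007, 2, 12)),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev.host, decide(dev, Policy(), TODAY))
```

The order of the checks matters: registration and compliance are only evaluated for a device that has already proved its identity, so an unauthenticated supplicant learns nothing about the policy from the response it gets.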
Intel's Security Enhancement Program

Our investigations were prompted by a combination of business need and emerging technologies. Intel's business units were calling for next-generation authentication and security methods to address the increase in security threats to the corporate network. At the same time, the 802.11i networking standard promised port-based authentication technology to address these needs.

Forming a Program Team

We began by bringing together Intel IT managers who had a vested interest in the problem and solution, including IT client, network, security, and server infrastructure groups. We defined a core team who would participate in mapping requirements and use cases, then architect a solution, as well as a management review council (MRC) to make decisions as we proceeded. As the program progressed, we added additional team members to develop, test, and certify the solution.

Gathering Requirements

To build the right solution, we had to fully understand the business needs and customer requirements. We spent time gathering requirements from Intel's business units, the customers for our IT solution, to understand their specific business needs and requirements for the solution. We defined use cases and brainstormed about the technologies and possibilities.

Identifying Project Scope

To determine the scope of our project, we identified which networks needed defending and which platforms and operating systems needed to access those networks. We decided on key use cases.

Phased Implementation

Due to the complexity of deployment and the number of new technologies in the pilot, we decided to take a phased approach to implementation. Each phase gradually raises the technology level, as well as the opportunity to study more varied use cases. Later phases incorporate more use cases and enhanced security methods.

Mission Statement

The outcome of our first brainstorming was a mission statement:
• Every device attempting to become a node on the network must pass authentication, security policy compliance enforcement, and asset registration validation to gain access.

Designing the Solution

We evaluated the available network and client technologies for authentication, security compliance, and asset registration validation. We knew we wanted to incorporate appropriate authentication and compliance scanning hardware tools, but realized that not all required technologies existed or were mature at the time of our program's inception. Based on the initial exploration, we developed long-term, medium-
term, and short-term architectures based on the 802.1x standard for port-based network access control (which 802.11i adopts for WLAN). We designed solutions that would align with that architecture and support the business and customer requirements, and also defined integration requirements.

Defining Core Components

We defined reference designs for the core components of the Phase 1 authentication and security compliance enforcement system, based on the architecture. Among the core components were switch configuration, network ports, authentication, authorization and accounting (AAA) server infrastructure, PKI, wireless access points, dynamic account management, and client operating systems and configuration. We established an engineering sub-team for each core component reference design to develop, test, and certify solutions. We tested individual components and certified them for use within our environment. We then integrated the components to make sure they worked as a system.

Upgrading the Network

We began with the important task of upgrading all ports involved in Phase 1 to the 802.1x standard. We mapped all network ports, including LAN and WLAN, identifying all switches and access points on the network that would need firmware or hardware upgrades to support 802.1x. This upgrade would be necessary to afford us control over every port that attaches devices to the network.

Identifying Use Cases and Clients

We decided on two use cases for Phase 1: office user and factory user. We selected user platforms for Phase 1 based on Intel® Centrino® mobile technology.

Piloting the Solution

With the design in place for Phase 1, we began engineering the solution. This involved establishing the back-end infrastructure and arranging for the required network firmware and hardware upgrades, then preparing for client updates.

To test the viability and usability of our solution, we sought and received management approval to begin an initial proof of concept. In September 2004, we demonstrated our solution at the Intel Developer Forum. We showed how it could work, using Intel Centrino mobile technology-based client laptops running EAP, Intel® PROSet/Wireless software, and our custom compliance enforcement software for the demo.

Getting Certification

Intel has rigorous processes for certifying any solution that could potentially be deployed in the enterprise. To ensure we had a valid pilot, we are using the pilot data to get both the components and the entire system certified by our IT standards body.
Steps to Developing a New Security Method

Our experiences with this pilot and other security and compliance projects have led us to craft a 10-step plan for developing new security methods.

1. Identify the need. Explorations of new security methods are typically driven by a combination of business need for enhanced network security and emerging technologies.

2. Identify the players and form the team. In response to the identified need, Intel IT initiates a program to investigate possible solutions. When launching this type of program, we initiate a core team to participate in developing and engineering the solution and an MRC to make decisions.

3. Gather requirements and identify the project scope. We begin by gathering requirements from the Intel business units, our IT customers. We scope the project to determine which networks, platforms, and operating systems our solution needs to support. We identify the ports that need protecting. We decide whether to approach the problem with a phased deployment.

4. Explore the technologies and design the solution. We evaluate the available technologies, determine which will best meet our needs, and develop an architecture. We then design solutions in alignment with that architecture, which support the business requirements.

5. Determine the components. We define reference designs for core system components, based on the architecture, and establish a project sub-team for each component. We test individual components and certify them for use within our environment, then integrate components to make sure they work as a system.

6. Pilot the solution. To test the success and usability of our security enforcement solution, we perform a proof-of-concept test and a series of pilots for each phase of our deployment. Deploying each pilot involves establishing the back-end infrastructure and arranging for network upgrades, then preparing for client updates.

7. Certify the solution. We use the pilot data to get the components and the entire system certified by our standards body for deployment throughout the enterprise.

8. Prepare the budget. While the pilot and certification efforts are ongoing, we prepare a deployment budget.

9. Get management approval. As we proceed with our program, we seek and get management approval at major milestones before advancing to each next activity. When the pilot is complete, we submit the pilot results, certifications, and deployment budget to the MRC for approval to deploy.

10. Deploy the solution across the enterprise. Once we have management approval, the final step is deploying the solution in our corporate environment. This involves establishing the back-end infrastructure, arranging for network upgrades, preparing clients, and setting up maintenance and sustaining activities.
Challenges

One of the major challenges for the program was that not all required technologies existed or were mature when we began our study. Initially, authentication was the only available technology. Today, numerous products are offered, or will be offered soon, that include asset registration, validation, or compliance enforcement.

Components that have not yet been released, such as some used in our pilot studies, can introduce short-term issues that disappear when that component is released. For corporate-wide deployment, all components must be in production.

However, the benefit of an early pilot is that we can submit our requirements and concerns to component manufacturers in the early stages of their products, making it more likely that we get the features we need when the component is released.

Another challenge is the need to update each and every component. A well-known slogan is “your network is as secure as the weakest link.” This reflects the need to cover all the access points to the corporate network, for example, all the LAN switches.

Applying a new security scheme to the network poses the classic challenge of security versus usability, so we must find the path between security and manageability. We don’t want to lock legitimate users out, even if they are not 100 percent compliant. For example, if a computer has anti-virus detection turned off, we must prevent access. But if it is missing a non-critical security patch, we can grant access along with a prompt to the user to install the patch. The solution is to clearly define policies.

We must also address waivers and exceptions. In large organizations, there will always be devices and users that must be treated differently, for example, printers, network detection devices, and lab computers. We must also have a process in place to identify and address waivers and exceptions.

Lastly, working on this type of program requires cross-organizational cooperation within the organization. This is a comprehensive solution that covers client, network equipment, and back-end servers. In our program, excellent cooperation between all teams was a key success factor.
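The policy decisions described above (deny when anti-virus detection is off, admit with a prompt when only a non-critical patch is missing, route waivers through a separate exception list) as an added Python example; this is not code from Intel's program, and the device ids, patch labels, and the rule that a missing critical patch also denies access are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    DENY = "deny"                      # no network access (quarantine/remediation network)
    ALLOW_REMEDIATE = "allow+prompt"   # grant access, prompt the user to fix the gap
    ALLOW = "allow"


@dataclass
class Posture:
    """Constructed client report: what the compliance scan found on one device."""
    device_id: str
    registered: bool                   # asset registration validated
    antivirus_on: bool                 # anti-virus detection running
    # patch id -> "critical" or "non-critical" (constructed labels)
    missing_patches: dict[str, str] = field(default_factory=dict)


# Constructed waiver list (hypothetical ids): devices that cannot run a posture
# agent and are handled by a separate exception process (printers, lab gear).
WAIVERS = {"printer-07": "waiver: no agent support", "lab-pc-3": "waiver: lab network only"}


def evaluate(p: Posture) -> tuple[Decision, list[str]]:
    """Return the access decision and the reasons to log or show the user."""
    if p.device_id in WAIVERS:                       # exceptions are decided first
        return Decision.ALLOW, [WAIVERS[p.device_id]]
    if not p.registered:                             # unknown asset: never admitted
        return Decision.DENY, ["device not in asset registry"]
    if not p.antivirus_on:                           # AV off: prevent access
        return Decision.DENY, ["anti-virus detection disabled"]
    critical = sorted(k for k, v in p.missing_patches.items() if v == "critical")
    if critical:                                     # assumed: critical gaps also deny
        return Decision.DENY, [f"missing critical patch {k}" for k in critical]
    noncrit = sorted(k for k, v in p.missing_patches.items() if v != "critical")
    if noncrit:                                      # minor gaps: admit, prompt to install
        return Decision.ALLOW_REMEDIATE, [f"install {k}" for k in noncrit]
    return Decision.ALLOW, []


if __name__ == "__main__":
    for sample in (Posture("pc-1", True, False),
                   Posture("pc-2", True, True, {"KB-A": "non-critical"}),
                   Posture("printer-07", False, False)):
        print(sample.device_id, *evaluate(sample))
```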
Conclusion

During our pilot program to implement improved security methods at Intel, we identified the necessary infrastructure (hardware, firmware, and software) to support secure network access, enforced as devices connect to our LANs and WLANs. Our approach authenticates the device and user to the network, authenticates the network server to the client, checks the client for compliance with the current security policies, and provides remediation for non-compliant devices.

Our best defense against unauthorized network access and other security threats is combining security compliance scanning and enforcement with state-of-the-art authentication. Through authentication and asset registration validation, we can ensure that only authorized devices are allowed on the network. By applying security policy compliance checks, we can ensure that infected or vulnerable devices do not gain access to networks to allow propagation of worms and viruses. Through this combination of methods, we are reducing our security risk.

Authors

Sagi Bar-Or is a systems engineer with Intel Information Technology.

Acronyms

AAA authentication, authorization, and accounting
AP access point
CA certificate authority
EAP Extensible Authentication Protocol
IEEE Institute of Electrical and Electronics Engineers
LEAP Lightweight Extensible Authentication Protocol
MRC management review council
MS CHAP Microsoft Challenge Handshake Authentication Protocol
NAS network access server
NDI network driver interface
PDA personal digital assistant
PEAP Protected EAP
PEP policy enforcement point
PKI public key infrastructure
PPP Point-to-Point Protocol
TKIP Temporal Key Integrity Protocol
TLS Transport Layer Security
TPM trusted platform module
TTLS Tunneled TLS
VPN virtual private network
WLAN wireless LAN
www.intel.com/IT

This paper is for informational purposes only. THIS DOCUMENT IS PROVIDED AS IS WITH NO WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY, NONINFRINGEMENT, FITNESS FOR ANY PARTICULAR PURPOSE, OR ANY WARRANTY OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. Intel disclaims all liability, including liability for infringement of any proprietary rights, relating to use of information in this specification. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted herein.

Intel, the Intel logo, Intel. Leap ahead. and Intel. Leap ahead. logo, and Centrino are trademarks or registered trademarks of Intel Corporation or its subsidiaries in other countries.

* Other names and brands may be claimed as the property of others.

Copyright 2007, Intel Corporation. All rights reserved.

Printed in USA. Please Recycle. 0207/ARM/RDA/PDF ITAI Number: 06-4705w
