White Paper February McAfee Policy Enforcer. Securing your endpoints for network access with McAfee Policy Enforcer.

Transcription

1 White Paper February 2006 McAfee Policy Enforcer Securing your endpoints for network access with McAfee Policy Enforcer

2 White Paper February 2006 Page 2 Table of Contents Executive Summary 3 Enforcing Network Access Policies Reduces Risks 3 Complete Enforcement Coverage for Network Access How It Works 4 McAfee Policy Enforcer Architecture 7 Summary 10 About McAfee 10

3 White Paper February 2006 Page 3 Securing your endpoints for network access with McAfee Policy Enforcer Executive Summary Companies are allowing broader access to information resources at a time when the risks of a security breach have never been greater. Increased collaboration and outsourcing mean that business partners perform integral business functions ranging from product design to customer service from around the globe. Guests, contractors, and consultants need access to network services and core enterprise applications at your locations. And companies workforces are increasingly mobile, with employees connecting to the corporate enterprise from Wi-Fi hotspots in hotel rooms, coffee shops, and from their homes. At the same time, external threats are evolving rapidly and increasing in sophistication. Blended threats are commonplace, such as using spam to spread worms and other malicious code. To compound the challenge, the entry of a single non-compliant laptop or handheld can render a secure network vulnerable to attack. A single employee can inadvertently infect the entire corporate network by working on an unprotected device over an untrusted connection. The challenge for enterprise security managers is to permit employees in corporate locations and home offices, as well as contractors, consultants, and other users, to access the corporate network without compromising business availability or increasing risk. Enforcing security policies for network access is more critical than ever. Stringent requirements for protecting proprietary company information and ensuring business continuity are mandated not only by companies internal business policies, but also by a growing number of legal regulations. A security breach can damage consumer trust and incur significant financial and legal penalties. The escalating cycle of newly discovered vulnerabilities and the ensuring software patches is creating patch fatigue among many security administrators, which increases the risk of widespread threats. Scheduling periodic software updates and system checks simply can t keep pace with the realities of an always-on business world. At best, locating and isolating infected systems to prevent damage from occurring is time- and resource-intensive and, at worst, impossible. A proactive approach to defining and enforcing network access policies is required. McAfee Policy Enforcer protects enterprises by preventing non-compliant systems from accessing the corporate network. Policy Enforcer is a platform-independent approach that works with most any operating system, virtual private network (VPN), or network, ensuring a low cost of ownership. Policy Enforcer uses proven, enterpriseclass technologies such as McAfee epolicy Orchestrator (epo ), which is used by more than tens of thousands of customers worldwide. It also incorporates remote scanning technology from McAfee Foundstone to identify network vulnerabilities and assess risk. Plus, Policy Enforcer extends and enhances the Cisco Network Admission Control (NAC) enforcement framework, and it will also enhance the Microsoft Network Access Protection (NAP) and Trusted Computing Group Trusted Network Connect (TNC) 802.1x frameworks as they become available. epo delivers a coordinated, proactive defense against malicious threats and attacks for the enterprise. McAfee s acquisition of Foundstone provides strong capabilities in asset management, risk management, and compliance. Proven threat prevention tools such as McAfee IntruShield, McAfee Host Intrusion Prevention System (Host IPS), and McAfee AntiSpyware Enterprise provide comprehensive protection of networks and systems. Policy Enforcer completes the picture by enforcing security policies at the network access level. This white paper provides a technical overview of McAfee Policy Enforcer, a network access control solution, and will give enterprise security and network managers an understanding of the Policy Enforcer architecture, how it works, and various enforcement scenarios. Enforcing Network Access Policies Reduces Risks McAfee Policy Enforcer is a powerful assessment and enforcement solution that protects enterprises by preventing non-compliant systems from accessing the corporate network. If a system is vulnerable or infected, the user simply cannot connect to the network or will be routed

4 White Paper February 2006 Page 4 to a quarantine area of the network designed to control attacks and where remediation can be initiated. Consider the following examples of key network risks: Onsite managed system An employee connects his laptop to the corporate network. But last night he was working from home on an unprotected connection, and his system has been compromised with a worm. Policy Enforcer identifies that the laptop lacks the protection for the newly discovered threat and redirects it to a quarantine network where the problem can be fixed. The threat is avoided Onsite unmanaged system Consultants are collaborating closely with marketers on plans for a hot new product launch. The consultants need access to relevant collaboration tools, but they do not have the security applications and patches required for full network access. Policy Enforcer can automatically place the consultants systems in a subnet of the network with limited access, so they can access the needed resources without compromising corporate security. Network access is controlled Remote managed system The vice president of sales connects to the corporate network over a VPN connection from a hotel room, but her laptop has an out-of-date antivirus definition file because she was traveling when the update became available. Policy Enforcer notes that the laptop does not comply with the network access policy, and so it prevents the VPN connection from completing until the new anti-virus definition files are downloaded. The network is protected Remote unmanaged system An outsourcing partner needs access to corporate network resources from its own site using a VPN. Policy Enforcer verifies that the partner s systems comply with the company s network access policies before allowing access via the Internet. Security is maintained Policy Enforcer performs a granular assessment of systems that connect over the local area network (LAN) or remotely to determine whether the systems comply with corporate network access policies. With Policy Enforcer, enterprise security managers can keep their networks clean and secure, and also gain a way to view, enforce, and report on the compliance of users systems to specified policies from a single management console. Policy Enforcer delivers the lowest cost of ownership by leveraging organizations existing infrastructures. It is platform-independent, so it works seamlessly in a heterogeneous environment comprised of all major types of switches, operating systems, and VPNs. It uses epo to centrally deploy updates and manage network security, which lowers implementation and integration costs. Policy Enforcer s software-based policy compliance scanners and network access sensors lower the total cost of ownership. A software-based enforcement strategy means organizations gain proactive policy enforcement without investing in expensive hardware appliances or making forklift upgrades to their existing security and network infrastructures. Organizations can leverage their existing McAfee desktop footprint to simplify deployment to tens of thousands of managed systems or can deploy Policy Enforcer in an agentless mode. Ultimately, Policy Enforcer delivers scalable policy enforcement unparalleled in the industry. Its distributed architecture is designed to scale to meet the needs of even very large enterprises while remaining easy to manage. Complete Enforcement Coverage for Network Access How It Works Policy Enforcer provides protection across all stages of network access control policy definition, system detection, system assessment, network enforcement, and system remediation. The security administrator begins by defining endpoint security policies for network access control. Policy Enforcer then detects systems as they come onto the network, actively assesses them for compliance with the specified security policies, enforces network access, and provides the remediation action specified by the administrator. Policy Enforcer is comprised of three major software components: the Policy Enforcer Server, Policy Enforcer Sensor, and Policy Enforcer Scanner. The Policy Enforcer Server provides the core administration infrastructure. Policy Enforcer Sensors, which are at key locations in the enterprise, detect systems coming onto the network and enforce policies. Policy Enforcer Scanners reside on the network, desktops, laptops, and other systems to scan for compliance with security policies. The architecture is described in detail later in this white paper. The process for defining network access policies is consistent across all types of enforcement scenarios, while the methods for detecting, assessing, and enforcing compliance vary based on connection type. The security administrator defines the network access policy based upon the organization s security requirements. Each policy consists of rules that check for the existence and configuration of software on the covered systems plus enforcement options if a system does not comply.

5 White Paper February 2006 Page 5 Network access control for LAN-based employees with McAfee host enforcement Self-enforcement or host-based enforcement is provided through the Policy Enforcer Scanner, which is deployed as a small update to all managed systems running the epo agent. In this host enforcement model, the Policy Enforcer Scanner is network-connection and location aware. Before network access is granted to a device running the Policy Enforcer Scanner, the system is locally scanned and assessed to verify that it complies with the security policy. A deep, granular compliance assessment is performed, such as verifying vital patch compliance and security application compliance for McAfee and third-party solutions, as well as ensuring that high-risk viruses are not present. (For a complete list of compliance checks, refer to Table 1.) A final list of checks is processed and executed at the endpoint. These checks are then tallied up to determine system posture, and, based on this posture, the system is either allowed network access, blocked, or quarantined. Policy Enforcer also provides for continuous scanning of systems, based on administratordefined time periods. of what happened and the remediation steps to take. This remediation Web portal can provide users with the ability to update their systems to comply with corporate security policy requirements without calling the help desk. Network access control for LAN-based guest systems with McAfee switch enforcement Unmanaged systems (or rogue systems) on the LAN typically belong to contractors, consultants, or other guests. The Policy Enforcer Sensor detects unmanaged systems as they attempt to connect to the network. The Policy Enforcer Server will use the Policy Enforcer Scanner nearest to the unmanaged system either to remotely scan the system using administrator-supplied credentials such as a domain account, or to perform a non-credentialed scan. If a managed system complies with the security policy, it grants itself full network access. If it fails to comply, the administrator can specify an action allow access, allow access and alert the administrator, confine itself to a set of quarantined network resources, or locally block access to the network. Allowing network access to non-compliant systems usually happens under special circumstances, such as when authoring new rules or in an emergency, during which the administrator would want to ignore a non-compliant system. The administrator can be notified of the system s noncompliance via or SNMP, and the event is logged. LAN-based managed systems can be quarantined or dropped. A system is prevented from communicating with the network by locking down a network driver in the Policy Enforcer Scanner, which blocks all incoming and outgoing traffic, except for remediation servers and other administrative network traffic, until a remediation action and resulting successful compliant scan is achieved. When users are denied access or placed in a quarantine area, they can be given instructions for remediation via a remediation Web portal. Administrators can customize the remediation Web portal to include a user-friendly definition Policy Enforcer Sensors detect workstations and laptops as they come onto the network. Sensors are deployed to strategic locations inside the network such as near a DHCP server, a switch, or a router, where they can view network traffic. Compliant systems are granted network access, whereas the administrator can specify an action for non-compliant or uncredentialed devices allow access, allow access and alert the administrator, quarantine to an isolated section of the network, or drop from the network at the switch port.

6 White Paper February 2006 Page 6 If an end system does not have the Policy Enforcer Scanner, it can be remotely scanned by a nearby server. An indeterminate scan result may occur if an unmanaged system does not respond to credentials provided by the administrator for remote scanning. This condition can be considered a failure, depending on administrator preferences, and may result in a network access mode change or simply a notification. Policy Enforcer can quarantine a non-compliant unmanaged system on the network by physically changing its virtual LAN (VLAN) using SNMP. Policy Enforcer instructs the switch to which the node is attached to change the VLAN on the switch port to a quarantine VLAN. This quarantine VLAN should be configured to have restricted access to resources, thereby allowing communication with remediation servers and the Policy Enforcer Server, while eliminating exposure from the non-compliant device. Unmanaged systems can also be dropped from the network. The Policy Enforcer Server and Policy Enforcer Sensor instruct the switch to physically turn off the switch port for that system, so no communication is possible. Network access control for remote IPsec VPN systems Remote managed systems are typically employees systems accessing the network over an IPsec VPN connection. VPNbased systems are detected when they try to connect to the VPN appliance or server. At that time, the VPN client requests a system scan and the VPN concentrator grants or denies network access based on the results of the scan. The scan is performed locally as the Policy Enforcer Scanner is integrated with the IPsec client. Policy Enforcer supports Check Point, Cisco, Juniper, and Nortel VPN solutions. Communication between the Policy Enforcer Sensor and Policy Enforcer Server during the quarantine ensures that moving the non-compliant system from the original switch port to the quarantine switch port neither evades quarantine operations, nor results in multiple switch ports being configured for a single node. Quarantined systems can be redirected to a remediation Web portal where the systems may be brought up to policy and granted full network usage. Once the system has achieved compliance, the system can be returned to its original VLAN. Systems that cannot be brought up to policy standards can be left in the quarantine network and given access that the policy dictates is appropriate. McAfee Policy Enforcer is tightly integrated with IPsec and SSL VPN clients.

7 White Paper February 2006 Page 7 The resulting enforcement action depends on the policy enforcement mode and the VPN provider: do nothing, quarantine, or block. Blocking prevents the VPN connection from being completed. The VPN client itself handles the block and alerts the user as to why the connection was denied. Subsequent connection attempts are reassessed by the Policy Enforcer Scanner, and once the scan passes, the VPN connection is allowed to complete. Information about the failed attempt is relayed to the Policy Enforcer Server for forensic analysis and reporting. Network access control for unmanaged SSL VPN systems Customers, partners, and contractors may access your network using a remote unmanaged system, typically via a Secure Sockets Layer (SSL) VPN connection over the Internet. Unmanaged systems connecting over an SSL VPN are detected and assessed when the VPN client attempts to create a connection to the VPN. SSL-based VPNs typically download the VPN client each time a connection attempt is requested, and because of Policy Enforcer s tight integration with the leading SSL VPNs, the Policy Enforcer Scanner components are automatically downloaded with the SSL VPN client. The Policy Enforcer Scanner scans the system for compliance with the security policy and returns a pass or fail to the VPN client. If the client passes the assessment, the connection is completed. If the system does not comply, the VPN client denies the connection or redirects it to a different network for remediation. The VPN client software alerts the user as to why the connection was denied or modified. Policy Enforcer provides a complete network access control solution for the enterprise, covering the corporate office, branch offices, remote users, and conference rooms. Tightly integrated with epo and capable of performing agent-based, agentless, and agent-on-demand compliance and risk assessment, the solution offers organizations the ability to deploy the solution in phases that align with their network access control goals. McAfee Policy Enforcer Architecture As previously noted, Policy Enforcer is a software-based solution comprised of three major components: Policy Enforcer Server, Policy Enforcer Sensor, and Policy Enforcer Scanner.

8 White Paper February 2006 Page 8 Policy Enforcer Server The Policy Enforcer Server provides the user interface and infrastructure where security administrators can define and manage network access policy, schedule assessment scans, and create reports. The Policy Enforcer Server also generates alerts. Policy rules may include how often security patches are updated, what version of the virus definitions is required for anti-virus software, or if a particular system has a different connection policy assigned because of sensitive material on the hard drive. Each rule specifies the operating system and other criteria. It also describes which end nodes should be scanned for which properties. A simple rule may state that all Windows XP end nodes on the network must have patch MS installed. A more complex rule may state that all Windows 2000 server platforms starting with the NetBIOS name SRV on the network must have Service Pack 4 and patches MS04-044, MS04-040, and MS05-002, anti-virus DAT files that are no more than one version older than the currently released DAT version, and not be infected with the MyDoom virus. If a device is not compliant with the endpoint security policy, the administrator specifies whether it is audited only, quarantined and redirected to a remediation Web portal, or dropped from the network. The administrator can create a list of trusted end nodes that are exempt from network access enforcement. These systems are tracked and reported but are never scanned or acted upon. Trusted end nodes allow for enforcement flexibility across the enterprise, preventing mission-critical end nodes such as servers, storage servers, or printers from ever being removed from the network in the event of a compliance failure. Policy Enforcer uses epo s powerful management interface and reporting and notification capabilities, enabling enterprises to gain a comprehensive policy enforcement tool with minimal effort. The Policy Enforcer Server may be installed on the same server as epo to leverage powerful server hardware, or it may be installed on a separate server to offload additional processing and provide scalability in very large enterprises. Policy Enforcer Sensor Policy Enforcer Sensors automatically detect the presence of all LAN-based end nodes, whether on wired or wireless connections, and create a real-time map of the network topology. The network topology discovery leverages protocols and technologies available on most manageable Layer 2 switches and routers. Policy Enforcer listens for broadcast traffic from the switches as well as DHCP requests from incoming nodes. The sensors examine the network traffic for information such as MAC address, subnet, and VLAN, which is securely communicated to the Policy Enforcer Server for evaluation. Sensors are deployed to strategic locations inside the network, such as near a DHCP server or router. Rules for policies can be set by operating system and other criteria.

9 White Paper February 2006 Page 9 The Policy Enforcer Sensor automatically discovers the network topology and creates a map for real-time network-access compliance enforcement. Multiple sensors may be used to cover the entire enterprise. Redundant sensors provide for maximum security and availability. Servers and other systems that use static IP addressing require a sensor deployed to their broadcast subnet so traffic may be captured and parsed. Policy Enforcer Sensors build a real-time map of the network topology switches, switch ports, routers, and other sensors. The sensors use this topology map to rapidly quarantine or remove a system that fails to comply with policy from the network before any potential damage can be done. The Policy Enforcer Sensor can also control the switch or router. If a non-compliant system is to be placed on the quarantine VLAN or blocked from the network completely, then the Policy Enforcer Server securely communicates instructions to the Policy Enforcer Sensor to configure the switch for that enforcement mode. If the switches have been upgraded to be compatible with Cisco NAC enforcement framework, then the Policy Enforcer Sensor will communicate the need to quarantine or block the system with Cisco NAC. Administrators can enable or disable topology discovery for each sensor from the Policy Enforcer Server console. Each Policy Enforcer Sensor may be managed and configured separately, allowing for flexible deployment. For strong security, the Policy Enforcer Sensors use SSL to communicate with the Policy Enforcer Server. The structure of the data is stored in XML on the Policy Enforcer Sensor and in the Policy Enforcer Server database for maximum flexibility and easy integration with third-party management applications. Policy Enforcer Scanner The Policy Enforcer Scanner intercepts and prevents network communication on the host if it fails the endpoint compliance scan. Policy Enforcer provides both host-based compliance scanning for self-enforcement of managed systems and remote compliance scanning for systems that are not directly managed by Policy Enforcer, affording the most comprehensive policy enforcement. The Policy Enforcer Scanner has three functions: detect, assess, and quarantine. The Policy Enforcer Scanner is a TDI network driver and is used in both the detection and quarantine processes. All functions are used in the selfenforcement mode and only the assess function is used in the remote scanning mode. For remote scanning, detection is accomplished with Policy Server Sensors and quarantine is accomplished through VLAN switching. The Policy Enforcer Scanner is based on Foundstone scanning technology to evaluate system compliance. Policy Enforcer offers comprehensive scanning, including the checks listed in Table 1:

10 White Paper February 2006 Page 10 Category Threat/ Mydoom infection checks Sasser Zotob Bagle Nachi Netsky Plus many others Host anti-virus Microsoft service packs Host firewall Host intrusion prevention Patch management agents Host antispyware System/policy management agents Patch assessment McAfee VirusScan Enterprise and McAfee VirusScan Symantec AntiVirus and Norton AntiVirus Trend Micro OfficeScan and ServerProtect Computer Associates eztrust AV Sophos Anti-Virus Microsoft Windows Update Microsoft patches for service packs, operating systems, Internet Explorer McAfee Desktop Firewall Sygate Firewall Symantec Firewall Microsoft Windows XP Firewall McAfee Entercept 5.0 McAfee Host Intrusion Prevention 6.0 Patchlink Update BigFix Patch Manager Microsoft Windows Update BMC Marimba Patch Management Agent McAfee AntiSpyware Webroot Spysweeper Computer Associates PestPatrol Microsoft Secure Messaging Service (SMS) IBM Tivoli Agent Symantec ESM Microsoft security patches Table 1: Compliance and threat checks The Policy Enforcer Scanner receives content and policy updates from epo, ensuring that the systems are always checked for the latest patches, high-risk vulnerabilities, software configurations, virus activity, and more. The Policy Enforcer Scanner uses SSL to communicate securely with the Policy Enforcer Server. McAfee Security Research will be continuously releasing new content to identify new threats, new patches, and new application support. Summary McAfee Policy Enforcer provides robust policy creation, assessment, and remediation to ensure application and patch compliance, plus it provides comprehensive, flexible enforcement methods for complete network enforcement coverage, both in heterogeneous environments and those supporting enforcement frameworks, such as Cisco NAC, Microsoft NAP, and Trusted Computing Group TNC. Together these capabilities provide enterprises with the most comprehensive, cost-effective, and network-agnostic enforcement solution available today. Policy Enforcer: Protects your business from non-compliant managed and unmanaged systems accessing the network. Policy Enforcer provides granular assessment, reducing the risk from managed and unmanaged systems accessing your network. It provides comprehensive policy creation, assessment, and remediation to ensure application and patch compliance, and verifies that high-risk viruses and threats are not present Supports your existing heterogeneous infrastructure. Policy Enforcer enforces network access policy across the enterprise, regardless of network or platform infrastructure, providing effective protection against threats while delivering a low cost of ownership. It supports a mixed-vendor network environment for all major types of switches, operating systems, and VPNs, including Check Point, Cisco, Juniper, and Nortel Includes fully integrated management capability. It uses your epo infrastructure for easy deployment and centralized management, reducing IT complexity and administration requirements Enables lower cost of ownership. Organizations gain enforcement across the enterprise without a major overhaul of network hardware. Policy Enforcer is an easyto-deploy software solution that includes host-based and remote-based scanners and sensors Provides network access control for the network environments of today and tomorrow. A comprehensive solution itself, Policy Enforcer also provides an enforcement solution for networks today as well as tight integration planned with enforcement frameworks Cisco NAC, Microsoft NAP, and Trusted Computing Group TNC 802.1x About McAfee McAfee, Inc., headquartered in Santa Clara, California, and the global leader in intrusion prevention and security risk management, delivers proactive and proven solutions and services that secure systems and networks around the world. With its unmatched security expertise and commitment to innovation, McAfee empowers home users, businesses, the public sector, and service providers with the ability to block attacks, prevent disruptions, and continuously track and improve their security. McAfee, Inc Freedom Circle, Santa Clara, CA 95054, , McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners McAfee, Inc. All rights reserved. 6-sps-pe-endpt