Executive Summery. Siddharta Saha. Downloaded from

Transcription

1 1 Executive Summery In the last quarter of century the world has seen a tremendous growth in IT and IT enabled services. IT infrastructure of any organization is the most precious since business process of today s world is based totally on IT. Conventionally IT infrastructure of any organization comprises of desktop clients, servers, storage, printers, networking equipments, IP Phones etc. As Information Technology has grown, various types of threats on such valuable assets and data have also increased exponentially. Viruses, hackers, intruders are some of the big threats. Luckily there are applications and practices to combat against such evils and keep your IT enabled business process secure. But network administrators and security engineer find it often challenging to secure their infrastructure in spite of having adopted the recommended security norms. This is because many times such standards are not implemented to the fullest. Or the security appliance is not tuned properly to provide adequate level of security. Moreover traditional security practices have lot of dependencies on the end users. For example all clients in the network may be loaded with anti viruses but daily updates may be dropped by a general user because he thinks, it would take a lot of time and I have important works to do. This is a common approach of end users in almost every organization. This is to remember at this point that an outdated anti virus is as bad as having none. The end user in this case has not only made itself vulnerable but brought treats to the entire organization. Moreover traditional security solutions work on the clients that are already connected to the network and have sufficient access to cause trouble in the infrastructure. This situation is very dangerous if the nature of threat is new to the security system. These zero day attacks may not be prevented by traditional security system. IT managers find it very difficult to avoid such situations and deploy security polices in all the equipments and users across all the hierarchy. There are two well-known approaches to address these issues developed by two major IT Giant Microsoft Corporation and Cisco Systems which shall be discussed in the following sections. 1) Network Access Protection (NAP) by Microsoft Corporation. 2) Network Admission Control (NAC) by Cisco Systems. (This is also called Network Access Control in some of the literatures)

2 2 Index Introduction. 3 Network Access Protection (NAP). 4 Network Access Control (NAC). 7 Case Study. 9 Conclusion. 13 Reference. 14

3 3 Introduction With the number of threats increasing day by day IT managers often finds it very difficult to keep the security level of the connected client up to the desired level. Even spending so much on protecting the resources from the external source of attack it is a big task to secure the network from the internal threats. Outdated anti virus, non patched OS etc bring element of threat to the entire network. Even if the policy and the procedure in place IT managers find it difficult to enforce the policy on the end users. There are two well-known approaches to address these issues developed by two major IT Giant Microsoft Corporation and Cisco Systems 3) Network Access Protection (NAP) by Microsoft Corporation. 4) Network Admission Control (NAC) by Cisco Systems. (This is also called Network Access Control in some of the literatures) Both of the technologies implement the same basic philosophy in their own way. Any client is tested against the security polices to find out its compliance. Only after the client successfully complies with the security standards it is allowed inside the network. Otherwise it may be diverted to a special remediation zone where security polices would be enforced on it to make it safe for the actual IT infrastructure. Or the client shall be allowed a very limited access to the resources. Otherwise access to the network and resources may be out right rejected due to noncompliance. In the following sections we shall discuss about both of the technologies, their components and the way various policies can be implemented. At the end we shall also document a case study based on one of these technology.

4 4 Network Access Protection (NAP) Network Access Protection is new technology developed by Microsoft Corporation to protect the IT assets of any organization from threats that may have been caused by lose security policy deployment such as inadequate access restriction on access to the resources, compromised client stations etc. It also aims to reduce the burden on the security and networking team of the organization, reduce the operational cost and increase availability. The way it works Components Depending on the type of enforcement policy organization chose to deploy some or all of the components described below may be installed. Network Policy Server (NPS): In this server health check and validation policies are defined. The definition of the policy may differ as per the enforcement type and policy is adapted by the organization. SoH sent by the clients are validated in it. Microsoft Windows Longhorn and above are capable of being NPS. An NPS has the following functional units System Health Validator (SHV) to validate SoH Active Directory (AD) to store information about the user accounts and their network access profiles. Health Policy (HP) to define exact policy for specific enforcement plan. Admin Sever takes the actual decision about the fate of the client based on the feedback from the SHV.

5 5 NAP Agent: Remediation Server (RS): A Remediation Server offers limited access to the client that has failed to comply with the policy due to improper SoH. It allows such end devices to download/ install patches/ updates that are required to improve the SoH to comply with the policy. An RS may be implemented in a single server or a group of servers and may have the following components. DNS server Proxy server (only allowing web access to the Microsoft and anti virus site) A local anti virus update mirror inside the intranet. Enforcement options

6 6 Network Access Control by Cisco Systems NAC essentially has the same philosophy as NAP; do not allow any device to enter into the network unless it complies with the security policy of the organization. The architecture and implementation is also somewhat similar. But in NAC may define not only whom to give access but also how the client would be able to access the network. It addresses the requirement of any organization by offering following features. Role based access control: Guest Access: It provides access policy definitions and access restriction for the guest users. Like a manager comes from a business partner, he should be allowed internet access after health checkup. Client device security enforcement: Any device should qualify as per the security policy of the organization before it is granted access in the network. Remediation: Help noncompliant clients to improve the help status so that it qualifies to enter into the network. Control of peripheral and non PC devices:

7 7 Components of NAC Depending on the policy adapted by the organization a NAC may have some or all of the following components. NAC server: It is the heart of the NAC environment. It does the device health checks and enforces policy laid by administrator on the end devices. Can be deployed in L2 ( locally) or at L3 (globally) network. NAC Manager: It managers the NAC server and provides web based user interface to the administrator for creating and managing NAC policies. It also allows to manage the user like creating role based policies and user authentication.

8 8 Case Study Pinnacle School of Business Management (PSBM) is a top notch institution for Business studies. Each year a large number of students enroll for both residential and part time courses on various topics of business management. It also offers distant learning e-courses to the students who can not attend the class room. The school has full WiFi coverage inside the campus including hostels. Students access various course materials by using laptops and tablets. Residential students use their laptops at classrooms and dormitories and the evening students also bring their laptops in the campus. Both of the groups of users access digital library online that has a wide range of books and other electronic study materials. Students of distant learning courses connect to the e-learning server through IPSec and also access the digital library. Concerns: Though the IT team offers to install anti virus to the laptops of resident users free of cost some of them either do not install it thinking it would make the laptop slow. Many students turn off the regular updates as it may slow their surfing speed. Students often do not scan the removable media because they are in hurry Evening students bring their laptops, which they use at home and their office networks and do not update the OS patches and anti virus. Remote students also access the network by IPSec but there is no control over their sanity in terms of virus and Trojans. All such users create a lot of problems in the network. Even after spending huge amount on the firewall and anti virus software the network Administrator of PSBM can not rest in peace. The clients with outdated anti virus, OS patch and other security holes not only compromising their own security but also putting the network and other IT resources at stake.

9 9 In one recent incident a laptop of one student from Marketing Dept. was infected by a MAC spoofing virus. It spoofed the gateway address and diverted all outbound traffic to itself. All traffic to the internet stopped. It stuff found it a Herculean task to identify and remove the culprit. It was found that the anti virus would have easily removed the virus but the anti virus definition of the laptop was not updated since last 2 months! Solution The dean of the PSBM decided to enforce the security policy on all clients that wants to access the IT resources of the school. The message was loud and clear NO COMPLIANCE, NO ACCESS. The IT team of PSBM has come up with a solution to deploy Microsoft NAP in their network. The selected NAP instead of Cisco NAC for two reasons. The network of PSBM has equipments not only from Cisco but from other vendors also. The existing servers of school are running on Windows 2008 Sever and so the deployment of NAP would be easy and time saving. Policy and Enforcement.

10 10 The way the systems work at PSBM IP Sec Enforcement 802.1x Enforcement NAP agent of laptop/ tablet send request for access to the 802.1x access point. Along with the SoH. SoH is validated as per the health policy (HP) at NPS.

11 11 If the client complies with the policy then they are allowed to access the network and resources as per user roles and privileges defined by the Active Directory. All the non complaint clients are sent to the remediation zone. The remediation zone has a DNS server and Proxy server. The proxy server allows limited web access to the clients (only to the website of major anti virus vendors and Microsoft, Apple etc) so that they can improve their SoH. Components used: Results: Results are quite stunning the incidents of virus and worm spread inside the network ha reduced by 97%. Now the students are more careful about OS antivirus and other security updates because now they have understood clearly NO COMPLIANCE, NO ACCESS.

12 12 Conclusion Traditional security solutions work on the clients that are already connected to the network and have sufficient access to cause trouble in the infrastructure. This situation is very dangerous if the nature of threat is new to the security system. These zero day attacks may not be prevented by traditional security system. IT managers find it very difficult to avoid such situations and deploy security polices in all the equipments and users across all the hierarchy. Microsoft Network Access Protection and Cisco Network Admission Control is new breed of security enforcement system which eliminated many problems of traditional security systems. Having any or both of the system inside an enterprise network does not eliminate the necessarily of a traditional firewall or anti virus. Rather enforcing end users to adhere to the policies and norms that are laid by the administrator of the network.

13 13 Reference