Understanding Network Access Control: What it means for your enterprise

Similar documents
Reviewer s guide. PureMessage for Windows/Exchange Product tour

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

Cisco Network Admission Control (NAC) Solution

Symantec Network Access Control Starter Edition

Data Sheet: Endpoint Security Symantec Network Access Control Starter Edition Simplified endpoint enforcement

Enterprise Guest Access

Symantec Network Access Control Starter Edition

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

Securing the Empowered Branch with Cisco Network Admission Control. September 2007

Symantec Network Access Control Starter Edition

Data Sheet: Endpoint Security Symantec Multi-tier Protection Trusted protection for endpoints and messaging environments

White Paper February McAfee Policy Enforcer. Securing your endpoints for network access with McAfee Policy Enforcer.

Data Retrieval Firm Boosts Productivity while Protecting Customer Data

Least privilege in the data center

Putting Trust Into The Network Securing Your Network Through Trusted Access Control

Cisco Self Defending Network

Executive Summery. Siddharta Saha. Downloaded from

Network Access Control Whitepaper

IBM Proventia Management SiteProtector Sample Reports

Changing face of endpoint security

What It Takes to be a CISO in 2017

Novell ZENworks Network Access Control

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Teleworking and Security: IT All Begins with Endpoints. Jim Jessup Solutions Manager, Information Risk Management June 19, 2007

Implementing. Security Technologies. NAP and NAC. The Complete Guide to Network Access Control. Daniel V. Hoffman. WILEY Wiley Publishing, Inc.

Protecting Your Digital World

CA Host-Based Intrusion Prevention System r8

Critical Infrastructure Protection for the Energy Industries. Building Identity Into the Network

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

NETWORK THREATS DEMAN

NETWORKING &SECURITY SOLUTIONSPORTFOLIO

A Guide to Closing All Potential VDI Security Gaps

Cisco Identity Services Engine

Threat Control and Containment in Intelligent Networks. Philippe Roggeband - Product Manager, Security, Emerging Markets

Networks with Cisco NAC Appliance primarily benefit from:

Wireless and Network Security Integration Solution Overview

Standardizing Network Access Control: TNC and Microsoft NAP to Interoperate

ATTIVO NETWORKS THREATDEFEND PLATFORM INTEGRATION WITH CISCO SYSTEMS PROTECTS THE NETWORK

align security instill confidence

Cisco Firepower NGFW. Anticipate, block, and respond to threats

The Gartner Security Information and Event Management Magic Quadrant 2010: Dealing with Targeted Attacks

Simplify Your Network Security with All-In-One Unified Threat Management

Top 10 most important IT priorities over the next 12 months. (Percent of respondents, N=633, ten responses accepted)

Cyber security tips and self-assessment for business

Cisco ASA 5500 Series IPS Edition for the Enterprise

Education Network Security

The Need In today s fast-paced world, the growing demand to support a variety of applications across the data center and help ensure the compliance an

Enterasys. Design Guide. Network Access Control P/N

Hazardous Endpoints Protecting Your Network From Its Own Devices

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

EMC Ionix IT Compliance Analyzer Application Edition

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Klaudia Bakšová System Engineer Cisco Systems. Cisco Clean Access

Transforming Security from Defense in Depth to Comprehensive Security Assurance

IBM Internet Security Systems Proventia Management SiteProtector

Converged World. Martin Capurro

Make security part of your client systems refresh

Mapping BeyondTrust Solutions to

Total Protection for Compliance: Unified IT Policy Auditing

AUTOMATE THE DEPLOYMENT OF SECURE DEVELOPER VPCs

Carbon Black PCI Compliance Mapping Checklist

BULLETPROOF365 SECURING YOUR IT. Bulletproof365.com

Teradata and Protegrity High-Value Protection for High-Value Data

ForeScout ControlFabric TM Architecture

Portnox CORE. On-Premise. Technology Introduction AT A GLANCE. Solution Overview

Xerox and Cisco Identity Services Engine (ISE) White Paper

Get more out of technology starting day one. ProDeploy Enterprise Suite

Financial Conduct Authority. Financial Crime : A Guide for Firms

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

FOUR WAYS TO IMPROVE ENDPOINT SECURITY: MOVING BEYOND TRADITIONAL APPROACHES

WHITE PAPER: BEST PRACTICES. Sizing and Scalability Recommendations for Symantec Endpoint Protection. Symantec Enterprise Security Solutions Group

KERIO TECHNOLOGIES KERIO WINROUTE FIREWALL 6.3 REVIEWER S GUIDE

McAfee epolicy Orchestrator

SOLUTION OVERVIEW THE ARUBA MOBILE FIRST ARCHITECTURE

Cyber Criminal Methods & Prevention Techniques. By

SYMANTEC DATA CENTER SECURITY

Symantec Protection Suite Add-On for Hosted Security

Best Practices in Securing a Multicloud World

ForeScout Extended Module for Symantec Endpoint Protection

Future-ready security for small and mid-size enterprises

USING QUALYSGUARD TO MEET SOX COMPLIANCE & IT CONTROL OBJECTIVES

NETWORK ADMISSION CONTROL

5 Trends That Will Impact Your IT Planning in Layered Security. Executive Brief

HPE Intelligent Management Center

White Paper April McAfee Protection-in-Depth. The Risk Management Lifecycle Protecting Critical Business Assets.

Security Architecture

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Healthcare in the Public Cloud DIY vs. Managed Services

Symantec Endpoint Protection Integration Component User's Guide. Version 7.0

Phishing is Yesterday s News Get Ready for Pharming

McAfee Public Cloud Server Security Suite

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

Maximizing IT Security with Configuration Management WHITE PAPER

How We Delivered Compliance to a London-based Law Firm. A Network Security Project Case Study.

Nebraska CERT Conference

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

BULLETPROOF365 SECURING YOUR IT. Bulletproof365.com

Say Yes to BYOD How Fortinet Enables You to Protect Your Network from the Risk of Mobile Devices WHITE PAPER

Client Health Key Features Datasheet. Client Health Key Features Datasheet

Mobility, Security Concerns, and Avoidance

Transcription:

Understanding Network Access Control: What it means for your enterprise Network access control is a term that is highly used, but not clearly defined. By understanding the reasons for pursuing a network access control solution, by assessing what needs to be accomplished, and by determining how the solution is to be implemented and used, organizations give themselves a much better chance of uncovering the right technology for their environment. Through a comprehensive series of business and technical questions, this paper helps you define and understand your organization s needs in relation to network access control. A Sophos white paper February 2007

Understanding Network Access Control: What it means for your enterprise Overview In Information Technology and Security there are multiple terms that mean different things to different people. For example, consider the phrase policy compliance. Many vendors use this phrase to market their wares while paying little or no attention to what it means to the enterprise. Compliance with policy can mean regulatory compliance, internal physical security compliance, legal compliance, internet-use compliance, network-use compliance, endpoint security compliance, and much more. A quick Google search alone shows the number of sponsored links for the term policy compliance, many of them devoted to vendor solutions. In truth, policy compliance has many facets and needs further distillation to be useful to an enterprise. Another term that gets bandied about is network access control (NAC). In a young market, this term has become over used and highly misunderstood. NAC solutions encompass everything from intrusion detection systems, authenticated DHCP solutions, two-factor authentication, patch management solutions, network hardware, and security suites. These variations confuse the market and cause enterprises to compare apples to oranges when looking for a NAC solution. The key to finding a good solution for NAC is first understanding what the terms involved mean to the enterprise, and then matching those expectations with what a vendor can provide. The assessment questions that follow will help you with this task, enabling you to understand your organization s needs in relation to NAC. Establishing a baseline understanding To establish a baseline understanding, this document assumes that a NAC solution has four integral functions.* 1 Definition and management of endpoint security policies Setting up and managing a policy on who a user is and what needs to be running/not running on their machine to deem them safe and permit them access to the enterprise network. 2 Assessment of endpoint security policies Providing a mechanism to assess the state of adherence to the endpoint security policies. 3 Enforcement of endpoint security policies Providing/using a mechanism to automatically enforce endpoint security policies. 4 Reporting, alerting, and auditing Providing a means to monitor the endpoints and the solution. * This simple framework is designed to keep the scope of this paper focused by removing from the equation aspects like intrusion detection, anti-virus applications, and personal firewalls. 1

Assessment: Network Access Control and your enterprise Many vendors have defined themselves as providing a complete NAC solution or a key component of NAC. However, it is important for an organization both to determine exactly what the vendor means by network access control and to assess what it means in the context of the problems that the organization is trying to solve. By developing a greater understanding of NAC and endpoint policy enforcement, you can better determine how to approach a project. Answering the questions below will enable you to begin to define what access control means for your organization and start to shape a plan of attack. The next step will be to find the solutions that are available and to determine what questions you should pose to the solution vendors. Each section contains space for you to add your own criteria. There are also more discursive questions where you can add your thoughts and relevant information. Section I Business issues This section explores commonly raised NAC-related business issues, including questions about the reasons for pursuing a project, the potential costs/benefits, and who should be involved. While these are questions that every enterprise intuitively asks, agreeing upon and recording the answers often provides much needed direction in a NAC project. What are the main problems we hope to solve via a NAC solution? Stemming the tide of worms and viruses that proliferate in the network. Securing corporate information by protecting our endpoints. Ensuring the return on investment of prior security applications making sure they are all being used properly by all my users. Stopping rogue/unauthorized use of my network and mitigating the risk it imposes. Meeting internal or external regulations. Managing guest access to the network. Ensuring that my patch operation system is operating correctly and that necessary patches are installed on all my machines. Ensuring that every user on the network is identified. Protecting the enterprise by ensuring no file-sharing or peer-to-peer applications are operating on connected endpoints. 2

Note Security ROI is a diffi cult thing to measure accurately, as investing in security is much like investing in insurance. You need it to be there, you re more comfortable when it s there, and you re hardest hit when it is not. However, it is always best to take a look at what the current state is costing the enterprise by using various methods, such as cost of network downtime, cost of help desk response to security related incidents, and high and low-end estimated risk cost versus actual solution cost ratios. Why are we trying to solve these problems? Internal pressure to make proactive security a priority. External regulatory pressure. Risk of our data being compromised. Risk of bad publicity due to a security breach. Need to decrease the time, money, and effort spent on security problems. Experienced a recent security event and need to make sure it doesn t happen again. Can we quantify what this problem costs our enterprise? Can we estimate what solving this problem is worth to us? Do we currently know our risk levels associated with the endpoints using our network? Do we have independent mechanisms to audit them? Are we confident in those mechanisms? What groups in our enterprise should be involved in a decision on NAC? Information security Network operations Desktop support Privacy/Compliance management Who are the individuals in our organization that need to be involved in a NAC decision? 3

Section II Technical issues This section explores technical issues. The questions are designed to uncover the high-level technical needs of an organization, based loosely upon the technology for NAC available in the market today. In our environment, we have people accessing the network via different means. What access methods do we need to control? Remote via VPN LAN via wired connections LAN via wireless connections Are there segments of our user population that we would like to cover first? Are these segments based on types of users, types of access, or both? How many users do we need to cover? How many network segments do we need to cover? How important is a scalable solution? 4

What methods for access control would be acceptable in our enterprise? Appliance based Placing appliances at every access point. Software based Leveraging current and future enforcement technologies with a software solution. A combination Placing appliances in the network and placing software on each machine. Cisco standardization All Cisco NAC-compliant hardware, Cisco Trust Agent, Cisco management solution. Microsoft standardization All upgraded Microsoft OS, Microsoft servers throughout environment. Open standards based Trusted Computing Group standards based technology. When a corporate laptop or desktop accesses our network, what do we need to ensure before granting them access? They are a member of the corporate directory. Their machine is running a corporate standard image. Their security applications are running and properly updated. Their operating system is patched to the level I deem appropriate. They are not running any blacklisted software e.g. Kazaa or Skype. They are running required corporate software. 5

When a non-corporate laptop attempts to access our network, what action do we want to take? Allow them access to the network. Quarantine their access to Internet only access. Block their access altogether. Quarantine them until they pass a health check. Be notified of the access attempt. What is our preferred means of assessing each machine? Agentless ActiveX- or Java-based deep assessment of a machine. Agentless Access credentials needed for a deep remote assessment of each machine. Agentless Monitoring traffic to/from each machine is sufficient. Agent-based An agent that actively searches for elements placed in policy. Agent-based An agent that listens to other elements that report in via APIs. A combination, dependent on type of user accessing the network. Should a machine be assessed prior to granting connection or is it acceptable that a machine is assessed after making connection with the network? 6

What type of policy management should our NAC solution have? We would like to manage different policies for different user groups. We would like to manage policy centrally. We would like to script policy. We would like to manage policy via an intuitive GUI. We would like to have security applications and patches pre-populated for us to potentially use in policy. We would like the ability to write custom checks. Do we want one central place to manage all access policies, or do we want to manage different types of users and different types of access points separately? What technologies have already been placed in our network that we can leverage to quarantine and re-direct users? 802.1x on wireless LAN 802.1x on wired LAN DHCP Registered DHCP Cisco NAC-compliant routers and switches SSL VPN IP Sec VPN We don t want to leverage current infrastructure. 7

What is our deployment schedule? When do we want to achieve NAC throughout the enterprise? We needed it yesterday 0-6 months 6-12 months 1 year 2 years or longer What type of NAC technology best fits our deployment schedule? What types of solutions have we been effective at deploying in this timeframe in the past? Appliance based Placing appliances at every access point. Software based Leveraging current and future enforcement technologies with a software solution. A combination Placing appliances in the network and placing software on each machine. Cisco standardization All Cisco NAC-compliant hardware, Cisco Trust Agent, Cisco management solution. Microsoft standardization All upgraded Microsoft OS, Microsoft servers throughout environment. What type of information do we want to gather from our access control and endpoint policy enforcement solution? Authentication information only. The state of each machine in relation to policy. The number of access attempts. How the enterprise looks as a whole in relation to security policies. The presence of rogue or guest devices attempting to access the network via standard methods. The presence of rogue devices attempting to access the network via more sophisticated methods (e.g. spoofing an IP address). 8

What type of remediation options do we want to offer to people who are out of compliance with policy? None. Access to the internet to download the necessary patches and updates. Messaging and specific directions based on their compliance with policy. Integration with our patch management solution. What do we want our corporate end-user experience to be with a NAC and endpoint policy enforcement solution? What would best meet our business needs? Totally transparent for all machines attempting access. Transparent for compliant machines only. Very noticeable for all we want users to be highly aware their machines must be in compliance and they play a large part in keeping them up to date. Different experiences for different groups. What do we want our non-corporate/rogue end-user experience to be with a NAC and endpoint policy enforcement solution? What would best meet our business needs? Totally transparent for all machines attempting access. Transparent for compliant machines only. Very noticeable for all we want users to be highly aware their machines must be in compliance, recognizing they are a guest on our network, and they play a large part in keeping it up to date. Different experiences for different groups of guests. 9

The Sophos solution Sophos NAC is a software solution that works with an organization s current networks to control access of all users based on who they are, where they are accessing the network, and the security state of their computer as dictated by the organization s policies. By supporting current network hardware and all security applications, using standards to prepare for tomorrow s networks, and providing a solution that is scalable and configurable to meet specific business needs, Sophos NAC is a market leader and the only truly independent and enterprise-ready software solution on the market today. Sophos is a member of the Cisco NAC partner program, the Microsoft NAP partner program (Microsoft Gold Certified), and the Trusted Computing Group s Trusted Network Connect program. In our deployments in global Fortune 100 companies, Sophos has shown we have the people, processes, and product in place to meet enterprises network access control needs. To find out more about Sophos products and how to evaluate them, please visit www.sophos.com About Sophos Sophos is a world leader in integrated threat management solutions purpose-built for business, education and government. With 20 years experience and consolidated anti-virus, anti-spyware and anti-spam expertise SophosLabs protects even the most complex networks from known and unknown threats. Our reliably engineered, easy-to-operate products protect over 35 million users in more than 150 countries from viruses, spyware, intrusions, unwanted applications, phishing, spam and email policy abuse. Round-the-clock vigilance has resulted in our increasingly rapid international growth, expanding user base and continuous profitability. Our instant response to new threats is matched by business-focused, 24/7 technical support, and has led to the highest levels of customer satisfaction in the industry. Boston, USA Mainz, Germany Milan, Italy Oxford, UK Paris, France Singapore Sydney, Australia Vancouver, Canada Yokohama, Japan Copyright 2007. Sophos Plc. All registered trademarks and copyrights are understood and recognized by Sophos. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means without the prior written permission of the publishers.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback