Klaudia Bakšová System Engineer Cisco Systems. Cisco Clean Access


Agenda 1. Securing Complexity 2. NAC Appliance Product Overview and In-Depth 3. NAC Appliance Technical Benefits

The Challenge of Securing Complexity
This is a story about network security. Specifically, how you can have security without compromising productivity. More to the point, your company may already be bristling with network defenses, but you still have one glaring vulnerability: your network users.

The Business Case for NAC
Drivers (Source: Infonetics Research, June 2009):
- Limit the impact of security problems, stop threats from propagating: 86%
- Increase overall corporate security posture: 78%
- Protect against loss of sensitive/personal information: 77%
- Control network access based on user identity and role: 76%
- Protect against loss of intellectual property: 60%
- Demonstrate compliance to security/access policies: 59%
- Regulatory requirements: 44%

Productivity Causes Complexity
- What system is it? Windows, Mac or Linux; laptop, desktop or PDA; printer or other corporate asset
- Who owns it? Company, employee, contractor, guest, unknown
- Where is it coming from? VPN, LAN, WLAN, WAN
- What's on it? Is it running? Anti-virus, anti-spyware, personal firewall, patching tools
- What's the preferred way to check/fix it? Pre-configured checks, customized checks, self-remediation or auto-remediation, third-party software

Complexity Demands Defense-in-Depth (identity + endpoint security + network security)
- Identity alone fails: it protects against unauthorized access, but not malware; it identifies the user, but not the device.
- Endpoint security alone fails: 99% have AV, but infections persist; host-based apps are easily manipulated, even unintentionally; there is a time gap between a virus and its definition/repair.
- Network security alone fails: firewalls cannot block legitimate ports; VPNs cannot block legitimate users; malware signatures must be known; detection often occurs after the fact.

What Is Network Admission Control?
Using the network to enforce policies ensures that incoming devices are compliant.
- Identity: Who is the user? Is s/he authorized? What role does s/he get? ("Please enter username")
- Device security: Is MS patched? Does A/V or A/S exist? Is it running? Are services on? Do required files exist?
- PLUS network security: Is policy established? Are non-compliant devices quarantined? Is remediation required? Is remediation available?

Four Key Capabilities of NAC
1. Uniquely identifies users and devices, and creates associations between the two. Why it matters: associating users and devices with roles tells you which policies apply, and prevents device spoofing.
2. Assesses and enforces a ubiquitous policy across the entire network. Without it: a decentralized policy mechanism (e.g. on the endpoint) can leave gaping security holes.
3. Acts on posture assessment results: isolates the device and brings it into compliance. Without it: just knowing a device is non-compliant is not enough; someone still needs to fix it.
4. Easily creates comprehensive, granular policies that map quickly to user groups and roles. Without it: policies that are too complex or difficult to create and use will lead to abandonment of the project.

Agenda 1. Securing Complexity 2. NAC Appliance Product Overview and In-Depth 3. NAC Appliance Technical Benefits

NAC Appliance (a.k.a. Cisco Clean Access) Components
- Cisco Clean Access Server: serves as an in-band or out-of-band device for network access control
- Cisco Clean Access Manager: centralizes management for administrators, support personnel, and operators
- Cisco Clean Access Agent: optional lightweight client for device-based registry scans in unmanaged environments
- Rule-set Updates: scheduled automatic updates for anti-virus, critical hotfixes and other applications

Clean Access Server
CAS is the enforcement point for network access. CAS has two key interfaces (eth0/eth1):
- Untrusted interface (eth1): faces the end users to be NACed (untrusted network)
- Trusted interface (eth0): faces the network to be secured (trusted network)
Traffic is BRIDGED (Virtual Gateway) or ROUTED (Real IP Gateway) between the two interfaces.
- Virtual Gateway: frame in on eth1 (VLAN 10), VLAN-mapped on the CAS (10 >> 40), frame out on eth0 (VLAN 40); the upstream switch carries SVIs for VLAN 10 and VLAN 40.
- Real IP Gateway: packet in on one interface, routed by the CAS, packet out on the other, between the 10.10.10.0/24 and 10.10.20.0/24 subnets.

NAC Manager Overview
- Controls all NAC servers centrally
- Configuration policies are pushed to all servers
- Communicates with servers for status and updates
- Scalable to support multiple servers (one NAC Manager, many NAC Servers)

NAC Appliance Sizing (users = online, concurrent)
- Super Manager: manages more than 40 Enterprise and Branch Servers
- Standard Manager: manages up to 20 Enterprise and Branch Servers
- Manager Lite: manages up to 3 Branch Office or SMB Servers
- Enterprise and Branch Servers: 1500, 2500 or 3500 users
- Branch Office or SMB Servers: 100, 250 or 500 users
- NM (network module): 50 or 100 users

NAC Server Deployment Mode
The NAC server is deployed in a combination of the following 3 modes:
- In-Band (IB) or Out-of-Band (OOB): in IB the NAC server (CAS) is in the data path all the time; in OOB it is in the path only during the NAC process. A given CAS can only be IB or OOB.
- Layer 2 (L2) or Layer 3 (L3): users are L2 adjacent to the CAS, or multiple hops away (L3). A given CAS can support both L2 and L3 adjacent users.
- Virtual Gateway (VG) or Real-IP Gateway (RIP-GW): the CAS acts as a bridge (VG) or a router (RIP-GW) between its two interfaces. A given CAS can only be VG or RIP-GW, not both.

CAS Physical Deployment Models: Centralized, Redundant
Example: collapsed core centralized deployment, Virtual Gateway mode. 6 access layer closets, 6 data VLANs, 500 users per VLAN, 3000 users in total; 3 VLANs per CAS, 1500 users each. The diagram pairs access VLANs 10, 20, 30 and 40, 50, 60 with VLANs 110, 120, 130 and 140, 150, 160 at the collapsed core/distribution layer.

CAS Physical Deployment Models: Centralized Load-Balancing
Example: enterprise central deployment, Virtual Gateway mode. 3 access layer closets, 6 VLANs, 500 users per VLAN, 3000 users in total; 3 VLANs per CAS, 1500 users each.

CAS Traffic Flow Deployment Models: In-Band and Out-of-Band
- In-Band: CAS is inline (in the data path) before and after posture assessment; ACL filtering and bandwidth throttling; suited to remote offices and VPN connectivity; limited scalability.
- Out-of-Band: multi-gigabit throughput; CAS is inline only during posture assessment; port VLAN-based and role-based access control.

CAS Client Access Deployment Models: L2 and L3
- L2 model: the client is L2 adjacent to the CAS; works with VG or Real IP GW, IB or OOB; mostly for LAN deployments; the MAC address is the identifier.
- L3 model: the client is not L2 adjacent to the CAS; works with VG or Real IP GW, IB or OOB; mostly for WAN/VPN deployments; the IP address is the identifier.
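The slides above describe the NAC decision end to end: authenticate, check posture, quarantine and remediate, then enforce by role either inline (IB, ACL) or by moving the switch port (OOB, VLAN), keyed by MAC (L2) or IP (L3). The following is an added example, not Cisco NAC Appliance code: a toy policy engine in which the rule names, VLAN numbers, ACL strings and sample endpoints are assumed values constructed for illustration. It also covers the agent cases from later slides: the Web Agent assesses posture but cannot auto-remediate, and a device with no agent at all cannot be verified.

```python
"""Posture assessment, role assignment and enforcement for a NAC appliance.

Added example, not Cisco NAC Appliance code: a toy policy engine that
evaluates agent-reported endpoint facts against rules, decides the role,
and emits the enforcement action the CAS would take in in-band (IB) or
out-of-band (OOB) mode. Rule names, VLAN numbers, ACL strings and the
sample endpoints are assumed values constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable

QUARANTINE = "quarantine"


@dataclass
class Endpoint:
    identity: str          # MAC address (L2 adjacent) or IP address (L3 / VPN)
    role: str              # role returned by authentication: employee, contractor, guest
    agent: str             # "full" (Clean Access Agent), "web" (Web Agent) or "none"
    facts: dict = field(default_factory=dict)   # what the agent reported


@dataclass
class Rule:
    name: str
    roles: tuple           # roles this rule applies to
    check: Callable[[dict], bool]
    remediation: str
    auto_fix: bool = False # the full agent can fix this without user action


RULES = [
    Rule("hotfixes", ("employee", "contractor"),
         lambda f: not f.get("missing_hotfixes"),
         "Install missing Windows hotfixes (AutoUpdate via WSUS)", auto_fix=True),
    Rule("av_installed", ("employee", "contractor", "guest"),
         lambda f: f.get("av_installed", False), "Install an approved anti-virus product"),
    Rule("av_running", ("employee", "contractor", "guest"),
         lambda f: f.get("av_running", False), "Start the anti-virus service", auto_fix=True),
    Rule("av_defs_fresh", ("employee", "contractor"),
         lambda f: f.get("av_def_age_days", 999) <= 7, "Update anti-virus definitions", auto_fix=True),
    Rule("fw_enabled", ("employee",),
         lambda f: f.get("firewall_enabled", False), "Enable the personal firewall", auto_fix=True),
]

# Role -> access VLAN (OOB port assignment) and ACL (IB filtering); assumed values
ROLE_POLICY = {
    "employee":   {"vlan": 10,  "acl": "permit ip any any"},
    "contractor": {"vlan": 20,  "acl": "permit tcp any 10.10.10.0/24 eq 443"},
    "guest":      {"vlan": 30,  "acl": "permit tcp any any eq 80; permit tcp any any eq 443"},
    QUARANTINE:   {"vlan": 110, "acl": "permit tcp any host 10.1.1.30 eq 443; deny ip any any"},
}


def assess(ep):
    """Return (role, failed rule names, remediation steps).

    No agent: nothing can be verified, so the device stays quarantined.
    Web Agent: posture is assessed but every fix is manual (no auto-remediation).
    """
    if ep.agent == "none":
        return QUARANTINE, ["no_agent"], ["manual: Install the Clean Access Agent or use the Web Agent"]
    failed = [r for r in RULES if ep.role in r.roles and not r.check(ep.facts)]
    if not failed:
        return ep.role, [], []
    steps = []
    for r in failed:
        how = "auto" if (r.auto_fix and ep.agent == "full") else "manual"
        steps.append(f"{how}: {r.remediation}")
    return QUARANTINE, [r.name for r in failed], steps


def enforce(ep, mode):
    """Turn the posture decision into the action the CAS takes in the given mode."""
    role, failed, steps = assess(ep)
    pol = ROLE_POLICY[role]
    if mode == "OOB":
        # CAS leaves the data path: the switch port is moved to the role's VLAN
        action = {"type": "switch_port_vlan", "identity": ep.identity, "vlan": pol["vlan"]}
    else:
        # CAS stays inline and filters the client's traffic with the role ACL
        action = {"type": "cas_acl", "identity": ep.identity, "acl": pol["acl"]}
    return {"role": role, "failed": failed, "remediation": steps, "action": action}


# Constructed sample endpoints: a compliant employee, a contractor with a missing
# hotfix and stale AV definitions, a guest on the Web Agent with AV installed but stopped.
SAMPLE = [
    Endpoint("00:11:22:33:44:55", "employee", "full",
             {"missing_hotfixes": [], "av_installed": True, "av_running": True,
              "av_def_age_days": 1, "firewall_enabled": True}),
    Endpoint("00:11:22:33:44:66", "contractor", "full",
             {"missing_hotfixes": ["hotfix-A"], "av_installed": True,
              "av_running": True, "av_def_age_days": 30}),
    Endpoint("192.168.1.150", "guest", "web",
             {"av_installed": True, "av_running": False}),
]

if __name__ == "__main__":
    for ep, mode in zip(SAMPLE, ("OOB", "OOB", "IB")):
        print(ep.identity, enforce(ep, mode))
```

The point of the quarantine ACL is that a non-compliant device can still reach the manager for remediation but nothing else, which is what turns "knowing a device is non-compliant" into something that gets fixed.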

NAC Appliance for VPN Access
Topology: laptop 192.168.1.150; ASA 192.168.1.3; NAC Appliance Server (NAC enforcement point) 192.168.1.2; router 192.168.1.1; NAC Appliance Manager 10.1.1.30; auth server 10.1.1.25; RADIUS accounting server 10.1.1.26; intranet server 10.10.10.10; DNS server 10.20.20.20.
1. Remote user connects to the ASA via an IPsec or SSL VPN tunnel
2. Remote user obtains an IP address from the ASA
3. ASA forwards the RADIUS accounting login info to the CAS
4. The RADIUS accounting information logs the user into the appliance, so there is no need to sign on twice (SSO)
5. Everything else is the same as in an in-band deployment
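Steps 3 and 4 are a protocol exchange: the concentrator sends a RADIUS Accounting-Request and the CAS turns its User-Name and Framed-IP-Address into a NAC session. The following is an added example, not Cisco ASA or NAC Appliance code, of both sides of that exchange; the shared secret, user name, addresses and session id are assumed values constructed here. The check a practitioner wants is the Request Authenticator verification from RFC 2866: because the accounting message alone logs the user in, a CAS that skipped it would accept a forged login from any host that can send UDP to it.

```python
"""RADIUS accounting single sign-on for the VPN deployment.

Added example, not Cisco ASA or NAC Appliance code: builds the
Accounting-Request (Start/Stop) a VPN concentrator sends once the remote user
has an address, and the receiver side a CAS would run to log that user in or
out without a second sign-on. Shared secret, user name, addresses and session
id are assumed values constructed for this example.
"""
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 1, 8, 31
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_START, ACCT_STOP = 1, 2


def encode_attrs(attrs):
    """attrs: list of (type, value bytes) -> RADIUS attribute TLVs (type, length, value)."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def build_acct_request(secret, identifier, status, username, framed_ip, session_id, calling_station):
    """VPN concentrator side: Accounting-Request with the Request Authenticator of RFC 2866 s3."""
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip)),
        (ACCT_STATUS_TYPE, struct.pack("!I", status)),
        (ACCT_SESSION_ID, session_id.encode()),
        (CALLING_STATION_ID, calling_station.encode()),
    ])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_acct_request(packet, secret):
    """Verify the authenticator with the shared secret, then decode the attributes."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not an Accounting-Request or bad length")
    authenticator, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(authenticator, expected):
        raise ValueError("bad Request Authenticator: wrong shared secret or forged packet")
    fields, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        t, l = attrs[pos], attrs[pos + 1]
        if l < 2 or pos + l > len(attrs):
            raise ValueError("malformed attribute length")
        fields[t] = attrs[pos + 2:pos + l]
        pos += l
    return identifier, fields


def sso_from_accounting(packet, secret, sessions):
    """CAS side: map Acct-Status-Type Start/Stop to a NAC login/logout.

    The user is keyed by Framed-IP-Address, the L3 identifier the CAS uses for
    clients that are not L2 adjacent (VPN users). Returns (event, user, ip).
    """
    _, f = parse_acct_request(packet, secret)
    for needed in (USER_NAME, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE):
        if needed not in f:
            raise ValueError(f"missing attribute {needed}")
    if len(f[ACCT_STATUS_TYPE]) != 4:
        raise ValueError("Acct-Status-Type must be a 4-octet integer")
    status = struct.unpack("!I", f[ACCT_STATUS_TYPE])[0]
    user = f[USER_NAME].decode()
    ip = socket.inet_ntoa(f[FRAMED_IP_ADDRESS])
    if status == ACCT_START:
        sessions[ip] = user          # user is now logged into the NAC appliance
        return ("login", user, ip)
    if status == ACCT_STOP:
        sessions.pop(ip, None)       # VPN tunnel torn down: remove the NAC session
        return ("logout", user, ip)
    return ("ignore", user, ip)      # Interim-Update etc. carry no login change


SECRET = b"assumed-shared-secret"   # constructed; configured on both the ASA and the CAS

if __name__ == "__main__":
    table = {}
    start = build_acct_request(SECRET, 7, ACCT_START, "vpnuser1", "192.168.1.150",
                               "0A1B2C3D", "203.0.113.9")
    print(sso_from_accounting(start, SECRET, table), table)
```

Handling the Stop record matters as much as the Start: if the CAS only ever consumed Start, the next VPN client to receive 192.168.1.150 would inherit the previous user's NAC session.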

How do you create and manage headless devices in your environment?
NAC Profiler can manage all other headless devices: automatic discovery and inventory via SNMP, profiling devices into NAC roles. The Profiler receives SPAN traffic and SNMP data through the NAC Server/Collector and talks to the NAC Manager over its API; devices are added to the filter list from the Profiler and get the proper access under NAC.

Dynamic Provisioning into NAC Manager
NAC Profiler profiles the device and automatically places it in the NAC Manager filter list, together with detailed device information.
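The two slides above describe profiling agentless devices from what the network can observe and provisioning the result into the filter list. The following is an added example, not Cisco NAC Profiler code, of that logic over the kind of attributes a collector gathers by SNMP and from SPAN traffic; the OUI table, the profiles and the sample devices are all constructed for this example. Since the filter list exempts a device from the normal login and posture process, the example refuses to auto-add a device whose MAC vendor says "printer" while its own answers say otherwise, which is the spoofing case the earlier capability slide warns about.

```python
"""Profiling headless devices into NAC roles.

Added example, not Cisco NAC Profiler code: a rule-based classifier over the
kind of attributes a collector gathers by SNMP and from SPAN traffic (MAC OUI,
sysDescr, DHCP vendor class, listening ports). Clean matches become entries
for the NAC Manager filter list; a device whose evidence is contradictory is
held for review instead of being added automatically. The OUI table, the
profiles and the sample devices are all constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed OUI -> vendor class table; not an authoritative IEEE list
OUI_VENDOR = {
    "00:11:22": "printer-vendor",
    "AA:BB:CC": "phone-vendor",
    "DE:AD:BE": "pc-vendor",
}


@dataclass
class Observed:
    mac: str
    ip: str
    sys_descr: str = ""                  # SNMP sysDescr; empty when the device does not answer
    dhcp_vendor: str = ""                # DHCP option 60 seen on the SPAN feed
    open_ports: frozenset = frozenset()  # listening ports seen on the SPAN feed


@dataclass
class Profile:
    name: str
    role: str               # NAC role the filter-list entry will carry
    oui_vendor: str
    sys_descr_re: str
    dhcp_re: str
    ports: frozenset
    min_score: int = 2      # an OUI match alone is never enough


PROFILES = [
    Profile("network-printer", "Printers", "printer-vendor",
            r"(?i)printer|jetdirect", r"(?i)printer", frozenset({9100, 631})),
    Profile("ip-phone", "IP_Phones", "phone-vendor",
            r"(?i)phone|sip", r"(?i)ipphone", frozenset({5060})),
]


def evidence_for(obs, prof):
    """Independent pieces of evidence for (True) or against (False) a profile."""
    ev = {"oui": OUI_VENDOR.get(obs.mac[:8].upper()) == prof.oui_vendor}
    if obs.sys_descr:
        ev["sysdescr"] = re.search(prof.sys_descr_re, obs.sys_descr) is not None
    if obs.dhcp_vendor:
        ev["dhcp"] = re.search(prof.dhcp_re, obs.dhcp_vendor) is not None
    if obs.open_ports:
        ev["ports"] = bool(obs.open_ports & prof.ports)
    return ev


def profile_device(obs):
    """Return (profile name, role, decision); decision is 'add', 'review' or 'unknown'."""
    adds, reviews = [], []
    for prof in PROFILES:
        ev = evidence_for(obs, prof)
        contradicted = [k for k, v in ev.items() if k != "oui" and not v]
        if ev["oui"] and contradicted:
            # printer MAC, non-printer behaviour: possible MAC spoofing, never auto-add
            reviews.append((prof.name, prof.role))
        elif sum(ev.values()) >= prof.min_score:
            adds.append((sum(ev.values()), prof.name, prof.role))
    if adds:
        _, name, role = max(adds)
        return name, role, "add"
    if reviews:
        name, role = reviews[0]
        return name, role, "review"
    return "unknown", None, "unknown"


def filter_list_entries(devices):
    """Entries pushed to the NAC Manager filter list, plus devices held for an operator."""
    entries, held = [], []
    for d in devices:
        name, role, decision = profile_device(d)
        if decision == "add":
            entries.append({"mac": d.mac.upper(), "role": role, "profile": name})
        elif decision == "review":
            held.append({"mac": d.mac.upper(), "reason": f"evidence conflicts with {name}"})
    return entries, held


# Constructed sample devices: a printer, a workstation wearing a printer MAC,
# an IP phone that answers no SNMP, and a PC with no matching profile.
SAMPLE_DEVICES = [
    Observed("00:11:22:0a:0b:0c", "10.10.10.50", sys_descr="Network printer, firmware 1.2",
             open_ports=frozenset({9100})),
    Observed("00:11:22:0a:0b:0d", "10.10.10.51", sys_descr="Linux workstation 5.x",
             open_ports=frozenset({22})),
    Observed("aa:bb:cc:01:02:03", "10.10.10.52", dhcp_vendor="phone-vendor-ipphone",
             open_ports=frozenset({5060})),
    Observed("de:ad:be:ef:00:01", "10.10.10.53", open_ports=frozenset({445})),
]

if __name__ == "__main__":
    print(filter_list_entries(SAMPLE_DEVICES))
```

Requiring two independent pieces of evidence is what keeps a cloned MAC from earning a filter-list exemption on its own; in an L2 deployment the MAC is the only identifier the CAS has, so the Profiler's corroborating data is the compensating control.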

Cisco NAC Appliance Agents
Clean Access Agent: local-machine, agent-based posture and remediation; bundled with the CAM software release/update; full agent installation or stub agent installation (Java/ActiveX).

Cisco NAC Web Agent: no permanent client application required; posture assessment is available, but there is no automatic remediation.

Cisco NAC Services: Automated Policy Updates
Automated Cisco rulesets simplify support for 350+ security and management applications. AutoUpdates: hotfixes and service packs (direct to the WSUS server), distributed through the Cisco NAC Manager.

Agenda 1. Securing Complexity 2. NAC Appliance Product Overview and In-Depth 3. NAC Appliance Technical Benefits

NAC Appliance Technical Benefits
- Product experience: with 500+ deployments, Cisco understands the technical impact on your network
- Defense-in-depth: NAC Appliance is a self-contained, proactive way to enforce policy compliance on all incoming devices
- Rapid setup, easy management: pre-configured rulesets and checks make it easy to set up, maintain, modify, and expand
- Flexible deployment: broad deployment options mean that NAC Appliance fits into your network the way you need it to
- Future proof: NAC Appliance is core to Cisco's strategic NAC vision and can be leveraged across all future deployment options