
1 Presented by MPIRIRWE BYANAGWA STEPHEN

2 “An approach to computer network security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication and network security enforcement.”
Aim: to control endpoint security by unifying it with network device security and the whole network.
Result: End devices that do not comply with the set security policies are identified and quarantined.

3 What you can do = Who You Are + Where You Are Coming From + How Well You Comply with Policy
Darn… We just summarized NAC in one slide. What else is there to talk about?

4  Network Access Control (NAC) checks computers accessing your network to ensure full compliance with your security policies. NAC makes sure computers, including roaming laptops, are running antivirus, firewalls, and other security applications. It also makes sure that OS service packs are up to date and that Windows Update is active.

5 Pre-admission vs post-admission enforcement
Agent vs agentless data collection
- An agent s/w runs on the endpoint to report the status
- Agentless devices
  - Some devices do not support NAC agent s/w, e.g., printers, scanners, phones, photocopiers, and other special devices
  - NAC uses scanning and network inventory techniques (whitelisting, blacklisting, ACLs) to discern those characteristics remotely

6 Out-of-band vs inline solutions
- Inline: A single box acts as an internal firewall for access-layer networks and enforces the policy.
- Out-of-band: Agents on end-stations report information to a central console, which in turn controls switches to enforce policy.

7 Quarantine vs captive portals for remediation
- Quarantine: A non-compliant end-station is only allowed to access a restricted network with patch and update servers.
- Captive portals: The captive portal technique forces an HTTP client on a network to see a special web page before gaining full access.
- In NAC, a captive portal intercepts HTTP access to web pages, redirecting users to a web application that provides instructions and tools for updating their computers.

8  Endpoints that do not comply with established security policies pose a threat and can introduce a security risk into the network.  Goal of NAC: to prevent vulnerable and noncompliant hosts from obtaining network access

9 1. Authentication of the user (Authenticate)
- End users are authenticated before getting network access

10 1. Authentication of the user (Authenticate)
2. Use environmental information as part of policy decision making (Environment)
- Where is the user coming from?
- When is the access request occurring?
- What is the endpoint security posture of the end point?

11 1. Authentication of the user (Authenticate)
2. Use environmental information as part of policy decision making (Environment)
3. Control usage based on capabilities of hardware and security policy (Access Control)
- Allow or deny access.
- Put the user on a VLAN.
- Send user to remediation.
- Apply ACLs or firewall rules.

12 1. Authentication of the user (Authenticate)
2. Use environmental information as part of policy decision making (Environment)
3. Control usage based on capabilities of hardware and security policy (Access Control)
4. Manage it all (Management)
- Usable management and cross-platform NAC normalization

13
- 802.1X port based authentication (via RADIUS)
- MAC based authentication (via RADIUS)
- Web based authentication
- Static port/MAC configuration
- Dynamic port/MAC configuration (SNMP)
- Kerberos snooping

14
Method: 802.1X
Conclusions: If all requirements are fulfilled, 802.1X offers a very scalable and dynamic identification with a high level of security at the switch port.
Benefits: Standard for current systems; Centralized administration; Real time detection; High level of security; Good scalability; Additional information (user, host)
Disadvantages: Many requirements; Subsequent upgrade expensive

Method: MAC
Conclusions: This method is a solution for special end systems. It is better than static port/MAC assignment since dynamic and scalability are the same as for 802.1X.
Benefits: Standard for current systems; Centralized administration; Real time detection; Good scalability
Disadvantages: Many requirements; Low security; Additional information is limited

Method: Web
Conclusions: This method is more an addition than a complete authentication method. It simplifies the administrative effort for guests and allows access to older devices.
Benefits: Centralized administration; Real time detection; Good scalability
Disadvantages: Additional service administration; Additional registration portal; Unsecure quarantine

15
- Makerere’s NAC is based on Sophos NAC and Sophos Advanced NAC.
- Sophos NAC Advanced provides comprehensive and easy-to-deploy enterprise-ready network access control (NAC).
- It allows administrators to define and centrally manage security policies to identify and isolate all non-compliant, compromised or misconfigured computers accessing the corporate network.
- It seamlessly integrates with existing network infrastructures and security applications from a wide range of vendors.

16
- Compliance, e.g. right software and up-to-date patches
- Monitoring and reporting
- Increased security and policy deployment
- Management and control, e.g. remote scans, protect installations from removal, remote policy deployment
- Total security

17

18
- Detect and fix managed endpoint vulnerabilities
- Make sure guest computers meet your security requirements before they access your network
- Prevent unauthorized computers from accessing the network
- Get standard reporting on endpoint policy compliance
- Available from Endpoint Protection management console

19
- An installed agent provides comprehensive compliance assessment and enforcement of managed computers, both prior to and during a network session.
- A web agent provides comprehensive compliance assessment prior to network access for remote or LAN-based unmanaged computers, or on managed computers when an agent is not practical.
- DHCP enforcement protects the network from unauthorised computers connecting to the corporate LAN using an enterprise’s existing DHCP infrastructure.
- IEEE 802.1x enforcement stops unauthorised computers connecting to the LAN.
- RADIUS enforcement protects the network from non-compliant laptops by providing enforcement prior to opening IPSec, SSL-VPN, or wireless connections.

20
- An intuitive web interface offers extensive policy-building capabilities, flexible enforcement control and extensive reporting and alerting features.
- Administrators can define and manage unique policies for detecting operating system patches, security applications and signature updates across all computers.
- Scans can detect installation, last engine scan date/time, signature file date/time, running processes, real-time protection status, and version/value.
- Administrators can choose whether unauthorised or non-compliant computers are isolated, quarantined for remediation, automatically remediated or sent alerts.
- Policies can be customised to ensure no unwanted applications are run.
- A customisable landing page provides immediate, easy-to-view NAC compliance statistics.
- Custom application creation and enforcement enables administrators to respond rapidly to unforeseen threats.
- Point-and-click contextual operating system patch definitions save administrators hours of configuration time.
- Simple, central policy mode control enables enforcement steps to be phased in (from Report Only, through Remediate, to Enforce), avoiding an all-or-nothing approach and providing optimum control and ease of policy deployment during each stage of implementation.
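Added example (not part of the original slides and not Sophos code): a sketch of the access decision from slides 3 and 9-12 (who you are, where you are coming from, how well you comply), applied under the three phased policy modes named on slide 20. The VLAN names, the 7-day signature threshold, the guest location rule and the mapping of each mode to an action are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy values for this sketch; none come from a real product.
MAX_SIGNATURE_AGE = timedelta(days=7)
ROLE_VLAN = {"staff": "staff-vlan", "guest": "guest-vlan"}
GUEST_LOCATIONS = {"wireless"}          # where guests may connect from

@dataclass
class Endpoint:
    role: str | None                    # None: authentication failed
    location: str                       # "lan", "wireless" or "vpn"
    av_running: bool
    firewall_on: bool
    signature_date: date
    missing_patches: int

def posture_findings(ep: Endpoint, today: date) -> list[str]:
    """How well you comply: name every failed posture check."""
    checks = [
        ("antivirus not running", not ep.av_running),
        ("firewall off", not ep.firewall_on),
        ("signatures out of date", today - ep.signature_date > MAX_SIGNATURE_AGE),
        ("missing OS patches", ep.missing_patches > 0),
    ]
    return [name for name, failed in checks if failed]

def decide(ep: Endpoint, mode: str, today: date) -> tuple[str, bool, list[str]]:
    """Return (placement, remediation offered, findings) for one request."""
    if mode not in ("report-only", "remediate", "enforce"):
        raise ValueError("unknown policy mode: " + mode)
    # 1. Who you are: no identity means no access, whatever the mode.
    if ep.role not in ROLE_VLAN:
        return "deny", False, ["authentication failed"]
    # 2. Where you are coming from.
    if ep.role == "guest" and ep.location not in GUEST_LOCATIONS:
        return "deny", False, ["guest not allowed from " + ep.location]
    # 3. How well you comply, applied according to the policy mode.
    findings = posture_findings(ep, today)
    if not findings or mode == "report-only":
        return ROLE_VLAN[ep.role], False, findings   # findings only logged
    if mode == "remediate":
        return ROLE_VLAN[ep.role], True, findings    # fix without blocking
    return "quarantine-vlan", True, findings         # patch/update servers only

if __name__ == "__main__":  # constructed sample: staff laptop, AV off, stale signatures
    laptop = Endpoint("staff", "lan", False, True, date(2024, 1, 1), 2)
    for mode in ("report-only", "remediate", "enforce"):
        print(mode, decide(laptop, mode, date(2024, 1, 15)))
```

Running the same non-compliant laptop through all three modes shows why a phased rollout is useful: the findings are identical each time, and only the consequence for the user changes.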

21
- Installing NAC and other software, i.e.
  - Compliance dissolver
  - Web agent for guests and unmanaged users
  - DHCP enforcer + authentication methods
- Verifying NAC URL Server address.
- Accessing the NAC Manager: The NAC Manager provides a centralized location for policy definition and endpoint compliance reporting.
- NAC policy customisation
- Sophos Ent. Config + compliance agent deployment
- Phased deployment
  - Report only
  - Remediate
  - Enforcement

22 Endpoint Security
- Fast and effective antivirus: Delivers complete protection against today’s threats. Protect and manage all your platforms: Windows, OS X, Linux, UNIX, and virtualized environment from a single console. Reduce the risk of data loss and malware infection with built-in control of removable devices like USB keys, drives and wireless networking devices.
- Active application control: Control the apps that can cause security, legal, productivity or bandwidth problems. Our unique Active Protection approach means we provide and maintain detection of hundreds of Windows applications so you don’t have to.
- Threat-aware patch assessment: Use our Windows endpoint agent to prioritize the really critical threat-related patches for popular apps including Microsoft, Adobe, Apple and Java.

23 Mobile Device Management
We make BYOD easy and affordable with easy-to-implement mobile device management (MDM). It lets you secure and manage all your users’ devices: iPhones, iPads, Android, BlackBerry, Windows Phone.
- Complete smartphone and tablet control: Quickly establish policies for giving access to corporate email and data, lock or wipe lost or stolen devices, and manage apps.
- Convenient enterprise app store: Easily manage apps with your own enterprise app store to publish and push apps users need while blocking the ones they don't.
- Lightweight mobile antivirus: Protect your users and your data from the growing threat of malicious Android apps. Our Android security app checks for malicious apps and stops them from becoming a problem.

24 Web Protection
The web is the number one source of malware and threats, which is why we’ve integrated advanced web protection into the endpoint agent. You get the best web threat detection and malicious site protection available, wherever users go.
- Safe browsing, built-in web security: Integrated advanced web threat detection right into the endpoint agent that scans for malicious web code at the network layer before it’s passed to the browser.
- Block inappropriate content, web filtering: Set a smart surfing policy for the 14 most inappropriate site categories, right from within our console. Policy is enforced on the endpoint, wherever your users go.

Data Protection
Your confidential data needs protection, and you've got to prove it’s protected to the regulators. With a combination of data control with full-disk encryption, along with granular device control and application control, you can easily implement a comprehensive data protection strategy, all for the same price as your threat protection.
- Proven encryption: Encryption is quick, easy and proven to secure your sensitive files. If you need full-disk encryption, that's available too as part of our End-user Data Suite.
- Built-in data control: A unique and simple approach to DLP integrates the scanning for sensitive information into our endpoint engine, making it easy for you to configure, deploy and manage.

25 Network Protection
A firewall is an essential component of any network infrastructure. And if you have users on the move, they need business-grade firewall protection that travels with them. At the same time, you can’t just let any old computer onto your network. Control who qualifies for access with NAC.
- Windows Client firewall: Our client firewall protects your users from hackers, intrusions and rogue applications calling home. It’s centrally managed and integrated into our single Windows endpoint agent.
- Integrated Network Access Control: Our Network Access Control (NAC) checks Windows computers accessing your network to ensure full compliance with your security policies before they join.

Email Protection
Your mail server is an equally important part of your infrastructure and a major point of attack for spam and threats. That’s why we offer essential protection for your users’ email too.
- Proven security for Microsoft Exchange: You get the latest email protection for Microsoft Exchange to block spam, viruses, spyware and phishing. It scans all inbound, outbound and Exchange message stores.

26 What’s done?
- NAC demo
- Users currently installed
- NAC policy templates
- NAC products
- Etc.

27
- Enforcement is not ready due to the lack of a DHCP enforcer (Windows s/w), RADIUS and IEEE 802.xx. They are supposed to be installed on the DHCP server, which is presently Linux based.
- Heterogeneous and complex network structure. This affects detection, deployment and enforcement.
- Lack of adequate training, especially in security.
- Lack of enough exposure to best practices.

28
- There is a great need to look at internal security as a threat.
- There is a need for capacity building, especially in security, for the systems unit.
- There is a need for benchmarking.
- Everyone must get involved.


