Orchestrated Security Network. Automated, Event Driven Network Security. Ralph Wanders Consulting Systems Engineer

Transcription

1

2 Orchestrated Security Network Automated, Event Driven Network Security Ralph Wanders Consulting Systems Engineer

3 Orchestrated Security Network! " TCG/ TNC Architecture! " IF-MAP! " Use cases of IF-MAP! " Benefits of an IF-MAP ecosystem (Juniper Networks + Infoblox + Great Bay )

4 TCG: standards for trusted systems Virtualized Platform Mobile Phones Printers & Hardcopy TNC Authentication Network Security Storage Security Hardware Applications "Software Stack "Operating Systems "Web Services "Authentication "Data Protection Desktops & Notebooks Servers Infrastructure

5 Tnc architecture Access Requestor (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) Metadata Access Point (MAP) Sensors, Flow Controllers

6 Coördinated security via IF-MAP SOAP based protocol for publishing data to the MAP and querying or subscribing to get data from it Asset Management System Endpoint Security (via NAC) SIM / SEM MAP IPAM IF-MAP Protocol Physical Security ICS/SCADA Security AAA DLP Server or IDS Switching Wireless Firewalls Cloud Security

7 Open, standard, multi-vendor & future proof IF-MAP ensuring Interoperability:!" Built in IF-MAP server on IC!" MAP client enables publish, subscribe and search Access Requester (AR) Wireless Policy Enforcement Point (PEP) Network Perimeter Policy Decision Point (PDP) Metadata Access Point (MAP) IF-MAP Clients SA Series Great Bay IF-MAP Server IC Series Insightix Junos Pulse EX Series IC Series Third-Party Firewalls Lumeta Hirsch Wired Firewall Third-Party Appliances Wave SRX Series Third-Party DLP Infoblox

8 TNC Adoption ecosystem partners Access Requestor Policy Enforcement Point Policy Decision Point Metadata Access Point Sensors, Flow Controllers

9 USE CASE I: Access control at both L2 & L3 3rd Party Supplicants IF-MAP Juniper Endpoint Profiler Tablet/Notebook/Laptop Juniper Policy Server (IC) SBR/AD/LDAP/PKI/RSA/ Radius Protected Resource Juniper Client Juniper EX series SRX OAC/Junos Pulse Juniper WLC series!" Hybrid (dot1x+l3) network access control!" Differentiated access based on corporate assets vs. personal devices!" Web Auth via IC/ EX/ WLC (Captive Portal)!" Role based dynamic ACLs from IC to the switch port!" Addition: Coordinated threat control via IPS sensors / SIEM

10 USE case II: user-role based app firewall 3rd Party Supplicants IF-MAP Juniper Policy Server (IC) Tablet/Notebook/Laptop SBR/AD/LDAP/PKI/RSA/ Radius Protected Resource OAC/Junos Pulse Juniper Switches- WLAN 3 rd Party Switches- WLAN SRX Application layer based access Control in the market:!" Application identification via SRX FW!" IC pushing user-role info to SRX!" Infoblox pushes DHCP/ IP info to IC (non Junos Pulse clients!)!" SRX is enforcing user access to application

11 Use case III: access control at L2 - MAC auth & device profiling IF-MAP Juniper Policy Server (IC) Juniper Endpoint Profiler LDAP Unmanageable Devices Protected Resource Juniper Switches Printers/Fax/ Phones 3 rd Party Switches MAC Auth at different entry points:!" MAC auth at access layer or IC or Profiler!" Supports managed/unmanaged devices!" Profiler solution supporting device profiling & role based access control for phones, printers etc

12 Use case iv: protect against MAC spoofing IF-MAP Juniper Policy Server (IC) Juniper Endpoint Profiler LDAP Unmanageable Devices Protected Resource Juniper Switches Printers/Fax/ Phones 3 rd Party Switches Detection and mitigation of spoofed MAC address:!" Profiler detects MAC spoofing, assigns device to new profile!" Profiler publishes event via IF-MAP!" IC receives IF-MAP event, updates endpoint access privileges

13 Use case V: coordinated threat control via IF-MAP STRM MAP Server (IC or 3 rd -party) Sensor Juniper Policy Server (IC) SBR/AD/LDAP/PKI/RSA/ Radius Protected Resource OAC/Junos Pulse Juniper Switches- WLAN 3 rd Party Switches- WLAN SRX Dynamic attack protection:!" Profiler, STRM, or third-party sensor detects unauthorized activity!" IDP and/or STRM communicates to IC via MAP!" IC updates access control on firewalls, switches

14 IF-MAP Ecosystem Advantages! " Open standards! " Non-proprietary Supports multi-vendor compatibility! " Interoperability! " Visibility and control! " Excellent Return-on-Investment (ROI)! " Leverages existing network infrastructure! " Easily extensible in the future (through IF-MAP ecosystem partners) with added functionality! " OPEX Reduction! " Automated/ event driven

15 LAN ACCESS CONTROL MARKET 2012 Magic Quadrant Key Takeaways: Juniper's focus on open standards enables it to support heterogeneous network environments and helps to keep the pressure on other NAC vendors to minimize vendor proprietary features.. Juniper UAC integration across its IPS, SSL VPN, firewall, SIEM and Junos Pulse offerings is strong...

16 Vragen?