Network Access Control for Mobile Networks
Table of Contents
- Introduction
- Network access initiatives: the candidates
- Posture-based access control
- Cisco network access control
- Microsoft NAP
- Juniper UAC
- In-line traffic inspection approaches
- Establishing identity-based access control
- The power of identity-based security in mobile networks
- Conclusion
- About Aruba Networks, Inc.
Aruba Networks, Inc.
Introduction
The threat of an infected device gaining access to a healthy enterprise network has become a significant concern. Security effort has traditionally focused on the network perimeter, which leaves the network vulnerable to attacks that originate inside that perimeter. The threat is exacerbated by the growing popularity of mobile devices such as laptops, PDAs and smartphones that move easily between public and private networks. Using these devices on insecure public networks such as wireless hotspots and municipal Wi-Fi exposes them to viruses, worms and other malicious software. When such a device re-enters the enterprise network, the absence of any admission check in the traditional enterprise architecture leaves the network open to whatever malware the device picked up outside. Vendors large and small have recognized the need for solutions that address this issue. Because re-architecting an enterprise network is a significant undertaking, most approaches focus on an overlay solution in the short term while providing a migration path to a comprehensive network-wide security architecture. The types of solutions are beginning to converge: operating system and anti-virus vendors are emerging as the most capable at establishing client health, and network vendors at using the results to enforce identity-based security. Many of the proposed approaches require changes to the network, the endpoint and other elements. The figure below illustrates the points in a typical enterprise network that these approaches target. The final solution will often combine parts of all of them. Note, however, that networks are changing to solve this problem, as is the role of network elements.
Figure 1. Various approaches to protecting networks: Approach 1, client security software; Approach 2, network-based access control with user authentication; Approach 3, in-line traffic inspection and intrusion/anomaly detection; Approach 4, protection of selected/sensitive areas of the network such as the data center.
Network access initiatives: the candidates
While it is unanimously agreed that network access control is a problem, opinions differ about how to address it. Broadly speaking, the solutions fall into two categories:
Posture checking: Solutions in this category verify the posture, or state, of the host before granting the appropriate level of network access. To establish posture, such systems typically verify user identity and the health of the machine (whether it is infected by a virus or other malware). They may also check that the host runs current versions of anti-malware software such as anti-virus, host firewalls and so on. Solutions within this category vary in:
- The number and types of items used to establish posture. A primary differentiator here is OS-based or clientless systems versus those that require temporary or permanent installation of additional client software to assess posture
- The method used to convey the posture from the client to the network
- The method used to quarantine non-compliant hosts and protect the network (and other hosts) from them
In-line packet inspection: In this category an in-line network device (usually a switch or an appliance) inspects all traffic for known malware signatures and/or anomalies. Solutions within this category differ in:
- The position of the device or appliance that inspects the traffic
- The percentage of total traffic that is inspected
- The inspection algorithms applied to the relevant traffic
Examined more closely, the approaches are complementary if implemented correctly. This paper attempts to clarify how the different approaches diverge and to identify the simplest and most secure way to implement an effective access control solution.
Posture-based access control
All solutions in this category are based on the concept that a host must be checked for posture before it gains network access.
This process validates a host against an established corporate policy to determine compliance, and the result of the posture check helps determine the level of network access permitted to the host. In reality, the above description is an over-simplification. Defining the posture of a client is more complex and requires both user identity and the health state of the client. The exact definition of health state varies between environments. Common attributes that make up the health state of a client include:
- Anti-malware software is installed and active on the client, and its version is current
- Presence of any malware on the client
- Which network interfaces are enabled and/or active
Solutions that fit into this category include Cisco NAC (both the 802.1x-based framework and Cisco Clean Access), Microsoft NAP, and Juniper UAC (Unified Access Control). Solutions in this category differ in several important ways; each may use its own method to:
- Authenticate the user
- Determine the posture of the client
- Convey the posture to a server that compares the client's posture with configured policies
- Enforce access control depending on the result of the posture check
It is useful to examine each initiative in more detail and compare them across the dimensions mentioned above. Major initiatives in this category include:
- Cisco Network Access Control
- Microsoft NAP
- Juniper UAC
Some initiatives combine posture and user identity. These include:
- 802.1x-based solutions
- IPSec-based solutions
- Clientless solutions
The primary difference tends to be OS-based integration ("clientless") versus a downloadable software client. While establishing client posture is important, it is a natural area for OS and anti-virus software vendors and is expected to mature quickly. A process that deserves even more attention is enforcing the authentication decision in a mobile network. Proper enforcement by the network is the difference between simple posture-based access control and the more flexible and secure identity-based access control, in which detailed client information such as user role and application usage is tightly coupled with posture results to determine appropriate access privileges.
Cisco network access control
Cisco Network Access Control is a posture-based access control solution from Cisco that involves a variety of products. Cisco NAC is effectively a closed solution that may introduce interoperability issues with third-party software and networking equipment. Cisco offers two solutions that are most pertinent to this paper: an 802.1x-based solution and the Clean Access solution.
Cisco 802.1x framework for network access control
In this mode the authentication mechanism is 802.1x. Because authentication occurs at Layer 2, before the port forwards any IP traffic, this approach is inherently more secure than the web-based authentication used in Cisco Clean Access. Since 802.1x is already widely used in wireless, this is likely to become the more common of the two solutions.
The main elements in this solution are:
- Cisco Trust Agent (CTA)
- 802.1x supplicant
- 802.1x authenticator
- ACS RADIUS server
- Cisco Policy Server
- Third-party client software and policy servers (optional)
The sequence of events when the client attempts to access the network is:
1. Since the port and client are both configured for 802.1x authentication, the port is logically shut down until the client successfully authenticates.
2. The Cisco Trust Agent collects health information from the Cisco Security Agent and/or from third-party plug-ins such as anti-virus software (McAfee, Symantec, etc.).
3. Using the Extensible Authentication Protocol (EAP) exchange during 802.1x, the CTA conveys this information to the Cisco Access Control Server (ACS).
4. Cisco ACS passes this information to the Cisco Policy Server which, in turn, passes it to third-party policy servers when needed.
5. Depending on the result of the evaluation by the Cisco Policy Server (and the third-party policy servers), Cisco ACS returns a RADIUS Access-Accept carrying either the default VLAN or a quarantine VLAN. This is achieved with the standard RADIUS tunnel attributes used for VLAN assignment (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID).
More secure enforcement alternatives exist when a wireless overlay from Aruba Networks, a WLAN and wireless security vendor, is in place. When the 802.1x-based framework is combined with network access control capabilities from Aruba Networks, the procedure outlined above can be modified to use the more flexible and secure concept of user roles. For example, the RADIUS attribute Tunnel-Private-Group-ID can be used to return the user role "quarantine" or "employee" instead of a VLAN number; the role is then enforced by a stateful firewall at the point of access rather than by VLAN membership alone.
Figure 2. Cisco NAC Framework: the CTA on the client (alongside CSA and the NAC applications) starts 802.1x; EAP over 802.1x runs to the switch/802.1x authenticator and EAP over RADIUS to Cisco ACS; posture information goes to the Cisco and third-party policy servers through the NAC API, the result is conveyed back to ACS, and a RADIUS Accept (with quarantine attribute) or Reject is returned.
Cisco Clean Access
Cisco Clean Access is the solution that Cisco acquired from Perfigo. It uses a dedicated appliance to authenticate users through a web browser (similar to many vendors' captive-portal solutions), to evaluate host compliance with security policies, and to regulate the hosts' access to the network accordingly. There are three main components:
1. Cisco Clean Access Server (CAS): the appliance that acts as the authenticator using the browser-based authentication mechanism.
2. Cisco Clean Access Agent (CAA): the agent downloaded to the client machine attempting to access the network, which evaluates the health and integrity of the host.
3. Cisco Clean Access Manager (CAM): the out-of-band management server where security policies are configured.
There are two deployment modes for Cisco Clean Access: in-band and out-of-band. The in-band deployment has the following process flow:
1. The client attempts to access the network.
2. The CAS detects that the client's MAC address is not in the approved list.
3. The CAS redirects the client's HTTP request to a login page (similar to a captive portal).
4. The employee enters credentials; the CAS authenticates the user through the authentication server.
5. Once the CAS identifies the user as an employee, the employee is required to download the CAA.
6. The CAA evaluates the posture of the host and forwards the result to the CAS.
7. The CAS forwards the report to the CAM. If the CAM reports that the client is not in compliance, the CAS places the user in a quarantine VLAN/subnet.
8. The CAS sends the remediation steps to the CAA.
Note that the approved MAC list only serves to recognize hosts that have already completed this flow; because a MAC address is easily changed, it should not be mistaken for authentication. Because this deployment has no non-standard requirements of the network infrastructure and is vendor-agnostic, it is supported on most network infrastructures, including an Aruba mobile network. It is also the only mode supported on Cisco wireless infrastructure. The out-of-band deployment model requires communication between the switch and the Cisco CAM, which is supported only on selected Cisco wired switches. The currently documented list is: Cisco Catalyst 2950, 3550, 3560, 3750, 4500 and 6500.
Microsoft NAP
Microsoft launched the Network Access Protection (NAP) initiative with the Windows Vista client and the "Longhorn" server release of Windows (shipped as Windows Server 2008). As the developer of the client OS, Microsoft is in a very good position to develop a strong posture-based solution. While the basic concept of NAP is similar to the Cisco NAC initiative, the approach and underlying technologies are significantly different. Microsoft NAP is an open solution comprising enforcement techniques based on 802.1x, IPSec and the Dynamic Host Configuration Protocol (DHCP), built on a framework that can accommodate additional enforcement options.
802.1x-based approach
This approach is similar to the Cisco 802.1x-based framework. The fundamental difference between the two relates to the endpoint software.
With Microsoft, the endpoint software is coupled with the operating system and therefore does not require the installation and management of an additional piece of software such as the Cisco Trust Agent. This gives Microsoft customers building an 802.1x-based network access control framework a significant capital and operational cost advantage. The main components of the 802.1x-based Microsoft NAP approach are:
1. 802.1x supplicant plus posture-validation software (included in the Windows Vista client)
2. Network switches supporting 802.1x
3. Microsoft NPS (Network Policy Server)
4. Third-party health servers (optional)
IPSec-based approach
In the IPSec-based approach the network is split into three zones: secure, boundary and restricted. By default, a computer is in the restricted zone. On entering the network, the computer sets up an HTTPS channel to the Health Certificate Server (HCS) and uses this channel to convey its user credentials and posture (called Statements of Health) to the HCS, which in turn passes them to the RADIUS server and the policy server, respectively. If both checks succeed, the computer obtains a health certificate. This certificate is used to authenticate the computer when it initiates communication with devices/computers in the secure zone. If the checks fail, the computer stays in the restricted network. The boundary network typically consists of remediation servers. Computers in the restricted network can reach these servers without a certificate, which is usually used to download the software or patches that bring the client into compliance with policy. Because the health certificate is short-lived, a client that falls out of compliance loses access to the secure zone once the certificate expires and is not renewed. This approach is represented in the logical diagram below.
Figure 3. IPSec-based NAP: restricted network, boundary network and secure network.
DHCP-based approach
The DHCP approach uses the same basic concepts as the 802.1x approach. It is implemented primarily where 802.1x is not feasible, typically because the network switches do not support 802.1x or upgrading the whole network to 802.1x is too costly. Where the 802.1x-based approach conveys the health of the device inside EAP, this approach conveys it in the DHCP exchange. Note that DHCP-based enforcement only controls the address configuration a client is given; a client that configures a static IP address bypasses it, which makes it the weakest of the three enforcement methods.
Juniper UAC
Juniper's Unified Access Control (UAC) solution is based on the Trusted Computing Group (TCG) Trusted Network Connect (TNC) architecture. TCG intends to create a standards-based set of APIs for NAC components. While most NAC solutions loosely follow the TCG model, Juniper has taken a more active role in adopting and promoting it. The basic model is similar to the others: Integrity Measurement Collectors (IMCs) on the client provide health-related information to a server, which evaluates the data with Integrity Measurement Verifiers (IMVs) and then determines how policy enforcement is carried out. One of the primary issues with TCG-TNC today is industry adoption: almost no one else has demonstrated conformance with the standard, leaving it a risky uphill battle for market acceptance.
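The policy-server step described for the Cisco 802.1x framework (steps 3 to 5, including the Tunnel-Private-Group-ID role variant) and the 802.1x-based Microsoft NAP approach both reduce to the same exchange: the endpoint's posture report arrives inside EAP, a policy server compares it with policy, and the decision is expressed as RADIUS attributes in the Access-Accept. The following Python is an added example of that step and is not code from Cisco, Microsoft or Aruba; the posture fields, the minimum signature version, the VLAN numbers and the role names are assumptions made for the example. The attribute numbers and value encodings are those of RFC 2868 as used for VLAN assignment by RFC 3580.

```python
"""Posture evaluation and RADIUS enforcement attributes for an 802.1X NAC exchange.
Added example, not vendor code. Policy thresholds, VLAN IDs and role names are assumed."""
from dataclasses import dataclass

# RFC 2868 tunnel attributes, as used by RFC 3580 for 802.1X VLAN assignment.
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # VLAN ID as a string, or (Aruba overlay) a role name
VLAN, IEEE_802 = 13, 6

# Assumed policy: what "compliant" means in this example environment.
POLICY = {"min_signature_version": 4210, "require_firewall": True}


@dataclass
class Posture:
    """What CTA or the NAP agent conveys inside EAP (a NAP Statement of Health); fields are assumed."""
    user: str
    av_installed: bool
    av_running: bool
    av_signature_version: int
    firewall_enabled: bool
    malware_found: bool


def evaluate(p: Posture, policy=POLICY):
    """Policy-server step: compare the posture with policy. Returns (compliant, reasons)."""
    reasons = []
    if not p.av_installed:
        reasons.append("anti-malware not installed")
    elif not p.av_running:
        reasons.append("anti-malware installed but not running")
    elif p.av_signature_version < policy["min_signature_version"]:
        reasons.append("anti-malware signatures out of date")
    if policy["require_firewall"] and not p.firewall_enabled:
        reasons.append("host firewall disabled")
    if p.malware_found:
        reasons.append("malware detected on host")   # an infected host is quarantined regardless
    return (not reasons, reasons)


def vlan_attributes(compliant, default_vlan=100, quarantine_vlan=999):
    """Standard enforcement: the switch moves the port to the returned VLAN."""
    vlan = default_vlan if compliant else quarantine_vlan
    return {TUNNEL_TYPE: VLAN, TUNNEL_MEDIUM_TYPE: IEEE_802, TUNNEL_PRIVATE_GROUP_ID: str(vlan)}


def role_attributes(compliant, role="employee", quarantine_role="quarantine"):
    """Role-based enforcement: the same attribute carries a role name that a stateful firewall enforces."""
    return {TUNNEL_PRIVATE_GROUP_ID: role if compliant else quarantine_role}


def encode_tunnel_avp(attr_type, value, tag=1):
    """One RFC 2868 tagged AVP: Type, Length, Tag, then a 3-octet integer or the string bytes."""
    body = bytes([tag]) + (value.to_bytes(3, "big") if isinstance(value, int) else value.encode())
    return bytes([attr_type, 2 + len(body)]) + body


def access_accept(p: Posture, enforcement="vlan"):
    """Return (compliant, reasons, attribute bytes) the RADIUS server would place in Access-Accept."""
    compliant, reasons = evaluate(p)
    attrs = vlan_attributes(compliant) if enforcement == "vlan" else role_attributes(compliant)
    return compliant, reasons, b"".join(encode_tunnel_avp(t, v) for t, v in attrs.items())


if __name__ == "__main__":
    healthy = Posture("alice", True, True, 4300, True, False)
    stale = Posture("bob", True, True, 4000, True, False)
    for p in (healthy, stale):
        ok, why, avps = access_accept(p)
        print(p.user, "compliant" if ok else "quarantine", why, avps.hex())
        print(p.user, "role attribute:", access_accept(p, "role")[2])
```

The VLAN form returns all three tunnel attributes because a switch ignores Tunnel-Private-Group-ID unless Tunnel-Type and Tunnel-Medium-Type accompany it; the role form needs only the group ID, since the enforcement point interprets it as a policy name rather than a bridging domain.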
In-line traffic inspection approaches
A fundamentally different approach to protecting the network from malware is to use network elements (usually switches and network appliances) to inspect traffic for anomalies and known signatures. Because in-line inspection and posture-based access control differ in technique, they are often deployed in parallel to ensure the ongoing health and security of a network: posture checking decides what may connect, while traffic inspection watches what connected hosts actually do.
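The distinction this section draws between signature detection and anomaly detection is easiest to see by running both over the same traffic. The Python below is an added example, not the white paper's or any vendor's detector: a pattern matcher that catches a host whose payload carries a known marker, beside a baseline fan-out check that catches a host sweeping its subnet with a payload no signature matches. The flow records, the signature, the marker string and the baseline counts are all constructed for the example.

```python
"""Signature detection beside anomaly detection over constructed flow records.
Added example; flows, signature and baseline are constructed, not captured traffic."""
import re
from collections import defaultdict
from statistics import mean, pstdev


def sample_flows():
    """Constructed flow records: (src_ip, dst_ip, dst_port, payload_prefix)."""
    flows = [
        ("10.1.1.10", "10.1.2.5", 445, b"SMB2 normal file copy"),
        ("10.1.1.10", "10.1.2.6", 80, b"GET /index.html HTTP/1.1"),
        ("10.1.1.11", "10.1.2.6", 80, b"GET /login HTTP/1.1"),
        # Known variant: the payload carries a marker that a signature exists for.
        ("10.1.1.20", "10.1.2.5", 445, b"MARKER-KNOWN-WORM-V1 (constructed)"),
    ]
    # Mutated variant: sweeps 40 neighbours on port 445 with a payload that matches nothing.
    flows += [("10.1.1.30", f"10.1.2.{i}", 445, b"\x8f\x01 no recognizable bytes") for i in range(1, 41)]
    return flows


# Constructed signature set; a real one holds many patterns keyed by name.
SIGNATURES = {"constructed-worm-v1": re.compile(rb"MARKER-KNOWN-WORM-V1")}


def signature_detect(flows, signatures=SIGNATURES):
    """Known attacks only: every flow's payload is matched against every pattern."""
    hits = []
    for src, _dst, _port, payload in flows:
        for name, pattern in signatures.items():
            if pattern.search(payload):
                hits.append((src, name))
    return hits


def fanout(flows):
    """Distinct (destination, port) pairs each source talked to: the behaviour being baselined."""
    dests = defaultdict(set)
    for src, dst, port, _payload in flows:
        dests[src].add((dst, port))
    return {src: len(d) for src, d in dests.items()}


# Constructed baseline: per-host fan-out observed during a learning window on a healthy network.
BASELINE_FANOUT = [1, 2, 2, 3, 1, 2, 4, 2, 3, 2]


def anomaly_detect(flows, baseline=BASELINE_FANOUT, k=3.0):
    """Flag sources whose fan-out exceeds mean + k standard deviations of the baseline.
    No knowledge of the payload is needed, which is why the mutated variant is caught;
    the price is that any legitimate scanner (inventory, monitoring) trips the same check."""
    threshold = mean(baseline) + k * pstdev(baseline)
    return {src: n for src, n in fanout(flows).items() if n > threshold}


def triage(flows):
    """Combine both detectors: source -> set of reasons it was flagged."""
    reasons = defaultdict(set)
    for src, name in signature_detect(flows):
        reasons[src].add("signature:" + name)
    for src, n in anomaly_detect(flows).items():
        reasons[src].add(f"anomaly:fanout={n}")
    return dict(reasons)


if __name__ == "__main__":
    for src, why in sorted(triage(sample_flows()).items()):
        print(src, sorted(why))
```

Neither detector alone covers both infected hosts: the signature matcher never sees 10.1.1.30, and the fan-out check never sees 10.1.1.20, whose single connection looks like ordinary file-server traffic. A baseline built while the sweep was already under way would raise the threshold and hide the sweep, which is why the learning window has to come from traffic known to be clean.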
The methods used to detect malware usually fall into one of two categories: signature detection and anomaly detection. Signature detection finds known attacks by matching network traffic against established patterns. The obvious flaw of this approach is its inability to detect zero-day attacks that are new, or attacks that modify themselves as they propagate. Anomaly detection should therefore be used in addition to signature detection to recognize attacks that have no existing signature. Anomaly detection looks for deviations from baseline network behavior and predicts which deviations are attacks requiring mitigation; its cost is a false-positive rate that depends on how well the baseline represents normal traffic. One of the major disadvantages of in-line traffic inspection is that the inspecting device can become a bottleneck and fail to meet the performance requirements of network applications. Different deployment models have been proposed to overcome this problem. The most common workaround is to move the inspecting device out of the data path, either by redirecting traffic from a switch using port mirroring or by configuring a device to policy-route specific vulnerable applications to the inspecting device. Note that a device fed by port mirroring sees a copy of the traffic and cannot itself drop a packet; it can only detect and then instruct a separate enforcement point to block or quarantine the host. Vendors providing solutions in this category include Consentry and FireEye.
Establishing identity-based access control
As discussed above, there is a variety of solutions for posture-based access control; the requirement that remains consistently important across all of them is a sophisticated enforcement technique that supports identity-based access control. To achieve this, a good enforcement technique should have the following characteristics:
1. Close proximity to the edge of the network. This is required for enforcement to be truly effective: the further from the client the enforcement point sits, the more of the network an infected host can reach before it is stopped.
2. Firewall-based, role-based enforcement. VLANs should not be used as a security mechanism and should not be the sole mechanism for protecting networks.
3. Simple to manage.
The solution must be manageable. Any solution that increases the operational expense of the network effectively becomes undeployable. The best enforcement solutions are characterized by uniform policy-based access control across all entry points on a network; policy enforcement should not depend on a static point of entry. The network elements that best satisfy these requirements typically integrate authentication and firewall functionality, so that the element can enforce policy based on both the user's credential and the health state/posture of the client.
The power of identity-based security in mobile networks
An interesting trend in enterprise networks is the convergence of mobility and security requirements. While the growth of wireless and remote-access technologies drives the requirement for greater mobility, the same technologies trigger a surge in the number of network vulnerabilities. This forces network designers and administrators to consider mobility and security requirements together rather than separately, and has created the need for an overlay architecture that enables mobility over existing network infrastructures. An overlay infrastructure provides a framework to support any of the network access control solutions outlined in this whitepaper, including posture-based solutions and solutions based on in-line packet inspection. Solutions such as the Aruba Networks Mobile Edge provide an integrated user-based stateful firewall that ensures flexible and secure enforcement of NAC policies.
An effective mobility overlay solution should have the following characteristics:
- Role- and user-based policy enforcement capabilities on the mobile edge of the network
- The ability to interoperate with any of the network access control solutions outlined in this white paper
- Centralized management and troubleshooting capabilities to provide a reasonable operational expense model
- The ability to differentiate between classes of users (such as employee, guest, quarantined, infected, etc.) rather than depending on VLANs for security
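To make the difference between VLAN-based and role-based enforcement concrete, the Python below is an added example, not Aruba's firewall or any product's code, of an enforcement point that binds an authenticated client to the role returned by the NAC server and applies that role's rules to every flow, tracking permitted sessions so that replies pass without a rule of their own. The role names, rule sets and addresses are assumptions, and the remediation subnet is invented for the example.

```python
"""Role-based stateful enforcement at the edge (added example; not product code).
Role names, rules, the remediation subnet and all addresses are assumptions."""
import ipaddress


def nets(*cidrs):
    return tuple(ipaddress.ip_network(c) for c in cidrs)


ANY = ()
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
REMEDIATION = nets("10.9.9.0/24")   # assumed: where patches and AV updates are served

# Per-role rules, evaluated in order, default deny:
# (destination networks or ANY, protocol or "any", destination port or None, action).
ROLE_POLICY = {
    "employee":   [(ANY, "any", None, "permit")],
    "guest":      [(RFC1918, "any", None, "deny"),            # internet only, never the corporate network
                   (ANY, "udp", 53, "permit"), (ANY, "tcp", 80, "permit"), (ANY, "tcp", 443, "permit")],
    "quarantine": [(ANY, "udp", 53, "permit"), (ANY, "udp", 67, "permit"),   # DNS and DHCP
                   (REMEDIATION, "tcp", 443, "permit")],      # and the remediation servers, nothing else
}


class RoleFirewall:
    def __init__(self, policy=ROLE_POLICY):
        self.policy = policy
        self.roles = {}        # client IP -> role, set when the NAC server returns its decision
        self.sessions = set()  # (src, dst, proto, sport, dport) of permitted flows

    def bind(self, ip, role):
        """Called on Access-Accept (e.g. from Tunnel-Private-Group-ID) or after a re-posture.
        Re-binding changes access immediately; the client keeps its VLAN and IP address."""
        if role not in self.policy:
            raise ValueError(f"unknown role {role!r}")
        self.roles[ip] = role
        self.sessions = {s for s in self.sessions if s[0] != ip}   # old sessions die with the old role

    def unbind(self, ip):
        self.roles.pop(ip, None)
        self.sessions = {s for s in self.sessions if s[0] != ip}

    def check(self, src, dst, proto, sport, dport):
        """Return "permit" or "deny" for one packet."""
        if (dst, src, proto, dport, sport) in self.sessions:
            return "permit"                      # reply direction of an established session
        role = self.roles.get(src)
        if role is None:
            return "deny"                        # unauthenticated source: no role, no access
        addr = ipaddress.ip_address(dst)
        for dst_nets, rproto, rport, action in self.policy[role]:
            if dst_nets and not any(addr in n for n in dst_nets):
                continue
            if rproto != "any" and rproto != proto:
                continue
            if rport is not None and rport != dport:
                continue
            if action == "permit":
                self.sessions.add((src, dst, proto, sport, dport))
            return action
        return "deny"


if __name__ == "__main__":
    fw = RoleFirewall()
    fw.bind("10.1.1.60", "quarantine")
    print(fw.check("10.1.1.60", "10.1.2.5", "tcp", 50000, 445))    # deny: internal server
    print(fw.check("10.1.1.60", "10.9.9.10", "tcp", 50001, 443))   # permit: remediation server
    fw.bind("10.1.1.60", "employee")                               # posture now compliant
    print(fw.check("10.1.1.60", "10.1.2.5", "tcp", 50002, 445))    # permit: same IP, no VLAN move
```

The point the example makes is in the last three lines: moving a client from quarantine to employee is a change of binding at the enforcement point, not a change of subnet, so the client is not re-addressed, its existing quarantine sessions are dropped, and the same rule table applies whether the client arrived over WLAN, VPN or a wired port.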
Figure 4 illustrates the various points of entry (and therefore the required points of enforcement) in a mobile network. This is, in fact, a simplified version of what exists in most large-scale enterprise networks. Such networks comprise multiple WLAN mobility controllers located on a single campus and sometimes also in branch offices, which are usually managed separately. Typically, such networks also have individually managed firewalls at each location and a large number of access switches. The cost of managing and updating security policy across all these access mechanisms is a major barrier to implementing most of the access control techniques discussed previously in this white paper.
Figure 4. Disparate solutions (often from single vendors) lead to separately managed enforcement solutions: the headquarters, DMZ and branch/home office each have their own points of network access control/policy enforcement (WLAN controller, VPN) in front of a shared authentication server and the Internet.
There is a much better way to implement mobility with NAC. Figure 5 illustrates a non-disruptive solution that creates a mobility overlay on the existing wired infrastructure. This solution provides access control and policy enforcement across the various access mechanisms without incurring the incremental cost of managing each of them individually. Enforcement policies are configured and managed centrally using a global security construct such as roles and policies, rather than local constructs such as VLANs. Note that this approach to policy enforcement provides a way to enforce any (and, if required, a combination) of the NAC approaches from the different vendors discussed above.
Figure 5. Using an overlay mobility architecture to provide global policy enforcement: headquarters and branch/home office connect through a mobility controller overlay with centrally managed global policy enforcement, against a single authentication server and the Internet.
Conclusion
Network access control initiatives are a necessity for enterprise networks today to ensure that infected devices do not gain access to healthy networks. A variety of solutions are available, the best of which combine tactics to provide defense in depth. OS and anti-virus vendors, not networking vendors, are the natural choice for determining posture. However, to achieve secure identity-based access control in mobile networks, the networking vendor's enforcement technique is arguably just as important as the posture evaluation technique. When designing a network access control initiative, it is important to consider interoperability with the network infrastructure and mobility solutions. NAC initiatives place critical requirements on the devices that constitute the mobile edge, and the mobile infrastructure's ability to support these requirements directly determines a NAC solution's effectiveness.
Even a complete NAC solution based on the ideal combination of components can be undermined if the mobility infrastructure uses an unsophisticated enforcement solution.
As it relates to mobile networks, a NAC implementation is typically best deployed as a non-disruptive solution that creates a mobility overlay on the existing wired infrastructure. This approach is especially compelling because it provides powerful global policy enforcement with centralized management.
About Aruba Networks, Inc.
Aruba Networks is a leading provider of next-generation network access solutions for the mobile enterprise. The company's Mobile Virtual Enterprise (MOVE) architecture unifies wired and wireless network infrastructures into one seamless access solution for corporate headquarters, mobile business professionals, remote workers and guests. This unified approach to access networks enables IT organizations and users to securely address the Bring Your Own Device (BYOD) phenomenon, dramatically improving productivity and lowering capital and operational costs. Listed on the NASDAQ and Russell 2000 Index, Aruba is based in Sunnyvale, California, and has operations throughout the Americas, Europe, Middle East, Africa and Asia Pacific regions. To learn more, visit Aruba at arubanetworks.com. For real-time news updates follow Aruba on Twitter and Facebook, and for the latest technical discussions on mobility and Aruba products visit Airheads Social.
Aruba Networks, Inc., Crossman Avenue, Sunnyvale, CA. info@arubanetworks.com
2013 Aruba Networks, Inc. Aruba Networks trademarks include AirWave, Aruba Networks, Aruba Wireless Networks, the registered Aruba "the Mobile Edge Company" logo, Aruba Mobility Management System, Mobile Edge Architecture, People Move. Networks Must Follow, RFProtect, and Green Island. All rights reserved. All other trademarks are the property of their respective owners. WP_NACMobileNetworks_01XX13
More informationForeScout CounterACT. Device Host and Detection Methods. Technology Brief
ForeScout CounterACT Device Host and Detection Methods Technology Brief Contents Introduction... 3 The ForeScout Approach... 3 Discovery Methodologies... 4 Passive Monitoring... 4 Passive Authentication...
More informationPolicy Management: The Avenda Approach To An Essential Network Service
End-to-End Trust and Identity Platform White Paper Policy Management: The Avenda Approach To An Essential Network Service http://www.avendasys.com email: info@avendasys.com email: sales@avendasys.com Avenda
More informationPOLICY SECURE FOR UNIFIED ACCESS CONTROL
White Paper POLICY SECURE FOR UNIFIED ACCESS CONTROL Enabling Identity, Role, and Device-Based Access Control in a Simply Connected Network Copyright 2014, Pulse Secure LLC 1 Table of Contents Executive
More informationSecuring Virtual Applications and Servers
White Paper Securing Virtual Applications and Servers Overview Security concerns are the most often cited obstacle to application virtualization and adoption of cloud-computing models. Merely replicating
More informationPRODUCT CATEGORY BROCHURE. Juniper Networks SA Series
PRODUCT CATEGORY BROCHURE Juniper Networks SA Series SSL VPN Appliances Juniper Networks SA Series SSL VPN Appliances Lead the Market with Secure Remote Access Solutions That Meet the Needs of Organizations
More informationBanning Wireless Doesn t Stop Users: Understand How to Protect Your Network and Support Wi-Fi Enthusiasts
Banning Wireless Doesn t Stop Users: Understand How to Protect Your Network and Support Wi-Fi Enthusiasts Table of Contents Introduction 3 Implementing no wireless 3 No wireless policies without enforcement
More informationWhitepaper. Securing Visitor Access through Network Access Control Technology
Securing Visitor Access through Contents Introduction 3 The ForeScout Solution for Securing Visitor Access 4 Implementing Security Policies for Visitor Access 4 Providing Secure Visitor Access How it works.
More informationBest Practices for Outdoor Wireless Security
Best Practices for Outdoor Wireless Security This paper describes security best practices for deploying an outdoor wireless LAN. This is standard body copy, style used is Body. Customers are encouraged
More informationNetwork Access Control (NAC)
Solutions Network Access Control (NAC) Allied Telesis provides advanced edge security for Enterprise networks Security Issues The security issues facing Enterprise networks have evolved over the years,
More informationNETWORK ACCESS CONTROL
RIVIER ACADEMIC JOURNAL, VOLUME 3, NUMBER 2, FALL 2007 NETWORK ACCESS CONTROL Arti Sood * Graduate Student, M.S. in Computer Science Program, Rivier College Abstract Computers connected to the Internet
More informationPRODUCT CATEGORY BROCHURE
PRODUCT CATEGORY BROCHURE SA Series SSL VPN Appliances Juniper Networks SA Series SSL VPN Appliances Lead the Market with Secure Remote Access Solutions That Meet the Needs of Organizations of Every Size
More informationSECURING ENTERPRISE NETWORK 3 LAYER APPROACH FOR BYOD
SECURING ENTERPRISE NETWORK 3 LAYER APPROACH FOR BYOD www.wipro.com Table of Contents Executive Summary 03 Introduction 03 Challanges 04 Solution 05 Three Layered Approach to secure BYOD 06 Conclusion
More informationSymantec Advanced Threat Protection: Network
Symantec Advanced Threat Protection: Network DR150218C April 2015 Miercom www.miercom.com Contents 1.0 Executive Summary... 3 2.0 Overview... 4 2.1 Products Tested... 4 2.2. Malware Samples... 5 3.0 How
More informationSecuring the University Network
Securing the University Network Abstract Endpoint policy compliance solutions take either a network-centric or device-centric approach to solving the problem. The body of this paper addresses these two
More informationChapter 1 The Principles of Auditing 1
Chapter 1 The Principles of Auditing 1 Security Fundamentals: The Five Pillars Assessment Prevention Detection Reaction Recovery Building a Security Program Policy Procedures Standards Security Controls
More informationAruba Mobility Access Switch and Arista 7050S INTEROPERABILITY TEST RESULTS:
Aruba and INTEROPERABILITY TEST RESULTS: Aruba and Aruba and Table of Contents Executive summary 3 Scope and methodology 3 Interface connectivity 4 Port channels and link aggregation control protocol (LACP)
More informationClearPass: Understanding BYOD and today s evolving network access security requirements
ClearPass: Understanding BYOD and today s evolving network access security requirements ClearPass: Understanding BYOD and today s evolving network access security requirements Chapter 1: Introduction............................
More informationSecuring end devices
Securing end devices Securing the network edge is already covered. Infrastructure devices in the LAN Workstations Servers IP phones Access points Storage area networking (SAN) devices. Endpoint Security
More informationARCHITECT S GUIDE: Mobile Security Using TNC Technology
ARCHITECT S GUIDE: Mobile Security Using TNC Technology December 0 Trusted Computing Group 855 SW 5rd Drive Beaverton, OR 97006 Tel (50) 69-056 Fax (50) 644-6708 admin@trustedcomputinggroup.org www.trustedcomputinggroup.org
More informationFIREWALL. Features SECURITY OF INFORMATION TECHNOLOGIES
FIREWALL Features SECURITY OF INFORMATION TECHNOLOGIES To ensure that they stay competitive and in order to expand their activity, businesses today know it is in their best interests to open up more channels
More informationBypassing Network Access Control Systems
Bypassing Network Access Control Systems Ofir Arkin Chief Technology Officer Insightix Ltd. September 2006 United States International 945 Concord Street 13 Hasadna Street Framingham, MA 01701 Ra'anana,
More informationThe dramatic growth in mobile device malware. continues to escalate at an ever-accelerating. pace. These threats continue to become more
The dramatic growth in mobile device malware continues to escalate at an ever-accelerating pace. These threats continue to become more sophisticated while the barrier to entry remains low. As specific
More informationNetwork Access Control ProCurve and Microsoft NAP Integration
HP ProCurve Networking Network Access Control ProCurve and Microsoft NAP Integration Abstract...2 Foundation...3 Network Access Control basics...4 ProCurve Identity Driven Manager overview...5 Microsoft
More informationBEST PRACTICES FOR SECURE REMOTE ACCESS A GUIDE TO THE FUTURE
BEST PRACTICES FOR SECURE REMOTE ACCESS A GUIDE TO THE FUTURE The future trend is towards a universal access control model, one which inverts the network so that the protective perimeter is concentrated
More informationSonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity
SSL-VPN Combined With Network Security Introducing A popular feature of the SonicWALL Aventail SSL VPN appliances is called End Point Control (EPC). This allows the administrator to define specific criteria
More informationDeploying Firewalls Throughout Your Organization
Deploying Firewalls Throughout Your Organization Avoiding break-ins requires firewall filtering at multiple external and internal network perimeters. Firewalls have long provided the first line of defense
More informationDriving Operational Efficiency: A Guide to Using AirWave Wireless Management Suite for Service Desk Troubleshooting
Driving Operational Efficiency: A Guide to Using AirWave Wireless Management Suite for Service Desk Troubleshooting Table of Contents Introduction 3 Problem #1: I can t get onto the network 4 Step 1: Has
More informationNetwork Design Best Practices for Deploying WLAN Switches
Network Design Best Practices for Deploying WLAN Switches A New Debate As wireless LAN products designed for the enterprise came to market, a debate rapidly developed pitting the advantages of standalone
More informationJuniper Networks Unified Access Control (UAC) and EX-Series Switches
White Paper Juniper Networks Unified Access Control (UAC) and EX-Series Switches Meeting Today s Security Challenges with End-to-End Network Access Control Juniper Networks, Inc. 1194 North Mathilda Avenue
More informationAddressing BYOD Challenges with ForeScout and Motorola Solutions
Solution Brief Addressing BYOD Challenges with ForeScout and Motorola Solutions Highlights Automated onboarding Full automation for discovering, profiling, and onboarding devices onto both wired and wireless
More informationNAC at the endpoint: control your network through device compliance
NAC at the endpoint: control your network through device compliance Protecting IT networks used to be a straightforward case of encircling computers and servers with a firewall and ensuring that all traffic
More informationCisco Advanced Malware Protection for Endpoints
Data Sheet Cisco Advanced Malware Protection for Endpoints Product Overview With today s sophisticated malware, you have to protect endpoints before, during, and after attacks. Cisco Advanced Malware Protection
More informationCLEARPASS ONGUARD CONFIGURATION GUIDE
CONFIGURATION GUIDE REVISION HISTORY Revised By Date Changes Dennis Boas July 2015 Version 1 initial release TABLE OF CONTENTS... 1 INTRODUCTION... 3 CONFIGURATION WORKFLOW... 4 CONFIGURE POSTURE POLICIES...
More informationSymantec Client Management Suite 8.0
IT Flexibility. User Freedom. Data Sheet: Endpoint Management Overview of Symantec Client Management Suite Symantec Client Management Suite automates time-consuming and redundant tasks for deploying, managing,
More informationUnited Security Technology White Paper
United Security Technology White Paper United Security Technology White Paper 1 Challenges...6 1.1 Security Problems Caused by Mobile Communication...6 1.2 Security Fragmentation Problems...8 2 United
More informationSygate Secure Enterprise and Alcatel
Sygate Secure Enterprise and Alcatel Sygate Secure Enterprise eliminates the damage or loss of information, cost of recovery, and regulatory violation due to rogue corporate computers, applications, and
More informationImplementing Cisco IOS Network Security
Implementing Cisco IOS Network Security IINS v3.0; 5 Days, Instructor-led Course Description Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles
More information» WHITE PAPER. 802.1X and NAC: Best Practices for Effective Network Access Control. www.bradfordnetworks.com
» WHITE PAPER 802.1X and NAC: Best Practices for Effective Network Access Control White Paper» 802.1X and NAC: Best Practices for Effective Network Access Control 1 IEEE 802.1X is an IEEE (Institute of
More informationCisco TrustSec Solution Overview
Solution Overview Cisco TrustSec Solution Overview 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 10 Contents Introduction... 3 Solution Overview...
More informationHow To Use Cisco Identity Based Networking Services (Ibns)
. Data Sheet Identity-Based Networking Services Identity-Based Networking Services Overview Cisco Identity-Based Networking Services (IBNS) is an integrated solution that offers authentication, access
More informationSOFTWARE ASSET MANAGEMENT Continuous Monitoring. September 16, 2013
SOFTWARE ASSET MANAGEMENT Continuous Monitoring September 16, 2013 Tim McBride National Cybersecurity Center of Excellence timothy.mcbride@nist.gov David Waltermire Information Technology Laboratory david.waltermire@nist.gov
More informationCisco Virtualization Experience Infrastructure: Secure the Virtual Desktop
White Paper Cisco Virtualization Experience Infrastructure: Secure the Virtual Desktop What You Will Learn Cisco Virtualization Experience Infrastructure (VXI) delivers a service-optimized desktop virtualization
More informationTrusted Network Connect (TNC)
Trusted Network Connect (TNC) Open Standards for Integrity-based Network Access Control and Coordinated Network Security April 2011 Trusted Computing Group 3855 SW 153rd Drive, Beaverton, OR 97006 Tel
More informationSecure Access into Industrial Automation and Control Systems Industry Best Practice and Trends. Serhii Konovalov Venkat Pothamsetty Cisco
Secure Access into Industrial Automation and Systems Industry Best Practice and Trends Serhii Konovalov Venkat Pothamsetty Cisco Vendor offers a remote firmware update and PLC programming. Contractor asks
More informationSecurity Considerations for DirectAccess Deployments. Whitepaper
Security Considerations for DirectAccess Deployments Whitepaper February 2015 This white paper discusses security planning for DirectAccess deployment. Introduction DirectAccess represents a paradigm shift
More informationACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0
ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0 Module 1: Vulnerabilities, Threats, and Attacks 1.1 Introduction to Network Security
More informationPreparing your network for the mobile onslaught
IBM Global Technology Services Thought Leadership White Paper Preparing your network for the mobile onslaught How networks can overcome the security, delivery challenges posed by mobile devices 2 Preparing
More informationsolution guide DLNA, AIRPLAY AND AIRPRINT ON CAMPUS NETWORKS
DLNA, AIRPLAY AND AIRPRINT ON CAMPUS NETWORKS Table of Contents Warning and Disclaimer Introduction What is Zero Configuration Networking (zeroconf)? What is DLNA? Making DLNA and Bonjour work over WLANs
More informationSolutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance
White Paper Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance Troy Herrera Sr. Field Solutions Manager Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA
More informationEXTENDING THREAT PROTECTION AND CONTROL TO MOBILE WORKERS
EXTENDING THREAT PROTECTION AND WHITEPAPER CLOUD-BASED SECURITY SERVICES PROTECT USERS IN ANY LOCATION ACROSS ANY NETWORK It s a phenomenon and a fact: employees are always on today. They connect to the
More informationSAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)
SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG) A RSACCESS WHITE PAPER 1 Microsoft Forefront Unified Access Gateway Overview 2 Safe-T RSAccess Secure Front-end Overview
More informationBest Practices for Secure Remote Access. Aventail Technical White Paper
Aventail Technical White Paper Table of contents Overview 3 1. Strong, secure access policy for the corporate network 3 2. Personal firewall, anti-virus, and intrusion-prevention for all desktops 4 3.
More informationCisco IT Validates Rigorous Identity and Policy Enforcement in Its Own Wired and Wireless Networks
Cisco IT Article December 2013 End-to-End Security Policy Control Cisco IT Validates Rigorous Identity and Policy Enforcement in Its Own Wired and Wireless Networks Identity Services Engine is an integral
More informationMulti-platform TNC with Radiator, XSupplicant and libtnc
May 1, 2007 Radiator Multi-platform TNC with Radiator, XSupplicant and libtnc Copyright (C) 2007 Open System Consultants Pty. Ltd. This white paper discusses the theory and application of Trusted Network
More informationSecuring the Small Business Network. Keeping up with the changing threat landscape
Securing the Small Business Network Keeping up with the changing threat landscape Table of Contents Securing the Small Business Network 1 UTM: Keeping up with the Changing 2 Threat Landscape RFDPI: Not
More informationSOSPG2. Implementing Network Access Controls. Nate Isaacson Security Solution Architect Nate.Isaacson@cdw.com
SOSPG2 Implementing Network Access Controls Nate Isaacson Security Solution Architect Nate.Isaacson@cdw.com Offer Pa Agenda The BYOD Challenges NAC terms The Big Picture NAC Solutions and Deployment What
More informationReduce Your Virus Exposure with Active Virus Protection
Reduce Your Virus Exposure with Active Virus Protection Executive Summary Viruses are the leading Internet security threat facing businesses of all sizes. Viruses spread faster and cause more damage than
More informationJuniper Networks Solution Portfolio for Public Sector Network Security
SOLUTION BROCHURE Juniper Networks Solution Portfolio for Public Sector Network Security Protect against Network Downtime, Control Access to Critical Resources, and Provide Information Assurance Juniper
More informationWhat s New in Juniper Networks Secure Access (SA) SSL VPN Version 6.4
Page 1 Product Bulletin What s New in Juniper Networks Secure Access (SA) SSL VPN Version 6.4 This document lists the new features available in Version 6.4 of the Secure Access SSL VPN product line. This
More informationCisco Network Admission Control and Microsoft Network Access Protection Interoperability Architecture
Cisco Network Admission Control and Microsoft Network Access Protection Interoperability Architecture Cisco Systems and Microsoft Corporation Published: September 2006 Abstract Cisco Systems, Inc. and
More informationUnified Security TNC EVERYWHERE. Wireless security. Road Warrior. IT Security. IT Security. Conference Room. Surveillance.
Corporate Governance Employee Cube Road Warrior Surveillance Surveillance IT Security Data Center IT Security Conference Room Wireless security Manufacturing and Control TNC EVERYWHERE Unified Security
More informationSSL VPN Technology White Paper
SSL VPN Technology White Paper Keywords: SSL VPN, HTTPS, Web access, TCP access, IP access Abstract: SSL VPN is an emerging VPN technology based on HTTPS. This document describes its implementation and
More informationWHITEPAPER. Addressing Them with Adaptive Network Security. Executive Summary... An Evolving Network Environment... 2. Adaptive Network Security...
WHITEPAPER Top 4 Network Security Challenges in Healthcare Addressing Them with Adaptive Network Security Executive Summary... 1 Top 4 Network Security Challenges Addressing Security Challenges with Adaptive
More informationIntelligent. Data Sheet
Cisco IPS Software Product Overview Cisco IPS Software is the industry s leading network-based intrusion prevention software. It provides intelligent, precise, and flexible protection for your business
More informationNetwork Access Control (NAC) and Network Security Standards
Network Control (NAC) and Network Security Standards Copyright 2011 Trusted Computing Group Other names and brands are properties of their respective owners. Slide #1 Agenda Goals of NAC Standards What
More informationWhy Switch from IPSec to SSL VPN. And Four Steps to Ease Transition
Why Switch from IPSec to SSL VPN And Four Steps to Ease Transition Table of Contents The case for IPSec VPNs 1 The case for SSL VPNs 2 What s driving the move to SSL VPNs? 3 IPSec VPN management concerns
More informationForeScout CounterACT. Continuous Monitoring and Mitigation
Brochure ForeScout CounterACT Real-time Visibility Network Access Control Endpoint Compliance Mobile Security Rapid Threat Response Continuous Monitoring and Mitigation Benefits Security Gain real-time
More informationUsing AirWave RAPIDS Rogue Detection to Implement Your Wireless Security and PCI Compliance Strategy
Using AirWave RAPIDS Rogue Detection to Implement Your Wireless Security and PCI Compliance Strategy Table of Contents Introduction 3 Using AirWave RAPIDS to detect all rogues on your network 4 Rogue device
More informationThe self-defending network a resilient network. By Steen Pedersen Ementor, Denmark
The self-defending network a resilient network By Steen Pedersen Ementor, Denmark The self-defending network - a resilient network What is required of our internal networks? Available, robust, fast and
More informationConquering today s bring-your-own-device challenges
Conquering today s bring-your-own-device challenges Table of Contents A framework for deploying successful BYOD initiatives 3 Shortcomings of current solutions 4 The vision for BYOD access management 5
More information