White Paper. Unify Endpoint and Network Security with McAfee Network Access Control (NAC)

Transcription

1 Unify Endpoint and Network Security with McAfee Network Access Control (NAC)

2 Unified Endpoint and Network Security with McAfee Table of Contents Executive Summary Network Access Control 3 Evolution of NAC 3 Addressing business problems with NAC 4 Guest and contractor access 4 Compliance of employees to IT standards 4 Reduced security problems 4 Usage Scenarios 5 McAfee NAC process 6 McAfee Unified Secure Access 7 Sample network architecture 9 Why choose McAfee? 10 Lowest Operational Cost 10 Leverage Your Existing Investments 10 Summary 10 About McAfee Inc. 10

3 is an approach to computer network security that bridges the gap between the endpoint and the network by ensuring that only known or healthy endpoints are allowed to gain access to a network. NAC protects corporate networks by identifying, assessing, quarantining, and remediating systems prior to network access. This solution brief discusses the significance of NAC as a critical element of corporate security, the McAfee approach to NAC, the technology behind it, and its advantages. Executive Summary Network Access Control The concepts and rationale behind NAC are simple: Control guest and contractor access Ensure all systems are compliant with IT policies Help reduce the impact of malware Protect sensitive data and applications In today s diversified environment, many organizations do not know what or who is connected to their networks. According to InfoWatch, 77 percent of data leaks are caused by insiders and 23 percent through malicious intent. In the drive to expand access to corporate resources to enable third-party collaboration, networks are opened to contractors, visitors, customers, and partners whose machines are not subject to control by the organization. In most cases, there is no enforcement mechanism in place to control end-user access or report on host posture. This gap in corporate policy exposes the enterprise to a range of threats not just from malware, hackers, and malicious users, but also to loss of intellectual property as well as noncompliance with regulatory requirements. Traditional NAC solutions have struggled to achieve mainstream acceptance because they have been too costly to purchase and implement, too complex to manage, or have placed additional burdens on IT resources. A third generation NAC solution that leverages existing investments in infrastructure and simplifies deployment and management is the optimal solution. McAfee Unified Secure Access leverages McAfee epolicy Orchestrator (McAfee epo ) management software as well as our expanding network security product line to achieve the lowest cost of deployment. Its features adapt to any complex corporate network for flexible deployment that detects users identity, endpoint health status, malicious behavior, location. and more to provide an intelligent access control system that allows companies to securely extend network access to suit their business processes. Evolution of NAC First-generation NAC started out as an endpoint checking system to verify endpoint security; appropriate network access was then either allowed or denied. This definition later expanded to include a methods to remediate failed endpoints and then to recheck endpoints periodically after they are admitted. Firstgeneration NAC was an authentication-focused point solution that required major upgrades to network infrastructure, but many companies found that this was too complex and expensive to implement. Later, multiple vendors offered second-generation NAC solutions that leveraged their strengths (endpoint-based or network-based), but this view was limited to solving half of the problem well and the other half not as well. In its second generation, NAC standards such as TNC, IETF and 802.1x were still emerging, so meant that most available solutions were standalone and did not leverage the existing enterprise infrastructure. 3

4 Forrester Research is predicting a huge year ahead for NAC, claiming in a recent report that this watchdog technology is fast becoming a critical component in making many security initiatives efficient and a seamless part of the network infrastructure. (Forrester Research 2008) Even with economic issues reducing demand for IT products across the board, Infonetics estimates that worldwide NAC sales will increase by 21 percent in A vendor-centric product evolution cannot solve these issues. What is needed is a fundamental rethinking of NAC technologies to align with the corporate existing infrastructure and address real business problems. Addressing business problems with NAC After extensive interviews with customers and analyst firms, McAfee sees NAC usage as falling into one of three solution areas. Guest and contractor access With so many unprotected Ethernet ports inside a typical enterprise, companies need to ensure that a visitor plugging into a port is not spreading infection or accessing sensitive network resources. Contractors are a special type of guest that needs more access than a guest but less than an employee. Contractors need to access certain applications or data to do their job, but the risk of the contractor s machine being infected or theft of data is always prevalent. Compliance of employees to IT standards Enterprises have spent millions on security tools only to have self-administering users turn off anti-virus protection, create gaps in their firewall rules, or disable security tools that slow system performance. NAC not only ensures that security controls are in place, but also that IT standards are met. In addition to corporate IT standards, NAC improves compliance with government and industry standards. such as Payment Card Industry Data Security Standard (PCI DSS) and Sarbannes-Oxley (SOX): PCI section 7.1 Requires that companies limit access to computing resources only to those whose job requires it SOX 404 Requires that companies monitor access to the company s financial systems PCI section Requires that companies record entries for all systems for invalid login access attempts While deploying NAC does not alone make a company compliant, a NAC solution with identity-based controls helps support these specific objectives. Reduced security problems By preventing infected or insecure devices and potentially malicious applications from entering your network, security disasters can be mitigated or avoided altogether. A great example can be seen with the Conficker A and B worms, which have infected millions of PCs worldwide. These worms exploit a Microsoft Windows vulnerability for which a patch has been written, but has not been applied in as many as one-third of all Windows systems. Conficker is difficult to remove because it alters PC settings to prevent needed Microsoft patching or connection to remediation websites for removal information. 4

5 Core Applications With NAC in place, machines without appropriate patches could be denied access, and the infected machines would not be able to propagate the malware inside the network. Even if an infected machine does gain access with post-connect monitoring NAC, the behavior of the worm probing and propagating could be blocked or the machine could be knocked offline altogether. Usage Scenarios Through extensive customer evaluation and research, McAfee has developed six key usage scenarios required by medium-size to large organizations. These scenarios should be part of any NAC product evaluation. Important NAC User Scenarios 1. Guest or Contractor Access Visitor or contractor using an unmanaged system NAC Appliance Guests or contractors with their own equipment pose a risk any time they plug into a network. A NAC solution should assess whether an endpoint is a managed employee or an unidentified device and then place that user in the proper subnetwork or guest access portal or provide Internet access only. It should be able to identify contractors by their Microsoft Active Directory credentials and give them appropriate access to the network and applications. Active Directory credentials or gives them appropriate access to the network and applications through a pre-approved guest access portal. The McAfee solution needed for this is the McAfee NAC Appliance or NAC add-on to the McAfee Network Security Platform. 2. Managing Employee Access Assess endpoint health per IT standard ToPS Advanced or McAfee NAC (MNAC) To ensure that endpoints have the correct security configurations, upto-date operating system patches, and other required applications, a method for endpoint health assessment is required. A typical use case of preadmission NAC would be to prevent clients with out-of-date anti-virus signatures from connecting to sensitive servers. The McAfee solution required for this is the McAfee Network Access Control endpoint agent, which is included with McAfee Total Protection(ToPS) for Endpoint-Advanced software suite, or available as a separate purchase. 3. Sustaining the Health of Connected Devices Continual Assessment of Endpoint Configuration ToPS Advanced or McAfee NAC There are many devices that never leave the office, such as desktops, which are usually in a constant state of admission. Post-admission health assessment makes health and enforcement decisions based on user actions or changes in system health state or changes in policy after those users have been granted access to the network. For example, a user may have installed a peer-to-peer application that violates IT policy. Those applications should be scanned for and removed. The McAfee solution required for this is the McAfee NAC endpoint agent, which is included with McAfee Total Protection for Endpoint-Advanced software suite or purchased separately. 5

6 Important NAC User Scenarios 4. Malicious User or Malware Assess all infected or malicious endpoints doing damage IPS+NAC Add-on Machines that have already been admitted to a network can become infected with malware, such as bots or worms. Users can also inadvertently or maliciously install applications that can compromise data. What is required is a NAC system with an integrated intrusion prevention system (IPS) to continuously monitor networks via signatureand behavioral-based analysis. The McAfee solution needed for this is the NAC add-on to Network Security Platform. 5. Unknown or Risky User Behavior User on the network, risking damage or data loss Network User Behavioral Analysis Threats can come from authenticated users who have gained access to a network or who have maliciously bypassed access controls. For example, finance users could have their credentials stolen by a malicious user who then starts to search the network looking for valuable data in the engineering source code or legal department. What is required is a solution that analyzes user behavior against a dynamic baseline, highlights outlying behavior, and provides real-time alerts. The McAfee solution needed for this is the McAfee Network User Behavior Analysis (Securify) 6. Discovery of Unmanaged/ Unmanageable Devices Smart phones, medical devices, printers ToPS Advanced or McAfee NAC Many companies are unaware of all of the devices attached to their networks. Personal laptops, game consoles, medical devices, Linux or Macintosh machines, and unauthorized printers can all exist in the environment and pose a threat. What is required is a solution that scans your network for any unmanaged or unmanageable IP-based device and alert IT staff for action. The McAfee solution needed for this is the rogue system detection capability in ToPS for Endpoint Advanced. When selecting an NAC solution, users should prioritize the business problems and user scenarios they want to solve and consider a solution that examines endpoint health, validates user identity, monitors applications accessed, and detects malicious behavior. McAfee NAC process McAfee Unified Secure Access delivers complete access control by constantly monitoring, assessing, and tracking identity and actions, and by providing post admission control for users and applications for the ultimate control and security of the internal network. The following chart shows the recommended process for deploying and managing NAC. Unified Secure Access Process Step 1: Policy Define health, machine/user identity, application policy Step 5: Monitor Monitor endpoint to ensure ongoing compliance Monitor Remediate Policy Unified Secure Access Discover Step 2: Discover Scan for rogue devices, alert and report Step 4: Remediate Take action based on outcome of policy check or behavior Enforce Step 3: Enforce Pre or Post Admission health against policy is checked. Malicious behavior monitored 6

7 1. Policy The first, and some would say most difficult, part of deploying NAC is to define the people policy ; for example, what happens when a vice-president s anti-virus software is two months out of date? What happens when a contractor in Italy fails an endpoint health assessment? A system that has the granular policy capabilities along with role-based management access is required and McAfee epo fills the bill. 2. Discover Unified Secure Access discovers any IP-based devices on your network, whether unmanaged or unmanageable, such as a game console or medical device. Because Unified Secure Access contains rogue system detection technology, it will find new devices as the network evolves. 3. Endpoint health status Before gaining network access, endpoint devices are checked for system vulnerabilities, security software configuration parameters and more. Further network access decisions are based on the results of this examination. 4. Identity-based access control Access can be easily based on existing organizational roles/users (for example, Microsoft Active Directory). Once endpoints authenticate, they can roam across networks and be managed from a common NAC policy server. 5. Ongoing monitoring Devices are continuously monitored for noncompliant behavior. If detected, a range of remediation options are available. Behavior-based anomaly detection leverages the full power of IPS to knock risky users or machines off the network in real time. McAfee Unified Secure Access A true next-generation NAC solution should leverage and integrate into the existing corporate infrastructure, work with a single, centralized management system, and ensure that machines are compliant both before and after admission to the network. It also must play an integral part in enforcing compliance. A next-generation NAC solution needs to adequately encompass the endpoint strategy to cover all aspects of network access. McAfee has taken these factors into consideration and created a next-generation NAC solution called Unified Secure Access. With the introduction of Unified Secure Access, the promise of NAC has undergone a considerable expansion: now endpoint security, network security, access control, and compliance concerns are addressed through a comprehensive, holistic solution. Unified Secure Access contains the latest technologies, allowing both preadmission and post-admission control of employees, partners, and guests. Because Unified Secure Access supports adaptive policies, it detects (and mitigates when needed) changes on the endpoint, user identities, application access, and it constantly monitors systems for malicious behavior. Adaptive policies are granular and multilevel policies can be managed by multiple IT teams regardless of location. McAfee Unified Secure Access: Drive the Interlock Between Network and System NAC Appliance OR NAC Appliance 7

8 McAfee is also the first security vendor to unify NAC and network intrusion prevention on the same platform. This eases management burden and lowers total cost of ownership (TCO). This unified approach also lowers costs on both hardware and software. System Health Assess a system s compliance to a standard Granular Policy Individualize policy based on geography, user type, organization Machine ID Offer access based upon machine Unified Secure Access Identity Make access decisions based on who the user is Compliance Standard Increase compliance posture by enforcing policy Application or Data Offer access to specific applications or data Behavior Detect bahavioral anomalies Adaptive Policy Technology reduces errors and helps desk calls McAfee adaptive policy technology allows IT managers to tailor security tools to high-risk areas, reducing complexity and errors while increasing scalability and security. Adaptive policy technology goes beyond traditional NAC to monitor, assess, track, establish identity for users, devices, and applications, ensuring ultimate security and control of the network inside and out. Out-of-compliance end nodes can be detected and remediated with little or no intervention by the end user or IT workers. For example, if an employee installs an application that is not allowed, it can be detected at the time of the next NAC scan and then taken off the network, remediated, and returned to the network when it is compliant. Adaptive policy technology expands your security posture by combining multiple security approaches into one NAC solution, such as signature-based detection of host changes and identity- and applications-based technologies. Investment is protected by leveraging currently installed network and system components and by taking advantage of McAfee integrated management through epo. Compliance with internal policies and the ability to prove and even enforce compliance with standards such as Health Insurance Portability and Accountability Act (HIPAA) and PCI is also easily demonstrated with epo. McAfee NAC provides preadmission and post-admission scans that are easily configured to validate the required software and patches so that desktops are updated and functioning. Many of these requirements are supplied as predefined rules within McAfee NAC. Custom rules to check for other software are readily added with an intuitive wizard. Policy groups are created based on dozens of predefined criteria, as well as custom criteria by user, user groups, domains, applications, operating system, central processing unit, subnet, and time zone. These groups can be associated with policies, reports, NAC administrators, notifications, and administrative tasks. NAC policies themselves can include any of the more than 3,000 predefined checks, which can be applied to institution-specific groups. Responses to system noncompliance include auto-remediation, user education and coaching, and redirection to the remediation portal. Unmanaged hosts can be securely provisioned with Unified Secure Access through secure control and pre provisioning for guest access portals. Once admitted to the network, comprehensive post-admission control is available through application protocol, source/destination addresses, ports changing, host posture, and IPS-detected malicious behavior. 8

9 With comprehensive NAC monitoring and reporting included, reports on access logs (who, when, where) and action taken make day-to-day security and compliance management easy, accurate, scalable, and reproducible. Sample network architecture Deployment options are flexible and include both deploying in dynamic host configuration protocol (DHCP) mode or inline behind a virtual private network (VPN) or local area network (LAN) Agent/Host-Hosted Service Network Network/Host Internet Total Protection for Endpoint- Advanced (includes McAfee NAC) epolicy Orchestrator McAfee NAC Appliance Network User Behavioral Analysis appliance for user anomaly analysis 3 NAC Appliance D Mail Servers Guest 3 Appliance 1 Remote Workers and WAN 1 Branch Office 2 Network User Behavior 4 Guest Enterprise Headquarters 1 Managed systems may be quarantined at the system according to policy. Unmanaged systems (rogue and intruders) may be quarantined at network layers two and three, as well as at DHCP and VPN. McAfee NAC provides extensive reporting features. Reports may be run ad hoc or scheduled. They may be viewed, written to disk, or ed, as necessary and are highly customizable with several display options. They can also be saved in several file formats. Several hundred values may be reported on and include details on detection, scanning, compliance, enforcement, and remediation. All reports are configured and run by McAfee epolicy Orcehstrator (epo ) with no dependence on any other reporting infrastructure. Unified Secure Access offers flexible control of all types of network users. Many initial NAC deployments are to control guest users (for example, a guest meeting facility or consultants). Unified Secure Access makes it easy to set up guest networks, but it also scales to even the largest environments. Compared to switch or router-based solutions, which require expensive forklift upgrades to network infrastructure and complex and brittle policy definitions, McAfee Unified Secure Access solutions adapt to the threat level you want to address, the applications you want to protect, the users you want to allow, and the systems you want to conform to your security policies. 9

10 Why choose McAfee? As with any purchase, cost is a significant factor. However, a point solution that requires separate consoles, new endpoint agents, user training, and introduces unreliability into the ecosystem contains hidden costs that can only be fully exposed by looking at the return on investment and whether the solution leverages the existing infrastructure. Lowest Operational Cost One console for endpoint security, compliance, and access control Automatic self-remediation Supports compliance initiatives, such as PCI and SOX; reduced audit time and complexity Leverage Your Existing Investments Simple software add-on to Network Security Platforms Easy upgrade from existing McAfee products (anti-virus, epo) Integrates with Microsoft infrastructure, including Active Directory, NAP, XP, Vista Unified Secure Access provides compelling TCO analysis because it leverages the existing epo infrastructure to deploy and enforce policies. Implementation and training costs are minimal compared to point solutions, and McAfee products do not cause undue network disruption. Unified Secure Access is a simple upgrade from existing McAfee products, rather than a new point product with its own console and a lengthy and expensive deployment project. Based on epo and enterprise-class McAfee Network Security Platform, Unified Secure Access is exceptionally scalable. Summary Most NAC solutions available to date have been complex, costly, inaccurate, non-scalable, and not secure. McAfee Unified Secure Access is the world s first NAC solution to unify endpoint and network security with access control and compliance. Its adaptive policy technology surpasses current NAC solutions by controlling access and securing networks against threats inside and out. McAfee Unified Secure Access simplifies deployment with epo, leverages the ToPS-Advanced single agent, and uses McAfee IPS devices for network enforcement. It provides significant advances in security and compliance with zero additional footprints. Contact McAfee today to see how Unified Secure Access provides the lowest total cost of ownership of any NAC solution on the market. About McAfee Inc. McAfee, Inc., headquartered in Santa Clara, California, is the world s largest dedicated security technology company. McAfee is relentlessly committed to tackling the world s toughest security challenges. The company delivers proactive and proven solutions and services that help secure systems and networks around the world, allowing users to safely connect to the Internet, browse and shop the web more securely. Backed by an award-winning research team, McAfee creates innovative products that empower home users, businesses, the public sector and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. McAfee, Inc Freedom Circle Santa Clara, CA McAfee and/or other noted McAfee related products contained herein are registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the U.S. and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. Any other non-mcafee related products, registered and/or unregistered trademarks contained herein is only by reference and are the sole property of their respective owners McAfee, Inc. All rights reserved. 6132wp_nts_unified-secure-access_0409_fnl_1