Policy Management: The Avenda Approach To An Essential Network Service



Similar documents
Achieving PCI-Compliance through Cyberoam

Data Sheet: Endpoint Security Symantec Network Access Control Comprehensive Endpoint Enforcement

Secure Networks for Process Control

ARCHITECT S GUIDE: Comply to Connect Using TNC Technology

Deploying secure wireless network services The Avaya Identity Engines portfolio offers flexible, auditable management for secure wireless networks.

Network Virtualization Network Admission Control Deployment Guide

Sygate Secure Enterprise and Alcatel

Symantec VIP Integration with ISE

ARCHITECT S GUIDE: Mobile Security Using TNC Technology

SECURING ENTERPRISE NETWORK 3 LAYER APPROACH FOR BYOD

This chapter covers the following topics: Network admission control overview NAC Framework benefits NAC Framework components Operational overview

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Addressing BYOD Challenges with ForeScout and Motorola Solutions

Cisco Virtualization Experience Infrastructure: Secure the Virtual Desktop

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

The self-defending network a resilient network. By Steen Pedersen Ementor, Denmark

WiNG5 CAPTIVE PORTAL DESIGN GUIDE

Network Access Control in Virtual Environments. Technical Note

Payment Card Industry Data Security Standard

Network Access Control ProCurve and Microsoft NAP Integration

Securing Virtual Applications and Servers

Network Access Security It's Broke, Now What? June 15, 2010

Technology Blueprint. Protect Your Servers. Guard the data and availability that enable business-critical communications

Cisco Advanced Services for Network Security

Network Security Policy: Best Practices White Paper

VLANs. Application Note

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

Building A Secure Microsoft Exchange Continuity Appliance

WHITEPAPER. Addressing Them with Secure Network Access Control. Executive Summary... An Evolving Network Environment... 2

Cisco IT Validates Rigorous Identity and Policy Enforcement in Its Own Wired and Wireless Networks

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

Security Considerations for DirectAccess Deployments. Whitepaper

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

Frank Andrus WHITEPAPER. CTO, Bradford Networks. Evolve your network strategy to meet new threats and achieve expanded business imperatives

Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities

Tech Brief. Enterprise Secure and Scalable Enforcement of Microsoft s Network Access Protection in Mobile Networks

Cisco Secure ACS. By Igor Koudashev, Systems Engineer, Cisco Systems Australia 2006 Cisco Systems, Inc. All rights reserved.

Technical Note. ForeScout CounterACT: Virtual Firewall

Citrix Ready Solutions Brief. CA Single Sign-On and Citrix NetScaler: Quickly Adapt to Your Dynamic Authentication Demands. citrix.

WHITEPAPER. Addressing Them with Adaptive Network Security. Executive Summary... An Evolving Network Environment Adaptive Network Security...

Ovation Security Center Data Sheet

Cisco TrustSec Solution Overview

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

RuggedCom Solutions for

Frank Andrus WHITEPAPER. CTO, Bradford Networks. Evolve your network security strategy to meet new threats and simplify IT security operations

Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches

ForeScout CounterACT. Continuous Monitoring and Mitigation

GE Measurement & Control. Cyber Security for NEI 08-09

The governance IT needs Easy user adoption Trusted Managed File Transfer solutions

PCI Solution for Retail: Addressing Compliance and Security Best Practices

Microsoft Windows Server System White Paper

USER GUIDE: MaaS360 Services

Configure ISE Version 1.4 Posture with Microsoft WSUS

Industrial Security Solutions

Application Note Secure Enterprise Guest Access August 2004

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

IP Telephony Management

Securing SIP Trunks APPLICATION NOTE.

WHITE PAPER. Infoblox IPAM Integration with Microsoft AD Sites and Local Services

SOLUTION BRIEF CA TECHNOLOGIES IDENTITY-CENTRIC SECURITY. How Can I Both Enable and Protect My Organization in the New Application Economy?

Total Protection for Compliance: Unified IT Policy Auditing

INTEGRATING SUBSTATION IT AND OT DEVICE ACCESS AND MANAGEMENT

CISCO IOS NETWORK SECURITY (IINS)

How To Protect Your Network From Attack From A Network Security Threat

Secure Access into Industrial Automation and Control Systems Industry Best Practice and Trends. Serhii Konovalov Venkat Pothamsetty Cisco

Beyond Quality of Service (QoS) Preparing Your Network for a Faster Voice over IP (VoIP)/ IP Telephony (IPT) Rollout with Lower Operating Costs

Security Technology: Firewalls and VPNs

Recommended IP Telephony Architecture

Standard: Event Monitoring

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

How To Achieve Pca Compliance With Redhat Enterprise Linux

GFI White Paper PCI-DSS compliance and GFI Software products

SSL VPN Technical Primer

Evolving Network Security with the Alcatel-Lucent Access Guardian

Requirements When Considering a Next- Generation Firewall

Cisco TrustSec How-To Guide: Guest Services

EPICenter Network Management Software

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data

State of Texas. TEX-AN Next Generation. NNI Plan

Using Entrust certificates with VPN

Whitepaper. Securing Visitor Access through Network Access Control Technology

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

Best Practices for Secure Remote Access. Aventail Technical White Paper

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard (PCI / DSS)

Unified Threat Management

BYOD: BRING YOUR OWN DEVICE.

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

Deploying Firewalls Throughout Your Organization

Network Security 1 Module 4 Trust and Identity Technology

About the VM-Series Firewall

CA Anti-Virus r8.1. Benefits. Overview. CA Advantage

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Architecture Overview

SonicWALL PCI 1.1 Implementation Guide

Transcription:

End-to-End Trust and Identity Platform White Paper Policy Management: The Avenda Approach To An Essential Network Service http://www.avendasys.com email: info@avendasys.com email: sales@avendasys.com Avenda Systems, Inc. 2855 Kifer Rd, Suite 102 Santa Clara, California 95051 USA Tel: +1 408.748.1993 Fax: +1 408.748.1997 Avenda Systems India Pvt. Ltd. #797, 3rd Floor, Annapoorna 10th Main, Jayanagar 4th Block Bangalore 560011 India Tel: +91 80.4153.0876/77/78 Fax: +91 80.4153.0879 Copyright 2005-2007 Avenda Systems, Inc. All rights reserved. etips and End-to-End Trust and Identity Platform are trademarks of Avenda Systems, Inc. All other brands or trademarks are the property of their respective holders. Contact Avenda Systems, Inc. for complete specifications and other product related information.

Introduction It may be hard to recall that, in the earliest days of the Internet, there was no built-in service for managing names and resolving names to addresses as there is today with the Domain Name Service (DNS). Before DNS, system administrators managed local hosts files which contained these name-to-address mappings and which had to be manually updated at each system as new hosts were added to the network. Some of this burden was later alleviated with scripts that would periodically distribute a master hosts file to a collection of hosts. Today, no one would consider running anything but a tiny network without a DNS and associated address management services as DHCP. Avenda believes that policy management systems, which today are quite primitive and infantile, will mature and will become an essential service of a well-managed network, just as DNS has. Furthermore, just as the usefulness of DNS now extends far beyond its original scope of statically mapping names to addresses, the usefulness of policy systems will extend far beyond the scope they currently have. Today, most policy systems are essentially RADIUS servers that are used to check users identity and to grant or deny access based on that identity. More recently, some more granular control has been implemented such as the ability to assign a user to a specific virtual LAN (VLAN), or to apply an access control list at the point of access based on the identity of the user. However, policy needs to be applied at multiple points along the communication path including network elements, such as Ethernet switches, wireless access point and VPN gateways, and at multiple application servers such as file servers, Web servers and mail servers. Also, fine grain control over access, such as permission to access a file for read, write, or modify, is also required. While systems and applications provide such policy mechanisms each in its own way and each requiring its own configuration, what is needed is a ubiquitous, end-to-end policy management system that is integrated into and part of the network infrastructure. Avenda was formed to address this need in the market. Our approach is to design and develop products to address immediate customer needs but with an architecture for evolving these products towards the vision of the end-to-end policy management solution. The Immediate Need: Network Access Control In the past couple of years, network access control (NAC) has been recognized to be an essential requirement for running any enterprise network. There have been two drivers for this. The first was the adoption of wireless networking. No longer could access be controlled by physical access to a building or computer room. Instead, the network is required to check the identity of who is connecting to the network. The second is the proliferation of worms, virus and system security breaches. What is needed is control Avenda Systems White Paper 2

over what is connecting to the network and some level of trust that the system has not been compromised. Succinctly said, network access control is the configuration of policies for, and enforcement of access to, the network and its services. Specifically, the purpose of NAC is to control who has access, under what conditions, what level of access should be granted, and to deny access, either proactively or reactively, to unauthorized or misbehaving clients. The purpose, of course, is to prevent unauthorized access to resources and theft of information and prevent malicious destructive activities such as DoS attacks and damaging viruses or worms. Solution Architecture Several NAC frameworks have been recently proposed and are under active development. These include Cisco s Network Access Control (CNAC), Microsoft s Network Access Protection (NAP), and The Trusted Computing Group s Trusted Network Connect (TNC). Also, the IETF has created a working group chartered to address network endpoint assessment (NEA). For each of these frameworks (to the extent they have been specified) the core component is the policy management system. This is the component the administrator interacts with to define network policies and where policy decisions are made. The policy management system then interacts with all the other components to ensure that the defined policies are enforced and to assist in any remediation activities. In order to minimize the administrative overhead and complexity (by avoiding deployment of multiple, disparate policy systems) and to ensure predictable behavior (by avoiding multiple, perhaps inconsistent, policy decisions) it is essential that there be a single, but highly scalable, comprehensive policy management system for the enterprise and one that can accommodate current and future needs of the enterprise. To address this requirement, Avenda has developed the Enterprise Trust and Identity Policy System (etips) to provide this service for any of these NAC frameworks, and even for a deployment comprising multiple frameworks. In keeping with the architecture of these emerging frameworks, etips is designed to be embedded in an end-to-end solution as shown in the figure. Avenda Systems White Paper 3

With this architecture, the policy system integrates with clients requesting access using standard protocols and various support services, such as identity stores and trust verification systems at the backend, also using standard protocols as well as emerging new ones. It works with individual frameworks or in an environment with multiple frameworks. Furthermore, it is a platform that is ready to deploy additional policy management services, such as policy management for applications. The benefits of this solution are described in more detail below. Policy Management and Enforcement With etips The functionality of etips can be described by a workflow of five stages which provides a comprehensive model for policy management. Avenda Systems White Paper 4

Define: In the define stage, as its name suggests, the administrator defines the policies they want to apply to the network and its services. Arbitrary credentials (such as user identity and device state), attributes (such as location and time-ofday), and rules can be specified. Detect: Detection is invoked when some access request is made, such as when a client attempts to connect to the network. In this stage, etips determines the access procedure and set of rules to apply to this client. For example, the procedure for a client requesting access from within the enterprise network may require a username and password for identity checks; the procedure for a client requesting access from an external hotspot may require two-factor identity checks. The results of detection also determine the protocol for the next stage, collection. Collect: Collection is the procedure for gathering all the data required to make a policy decision. This includes credentials and attributes such as identity, level of trust of the device, perhaps location. Enforce: In this stage, etips makes a policy decision based on the gathered data and set of rules that were selected in the collection phase. The result of this Avenda Systems White Paper 5

decision is a policy enforcement profile. This profile is then mapped to specific commands to be pushed to the enforcement devices. Remediate: In some cases, the decision is to deny, or limit access until some remediation action is taken. The etips workflow includes a remediation stage which allows for this remediation to occur and then to be followed by a repeat of the workflow. The result of a remediation decision is to apply some remediation enforcement profile and some commands to the client to assist in its remediation. Depending on the remediation required, this might be automatic (requiring no action from the user) or manual (requiring explicit action from the user). As described above, the etips workflow applies proactive access control. That is, an access control decision is made before granting access. But this workflow is also applicable to reactive access control, that is, access control decisions made after a client has been granted access. In the case of reactive access control, etips repeatedly invokes the workflow based either on a periodic timer or a network event. For each repetition of the workflow additional data may be include in the collection and enforcement stages, such as data obtained from an intrusion detection system. It is useful to highlight some of the key benefits Avenda s solution architecture, specifically as it is implemented by etips. Flexible, extensible policy definition: The administrator can configure attributebased service, role-mapping, health and enforcement policies in a streamlined and uniform manner. Rule definitions can be based on roles, health, time, date, location, access and authentication protocol attributes, identity store attributes, connection method, white and black lists, MAC & IP address lists. The policy definition sub-system can be extended in a running system to add new policy attributes and rules. Powerful rules engine: Behind the workflow is a powerful rules engine designed to act on the extensible policies and rules of the policy definition sub-system. Based on these inputs, the engine determines and abstract enforcement profiles and then converts this to specific enforcement rules. etips supports the ability to simulate policies and place the system in monitor-only mode. This enables the administrator to experiment with complex policies before deploying them in the network. Out-of-band deployment: etips platform sits outside the regular traffic path and makes use of RADIUS and TACACS+ based enforcement as specified by the supported NAC frameworks. Most network devices support these protocols. Network performance and scalability are not impacted, unlike with in-band-based enforcement technologies. In addition, the enforcement of the policy decision is synchronized with the granting of access, unlike with non-integrated protocols such as SNMP. Enforcement with existing infrastructure: Rather than deploying enforcement devices and thereby duplicating the network infrastructure, etips controls enforcement using the capabilities of the existing infrastructure. The abstraction of enforcement attributes enables etips to apply enforcement in a multi-vendor Avenda Systems White Paper 6

network infrastructure and to easily integrate new devices as they are added to the network. Multi-vendor device support: etips can push enforcement commands to any vendor s switches, routers, wireless access points, firewalls and VPN devices using both standard and vendor-specific RADIUS attributes such as VLAN, filter ID for ACLs, Downloadable ACLs, policy based ACLs and others. Enforcement profile abstraction enables administrator to use the same set of rules to enforce access control on different types of devices. Multiple NAC framework support: With its extensible architecture etips natively supports both Cisco NAC and Microsoft NAP frameworks and acts as a unified policy decision point for both frameworks. The enterprise can use best-ofbreed capabilities of either framework and define a single set of policies to control access to network and server elements. The extensible architecture also makes it possible for the etips platform to support standard frameworks, such as TNC, as they evolve. Rich APIs: etips supports a rich set of APIs for configuration and monitoring. This allows third-party applications to interface to the etips policy subsystem. It also makes it possible to configure etips with external scripts, thereby easing the administration overhead. Integrated Remediation: With etips, remediation is fully integrated into the workflow from the definition phased through the decision and enforcement phases. Enterprise-class management and deployment scalability: The platform supports a fully replicated cluster of etips appliances for high availability and load balancing. All members of the cluster can be centrally managed, with support for consolidated dashboard view of all session activities. All configuration changes are replicated throughout the cluster without need for a system restart. Cost-effectiveness: etips uses existing identity stores, network infrastructure and posture validation and audit servers, thus increasing return on existing investment and reducing total cost of ownership. Beyond Network Access Control As stated in the introduction, Avenda believes that policy management services will play an ever increasing role in the day-to-day operations of enterprise networks. Consequently, flexibility and expandability have been primary factors in the design of the etips architecture. From discussions with customers and partners, some additional policy management needs have already been identified. Device Identity: In several situations the devices themselves need to be identified. Policies can then be specified based on device identity as well as user identity. Client provisioning: etips can push policy decisions to the clients themselves allowing the client itself to enforce some of the policies. This might be to Avenda Systems White Paper 7

optimize the device behavior to match the services of the network (such as for quality of service parameters) or for a virtual machine monitor to enforce policies for virtual machines. Application access control: Policies can be specified based on specific application requirements and then applied to the access of those applications. Specifically, different policies might apply for Web access, file access, mail access. In the future, applications will integrate with the policy management system in order to determine application access control Fine-grain control: Within an application, the policy rules and decision might need fine-grain control. For example, read access and write access are likely to have different policies (as is already the case in file systems). Different policies might be applied to different data within the application. Reactive policy definition and enforcement: Various intrusion detection and attack mitigation systems have been deployed and are becoming more prevelant. In the future these will integrate with the policy subsystem sharing the same policy definitions and leveraging the enforcement and logging mechanisms of the policy management system. Summary Network access control has created a demand for improved, more powerful policy management solutions. Avenda has addressed this emerging market with the Enterprise Trust and Identity Policy Management System (etips). Recognizing that access control is a multi-vendor, multi-component solution, etips has been designed to integrate with existing infrastructure and emerging NAC frameworks so as to take advantage of capabilities already embedded in the network. The etips architecture is also well suited to solve future requirements that IT managers will demand as their policy management requirements grow and mature. Avenda Systems White Paper 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information