©2004 Check Point Software Technologies Ltd. Proprietary & Confidential
Policy and Configuration Compliance for Devices Connecting to the Wireless Network
Check Point Endpoint Security Strategy
Agenda
Trends and Benefits in Wireless LANs
Endpoint Security Challenges
802.1X Authentication
Securing Wireless LANs with Integrity
Securing Wireless LANs with SecureVPN
Summary
Questions
We’re raising the bar in Endpoint Security!
Wireless LAN Forecasts
[Chart: Equipment Revenue (Billions) by year, 2000 to 2005; y-axis from 0 to 3.5. Source: IDC, April 2001]
The Benefits of Wireless LANs
Business Case for Wireless LANs
Operational Benefits
– Higher productivity
– Increased flexibility
– New applications
Financial Benefits
– Lower deployment costs
– Increased ROI for wireless-accessible applications
Wireless LAN Applications
Business Applications
– Retail: Kiosks, mobile cash registers
– Healthcare: Triage, billing, mobile patient record access
– Manufacturing: Bar code readers for inventory and shipping, mobile access to diagrams
– Offices: Mobile access to information
Public Applications
– Coffee houses, airports, home offices, neighborhood area networks
Current Wireless LAN Security
SSID
MAC Address Filtering
Wired Equivalent Privacy
– RC4 encryption algorithm
– Shared, static encryption key
Wireless LAN Insecurity
[Diagram: radio link from a WiFi access point to university resources (financial data, student information) reached through authorized access]
Client-client attacks: an access point is not always needed for client-client communication
• Denial of Service
• Port Scanning
• Eavesdropping
• Malicious Code Injection
Endpoint Security Challenges
Endpoint PC vulnerabilities present risk
– Legitimate, authenticated users may be infected & contagious
– Laptops returning to the network exacerbate the problem
Endpoint security is difficult to deploy and manage
– Existing endpoint security solutions are poorly integrated
– Access, security and enforcement require separate solutions
Endpoint IPS is unmanageable
– Static/server-oriented models are not functional for endpoint PCs
Network access policy enforcement is difficult for IT to implement
– Disparate solutions
– Hardware & software installation required
– Disparate management
End Point Security Requires More than IPS
• Policy Enforcement
• Application Control
• Intrusion Prevention
• Remediation Assistance
Security Must Be Intelligent, Adaptive and Pre-Emptive
[Diagram: Endpoint, Network and Application layers]
Solutions
Standard 802.1X Authentication
802.1X with Integrity Agent
SecureVPN with Integrity SecureClient
Standard EAP Session
[Diagram: Supplicant, Access Point, RADIUS Server and Enterprise Network, with the message sequence below]
Supplicant -> Access Point: EAP Start (start EAP authentication)
Access Point -> Supplicant: EAP Request/ID (ask client for identity)
Supplicant -> Access Point: EAP Response/ID (UserID)
Access Point -> RADIUS Server: RADIUS Access Request w/ UserID
RADIUS Server -> Access Point: RADIUS Access Challenge: EAP
Access Point -> Supplicant: EAP Request/Challenge
Supplicant -> Access Point: EAP Response/Password
Access Point -> RADIUS Server: RADIUS Reply/Challenge
Perform EAP sequence (MD5, TLS, PEAP)
RADIUS Server -> Access Point: RADIUS Access: Accept, EAP Success
OR, RADIUS Access: Restrict, EAP Success (restricted access)
802.1X-only Risks
Identifies the machine or user, not the security profile of the machine.
An infected machine has “Red Carpet” access to internal resources.
No mid-session security check; the check happens only at session creation.
EAP Integration with Integrity
[Diagram: Supplicant (with *** EAP Client Extension), Access Point, RADIUS “Proxy”, RADIUS Server, Integrity Server and Enterprise Network; the legend distinguishes new components or data extensions from the existing EAP standard]
Std. EAP session between Supplicant, Access Point and RADIUS Server (RADIUS Request), as on the previous slide
RADIUS Proxy -> Access Point -> Supplicant: EAP Request/Challenge: ZLX (RADIUS Access Challenge: EAP ZLX)
Supplicant -> Access Point -> RADIUS Proxy: EAP Response/ZLX (policy), carried as RADIUS Reply/Challenge
RADIUS Proxy -> Integrity Server: Policy Query; Integrity Server performs Policy Lookup and returns Accept or Reject
Proxy (success): RADIUS Access: Accept, EAP Success
OR, Proxy (failure): RADIUS Access: Restrict, EAP Success (restricted access)
EAP Integration Overview
[Diagram: Wireless LAN with firewall-equipped wireless computers (A) and a W.A.P. (B); Corporate Network with RADIUS Proxy Server (C2), Policy Server (C) and RADIUS Server (D)]
1. Client computer (A) initiates connection to WAP (B).
2. WAP generates EAP authentication request to RADIUS Proxy Server (C2).
3. RADIUS Proxy Server (C2):
   a. Receives the authentication request and authenticates the client via the RADIUS Server.
   b. Via EAP challenge, acquires the security policy and state from the client computer (A).
   c. Requests Policy Server (D) to approve the client computer’s security policy and state.
4. Policy Server (C):
   a. Validates the security policy and state of the client computer (A).
   b. Decides whether to grant full or restricted access to the client computer.
5. RADIUS Proxy Server (C2) sends client access rights to WAP (B): WAP grants full or restricted access to the network.
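The five-step flow above, as an added worked example that is not Check Point's code: a Python simulation in which a RADIUS proxy authenticates the supplicant against a credential store (step 3a), runs one extra EAP challenge/response round to collect the endpoint's security state (step 3b), asks a policy function to validate it (steps 3c and 4) and returns full, restricted or no access to the access point (step 5). The credential store, the two policy rules, the message labels and the component names are all constructed for this example; the real ZLX exchange is only modelled here as a labelled challenge/response pair.

```python
"""Simulated 802.1X/EAP session with a RADIUS proxy that adds an endpoint
policy check. Assumed design modelled on the slide's steps 1-5; every name,
message label and rule below is constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed credential store standing in for the RADIUS Server (step 3a).
RADIUS_USERS = {"alice": "correct-horse", "bob": "battery-staple"}


@dataclass
class Supplicant:
    user: str
    password: str
    # Constructed security state the agent reports in its EAP policy response (step 3b).
    state: Dict[str, object]


@dataclass
class Session:
    log: List[str] = field(default_factory=list)
    result: Optional[str] = None  # "full", "restricted" or "reject"


def radius_server_authenticate(user: str, password: str) -> bool:
    """Step 3a: plain credential check standing in for the real RADIUS Server."""
    return RADIUS_USERS.get(user) == password


def policy_server_validate(state: Dict[str, object]) -> bool:
    """Step 4: a minimal assumed policy: AV real-time protection on and service pack >= 2."""
    return bool(state.get("av_realtime")) and int(state.get("service_pack", 0)) >= 2


def run_session(client: Supplicant) -> Session:
    s = Session()
    # Step 1: client associates with the WAP and starts EAP; WAP asks for identity.
    s.log.append("Supplicant -> WAP: EAP Start")
    s.log.append("WAP -> Supplicant: EAP Request/ID")
    s.log.append(f"Supplicant -> WAP: EAP Response/ID ({client.user})")
    # Step 2: WAP relays the authentication request to the RADIUS proxy.
    s.log.append("WAP -> RADIUS Proxy: RADIUS Access Request w/ UserID")
    # Step 3a: proxy authenticates the client (password challenge abstracted).
    s.log.append("RADIUS Proxy -> Supplicant: EAP Request/Challenge")
    s.log.append("Supplicant -> RADIUS Proxy: EAP Response/Password")
    if not radius_server_authenticate(client.user, client.password):
        s.log.append("RADIUS Proxy -> WAP: RADIUS Access Reject / EAP Failure")
        s.result = "reject"
        return s
    # Step 3b: one extra EAP round acquires the security policy and state.
    s.log.append("RADIUS Proxy -> Supplicant: EAP Request/Challenge (policy)")
    s.log.append("Supplicant -> RADIUS Proxy: EAP Response (policy state)")
    # Steps 3c/4: the policy server validates the state and decides full vs restricted.
    compliant = policy_server_validate(client.state)
    # Step 5: proxy returns the client's access rights to the WAP.
    if compliant:
        s.log.append("RADIUS Proxy -> WAP: RADIUS Access: Accept, EAP Success")
        s.result = "full"
    else:
        s.log.append("RADIUS Proxy -> WAP: RADIUS Access: Restrict, EAP Success (restricted access)")
        s.result = "restricted"
    return s


if __name__ == "__main__":
    # Constructed endpoints: one compliant, one authenticated but out of policy.
    for c in (Supplicant("alice", "correct-horse", {"av_realtime": True, "service_pack": 2}),
              Supplicant("bob", "battery-staple", {"av_realtime": False, "service_pack": 1})):
        sess = run_session(c)
        print("\n".join(sess.log), "\n=>", sess.result, "\n")
```

The point the simulation makes is the one the slide makes against 802.1X alone: a correct password still ends in the restricted branch when the reported state fails policy, and a failed password never reaches the policy check at all.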
802.1X + Integrity Agent Benefits
Checks the security profile of the machine:
– AV
– Patches / Service Pack
– Other Software
An infected machine is quarantined from other internal assets (Zero Day protection).
The security profile is checked throughout the wireless session, and the machine can be switched to a Guest VLAN or quarantine VLAN if found to be out of compliance.
Integrity Agent Functionality Check List
Stateful Personal Firewall
Outbound Threat Protection (Application Control)
Email and Instant Messaging Security
Location Aware Policy Switching (Office, Remote)
HIPS (Host Based IPS)
Scalable, Flexible Management
Assured Network Access Policy Enforcement
Integrity Agent Functionality (Cont)
Additional Security Policy Compliance Checks
Anti-Virus
– Running Status (Real Time Options enabled)
– Signature file age verification
Patch
– Registry Value Checking
– File Version Checking
Application
– File Version Checking
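The compliance checks listed above, together with the in-session re-check and VLAN switch described on the 802.1X + Integrity Agent Benefits slide, as an added example that is not the Integrity agent's code: each check returns a list of failures, a compliant endpoint stays on the corporate VLAN, and a periodic re-evaluation moves it to quarantine once its signatures age past the threshold. The endpoint snapshot, the registry key, the file path, the version threshold and the 7-day signature age limit are all constructed placeholders, not values from the product.

```python
"""Endpoint policy compliance evaluation of the kind the slide lists
(AV running status, signature age, patch registry value, file version),
followed by VLAN assignment and periodic re-evaluation.
Added example; rule values and the endpoint snapshot are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Constructed placeholder rules (not real product keys or paths).
MAX_SIGNATURE_AGE_DAYS = 7
REQUIRED_REGISTRY = (r"HKLM\SOFTWARE\Example\ServicePack", "2")  # (key, expected value)
REQUIRED_FILE = (r"C:\Program Files\Example\app.exe", "1.0.0.0")  # (path, minimum version)


@dataclass
class Endpoint:
    """Snapshot of what an agent would read from the machine (constructed)."""
    av_realtime_enabled: bool
    av_signature_date: date
    registry: Dict[str, str]       # registry key -> value
    file_versions: Dict[str, str]  # file path -> dotted version string


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.1.2600.2180' -> (5, 1, 2600, 2180); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def check_av(ep: Endpoint, today: date) -> List[str]:
    """Running status (real-time protection) and signature file age."""
    failures = []
    if not ep.av_realtime_enabled:
        failures.append("av: real-time protection disabled")
    age = (today - ep.av_signature_date).days
    if age > MAX_SIGNATURE_AGE_DAYS:
        failures.append(f"av: signatures {age} days old (max {MAX_SIGNATURE_AGE_DAYS})")
    return failures


def check_registry(ep: Endpoint, key: str, expected: str) -> List[str]:
    """Patch check by registry value: the key must exist and match exactly."""
    actual = ep.registry.get(key)
    return [] if actual == expected else [f"patch: {key} = {actual!r}, expected {expected!r}"]


def check_file_version(ep: Endpoint, path: str, minimum: str) -> List[str]:
    """Patch/application check by file version: file present and not older than minimum."""
    actual = ep.file_versions.get(path)
    if actual is None:
        return [f"file: {path} missing"]
    if parse_version(actual) < parse_version(minimum):
        return [f"file: {path} is {actual}, minimum {minimum}"]
    return []


def evaluate(ep: Endpoint, today: date) -> List[str]:
    """All checks; an empty list means the endpoint is in compliance."""
    failures = check_av(ep, today)
    failures += check_registry(ep, *REQUIRED_REGISTRY)
    failures += check_file_version(ep, *REQUIRED_FILE)
    return failures


def assign_vlan(failures: List[str]) -> str:
    """Compliant endpoints stay on the corporate VLAN; anything else is quarantined."""
    return "corporate" if not failures else "quarantine"


def monitor(snapshots: List[Tuple[date, Endpoint]]) -> List[str]:
    """Re-evaluate at each point in the session and return the VLAN decided each time."""
    return [assign_vlan(evaluate(ep, day)) for day, ep in snapshots]


if __name__ == "__main__":
    # Constructed endpoint that is compliant on 1 March 2004 but whose
    # signatures are stale by 12 March; the session re-check quarantines it.
    ep = Endpoint(True, date(2004, 2, 27),
                  {REQUIRED_REGISTRY[0]: "2"}, {REQUIRED_FILE[0]: "1.2.0.0"})
    for day in (date(2004, 3, 1), date(2004, 3, 12)):
        print(day, evaluate(ep, day), "->", assign_vlan(evaluate(ep, day)))
```

Two design choices worth keeping: every failure is returned as a string rather than a boolean, so the restricted VLAN's remediation page can tell the user what to fix, and version comparison is numeric tuple comparison, not string comparison, since "1.10.0.0" must sort above "1.9.0.0".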
HIPS Value (Host Intrusion Protection)
Proactively detects and prevents buffer overflows on the wire.
Supports a variety of protocols
– Scans potentially compromised parts of the protocol
– Works on HTTP, FTP, IMAP, SMTP, POP3, NNTP.
Early detection on the network
Zero day buffer overflow protection
Catches:
– Slammer
– Blaster
– CodeRed I & II
– Nimda
– and more…
SecureVPN for Wireless LANs
Universal VPN – Access anywhere from remote location or wireless LAN
Integrated security
– Proven protection of network integrity and information confidentiality
Smart management
[Diagram: VPN-1 Gateway Solutions and VPN-1 Integrity SecureClient]
VPN Access From Anywhere
Enables universal VPN access
– Wireless LAN, Remote Access, Intranet, and Extranet
– Windows, Pocket PC, clientless VPN
[Diagram: clients connecting over the Internet]
Comprehensive Security Assurance
Provides strong encryption of data
– DES, 3DES, or Advanced Encryption Standard (AES)
Protects against unauthorized network access
– Integrated firewall for gateway and client
– Flexible authentication
• Certificates, OS passwords, tokens, biometrics, and more
[Diagram: unauthorized connection attempts shown as “Access Denied”]
End-to-End Data Confidentiality
Provides strong encryption of data
– DES, 3DES, or Advanced Encryption Standard (AES)
Flexible security options
– Client-server or client-gateway
[Diagram: VPN-1 Pro, VPN-1 SecureServer and VPN-1 Integrity SecureClient]
Smart Management for Wireless LAN Security
Enables single policy for all security endpoints
Lowers cost of managing wireless LAN VPN
– Automated software updates for VPN-1 Integrity SecureClient
[Diagram: SmartCenter]
Summary
Corporations and universities are deploying wireless LANs for cost and operational benefits
Current wireless LAN technologies are inherently insecure
Check Point SecureVPN solutions provide WLAN security integrated into the enterprise network
Thank You
Questions?