Policy and Configuration Compliance for Devices Connecting to the Wireless Network

Check Point Endpoint Security Strategy

©2004 Check Point Software Technologies Ltd. Proprietary & Confidential

Upload: jane-flowers

Post on 11-Jan-2016


Page 1

Policy and Configuration Compliance for Devices Connecting to the Wireless Network

Check Point Endpoint Security Strategy

Page 2

Agenda

• Trends and Benefits in Wireless LANs
• Endpoint Security Challenges
• 802.1X Authentication
• Securing Wireless LANs with Integrity
• Securing Wireless LANs with SecureVPN
• Summary
• Questions

We’re raising the bar in Endpoint Security!

Page 3

Wireless LAN Forecasts

[Chart: Equipment Revenue (Billions) by year, 2000–2005. Source: IDC, April 2001]

Page 4

The Benefits of Wireless LANs

Business Case for Wireless LANs

• Operational Benefits
  – Higher productivity
  – Increased flexibility
  – New applications
• Financial Benefits
  – Lower deployment costs
  – Increased ROI for wireless-accessible applications

Page 5

Wireless LAN Applications

• Business Applications
  – Retail: kiosks, mobile cash registers
  – Healthcare: triage, billing, mobile patient record access
  – Manufacturing: bar code readers for inventory and shipping, mobile access to diagrams
  – Offices: mobile access to information
• Public Applications
  – Coffee houses, airports, home offices, neighborhood area networks

Page 6

Current Wireless LAN Security

• SSID
• MAC Address Filtering
• Wired Equivalent Privacy (WEP)
  – RC4 encryption algorithm
  – Shared, static encryption key

Page 7

Wireless LAN Insecurity

[Diagram: clients reach the WiFi Access Point over the Radio Link; behind it sit the authorized-access resources: University resource, Financial Data, Student Information]

• Client-client attacks: an access point is not always needed for client-client communication
• Denial of Service
• Port Scanning
• Eavesdropping
• Malicious Code Injection

Page 8

Endpoint Security Challenges

• Endpoint PC vulnerabilities present risk
  – Legitimate, authenticated users may be infected and contagious
  – Laptops returning to the network exacerbate the problem
• Endpoint security is difficult to deploy and manage
  – Existing endpoint security solutions are poorly integrated
  – Access, security and enforcement require separate solutions
• Endpoint IPS is unmanageable
  – Static/server-oriented models are not functional for endpoint PCs
• Network access policy enforcement is difficult for IT to implement
  – Disparate solutions
  – Hardware and software installation required
  – Disparate management

Page 9

End Point Security Requires More than IPS

[Diagram: Endpoint, Network and Application layers]

Endpoint:
• Policy Enforcement
• Application Control
• Intrusion Prevention
• Remediation Assistance

Security Must Be Intelligent, Adaptive and Pre-Emptive

Page 10

Solutions

• Standard 802.1X Authentication
• 802.1X with Integrity Agent
• SecureVPN with Integrity SecureClient

Page 11

Standard EAP Session

Participants: Supplicant, Access Point, RADIUS Server (in the Enterprise Network)

1. Supplicant → Access Point: EAP Start (start EAP authentication)
2. Access Point → Supplicant: EAP Request/ID (ask client for identity)
3. Supplicant → Access Point: EAP Response/ID (UserID)
4. Access Point → RADIUS Server: RADIUS Access Request (access request with UserID)
5. RADIUS Server → Access Point: RADIUS Access Challenge: EAP; Access Point → Supplicant: EAP Request/Challenge
6. Supplicant → Access Point: EAP Response/Password; Access Point → RADIUS Server: RADIUS Reply/Challenge
   (Perform EAP sequence: MD5, TLS, PEAP)
7. RADIUS Server → Access Point: RADIUS Access: Accept; Access Point → Supplicant: EAP Success
   OR, RADIUS Server → Access Point: RADIUS Access: Restrict; Access Point → Supplicant: EAP Success (restricted access)

Page 12

802.1X only Risks

• Identifies the machine or user, not the security profile of the machine.
• An infected machine has “red carpet” access to internal resources.
• No mid-session security check; the check happens only at session creation.

Page 13

EAP Integration with Integrity

Participants: Supplicant (with ***EAP Client Extension), Access Point, RADIUS “Proxy”, RADIUS Server, Integrity Server (in the Enterprise Network)

1. Standard EAP session between Supplicant, Access Point and RADIUS Server, with the RADIUS Proxy in the path: RADIUS Request → RADIUS Server, which replies Accept or Reject.
2. RADIUS Proxy → Access Point: RADIUS Access Challenge: EAP ZLX; Access Point → Supplicant: EAP Request/Challenge: ZLX
3. Supplicant → Access Point: EAP Response/ZLX (policy); Access Point → RADIUS Proxy: RADIUS Reply/Challenge
4. RADIUS Proxy → Integrity Server: Policy Query; the Integrity Server performs a Policy Lookup and answers Proxy (success) or Proxy (failure)
5. RADIUS Proxy → Access Point: RADIUS Access: Accept; Access Point → Supplicant: EAP Success
   OR, RADIUS Proxy → Access Point: RADIUS Access: Restrict; Access Point → Supplicant: EAP Success (restricted access)

Legend:
*** = new components or data extensions
(Std. EAP Session) = EAP existing standard

Page 14

EAP Integration Overview

[Diagram: Wireless LAN with wireless computers (A, each with a firewall) and a W.A.P. (B); Corporate Network with the RADIUS Proxy Server (C2), Policy Server (C) and RADIUS Server (D)]

1. Client computer (A) initiates connection to WAP (B).
2. WAP generates EAP authentication request to RADIUS Proxy Server (C2).
3. RADIUS Proxy Server (C2):
   a. Receives the authentication request and authenticates the client via the RADIUS Server.
   b. Via EAP challenge, acquires the security policy and state from the client computer (A).
   c. Requests Policy Server (D) to approve the client computer’s security policy and state.
4. Policy Server (C):
   a. Validates the security policy and state of the client computer (A).
   b. Decides whether to grant full or restricted access to the client computer.
5. RADIUS Proxy Server (C2) sends client access rights to WAP (B): WAP grants full or restricted access to the network.

Page 15

802.1X + Integrity Agent Benefits

• Checks the security profile of the machine
  – AV
  – Patches / Service Pack
  – Other software
• Infected machine is quarantined from other internal assets: zero-day protection
• Security profile is checked throughout the wireless session; the client can be switched to a Guest VLAN or quarantine VLAN if found to be out of compliance
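To make the proxy-side decision flow of slides 11, 13 and 14 and the mid-session re-check of slide 15 concrete, here is an added simulation in Python; it is not Check Point's code, and the credential store, VLAN ids and message strings are constructed assumptions.

```python
"""Simulated 802.1X/EAP log-on through a RADIUS proxy that adds an endpoint
posture check, plus the mid-session re-check. Added illustration, not Check
Point code: the credential store, VLAN ids and message strings are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

USERS = {"alice": "correct-horse"}   # constructed RADIUS credential store
FULL_VLAN, QUARANTINE_VLAN = 10, 99  # constructed VLAN ids the WAP assigns

@dataclass
class Supplicant:
    user_id: str
    password: str
    compliant: bool   # client's security policy and state pass the policy

def radius_authenticate(user_id: str, password: str) -> bool:
    """Standard EAP credential check performed by the RADIUS Server."""
    return USERS.get(user_id) == password

def policy_server_approves(compliant: bool) -> bool:
    """Policy Server verdict on the state carried in the EAP extension."""
    return compliant

def radius_proxy_logon(s: Supplicant) -> Tuple[List[str], Optional[int]]:
    """Proxy side of the exchange: returns the message trace the WAP sees
    and the VLAN to place the client in (None means Access-Reject)."""
    trace = ["EAP-Request/Identity", f"EAP-Response/Identity({s.user_id})",
             "RADIUS Access-Request"]
    if not radius_authenticate(s.user_id, s.password):
        trace += ["RADIUS Access-Reject", "EAP-Failure"]   # std. EAP failure
        return trace, None
    # Extra challenge round trip that carries the posture query (the ZLX
    # challenge/response on slide 13) before any Accept is issued.
    trace += ["RADIUS Access-Challenge: EAP ZLX", "EAP-Request/Challenge: ZLX",
              "EAP-Response/ZLX(policy)", "PolicyQuery -> Policy Server"]
    if policy_server_approves(s.compliant):
        trace += ["RADIUS Access-Accept", "EAP-Success"]
        return trace, FULL_VLAN
    trace += ["RADIUS Access-Accept (restricted)", "EAP-Success"]
    return trace, QUARANTINE_VLAN   # authenticated, but quarantined

def recheck_session(still_compliant: bool) -> int:
    """Mid-session posture check (slide 15): an endpoint that drifts out of
    compliance is moved to the quarantine VLAN; a compliant one keeps full."""
    return FULL_VLAN if still_compliant else QUARANTINE_VLAN
```

Note that a wrong password never reaches the posture query, and a non-compliant client still authenticates but lands in the quarantine VLAN rather than being rejected.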

Page 16

Integrity Agent Functionality Check List

• Stateful Personal Firewall
• Outbound Threat Protection (Application Control)
• Email and Instant Messaging Security
• Location Aware Policy Switching (Office, Remote)
• HIPS (Host Based IPS)
• Scalable, Flexible Management
• Assured Network Access Policy Enforcement

Page 17

Integrity Agent Functionality (Cont)

Additional Security Policy Compliance Checks

• Anti-Virus
  – Running status (real-time options enabled)
  – Signature file age verification
• Patch
  – Registry value checking
  – File version checking
• Application
  – File version checking
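An added example (not the Integrity Agent's code) of evaluating the checks listed above against a constructed snapshot of an endpoint; the policy rules, registry key, file paths and version numbers are invented placeholders, and the snapshot stands in for what an agent would read from the live machine.

```python
"""Evaluate the slide-17 compliance checks (AV status, signature age, patch
registry value, file versions) against a constructed endpoint snapshot.
Added example, not Check Point code; all keys, paths and versions are invented."""
from datetime import date
from typing import Dict, List

def version_tuple(v: str) -> tuple:
    """'5.1.2600.2180' -> (5, 1, 2600, 2180) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

POLICY = {   # constructed policy a Policy Server might push to the agent
    "av_realtime_required": True,
    "max_signature_age_days": 7,
    "registry_values": {r"HKLM\SOFTWARE\Example\Hotfix\KB-PLACEHOLDER": 1},
    "min_file_versions": {r"C:\Windows\System32\example.dll": "5.1.2600.2180",
                          r"C:\Program Files\ExampleApp\app.exe": "2.0.0.0"},
}

def evaluate(endpoint: Dict, policy: Dict, today: date) -> List[str]:
    """Return the names of the failed checks; an empty list means compliant."""
    failures = []
    av = endpoint["antivirus"]
    if policy["av_realtime_required"] and not (av["running"] and av["realtime"]):
        failures.append("av-running")
    if (today - av["signature_date"]).days > policy["max_signature_age_days"]:
        failures.append("av-signature-age")
    for key, want in policy["registry_values"].items():
        if endpoint["registry"].get(key) != want:       # missing counts as failed
            failures.append(f"registry:{key}")
    for path, minimum in policy["min_file_versions"].items():
        have = endpoint["files"].get(path)              # None when file is absent
        if have is None or version_tuple(have) < version_tuple(minimum):
            failures.append(f"file-version:{path}")
    return failures

# Constructed endpoint snapshot: AV healthy, hotfix registry value missing,
# application one minor version behind the policy minimum.
ENDPOINT = {
    "antivirus": {"running": True, "realtime": True,
                  "signature_date": date(2004, 6, 1)},
    "registry": {},
    "files": {r"C:\Windows\System32\example.dll": "5.1.2600.2180",
              r"C:\Program Files\ExampleApp\app.exe": "1.9.0.0"},
}
```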

Page 18

HIPS Value (Host Intrusion Protection)

• Proactively detects and prevents buffer overflows on the wire
• Supports a variety of protocols
  – Scans potentially compromised parts of the protocol
  – Works on HTTP, FTP, IMAP, SMTP, POP3, NNTP
• Early detection on the network
• Zero-day buffer overflow protection
• Catches:
  – Slammer
  – Blaster
  – CodeRed I & II
  – Nimda
  – and more…

Page 19

SecureVPN for Wireless LANs

• Universal VPN: access anywhere, from a remote location or a wireless LAN
• Integrated security
  – Proven protection of network integrity and information confidentiality
• Smart management

[Diagram: VPN-1 Gateway Solutions, VPN-1 Integrity, SecureClient]

Page 20

VPN Access From Anywhere

• Enables universal VPN access
  – Wireless LAN, Remote Access, Intranet, and Extranet
  – Windows, Pocket PC, clientless VPN

[Diagram: clients connecting across the Internet]

Page 21

Comprehensive Security Assurance

• Provides strong encryption of data
  – DES, 3DES, or Advanced Encryption Standard (AES)
• Protects against unauthorized network access
  – Integrated firewall for gateway and client
  – Flexible authentication
    • Certificates, OS passwords, tokens, biometrics, and more

[Diagram: “Access Denied”]

Page 22

End-to-End Data Confidentiality

• Provides strong encryption of data
  – DES, 3DES, or Advanced Encryption Standard (AES)
• Flexible security options
  – Client-server or client-gateway

[Diagram: VPN-1 Pro, VPN-1 SecureServer, VPN-1 Integrity SecureClient]

Page 23

Smart Management for Wireless LAN Security

• Enables a single policy for all security endpoints
• Lowers the cost of managing wireless LAN VPN
  – Automated software updates for VPN-1 Integrity SecureClient

[Diagram: SmartCenter]

Page 24

Summary

• Corporations and universities are deploying wireless LANs for cost and operational benefits
• Current wireless LAN technologies are inherently insecure
• Check Point SecureVPN solutions provide WLAN security integrated into the enterprise network

Page 25

Thank You

Questions?