Posted on 14-Jun-2020
IT-Symposium 2007 18.04.2007
www.hp-user-society.de 1
© 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Slide 1: ProCurve Access Control Solution 2.0
Holger Hasenaug, Technical Consultant, HP ProCurve Networking, CCIE #6343
Slide 2: Agenda
Comprehensive and Manageable Access Control
• Customer Needs
• ProCurve Access Control Today … And Tomorrow
• ProCurve Identity Driven Manager + Demo
• ProCurve Network Access Controller 800
• Flexible Deployment Options
• Summary
Slide 3: Security Issues are Here to Stay
• Vulnerabilities and incidents continue to rise
• The increasingly mobile workforce and the need for collaboration compound the problem
• The costs to demonstrate business accountability continue to mount
Slide 4: The Great Compromise
[Diagram: a trade-off between performance and ease of operation (better ROI, lower TCO) on one axis and security (lower risk, high availability) on the other. The corners are labelled the Always-On Transparent Trusted Network, the Unusable Network and the Insecure Network.]
Slide 5: What Organizations Need to do Today
• Provide network access control
• Detect and respond to virus attacks from outside and inside the network
• Provide an automated network response to security attacks
• Understand and demonstrate regulatory compliance
• Deploy easy-to-use security solutions that are standards-based and reliable
More Security with Less Complexity
Slide 6: Security Process in Practice
[Diagram: a Protect / Detect / Respond cycle around the Trusted Network Infrastructure, driven by Policies and Validation.]
Slide 7: The Edge is the Enforcement Point
The first point of attachment is the optimal position to enforce policy and detect anomalies.
Emerging distributed applications benefit from special treatment at the point of entry.
Command from the center, control to the edge – the ProCurve Adaptive Edge Architecture.
[Diagram: an Intelligent Edge with per-port distributed processors, commanded from the center; clients, servers, wireless clients and the Internet all attach at the edge.]
Slide 8: Network Access Security User Experience
[Diagram: a guest, an employee and a non-compliant employee in a conference room connect through an edge switch to the enterprise LAN, which holds the anti-virus remediation server, the corporate server and the access policy server. Guest: access only to the Internet at 2 Mbps. Employee: access to the Internet and corporate servers. Non-compliant employee: access only to the anti-virus remediation server.]
Network Administrator:
1. Sets up role-based access policy groups and assigns rules and access profiles:
• Rules that trigger each policy profile: time, location, device ID, client integrity status
• Profile settings: ACL, VLAN, QoS, bandwidth limit
2. Puts users in the appropriate access policy group
Slide 9: Network Access Security User Experience cont.
[Diagram: the same topology as slide 8, now with the employee compliant. Guest: access only to the Internet at 2 Mbps. Employee and compliant employee: access to the Internet and corporate servers. The Network Administrator steps are repeated from slide 8.]
Slide 10: Today’s ProCurve Access Control Solution – Adaptive Access Control Solution
[Diagram: an 802.1X supplicant, a Web-Auth client (HTTP request) or a MAC-Auth client (MAC address) connects to an 802.1X authenticator acting as Policy Enforcement Point (PEP). The authenticator queries a RADIUS authentication server backed by an authentication directory (Active Directory, LDAP); an IDM agent on the RADIUS server talks to the PCM / IDM server, the network management server. ProCurve-owned components: the edge devices and the PCM / IDM server; the RADIUS server and directory are 3rd-party software.]
Policy Enforcement Point (PEP) supported in ProCurve edge devices: 5300 / 5400 / 3400 / 3500, 4100 / 4200, 2600 / 2600-PWR / 2800, 2500, 420 / 530 / WESM
Slide 11: Client Authentication Possibilities
Three methods to authenticate at the “edge”:
• IEEE 802.1X – using 802.1X client software
• Web Authentication – using a web browser only
• MAC Authentication – no client software required; the switch sends the client's MAC address (e.g. 0008A2-1C99C6) to the RADIUS server
[Diagram: all three methods are verified against the RADIUS server, with ProCurve IDM attached to it.]
Slide 12: ProCurve Access Control Solution 2.0 – Identity Driven Manager (IDM) and ProCurve Network Access Controller 800
[Diagram: any 802.1X client (with an installed or on-demand Endpoint Integrity Agent), a Web-Auth client (HTTP request) or a MAC-Auth client (MAC address) connects to an 802.1X authenticator acting as Policy Enforcement Point (PEP). The Network Access Controller 800 hosts the RADIUS server, the IDM agent and the EI policy definitions and is backed by an authentication directory (Active Directory, eDirectory, LDAP); the PCM / IDM server is the network management server. ProCurve-owned components: edge devices, NAC 800 and PCM / IDM server.]
Endpoint tests for:
• operating system versions and updates
• anti-virus and anti-spyware software
• required or prohibited software
And more …
Slide 13: Identity Driven Manager
• Allows easy creation and management of user policy groups for optimizing network performance and increasing user productivity
• Dynamically applies security, access and performance settings at port level based on policies
• IDM adds network reports and logs based on users for audit
Based on => user/group, time, location, device ID, client integrity status
Set => VLAN, bandwidth limit, QoS, ACLs
Slide 14: Identity Driven Manager example
[Diagram: a ProCurve Switch 3500yl (J8692A) connecting the following areas, users and servers; the German labels are translated.]
• Reception: Internet access only; ports 1-4, Web auth.
• 1st floor: HR department + Development; ports 5-8, 802.1X auth.
• 2nd floor: Development; ports 9-12, 802.1X auth.
• Meeting rooms: guests (Internet access), HR department + Development; ports 13-16, 802.1X auth.; Web auth.
• Ports 17 and 18: MAC auth.
• Servers: HR server, development server, network admin server, Internet proxy, Active Directory, RADIUS server, IDM server (host addresses .100, .101, .102, .103, .104)
• Users: hperso (HR department), aeinstein (Development), hhasenau (network admin), gast1 (guest), 000c297837d7 (printer)
• VLAN 2: 2.2.2.0/24 (HR department); VLAN 3: 3.3.3.0/24 (Development); VLAN 4: 4.4.4.0/24 (network admins); VLAN 5: 5.5.5.0/24 (guest, Internet); VLAN 6: 6.6.6.0/24 (IP telephony)
Slide 15: What’s New in Identity Driven Manager v2.2
Manageable Access Control
• Secure Access Wizard
• Dynamic Active Directory Synchronization
• Management and Monitoring of the ProCurve NAC appliance
Comprehensive Access Control
• Unified Access Control – Wireless access enhancements
Slide 16: What’s New – ProCurve Network Access Controller 800
Manageable Access Control
• Access Control in an appliance
• Manageable by PCM+ / IDM management server
Comprehensive Access Control
• Endpoint integrity assessment
• Flexible deployment modes
– RADIUS Authentication (802.1X, WebAuth, MACAuth): the most secure access control
– In-Line: effective for remote access clients
– DHCP: endpoint integrity validation for non-802.1X networks
Slide 17: Network Access Control Appliance
Simplifies deployment by integrating many components of the access control solution into a network appliance
• Network rack-mountable: 1U and shallow-depth
• Authentication service (RADIUS)
• IDM agent for adaptive network access policies
• Local Authentication Directory
• Endpoint integrity assessment
– Automatic updates for integrity rules, security checks, etc.
• Manageable by the PCM+ / IDM management server
Slide 18: Endpoint Integrity Checks
• Antivirus, spyware, firewalls, peer-to-peer, allowed and prohibited programs and services
• OS versions, service packs, hotfixes
• Security settings for browsers and applications
New tests developed and delivered regularly
Slide 19: Endpoint Integrity Tests
Operating systems: Service Packs, Windows 2000 hotfixes, Windows Server 2003 SP1 hotfixes, Windows Server 2003 hotfixes, Windows XP SP2 hotfixes, Windows XP hotfixes, Windows automatic updates
Browser security policy: IE internet security zone, IE local intranet security zone, IE restricted site security zone, IE trusted site security zone, IE version
Security settings: MS Excel macros, MS Outlook macros, MS Word macros, Services not allowed, Services required, Windows Bridge Network Connection, Windows security policy, Windows startup registry entries allowed
P2P and instant messaging: Altnet, AOL Instant Messenger, BitTorrent, Chainsaw, Chatbot, DICE, dIRC, Gator, Hotline Connect Client, IceChat IRC client, ICQ Pro, IRCXpro, Kazaa, Kazaa Lite K++, leafChat, Metasquarer, mIRC, Morpheus, MyNapster, MyWay, NetIRC, NexIRC, Not Only Two, P2PNet.net, PerfectNav, savIRC, Trillian, Turbo IRC, Visual IRC, XFire, Yahoo! Messenger
Personal firewalls: AOL Security Edition, BlackICE Firewall, Computer Associates EZ Firewall, Internet Connection Firewall (pre XP SP2), McAfee Personal Firewall, Panda Internet Security, F-Secure Personal Firewall, Norton Personal Firewall / Internet Security, Sygate Personal Firewall, Symantec Client Firewall, Tiny Personal Firewall, Trend Micro Personal Firewall, ZoneAlarm Personal Firewall, Senforce Advanced Firewall, Windows Firewall
MS Office version check: Microsoft Office XP, Microsoft Office 2003, Microsoft Office 2000
Prohibited software: administrator defined
Required software: administrator defined
Slide 20: Endpoint Integrity Checks
Anti-spyware: Ad-Aware SE Personal, Ad-Aware Plus, Ad-Aware Professional, CounterSpy, McAfee AntiSpyware, Pest Patrol, Spyware Eliminator, Webroot Spy Sweeper, Windows Defender
Anti-virus: NOD32 AntiVirus, AVG AntiVirus Free Ed, Computer Associates eTrust AntiVirus, Computer Associates eTrust EZ AntiVirus, F-Secure AntiVirus, Kaspersky AntiVirus for FileServers, Kaspersky AntiVirus for Workstations, McAfee VirusScan, McAfee Managed VirusScan, McAfee Enterprise VirusScan, McAfee Internet Security Suite 8.0, Norton Internet Security, Trend Micro AntiVirus, Trend Micro OfficeScan Corporate Edition, Sophos AntiVirus, Panda Internet Security, Symantec Corporate AntiVirus
Spyware, worms, viruses and Trojans: CME-24, Keylogger.Stawin, Trojan.Mitglieder.C, VBS.Shania, W32.Beagle.A, W32.Beagle.AB, W32.Beagle.AG, W32.Beagle.AO, W32.Beagle.AZ, W32.Beagle.B, W32.Beagle.E, W32.Beagle.J, W32.Beagle.K, W32.Beagle.M, W32.Beagle.U, W32.Blaster.K.Worm, W32.Blaster.Worm, W32.Doomhunter, W32.Dumaru.AD, W32.Dumaru.AH, W32.Esbot.A.1, W32.Esbot.A.2, W32.Esbot.A.3, W32.Galil.F, W32.HLLW.Anig, W32.HLLW.Cult.M, W32.HLLW.Deadhat, W32.HLLW.Deadhat.B, W32.HLLW.Doomjuice, W32.HLLW.Doomjuice.B, W32.HLLW.Lovgate, W32.Hiton, W32.IRCBot.C, W32.Kifer, W32.Klez.H, W32.Klez.gen, W32.Korgo.G, W32.Mimail.Q, W32.Mimail.S, W32.Mimail.T, W32.Mydoom.A, W32.Mydoom.AX-1, W32.Mydoom.AX, W32.Mydoom.B, W32.Mydoom.M, W32.Mydoom.Q, W32.Netsky.B, W32.Netsky.C, W32.Netsky.D, W32.Netsky.K, W32.Netsky.P, W32.Rusty@m, W32.Sasser.B, W32.Sasser.E, W32.Sasser.Worm, W32.Sircam.Worm, W32.Sober.O, W32.Sober.Z, W32.Welchia.Worm, W32.Zotob.E
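As an added illustration (not the NAC 800's own code) of how the individual tests listed on slides 18 to 20 combine into one pass/fail verdict per endpoint, reporting every failed test so the remediation server can show the user what to fix; the rule names, thresholds, hotfix placeholders and the two sample endpoints are constructed:

```python
"""Endpoint integrity rule evaluation modelled on the test categories of
slides 18-20 (OS/service pack/hotfixes, anti-virus, personal firewall,
prohibited and required programs). Rule names and values are constructed."""
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    name: str
    os: str                       # e.g. "Windows XP"
    service_pack: int
    hotfixes: set = field(default_factory=set)
    antivirus: dict = field(default_factory=dict)   # product -> signature age in days
    firewall_enabled: bool = False
    processes: set = field(default_factory=set)     # running programs


# Administrator-defined policy; the hotfix IDs are obvious placeholders
POLICY = {
    "min_service_pack": {"Windows XP": 2, "Windows 2000": 4},
    "required_hotfixes": {"Windows XP": {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}},
    "approved_antivirus": {"McAfee VirusScan", "Sophos AntiVirus",
                           "Symantec Corporate AntiVirus"},
    "max_signature_age_days": 7,
    "prohibited_programs": {"Kazaa", "BitTorrent", "mIRC"},
    "required_programs": {"CorpAgent"},
}


def evaluate(ep, policy=POLICY):
    """Return (passed, failures). All failed tests are collected, not just
    the first, so remediation can address everything in one pass."""
    failures = []
    min_sp = policy["min_service_pack"].get(ep.os)
    if min_sp is None:
        failures.append(f"unsupported OS: {ep.os}")
    elif ep.service_pack < min_sp:
        failures.append(f"service pack {ep.service_pack} below required SP{min_sp}")
    missing = policy["required_hotfixes"].get(ep.os, set()) - ep.hotfixes
    if missing:
        failures.append("missing hotfixes: " + ", ".join(sorted(missing)))
    approved = {p: age for p, age in ep.antivirus.items()
                if p in policy["approved_antivirus"]}
    if not approved:
        failures.append("no approved anti-virus product")
    elif min(approved.values()) > policy["max_signature_age_days"]:
        failures.append("anti-virus signatures out of date")
    if not ep.firewall_enabled:
        failures.append("personal firewall disabled")
    found = ep.processes & policy["prohibited_programs"]
    if found:
        failures.append("prohibited programs running: " + ", ".join(sorted(found)))
    absent = policy["required_programs"] - ep.processes
    if absent:
        failures.append("required programs missing: " + ", ".join(sorted(absent)))
    return not failures, failures


# Constructed sample endpoints: one compliant, one failing several tests
GOOD = Endpoint("hr-laptop", "Windows XP", 2, {"KB-EXAMPLE-1", "KB-EXAMPLE-2"},
                {"McAfee VirusScan": 1}, True, {"CorpAgent", "outlook.exe"})
BAD = Endpoint("dev-laptop", "Windows XP", 1, {"KB-EXAMPLE-1"},
               {"McAfee VirusScan": 30}, False, {"Kazaa", "mIRC"})
```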
Slide 21: Pre-Connect NAC
• Testing an endpoint device to ensure compliance prior to the endpoint being granted regular access on the network
[Diagram, four steps: the endpoint connects and has no regular network access; the endpoint is tested; the endpoint is found compliant; regular network access is granted.]
Slide 22: Post-Connect NAC
• Network access control where the endpoint device is periodically tested after network access has been granted
– Upon determination of endpoint non-compliance the endpoint device is quarantined for remediation
[Diagram, four steps: the endpoint has regular network access; the endpoint is tested; the endpoint is found not compliant; the endpoint is quarantined for remediation.]
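An added illustration, not code from the product, of the pre-connect and post-connect flows above combined with the VLAN placement rule used later in the deck (Unknown or Failed endpoints on the remediation VLAN, a recent pass on the corporate VLAN); the retest interval, the validity window of a pass and the sample endpoint are assumptions:

```python
"""Endpoint state tracking for pre-connect (slide 21) and post-connect
(slide 22) NAC. RETEST_INTERVAL and PASS_VALIDITY are assumed values."""
RETEST_INTERVAL = 3600        # seconds between post-connect retests (assumed)
PASS_VALIDITY = 8 * 3600      # how long a pass still counts as recent (assumed)


class EndpointRecord:
    def __init__(self, mac):
        self.mac = mac
        self.ei_status = "Unknown"    # Unknown | Passed | Failed
        self.last_test = None         # timestamp of the last EI test
        self.vlan = None              # "remediation" | "corporate"

    def on_authenticate(self, now):
        """802.1X (re)authentication: the VLAN follows the EI status."""
        if self.ei_status == "Passed" and now - self.last_test <= PASS_VALIDITY:
            self.vlan = "corporate"
        else:
            # Unknown, Failed or a stale pass: remediation VLAN and a new test
            if self.ei_status == "Passed":
                self.ei_status = "Unknown"
            self.vlan = "remediation"
        return self.vlan

    def on_test_result(self, now, passed):
        """Outcome of an EI test; returns the action the NAC takes next."""
        self.ei_status = "Passed" if passed else "Failed"
        self.last_test = now
        if passed and self.vlan == "remediation":
            return "reauthenticate"       # pre-connect: move to the corporate VLAN
        if not passed and self.vlan == "corporate":
            self.vlan = "remediation"     # post-connect: quarantine for remediation
            return "quarantine"
        return "none"                     # failed again while quarantined: stay put

    def retest_due(self, now):
        """Post-connect: endpoints holding regular access are retested periodically."""
        return self.vlan == "corporate" and now - self.last_test >= RETEST_INTERVAL


def scenario():
    """Walk one constructed endpoint through both flows; returns the event log."""
    ep = EndpointRecord("00:11:22:33:44:55")      # constructed MAC
    t = RETEST_INTERVAL
    return [
        ep.on_authenticate(0),                   # Unknown -> remediation VLAN
        ep.on_test_result(10, True),             # pre-connect pass -> reauthenticate
        ep.on_authenticate(20),                  # recent pass -> corporate VLAN
        ep.retest_due(20 + t),                   # periodic retest is now due
        ep.on_test_result(20 + t, False),        # post-connect fail -> quarantine
        ep.on_authenticate(25 + t),              # Failed -> remediation VLAN again
    ]
```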
Slide 23: ProCurve NAC 800 Endpoint Integrity Testing Methods
• Methods by which an endpoint can be accessed for the purposes of testing
– Agent-based Permanent – Agent software is installed on each endpoint and is always available for testing
– Agent-based Transient – An agent is downloaded temporarily to the endpoint as required
– Agentless – Uses native applications to provide agent functions
Slide 24: ProCurve NAC 800 Deployment Models – RADIUS Enforcement Mode
Solution Features
• Access to network is controlled by port security (802.1X / MACAuth) on edge devices
• ProCurve NAC enforces endpoint integrity validation of clients
• ProCurve Identity Driven Manager applies Adaptive Network Access policies
[Diagram: the endpoint authenticates via RADIUS through the edge switch to the ProCurve NAC 800; mirrored DHCP traffic is also sent to the NAC 800, which places the endpoint in either the quarantine network or the corporate network.]
Slide 25: ProCurve NAC 800 Deployment Models – Inline-Mode for Remote Access
Solution Features
• Access to network is controlled inline through address filtering by ProCurve NAC
• ProCurve NAC enforces endpoint integrity validation of remote clients
[Diagram: a remote client connects over the Internet to the VPN and RAS gateway; the ProCurve NAC 800 sits inline between the gateway and the corporate network.]
Slide 26: ProCurve NAC 800 Deployment Models – DHCP Enforcement Mode
Solution Features
• Access to network is controlled via DHCP management by ProCurve NAC
• ProCurve NAC enforces Endpoint Integrity validation of DHCP clients
[Diagram: the ProCurve NAC 800 sits between the DHCP server and the endpoint and, through the lease it hands out, places the endpoint in either the quarantine network or the corporate network.]
Presenter note on slide 25 (kevin_porter, 2/7/2007): “This is an alternate view for the previous slide on "InLine Mode for Remote Access". This version removes the firewall, which is common, but not required. This allows for a larger version of the ProCurve NAC product.”
Slide 27: IDM + ProCurve NAC 800 + EI Agents – Adaptive Access Control with Endpoint Integrity
For organizations who want a complete Access Control solution …
• Authenticated users – protects the network from unauthorized users and devices
• Adaptive network access rights – provides appropriate network access based on business policies for the user
• Endpoint Integrity – protects the network from harmful systems and enforces system software requirements
• Ease of deployment and management – enables businesses to implement an effective NAC solution today
Slide 28: IDM and ProCurve NAC Use Models – Adaptive Network Access with Endpoint Integrity
[Diagram: ProCurve NAC 800 with ProCurve NAC Agent licenses, the PCM/IDM server and ProCurve adaptive edge devices serving a corporate VLAN and a remediation VLAN. Endpoint states: Unknown – on the remediation VLAN, to be tested; Failed – on the remediation VLAN, will be retested at next authentication; Passed – connected to the corporate VLAN.]
• Solution includes: IDM, ProCurve NAC 800, and ProCurve NAC EI Agent Licenses
• Remediation VLAN configured on all secured edge ports, in addition to all other company VLANs used
• Clients authenticate via 802.1X, and are placed on a VLAN based on EI status:
– Corporate VLAN if they have recently passed EI testing
– Remediation VLAN if they are Unknown … will be tested now and reauthenticated if they pass the EI test
– Remediation VLAN if they fail EI testing
• IDM also sets ACLs, QoS, and Bandwidth limits based on access policy
• Works for both wired and wireless ProCurve edge devices
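An added example, not IDM's own configuration, of the rule evaluation from slide 8 applied to the VLAN plan of slide 14: group, time, location, device ID and client integrity status select a VLAN/ACL/QoS/bandwidth profile, and the chosen VLAN is rendered as the RFC 3580 tunnel attributes a RADIUS server returns to the authenticator for dynamic VLAN assignment. The rule order, the ACL names, remediation VLAN 99, the business-hours rule and the printer's VLAN are assumptions:

```python
"""IDM-style access policy evaluation. VLANs 2-6 follow slide 14; ACL names,
VLAN 99, the business-hours rule and the printer's profile are assumed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Profile:
    vlan: int
    acl: str
    qos: int                              # 802.1p priority, 0 = best effort
    bw_limit_kbps: Optional[int] = None   # None = no rate limit


REMEDIATION = Profile(99, "remediation-server-only", 0)   # assumed VLAN 99
PROFILES = {
    "hr":       Profile(2, "hr-servers", 3),             # VLAN 2, 2.2.2.0/24
    "dev":      Profile(3, "dev-servers", 3),            # VLAN 3, 3.3.3.0/24
    "netadmin": Profile(4, "permit-any", 5),             # VLAN 4, 4.4.4.0/24
    "guest":    Profile(5, "internet-only", 0, 2000),    # VLAN 5, 2 Mbps (slide 8)
    "phone":    Profile(6, "voice-only", 6),             # VLAN 6, IP telephony
}
GUEST_PORTS = set(range(1, 5)) | set(range(13, 17))      # reception, meeting rooms
# MAC-auth devices keyed by MAC (the slide 14 printer); assumed to sit on the HR VLAN
DEVICE_PROFILES = {"000c297837d7": Profile(2, "print-only", 0)}


def decide(group, port, hour, mac, ei_status):
    """Return (decision, profile); decision is permit, deny or quarantine.
    Rules run in order and the first deny or quarantine wins."""
    # Client integrity status: Unknown and Failed endpoints go to remediation
    if ei_status in ("Unknown", "Failed"):
        return "quarantine", REMEDIATION
    # Device ID rule: a registered MAC-auth device gets its fixed profile
    if mac in DEVICE_PROFILES:
        return "permit", DEVICE_PROFILES[mac]
    # Location rule: guests only on reception and meeting-room ports
    if group == "guest" and port not in GUEST_PORTS:
        return "deny", None
    # Time rule (assumed): HR VLAN only during business hours 07:00-19:00
    if group == "hr" and not 7 <= hour < 19:
        return "deny", None
    profile = PROFILES.get(group)
    if profile is None:                   # group without a policy: no access
        return "deny", None
    return "permit", profile


def radius_attributes(profile):
    """Render the VLAN of a profile as the RFC 3580 tunnel attributes that a
    RADIUS Access-Accept carries for dynamic VLAN assignment on the switch."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(profile.vlan)}
```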
Slide 29: IDM + ProCurve NAC 800 – Adaptive Access Control
For organizations who want to control network users and provide adaptive network access
• Authenticated users – protects the network from unauthorized users and devices
• Adaptive network access rights – provides appropriate network access based on business policies for the user
• Ease of deployment and management – enables businesses to implement an effective NAC solution today
Slide 30: IDM and ProCurve NAC Use Models – Adaptive Network Access
[Diagram: ProCurve NAC 800, the PCM/IDM server on the management VLAN and ProCurve adaptive edge devices serving a faculty VLAN, a student VLAN and a guest VLAN. A faculty member is connected to the faculty VLAN, a student to the student VLAN and a guest to the guest VLAN.]
• Solution includes IDM and ProCurve NAC 800
• Clients authenticate via 802.1X, and are placed on a VLAN based on the IDM access policy
– The IDM access policy can also set ACLs, QoS, and Bandwidth Limits
• Works for both wired and wireless ProCurve edge devices
Slide 31: ProCurve NAC 800 + EI Agents – Access Control with Endpoint Integrity
For organizations who want to enforce system software requirements and protect their network from harmful systems …
• Endpoint Integrity – protects the network from harmful systems and enforces system software requirements
• Authenticated users – protects the network from unauthorized users and devices
• Ease of deployment and management – enables businesses to implement an effective NAC solution today
Slide 32: ProCurve NAC 800 + EI Agents – Access Control with Endpoint Integrity
[Diagram: as on slide 28, ProCurve NAC 800 with ProCurve NAC Agent licenses and ProCurve adaptive edge devices serving a corporate VLAN and a remediation VLAN; endpoint states Unknown (on the remediation VLAN, to be tested), Failed (on the remediation VLAN, retested at next authentication) and Passed (connected to the corporate VLAN).]
• Solution includes: IDM, ProCurve NAC 800, and ProCurve NAC EI Agent Licenses
• Remediation VLAN configured on all secured edge ports, in addition to all other company VLANs used
• Clients authenticate via 802.1X, and are placed on a VLAN based on EI status:
– Corporate VLAN if they have recently passed EI testing
– Remediation VLAN if they are Unknown … will be tested now and reauthenticated if they pass the EI test
– Remediation VLAN if they fail EI testing
• Works for both wired and wireless ProCurve edge devices
Slide 33: IDM and ProCurve NAC 800 Use Models – Enterprise with Remote Office
[Diagram: the main enterprise site with the PCM/IDM server, a ProCurve NAC 800 manager and ProCurve NAC 800 appliances serving a corporate VLAN and a remediation VLAN; a remote office with its own ProCurve NAC 800.]
Slide 34: ProCurve Access Control Solution – Layers of Security
[Diagram: the layers between client and switch, each backed by RADIUS:
• Authentication – RADIUS; 802.1X (802.1X supplicant), Web Auth (web browser), MAC Auth
• Endpoint Integrity – integrity tests of the client
• Authorization – IDM access policy rules: VLAN, ACL, QoS, rate-limit
• Accounting – RADIUS accounting, IDM reports, session counters]
Slide 35: Summary
ProCurve provides a comprehensive and manageable Access Control solution to prevent untrusted network use on both campus and distributed sites
• A deployable and manageable solution
• Suitable for current environments and extensible to future needs
• Protects network from harmful and infected systems
• Enforces business policies regarding network access rights
• Unified access control for LAN, WLAN, and WAN
The ProCurve Access Control solution helps administrators deploy secured network access based on business policy
More Security with Less Complexity