Slide 1 © 2004 Cisco Systems, Inc. All rights reserved.
KEEPING YOUR NETWORK CLEAN WITH CISCO CLEAN ACCESS (CCA)
Tom Leary - Southeast Sales Specialists
Tom Blodgett - SE
Slide 2
Agenda
• Education Challenges
• Cisco = Security
• Clean Access Overview
• Roadmap
• Demo
Slide 3
Challenges in Education
• Diverse User Community: Students, Staff, Visiting Professors, Conference Attendees
• Balance: Network Security / Core Academic Values
• Pain Points:
Helpdesk
Network down time and crashes due to unmanaged user systems
No effective method of enforcing network policy
• Liability: Criminal and Civil
“Colleges have a well deserved reputation for lax security. As a result they risk increased insurance costs and expensive lawsuits.” - Michael McRobbie - VP of IT, Indiana University
Slide 4
Challenges in Education
• Spiking: Fall/Spring/Winter Semester
• Assets: Medical information; SS#’s
• Network: Wireless and Wireline
• Cost: One virus/worm incident costs $100,000* (*Source: ICSA 2003 Annual Virus Survey)
Sources of infection include:
– Unmanaged student laptops
– Visiting scholars and guests
– Conference attendees
Slide 5
Education Customer Sampling
• 2 Million end users on CCA protected networks
• Over 400 education customers deployed
• Considered “de facto” solution among higher education for network admission control
Slide 6
Cisco is Committed to Security
Last year, we spent $300M in just security R&D, 10% of our R&D budget. ($300M is more than all of the other security vendors, combined.)
We’ve acquired seven security companies since 2002.
All of that technology has made it to the street in short order (Psionics/CTR, Okena/CSA, Twingo, Riverhead/Guard-Detector, Perfigo, Protego).
We are the number one vendor, no matter how you slice it, in firewalls, intrusion detection, and VPN.
We have a long-term vision that is keeping us relevant and on-track (End-point security, Active-X Defense System, Self-Defending Network Initiative).
Slide 7
Security Acquisitions
• Airespace, Inc – Wireless (management and NIDS) – Jan 2005
• Protego – Security Alert Processing – Dec 2004
• Perfigo – Cisco Clean Access – Oct 2004
• Riverhead – Cisco Guard/Detector – Mar 2004
• Twingo – SSL (Clientless) VPN – Mar 2004
  (Twelve in 2004)
• Okena – Cisco Security Agent – Jan 2003 (Four in 2003)
• Psionics – Cisco Threat Response – Oct 2002 (Five in 2002)
• Allegro Systems – VPN Acceleration – Jul 2001 (Two in 2001)
• Arrowpoint – Content Acceleration – May 2000
• Altiga – Remote Access VPN – Jan 2000
• Compatible Systems – Service Provider VPN – Jan 2000
  (Twenty-three in 2000)
• The Wheel Group – 1998
Slide 8
Network Security
Do you have a security policy in place?
Are you enforcing your security policy company wide?
Will your existing networking infrastructure allow you to provide threat defense and enforce your security policy?
Does your security strategy consider desktop to Internet access protection with unified management?
Do you have sufficient control over end users’ desktops and laptops?
Are you currently able to protect against and identify network threats that disrupt your business?
Slide 9
Self Defending Network Strategy
Cisco strategy to dramatically improve the network’s ability to identify, prevent, and adapt to threats
SDN Foundations
SYSTEM LEVEL SOLUTIONS
• Endpoints
• Network
• Services
• Partnerships
CONTINUOUS TECHNOLOGY INNOVATION
• Endpoint Security
• Application Firewall
• SSL VPN
• Network Anomaly Detection
INTEGRATED SECURITY
• Secure Connectivity
• Threat Defense
• Trust & Identity
Slide 10
Cisco NAC Umbrella: Two Models
NAC Framework (Traditional Cisco NAC)
• Sold through NAC-enabled products
• Integrated solution leveraging Cisco network and vendor products
NAC Appliance (Leverages Cisco Clean Access)
• Sold as virtual or integrated appliance
• Self-contained product; integrates with but does not rely on partners
• Offers customers a deployment timeframe choice
• Adapts to customers’ investment protection requirements
Slide 11
Product Overview
Slide 12
What Does Clean Access Do?
Before allowing users onto the network, whether it’s a wired or wireless network, Clean Access:
• RECOGNIZES: users, device, and role (guest, employee, contractor)
• EVALUATES: identifies vulnerabilities on devices
• ENFORCES: eliminates vulnerabilities before network access
Slide 13
Key Cisco Clean Access Features
• Role-based authentication
– Clean Access Server enforces authorization policies and privileges
– Supports multiple user roles (e.g. guests, employees, and contractors)
• Scans for security requirements
– Agent scan for required versions of Hotfixes, AV, and other software
– Network scan for virus and worm infections
– Network scan for port vulnerabilities
• Network quarantine
– Isolate non-compliant machines from rest of network
– MAC & IP-based quarantine effective at a per-user level
• Repair and update
– Network-based tools for vulnerability and threat remediation
– Help-desk Integration
All-in-one policy compliance and remediation solution
Slide 14
Cisco Clean Access Components
• Cisco Clean Access Server
– Formerly CleanMachines SmartServer
– Serves as an inline or out-of-band device for network access control
• Cisco Clean Access Manager
– Formerly CleanMachines SmartManager
– Centralizes management for administrators, support personnel, and operators
• Cisco Clean Access Agent
– Formerly CleanMachines SmartEnforcer
– Optional client for device-based registry scans in unmanaged environments
Slide 15
The Birds-Eye View: Cisco Clean Access
[Diagram: end-user host, Cisco Clean Access Server, Cisco Clean Access Manager, Authentication Server, and the Intranet/Network (the goal).]
1. End user attempts to access a web page or uses an optional client
• Network access is blocked until end user provides login information
2. User is redirected to a login page
• Clean Access validates username and password; also performs device and network scans to assess vulnerabilities on the device
3a. Device is non-compliant or login is incorrect: Quarantine role
• User is denied access and assigned to a quarantine role with access to online remediation resources
3b. Device is “clean”
• Machine gets on “clean list” and is granted access to network
Slide 16
End User Experience: with Agent
1. Login screen
2. Scan is performed (types of checks depend on user role)
3. Scan fails
4. Remediate
Slide 17
End User Experience: Web-based
1. Login screen
2. Scan is performed (types of checks depend on user role/OS)
3. Click-through remediation
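As an added example (not Cisco code, and not the real Clean Access rule catalogue), the following Python models the role-dependent scan behind slides 13, 15, 16 and 17: the role established at login selects a set of checks, the agent's report of antivirus product/version and installed hotfixes is evaluated against them, and the outcome is either the clean list or the quarantine role with a remediation list. The policy layout, role names, product version thresholds and the hotfix identifiers (HF-001, HF-002) are constructed for the illustration.

```python
# Role-based posture evaluation modelled on the Clean Access flow
# (login -> scan selected by role -> clean list, or quarantine + remediation).
# Added example, not Cisco code. The policy layout, role names, product
# version thresholds and hotfix identifiers are constructed for illustration.


def parse_version(text):
    """Convert '10.1.3' to (10, 1, 3); non-numeric suffixes such as 'i' are ignored."""
    parts = []
    for piece in str(text).split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(have, need):
    """Numeric comparison: '10.0' >= '9.5' and '10.0' >= '10' both hold."""
    h, n = parse_version(have), parse_version(need)
    width = max(len(h), len(n))
    return h + (0,) * (width - len(h)) >= n + (0,) * (width - len(n))


# Constructed policy: each role maps to the checks that run after login.
# Guests only need a supported antivirus; employees also need hotfixes.
POLICY = {
    "guest": [
        {"check": "antivirus",
         "products": {"Norton AntiVirus": "9.0", "McAfee VirusScan Enterprise": "7.0"},
         "remedy": "Install a supported antivirus product"},
    ],
    "employee": [
        {"check": "antivirus",
         "products": {"Norton AntiVirus": "10.0", "McAfee VirusScan Enterprise": "7.1"},
         "remedy": "Upgrade antivirus to the required version"},
        {"check": "hotfix",
         "required": ["HF-001", "HF-002"],          # constructed identifiers
         "remedy": "Install missing critical Windows updates"},
    ],
}


def evaluate_posture(role, report):
    """Return ('clean', []) or ('quarantine', [remediation items]).

    `report` is what the agent or network scan produced, for example
    {"antivirus": {"product": "Norton AntiVirus", "version": "10.1"},
     "hotfixes": {"HF-001"}}.
    A role with no policy fails closed: no rules means no access.
    """
    checks = POLICY.get(role)
    if checks is None:
        return "quarantine", [f"No posture policy defined for role '{role}'"]

    failures = []
    for rule in checks:
        if rule["check"] == "antivirus":
            av = report.get("antivirus") or {}
            need = rule["products"].get(av.get("product"))
            # Unknown product, or known product below the threshold, fails.
            if need is None or not version_at_least(av.get("version", "0"), need):
                failures.append(rule["remedy"])
        elif rule["check"] == "hotfix":
            installed = set(report.get("hotfixes", ()))
            missing = sorted(set(rule["required"]) - installed)
            if missing:
                failures.append(f"{rule['remedy']}: {', '.join(missing)}")
    return ("clean", []) if not failures else ("quarantine", failures)


if __name__ == "__main__":
    # Constructed agent report for one student laptop.
    laptop = {"antivirus": {"product": "Norton AntiVirus", "version": "9.5"},
              "hotfixes": {"HF-001"}}
    for role in ("guest", "employee", "contractor"):
        print(role, evaluate_posture(role, laptop))
```

Two choices matter in practice: a role without a policy fails closed rather than open, and the version comparison is numeric, so "10.0" is not ordered below "9.x" the way a string comparison would order it. The same laptop passes as a guest and is quarantined as an employee, which is the role-dependent behaviour slides 16 and 17 describe.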
Slide 18
Pre-Configured Clean Access Checks
Critical Windows Update
– Windows XP, Windows 2000, Windows 98, Windows ME
Symantec
– Norton AntiVirus 2005 v. 11.0.x
– Norton AntiVirus 2004 v. 10.x
– Norton AntiVirus 2004 Professional v. 10.x
– Norton Internet Security 2004
– Norton AntiVirus 2003 v. 9.x
– Norton AntiVirus 2003 Professional v. 9.x
– Norton AntiVirus 2002 Professional v. 8.x
– Norton AntiVirus Corporate Edition v. 7.x
– Symantec Internet Security 2005 Edition 8.0.x
– Symantec AntiVirus Scan Engine Edition 8.0.x
– Symantec AntiVirus Corporate Edition v. 9.x
– Symantec AntiVirus Corporate Edition v. 8.x
Sophos
– Sophos Anti-Virus Enterprise v. 3.x
McAfee
– McAfee VirusScan Enterprise v. 8.0i beta
– McAfee VirusScan Enterprise Edition v. 7.5
– McAfee VirusScan Enterprise Edition v. 7.1
– McAfee VirusScan Enterprise Edition v. 7.0
– McAfee VirusScan Enterprise Edition v. 4.5.x
– McAfee VirusScan Professional Edition v. 8.0.x
– McAfee VirusScan Professional Edition v. 7.x
– McAfee VirusScan ASaP
Trend Micro
– Trend Micro Internet Security v. 12.x
– Trend Micro Internet Security v. 11.2
– Trend Micro Internet Security v. 11.0
– Trend Micro OfficeScan Corporate Edition v. 6.x
– Trend Micro OfficeScan Corporate Edition v. 5.x
– Trend Micro PC-Cillin 2004
– Trend Micro PC-Cillin 2003
Cisco Systems
– Cisco Security Agent v. 4.x
Clean Access allows customers to add custom checks for other applications
Slide 19
Pre-Configured Checks (cont’d)
Computer Associates (eTrust)
– Computer Associates eTrust Antivirus v. 7.x
– Computer Associates eTrust EZ Antivirus v. 6.2.x
– Computer Associates eTrust EZ Antivirus v. 6.1.x
F-Secure
– F-Secure Anti-Virus for Workstations TBYB 5.x
– F-Secure Anti-Virus Client Security 5.x
– F-Secure Anti-Virus 2004 5.x
Panda
– Panda Titanium Anti-Virus 2004 v. 3.x
– Panda Anti-Virus Platinum v. 7.x
– Panda Anti-Virus Platinum v. 6.x
– Panda Internet Security Platinum v. 8.x
– Panda Anti-Virus Light v. 1.9x
Kaspersky
– Kaspersky Anti-Virus Personal v. 5.x
– Kaspersky Anti-Virus Personal v. 4.x
– Kaspersky Anti-Virus Personal Pro v. 4.x
Authentium
– Authentium Command Anti-Virus Enterprise 4.x
SOFTWIN (BitDefender)
– BitDefender Free Edition v. 7.x
– BitDefender Standard/Professional Edition 7.x
– BitDefender Standard v. 8.0.x
– BitDefender Professional Plus v. 8.0.x
Grisoft (AVG)
– AVG Antivirus v. 7.0
– AVG Antivirus v. 6.0
– AVG Antivirus v. 6.0 Free Edition
Frisk Software International
– F-Prot Antivirus v. 3.x
SalD
– DrWeb Antivirus v. 4.31b
Eset
– NOD32 Antivirus system NT/2000/2003/XP 2.0
Zone Labs
– ZoneAlarm with Antivirus v. 5.x
Slide 20
Inline Deployment Options
Features:
• VLAN trunking support
• ~1 GB/sec throughput support
• Failover support
[Diagram: Intranet behind a Border Router, Firewall, and Core Switch, with an Authentication Server and the CCA Manager; three CCA Server placements are shown: Routed Central Deployment, Bridged Central Deployment, and Edge Deployment.]
Slide 23
Multiple Deployment Options
Out-of-band: For high throughput environments, for deployment in
• Campus Environments
• Branch Offices
• Extranet environments
• Highly routed environments
Inline: Supports environments including
• Wireless
• Hubs
• Shared Media
Slide 24
CCA: User Access, Non-certified Machine
[Diagram: host with CCA Agent, access Switch, CCA Manager, CCA Server, Network.]
1. End user attaches host to network
2. Switch sends MAC address via SNMP-based alert to CCA Manager
3. CCA Manager decides whether host has been previously certified; if NO, CCA Manager instructs switch to put device on quarantine VLAN
4. CCA Server acts as a gateway or bridge for the quarantine VLAN; CCA Server intercepts device request and performs posture assessment and remediation
5. CCA Server certifies MAC address and forwards to CCA Manager
6. CCA Manager instructs switch to change to the appropriate VLAN
7. Host is granted access to network
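The seven-step out-of-band flow above, as an added Python example that is not Cisco's code: an in-memory stand-in for the access switch and for the CCA Manager's certified-device list, with the SNMP notification and the VLAN change replaced by method calls. The VLAN numbers, MAC addresses, the port-binding rule and the CERT_TTL re-certification timer are constructed for the example.

```python
# Out-of-band admission control modelled on the seven-step flow above.
# Added example, not Cisco code. The event shape, VLAN numbers, MAC
# addresses, port binding and re-certification timer are constructed.
# A real deployment learns the MAC from the switch over SNMP and changes
# the port VLAN over SNMP; both are replaced here by an in-memory stub.

import time

ACCESS_VLAN = 100          # constructed "appropriate" VLAN for clean hosts (step 6)
QUARANTINE_VLAN = 900      # constructed quarantine VLAN behind the CCA Server (step 4)
CERT_TTL = 8 * 3600        # constructed: a certified MAC is re-assessed after 8 hours


class FakeSwitch:
    """Stand-in for the access switch: records the VLAN set on each port."""

    def __init__(self):
        self.port_vlan = {}

    def set_port_vlan(self, port, vlan):
        self.port_vlan[port] = vlan


class CCAManager:
    """Holds the certified-device list and drives the switch's VLAN assignment."""

    def __init__(self, switch, clock=time.time):
        self.switch = switch
        self.clock = clock
        # mac -> (port, certified_at). Certification is bound to the port on
        # which posture assessment happened; the same MAC on another port is
        # treated as a new host and re-assessed (constructed rule).
        self.certified = {}

    def mac_notification(self, port, mac):
        """Steps 2-3: the switch reports a MAC on a port; choose the VLAN."""
        mac = mac.lower()
        entry = self.certified.get(mac)
        if entry and entry[0] == port and self.clock() - entry[1] < CERT_TTL:
            self.switch.set_port_vlan(port, ACCESS_VLAN)       # steps 6-7
            return "access"
        self.certified.pop(mac, None)                          # stale or moved
        self.switch.set_port_vlan(port, QUARANTINE_VLAN)       # step 3, "If NO"
        return "quarantine"

    def server_certified(self, port, mac):
        """Steps 5-6: the CCA Server reports that the host passed assessment."""
        mac = mac.lower()
        if self.switch.port_vlan.get(port) != QUARANTINE_VLAN:
            # Only a host that is actually sitting on the quarantine VLAN
            # (and therefore went through the CCA Server) can be certified.
            return False
        self.certified[mac] = (port, self.clock())
        self.switch.set_port_vlan(port, ACCESS_VLAN)
        return True


if __name__ == "__main__":
    switch = FakeSwitch()
    manager = CCAManager(switch)
    mac = "00:11:22:33:44:55"                  # constructed
    print("step 2-3:", manager.mac_notification("Fa0/1", mac), switch.port_vlan)
    print("step 5-6:", manager.server_certified("Fa0/1", mac), switch.port_vlan)
    print("reconnect:", manager.mac_notification("Fa0/1", mac))
    print("other port:", manager.mac_notification("Fa0/2", mac), switch.port_vlan)
```

Because the only key the Manager holds is a MAC address, the example binds each certification to the switch port where the assessment happened and expires it: a certified MAC that reappears on a different port goes back through quarantine, and the Server's certification is accepted only for a port that is actually on the quarantine VLAN. A host can set its own MAC address, so rules like these narrow, but do not close, the window in which a second device could present an already-certified address; that is the trade-off behind the per-MAC quarantine on slide 13.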
Slide 26
CCA: Other Roadmap Items
• In-line L3 multi-hop support (Jul 2005)
• Remote Access support (Jul 2005)
• Wireless support for Airespace (avail now)
• Wireless support for VPN (avail now)
• Enhanced support for Anti-Spyware apps (Jul 2005)
• NAC Appliance for the commercial market (Sep 2005)
• Auto Launching Clean Access Agent (Oct 2005)
• CCA on NAC Framework (TBD)
Slide 27
THANK YOU.