© 2004 Cisco Systems, Inc. All rights reserved.

KEEPING YOUR NETWORK CLEAN WITH CISCO CLEAN ACCESS (CCA)

Tom Leary – Southeast Sales Specialist
tleary@cisco.com

Tom Blodgett – SE


Agenda

• Education Challenges

• Cisco = Security

• Clean Access Overview

• Roadmap

• Demo


Challenges in Education

• Diverse User Community: Students, Staff, Visiting Professors, Conference Attendees

• Balance: Network Security / Core Academic Values

• Pain Points:

– Helpdesk

– Network down time and crashes due to unmanaged user systems

– No effective method of enforcing network policy

• Liability: Criminal and Civil

“Colleges have a well deserved reputation for lax security. As a result they risk increased insurance costs and expensive lawsuits.” - Michael McRobbie - VP of IT, Indiana University


Challenges in Education

• Spiking: Fall/Spring/Winter Semester

• Assets: Medical information; SS#’s

• Network: Wireless and Wireline

• Cost: One virus/worm incident costs $100,000* (*Source: ICSA 2003 Annual Virus Survey)

• Sources of infection can come from:

– Unmanaged student laptops

– Visiting scholars and guests

– Conference attendees


Education Customer Sampling

• 2 Million end users on CCA protected networks

• Over 400 education customers deployed

• Considered “de facto” solution among higher education for network admission control


Cisco is Committed to Security

Last year, we spent $300M in just security R&D… 10% of our R&D budget. ($300M is more than all of the other security vendors, combined.)

We’ve acquired seven security companies since 2002.

All of that technology has made it to the street in short order (Psionics/CTR, Okena/CSA, Twingo, Riverhead/Guard-Detector, Perfigo, Protego).

We are the number one vendor, no matter how you slice it, in firewalls, intrusion detection, and VPN.

We have a long-term vision that is keeping us relevant and on-track (End-point security, Active-X Defense System, Self-Defending Network Initiative).


Security Acquisitions

• Airespace, Inc – Wireless (management and NIDS) – Jan 2005

• Protego – Security Alert Processing – Dec 2004

• Perfigo – Cisco Clean Access – Oct 2004

• Riverhead – Cisco Guard/Detector – Mar 2004

• Twingo – SSL (Clientless) VPN – Mar 2004 (Twelve in 2004)

• Okena – Cisco Security Agent – Jan 2003 (Four in 2003)

• Psionics – Cisco Threat Response – Oct 2002 (Five in 2002)

• Allegro Systems – VPN Acceleration – Jul 2001 (Two in 2001)

• Arrowpoint – Content Acceleration – May 2000

• Altiga – Remote Access VPN – Jan 2000

• Compatible Systems – Service Provider VPN – Jan 2000 (Twenty-three in 2000)

• The Wheel Group in 1998


Network Security

Do you have a security policy in place?

Are you enforcing your security policy company wide?

Will your existing networking infrastructure allow you to provide threat defense and enforce your security policy?

Does your security strategy consider desktop to Internet access protection with unified management?

Do you have sufficient control over end users’ desktops and laptops?

Are you currently able to protect against and identify network threats that disrupt your business?


Self-Defending Network Strategy

Cisco strategy to dramatically improve the network’s ability to identify, prevent, and adapt to threats.

SDN Foundations

SYSTEM LEVEL SOLUTIONS

• Endpoints

• Network

• Services

• Partnerships

CONTINUOUS TECHNOLOGY INNOVATION

• Endpoint Security

• Application Firewall

• SSL VPN

• Network Anomaly Detection

INTEGRATED SECURITY

• Secure Connectivity

• Threat Defense

• Trust & Identity


Cisco NAC Umbrella: Two Models

NAC FRAMEWORK (Traditional Cisco NAC)

• Sold through NAC-enabled products

• Integrated solution leveraging Cisco network and vendor products

NAC APPLIANCE (Leverages Cisco Clean Access)

• Sold as virtual or integrated appliance

• Self-contained product integrates but does not rely on partners

• Offers customers a deployment timeframe choice

• Adapts to customers’ investment protection requirements

PRODUCT OVERVIEW


What Does Clean Access Do?

Before allowing users onto the network, whether it’s a wired or wireless network, Clean Access:

• RECOGNIZES: users, device, and role (guest, employee, contractor)

• EVALUATES: identifies vulnerabilities on devices

• ENFORCES: eliminates vulnerabilities before network access


Key Cisco Clean Access Features

• Role-based authentication

– Clean Access Server enforces authorization policies and privileges

– Supports multiple user roles (e.g. guests, employees, and contractors)

• Scans for security requirements

– Agent scan for required versions of Hotfixes, AV, and other software

– Network scan for virus and worm infections

– Network scan for port vulnerabilities

• Network quarantine

– Isolate non-compliant machines from rest of network

– MAC & IP-based quarantine effective at a per-user level

• Repair and update

– Network-based tools for vulnerability and threat remediation

– Help-desk Integration

All-in-one policy compliance and remediation solution


Cisco Clean Access Components

• Cisco Clean Access Server

– Formerly CleanMachines SmartServer

– Serves as an inline or out-of-band device for network access control

• Cisco Clean Access Manager

– Formerly CleanMachines SmartManager

– Centralizes management for administrators, support personnel, and operators

• Cisco Clean Access Agent

– Formerly CleanMachines SmartEnforcer

– Optional client for device-based registry scans in unmanaged environments


The Birds-Eye View: Cisco Clean Access

Diagram elements: end user, Cisco Clean Access Server, Cisco Clean Access Manager, Authentication Server, and the Intranet/Network (THE GOAL).

1. End User Attempts to Access a Web Page or Uses an Optional Client

• Network access is blocked until end user provides login information

2. User Is Redirected to a Login Page

• Clean Access validates username and password; also performs device and network scans to assess vulnerabilities on the device

3a. Quarantine Role: Device Is Non-Compliant or Login Is Incorrect

• User is denied access and assigned to a quarantine role with access to online remediation resources

3b. Device Is “Clean”

• Machine gets on “clean list” and is granted access to network


End User Experience: with Agent

• Login screen

• Scan is performed (types of checks depend on user role)

• Scan fails

• Remediate


End User Experience: Web-based

• Login screen

• Scan is performed (types of checks depend on user role/OS)

• Click-through remediation


Pre-Configured Clean Access Checks

• Critical Windows Update

– Windows XP, Windows 2000, Windows 98, Windows ME

• Symantec

– Norton AntiVirus 2005 v. 11.0.x

– Norton AntiVirus 2004 v. 10.x

– Norton AntiVirus 2004 Professional v. 10.x

– Norton Internet Security 2004

– Norton AntiVirus 2003 v. 9.x

– Norton AntiVirus 2003 Professional v. 9.x

– Norton AntiVirus 2002 Professional v. 8.x

– Norton AntiVirus Corporate Edition v. 7.x

– Symantec Internet Security 2005 Edition 8.0.x

– Symantec AntiVirus Scan Engine Edition 8.0.x

– Symantec AntiVirus Corporate Edition v. 9.x

– Symantec AntiVirus Corporate Edition v. 8.x

• Sophos

– Sophos Anti-Virus Enterprise v. 3.x

• McAfee

– McAfee VirusScan Enterprise v. 8.0i beta

– McAfee VirusScan Enterprise Edition v. 7.5

– McAfee VirusScan Enterprise Edition v. 7.1

– McAfee VirusScan Enterprise Edition v. 7.0

– McAfee VirusScan Enterprise Edition v. 4.5.x

– McAfee VirusScan Professional Edition v. 8.0.x

– McAfee VirusScan Professional Edition v. 7.x

– McAfee VirusScan ASaP

• Trend Micro

– Trend Micro Internet Security v. 12.x

– Trend Micro Internet Security v. 11.2

– Trend Micro Internet Security v. 11.0

– Trend Micro OfficeScan Corporate Edition v. 6.x

– Trend Micro OfficeScan Corporate Edition v. 5.x

– Trend Micro PC-Cillin 2004

– Trend Micro PC-Cillin 2003

• Cisco Systems

– Cisco Security Agent v. 4.x

Clean Access allows customers to add custom checks for other applications.


Pre-Configured Checks (cont’d)

• Computer Associates (eTrust)

– Computer Associates eTrust Antivirus v. 7.x

– Computer Associates eTrust EZ Antivirus v. 6.2.x

– Computer Associates eTrust EZ Antivirus v. 6.1.x

• F-Secure

– F-Secure Anti-Virus for Workstations TBYB 5.x

– F-Secure Anti-Virus Client Security 5.x

– F-Secure Anti-Virus 2004 5.x

• Panda

– Panda Titanium Anti-Virus 2004 v. 3.x

– Panda Anti-Virus Platinum v. 7.x

– Panda Anti-Virus Platinum v. 6.x

– Panda Internet Security Platinum v. 8.x

– Panda Anti-Virus Light v. 1.9x

• Kaspersky

– Kaspersky Anti-Virus Personal v. 5.x

– Kaspersky Anti-Virus Personal v. 4.x

– Kaspersky Anti-Virus Personal Pro v. 4.x

• Authentium

– Authentium Command Anti-Virus Enterprise 4.x

• SOFTWIN (BitDefender)

– BitDefender Free Edition v. 7.x

– BitDefender Standard/Professional Edition 7.x

– BitDefender Standard v. 8.0.x

– BitDefender Professional Plus v. 8.0.x

• Grisoft (AVG)

– AVG Antivirus v. 7.0

– AVG Antivirus v. 6.0

– AVG Antivirus v. 6.0 Free Edition

• Frisk Software International

– F-Prot Antivirus v. 3.x

• SalD

– DrWeb Antivirus v. 4.31b

• Eset

– NOD32 Antivirus system NT/2000/2003/XP 2.0

• Zone Labs

– ZoneAlarm with Antivirus v. 5.x


Inline Deployment Options

FEATURES:

• VLAN trunking support

• ~1 GB/sec throughput support

• Failover support

Diagram elements: Intranet, Border Router, Firewall, Core Switch, Switch, Authentication Server, CCA Manager. The CCA Server is shown in three alternative positions:

• Routed Central Deployment

• Bridged Central Deployment

• Edge Deployment


Multiple Deployment Options

Out-of-band: For high throughput environments, for deployment in

• Campus Environments

• Branch Offices

• Extranet environments

• Highly routed environments

Inline: Supports environments including

• Wireless

• Hubs

• Shared Media


CCA: User Access, Non-certified Machine

Diagram elements: Host with CCA Agent, Switch, CCA Manager, CCA Server, Network.

1. End user attaches host to network

2. Switch sends MAC address via SNMP-based alert to CCA Manager

3. CCA Manager decides whether host has been previously certified. If NO, CCA Manager instructs switch to put device on quarantine VLAN.

4. CCA Server acts as a gateway or bridge for the quarantine VLAN; it intercepts the device request and performs posture assessment and remediation

5. CCA Server certifies MAC address and forwards to CCA Manager

6. CCA Manager instructs switch to change to the appropriate VLAN

7. Host is granted access to network
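The out-of-band flow above, together with the login/scan/quarantine flow of the Birds-Eye View slide and the role-dependent checks of the feature slides, as an added Python simulation (not Cisco code): the manager keeps the certified-MAC "clean list" and drives the switch's VLAN, and the server runs a posture assessment against per-role requirements from inside the quarantine VLAN. The VLAN numbers, role requirements, hotfix names and the "ExampleAV" product are constructed assumptions.

```python
from dataclasses import dataclass

QUARANTINE_VLAN = 999   # constructed: isolated VLAN that the CCA Server bridges/routes
ACCESS_VLAN = 10        # constructed: production VLAN assigned once a MAC is certified

# Constructed role policies: the checks performed depend on the user's role, and the
# Agent scan covers required hotfixes and AV versions, as the slides describe.
ROLE_REQUIREMENTS = {
    "employee": {"hotfixes": {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}, "av_min": ("ExampleAV", (7, 0))},
    "guest":    {"hotfixes": set(),                            "av_min": ("ExampleAV", (6, 0))},
}

@dataclass
class Host:
    mac: str
    role: str
    hotfixes: set
    av_product: str
    av_version: tuple

def assess_posture(host: Host) -> list:
    """Step 4: CCA Server posture assessment. Returns the list of unmet checks."""
    req = ROLE_REQUIREMENTS[host.role]
    failures = [f"missing hotfix {kb}" for kb in sorted(req["hotfixes"] - host.hotfixes)]
    product, min_version = req["av_min"]
    if host.av_product != product or host.av_version < min_version:
        failures.append(f"AV {product} >= {'.'.join(map(str, min_version))} required")
    return failures

class CleanAccessManager:
    def __init__(self):
        self.certified = set()     # MACs that passed posture assessment (the "clean list")
        self.switch_vlan = {}      # constructed model of the VLAN the switch applies per MAC

    def on_link_up(self, mac: str) -> int:
        """Steps 2-3: switch reports the MAC via SNMP; manager checks certification."""
        vlan = ACCESS_VLAN if mac in self.certified else QUARANTINE_VLAN
        self.switch_vlan[mac] = vlan   # step 3 (quarantine) or step 6 (access)
        return vlan

    def certify(self, mac: str) -> int:
        """Steps 5-6: server certified the MAC; manager moves the port to the access VLAN."""
        self.certified.add(mac)
        self.switch_vlan[mac] = ACCESS_VLAN
        return ACCESS_VLAN

def admit(manager: CleanAccessManager, host: Host) -> dict:
    """Run the full flow for one host attaching to the network (step 1)."""
    vlan = manager.on_link_up(host.mac)
    if vlan == ACCESS_VLAN:                       # previously certified: no re-scan
        return {"vlan": vlan, "certified": True, "failures": []}
    failures = assess_posture(host)              # step 4, from inside the quarantine VLAN
    if failures:                                  # stays quarantined until remediated
        return {"vlan": QUARANTINE_VLAN, "certified": False, "failures": failures}
    return {"vlan": manager.certify(host.mac), "certified": True, "failures": []}
```

Note that certification is keyed to the MAC address alone, which is why the slide lists MAC- and IP-based quarantine as a per-user control: the certified list is the trust anchor, so its lifetime and re-assessment policy deserve as much attention as the checks themselves.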


CCA: Other Roadmap Items

• In-line L3 multi-hop support (Jul 2005)

• Remote Access support (Jul 2005)

• Wireless support for Airespace (avail now)

• Wireless support for VPN (avail now)

• Enhanced support for Anti-Spyware apps (Jul 2005)

• NAC Appliance for the commercial market (Sep 2005)

• Auto Launching Clean Access Agent (Oct 2005)

• CCA on NAC Framework (TBD)


THANK YOU.