ProCurve Access Control Solution 2

Transcription

IT-Symposium 2007, 18.04.2007
Slide 1: ProCurve Access Control Solution 2.0
Holger Hasenaug, Technical Consultant, HP ProCurve Networking, CCIE #6343
© 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Slide 2: Agenda – Comprehensive and Manageable Access Control
- Customer Needs
- ProCurve Access Control Today and Tomorrow
- ProCurve Identity Driven Manager Demo
- ProCurve Network Access Controller 800
- Flexible Deployment Options
- Summary

www.hp-user-society.de

Slide 3: Security Issues are Here to Stay
- Vulnerabilities and incidents continue to rise
- The increasingly mobile workforce and the need for collaboration compound the problem
- The costs to demonstrate business accountability continue to mount

Slide 4: The Great Compromise
[Diagram: two axes, "Performance and Ease of Operation" (Better ROI, Lower TCO) against "Security" (Lower Risk, High Availability). Corners: The Insecure Network, The Unusable Network, and the goal, The Always-On Transparent Trusted Network.]

Slide 5: What Organizations Need to do Today
- Provide network access control
- Detect and respond to virus attacks from outside and inside the network
- Provide an automated network response to security attacks
- Understand and demonstrate regulatory compliance
- Deploy easy-to-use security solutions that are standards based, and reliable
More Security with Less Complexity

Slide 6: Security Process Infrastructure
[Diagram: security process cycle with the stages Detect and Respond.]

Slide 7: The Edge is the Enforcement Point
- The first point of attachment is the optimal position to enforce policy and detect anomalies
- Emerging distributed applications benefit from special treatment at the point of entry
- Command from the center, control to the edge: the ProCurve Adaptive Edge Architecture
[Diagram: servers and the Internet behind the core ("command from the center"), an intelligent edge with per-port distributed processors, wired and wireless clients attached at the edge.]

Slide 8: Network Access Security – User Experience
The network administrator:
1. Sets up role based access policy groups and assigns rules and access profiles:
   - Rules that trigger each policy: enterprise time, LAN location, device ID, client integrity status
   - Access profile: ACL, VLAN, QoS, bandwidth limit, anti-virus remediation
2. Puts users in the appropriate access policy group
[Diagram: edge switch, access policy server, corporate server, Internet. A guest in the conference room gets access only to the Internet at 2 Mbps; a compliant employee gets access to the Internet and corporate servers.]

Slide 9: Network Access Security – User Experience (cont.)
Same policy setup as slide 8; the resulting access per user:
- Guest in the conference room: access only to the Internet at 2 Mbps
- Employee: access to the Internet and corporate servers
- Compliant employee in the conference room: access to the Internet and corporate servers

Slide 10: Today's ProCurve Access Control Solution – Adaptive Access Control Solution
[Diagram of the components:]
- Edge switch (a ProCurve Switch 5304xl, J4850A, is pictured) acting as 802.1X Authenticator and Policy Enforcement Point (PEP); it also handles Web-Auth (HTTP request) and MAC Authentication
- RADIUS Server
- Authentication Directory: Active Directory or LDAP
- IDM Agent
- PCM / IDM Server on the Network Management Server
Legend: ProCurve-owned components versus 3rd-party software.
Supported in ProCurve edge devices: 5300 / 5400 / 3400 / 3500, 4100 / 4200, 2600 / 2600-PWR / 2800, 2500, 420 / 530 / WESM
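The two administrator steps on slides 8 and 9 (define access policy groups whose rules trigger an access profile, then place users in groups) as an added example in Python. This is illustration code written for this transcription, not IDM's or ProCurve's own software. The group names, user names, ACL names, the phone OUI 00:1a:2b, remediation VLAN 99 and the time windows are assumptions; VLANs 3, 5 and 6 follow the example network on slide 14. The VLAN is returned as the RFC 3580 tunnel attributes an 802.1X authenticator uses for dynamic VLAN assignment; ACL, QoS and rate limit travel as vendor-specific attributes whose HP names the slides do not give, so they are kept symbolic.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class AccessProfile:
    """What the policy server pushes to the edge port once a rule fires."""
    vlan: int
    acl: str                # name of an ACL on the edge switch (names assumed)
    qos_priority: int       # 802.1p priority
    bw_limit_kbps: int = 0  # 0 = no rate limit


@dataclass(frozen=True)
class Rule:
    """Fires when every condition that is set matches the request."""
    profile: AccessProfile
    locations: Optional[frozenset] = None    # LAN location: edge switch names
    device_ouis: Optional[frozenset] = None  # device ID: first three MAC octets
    integrity: Optional[frozenset] = None    # client integrity status values
    start: Optional[time] = None             # enterprise-time window, inclusive
    end: Optional[time] = None

    def matches(self, req: dict) -> bool:
        if self.locations is not None and req["location"] not in self.locations:
            return False
        if self.device_ouis is not None and req["mac"][:8].lower() not in self.device_ouis:
            return False
        if self.integrity is not None and req["integrity"] not in self.integrity:
            return False
        if self.start is not None and not (self.start <= req["when"].time() <= self.end):
            return False
        return True


# Access profiles (VLAN 99, ACL names and QoS values are assumptions).
CORP = AccessProfile(vlan=3, acl="corp-and-internet", qos_priority=4)
GUEST = AccessProfile(vlan=5, acl="internet-only", qos_priority=0, bw_limit_kbps=2000)
REMEDIATION = AccessProfile(vlan=99, acl="remediation-servers-only", qos_priority=0,
                            bw_limit_kbps=1000)
PHONE = AccessProfile(vlan=6, acl="voice", qos_priority=6)

# Step 1: access policy groups. Rules are ordered, the first match wins, and a
# group with no matching rule yields an Access-Reject (default deny).
POLICY_GROUPS = {
    "Employees": [
        Rule(REMEDIATION, integrity=frozenset({"failed", "unknown"})),
        Rule(CORP, integrity=frozenset({"passed"}), start=time(6, 0), end=time(22, 0)),
    ],
    "Guests": [
        Rule(GUEST, locations=frozenset({"conference-room-switch"}),
             start=time(8, 0), end=time(18, 0)),
    ],
    "IP-Phones": [
        Rule(PHONE, device_ouis=frozenset({"00:1a:2b"})),  # hypothetical phone OUI
    ],
}

# Step 2: users (and MAC-authenticated devices) placed into policy groups.
USER_GROUPS = {"alice": "Employees", "guest-4711": "Guests",
               "00:1a:2b:00:00:01": "IP-Phones"}


def to_radius(p: AccessProfile) -> dict:
    """Render a profile as the attributes of a RADIUS Access-Accept."""
    return {
        "code": "Access-Accept",
        "Tunnel-Type": 13,        # RFC 3580: VLAN
        "Tunnel-Medium-Type": 6,  # RFC 3580: IEEE-802
        "Tunnel-Private-Group-ID": str(p.vlan),
        # HP vendor-specific attribute names are not on the slides: kept symbolic.
        "vendor-specific": {"acl": p.acl, "qos-priority": p.qos_priority,
                            "bw-limit-kbps": p.bw_limit_kbps},
    }


def evaluate(identity: str, req: dict) -> dict:
    """Decide the RADIUS reply for an authenticated identity and its context."""
    for rule in POLICY_GROUPS.get(USER_GROUPS.get(identity), []):
        if rule.matches(req):
            return to_radius(rule.profile)
    return {"code": "Access-Reject"}


def demo(identity: str, integrity: str, location: str = "conference-room-switch",
         mac: str = "00:50:56:aa:bb:cc", hour: int = 10) -> dict:
    """Evaluate a constructed request on the symposium date at the given hour."""
    return evaluate(identity, {"location": location, "mac": mac,
                               "integrity": integrity,
                               "when": datetime(2007, 4, 18, hour, 0)})


if __name__ == "__main__":
    print(demo("guest-4711", "unknown"))   # guest: VLAN 5, 2000 kbit/s limit
    print(demo("alice", "passed"))         # compliant employee: VLAN 3
```

Order matters in the "Employees" group: the remediation rule is listed first so that a failed or unknown integrity status always wins over the time-of-day rule, and an identity that is in no group, or whose group has no matching rule, is rejected rather than dropped into a default VLAN.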

Slide 11: Client Authentication Possibilities
Three methods to authenticate at the "edge":
- IEEE 802.1X: using 802.1X client software
- Web Authentication: using a web browser only
- MAC Authentication: no client software required; the device's MAC address is sent

Slide 12: ProCurve Access Control Solution 2.0 – Identity Driven Manager (IDM) and ProCurve Network Access Controller 800
Endpoint tests for endpoint integrity (EI):
- operating system versions and updates
- anti-virus and anti-spyware software
- required or prohibited software
- and more
[Diagram: any 802.1X client with an on-demand Endpoint Integrity Agent; the edge switch (a ProCurve Switch 5304xl, J4850A, is pictured) as 802.1X Authenticator and Policy Enforcement Point (PEP), also handling MAC-Auth (MAC address) and Web-Auth (HTTP request); the Network Access Controller 800 holding the policy definitions; RADIUS Server; Authentication Directory (Active Directory, eDirectory, LDAP); IDM Agent; PCM / IDM Server on the Network Management Server (ProCurve owned).]

Slide 13: Identity Driven Manager
- Allows easy creation and management of user policy groups for optimizing network performance and increasing user productivity
- Dynamically apply security, access and performance settings at port level based on policies
- IDM adds network reports and logs based on users for audit
[Diagram: settings set based on ID, e.g. QoS and client integrity status.]

Slide 14: Identity Driven Manager example
[Diagram: a ProCurve Switch 3500yl connecting the following.]
Servers: development server (.101), network admin server (.102), HR server, further hosts (.103, .104, .100), Active Directory, RADIUS server, Internet proxy, IDM server.
VLANs:
- VLAN 2: 2.2.2.0/24 (HR department)
- VLAN 3: 3.3.3.0/24 (Development)
- VLAN 4: 4.4.4.0/24 (Network admins)
- VLAN 5: 5.5.5.0/24 (Guest – Internet)
- VLAN 6: 6.6.6.0/24 (IP telephony)
Port assignment:
- Ports 1-4: web authentication (reception and meeting rooms; guests get Internet access only)
- Ports 5-8, 9-12 and 13-16: 802.1X authentication (HR department and Development, 1st and 2nd floor)
- Ports 17 and 18: MAC authentication (printers)

Slide 15: What's New in Identity Driven Manager v2.2
Manageable Access Control:
- Secure Access Wizard
- Dynamic Active Directory Synchronization
- Management and Monitoring of the ProCurve NAC appliance
Comprehensive Access Control:
- Unified Access Control: wireless access enhancements

Slide 16: What's New – ProCurve Network Access Controller 800
Manageable Access Control:
- Access Control in an appliance
- Manageable by PCM / IDM management server
Comprehensive Access Control:
- Endpoint integrity assessment
- Flexible deployment modes:
  - RADIUS Authentication (802.1X, WebAuth, MACAuth): the most secure access control
  - In-Line: effective for remote access clients
  - DHCP: endpoint integrity validation for non-802.1X networks

Slide 17: Network Access Control Appliance
Simplifies deployment by integrating many components of the access control solution into a network appliance:
- Network rack-mountable: 1U and shallow-depth
- Authentication service (RADIUS)
- IDM agent for adaptive network access policies
- Local Authentication Directory
- Endpoint integrity assessment
  - Automatic updates for integrity rules, security checks, etc.
- Manageable by the PCM / IDM management server

Slide 18: Endpoint Integrity Checks
- Antivirus, spyware, firewalls, peer-to-peer, allowed and prohibited programs and services
- OS versions, service packs, hotfixes
- Security settings for browsers and applications
New tests developed and delivered regularly

Slide 19: Endpoint Integrity Tests
Operating systems: Service Packs; Windows 2000 hotfixes; Windows Server 2003 SP1 hotfixes; Windows Server 2003 hotfixes; Windows XP SP2 hotfixes; Windows XP hotfixes; Windows automatic updates
Browser security policy: IE internet security zone; IE local intranet security zone; IE restricted site security zone; IE trusted site security zone; IE version
Security settings: MS Excel macros; MS Outlook macros; MS Word macros; Services not allowed; Services required; Windows Bridge Network Connection; Windows security policy; Windows startup registry entries allowed
Personal firewalls: AOL Security Edition; BlackICE Firewall; Computer Associates EZ Firewall; Internet Connection Firewall (pre XP SP2); McAfee Personal Firewall; Panda Internet Security; F-Secure Personal Firewall; Norton Personal Firewall / Internet Security; Sygate Personal Firewall; Symantec Client Firewall; Tiny Personal Firewall; Trend Micro Personal Firewall; ZoneAlarm Personal Firewall; Senforce Advanced Firewall; Windows Firewall
MS Office version check: Microsoft Office XP; Microsoft Office 2003; Microsoft Office 2000
Prohibited software: administrator defined
P2P and instant messaging: Trillian; Altnet; AOL Instant Messenger; Turbo IRC; Visual IRC; BitTorrent; XFire; Chainsaw; Yahoo! Messenger; Chatbot; DICE; dIRC; Gator; Hotline Connect Client; IceChat IRC client; ICQ Pro; IRCXpro; Kazaa; Kazaa Lite K++; NexIRC; Not Only Two; P2PNet.net; PerfectNav; savIRC
Required software: administrator defined

Slide 20: Endpoint Integrity Checks
Anti-virus: NOD32 AntiVirus; AVG AntiVirus Free Edition; Computer Associates eTrust AntiVirus; Computer Associates eTrust EZ AntiVirus; F-Secure AntiVirus; Kaspersky AntiVirus for FileServers; Kaspersky AntiVirus for Workstations; McAfee VirusScan; McAfee Managed VirusScan; McAfee Enterprise VirusScan; McAfee Internet Security Suite 8.0; Norton Internet Security; Trend Micro AntiVirus; Trend Micro OfficeScan Corporate Edition; Sophos AntiVirus; Panda Internet Security; Symantec Corporate Edition
Anti-spyware: Ad-Aware SE Personal; Ad-Aware Plus; Ad-Aware Professional; CounterSpy; McAfee AntiSpyware; Pest Patrol; Spyware Eliminator; Webroot Spy Sweeper; Windows Defender
Spyware, worms and viruses: W32.HLLW.Doomjuice.B; W32.HLLW.Lovgate; W32.Sober.O; W32.Sober.Z; W32.Welchia.Worm; W32.Zotob.E
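The kind of endpoint integrity test run that slides 18 to 20 catalogue, as an added example in Python. This is illustration code written for this transcription, not the NAC 800's test engine. The product names come from the slides; which products an administrator approves, the hotfix IDs (KB000001, KB000002), the service names, the signature-age limit, the required "Corporate Backup Agent" and both endpoint inventories are constructed for the example.

```python
from datetime import date

# Product names are taken from the NAC 800 test catalogue on slides 19-20.
# Which of them count as approved is local policy, chosen here for the example.
APPROVED_ANTIVIRUS = {"McAfee VirusScan", "Sophos AntiVirus", "NOD32 AntiVirus",
                      "Trend Micro OfficeScan Corporate Edition"}
APPROVED_FIREWALLS = {"Windows Firewall", "ZoneAlarm Personal Firewall",
                      "Symantec Client Firewall"}
PROHIBITED_SOFTWARE = {"Kazaa", "Kazaa Lite K++", "BitTorrent", "Gator",
                       "AOL Instant Messenger", "Yahoo! Messenger", "ICQ Pro"}
REQUIRED_SOFTWARE = {"Corporate Backup Agent"}       # administrator defined (assumed)
PROHIBITED_SERVICES = {"TlntSvr", "RemoteRegistry"}  # assumed service names
REQUIRED_SERVICES = {"wuauserv"}                     # Windows automatic updates
REQUIRED_SERVICE_PACK = {"Windows XP": 2, "Windows Server 2003": 1, "Windows 2000": 4}
REQUIRED_HOTFIXES = {"Windows XP": {"KB000001", "KB000002"}}  # hypothetical IDs
MAX_SIGNATURE_AGE_DAYS = 3
MACRO_LEVELS = {"Low": 0, "Medium": 1, "High": 2, "Very High": 3}


def run_tests(ep: dict, today: date) -> dict:
    """Run each integrity test on an endpoint inventory; return {test: (passed, detail)}."""
    os_name = ep["os"]
    r = {}
    need_sp = REQUIRED_SERVICE_PACK.get(os_name, 0)
    r["service pack"] = (ep["service_pack"] >= need_sp,
                         f"{os_name} SP{ep['service_pack']}, need SP{need_sp}")
    missing = REQUIRED_HOTFIXES.get(os_name, set()) - set(ep["hotfixes"])
    r["hotfixes"] = (not missing, f"missing {sorted(missing)}")
    av = ep.get("antivirus")
    r["anti-virus product"] = (av is not None and av["product"] in APPROVED_ANTIVIRUS,
                               f"product {av['product'] if av else None}")
    age = (today - av["signatures"]).days if av else None
    r["anti-virus signatures"] = (age is not None and age <= MAX_SIGNATURE_AGE_DAYS,
                                  f"signature age {age} days")
    fw = ep.get("firewall")
    r["personal firewall"] = (fw is not None and fw["enabled"]
                              and fw["product"] in APPROVED_FIREWALLS,
                              f"firewall {fw}")
    found = PROHIBITED_SOFTWARE & set(ep["software"])
    r["prohibited software"] = (not found, f"found {sorted(found)}")
    lacking = REQUIRED_SOFTWARE - set(ep["software"])
    r["required software"] = (not lacking, f"lacking {sorted(lacking)}")
    running = set(ep["services"])
    bad = PROHIBITED_SERVICES & running
    r["services not allowed"] = (not bad, f"running {sorted(bad)}")
    absent = REQUIRED_SERVICES - running
    r["services required"] = (not absent, f"not running {sorted(absent)}")
    r["network bridge"] = (not ep["network_bridge"], "Windows network bridge present")
    level = ep["office_macro_security"]
    r["office macro security"] = (MACRO_LEVELS[level] >= MACRO_LEVELS["High"],
                                  f"macro security {level}, need High or better")
    return r


def verdict(results: dict) -> tuple:
    """(compliant, sorted list of failed test names)."""
    failed = sorted(name for name, (ok, _) in results.items() if not ok)
    return (not failed, failed)


# Constructed inventories, as an agent or agentless scan would report them.
TODAY = date(2007, 4, 18)
COMPLIANT = {
    "os": "Windows XP", "service_pack": 2,
    "hotfixes": ["KB000001", "KB000002", "KB000003"],
    "antivirus": {"product": "Sophos AntiVirus", "signatures": date(2007, 4, 17)},
    "firewall": {"product": "Windows Firewall", "enabled": True},
    "software": ["Microsoft Office 2003", "Corporate Backup Agent"],
    "services": ["wuauserv", "Spooler"],
    "network_bridge": False, "office_macro_security": "High",
}
NONCOMPLIANT = {
    "os": "Windows XP", "service_pack": 2, "hotfixes": ["KB000001"],
    "antivirus": {"product": "Sophos AntiVirus", "signatures": date(2007, 3, 1)},
    "firewall": {"product": "Windows Firewall", "enabled": False},
    "software": ["Kazaa", "Corporate Backup Agent"],
    "services": ["wuauserv", "RemoteRegistry"],
    "network_bridge": True, "office_macro_security": "Low",
}

if __name__ == "__main__":
    for name, ep in (("compliant", COMPLIANT), ("non-compliant", NONCOMPLIANT)):
        ok, failed = verdict(run_tests(ep, TODAY))
        print(name, "passed" if ok else f"failed: {failed}")
```

Each test reports a detail string next to its verdict; that detail is what a remediation page on the quarantine VLAN would show the user, and what the audit log needs to explain why a port landed on the remediation VLAN.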

Slide 21: Pre-Connect NAC
Testing an endpoint device to ensure compliance prior to the endpoint being granted regular access on the network:
1. No regular network access
2. Test endpoint
3. Endpoint compliant
4. Regular network access

Slide 22: Post-Connect NAC
Network access control where the endpoint device is periodically tested after network access has been granted:
- Upon determination of endpoint non-compliance the endpoint device is quarantined for remediation
1. Regular network access
2. Test endpoint
3. Endpoint not compliant
4. Quarantined for remediation

Slide 23: ProCurve NAC 800 – Endpoint Integrity Testing Methods
Methods by which an endpoint can be accessed for the purposes of testing:
- Agent-based Permanent: agent software is installed on each endpoint and is always available for testing
- Agent-based Transient: an agent is downloaded temporarily to the endpoint as required
- Agentless: uses native applications to provide agent functions

Slide 24: ProCurve NAC 800 Deployment Models – RADIUS Enforcement
[Diagram: endpoint attached to a port-secured edge device, ProCurve NAC 800 behind it.]
Solution features:
- Access to network is controlled by port security devices (802.1X / MACAuth) on the edge
- ProCurve NAC enforces endpoint integrity validation of clients
- ProCurve Identity Driven Manager applies Adaptive Network Access policies

Slide 25: ProCurve NAC 800 Deployment Models – Inline Mode for Remote Access
[Diagram: remote client, Internet, VPN and RAS, ProCurve NAC 800 inline in front of the corporate network.]
Solution features:
- Access to network is controlled inline through address filtering by ProCurve NAC
- ProCurve NAC enforces endpoint integrity validation of remote clients

Slide 26: ProCurve NAC 800 Deployment Models – DHCP Enforcement
[Diagram: endpoint, DHCP server, ProCurve NAC 800, corporate network.]
Solution features:
- Access to network is controlled via DHCP management by ProCurve NAC
- ProCurve NAC enforces endpoint integrity validation of DHCP clients

Speaker note on slide 25 (k5): This is an alternate view for the previous slide on "InLine Mode for Remote Access". This version removes the firewall, which is common, but not required. This allows for a larger version of the ProCurve NAC product. (kevin porter, 2/7/2007)

Slide 27: IDM + ProCurve NAC 800 + EI Agents – Adaptive Access Control with Endpoint Integrity
For organizations who want a complete Access Control solution:
- Authenticated users: protects the network from unauthorized users and devices
- Adaptive network access rights: provides appropriate network access based on business policies for the user
- Endpoint Integrity: protects the network from harmful systems and enforces system software requirements
- Ease of deployment and management: enables businesses to implement an effective NAC solution today

Slide 28: IDM and ProCurve NAC Use Models – Adaptive Network Access with Endpoint Integrity
[Diagram: PCM/IDM Server, ProCurve NAC 800 with ProCurve NAC Agent licenses, ProCurve Adaptive Edge Devices, a Corporate VLAN and a Remediation VLAN. Endpoint outcomes: Passed = connected to Corporate VLAN; Unknown = on Remediation VLAN to be tested; Failed = on Remediation VLAN, will be retested at next authentication.]
- Solution includes: IDM, ProCurve NAC 800, and ProCurve NAC EI Agent Licenses
- Remediation VLAN configured on all secured edge ports, in addition to all other company VLANs used
- Clients authenticate via 802.1X, and are placed on a VLAN based on EI status:
  - Corporate VLAN if they have recently passed EI testing
  - Remediation VLAN if they are Unknown; they will be tested now and reauthenticated if they pass the EI test
  - Remediation VLAN if they fail EI testing
- IDM also sets ACLs, QoS, and bandwidth limits based on access policy
- Works for both wired and wireless ProCurve edge devices

Slide 29: IDM + ProCurve NAC 800 – Adaptive Access Control
For organizations who want to control network users and provide adaptive network access:
- Authenticated users: protects the network from unauthorized users and devices
- Adaptive network access rights: provides appropriate network access based on business policies for the user
- Ease of deployment and management: enables businesses to implement an effective NAC solution today

Slide 30: IDM and ProCurve NAC Use Models – Adaptive Network Access
[Diagram: PCM/IDM Server, ProCurve NAC 800, ProCurve Adaptive Edge Devices, and a Faculty VLAN, Student VLAN, Guest VLAN and Management VLAN. A faculty member is connected to the Faculty VLAN, a student to the Student VLAN, a guest to the Guest VLAN.]
- Solution includes IDM and ProCurve NAC 800
- Clients authenticate via 802.1X, and are placed on a VLAN based on the IDM Access Policy
  - The IDM access policy can also set ACLs, QoS, and bandwidth limits
- Works for both wired and wireless ProCurve edge devices

Slide 31: ProCurve NAC 800 + EI Agents – Access Control with Endpoint Integrity
For organizations who want to enforce system software requirements and protect their network from harmful systems:
- Endpoint Integrity: protects the network from harmful systems and enforces system software requirements
- Authenticated users: protects the network from unauthorized users and devices
- Ease of deployment and management: enables businesses to implement an effective NAC solution today

Slide 32: ProCurve NAC 800 + EI Agents – Access Control with Endpoint Integrity
[Diagram: ProCurve NAC 800 with ProCurve NAC Agent licenses, ProCurve Adaptive Edge Devices, a Corporate VLAN and a Remediation VLAN. Endpoint outcomes: Passed = connected to Corporate VLAN; Unknown = on Remediation VLAN to be tested; Failed = on Remediation VLAN, will be retested at next authentication.]
- Solution includes: IDM, ProCurve NAC 800, and ProCurve NAC EI Agent Licenses
- Remediation VLAN configured on all secured edge ports, in addition to all other company VLANs used
- Clients authenticate via 802.1X, and are placed on a VLAN based on EI status:
  - Corporate VLAN if they have recently passed EI testing
  - Remediation VLAN if they are Unknown; they will be tested now and reauthenticated if they pass the EI test
  - Remediation VLAN if they fail EI testing
- Works for both wired and wireless ProCurve edge devices
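The pre-connect and post-connect flows of slides 21 and 22 and the Passed / Unknown / Failed VLAN placement of slides 28 and 32, as one added example in Python. This is illustration code written for this transcription, not the NAC 800's or IDM's software. It assumes VLAN 3 as the corporate VLAN (from the slide 14 network), VLAN 99 as the remediation VLAN, an eight-hour window for what counts as "recently passed", and a single constructed endpoint MAC; the slides state none of those values.

```python
from datetime import datetime, timedelta

CORPORATE_VLAN = 3                   # example network on slide 14
REMEDIATION_VLAN = 99                # assumption
PASS_VALIDITY = timedelta(hours=8)   # how long a pass counts as "recent" (assumption)


class EndpointIntegrityController:
    """Tracks EI status per endpoint and decides VLAN placement at
    authentication time (pre-connect) and on periodic re-tests (post-connect)."""

    def __init__(self):
        # mac -> {"status": unknown|passed|failed, "passed_at": datetime|None, "vlan": int|None}
        self.state = {}

    def _entry(self, mac: str) -> dict:
        return self.state.setdefault(mac, {"status": "unknown", "passed_at": None, "vlan": None})

    def on_authenticate(self, mac: str, now: datetime) -> dict:
        """802.1X authentication succeeded for `mac`: choose the VLAN and decide
        whether an EI test has to run now."""
        e = self._entry(mac)
        recently_passed = (e["status"] == "passed" and e["passed_at"] is not None
                           and now - e["passed_at"] <= PASS_VALIDITY)
        if recently_passed:
            e["vlan"] = CORPORATE_VLAN
            return {"vlan": CORPORATE_VLAN, "test_now": False}
        # Unknown, failed, or a pass that has aged out: quarantine and (re)test.
        e["vlan"] = REMEDIATION_VLAN
        return {"vlan": REMEDIATION_VLAN, "test_now": True}

    def on_test_result(self, mac: str, passed: bool, now: datetime) -> dict:
        """Pre-connect test result for an endpoint sitting on the remediation VLAN.
        A pass triggers re-authentication so the port moves to the corporate VLAN;
        a fail leaves it on the remediation VLAN until its next authentication."""
        e = self._entry(mac)
        if passed:
            e["status"], e["passed_at"] = "passed", now
            return {"action": "reauthenticate"}
        e["status"] = "failed"
        return {"action": "remediate"}

    def on_periodic_test(self, mac: str, passed: bool, now: datetime) -> dict:
        """Post-connect test of an endpoint that already has regular access.
        A failure quarantines it for remediation."""
        e = self._entry(mac)
        if passed:
            e["status"], e["passed_at"] = "passed", now
            return {"action": "none", "vlan": e["vlan"]}
        e["status"] = "failed"
        e["vlan"] = REMEDIATION_VLAN
        return {"action": "quarantine", "vlan": REMEDIATION_VLAN}


def walkthrough() -> dict:
    """Scripted timeline for one constructed endpoint; returns every decision."""
    ctl = EndpointIntegrityController()
    mac = "00:50:56:aa:bb:cc"
    t = datetime(2007, 4, 18, 9, 0)
    out = {}
    out["first_auth"] = ctl.on_authenticate(mac, t)                     # unknown
    out["test_fail"] = ctl.on_test_result(mac, False, t + timedelta(minutes=2))
    out["auth_after_fail"] = ctl.on_authenticate(mac, t + timedelta(minutes=5))
    out["test_pass"] = ctl.on_test_result(mac, True, t + timedelta(minutes=7))
    out["auth_after_pass"] = ctl.on_authenticate(mac, t + timedelta(minutes=8))
    out["periodic_fail"] = ctl.on_periodic_test(mac, False, t + timedelta(hours=2))
    out["auth_after_quarantine"] = ctl.on_authenticate(mac, t + timedelta(hours=2, minutes=1))
    out["test_pass_again"] = ctl.on_test_result(mac, True, t + timedelta(hours=2, minutes=3))
    out["auth_expired"] = ctl.on_authenticate(mac, t + timedelta(hours=11))  # pass aged out
    return out


if __name__ == "__main__":
    for step, decision in walkthrough().items():
        print(f"{step:22} {decision}")
```

The "reauthenticate" action is the only way a port leaves the remediation VLAN in this model: the switch assigns the VLAN at authentication time, so the controller has to make the supplicant re-authenticate (or force the port to) rather than re-tag the port itself. The expiry check is what keeps an endpoint that passed long ago from riding on a stale result.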

Slide 33: IDM and ProCurve NAC 800 Use Models – Enterprise with Remote Office
[Diagram: at the main enterprise site a PCM/IDM Server, a manager and several ProCurve NAC 800 appliances serving a Corporate VLAN and a Remediation VLAN; a further ProCurve NAC 800 at the remote office.]

Slide 34: ProCurve Access Control Solution – Layers of …
[Diagram, from top to bottom: IDM Reports; VLAN, ACL, QoS, Rate-limit; IDM Access Policy Rules; Endpoint Integrity; authentication by Web Browser, 802.1X supplicant or MAC, each with Endpoint Integrity.]

Slide 35: Summary
ProCurve provides a comprehensive and manageable Access Control solution to prevent untrusted network use on both campus and distributed sites:
- A deployable and manageable solution
- Suitable for current environments and extensible to future needs
- Protects network from harmful and infected systems
- Enforces business policies regarding network access rights
- Unified access control for LAN, WLAN, and WAN
The ProCurve Access Control solution helps administrators deploy secured network access based on business policy.
More Security with Less Complexity
