procurve access control solution 2 · • antivirus, spyware, firewalls, peer-to-peer, allowed and...

IT-Symposium 2007 18.04.2007

www.hp-user-society.de 1

© 2004 Hewlett-Packard Development Company, L.P.The information contained herein is subject to change without notice.

ProCurve Access Control Solution 2.0

Holger Hasenaug, Technical ConsultantHP ProCurve NetworkingCCIE#6343

2

Agenda

Comprehensive and Manageable Access Control

• Customer Needs• ProCurve Access Control Today … And Tomorrow• ProCurve Identity Driven Manager + Demo• ProCurve Network Access Controller 800• Flexible Deployment Options• Summary

IT-Symposium 2007 18.04.2007


3

Security Issues are Here to Stay

• Vulnerabilities and incidents continue to rise

• The increasingly mobile workforce and the need forcollaboration compound theproblem

• The costs to demonstratebusiness accountabilitycontinue to mount

4

The Great Compromise

Performanceand

Ease of Operation

Better ROILower TCO

Security Lower RiskHigh Availability

The Always-OnTransparent

Trusted Network

TheUnusableNetwork

TheInsecureNetwork

IT-Symposium 2007 18.04.2007


5

What Organizations Need to do Today

• Provide network access control

• Detect and respond to virus attacks from outside and inside the network

• Provide an automated network response to security attacks

• Understand and demonstrateregulatory compliance

• Deploy easy-to-use security solutions that are standards-based, and reliable

More Security with Less Complexity

6

Security Process in Practice

Protect

DetectRespond

Trusted Network

Infrastructure

Policies Validation

IT-Symposium 2007 18.04.2007


7

The Edge is the Enforcement Point

The first point of attachment is the optimal position to enforce policy and detect anomalies

Emerging distributed applications benefit from special treatment at the point of entry

Command from the center, control to the edge – the ProCurve Adaptive Edge Architecture

IntelligentEDGE

COMMANDFROM THECENTER

Per-PortDistributed Processors

Clients

Servers

WirelessClients

Internet

Clients

8

Internet

Guest

Employee

Non-CompliantEmployee

Access only to Internetat 2 Mbps

EnterpriseLAN

Access toInternet andCorp Servers

Access only toAnti-Virus

remediationServer

EdgeSwitch

Anti-Virus remediationServer

CorporateServer

AccessPolicyServer

Conference Room

Conference Room

Network Access Security User Experience

NetworkAdministrator

1. Sets up role based access policy groups & assigns rules and access profiles:

• Set rules• Time • Location• Device ID• Client integrity status

• To trigger each policy profile

• ACL• VLAN• QoS• BW limit

2. Put users in appropriate access policy group

IT-Symposium 2007 18.04.2007


9

Network Access Security User Experience cont.

Internet

Guest

Employee

CompliantEmployee

Access only to Internetat 2 Mbps

EnterpriseLAN

EdgeSwitch

Anti-VirusServer

CorporateServer

AccessPolicyServer

Conference Room

Conference Room

Access toInternet and

Corp Servers

Access toInternet andCorp Servers

NetworkAdministrator

1. Sets up role based access policy groups & assigns rules and access profiles:

• Set rules• Time • Location• Device ID• Client integrity status

• To trigger each policy profile

• ACL• VLAN• QoS• BW limit

2. Put users in appropriate access policy group

10

Today’s ProCurve Access Control SolutionAdaptive Access Control Solution

802.1X Supplic

ant

802.1X Supplicant

802.1X Authenticator

Policy Enforcement Point (PEP)

Supported in ProCurve Edge Devices5300 / 5400 / 3400 / 3500

4100 / 42002600 / 2600-PWR / 2800

2500420 / 530 / WESM

RADIUSServer

IDM Agent

PCM / IDM Server

Power

Fault

switch 5304xlJ4850A Console

procurvehp

Reset Clear SelfTest

Use xl modules onlyLED Mode SelectAct FDx !Max

Status

Power ModulesFan1 2 B C D E F GA H

A

C D

B

AuthenticationDirectory

Active DirectoryLDAP

AuthenticationServer

Network Mgmt Server

ProCurveowned

MAC-Auth

Web-AuthMAC Address

HTTP Request

AuthenticationServer

3rd Party Software

IT-Symposium 2007 18.04.2007


11

no clientsoftware required –sends MAC address

Client Authentication Possibilities

Three methods to authenticate at the “edge”• IEEE 802.1X• Web Authentication• MAC Authentication

RADIUSServer

0008A2-1C99C6

using 802.1X client software

using webbrowser only

ProCurve IDM

12

ProCurve Access Control Solution 2.0Identity Driven Manager (IDM) andProCurve Network Access Controller 800

Any 802.1X Client

802.1X Authenticator

Policy Enforcement Point (PEP)

EI PolicyDefinitions

AuthenticationDirectory

Active DirectoryeDirectory

LDAP

RADIUS Server

IDM Agent

PCM / IDM Server

Network Mgmt Server

Endpoint Integrity Agent

Endpoin

t In

tegrity

Agen

t On-demand

ProCurveowned

Power

Fault

switch 5304xlJ4850A Console

procurvehp

Reset Clear SelfTest

Use xl modules onlyLED Mode SelectAct FDx !Max

Status

Power ModulesFan1 2 B C D E F GA H

A

C D

B

Endpoint tests for• operating systems versions and updates• anti-virus and anti-spyware software• required or prohibited software

And more …

Network Access Controller 800

MAC-Auth

Web-Auth

MAC Address

HTTP Request

IT-Symposium 2007 18.04.2007


13

Identity Driven Manager

• Allows easy creation and management of user policy groups for optimizing network performance and increasing user productivity

• Dynamically apply security, access and performance settings at port level based on policies

• IDM adds network reports and logs based on users for audit

VLAN BandwidthLimit

User/GroupTime

Location

QoSACLs

DeviceID

ClientIntegrity

Status

Set =>

Based on =>

14

Identity Driven Manager example

H P In n o v a tio n

ProC urve N et w orki ngP ro C u rv eS w itc h 3 5 0 0 y lJ8 6 9 2 A PoE

P o w e r

F a u lt

S tatus

LE DM ode

A ctFD x

S pdFan

Test

R P SE P S

P oE

Reset Clear

M dl

P oE

Tm p

U sr

D ual-P ersonality P ort 10/100/1000-T (T) or M ini-G B IC (M )off = 10M bps flash = 100M bps on = 1000M bpsSpd M ode

Use on

ly one

(T or

M) for

each

Port

P oE -Integrated 10/100/1000B ase-T P orts (1-24T) - P orts are IE E E A uto M D I/M D I-X

A u xiliary P o rt

Status of the Back

C onsole

Link Mode

Link Mode

Link Mode

Link Mode

Link Mode

Link ModeM

M

M

M

2 2

2 1

2 4

2 3

2 2

2 1

2 4

2 3

T

T

T

T

2 01 81 61 4

1 91 71 51 3

1 21 086

1 1975

42

31

Empfang

Nur Internet Zugriff

1. Stock

Personalabteilung + Entwicklung

Port 1-4Web auth.

Port 5-8802.1X auth.

Web auth

Benutzer:hperso (Personalabteilung)aeinstein (Entwicklung)hhasenau (Netzwerkadmin)gast1 (Gast)000c297837d7 (Drucker)

2. Stock

Entwicklung

Meetingräume

Gäste – Internet ZugriffPersonalabteilung +

Entwickung


Personalabteilungs-server

Entwicklungs-server Internet Proxy Active Directory

RADIUS Sever IDM Server

Port 18MAC auth.


VLAN 2: 2.2.2.0/24 (Personalabteilung)VLAN 3: 3.3.3.0/24 (Entwicklung)VLAN 4: 4.4.4.0/24 (Netzwerkadmins)VLAN 5: 5.5.5.0/24 (Gast - Internet)VLAN 6: 6.6.6.0/24 (IP Telefonie)

Port 17MAC auth.

.100.101 .102 .104.103

Netzwerkadmin-server

IT-Symposium 2007 18.04.2007


15

What’s New inIdentity Driven Manager v2.2

Manageable Access Control• Secure Access Wizard• Dynamic Active Directory Synchronization• Management and Monitoring of the ProCurve NAC appliance

Comprehensive Access Control• Unified Access Control – Wireless access enhancements

16

What’s NewProCurve Network Access Controller 800

Manageable Access Control• Access Control in an appliance• Manageable by PCM+ / IDM management server

Comprehensive Access Control• Endpoint integrity assessment• Flexible deployment modes

– RADIUS Authentication (802.1X, WebAuth, MACAuth): the most secure access control

– In-Line: effective for remote access clients– DHCP: endpoint integrity validation for non-802.1X networks

IT-Symposium 2007 18.04.2007


17

Network Access Control Appliance

Simplifies deployment by integrating many components of the access control solution into a network appliance

• Network rack-mountable: 1U and shallow-depth• Authentication service (RADIUS)• IDM agent for adaptive network access policies• Local Authentication Directory• Endpoint integrity assessment

– Automatic updates for integrity rules, security checks, etc.

• Manageable by the PCM+ / IDM management server

18

Endpoint Integrity Checks

• Antivirus, spyware, firewalls, peer-to-peer, allowed and prohibited programs and services

• OS versions, services packs, hotfixes

• Security settings for browsers and applications

New tests developed and delivered regularly

IT-Symposium 2007 18.04.2007


19

Endpoint Integrity Tests

Operating systems Service Packs Windows 2000 hotfixes Windows Server 2003 SP1 hotfixes Windows Server 2003 hotfixes Windows XP SP2 hotfixes Windows XP hotfixes Windows automatic updates

Browser security policy IE internet security zone IE local intranet security zone IE restricted site security zone IE trusted site security zone IE version

Security settings MS Excel macros MS Outlook macros MS Word macros Services not allowed Services required Windows Bridge Network Connection Windows security policy Windows startup registry entries allowed

P2P and instant messaging Altnet AOL instant messenger BitTorrent Chainsaw Chatbot DICE dIRC Gator Hotline Connect Client IceChat IRC client ICQ Pro IRCXpro Kazaa Kazaa Lite K++ leafChat Metasquarer mlRC Morpheus MyNapster MyWay NetIRC NexIRC Not Only Two P2PNet.net PerfectNav savIRC

Personal firewalls AOL Security Edition Black ICE Firewall Computer Associates EZ

Firewall Internet Connection Firewall

(Pre XP SP2) McAfee Personal Firewall Panda Internet Security F-Secure Personal Firewall Norton Personal Firewall /

Internet Security Sygate Personal Firewall Symantec Client Firewall Tiny Personal Firewall Trend Micro Personal Firewall ZoneAlarm Personal Firewall Senforce Advanced Firewall Windows Firewall

MS Office version check Microsoft Office XP Microsoft Office 2003 Microsoft Office 2000

prohibited Software Administrator defined

Required software Administrator defined

Trillian Turbo IRC Visual IRC XFire Yahoo! Messenger

20

Endpoint Integrity Checks

Anti-spyware Ad-Aware SE Personal Ad-Aware Plus Ad-Aware Professional CounterSpy McAfee AntiSpyware Pest Patrol Spyware Eliminator Webroot Spy Sweeper Windows Defender

Spyware, Worms, viruses, and Trojans CME-24 Keylogger.Stawin Trojan.Mitglieder.C VBS.Shania W32.Beagle.A W32.Beagle.AB W32.Beagle.AG W32.Beagle.AO W32.Beagle.AZ W32.Beagle.B W32.Beagle.E W32.Beagle.J W32.Beagle.K W32.Beagle.M W32.Beagle.U W32.Blaster.K.Worm W32.Blaster.Worm W32.Doomhunter W32.Dumaru.AD W32.Dumaru.AH W32.Esbot.A.1 W32.Esbot.A.2 W32.Esbot.A.3 W32.Galil.F W32.HLLW.Anig W32.HLLW.Cult.M W32.HLLW.Deadhat W32.HLLW.Deadhat.B W32.HLLW.Doomjuice W32.HLLW.Doomjuice.B

Anti-virus NOD32 AntiVirus AVG AntiVirus Free Ed Computer Associates eTrust AntiVirus Computer Associates eTrust EZ AntiVirus F-Secure AntiVirus Kaspersky AntiVirus for FileServers Kaspersky AntiVirus for Workstations McAfee VirusScan McAfee Managed VirusScan McAfee Enterprise VirusScan McAfee Internet Security Suite 8.0 Norton Internet Security Trend Micro AntiVirus Trend Micro OfficeScan Corporate Edition Sophos AntiVirus Panda Internet Security Symantec Corporate AntiVirus

W32.HLLW.Lovgate W32 Hiton W32.IRCBot.C W32.Kifer W32.Klez.H W32.Klez.gen W32.Korgo.G W32.Mimail.Q W32.Mimail.S W32.Mimail.T W32.Mydoom.A W32.Mydoom.AX-1 W32.Mydoom.AX W32.Mydoom.B W32.Mydoom.M W32.Mydoom.Q W32.Netsky.B W32.Netsky.C W32.Netsky.D W32.Netsky.K W32.Netsky.P W32.Rusty@m W32.Sasser.B W32.Sasser.E W32.Sasser.Worm W32.Sircam.Worm W32.Sober.O W32.Sober.Z W32.Welchia.Worm W32.Zotob.E

IT-Symposium 2007 18.04.2007


21

Pre-Connect NAC

• Testing an endpoint device to ensure compliance prior to the endpoint being granted regular access on the network

Test Endpoint

Endpoint Compliant

No Regular Network Access

Regular Network Access

1

2

3

4

Endpoint

22

Post-Connect NAC

• Network access control where the endpoint device is periodicallytested after network access has been granted

– Upon determination of endpoint non-compliance the endpoint device is quarantined for remediation

Endpoint

Test Endpoint

Endpoint Not Compliant

Regular Network Access

Quarantined for Remediation

1

2

3

4

IT-Symposium 2007 18.04.2007


23

ProCurve NAC 800Endpoint Integrity Testing Methods

• Methods by which an endpoint can be accessed for the purposes oftesting

– Agent-based Permanent – Agent software is installed on each endpoint and is always available for testing

– Agent-based Transient – An agent is downloaded temporarily to the endpoint as required

– Agentless – Uses native applications to provide agent functions

24

ProCurve NAC 800 Deployment ModelsRADIUS Enforcement Mode

Solution Features

• Access to network is controlled by port security (802.1X / MACAuth) on edge devices

• ProCurve NAC enforces endpoint integrity validation of clients

• ProCurve Identity Driven Manager applies Adaptive Network Accesspolicies

ProCurve NAC 800Endpoint

Quarantine Network

Quarantine Network

MirroredDHCP traffic

Corporate Network

Corporate Network

RADIUSAuthentication

IT-Symposium 2007 18.04.2007


25

ProCurve NAC 800 Deployment ModelsInline-Mode for Remote Access

ProCurve NAC 800VPN and RAS

InternetInternet

Remote Client

Solution Features

• Access to network is controlled inline through address filtering by ProCurve NAC

• ProCurve NAC enforces endpoint integrity validation of remote clients

Corporate Network

Corporate Network

k5

26

ProCurve NAC 800 Deployment ModelsDHCP Enforcement Mode

DHCP Server

ProCurve NAC 800

Endpoint

Quarantine Network

Quarantine Network

Corporate Network

Corporate Network

Solution Features

• Access to network is controlled via DHCP management by ProCurve NAC

• ProCurve NAC enforces Endpoint Integrity validation of DHCP clients

k5 This is an alternate view for the previous slide on "InLine Mode for Remote Access"

This version removes the firewall, which is common, but not required. This allows for a larger version of the ProCurve NAC productkevin_porter, 2/7/2007

IT-Symposium 2007 18.04.2007


27

IDM + ProCurve NAC 800 + EI AgentsAdaptive Access Control with Endpoint Integrity For organizations who want a complete Access Control solution …

• Authenticated users – protects the network from unauthorized users and devices

• Adaptive network access rights – provides appropriate network access based on business policies for the user

• Endpoint Integrity – protects the network from harmful systems and enforces system software requirements

• Ease of deployment and management – enables businesses to implement an effective NAC solution today

28

IDM and ProCurve NAC Use ModelsAdaptive Network Accesswith Endpoint Integrity

ProCurve NAC 800w/ProCurve NAC Agent Licenses

UnknownOn Remediation

VLAN to be tested

FailedOn Remediation

VLAN, will be retested at next authentication

PassedConnected to

Corporate VLAN

Corporate VLANRemediation VLAN

• Solution includes: IDM, ProCurve NAC 800, and ProCurve NAC EI Agent Licenses

• Remediation VLAN configured to all secured edge ports, in addition to all other company VLANs used

• Clients authenticate via 802.1X, and are placed on VLAN based on EI status:

– Corporate VLAN if the have recently passed EI testing– Remediation VLAN if they are Unknown … will be tested

now and reauthenticated if they pass the EI test– Remediation VLAN if they fail EI testing

• IDM also sets ACLs, QoS, and Bandwidth limits based on access policy

• Works for both wired and wireless ProCurve edge devices

PCM/IDM Server

ProCurve Adaptive Edge Devices

IT-Symposium 2007 18.04.2007


29

IDM + ProCurve NAC 800Adaptive Access Control

For organizations who want to control network users and provide adaptive network access


• Adaptive network access rights – provides appropriate network access based on business policies for the user


30

Faculty VLANStudent VLAN

IDM and ProCurve NAC Use ModelsAdaptive Network Access

ProCurve NAC 800

StudentConnected to Student VLAN

Faculty MemberConnected to Faculty VLAN

•Solution includes IDM and ProCurve NAC 800

•Clients authenticate via 802.1X, and are placed on VLAN based IDM Access Policy.

– The IDM access policy can also set ACLs, QoS, and Bandwidth Limits

•Works for both wired and wireless ProCurve edge devices

Guest VLAN

GuestConnected to Guest VLAN

Management VLAN

PCM/IDM Server


IT-Symposium 2007 18.04.2007


31

ProCurve NAC 800 + EI AgentsAccess Control with Endpoint Integrity

For organizations who want to enforce system software requirements and protect their network from harmful systems …

• Endpoint Integrity – protects the network from harmful systems and enforces system software requirements



32

ProCurve NAC 800 + EI Agents Access Control with Endpoint Integrity

ProCurve NAC 800w/ProCurve NAC Agent Licenses

UnknownOn Remediation

VLAN to be tested

FailedOn Remediation

VLAN, will be retested at next authentication

PassedConnected to

Corporate VLAN


• Solution includes: IDM, ProCurve NAC 800, and ProCurve NAC EI Agent Licenses

• Remediation VLAN configured to all secured edge ports, in addition to all other company VLANs used

• Clients authenticate via 802.1X, and are placed on VLAN based on EI status:

– Corporate VLAN if the have recently passed EI testing– Remediation VLAN if they are Unknown … will be tested

now and reauthenticated if they pass the EI test– Remediation VLAN if they fail EI testing

• Works for both wired and wireless ProCurve edge devices


IT-Symposium 2007 18.04.2007


33

IDM and ProCurve NAC 800 Use ModelsEnterprise with Remote Office


ProCurve NAC 800 Procurve NAC 800ProCurve NAC 800

Main Enterprise SiteRemote Office

PCM/IDM Server

ManagerProCurve NAC 800

34

AccountingRADIUS

AccountingIDM Reports

SessionCounters

ProCurve Access Control SolutionLayers of Security

Authorization

802.1X supplicant

Endpoint Integrity

802.1X

Integrity

Authentication RADIUS

IDMAccess Policy Rules

VLAN, ACL, QoS, Rate-limit

Endpoint Integrity

Client Switch

RADIUS

RADIUS

WebAuthMAC Auth

Web Browser

IT-Symposium 2007 18.04.2007


35

Summary

ProCurve provides a comprehensive and manageable Access Control solution to prevent untrusted network use on both campus and distributed sites

• A deployable and manageable solution

• Suitable for current environments and extensible to future needs

• Protects network from harmful and infected systems

• Enforces business policies regarding network access rights

• Unified access control for LAN, WLAN, and WAN

The ProCurve Access Control solution helps administrators deploysecured network access based on business policy

More Security with Less Complexity

procurve access control solution 2 · • antivirus, spyware, firewalls, peer-to-peer, allowed and...

Documents