Vortrag: Netzwerksicherheit

Netzwerksicherheit, Juni 2009 Seite 1

Vortrag:

NetzwerksicherheitZentrale Steuerung, dezentrale Kontrolle

10. September 2009

Mit High-Speed Switching in die Netzwerk-Zukunft!

Technologie Seminarreihe

Dirk Schneider, HP ProCurve Network Consultant, informiert Sie über

die wichtigsten Entwicklungen im Bereich geswitchter Netzwerke. Natürlich werden in diesem Rahmen auch die neuesten Produkte und

Entwicklungen des Herstellers HP ProCurve vorgestellt

Alle Seminarunterlagen finden Sie unter „www.bachert.de“ im Bereich Aktuelles/Seminare


Netzwerksicherheit

Ständig steigende Bedeutung

• wachsende Vernetzung im IT- und Nicht-IT Bereich

• steigende Mobilitätsansprüche (ex- und interne Ressourcen)

• Flexibilisierung der Arbeitsprozesse über alle Unternehmensbereiche


Netzwerksicherheit

Ein umfassender Schutz ist nur durch einen vielschichtigen Ansatz erreichbar.

“Zwiebelmodell”

• network access controlZugriffskontrolle

• intrusion preventionEinbruchschutz und Meldesysteme

• identity and access managementIdentitäts- und Zugriffsmanagement

• vulnerability managementGefahren und Risikomanagement


Netzwerksicherheit

2007 hätten 80% der Schadensursachen in Netzwerken durch den Einsatz verfügbarer Technologien verhindert werden können:

• network access control, • intrusion prevention,• identity and access management,• vulnerability management.”


ProCurve Security

Adaptive Edge ArchitectureAdaptive Edge Architecture

ProActiveDefenseProActiveDefense

Zugriffs-kontrolleZugriffs-kontrolle

SichereInfrastruktur

SichereInfrastruktur

Netzwerk-sicherheitNetzwerk-sicherheit

RegulatoryComplianceRegulatoryCompliance

Wer möchte wann, von wo auf welche Ressourcen zugreifen?

Wer möchte wann, von wo auf welche Ressourcen zugreifen?

Erkennung und Abblockung von verschiedensten Attacken und Angriffen auf das Netzwerk.

Erkennung und Abblockung von verschiedensten Attacken und Angriffen auf das Netzwerk.

Sichere Bereitstellung einer gemanagten Netzwerkinfrastruktur.

Sichere Bereitstellung einer gemanagten Netzwerkinfrastruktur.


Adaptive Edge Architecture

� Die Zugangspunkte im Netzwerk bieten den optimalen Ansatz um Anomalien und Gefahren zu erkennen.

� Sich abzeichnende Probleme werden am Ort der Entstehung behoben/gelöst/bekämpft.

� Command from the center, control to the edge – the ProCurve Adaptive Edge Architecture

IntelligentEDGE

COMMANDFROM THECENTER

Per-PortDistributed Processors

Clients

Servers

WirelessClients

Internet

Clients


�Kontrolle im Edge-Bereich� Der erste Zugangspunkt bietet

die optimale Möglichkeit Probleme zu beheben

�Sicherheit� 802.1X� Web authentication� MAC authentication� Virus Throttling� ACLs� DHCP Snooping� ARP protection� BPDU protection & filtering� MAC lockout / lockdown� Source port filtering� Multiple Threat Detection

Commandfrom the Center

Internet

Interconnect

Fabric

Edge

Network

Servers

Intelligent

Switches

IntelligentSwitches

Wireless

Access Points

Clients

Wireless

Clients

Clients

Wireless

Clients

Edge

Portal

IntelligentEdge

Adaptive EDGE Architecture

Netzwerksicherheit, Juni 2009 Seite 8Rev. 6.41 8

IDM Identity Driven Manager

� IDM add-on for PCM+ dynamically applies security, access and performance settings to network infrastructure devices� Provides edge-enforced access control based on user, device, time, location, and

client system state

� Users receive appropriate access and rights wherever and whenever they connect based upon pre-configured access rights and policies� Can apply VLAN, ACL, QoS, and bandwidth limit settings on a per user basis

� Management effort is reduced since policies are defined using PCM+ client

� VLANs can be used for primary purpose of limiting communication between users instead of controlling access to core resources

3

VLAN Bandwidth limit

Time Location

QoS

Device ID Client integrity status

Set theseparameters:

Based onthese attributes:

ACLs

User ID


Using identity-driven access controls

� Identity-driven solution provides a means of enforcing per-user access rights based on:� Who the user is

� Where the access is occurring

� When the access is occurring

� What resources are allowed

Guest & Employee

Conference Room

Internet

Parking lot Lobby Campus

Business Network

R&D LAN

9:00

8:55

when

who

what

where

5


6. If valid user, IDM checks

• Username / password

• Time of day

• Location

• System (MAC address)

• Client Integrity Status

- Query to third-party

And applies access profile

- VLAN, QoS, Bandwidth, ACLs

IDM in operation

IDMAgent

3. User sends credentials(username/passwordor smartcard)

4. Switch forwards credentials to RADIUS server resulting in request for identity / authentication from database

5. Database responds with user validity

7. User-specificresources are made

available

Edge device with IDM feature support

1. User plugs in to network

RADIUS server

2. User is challenged forcredentials by switch

• IDM Agent is aware of transaction

Per usernetwork parameterdatabase

8

Edge device must support MAC, Web, or 802.1X authentication

IDM Agent adds “authorization” parameters to the RADIUS reply sent

to the switchwhere the access rights of the client are enforced


Internet

Guest

Employee

Non-Compliant

Employee

Zgriff nur auf das

Internet

Enterprise

LAN

Zugriff auf Inter-

und Intranet

Zugriff nur auf

Anti-Virus-

Service-Server

Edge

Switch

Anti-Virus remediation

Server

Corporate

Server

Access

Policy

Server

Conference Room

Conference Room

Network

Administrator

1. Sets up role based access

policy groups & assigns rules and access profiles:

• Set rules

• Time • Location

• Device ID• Client integrity status

• To trigger each policy

profile• ACL

• VLAN• QoS

• BW limit

2. Put users in appropriate access policy group

Network Access Security


Internet

Guest

Employee

Compliant

Employee

Zgriff nur auf das

Internet

Enterprise

LAN

Edge

Switch

Anti-Virus

Server

Corporate

Server

Access

Policy

Server

Conference Room

Conference Room

Zugriff auf Inter-

und Intranet

Zugriff auf Inter-

und Intranet

Network

Administrator

1. Sets up role based access

policy groups & assigns rules and access profiles:

• Set rules

• Time • Location

• Device ID• Client integrity status

• To trigger each policy

profile• ACL

• VLAN• QoS

• BW limit

2. Put users in appropriate access policy group

Network Access Security


no client

software required –sends MAC address

� Am Edge-Switch stehen 3 Authentifizierungsmethoden zur Verfügung:

� IEEE 802.1X

� Web Authentication

� MAC Authentication

RADIUS

Server

0008A2-1C99C6

using 802.1X

client software

using web

browser only

ProCurve

IDM

Client Authentication Possibilities


802.1X, Web and MAC authentication

• 802.1X• standard based and widely-used• no IP communication until authentication successful• port based access control• user based access control (up to 32 per port)

• Web-Authentication� port communication is redirected

to the switch� temporary IP address is assigned

by the switch� login screen is presented for the client

• MAC-Authentication� the device MAC address is used as username/password


15

• Allows easy creation and management of user policy groups for optimizing network performance and increasing user productivity

• Dynamically apply security, access and performance settings at port level based on policies

• IDM adds network reports and logs based on users for audit

VLAN BandwidthLimit

User/GroupTime

Location

QoSACLs

DeviceID

ClientIntegrityStatus

Set =>

Based on =>

Zugriffskontrolle Identity Driven Manager (IDM)


16

Adaptive Zugriffskontrolle mit IDM

802.1X Supplica

nt

802.1X Supplicant

802.1X Authenticator

Policy Enforcement Point (PEP)

ProCurve Switches and Access-Points

RADIUSServer

IDM Agent

PCM / IDM Server

AuthenticationDirectory

Active DirectoryLDAP

AuthenticationServer

Network Mgmt Server

ProCurveowned

MAC-Auth

Web-AuthMAC Address

HTTP Request

AuthenticationServer

3rd Party Software


17

Any 802.1X Client

EI PolicyDefinitions

AuthenticationDirectory

Active DirectoryeDirectory

LDAP

RADIUS Server

IDM Agent

PCM / IDM Server

Network Mgmt Server

Endpoint Integrity Agent

Endp

oint

In

tegr

ity A

gent

On-demand

ProCurveowned

Überprüfung der Endgeräte • Betriebssystemversion und Patch-Stand• Stand der Anti-Virus und Anti-Spyware-SoftwareGeforderte oder verbotene Anwendungssoftware.Und mehr…….

Network Access Controller 800

MAC-Auth

Web-Auth

MAC Address

HTTP Request

802.1X Authenticator

Policy Enforcement Point (PEP)

ProCurve Switches and Access-Points

Adaptive Zugriffkontrolle mitIDM und ProCurve NAC 800


18

• Authenticated systems• protects the network from harmful

systems and enforces systemsoftware requirements

• Endpoint integrity checks• Antivirus, spyware, firewalls,

peer-to-peer, allowed and prohibitedprograms and services

• OS versions, services packs, hotfixes• Security settings for browsers and

applications

Access ControlEndpoint Integrity with ProCurve NAC 800


19

� Operating systems� Service Packs � Rogue WAP Connection � Windows 2000 hotfixes � Windows Server 2003 SP1 hotfixes � Windows Server 2003 hotfixes � Windows XP SP2 hotfixes � Windows XP hotfixes � Windows automatic updates

� Browser security policy� IE internet security zone � IE local intranet security zone � IE restricted site security zone � IE trusted site security zone � IE version

� Security settings� MS Excel macros � MS Outlook macros � MS Word macros � Services not allowed � Services required � Windows Bridge Network Connection � Windows security policy � Windows startup registry entries allowed

P2P and instant messaging

Altnet

AOL instant messenger BitTorrent

Chainsaw

Chatbot

DICE

dIRC Gator

Hotline Connect Client

IceChat IRC client

ICQ Pro

IRCXpro Kazaa

Kazaa Lite K++

leafChat

Metasquarer

mlRC Morpheus

MyNapster

MyWay

NetIRC

NexIRC Not Only Two

P2PNet.net

PerfectNav

savIRC

Personal firewalls

AOL Security Edition

Black ICE Firewall Computer Associates EZ Firewall

Internet Connection Firewall (Pre XP SP2)

McAfee Personal Firewall

Panda Internet Security

F-Secure Personal Firewall

Norton Personal Firewall / Internet Security

Sygate Personal Firewall Symantec Client Firewall

Tiny Personal Firewall

Trend Micro Personal Firewall

ZoneAlarm Personal Firewall

Senforce Advanced Firewall Windows Firewall

MS Office version check

Microsoft Office XP

Microsoft Office 2003 Microsoft Office 2000

prohibited Software

Administrator defined

Required software

Administrator defined

Trillian

Turbo IRC

Visual IRC XFire

Yahoo! Messenger

Endpoint Integrity Tests


20

Anti-spyware

Ad-Aware SE Personal

Ad-Aware Plus

Ad-Aware Professional

CounterSpy

McAfee AntiSpyware

Pest Patrol

Spyware Eliminator

Webroot Spy Sweeper

Windows Defender

Spyware, Worms, viruses, and TrojansCME-24 Keylogger.Stawin Trojan.Mitglieder.C VBS.Shania W32.Beagle.A W32.Beagle.AB W32.Beagle.AG W32.Beagle.AO W32.Beagle.AZ W32.Beagle.B W32.Beagle.E W32.Beagle.J W32.Beagle.K W32.Beagle.M W32.Beagle.U W32.Blaster.K.Worm W32.Blaster.Worm W32.Doomhunter W32.Dumaru.AD W32.Dumaru.AH W32.Esbot.A.1 W32.Esbot.A.2 W32.Esbot.A.3 W32.Galil.F W32.HLLW.Anig W32.HLLW.Cult.M W32.HLLW.Deadhat W32.HLLW.Deadhat.BW32.HLLW.Doomjuice W32.HLLW.Doomjuice.B

Anti-virus

NOD32 AntiVirus

AVG AntiVirus Free Ed

Computer Associates eTrust AntiVirus

Computer Associates eTrust EZ AntiVirus

F-Secure AntiVirus

Kaspersky AntiVirus for FileServers

Kaspersky AntiVirus for Workstations

McAfee VirusScan

McAfee Managed VirusScan

McAfee Enterprise VirusScan

McAfee Internet Security Suite 8.0

Norton Internet Security

Trend Micro AntiVirus

Trend Micro OfficeScan Corporate Edition

Sophos AntiVirus

Panda Internet Security

Symantec Corporate AntiVirus

W32.HLLW.Lovgate W32 Hiton W32.IRCBot.C W32.Kifer W32.Klez.H W32.Klez.gen W32.Korgo.G W32.Mimail.Q W32.Mimail.S W32.Mimail.T W32.Mydoom.A W32.Mydoom.AX-1 W32.Mydoom.AX W32.Mydoom.B W32.Mydoom.M W32.Mydoom.Q W32.Netsky.B W32.Netsky.C W32.Netsky.D W32.Netsky.K W32.Netsky.P W32.Rusty@m W32.Sasser.B W32.Sasser.E W32.Sasser.Worm W32.Sircam.Worm W32.Sober.O W32.Sober.Z W32.Welchia.Worm W32.Zotob.E

Endpoint Integrity Checks


21

21

Gastzugänge im WLAN anlegenThe WebUser administrator can access only this window.

Manually set a username and password

Automatically create a username and password

1

2

3

4

Rev 1.0


22

� ProCurve bietet eine umfassende und handhabbare Zugangskontrolle um Ihre Netzwerkinfrastruktur zu schützen:

� Eine erweiterbare und handhabbare Lösung.

� Flexibel für gegenwärtige und zukünftige Anforderungen.

� Schützt das Netzwerk vor gefährlichen oder infizierten Endgeräten.

� Erzwingt die Einhaltung der internen Unternehmenspolitik im Umgang mit der IT Infrastruktur.

� Vereinheitlichte Zugangskontrolle für LAN, WLAN und WAN.

� The ProCurve Access Control solution helps administrators deploy secured network access based on business policy

More Security with Less Complexity

Zusammenfassung

Documents

Vortrag: Netzwerksicherheit