Network Security, June 2009
Talk: Network Security: Central Command, Decentralized Control, 10 September 2009
Technology seminar series "Into the network future with high-speed switching!"
Dirk Schneider, HP ProCurve Network Consultant, informs you about the most important developments in switched networks. Naturally, the latest products and developments from HP ProCurve will also be presented in this context. All seminar materials can be found at www.bachert.de under Aktuelles/Seminare.
• Who wants to access which resources, when, and from where?
• Detection and blocking of the most varied attacks and intrusions against the network.
• Secure provisioning of a managed network infrastructure.
Adaptive Edge Architecture
• The access points in the network offer the optimal vantage point for detecting anomalies and threats.
• Emerging problems are resolved at the place where they arise.
• Command from the center, control to the edge: the ProCurve Adaptive Edge Architecture
[Figure: Intelligent Edge with per-port distributed processors; command from the center; clients, wireless clients, servers and the Internet attached at the edge]
Control at the edge: the first access point offers the optimal opportunity to fix problems.
Security features at the edge:
• 802.1X
• Web authentication
• MAC authentication
• Virus Throttling
• ACLs
• DHCP Snooping
• ARP protection
• BPDU protection & filtering
• MAC lockout / lockdown
• Source port filtering
• Multiple Threat Detection
[Figure: Adaptive EDGE Architecture, command from the center: Internet, interconnect fabric, edge network; intelligent switches, wireless access points, edge portal and clients at the intelligent edge; servers behind the fabric]
IDM Identity Driven Manager
• IDM add-on for PCM+ dynamically applies security, access and performance settings to network infrastructure devices
• Provides edge-enforced access control based on user, device, time, location, and client system state
• Users receive appropriate access and rights wherever and whenever they connect, based upon pre-configured access rights and policies
• Can apply VLAN, ACL, QoS, and bandwidth limit settings on a per-user basis
• Management effort is reduced since policies are defined using the PCM+ client
• VLANs can be used for the primary purpose of limiting communication between users instead of controlling access to core resources
[Figure: IDM sets these parameters: VLAN, ACLs, QoS, bandwidth limit; based on these attributes: user ID, time, location, device ID, client integrity status]
Using identity-driven access controls
• An identity-driven solution provides a means of enforcing per-user access rights based on:
  • Who the user is
  • Where the access is occurring
  • When the access is occurring
  • What resources are allowed
[Figure: who / where / when / what: a guest or employee in the conference room, lobby, parking lot or campus at 8:55 or 9:00 is granted the Internet, the business network or the R&D LAN accordingly]
IDM in operation
1. User plugs in to the network
2. User is challenged for credentials by the switch
   • IDM Agent is aware of the transaction
3. User sends credentials (username/password or smartcard)
4. Switch forwards credentials to the RADIUS server, resulting in a request for identity / authentication from the database
5. Database responds with user validity
6. If valid user, IDM checks
   • Username / password
   • Time of day
   • Location
   • System (MAC address)
   • Client Integrity Status
     - Query to third party
   and applies the access profile
     - VLAN, QoS, Bandwidth, ACLs
7. User-specific resources are made available
[Figure: edge device with IDM feature support; RADIUS server with IDM Agent; per-user network parameter database]
Edge device must support MAC, Web, or 802.1X authentication.
The IDM Agent adds "authorization" parameters to the RADIUS reply sent to the switch, where the access rights of the client are enforced.
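The decision in step 6 and the authorization parameters the IDM Agent adds to the RADIUS reply can be modelled as a small rule engine. This is an added example and not ProCurve IDM code: the rule structure, the policy groups (engineering, staff, guest), the location tags, the remediation VLAN and the sample sessions are all constructed. The VLAN is carried in the standard RADIUS tunnel attributes of RFC 3580 (Tunnel-Type 64 = VLAN (13), Tunnel-Medium-Type 65 = IEEE-802 (6), Tunnel-Private-Group-ID 81) and the ACL name in Filter-Id; the QoS and bandwidth attributes are labelled placeholders standing in for vendor-specific attributes.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple


@dataclass(frozen=True)
class AccessProfile:
    """What IDM sets on the edge port (constructed structure)."""
    vlan: int
    acl: str
    qos: int            # 802.1p priority 0..7
    bw_limit_kbps: int  # 0 = unlimited


@dataclass
class Rule:
    """What IDM bases the decision on: group, location, time window, integrity."""
    name: str
    profile: AccessProfile
    groups: frozenset = frozenset()          # empty = any group
    locations: frozenset = frozenset()       # empty = any location
    time_window: Optional[Tuple[time, time]] = None   # inclusive, same day
    require_integrity: bool = False          # client integrity status must be OK


@dataclass
class Session:
    user: str
    group: str
    location: str     # where the user plugged in (switch/port location tag)
    now: time         # time of day of the authentication
    mac: str          # system identity (MAC address)
    integrity_ok: bool  # result of the third-party integrity query


def rule_matches(rule: Rule, s: Session) -> bool:
    if rule.groups and s.group not in rule.groups:
        return False
    if rule.locations and s.location not in rule.locations:
        return False
    if rule.time_window and not (rule.time_window[0] <= s.now <= rule.time_window[1]):
        return False
    if rule.require_integrity and not s.integrity_ok:
        return False
    return True


# Non-compliant employee: isolated VLAN that can only reach the remediation server
REMEDIATION = AccessProfile(vlan=999, acl="av-server-only", qos=0, bw_limit_kbps=1000)

# Constructed policy, ordered from most to least specific (first match wins)
POLICY = [
    Rule("rd-lab", AccessProfile(100, "rd-lan", 5, 0), groups={"engineering"},
         locations={"rd-floor"}, time_window=(time(7, 0), time(20, 0)), require_integrity=True),
    Rule("employee", AccessProfile(20, "corp", 3, 0), groups={"engineering", "staff"},
         require_integrity=True),
    Rule("guest", AccessProfile(50, "internet-only", 0, 2000), groups={"guest"}),
]


def select_profile(session: Session):
    """Return (policy name, AccessProfile) or ("deny", None)."""
    for rule in POLICY:
        if rule_matches(rule, session):
            return rule.name, rule.profile
    # Known (non-guest) user that failed only the integrity check: remediation, not reject
    if session.group != "guest" and not session.integrity_ok:
        return "remediation", REMEDIATION
    return "deny", None


def radius_reply(session: Session) -> dict:
    """Build the RADIUS reply the switch enforces; the switch never sees the policy itself."""
    name, profile = select_profile(session)
    if profile is None:
        return {"code": "Access-Reject"}
    attrs = {
        "Tunnel-Type": 13,                       # VLAN (RFC 3580)
        "Tunnel-Medium-Type": 6,                 # IEEE-802
        "Tunnel-Private-Group-ID": str(profile.vlan),
        "Filter-Id": profile.acl,                # names an ACL configured on the switch
        "X-QoS-Priority": profile.qos,           # placeholder for a vendor-specific attribute
        "X-Bandwidth-Max-Kbps": profile.bw_limit_kbps,  # placeholder, vendor-specific
    }
    return {"code": "Access-Accept", "policy": name, "attributes": attrs}


# Constructed sample sessions (the MAC format follows the slide's 0008A2-1C99C6 example)
SAMPLE_SESSIONS = {
    "engineer_in_lab": Session("alice", "engineering", "rd-floor", time(9, 0), "0008A2-1C99C6", True),
    "engineer_after_hours": Session("alice", "engineering", "rd-floor", time(22, 0), "0008A2-1C99C6", True),
    "engineer_noncompliant": Session("alice", "engineering", "rd-floor", time(9, 0), "0008A2-1C99C6", False),
    "guest_in_lobby": Session("visitor", "guest", "lobby", time(9, 0), "000000-000001", False),
    "unknown_group": Session("bob", "contractor", "lobby", time(9, 0), "000000-000002", True),
}

if __name__ == "__main__":
    for label, s in SAMPLE_SESSIONS.items():
        print(f"{label:22s} -> {radius_reply(s)}")
```

The same engineer lands in VLAN 100 on the R&D floor during working hours, in the ordinary employee VLAN 20 after hours, and in the remediation VLAN 999 when the integrity query fails; a guest is never posture-checked but is rate-limited and confined to the Internet, and a user in no policy group gets an Access-Reject. Keeping the remediation path separate from "deny" is what lets a non-compliant employee reach the anti-virus server without reaching anything else.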
Network Access Security
[Figure: edge switch, access policy server, corporate server and anti-virus remediation server; a guest in the conference room gets access to the Internet only; an employee gets access to the Internet and the intranet (Enterprise LAN); a non-compliant employee gets access only to the anti-virus service server, while a compliant employee gets access to the Internet and the intranet]
Network administrator:
1. Sets up role-based access policy groups & assigns rules and access profiles:
   • Set rules (time, location, device ID, client integrity status) to trigger each policy
   • Profile: ACL, VLAN, QoS, bandwidth limit
2. Puts users in the appropriate access policy group
Client Authentication Possibilities
• Three authentication methods are available at the edge switch:
  • IEEE 802.1X
  • Web Authentication
  • MAC Authentication
[Figure: clients authenticate against ProCurve IDM / the RADIUS server using 802.1X client software, using a web browser only, or with no client software required (the device sends its MAC address, e.g. 0008A2-1C99C6)]
802.1X, Web and MAC authentication
• 802.1X
  • standards-based and widely used
  • no IP communication until authentication is successful
  • port-based access control
  • user-based access control (up to 32 per port)
• Web authentication
  • port communication is redirected to the switch
  • a temporary IP address is assigned by the switch
  • a login screen is presented to the client
• MAC authentication
  • the device MAC address is used as username/password
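The three methods differ in what the edge switch lets through from a client that has not yet authenticated. The following added example models that per-port behaviour; it is not ProCurve switch code, and the Frame and Port types, the return labels, the constructed RADIUS MAC database KNOWN_MACS (reusing the MAC from the previous slide) are assumptions. The per-port limit of 32 is the figure the slide gives for user-based 802.1X.

```python
from dataclasses import dataclass, field

MAX_CLIENTS_PER_PORT = 32   # user-based access control limit from the slide

# Constructed stand-in for the RADIUS server's MAC-auth user database:
# with MAC authentication the MAC address is both username and password.
KNOWN_MACS = {"0008A2-1C99C6"}


@dataclass
class Frame:
    src_mac: str
    ethertype: str        # "EAPOL" or "IP"
    proto: str = ""       # for IP frames: "DHCP", "HTTP", "TCP", ...


@dataclass
class Port:
    method: str                                  # "802.1X", "web" or "mac"
    authenticated: set = field(default_factory=set)  # MACs with an Access-Accept


def radius_mac_auth(mac: str) -> bool:
    """Constructed RADIUS lookup: Access-Accept iff the MAC is in the database."""
    return mac in KNOWN_MACS


def admit(port: Port, mac: str) -> bool:
    """Called after RADIUS Access-Accept; enforces the per-port client limit."""
    if mac in port.authenticated:
        return True
    if len(port.authenticated) >= MAX_CLIENTS_PER_PORT:
        return False
    port.authenticated.add(mac)
    return True


def handle_frame(port: Port, frame: Frame) -> str:
    """What the edge switch does with a frame from a client on this port."""
    if frame.src_mac in port.authenticated:
        return "forward"
    if port.method == "802.1X":
        # No IP communication before authentication: only EAPOL reaches the authenticator
        return "to-authenticator" if frame.ethertype == "EAPOL" else "drop"
    if port.method == "web":
        # The switch hands out a temporary address and redirects HTTP to its login page;
        # every other protocol from the unauthenticated client is dropped
        if frame.ethertype == "IP" and frame.proto == "DHCP":
            return "to-switch-dhcp"
        if frame.ethertype == "IP" and frame.proto == "HTTP":
            return "to-switch-login"
        return "drop"
    if port.method == "mac":
        # First frame triggers the RADIUS lookup with the MAC as username/password
        if radius_mac_auth(frame.src_mac) and admit(port, frame.src_mac):
            return "forward"
        return "drop"
    return "drop"


if __name__ == "__main__":
    dot1x = Port("802.1X")
    print(handle_frame(dot1x, Frame("0008A2-1C99C6", "IP", "TCP")))   # drop
    print(handle_frame(dot1x, Frame("0008A2-1C99C6", "EAPOL")))       # to-authenticator
    web = Port("web")
    print(handle_frame(web, Frame("0008A2-1C99C6", "IP", "HTTP")))    # to-switch-login
    mac = Port("mac")
    print(handle_frame(mac, Frame("0008A2-1C99C6", "IP", "TCP")))     # forward
```

The model makes the trade-off visible: 802.1X needs a supplicant but forwards nothing except EAPOL before success, web authentication must let DHCP and HTTP through so the browser can reach the login page, and MAC authentication needs no client software at all, which is exactly why the MAC address is the weakest of the three credentials.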
Access Control: Identity Driven Manager (IDM)
• Allows easy creation and management of user policy groups for optimizing network performance and increasing user productivity
• Dynamically applies security, access and performance settings at port level based on policies
• IDM adds user-based network reports and logs for audit
[Figure: set VLAN, bandwidth limit, QoS, ACLs based on user/group, time, location, device ID, client integrity status]
Adaptive access control with IDM
[Figure: an 802.1X supplicant, a MAC-auth client (MAC address) or a web-auth client (HTTP request) connects to the 802.1X authenticator / policy enforcement point (PEP) on ProCurve switches and access points; the PEP queries the RADIUS server with the ProCurve-owned IDM Agent on the PCM / IDM server (network management server), which consults the authentication server / authentication directory (Active Directory, LDAP; third-party software)]
Adaptive access control with IDM and ProCurve NAC 800
[Figure: as above, with an Endpoint Integrity Agent (installed or on-demand) on any 802.1X client, and the ProCurve-owned Network Access Controller 800 supplying EI policy definitions to the PCM / IDM server; authentication directory: Active Directory, eDirectory, LDAP]
Checking the endpoints:
• Operating system version and patch level
• Status of the anti-virus and anti-spyware software
• Required or prohibited application software
• And more...
Access Control: Endpoint Integrity with ProCurve NAC 800
• Authenticated systems
• Protects the network from harmful peer-to-peer, allowed and prohibited programs and services
• OS versions, service packs, hotfixes
• Security settings for browsers and applications
• Operating systems
  • Service Packs
  • Rogue WAP Connection
  • Windows 2000 hotfixes
  • Windows Server 2003 SP1 hotfixes
  • Windows Server 2003 hotfixes
  • Windows XP SP2 hotfixes
  • Windows XP hotfixes
  • Windows automatic updates
• Browser security policy
  • IE internet security zone
  • IE local intranet security zone
  • IE restricted site security zone
  • IE trusted site security zone
  • IE version
• Security settings
  • MS Excel macros
  • MS Outlook macros
  • MS Word macros
  • Services not allowed
  • Services required
  • Windows Bridge Network Connection
  • Windows security policy
  • Windows startup registry entries allowed
• P2P and instant messaging
  • Altnet
  • AOL Instant Messenger
  • BitTorrent
  • Chainsaw
  • Chatbot
  • DICE
  • dIRC
  • Gator
  • Hotline Connect Client
  • IceChat IRC client
  • ICQ Pro
  • IRCXpro
  • Kazaa
  • Kazaa Lite K++
  • leafChat
  • Metasquarer
  • mIRC
  • Morpheus
  • MyNapster
  • MyWay
  • NetIRC
  • NexIRC
  • Not Only Two
  • P2PNet.net
  • PerfectNav
  • savIRC
• Personal firewalls
  • AOL Security Edition
  • Black ICE Firewall
  • Computer Associates EZ Firewall
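The test categories listed above (operating system and service pack, automatic updates, required and prohibited services and programs, personal firewall, browser zone and Office macro settings, anti-virus status) can be combined into one posture evaluation that produces the compliant or non-compliant access profile from the Network Access Security slides. This is an added example and not NAC 800 code: the Endpoint fields, the policy thresholds, the Windows service name wuauserv used as the "services required" entry and both sample endpoints are constructed; the program and firewall names are taken from the lists above.

```python
from dataclasses import dataclass


@dataclass
class Endpoint:
    """Constructed inventory reported by the endpoint integrity agent."""
    os: str
    service_pack: int
    auto_updates: bool
    running_services: set
    installed_programs: set
    firewall: str                 # "" if no personal firewall found
    ie_internet_zone: str         # "low", "medium" or "high"
    office_macro_security: str    # "low", "medium" or "high"
    av_signature_age_days: int


# Constructed policy; the keys mirror the NAC 800 test groups on the slide
POLICY = {
    "min_service_pack": {"Windows XP": 2, "Windows Server 2003": 1},
    "required_services": {"wuauserv"},          # Windows Update service (example)
    "prohibited_programs": {"Kazaa", "BitTorrent", "Morpheus", "ICQ Pro"},
    "allowed_firewalls": {"AOL Security Edition", "Black ICE Firewall",
                          "Computer Associates EZ Firewall"},
    "min_ie_internet_zone": "medium",
    "min_macro_security": "medium",
    "max_av_signature_age_days": 7,
}
LEVELS = {"low": 0, "medium": 1, "high": 2}


def evaluate(ep: Endpoint, policy: dict = POLICY) -> list:
    """Return the list of failed checks; an empty list means compliant."""
    failures = []
    need_sp = policy["min_service_pack"].get(ep.os)
    if need_sp is None:
        failures.append(f"operating system {ep.os!r} not permitted")
    elif ep.service_pack < need_sp:
        failures.append(f"{ep.os} SP{ep.service_pack} below required SP{need_sp}")
    if not ep.auto_updates:
        failures.append("Windows automatic updates disabled")
    for svc in sorted(policy["required_services"] - ep.running_services):
        failures.append(f"required service {svc} not running")
    for prog in sorted(policy["prohibited_programs"] & ep.installed_programs):
        failures.append(f"prohibited program {prog} installed")
    if ep.firewall not in policy["allowed_firewalls"]:
        failures.append("no approved personal firewall")
    if LEVELS[ep.ie_internet_zone] < LEVELS[policy["min_ie_internet_zone"]]:
        failures.append("IE internet zone security below required level")
    if LEVELS[ep.office_macro_security] < LEVELS[policy["min_macro_security"]]:
        failures.append("Office macro security below required level")
    if ep.av_signature_age_days > policy["max_av_signature_age_days"]:
        failures.append(f"anti-virus signatures {ep.av_signature_age_days} days old")
    return failures


def access_decision(ep: Endpoint) -> dict:
    """Map the posture result onto the two employee profiles from the slides."""
    failures = evaluate(ep)
    if failures:
        # Non-compliant employee: isolated VLAN, reaches only the anti-virus remediation server
        return {"status": "non-compliant", "vlan": "remediation",
                "reach": ["anti-virus-server"], "failures": failures}
    return {"status": "compliant", "vlan": "enterprise-lan",
            "reach": ["internet", "intranet"], "failures": []}


# Constructed sample endpoints
SAMPLE_COMPLIANT = Endpoint("Windows XP", 2, True, {"wuauserv"}, {"Office"},
                            "Black ICE Firewall", "medium", "high", 1)
SAMPLE_NONCOMPLIANT = Endpoint("Windows XP", 1, False, set(), {"Kazaa"},
                               "", "low", "low", 30)

if __name__ == "__main__":
    for ep in (SAMPLE_COMPLIANT, SAMPLE_NONCOMPLIANT):
        d = access_decision(ep)
        print(d["status"], d["vlan"], *d["failures"], sep="\n  ")
```

Returning every failed check rather than only a pass/fail flag is what makes the remediation VLAN useful: the user (or the help desk) can see which of the listed tests blocked access, and re-checking after the fix moves the same machine to the enterprise LAN profile without any change on the switch.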