03_Sentriant_AG_5_0


Sentriant™ AG 5.0 – centralized control of end-user access to the network

Oleksandr Khomenko
Systems Engineer
Extreme Networks Associate
khomenko@telco.ua
Tel.: 380 (44) 406-56-06

© 2009 Extreme Networks, Inc. All rights reserved.


Switching Product Portfolio
• BlackDiamond 20808
• BlackDiamond 10808
• BlackDiamond 12804
• BlackDiamond 8800 a, e, c-series
• SummitStack™
• Summit X650
• Summit® X450a
• Summit X450e (Gigabit Edge)
• Summit X350
• Summit X250e
• Summit X150
• Tiers shown in the figure: 10Gigabit Core, Gigabit Aggregation, Gigabit Edge, 10/100 Edge

Wireless Product Portfolio
• Altitude™ 350 a/b/g
• Altitude 450 802.11n
• Summit WM2000 (200 APs)
• Summit WM200 (100 APs)
• Summit® WM20 (32 APs)

Management Products
• Policy Manager
• EPICenter
• Service Watch

Security Product Portfolio
• Sentriant NG 300
• Sentriant AG 5.0



Sentriant™ AG 5.0: Hardware / Software

[Figure: Sentriant AG200 appliance, with panel labels PWR, HDD, CONSOLE, eth0, eth1]

• Intel Dual Core (Core 2 Duo/Xeon 5100 series) processor at 1.86GHz
• 2GB RAM (or greater)
• 80GB SATA disk (or greater)
• Two 10/100/1000 Ethernet interfaces
• CD ROM drive
• An Internet connection or proxy server that allows outbound SSL communications



The Endpoint Threat to the Network

• Lack of institutional control over who and what is connecting to the network
• Traditional defenses (firewall, AV, IDS/IPS, VPN) offer ineffective protection against endpoint-based threats
• Hackers now targeting unpatched, unmaintained endpoints
• What makes endpoints dangerous?
  • Spyware, worms, trojans
  • Unpatched OSs and applications
  • Out-of-date AV and anti-spyware definitions
  • Human factors: high-risk activities (Peer-to-Peer, IM, harmful downloads)

"By the end of 2007, 75 percent of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses." - Gartner, Inc.



Network Access Control (NAC)

• Answers the question: Is it safe to let this endpoint onto the network?
  • Improves overall security posture of the network
  • Proactively protects the network from compromised or harmful endpoints
  • Further protects the endpoint itself, beyond what’s provided by AV and personal firewalls
• Enforces corporate security policies
  • Policy compliant endpoints are provided access while non-compliant endpoints can be denied access or quarantined
  • Helps to meet SOX, HIPAA, PCI-DSS requirements
• Augments limited IT resources and staff
  • Automated process alleviates the need for manual intervention
  • Facilitates remediation of non-compliant endpoints to reduce IT help desk activity



Sentriant™ AG Product Overview

• Protects the network from harmful endpoints
• Provides compliance with security policies
• Quarantines noncompliant endpoints and facilitates repair activities
• Maintains complete endpoint access history
• Works with new or existing network infrastructure



Sentriant™ AG Process



Sentriant™ AG—Key Capabilities

• Advanced Endpoint Integrity Testing
  • Customizable access policies with hundreds of security checks
  • Multiple testing options including a completely agent-less solution
  • Minimal impact on end users
  • Automatic quarantine and remediation of non-compliant endpoints
• Flexible Deployment Options
  • Multiple standards-based enforcement methods
  • Graduated levels of enforcement
  • Single-server or multi-server deployment
  • Clustering for high availability (HA) and load balancing
• Enterprise-Class Management and Administration
  • Centralized management
  • Multi-user, role-based administration
  • Powerful reporting capabilities and open APIs



Advanced Endpoint Integrity Testing



Point-and-Click Access Policy Definition

Select Tests for Inclusion in Access Policy

Specify Enforcement When Endpoint Fails Test

Refine Selected Test

• Three out-of-the-box access policies are provided
• Custom policies can be created for different network locations, devices or end-user types



Deep Endpoint Testing

• Test categories include
  • OS service packs and hotfixes
  • Browser and OS security settings
  • Network and wireless settings
  • Anti-virus (installed and up-to-date)
  • Personal firewall (installed and up-to-date)
  • Anti-spyware (installed and up-to-date)
  • Peer-to-Peer applications (presence of)
  • Worms, viruses, trojans, spyware (presence of)
  • Required or prohibited software (administrator defined)
• Tests added continuously as new threats emerge
  • Open, extensible testing engine
  • Custom tests for organization-specific needs



Testing Options

• Multiple options provide coverage for all categories of users and devices
  1. Agent—lightweight persistent agent
  2. ActiveX—tests endpoint through browser
  3. Agent-less—no client software required
• Support for both Windows and Mac endpoints
• No degradation in testing depth for any option



Off-the-Shelf Tests (1 of 2)

Operating Systems - Windows
• Windows 2000 hotfixes
• Windows Server 2003 SP1 hotfixes
• Windows Server 2003 hotfixes
• Windows XP SP2 hotfixes
• Windows XP hotfixes
• Windows Media Player Hotfixes
• Internet Explorer Hotfixes
• Service HotFixes Service Packs
• Windows automatic updates

Security Settings - Windows
• Allowed Networks
• MS Excel macros
• MS Outlook macros
• MS Word macros
• Services not allowed
• Services required
• Windows bridge network connection
• Simultaneous wired/wireless connections
• Wireless network SSID connections
• Windows security policy

Browser Security Policy - Windows
• Browser version
• IE internet security zone
• IE local intranet security zone
• IE restricted site security zone
• IE trusted sites security zone

Security Settings – OS X
• Airport Preference
• Airport WEP Enabled
• Bluetooth
• Internet Sharing
• Services
• Firewall
• Security Updates

Anti-Spyware (installed and up-to-date)
• Ad-Aware SE Personal
• Ad-Aware Plus
• Ad-Aware Professional
• McAfee AntiSpyware
• CounterSpy
• PestPatrol
• Shavlik NetChk 5.8 and above
• Spyware Eliminator
• Webroot Spy Sweeper
• Windows Defender

Anti-Virus (installed and up-to-date)
• Avast 4 Professional Edition
• AVG AntiVirus Free Ed
• BitDefender AntiVirus / Internet Security v10
• ClamWin Free AntiVirus
• Computer Associates eTrust EZ AntiVirus
• F-Secure AntiVirus
• Kaspersky Internet Security / AntiVirus 6.0
• Kaspersky AntiVirus for FileServers
• Kaspersky AntiVirus for Workstations
• McAfee VirusScan
• McAfee Enterprise VirusScan 7.1.0
• McAfee Enterprise VirusScan 8.0i
• McAfee Enterprise VirusScan 8.5i
• McAfee Enterprise VirusScan
• McAfee Internet Security Suite 8.0
• McAfee Internet Security Suite 2007 / Total Protection
• McAfee Managed VirusScan
• NOD32 AntiVirus
• Norton AntiVirus 2004
• Norton AntiVirus 2007
• Norton Internet Security 2007
• Panda Internet Security
• Sophos Anti-Virus
• Symantec Corporate AntiVirus
• Trend Micro AntiVirus
• Trend Micro OfficeScan Corporate Edition
• ZoneAlarm Security Suite

Software Required / Not Allowed
• Administratively Defined

High Risk Software
• Google Desktop

Miscellaneous Software
• Avaya IP Softphone Version Check



Off-the-Shelf Tests (2 of 2)

Personal Firewalls (installed and up-to-date)
• AOL Security Edition
• Black ICE Firewall
• Computer Associates EZ Firewall
• Internet Connection Firewall (Pre XP SP2)
• McAfee Personal Firewall
• Norton Personal Firewall / Internet Security
• Norton Internet Security 2007
• Senforce Advanced Firewall
• Sygate Personal Firewall
• Symantec Client Firewall
• Tiny Personal Firewall
• Trend Micro Personal Firewall
• Windows Firewall
• ZoneAlarm Personal Firewall

P2P and Instant Messaging
• AOL instant messenger
• Altnet
• BitTorrent
• Gator
• Kazaa
• Kazaa Lite
• K++
• Chatbot
• DICE
• dIRC
• Hotline Connect Client
• IceChat IRC client
• ICQ Pro
• leafChat
• Metasquarer
• mIRC
• Morpheus
• MyNapster
• MyWay
• NetIRC
• NexIRC
• Not Only Two
• P2PNet.net
• PerfectNav
• savIRC
• Skype
• Trillian
• Turbo IRC
• Visual IRC
• XFire
• Yahoo! Messenger

Viruses, Worms, Trojans, Spyware
• CME-24
• Keylogger.Stawin
• Trojan.Mitglieder.C
• VBS.Shania
• W32.Beagle.A
• W32.Beagle.AB
• W32.Beagle.AG
• W32.Beagle.AO
• W32.Beagle.AZ
• W32.Beagle.B
• W32.Beagle.E
• W32.Beagle.J
• W32.Beagle.K
• W32.Blaster.K.Worm
• W32.Blaster.Worm
• W32.Doomhunter
• W32.Dumaru.AD
• W32.Dumaru.AH
• W32.Esbot.A.1
• W32.Esbot.A.2
• W32.Esbot.A.3
• W32.Galil.F
• W32.HLLW.Anig
• W32.HLLW.Cult.M
• W32.HLLW.Deadhat
• W32.HLLW.Doomjuice
• W32.HLLW.Doomjuice.B
• W32.HLLW.Lovgate
• W32 Hiton
• W32.IRCBot.C
• W32.Kifer
• W32.Klez.gen
• W32.Korgo.G
• W32.Mimail.Q
• W32.Mimail.S
• W32.Mimail.T
• W32.Mydoom.A
• W32.Mydoom.AX-1
• W32.Mydoom.AX
• W32.Mydoom.B
• W32.Mydoom.M
• W32.Mydoom.Q
• W32.Netsky.B
• W32.Netsky.C
• W32.Netsky.D
• W32.Netsky.K
• W32.Netsky.P
• W32.Rusty@m
• W32.Sasser.B
• W32.Sasser.E
• W32.Sasser.Worm
• W32.Sircam.Worm
• W32.Sober.O
• W32.Sober.Z
• W32.Welchia.Worm
• W32.Zotob.E



Minimal End User Impact

• Testing completes in only seconds
• Succinct information on testing activity and steps required to achieve compliance
• Administrator-customizable messaging
• Communication is as visible or as invisible as environment requires



Non-Compliant Endpoint Remediation

• Automated repair
  • Through integration with leading patch management systems
• End-user self remediation
  • Through on-screen directions (shown at right)
• Access 'grace period'
  • Provides temporary window of access (e.g., 3 days) to facilitate remediation

[Figure: End-User Endpoint Repair Instructions]



Flexible Deployment Options



Multiple Enforcement Methods

• Out-of-band or inline options
• Accommodates wide range of network topologies and equipment
• Provides coverage of all network regions and entry points



Enterprise-Class Management and Administration



Management Console

At-a-Glance Security Status

Drill-Down to Details

Network Wide Visibility

Centralized Policy Management and Configuration



Multi-User, Role-Based Administration

• Four standard administrative roles—custom roles can be defined
• Permissions may be further restricted by server or cluster
• Allows for shared administrative use across multiple IT groups



Comprehensive Reporting

• Designed for
  • Auditors/Compliance Management
  • Network and Security Administrators
• Reports include
  • Endpoint list
  • Policy results
  • Test details
  • Test results
• Reports can be refined by additional search/filter criteria
• Documented SQL interface for integration with third-party reporting packages

[Figures: Test Details Report; Test Results Report]


Conclusion

Summary: Advantages of Sentriant™ AG Solution

• Infrastructure compatibility
  • Reduces cost of implementing network access control (NAC)
• Fast pre-connect endpoint scanning
  • Does not disrupt end user access to the network
• Comprehensive testing across the full range of endpoint devices
  • Ensures maximum protection and policy compliance
• Advanced clustering technology
  • Allows for incremental system scalability and continuous operations
• Centralized management
  • Lowers operational complexity for coverage in all network regions and locations
• Shared administrative use among multiple IT groups
  • Minimizes the overhead of day-to-day operations



Thank You

Let us know if you are interested in a complimentary 30-day evaluation license of Sentriant™ AG

khomenko@telco.ua
www.telco.ua
Tel.: 380 (44) 406-56-06

