Sentriant™ AG 5.0 – Centralized Control of End-User Access to the Network
Oleksandr Khomenko, Systems Engineer, Extreme Networks Associate
khomenko@telco.ua
Tel.: 380 (44) 406-56-06
© 2009 Extreme Networks, Inc. All rights reserved.
Switching Product Portfolio
• BlackDiamond 20808
• BlackDiamond 10808
• BlackDiamond 12804
• BlackDiamond 8800 a, e, c-series
• SummitStack™
• Summit X650: 10Gigabit Core
• Summit® X450a: Gigabit Aggregation
• Summit X450e: Gigabit Edge
• Summit X250e: 10/100 Edge
• Summit X150
• Summit X350
Wireless Product Portfolio
• Altitude™ 350 a/b/g
• Altitude 450 802.11n
• Summit WM2000: 200 APs
• Summit WM200: 100 APs
• Summit® WM20: 32 APs
Management Products
• Policy Manager
• EPICenter
• Service Watch
Security Product Portfolio
• Sentriant NG 300
• Sentriant AG 5.0
Sentriant™ AG 5.0 Hardware / Software
Sentriant AG200 appliance (front panel labels: PWR, HDD, CONSOLE, eth0, eth1)
• Intel Dual Core (Core 2 Duo/Xeon 5100 series) processor at 1.86GHz
• 2GB RAM (or greater)
• 80GB SATA disk (or greater)
• Two 10/100/1000 Ethernet interfaces
• CD ROM drive
• An Internet connection or proxy server that allows outbound SSL communications
The Endpoint Threat to the Network
• Lack of institutional control over who and what is connecting to the network
• Traditional defenses (firewall, AV, IDS/IPS, VPN) offer ineffective protection against endpoint-based threats
• Hackers now targeting unpatched, unmaintained endpoints
• What makes endpoints dangerous?
  • Spyware, worms, trojans
  • Unpatched OSs and applications
  • Out-of-date AV and anti-spyware definitions
  • Human factors: high-risk activities (Peer-to-Peer, IM, harmful downloads)
"By the end of 2007, 75 percent of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses." - Gartner, Inc.
Network Access Control (NAC)
• Answers the question: Is it safe to let this endpoint onto the network?
  • Improves overall security posture of the network
  • Proactively protects the network from compromised or harmful endpoints
  • Further protects the endpoint itself, beyond what’s provided by AV and personal firewalls
• Enforces corporate security policies
  • Policy compliant endpoints are provided access while non-compliant endpoints can be denied access or quarantined
  • Helps to meet SOX, HIPAA, PCI-DSS requirements
• Augments limited IT resources and staff
  • Automated process alleviates the need for manual intervention
  • Facilitates remediation of non-compliant endpoints to reduce IT help desk activity
Sentriant™ AG Product Overview
• Protects the network from harmful endpoints
  • Provides compliance with security policies
  • Quarantines noncompliant endpoints and facilitates repair activities
  • Maintains complete endpoint access history
• Works with new or existing network infrastructure
Sentriant™ AG Process
Sentriant™ AG—Key Capabilities
• Advanced Endpoint Integrity Testing
  • Customizable access policies with hundreds of security checks
  • Multiple testing options including a completely agent-less solution
  • Minimal impact on end users
  • Automatic quarantine and remediation of non-compliant endpoints
• Flexible Deployment Options
  • Multiple standards-based enforcement methods
  • Graduated levels of enforcement
  • Single-server or multi-server deployment
  • Clustering for high availability (HA) and load balancing
• Enterprise-Class Management and Administration
  • Centralized management
  • Multi-user, role-based administration
  • Powerful reporting capabilities and open APIs
Advanced Endpoint Integrity Testing
Point-and-Click Access Policy Definition
Select Tests for Inclusion in Access Policy
Specify Enforcement When Endpoint Fails Test
Refine Selected Test
• Three out-of-the-box access policies are provided
• Custom policies can be created for different network locations, devices or end-user types
Deep Endpoint Testing
• Test categories include
  • OS service packs and hotfixes
  • Browser and OS security settings
  • Network and wireless settings
  • Anti-virus (installed and up-to-date)
  • Personal firewall (installed and up-to-date)
  • Anti-spyware (installed and up-to-date)
  • Peer-to-Peer applications (presence of)
  • Worms, viruses, trojans, spyware (presence of)
  • Required or prohibited software (administrator defined)
• Tests added continuously as new threats emerge
  • Open, extensible testing engine
  • Custom tests for organization-specific needs
Testing Options
• Multiple options provide coverage for all categories of users and devices
  1. Agent: lightweight persistent agent
  2. ActiveX: tests endpoint through browser
  3. Agent-less: no client software required
• Support for both Windows and Mac endpoints
• No degradation in testing depth for any option
Off-the-Shelf Tests (1 of 2)
Operating Systems - Windows
• Windows 2000 hotfixes; Windows Server 2003 SP1 hotfixes; Windows Server 2003 hotfixes; Windows XP SP2 hotfixes; Windows XP hotfixes; Windows Media Player Hotfixes; Internet Explorer Hotfixes; Service HotFixes Service Packs; Windows automatic updates
Security Settings - Windows
• Allowed Networks; MS Excel macros; MS Outlook macros; MS Word macros; Services not allowed; Services required; Windows bridge network connection; Simultaneous wired/wireless connections; Wireless network SSID connections; Windows security policy
Browser Security Policy - Windows
• Browser version; IE internet security zone; IE local intranet security zone; IE restricted site security zone; IE trusted sites security zone
Security Settings – OS X
• Airport Preference; Airport WEP Enabled; Bluetooth; Internet Sharing; Services; Firewall; Security Updates
Anti-Spyware (installed and up-to-date)
• Ad-Aware SE Personal; Ad-Aware Plus; Ad-Aware Professional; McAfee AntiSpyware; CounterSpy; PestPatrol; Shavlik NetChk 5.8 and above; Spyware Eliminator; Webroot Spy Sweeper; Windows Defender
Anti-Virus (installed and up-to-date)
• Avast 4 Professional Edition; AVG AntiVirus Free Ed; BitDefender AntiVirus / Internet Security v10; ClamWin Free AntiVirus; Computer Associates eTrust EZ AntiVirus; F-Secure AntiVirus; Kaspersky Internet Security / AntiVirus 6.0; Kaspersky AntiVirus for FileServers; Kaspersky AntiVirus for Workstations; McAfee VirusScan; McAfee Enterprise VirusScan 7.1.0; McAfee Enterprise VirusScan 8.0i; McAfee Enterprise VirusScan 8.5i; McAfee Enterprise VirusScan; McAfee Internet Security Suite 8.0; McAfee Internet Security Suite 2007 / Total Protection; McAfee Managed VirusScan; NOD32 AntiVirus; Norton AntiVirus 2004; Norton AntiVirus 2007; Norton Internet Security 2007; Panda Internet Security; Sophos Anti-Virus; Symantec Corporate AntiVirus; Trend Micro AntiVirus; Trend Micro OfficeScan Corporate Edition; ZoneAlarm Security Suite
Software Required / Not Allowed
• Administratively Defined
High Risk Software
• Google Desktop
Miscellaneous Software
• Avaya IP Softphone Version Check
Off-the-Shelf Tests (2 of 2)
Personal Firewalls (installed and up-to-date)
• AOL Security Edition; Black ICE Firewall; Computer Associates EZ Firewall; Internet Connection Firewall (Pre XP SP2); McAfee Personal Firewall; Norton Personal Firewall / Internet Security; Norton Internet Security 2007; Senforce Advanced Firewall; Sygate Personal Firewall; Symantec Client Firewall; Tiny Personal Firewall; Trend Micro Personal Firewall; Windows Firewall; ZoneAlarm Personal Firewall
P2P and Instant Messaging
• AOL instant messenger; Altnet; BitTorrent; Gator; Kazaa; Kazaa Lite K++; Chatbot; DICE; dIRC; Hotline Connect Client; IceChat IRC client; ICQ Pro; leafChat; Metasquarer; mlRC; Morpheus; MyNapster; MyWay; NetIRC; NexIRC; Not Only Two; P2PNet.net; PerfectNav; savIRC; Skype; Trillian; Turbo IRC; Visual IRC; XFire; Yahoo! Messenger
Viruses, Worms, Trojans, Spyware
• CME-24; Keylogger.Stawin; Trojan.Mitglieder.C; VBS.Shania; W32.Beagle.A; W32.Beagle.AB; W32.Beagle.AG; W32.Beagle.AO; W32.Beagle.AZ; W32.Beagle.B; W32.Beagle.E; W32.Beagle.J; W32.Beagle.K; W32.Blaster.K.Worm; W32.Blaster.Worm; W32.Doomhunter; W32.Dumaru.AD; W32.Dumaru.AH; W32.Esbot.A.1; W32.Esbot.A.2; W32.Esbot.A.3; W32.Galil.F; W32.HLLW.Anig; W32.HLLW.Cult.M; W32.HLLW.Deadhat; W32.HLLW.Doomjuice; W32.HLLW.Doomjuice.B; W32.HLLW.Lovgate; W32 Hiton; W32.IRCBot.C; W32.Kifer; W32.Klez.gen; W32.Korgo.G; W32.Mimail.Q; W32.Mimail.S; W32.Mimail.T; W32.Mydoom.A; W32.Mydoom.AX-1; W32.Mydoom.AX; W32.Mydoom.B; W32.Mydoom.M; W32.Mydoom.Q; W32.Netsky.B; W32.Netsky.C; W32.Netsky.D; W32.Netsky.K; W32.Netsky.P; W32.Rusty@m; W32.Sasser.B; W32.Sasser.E; W32.Sasser.Worm; W32.Sircam.Worm; W32.Sober.O; W32.Sober.Z; W32.Welchia.Worm; W32.Zotob.E
Minimal End User Impact
• Testing completes in only seconds
• Succinct information on testing activity and steps required to achieve compliance
• Administrator-customizable messaging
• Communication is as visible or as invisible as environment requires
Non-Compliant Endpoint Remediation
• Automated repair
  • Through integration with leading patch management systems
• End-user self remediation
  • Through on-screen directions (shown at right)
• Access 'grace period'
  • Provides temporary window of access (e.g., 3 days) to facilitate remediation
[Screenshot: End-User Endpoint Repair Instructions]
Flexible Deployment Options
Multiple Enforcement Methods
• Out-of-band or inline options
• Accommodates wide range of network topologies and equipment
• Provides coverage of all network regions and entry points
Enterprise-Class Management and Administration
Management Console
At-a-Glance Security Status
Drill-Down to Details
Network Wide Visibility
Centralized Policy Management and Configuration
Multi-User, Role-Based Administration
• Four standard administrative roles; custom roles can be defined
• Permissions may be further restricted by server or cluster
• Allows for shared administrative use across multiple IT groups
Comprehensive Reporting
• Designed for
  • Auditors/Compliance Management
  • Network and Security Administrators
• Reports include
  • Endpoint list
  • Policy results
  • Test details
  • Test results
• Reports can be refined by additional search/filter criteria
• Documented SQL interface for integration with third-party reporting packages
[Screenshots: Test Details Report, Test Results Report]
Conclusion
Summary: Advantages of Sentriant™ AG Solution
• Infrastructure compatibility
  • Reduces cost of implementing network access control (NAC)
• Fast pre-connect endpoint scanning
  • Does not disrupt end user access to the network
• Comprehensive testing across the full range of endpoint devices
  • Ensures maximum protection and policy compliance
• Advanced clustering technology
  • Allows for incremental system scalability and continuous operations
• Centralized management for coverage in all network regions and locations
  • Lowers operational complexity
• Shared administrative use among multiple IT groups
  • Minimizes the overhead of day-to-day operations
Thank You
Let us know if you are interested in a complimentary 30-day evaluation license of Sentriant™ AG
khomenko@telco.ua
www.telco.ua
Tel.: 380 (44) 406-56-06