Netzwerk Sicherheit

Transcription

Netzwerk Sicherheit

Technologie Seminarreihe
10. September 2009
Mit High-Speed Switching in die Netzwerk-Zukunft!
Vortrag:
Netzwerksicherheit
Zentrale Steuerung, dezentrale Kontrolle
Dirk Schneider, HP ProCurve Network Consultant, informiert Sie über
die wichtigsten Entwicklungen im Bereich geswitchter Netzwerke.
Natürlich werden in diesem Rahmen auch die neuesten Produkte und
Entwicklungen des Herstellers HP ProCurve vorgestellt
Alle Seminarunterlagen finden Sie unter „www.bachert.de“ im Bereich Aktuelles/Seminare
Netzwerksicherheit, Juni 2009 Seite 1
Netzwerksicherheit
Ständig steigende Bedeutung
• wachsende Vernetzung im IT- und Nicht-IT Bereich
• steigende Mobilitätsansprüche (ex- und interne Ressourcen)
• Flexibilisierung der Arbeitsprozesse über alle
Unternehmensbereiche
Netzwerksicherheit
Ein umfassender Schutz ist nur durch einen
vielschichtigen Ansatz erreichbar.
“Zwiebelmodell”
• network access control
Zugriffskontrolle
• intrusion prevention
Einbruchschutz und Meldesysteme
• identity and access management
Identitäts- und Zugriffsmanagement
• vulnerability management
Gefahren und Risikomanagement
Netzwerksicherheit
2007 hätten 80% der Schadensursachen in Netzwerken
durch den Einsatz verfügbarer Technologien verhindert
werden können:
• network access control,
• intrusion prevention,
• identity and access management,
• vulnerability management.”
ProCurve Security
ProActive
Defense
Zugriffskontrolle
Wer möchte wann,
von wo auf welche
Ressourcen
zugreifen?
Netzwerksicherheit
Erkennung und
Abblockung von
verschiedensten
Attacken und
Angriffen auf das
Netzwerk.
Regulatory
Compliance
Adaptive Edge Architecture
Sichere
Infrastruktur
Sichere Bereitstellung einer
gemanagten
Netzwerkinfrastruktur.
Adaptive Edge Architecture
Servers
Die Zugangspunkte im
Netzwerk bieten den optimalen
Ansatz um Anomalien und
Gefahren zu erkennen.
Sich abzeichnende Probleme
werden am Ort der Entstehung
behoben/gelöst/bekämpft.
Command from the center,
control to the edge – the
ProCurve Adaptive Edge
Architecture
Intelligent
EDGE
Internet
Clients
Clients
COMMAND
FROM THE
CENTER
Wireless
Clients
Per-Port
Distributed Processors
Adaptive EDGE Architecture
Kontrolle im Edge-Bereich
Der erste Zugangspunkt bietet
die optimale Möglichkeit
Probleme zu beheben
Servers
Intelligent
Edge
Wireless
Clients
Sicherheit
802.1X
Web authentication
MAC authentication
Virus Throttling
ACLs
DHCP Snooping
ARP protection
BPDU protection & filtering
MAC lockout / lockdown
Source port filtering
Multiple Threat Detection
Intelligent
Switches
Clients
Intelligent
Switches
Clients
Interconnect
Fabric
Wireless
Access Points
Wireless
Clients
Edge
Network
Command
from the Center
Edge
Portal
Internet
IDM Identity Driven Manager
IDM add-on for PCM+ dynamically applies security, access and performance
settings to network infrastructure devices
Users receive appropriate access and rights wherever and whenever they
connect based upon pre-configured access rights and policies
Provides edge-enforced access control based on user, device, time, location, and
client system state
Can apply VLAN, ACL, QoS, and bandwidth limit settings on a per user basis
Management effort is reduced since policies are defined using PCM+ client
VLANs can be used for primary purpose of limiting communication between
users instead of controlling access to core resources
Based on
these attributes:
Set these
parameters:
Rev. 6.41
3
User ID
VLAN
Device ID
Time
Bandwidth limit
Location
QoS
Client integrity
status
ACLs
8
Using identity-driven access controls
Identity-driven solution provides a means of enforcing per-user access rights
based on:
Who the user is
Where the access is occurring
When the access is occurring
What resources are allowed
Business
Network
Internet
when
9:00
what
Guest & Employee
Conference Room
where
8:55
Parking lot
Rev. 6.41
5
Lobby
R&D
LAN
who
Campus
9
IDM in operation
1. User plugs in to network
2. User is challenged for
credentials by switch
Edge device
with IDM
feature support
4. Switch forwards credentials to
RADIUS server resulting in
request for identity /
authentication from database
•
7. Userspecific
resources
are made
available
3. User sends credentials
(username/password
or smartcard)
6. If valid user, IDM checks
• Username / password
• Time of day
• Location
• System (MAC address)
• Client Integrity Status
IDM Agent is aware of transaction
5. Database
responds with
user validity
RADIUS
server
- Query to third-party
And applies access profile
- VLAN, QoS, Bandwidth,
ACLs
IDM
Agent
Per user
network
parameter
database
IDM Agent adds
“authorization”
parameters to the
RADIUS reply sent
to the switch
where the access
rights of the client
are enforced
Edge device must support MAC, Web, or 802.1X authentication
Rev. 6.41
8
10
Network Access Security
Network
Administrator
Conference Room
Internet
Zgriff nur auf das
Internet
Zugriff auf Interund Intranet
Zugriff nur auf
Anti-VirusService-Server
Guest
Employee
Non-Compliant
Employee
Edge
Switch
1. Sets up role based access
policy groups & assigns
rules and access profiles:
• Set rules
Enterprise
• Time
LAN
• Location
• Device ID
• Client integrity status
• To trigger each policy
Corporate
profile
Server
• ACL
• VLAN
• QoS
• BW limit
Anti-Virus remediation
2. Put users in appropriate
Server
access policy group
Conference Room
Access
Policy
Server
Network Access Security
Network
Administrator
Conference Room
Internet
Zgriff nur auf das
Internet
Guest
Employee
Compliant
Employee
Edge
Switch
1. Sets up role based access
policy groups & assigns
rules and access profiles:
• Set rules
Enterprise
• Time
LAN
• Location
• Device ID
• Client integrity status
• To trigger each policy
Corporate
profile
Server
• ACL
• VLAN
• QoS
• BW limit
Anti-Virus
2. Put users in appropriate
Server
access policy group
Conference Room
Access
Policy
Server
Client Authentication Possibilities
Am Edge-Switch stehen 3 Authentifizierungsmethoden zur Verfügung:
IEEE 802.1X
Web Authentication
MAC Authentication
RADIUS
Server
ProCurve
IDM
0008A2-1C99C6
no client
software required –
sends MAC address
using 802.1X
client software
using web
browser only
802.1X, Web and MAC authentication
•
802.1X
•
standard based and widely-used
•
no IP communication until authentication successful
•
port based access control
•
user based access control (up to 32 per port)
•
Web-Authentication
port communication is redirected
to the switch
temporary IP address is assigned
by the switch
login screen is presented for the client
•
MAC-Authentication
the device MAC address is used as username/password
Zugriffskontrolle
Identity Driven Manager (IDM)
•
•
•
Allows easy creation and management of user policy groups for optimizing
network performance and increasing user productivity
Dynamically apply security, access and performance settings at port level
based on policies
IDM adds network reports and logs based on users for audit
Set =>
Based on =>
ACLs
VLAN
Bandwidth
Limit
User/Group
Time
Location
Device
ID
QoS
Client
Integrity
Status
15
Adaptive Zugriffskontrolle mit IDM
Authentication
Server
HTTP Request
Web-Auth
MAC Address
MAC-Auth
802.1X
802.1X
Supplica
Supplicant
nt
Authentication
Directory
RADIUS
Server
Active Directory
LDAP
IDM Agent
802.1X Authenticator
Policy Enforcement Point (PEP)
ProCurve Switches
and Access-Points
ProCurve
owned
3rd Party
Software
PCM / IDM
Server
Network Mgmt
Server
16
Adaptive Zugriffkontrolle mit
IDM und ProCurve NAC 800
Überprüfung der Endgeräte
Network Access Controller 800
Betriebssystemversion und Patch-Stand
• Stand der Anti-Virus und Anti-Spyware-Software
Geforderte oder verbotene Anwendungssoftware.
•
Endpoint
Integrity Agent
Und mehr…….
EI Policy
Definitions
On-demand
Endpoint
Integrity Agent
Any 802.1X
Client
MAC Address
HTTP Request
Authentication
Directory
RADIUS Server
MAC-Auth
Web-Auth
IDM Agent
802.1X Authenticator
Active Directory
eDirectory
LDAP
PCM / IDM
Server
Policy Enforcement Point (PEP)
ProCurve Switches
and Access-Points
ProCurve
owned
Network Mgmt
Server
17
Access Control
Endpoint Integrity with ProCurve NAC 800
•
Authenticated systems
•
protects the network from harmful
systems and enforces system
software requirements
•
Endpoint integrity checks
•
Antivirus, spyware, firewalls,
peer-to-peer, allowed and prohibited
programs and services
•
OS versions, services packs, hotfixes
•
Security settings for browsers and
applications
18
Endpoint Integrity Tests
Operating systems
Service Packs
Rogue WAP Connection
Windows 2000 hotfixes
Windows Server 2003 SP1 hotfixes
Windows Server 2003 hotfixes
Windows XP SP2 hotfixes
Windows XP hotfixes
Windows automatic updates
Browser security policy
IE internet security zone
IE local intranet security zone
IE restricted site security zone
IE trusted site security zone
IE version
Security settings
MS Excel macros
MS Outlook macros
MS Word macros
Services not allowed
Services required
Windows Bridge Network Connection
Windows security policy
Windows startup registry entries allowed
Personal firewalls
AOL Security Edition
Black ICE Firewall
Computer Associates EZ Firewall
Internet Connection Firewall (Pre
XP SP2)
McAfee Personal Firewall
Panda Internet Security
F-Secure Personal Firewall
Norton Personal Firewall / Internet
Security
Sygate Personal Firewall
Symantec Client Firewall
Tiny Personal Firewall
Trend Micro Personal Firewall
ZoneAlarm Personal Firewall
Senforce Advanced Firewall
Windows Firewall
MS Office version check
Microsoft Office XP
Microsoft Office 2003
Microsoft Office 2000
prohibited Software
Administrator defined
Required software
Administrator defined
P2P and instant messaging
Altnet
AOL instant messenger
BitTorrent
Chainsaw
Chatbot
DICE
dIRC
Gator
Hotline Connect Client
IceChat IRC client
ICQ Pro
IRCXpro
Kazaa
Kazaa Lite K++
leafChat
Metasquarer
mlRC
Morpheus
MyNapster
MyWay
NetIRC
NexIRC
Not Only Two
P2PNet.net
PerfectNav
savIRC
19
Trillian
Turbo IRC
Visual IRC
XFire
Yahoo! Messenger
Endpoint Integrity Checks
Anti-virus
NOD32 AntiVirus
AVG AntiVirus Free Ed
Computer Associates eTrust AntiVirus
Computer Associates eTrust EZ AntiVirus
F-Secure AntiVirus
Kaspersky AntiVirus for FileServers
Kaspersky AntiVirus for Workstations
McAfee VirusScan
McAfee Managed VirusScan
McAfee Enterprise VirusScan
McAfee Internet Security Suite 8.0
Norton Internet Security
Trend Micro AntiVirus
Trend Micro OfficeScan Corporate Edition
Sophos AntiVirus
Panda Internet Security
Symantec Corporate AntiVirus
Anti-spyware
Ad-Aware SE Personal
Ad-Aware Plus
Ad-Aware Professional
CounterSpy
McAfee AntiSpyware
Pest Patrol
Spyware Eliminator
Webroot Spy Sweeper
Windows Defender
Spyware, Worms, viruses, and Trojans
CME-24
Keylogger.Stawin
Trojan.Mitglieder.C
VBS.Shania
W32.Beagle.A
W32.Beagle.AB
W32.Beagle.AG
W32.Beagle.AO
W32.Beagle.AZ
W32.Beagle.B
W32.Beagle.E
W32.Beagle.J
W32.Beagle.K
W32.Beagle.M
W32.Beagle.U
W32.Blaster.K.Worm
W32.Blaster.Worm
W32.Doomhunter
W32.Dumaru.AD
W32.Dumaru.AH
W32.Esbot.A.1
W32.Esbot.A.2
W32.Esbot.A.3
W32.Galil.F
W32.HLLW.Anig
W32.HLLW.Cult.M
W32.HLLW.Deadhat
W32.HLLW.Deadhat.B
W32.HLLW.Doomjuice
W32.HLLW.Doomjuice.B
20
W32.HLLW.Lovgate
W32 Hiton
W32.IRCBot.C
W32.Kifer
W32.Klez.H
W32.Klez.gen
W32.Korgo.G
W32.Mimail.Q
W32.Mimail.S
W32.Mimail.T
W32.Mydoom.A
W32.Mydoom.AX-1
W32.Mydoom.AX
W32.Mydoom.B
W32.Mydoom.M
W32.Mydoom.Q
W32.Netsky.B
W32.Netsky.C
W32.Netsky.D
W32.Netsky.K
W32.Netsky.P
W32.Rusty@m
W32.Sasser.B
W32.Sasser.E
W32.Sasser.Worm
W32.Sircam.Worm
W32.Sober.O
W32.Sober.Z
W32.Welchia.Worm
W32.Zotob.E
Gastzugänge im WLAN anlegen
The WebUser administrator can access only this window.
1
Manually
set a
username
and password
Automatically
create a
username and
password
2
3
4
21
Rev 1.0
21
Zusammenfassung
ProCurve bietet eine umfassende und handhabbare Zugangskontrolle um Ihre
Netzwerkinfrastruktur zu schützen:
Eine erweiterbare und handhabbare Lösung.
Flexibel für gegenwärtige und zukünftige Anforderungen.
Schützt das Netzwerk vor gefährlichen oder infizierten Endgeräten.
Erzwingt die Einhaltung der internen Unternehmenspolitik im Umgang mit der IT
Infrastruktur.
Vereinheitlichte Zugangskontrolle für LAN, WLAN und WAN.
The ProCurve Access Control solution helps administrators deploy secured
network access based on business policy
More Security with Less Complexity
22

Netzwerk Sicherheit

Transcription

Similar documents

Office 365 Pro Plus

Entblößung 2.0

TeamViewer 9 Handbuch – Fernsteuerung