思科网络准入控制管理.ppt

2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID1思科网络准入控制管理思科网络准入控制管理 Network Access Control(NAC)2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID2安全趋势与网络准入控制思科网络准入控制管理简介思科网络准入控制功能介绍思科网络准入控制部署和应用议程议程 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID3全球电子犯罪率上升迅速！全球电子犯罪率上升迅速！Malicious Software Strains exploded from 30K/40K per month to 170,000 from February to March 2008Phishing e-mails doubled 400,000 a day in August to nearly 800,000 a day in November)Ads for stolen identity information doubled or tripled in price in Fall 2008(stolen identity that once cost$5,for instance,now sells for$15).Over 100 million credit/debit card transactions compromised due to malware at a large US Payment Processor possibly the largest data breach to date (WashingtonP-Jan 20,2009)Theres been a marked increase in the number of attacks and the number of successful fraud attemptsThis is the busiest practice has ever been.”Gartner 2008“In periods of recession or slow growth,companies are going to turn their attentions to customer retention rather than customer acquisitionThe last thing you need in that environment is a data breach and the associated brand damage.“Forrester 2008 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID4企业重要数据泄漏统计企业重要数据泄漏统计Unauthorized application use:70%of IT say the use of unauthorized programs result in as many as half of data loss incidents.Misuse of corporate computers:44%of employees share work devices with others without supervision.Unauthorized access:39%of IT said they have dealt with an employee accessing unauthorized parts of a companys network or facility.Remote worker security:46%of employees to transfer files between work and personal computers.Misuse of passwords:18%of employees share passwords with co-workers.That rate jumps to 25 percent in China,India,and Italy.2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID5终端应用安全现状终端应用安全现状Windows,Linux笔记本电脑、台式机或笔记本电脑、台式机或PDA打印机或其他公司资产打印机或其他公司资产系统环境复杂公司公司员工员工合同商合同商访客访客未知人员未知人员人员复杂VPN局域网局域网WLAN广域网广域网网络环境复杂防病毒，防间谍软件防病毒，防间谍软件个人防火墙个人防火墙修补工具修补工具安全工具实施难度大终端遭受严重安全威胁，各种恶意代码攻击，如病毒、终端遭受严重安全威胁，各种恶意代码攻击，如病毒、蠕虫、木马及混合安全威胁，非法访问，黑客攻击蠕虫、木马及混合安全威胁，非法访问，黑客攻击如何防范？如何防范？2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID6网络准入控制NAC用户受益用户受益威胁控制减少终端感染减轻IT查毒负担增强网络复原力细粒度访问控制减少安全事故防敏感数据泄漏行业规范遵从提高安全性满足安全审计需要提高运维效率便捷的访客网络 设备自动识别和监控网络准入控制的好处网络准入控制的好处 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID7Source:Infonetics Research,May 2008网络准入控制实例统计网络准入控制实例统计0%20%40%60%80%100%Limit the impact of security problems,stop threats from propagatingProtect against loss of sensitive/personal informationIncrease overall corporatesecurity postureControl network access basedon user identity and roleReduce risk of allowing alldevices to connect to my networkDemonstrate compliance to security/access policiesProtect against lossof intellectual propertyDrivers83%76%76%74%73%70%61%2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID8安全趋势与网络准入控制思科网络准入控制管理简介思科网络准入控制功能介绍思科网络准入控制部署和应用议程议程 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID9思科网络准入控制思科网络准入控制NAC领先、创新！领先、创新！4000+customers41%market share11 Infonetics,June 20082 Frost&Sullivan April 2008,Gartner March 2008,IDC Dec 2007,Infonetics June 20083 April 2008 http:/ MayGold Award:Information Security Readers Choice Awards3#1 NAC Vendorleading analysts2Pioneered NAC launched in 2004 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID10业务策略治理业务策略治理Governance200320092004:$92m2006:$207m安全访客登录安全访客登录Secure Guest用户身份识别用户身份识别User Identity设备特征识别设备特征识别Device ProfilingWhoareyou?Whatson yourdevice?What otherdevices areconnected?Who else isconnecting?What are theconditionsof access?2005:$131m2007:$354mMarket Size(source:IDC,June 2007)Value-Add安全状态评估安全状态评估Posture AssessmentFirst to the marketComprehensive solutionFlexible deployment choices and options思科网络准入控制思科网络准入控制NAC领先、不断创新！领先、不断创新！2008:$570m 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID11思科思科NAC功能一览功能一览基于角色的访问控制基于角色的访问控制 强制终端安全策略遵从强制终端安全策略遵从检测用户权限和终端健康状况提供员工/访客网络访问Cisco NAC完善的企业终端网络准入控制！识别非PC终端，实时监控终端修复 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID12思科思科NAC组件组件NAC ManagerCentralized management,configuration,reporting,and policy storePosture,services and enforcementNAC ServerNAC ProfilerNAC Guest ServerProfiles unmanageddevicesFull-featured guest provisioning server 802.1x SupplicantCSSC or Vista embedded supplicantNAC Agent No-cost client:Persistent,dissolvable,or webACS ServerAccess policy system for 802.1x terminationEndpointComponents(Optional)NAC Profiler,Guest Server and ACS(Optional)NAC Manager and Server(Required)2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID13思科思科NAC可部署于各种场景可部署于各种场景Endpoint ComplianceNetwork access only for compliant devicesGuest ComplianceRestricted internet access only for guest usersWireless ComplianceSecured network access only for compliant wireless devicesVPN User ComplianceIntranet access only for compliant remote access usersGovernance ComplianceEnsure user compliance to governance and risk user acceptable policies802.1QWireless Building 2Conference Roomin Building 3Internet IPSec Campus Building 1 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID14思科思科NAC部署规模选择部署规模选择3500 users eachSuperManagermanages up to 40Enterprise andBranch Servers Enterprise andBranch Servers 1500 users eachStandardManagermanages up to 20Branch Officeor SMB Servers100 users 250 users 500 usersManagerLitemanages up to 3Users=online,concurrent2500 users each50/100 Users(ISR NM)2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID15安全趋势与网络准入控制思科网络准入控制管理简介思科网络准入控制功能介绍思科网络准入控制部署和应用议程议程 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID16Cisco NAC四项基本功能四项基本功能Using the network to enforce policies ensures that incoming devices are compliant.扫描与评估Agent scan for required versions of hotfixes,AV,etcNetwork scan for virus and worm infections and port vulnerabilities认证与授权Enforces authorization policies and privilegesSupports multiple user roles更新与修复Network-based tools for vulnerability and threat remediationHelp-desk integration隔离与实施Isolate non-compliant devices from rest of network MAC and IP-based quarantine effective at a per-user level 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID17目标目标内部网内部网/网络网络思科思科NAC用户流程概述用户流程概述2.用户被重导向到登录页面用户被重导向到登录页面Clean Access验证用户名和密码，验证用户名和密码，并执行设备和网络扫描。以评估并执行设备和网络扫描。以评估设备上的安全漏洞设备上的安全漏洞设备不符合安全策略或登录信息不设备不符合安全策略或登录信息不正确正确拒绝用户接入，向其分配一个隔离角色，拒绝用户接入，向其分配一个隔离角色，使其访问在线修复资源使其访问在线修复资源3a.隔离隔离3b.设备已设备已“清洁清洁”机器进入机器进入“认证设备列表认证设备列表”，获得接入网络的许可，获得接入网络的许可Clean AccessServerClean Access Manager1.最终用户尝试访问某一网页或使用一个最终用户尝试访问某一网页或使用一个可选客户端可选客户端在有线或无线最终用户提供登录信息之前，禁在有线或无线最终用户提供登录信息之前，禁止其接入网络止其接入网络验证验证服务器服务器 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID18终端体验终端体验4.LoginScreenScan is performed(types of checks depend on user role)Scan failsRemediate 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID19两种终端模式两种终端模式 CCA 和和 Web agentsDeploy different agents for different Users/RolesClean Access agent for EmployeesWeb agent for Guests and Contractors 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID20思科思科NAC特点特点支持所有用户环境支持所有用户环境统一整合的解决方案满足wired,wireless,VPN,remote LANs的需求Cisco NAC战略战略注重互操作性注重互操作性最广泛的支持当前的OS、各类型设备、各种第三方应用程序创新、创新、再创新！创新、创新、再创新！率先实现SSO,rulesets,profiling,network module,etc.利用现有的网络平台利用现有的网络平台最优化支持思科install base，同时可协同其它平台良好工作 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID21思科思科 NAC 身份认证与状态评估身份认证与状态评估认证方式：Cisco NAC 支持本地认证、Kerberos、LDAP、RADIUS、Active Directory、等集成；支持VPN、无线客户端和AD域的SSO设备安全状态评估：拥有众多NAC战略合作伙伴，预定义将近3万条的规则集，检测多种应用，可定期从Cisco站点更新，同时提供强大的自定义功能 User IdentityPosture AssessmentDevice ProfilingSecure GuestGovernanceAuthentication and Posture 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID22思科思科NAC集成自动升级的规则集集成自动升级的规则集Automated Cisco rulesets 简化管理操作，支持超过350+厂家的应用软件提供近30,000条预定义检查AutoUpdates Hotfixes,Service Packs(direct to WSUS Server)Cisco NAC Appliance Manager 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID23思科思科NAC创新优势创新优势设备特征识别设备特征识别设备信息简表设备信息简表Device Profiling Cisco Profile Server 能够智能判别能够智能判别100多种设备类型，根据接入网多种设备类型，根据接入网络的设备类型执行不同的准入控制策略络的设备类型执行不同的准入控制策略 User IdentityPosture AssessmentDevice ProfilingSecure GuestGovernanceNon-PC devicesCisco创新创新：采用：采用device profile 技术实现接入设备技术实现接入设备自动类型识别与管理，解自动类型识别与管理，解决了存在的安全隐患决了存在的安全隐患如何实现打印机、传真机等非PC设备安全上网？2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID24思科NAC Profiler自动设备特征识别和接入控制自动设备特征识别和接入控制 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID25思科思科NAC 创新优势创新优势访客生命周期管理访客生命周期管理User IdentityPosture AssessmentDevice ProfilingSecure GuestGovernanceCisco创新：创新：Guest Server实现访实现访客生命周期管理，为业务伙伴、访客生命周期管理，为业务伙伴、访客提供安全的互联世界客提供安全的互联世界PROVISIONINGNOTIFICATIONMANAGEMENTREPORTINGSMSEmailPrint-out访客生命周期管理访客生命周期管理Guest policy 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID26访客登陆界面访客登陆界面 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID27访客管理访客管理创建访客账号创建访客账号 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID28访客管理访客管理审计与报告审计与报告SponsorInformationGuestInformationAccountInformation 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID29安全趋势与网络准入控制思科网络准入控制简介思科网络准入控制功能介绍思科网络准入控制部署和应用议程议程 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID30思科思科NAC灵活的部署模式灵活的部署模式VPN,wireless,campus,and remote LANsEnforcement via ApplianceOptimized for Cisco campus LANs(L2,L3)SNMP as control planeOptimized for Cisco campus LANs(802.1x)RADIUS as control planeIP WAN802.1qNAC ServerNAC ManagerVPNNAC NMIn-BandL3802.1qNAC ServerNAC ManagerSNMPOut-of-BandNACServerNAC ManagerACSRadius802.1x802.1xRADIUS 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID31全球及国内成功案例全球及国内成功案例制造业：青岛海尔、四川长虹制造业：青岛海尔、四川长虹能源：神华集团总部及多个矿站能源：神华集团总部及多个矿站电力：上海电力、浙江电力、贵州天生桥发电厂电力：上海电力、浙江电力、贵州天生桥发电厂汽车：东风康明思发动机厂汽车：东风康明思发动机厂研究院：中冶南方研究院：中冶南方政府：江苏地税局、天津港、洋浦港政府：江苏地税局、天津港、洋浦港企业：上海烟草，长兴船务公司企业：上海烟草，长兴船务公司,上海公共交通卡股份公司上海公共交通卡股份公司 Cisco NAC拥有中国最大的拥有中国最大的NAC实施案例：青岛海尔实施案例：青岛海尔12000用户用户Cisco NAC在以高速度增长：在以高速度增长：over 500%Y/Y growthCY08 Q4 NAC4.6将支持双字节，全面支持中文将支持双字节，全面支持中文 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID32案例分享案例分享1：某集团：某集团主营能源交通主营能源交通问题和需求：问题和需求：上市需要遵从Sarbanes法案桌面终端维护工作量大需要强制更新系统、病毒库和软件升级等规范员工上网行为 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID33二层二层OOB 方案演示方案演示-1某PC连接到接入交换机Fa0/12口CAM10.128.5.1/24CASLDAP/DHCPCisco 二层交换机二层交换机A大楼大楼交换机交换机Vlan6CAM管理管理Vlan598Untrust vlanSVI Vlan59910.X.X.254A大楼大楼网络网络核心网络核心网络Vlan598TrunkCAS 管理管理vlan60Vlan599 通讯通讯vlanFa0/12接入交换机Fa0/12口分入untrust vlan598PC发起的DHCP请求到达CAS，CAS上vlan598和vlan599做映射DHCP请求请求DHCP relayDHCP 响应并返回响应并返回vlan599段地址段地址DHCP获得获得10.X.X.73/23DNS通过CAS向PC分配通讯vlan599的IP地址PatchServerAnti-vServer 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID34OOB 方案演示方案演示-2CAM10.128.5.1/24CAS10.128.4.1/24LDAP/DHCPCisco 二层交换机二层交换机A大楼大楼交换机交换机Vlan6CAM管理管理Vlan598Untrust vlanSVI Vlan59910.X.X.254A大楼大楼网络网络核心网络核心网络Vlan598Fa0/12PatchServerAnti-vServerPC试图访问网络试图访问网络CAS对其认证对其认证当PC试图访问网络资源时，必须经过CAS，这时CAS对其进行认证和安全检查当认证和安全检查没有通过时CAS提示PC只能访问相应的服务器资源，在打补丁或安装防病毒软件后可用重新发起认证PC未通过未通过CAS限制限制PC只能只能访问补丁服务器访问补丁服务器等有限资源等有限资源当PC通过了CAS的认证和安全检查后，CAM会调整接入交换机，使PC所接入的F0/12端口划分到正常用户的通讯vlan 599中Vlan599认证通讯认证通讯vlanPC直接访问直接访问核心网络核心网络进入新Vlan后PC重新通过DHCP获得新地址，并直接通过核心交换机访问核心网络，不再经过CAS分入新分入新Vlan重新获得地址重新获得地址DHCP服务器服务器再次收到请求，再次收到请求，分发新分发新vlan内的内的IP地址给地址给PCTrunkCAS 管理管理vlan60Vlan599 通讯通讯vlan 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID35二层二层IB 方案演示方案演示某PC连接到接入交换机Fa0/13口CAM10.128.5.1/24CASLDAP/DHCPCisco 二层交换机二层交换机A大楼大楼交换机交换机Vlan6CAM管理管理Vlan698SVI Vlan59910.X.X.254A大楼大楼网络网络核心网络核心网络Vlan698TrunkCAS 管理管理vlan60Vlan699 通讯通讯vlanFa0/13接入交换机Fa0/13口属于认证 vlan698，CAS上对认证vlan和通讯vlan699做了映射CAS在vlan698模拟vlan699的网关，PC发起的所有流量都必须经过CAS完成对外访问DHCP请求请求DHCP relayDHCP 响应并返回响应并返回vlan599段地址段地址DHCP获得获得10.Y.X.73/23通过将用户分到不同的role完成访问控制PatchServerAnti-vServer 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID36演示演示User login through the browser web interfaceNAC authentication interfaceHealth check，find no system patchPatch interface,users need only click on the bottom left corner of the button,the system prompts the user to installPass the health check,login interface 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID37案例分享案例分享2：某集团：某集团世界第四大白色家电制造商世界第四大白色家电制造商 面临的问题：每年大量的桌面终端维护工作大量员工安装下载工具和代理工具集团推行的软件很少安装网络带宽占用严重病毒横行，网络扫描无处不在急需规范员工上网行为&端点安全防护端点安全防护 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID38思科的优势：适应多种网络环境，多种操作系统能够对各种类型的接入终端进行检测 提供灵活多样的认证方式，支持多种验证形式基于角色的用户验证，实现分级分权限管理对终端设备的全面的安全检测提供有效的隔离，并有多种手段帮助用户进行修复易于实施，易于维护，适合大规模应用，支持HA 实施效果：实施效果：规范了用户上网的行为，推广了集团AD域和软件安装策略，使加入NAC的用户都符合集团统一规范。案例分享案例分享2：某集团：某集团世界第四大白色家電製造商世界第四大白色家電製造商 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID39三层三层IB 方案演示方案演示客户PC保持原有vlan不变。CAMCASLDAP/DHCPCisco 二层交换机二层交换机A大楼大楼交换机交换机Vlan6CAM管理管理SVI Vlan59910.X.X.254A大楼大楼网络网络核心网络核心网络Vlan61Vlan60由CAS做身份验证后对客户PC分配到不同的Role通过将用户分到不同的role完成访问控制PatchServerAnti-vServerInt Vlan 699PBR Vlan 699在网关位置作PBR将用户数据导向到CAS的untrust端口 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID40NAC部署示意图部署示意图运行管理区运行管理区核心交换机核心交换机6509应用服务区应用服务区Cisco 4506Cisco 3750测试开发区测试开发区Cisco 3750Cisco 3750Cisco 3560网通网通电信电信F5-3400Fortigate 1000AASA 5550IDS 4215DMZ区区互联网互联网接入区接入区合作伙伴专网合作伙伴专网接入路由器接入路由器合作伙伴接入子区合作伙伴接入子区广域网接入区广域网接入区MPLS接入路由器接入路由器7606MPLS各地分支机构各地分支机构汇聚交换机汇聚交换机6509创牌大楼交换创牌大楼交换机机6509Cisco 3560Cisco 2960各事业部各事业部Cisco 2960各事业部各事业部Cisco 3560Cisco 2960各事业部各事业部Cisco 3560ASA 55502台台 CAM4台台 CASNAC管理区管理区2台台 CAS 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID41案例分享案例分享3：某公司：某公司主营汽車、铸造主营汽車、铸造1250个用户，HA配置，实现了局域网用户及VPN用户的准入控制。成功实现项目目标：成功实现项目目标：能判断接入网络的设备的操作系统授权版本;能判断接入网络的设备是否安装了要求的操作系统补丁;能判断接入网络的设备是否安装并运行了认可的防病毒软件及其病毒库是否为最新;能够结合域帐号对接入网络的设备的身份进行验证;可针对上述14的判断结果对交换机的端口进行切换控制,并将端口划分至策略定义的VLAN中;系统应可同时控制局域网接入用户和VPN连接接入用户;2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID42NAC项目网络拓扑项目网络拓扑VPN部分部分 2006 Cisco Systems,Inc.All rights reserved.Cisco ConfidentialPresentation_ID44Questions?