思科终端准入控制及安全解决方案

1©2005CiscoSystems,Inc.Allrightsreserved.SEC-204011328_05_2005_X2CiscoNAC2andCSAMC5.1Demo终端准入控制及安全解决方案技术交流222©2005CiscoSystems,Inc.Allrightsreserved.SEC-204011328_05_2005_X2中国安全市场及产品分析重点解决方案GeneralMarketSegment#SolutionSegmentMarketReadinessCiscoSolutionReadinessSESkillReadinessPartnerReadinessCASupportLevelOverall1FirewallASA55002IntegratedSecurity3IntrusionPrevention4UnifiedThreatMgmt1IPSecVPN2SSLVPN3.DDoS1Guard1NetworkAnti-virus(CSC,SCE)2DesktopAnti-X/HostIPS(CSA)1NACFramework2NACAppliance1UCSecurity2DataCenterSecurity1Ent.SecurityManagementMars2SPSOC1ManagedSecurity2Prof.SecurityAudit8.SecurityService7.SecurityManagement6.ApplicationSecurity5.End-pointCompliance4.Anti-X2.VPN1.BasicSecurity333©2005CiscoSystems,Inc.Allrightsreserved.SEC-204011328_05_2005_X2思科安全产品－－明星产品：积分奖励、项目中亮点SolutionProductFirewallPIX,FWSM,ASA5500IntegratedSecurityISR,C65/76FWSM,IDSM,SSLModuleIntrusionPreventionIPS4200,IPSandIDSM-2forrouter&Cat6KManagedSecurityISR,ASA5505UTMASA5500GuardC65/76AGM,GuardXTNetworkAntivirusASA-CSC,SCE1010/2020NACApplianceCiscoCleanAccessCAS/CAMUCSecuritySCE1010/2020DataCenterSecurityAVS3120/3180,ACESecurityMgmtACS,CS-MARS,CiscoSecurityMgrSPSOCCS-SIMS,NextGenerationCS-MARSProf.SecurityAuditDeliveredbyprofessionalserviceteam444©2005CiscoSystems,Inc.Allrightsreserved.SEC-204011328_05_2005_X2内容安排•思科网络准入控制方案•思科准入控制解决方案部署范例NACAppliance**********************************************•思科终端安全防护方案**********************************************•Mars安全网管系统概述•Mars系统部署步骤**********************************************•网络准入控制方案DEMONACFramework•网络终端安全方案DEMO•网络准入控制CCADEMO（Optional)555©2005CiscoSystems,Inc.Allrightsreserved.SEC-204011328_05_2005_X2DoyouwanttodateNAC?“NACislikehavingParisHiltonasyourgirlfriend.Theconceptisfantastic,butinrealitytheexperiencemightnotbethatgreat.But…we’restillwillingtogiveitagoaslongaswecanunderstand/handleherbehaviour”今天让我们来揭开她的神秘面纱！666©2005CiscoSystems,Inc.Allrightsreserved.SEC-204011328_05_2005_X2网络准入控制解决方案（NAC2）OVERVIEW666©2005CiscoSystems,Inc.Allrightsreserved.SEC-204011328_05_2005_X2777©2005CiscoSystems,Inc.Allrightsreserved.SEC-204011328_05_2005_X2目前企业/SPDCN内部桌面管理系统面临的问题•终端用户的身份控制以及访问权限控制•Windows操作系统的安全漏洞，易被黑客或者病毒利用，比如造成蠕虫病毒泛滥•员工访问危险的网站•员工安装非授权的危险软件，或者没有安装指定的安全软件（如杀毒软件）•员工违反安全规定，擅自使用可移动存储设备（如CD、U盘、移动硬盘等），易于泄漏内部资料•员工私自安装双网卡、电话拨号、ADSL等上网•PC机数量太多，管理人员维护、监控困难•…•导致：60-70%的系统及网络安全隐患来源于公司内部888©2005CiscoSystems,Inc.Allrightsreserved.SEC-204011328_05_2005_X2企业内部网络中蠕虫攻击的特征安全威胁无处不在分支机构互联网数据中心•网络及系统安全隐患大多来源于企业内部•自传播蠕虫会继续危害企业，造成停机时间和不断的修复•不符合要求及安全规范的服务器和台式机很普遍•识别并隔离感染的系统消耗大量的时间和资源•用户、访问方法和端点种类的繁多加剧了问题的严重性•终端机带来的危害不仅仅是自身而是整个网络系统远程用户攻击可能来自任何地方LAN无线LAN999©2005CiscoSystems,Inc.Allrightsreserved.SEC-204011328_05_2005_X2之前的网络准入方法依靠单纯的用户名密码认证机制“Hello.”Alice:“Hello.”Bob:“Hello.Iamanadministrator”GrantedGrantedGrantedGrantedChuck:“IamrunninganunpatchedWindows2000system.IamGigabitEthernetconnectedwithwormdejourandthisoneisreallynasty.Haveaniceday!”Chuck:“Hello.Iamindales”101010©2005CiscoSystems,Inc.Allrightsreserved.SEC-204011328_05_2005_X2正确的方式:NetworkAdmissionControl附加检查策略:IdentityWindowsXPServicePack2CTA2.0Anti-VirusPatchManagementChuck:Sales我是合法身份用户Windows2000NoServicePackNoAnti-VirusNoPatchManagementRemediationServer被隔离QuarantinePostureServersDirectoryServer111111©2005CiscoSystems,Inc.Allrightsreserved.SEC-204011328_05_2005_X2思科网络准入控制方案两套网络准入控制解决方案定位分析NETWORKACCESSDEVICEAUTHENTICATIONPOLICYENFORCEMENTDISCOVERYREMEDIATIONNACApplc.AgentACSAUTHENTICATIONENFORCEMENTDISCOVERYPOLICYREMEDIATIONNETWORKACCESSDEVICECiscoTrustAgentNACFRAMEWORKNACAPPLIANCENACFramework:全网部署思科网络设备、兼容Dot1X认证、由第三方产品提供端点分析以及升级服务、建议与主机安全防护解决方案捆绑销售推广（CSA）。实施设备要求简单：最低配置仅需要ACS4.0NACAppliance:适用于多厂商环境、综合用户身份认证、端点分析以及补丁升级服务于一体的安全解决方案，组网必须要求CAM/CAS服务器。无需网络设备支持DOT1X特性。配置简单实施难度低适用范围广！。ENFORCEMENTCAS/CAM121212©2005CiscoSystems,Inc.Allrightsreserved.SEC-204011328_05_2005_X2思科网络准入控制解决方案OptionANACFramwork解决方案131313©2005CiscoSystems,Inc.Allrightsreserved.SEC-204011328_05_2005_X2ACSv4.0RemediationServerDirectoryServerAnti-VirusServer后台服务器PostureValidationServersAuditServerCS-MARSNACFrameworkDeploymentArchitecture思科网络接入设备接入方式LANRemoteWANAny141414©2005CiscoSystems,Inc.Allrightsreserved.SEC-204011328_05_2005_X2NACPostureStates•Healthy【健康】-Hostiscompliant;norestrictionsonnetworkaccess.•Checkup【待检查】–Hostiswithinpolicybutanupdateisavailable.UsedtoproactivelyremediateahosttotheHealthystate.•Transition【过渡】–Hostposturingisinprocess;giveinterimaccesspendingfullposturevalidation.Applicableduringhostbootwhenallservicesmaynotberunningorauditresultsarenotyetavailable.•Quarantine【隔离】–Hostisoutofcompliance;restrictnetworkaccesstoaquarantinenetworkforremediation.Thehostisnotanactivethreatbutisvulnerabletoaknownattackorinfection•Infected【感染】–Hostisanactivethreattootherendpointdevices;networkaccessshouldbeseverelyrestrictedortotallydeniedallnetworkaccess.•Unknown【未知】-Hostposturecannotbedetermined.Quarantinethehostandauditorremediateuntiladefinitiveposturecanbedetermined.Mayalso151515©2005CiscoSystems,Inc.Allrightsreserved.SEC-204011328_05_2005_X2策略服务器决策点网络接入设备抑制蠕虫/病毒:网络准入控制（NA