Supporting Compliance: A Network Approach
There is nothing more important than our customers.

Executive Summary

With the significant increase in compliance-related mandates put upon IT organizations today, Enterasys has written this white paper to explain our approach to supporting compliance through advanced policy-driven networking. Regulatory compliance and governance mandates are new and daunting issues for any IT organization. These requirements for compliance can come from outside the organization in the form of government legislation, such as HIPAA or Sarbanes-Oxley. They can also come from inside the organization in the form of governance edicts from executive management. In either case, the network infrastructure must play a role in supporting the often abstract requirements of compliance, while at the same time ensuring that the business objectives of the organization are still being met. Enterasys Secure Networks™ solutions for compliance provide visibility and enforcement capabilities that are practical, achievable, and deliver rapid time to value.
With an Enterasys solution you will be able to answer the following key questions:
• Can the confidentiality and integrity of data be ensured throughout its lifecycle on the network infrastructure?
• Can access to critical information be controlled so that only the right people at the right time have it?
• Can guests or contractors be allowed on the business network and given access to basic services while still protecting critical and private information?
• Can a breach in communication policy be identified immediately, and can the network react in real time to prevent a non-compliant situation?
• Can the network report on both compliant and non-compliant states of individual users, both past and present?
• Does the network solution support open-architecture, multi-vendor interoperability?
• Can this solution be deployed today, in my existing environment?

Let us show you how our innovative products and technologies can enable you to build a secure network that embraces compliance initiatives. Leading companies worldwide have deployed Enterasys Secure Networks solutions for compliance. Set up a time to see how our unique approach can increase your overall compliance capability while leveraging your existing investments. Call (877) 801-7082 or +1 (978) 684-1000 or visit http://www.enterasys.com/securenetworks.

Introduction

This paper will take a top-down approach, exploring compliance mandates and how to align the network infrastructure in support of these mandates. Because the network infrastructure is pervasive, connecting all users, business services and critical data, it can be leveraged as a tool to enforce communications policies. Based on both regulatory and internal company rules and regulations, network usage can be accounted for, data can be secured, and misuse can be controlled.
The network infrastructure can be a significant control point in maintaining compliance mandates. CobiT (Control Objectives for Information and Related Technology) is a widely adopted framework for assisting IT organizations with maximizing technology while complying with governance requirements. This paper will use the best practices of CobiT to help identify the design and functionality of the network communications infrastructure needed to meet business continuity and compliance requirements. Specific functionality of the network infrastructure and related control software will be discussed, and the unique advantages of an Enterasys solution will be offered for consideration.

Why is Compliance Important to You and Your Organization?

Compliance changes the rules for corporate governance. Much of today’s emphasis on compliance is a direct result of corporate scandals which occurred in the past five to ten years. Executives at companies such as Enron and WorldCom believed they were beyond reproach, and there was little in the way of specific regulation and precedent to prevent this type of behavior. In response to these scandals, new legislation such as Sarbanes-Oxley was passed to help address the illegal activities, and to help restore the confidence of the investing public.

Much of today’s legislation not only punishes the corporation, but additionally makes executives personally accountable for the activities of the corporation. Very severe penalties for noncompliance are now prescribed. For example, Sarbanes-Oxley defines severe penalties for ‘C’ level executives involved in fraud or non-compliance: $1M USD or 10 years in jail! Now, it’s personal!

Newer legislation such as Sarbanes-Oxley forces auditing of not only the numbers themselves, but also how these numbers are generated – meaning that finance-related processes come under scrutiny.
Since the IT infrastructure is part of the financial process, it too comes under the watchful eyes of the auditor.

Compliance Examples

Here are several examples of recent compliance legislation. As you can see, these laws not only focus on the financial perspective but on privacy as well.
• BASEL II – Minimum capital requirements, supervisory review and market discipline to promote greater stability in the financial system.
• European Union Data Privacy Directive – Mandates rules for the collection and protection of individual personal data.
• Gramm-Leach-Bliley – Intended to ensure financial institutions protect sensitive customer information that may be accessible to hackers through Internet or intranet environments.
• Health Insurance Portability and Accountability Act (HIPAA) – Requires that patient records be protected against exposure to unauthorized entities.
• Payment Card Industry (PCI) – A set of data and network security requirements for companies which process credit card transactions, for the purpose of protecting sensitive credit card holder information.
• Sarbanes-Oxley – Requires the implementation of checks and balances to ensure that the process used to generate financial reports is sound and cannot be tampered with.

Additionally, many enterprises understand that better compliance, better IT governance, and better data protection mechanisms are good for business. In fact, many organizations tout their compliance with standards such as ISO 17799¹ as a competitive advantage: a customer of one of these organizations realizes that their data will be treated with great respect. So, in some cases, compliance is mandated by upper management rather than through external forces.

¹ ISO 17799 is a set of best practices aimed at maintaining information security in an organization.
ISO 17799 conforms to the concepts of protecting Confidentiality, Integrity and Availability – the CIA Triad.

Impact of Compliance Regulations on IT

The impact of compliance on the IT organization is in some cases quite obvious, while in other cases it is not so obvious. We will look at two important pieces of legislation, HIPAA and Sarbanes-Oxley.

HIPAA makes the following assertion:
“A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.”

Here, the legislation is very specific and can easily be translated into IT requirements. One would imagine that “technical” safeguards would translate quite readily into Authentication, Authorization and Accounting (AAA) of certain assets. The “unintentional” disclosure would translate into some type of monitoring system. So, in the case of HIPAA, the impact on the IT organization is readily visible.

When one reads the Sarbanes-Oxley legislation, however, the impact on the IT organization is not quite as clear. Much of Sarbanes-Oxley is concerned with the implementation of control systems within the finance organizations of publicly traded companies. One may ask, “Why does a law concerned with financial reporting impact the IT organization?” To answer this question, think of what Sarbanes-Oxley is trying to do: it is trying to guarantee that financial reports are accurate and timely. As a secondary objective, it requires the company to certify the processes by which this information is generated.
Think for a moment about what you would need to do to guarantee accurate financial reports and certify the process used to generate these reports:
• You would need to prevent unauthorized access to sensitive information – for example, financial performance data before the end of the quarter is confidential.
• You would need to prevent sensitive information from being modified by unauthorized personnel.
• You would need to make sure the information is protected against accidental or malicious loss.
• You would need to make sure that a system is in place that allows financial, production and sales data to flow from one place to another in an expedient manner.

In any business, there is a flow of information, which is shown in the illustration below:

[Diagram: flow of business information. Sales Staff, Point of Sale Reports, Sales Operations, Supply Chain, Warehouse, Inventory Made, Inventory Reports, Payments Collected, Billing, Disbursement, Stock Reports and Accounting feed Finance, which produces the report for the CXO.]

As can be seen from this diagram, there is a clearly defined flow of information into the corporation, and a clearly defined process for tabulating this information. At any point in this process, there is the possibility for the introduction of erroneous or fraudulent information. Thus, all information feeding the financial report must be protected. To safeguard against the compromise of data, the organization must implement access controls and monitoring systems, similar to what must be deployed to comply with HIPAA. Stated simply: the requirements of Section 404 mandate that the processes used to arrive at the financial results be certified. Information Technology systems are intimately involved in the generation of these results, and therefore are part of the Sarbanes-Oxley compliance regimen.

Governance Control Frameworks

Organizations must establish Governance Control Frameworks around which actual policies, procedures and work flows will be built. Think about this for a moment. A mandate is passed, either internally or externally.
Management cannot just say “comply with it” and expect compliance to magically happen. They must ensure that processes and procedures are created within the organization to foster compliance, and people need to be responsible to make it happen. For example, at a high level, compliance with Sarbanes-Oxley makes use of an accounting procedural framework known as Internal Controls – Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission, otherwise known as COSO. The processes defined in COSO, to be put in place by the most senior management, help to establish procedures and an organization which provide assurance of achieving:
• Operational efficiency
• Reliable reporting of financial data
• Compliance with regulations and laws

Auditing firms rely on the guidelines established within COSO to determine if an organization is compliant with Sarbanes-Oxley. From the perspective of compliance, COSO can be thought of as the guidelines which drive the actual business processes involved in financial reporting. Other regulations will rely on other frameworks, but generally a well-known framework which is auditable is required. So, what about a framework for IT?

A Governance Control Framework for IT

Just as there are Governance Control Frameworks around which the practices and procedures for accounting are built, there are some for IT as well. As explained, IT systems are a critical component in complying with any regulation, hence there are Control Frameworks for IT.
One excellent example is Control Objectives for Information and Related Technology (CobiT), introduced by the IT Governance Institute. As stated by the IT Governance Institute, CobiT defines a control as: “The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.”

CobiT includes guidelines which would guide an auditor in rating a particular organization for its compliance against the processes defined within it:
1. Non Existent – There is no evidence of the process being in place.
2. Initial/Ad Hoc – There is evidence of the process being in place, but it is not well defined and is not consistently applied.
3. Repeatable – The process is in place and follows a regular pattern, but relies on knowledgeable people to apply it; in other words, it is not documented.
4. Defined – The process is well documented, and progress on achieving the objectives of the process is communicated.
5. Managed – A system is in place to monitor and measure the process.
6. Optimized – Processes are strictly followed and automated.

Let’s tie it all together. There are many organizational components involved in compliance: business objectives, regulations and legislation, a control framework to ensure that regulations are complied with, an organizational framework to control IT, and the IT infrastructure itself.
These relationships are shown generically below:

[Diagram: Business and Regulatory Requirements (Requirements) drive the COBIT Control Framework (Governance & Control Frameworks), which drives the COBIT Processes & Controls and the IT Infrastructure & Operational Procedures (Implementation), toward the objectives of operational efficiency, reliable reporting of financial data, and compliance with regulations and laws. CobiT process areas shown: Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate.]

CobiT defines IT activities in a generic process model within four areas:
• Plan and Organize – Identify how IT can best contribute to and align with business objectives
• Acquire and Implement – Identify, acquire, and integrate into the infrastructure IT solutions which solve business problems
• Deliver and Support – Deliver, manage and secure services in support of the business objectives
• Monitor and Evaluate – Ensure that the IT system continues to function and remains compliant with the security policy of the organization

How these processes relate to each other is shown in the diagram below:

[Diagram: Business and Regulatory Requirements feed the Control Framework, which drives the cycle Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate, with feedback from Monitor and Evaluate back to the Control Framework and to the Requirements.]

Most important is the feedback from the Monitor and Evaluate process. This allows the other processes of CobiT to be adjusted as necessary. It also allows for processes within the Control Framework to be modified, as well as the business objectives themselves. These generic processes map into traditional IT processes which already exist, which means compliance does not require “reinventing the wheel”.

Since CobiT drives the IT organization and the implementation of the IT infrastructure, we will discuss the four processes defined by this governance template. Please note that a complete description of CobiT is beyond the scope of this document.
The reader is referred to the IT Governance Institute website at http://www.itgi.org for additional detail.

Plan and Organize

This process details how the IT organization contributes in the most efficient manner to the business objectives of the enterprise. All members of the enterprise should be engaged in this process, which not only defines the IT infrastructure itself but also the organization behind that infrastructure. Typical questions answered as part of this process include:
• How well does IT align with the enterprise’s business strategy?
• Is the IT infrastructure being used as efficiently and cost-effectively as possible?
• Are the risks that the IT infrastructure places on the rest of the organization well understood?
• Is the IT infrastructure robust enough and secure enough to support the business objectives of the organization?

CobiT defines 10 subsections to the Plan and Organize section. Later in this document, this process will be abbreviated as PO.

Acquire and Implement

Once the overall IT strategy is defined and aligned with the business objectives of the organization, the actual technical IT solutions, as well as the policies and procedures for their use, may be established. A plan for the integration of the solution into the business process must be established. Impact to existing systems and procedures must be considered to ensure that no adverse effects to existing infrastructure occur. This process typically addresses the following management questions:
• Will the project meet its objectives from a business perspective?
• Will the new project meet its schedule and cost targets?
• Can the new system be implemented in a non-disruptive manner?
• Will the new system cause any unanticipated security risk?

CobiT defines 7 subsections to the Acquire and Implement section.
Later in this document, this process will be abbreviated as AI.

Deliver and Support

The Deliver and Support process ensures that the required services are actually being delivered in a cost-effective, secure and productive way which is aligned with the business objectives which called for the development of the service in the first place. It ensures that the users of the services are receiving adequate support. This process typically will answer the following questions:
• Is the service aligned with the business?
• Is the service being delivered in a cost-effective manner?
• Are the clients able to use the service productively?
• Is the service available and secure – does it comply with the Confidentiality, Integrity and Availability requirements established by the organization’s security policy?

CobiT defines 13 subsections to the Deliver and Support section. Later in this document, this process will be abbreviated as DS.

Monitor and Evaluate

This critical process monitors IT services over time to ensure that the service is compliant with its initial objectives and that the services are secure, confidential and available. Questions to be answered here include:
• Is the performance of the IT organization in its delivery of the service being adequately monitored?
• Is there adequate feedback for management to ascertain that the service is being efficiently delivered and meeting its objectives?
• Is the service meeting its business objectives?
• Are Confidentiality, Integrity and Availability being achieved in proportion to the value of the service?

CobiT defines 4 subsections to the Monitor and Evaluate section. Later in this document, this process will be abbreviated as ME.

Compliance for the Network

This section will detail the technical implementation of compliance, using CobiT as the guideline for IT control. The reader is strongly encouraged to obtain a copy of CobiT 4.1, which is available for free download at http://www.itgi.org.
Familiarity with this document will allow the reader to enjoy the maximum benefit from this whitepaper. Although the computer systems themselves are obviously part of the IT infrastructure, this discussion will limit itself to the conduit through which the information passes: the network infrastructure. Any compliance strategy should be intent on enabling the network infrastructure to be a transparent, secure and available conduit through which the information of the organization passes. As has been discussed, in any business:
• Information flows from one place to another.
• Information is processed, which means that it is tabulated and modified by authorized and responsible personnel.
• Information is stored in repositories as it is being processed.

At all phases of the information lifecycle, it must be protected from modification and compromise, whether accidental or malicious. Drawing from our conventional analogy:
• The Confidentiality of information must be protected as it flows from one place to another.
• The Integrity of information must be protected as it flows from one place to another.
• The information must be Available when and where it is needed in a timely manner.

This means that the traditional security attributes of Confidentiality, Integrity and Availability (CIA) as they relate to information will be a significant component of compliance. Access to information must be granted only to those with a need to know, and modification of information must take place only by those who are authorized to do so. As will be seen here, the network plays a strong role in the support of a CIA strategy and hence will also play a strong role in the overall compliance strategy for any organization.

An Architectural Approach

Enterasys Networks provides an architectural approach to building a Compliance Supportive Network.
Unlike other vendors’ approaches, Enterasys fully integrates a security-enabled infrastructure, advanced security applications and centralized visibility and control to enable IT organizations to deploy networks that will enforce critical compliance policies and provide important auditing of compliance.

Security-Enabled Infrastructure
• Switches, Routers, Wireless
Advanced Security Applications
• Intrusion Detection/Prevention
• Network Access Control
• Security Information Management
Centralized Visibility and Control
• Automated Security Management
• Asset & Change Management
• Element Management
• Policy Management

This architectural approach delivers significant capabilities. The architecture enables network usage policies for users and devices to be established centrally and enforced throughout the entire network environment. These policies for network communication enable an IT organization to ensure compliance with internal and external policies while supporting secure access to all business-critical network services. Policies can be applied to restrict or enable communication from individual users and devices in the network based on their role in the organization.

The architecture will enforce access control of users and devices attempting to communicate on the network and to specific services. Various end systems can be detected and identified when they connect to the network infrastructure. Once an end system is identified, access to the network as well as to specific services can be controlled based on the type of end system, the organizational role of the end system and/or the person who may be using it, the location of the connection, and the time of day. This allows specific users and end systems to be identified when they show up in the network, and their communication on the network controlled to ensure compliance with important policies for network usage.

The architecture will detect threats and anomalies anywhere in the network and locate the exact source.
Because of the increased business importance of the network infrastructure, it is imperative that threats to critical services are detected and mitigated in real time. In addition, some compliance regulations require certain reactive measures to be taken in the event of a policy breach. Enterasys leverages patented technology to deliver a unique capability of detecting non-compliant situations as they occur in the network and isolating the exact source of the problem. In a network of thousands of end systems, the exact source of a threat or network problem can be determined in just seconds.

The architecture will respond to threats and non-compliant situations with specific and measured action and will enable users to self-remediate when appropriate. The architecture’s ability to locate the exact source of a problem enables an appropriate response to be taken. The response might vary based on the type of threat or compliance issue, and the Enterasys solution allows for measured response options including disabling a port, changing a VLAN, enforcing a specific set of communication policy rules, notification, quarantine, and compliance reporting. In cases where the problem being addressed involves a user, the architecture allows for the enforcement of specific policy rules to completely protect all critical network services, but still enables the user to self-remediate so they can quickly start working productively in a compliant manner.

The architecture will proactively protect the network from vulnerable and dangerous end-systems, preventing them from compromising critical business services, other users and end systems. Defenses are established to protect the environment from known threats and network misuse.
In addition, end-systems of all types (including convergence endpoints) can be assessed for vulnerability, non-compliance, and threat posture before they are allowed to communicate on the network.

With the advantage of the architectural approach, IT organizations can deploy an Enterasys solution to ensure compliance through proactive and reactive policy enforcement, and auditing through complete visibility.

Toolkit for Network Compliance

The components of the architecture described above enable Enterasys to provide a comprehensive toolkit to support the objectives of your compliance strategy and maintain high levels of Confidentiality, Integrity and Availability. These tools are shown in the diagram below.

[Diagram: Compliance Toolkit]

Establish and Enforce Policy

The first element of the Compliance Toolkit is the ability to establish and enforce network utilization strategies. Enterasys switches have the ability to enforce granular policies at Layer 2, Layer 3 and Layer 4. Complex rate limiting and traffic shaping policies can be created, allowing for the enforcement of limits on certain types of traffic. Traffic can be prioritized using 802.1p and the IP Type of Service (ToS) field. Further, through the Enterasys NetSight Policy Manager application, it is a quick and simple matter to create these network utilization policies for different traffic types. Enterasys allows for the creation of both static policies and dynamic policies. Static policies are used to enforce accepted network communications, where each port in the infrastructure is used to filter out unwanted protocols and control acceptable protocols. Dynamic policies can be bound to specific user groups. With SAP, the user is authenticated, then the policy is dynamically enforced at the point of attachment. This “role-based” policy enforcement allows for individual determination of what people or devices can do when connected to the network.
For example, someone in the accounting organization should not be able to use Simple Network Management Protocol (SNMP). On the other hand, someone from the network operations team must have access to SNMP in order to do their job. So, unique policy rules are created for each group. A policy disallowing SNMP is created for the accounting group, while a policy enabling SNMP is created for the network administrators group. When an accountant logs in, SNMP is disabled. When a network administrator authenticates, SNMP is enabled. So, extremely fine-grained, user-specific policies can be created by tying policies to groups, and users to groups. This is shown in the diagram below.

[Diagram: Business Roles (Sales, Guest, Engineer, Student, Doctor) mapped through IT Ports to Services (E-Mail, Web, Oracle, SQL, SAP R/3).]

As can be seen, roles map to policies, and policies map to specific network services. Network utilization policies are an important part of any compliance strategy. Policies dictate:
1. What the network can be used for
2. What the network cannot be used for
3. How much network resource is allowed to be used by each application
4. Where certain applications are allowed to be run from
5. Where certain applications are not allowed to be run from
6. What parts of the network a user or device can be allowed to access

Let’s discuss these attributes one by one.

What can the network be used for? Or, in more technical terms, what protocols are allowed to run on the network? One of the most important tenets of good security and compliance practice is that “less is more”. The purpose of the network is to serve the objectives of the business. Therefore, the traffic that traverses the network must have a purpose related to the objectives of the organization. Traffic that should not be there is at best a waste of resources and at worst malevolent. Therefore, policies which limit the traffic which enters the network to just that which is purposeful are indeed necessary.
Unauthorized or malevolent traffic can:
• Waste bandwidth
• Be disruptive to normal business operations
• Be used as a vehicle to exploit vulnerabilities in end systems in an attempt to obtain confidential information

Examples of unnecessary and potentially malevolent traffic include:
• Peer-to-peer file transfer protocols
• Streaming video or audio from commercial sources
• Network management traffic from computers which should not be modifying network devices

A concrete example of the type of damage that can take place through the use of unauthorized protocols is given by the “Winny” worm in Japan. In this case, employees were bringing in laptops with the unauthorized peer-to-peer application Winny. Like any other peer-to-peer program, Winny shares pre-defined “share” directories over the Internet. Unfortunately, a virus known as Antinny infected Winny, causing directories and documents other than those within the share directories to be readily available over the Internet. As a result of this, information such as access codes to 29 airports, surgical procedures performed on 2,800 people, and even details on a surface-to-air missile test on the ‘K’ peninsula, was compromised.

From the previous example, drawing a connection to compliance is trivial. The lack of policies which prevented the Winny application, combined with the lack of monitoring for the Antinny virus, caused notable compromises of information which should have been secure. What if this information had been a spreadsheet with earnings information for a publicly traded company? Sarbanes-Oxley would have been violated, with the serious ramifications expressed earlier in this paper. What if this information had been patient-related? HIPAA regulations would have been violated.

Access Control

The second element of the Compliance Toolkit is access control.
Access Control helps network administrators to answer the following questions:
• Who can access the network?
• What devices can access the network?
• Is the device which is trying to access the network ‘healthy’, or might it expose the organization to undue risks?

The Enterasys Network Access Control (NAC) solution helps to answer these questions, which are very important in any compliance strategy.

Access Control is not just a “switch” which allows users in or keeps users out. It is in reality a pro-active security defense. One of the most important functions of Access Control is the ability to perform a pre-admission assessment of an attached device before that device is granted access to the network. When a device is attached to a NAC-capable network, it is tested to determine if the device is ‘safe’ or if the device poses a risk. Should the device pose a risk, it is individually separated (quarantined) from the rest of the network until corrected.

Two different models can be used for assessment. An agentless strategy does not require any specific software to be pre-configured on an end system. There are two variations of the agentless model:
• Network-based, which leverages assessment engines such as Tenable Networks’ Nessus technology
• Applet-based, or Dissolvable Agent Based, which forces the end station to download a Java applet, an ActiveX control or a dissolvable software agent. Local assessment is performed while the end system is accessing a Web page. Enterasys leverages technology from Symantec, Check Point and Lockdown Networks to perform end-system assessment from a software agent that is pushed to the end system through the network.

The agent-based model for end-system assessment requires the installation of a software agent on the end system. The software agent provides a “presence point” on the end system to communicate with the assessment server.
The software agent typically provides the ability to check the presence and configuration of antivirus, anti-spyware and personal firewall software, and to perform deep system scans. There are two variations of the agent-based model:
• “Thin” Agent-Based Model: The “thin” agent requires minimal resources and zero configuration on the client side (agents are preconfigured, installed and updated by the assessment server). The “thin” agent-based model is deployable in specific operating system environments, based upon the assessment vendor’s support for end systems. Enterasys NAC integrates with the thin agent-based assessment technology from Lockdown Networks.
• “Thick” Agent-Based Model: The “thick” agent provides a built-in personal security solution such as a personal firewall or host IDS. The “thick” agent-based model is typically Microsoft operating system-centric. It also may require significant resources (memory, CPU, etc.) on the client side. Enterasys NAC integrates with several technologies for “thick” agents:
— Symantec with the Sygate Enterprise Protection product. Enterasys has certified Sygate Enterprise Protection across its product line (leveraging 802.1X/EAP).
— Check Point with the Integrity product. Enterasys has certified Integrity across its product line (leveraging 802.1X/EAP).
— Microsoft with the Network Access Protection (NAP) technology. Enterasys is actively demonstrating NAP interoperability on Windows Vista clients and Windows “Longhorn” servers.
There are other important requirements for access control as well. An access control solution must also:
• Be open – provide support for multi-vendor environments, so that existing investments in infrastructure are leveraged and to allow for interoperability with third-party components.
• Be able to support multiple types of end systems – Today, not every network device is a computer with a person behind it.
In fact, the drive towards ‘convergence’ is introducing a multitude of new types of network-attached devices.
• Take into account more than just user or device credentials when performing authentication – There are many other things that should be considered before a device is allowed to attach to the network, and when deciding what access rights will be granted once authentication is complete. For example, time of day, location of the device, type of device and so on are attributes that should be considered before a device is granted access. The ability to do this is called Multi-Context Authorization.
• Quarantine – A Network Access Control solution must be able to isolate non-compliant devices safely from the rest of the network, optimally preventing those devices from impacting other quarantined devices.
• Notification and Remediation – A Network Access Control solution needs the ability to notify the user or network administrator that a machine is being excluded from network access. Further, it needs to provide a mechanism to facilitate “self-remediation”, whereby the end user can take steps to correct the identified deficiency himself. Alternately, logging of the presence and isolation of non-compliant devices should be provided to network administrators so that they can take remedial action if necessary.
An important aspect of a NAC solution is the ability to quickly view the state of the network environment. IT administrators need information on who and what is attaching to the network; where and at what time the devices are connecting; whether the devices are safe and secure; and whether the users of the devices pose any threat to the network environment. Comprehensive real-time and historical information on the end systems and users communicating on the network is critical to understanding the state of compliance with any pre-determined policy.
The data collected by the Enterasys NAC solution includes:
• MAC Address – The physical address of the end system
• Switch IP Address – The switch in the network where the end system attached
• Switch Port Index – The physical port on the switch where the end system connected
• Switch Port – The “name” of the switch port where the end system is connected
• IP Address – The last known IP address of the end system
• Authentication Type – The method used to authenticate the end system
• State – The authorization state of the end system
• Reason – The reason for the authorization state of the end system
• Username – The username of any user leveraging the end system
• First Seen – The first recognition of the end system on the network
• Last Seen – The most recent recognition of the end system on the network
• Last Scanned – The last time that the end system was assessed
From the data collected by the Enterasys NAC solution, IT administrators can account for end-system compliance in real time as well as historically. The reporting capabilities of the Enterasys NAC solution allow IT organizations to report on end-system compliance, justify technology expenditures and provide regulatory compliance information when required.
Now, let’s tie all this back into why Access Control is important from a Compliance Supportive Network perspective. We can use the Japanese ‘Winnie’ example again. If a pre-connect assessment had been performed against the laptop containing the disallowed program, then this laptop would have been denied access to the network until the program in question had been removed. Keeping this non-compliant device off the network would have avoided the information leak altogether.
Detect, Locate, Respond and Remediate
The ability to actively detect and locate the source of malicious or disallowed activity is another element of the Compliance Supportive Network.
Enterasys Networks provides an automated detection and mitigation solution, leveraging intrusion detection, location awareness and policy enforcement together to create a system which can detect, locate and mitigate attacks or network misuse in near real time. The diagram to the right explains how it works.
First, a policy is created which will restrict network usage. Specifically, a “quarantine” policy is created which defines how malicious traffic will be dealt with. The policy is distributed to the network infrastructure switches, where it lies dormant until needed.
Second, a security event is detected. This can be detected in any number of ways, including host- or network-based intrusion detection, a syslog message, behavioral anomaly detection, or any of a number of other detection strategies. A key attribute of the Enterasys solution is the fact that it is open: both Enterasys detection technology and third-party detection technology can be integrated into the solution.
Third, the source of the event is located. A typical intrusion detection device provides the source IP address of the offending end system, along with the nature of the offence. Although useful, the IP address does not indicate the physical location of the offence, hence action cannot be taken against it. Enterasys switches provide a distributed directory database which contains information about the physical location of any given end system on the network. Included in this database are the IP address, MAC address, physical port, and authenticated user. By searching this database for the IP address, the actual switch and port of the offending end system is located.
Note that strategies also exist to perform this search function in non-Enterasys networks, leveraging the industry-standard IpNetToMedia and Dot1dTpFdb MIBs.
Lastly, action against the perpetrator is taken. The quarantine policy established in step 1 is dynamically applied to stop the attack or non-compliant activity. Enterasys switches have very granular policies, such that only the specific protocol or traffic flow which is being abused is blocked. This has the distinct advantage of allowing critical traffic such as VoIP to continue to flow while stopping only the traffic in question. Third-party switches can be employed as well, but the policies won’t be as granular.
Two additional benefits of the solution are:
• Ability to redirect an errant user to a web page explaining the violation, how to remedy it and how to become compliant
• Ability to notify the network administrator of the event so that remedial action and auditing can occur
Thus, the non-compliant activity is stopped while the availability of the infrastructure is maintained. A key compliance benefit of this solution is that attacks can be stopped before they have a material impact on the operation of the business.
A concrete example of this comes from a large petrochemical company in Australia. This company had a converged network, which means that not only data but also voice traffic was traversing the infrastructure. Unfortunately, this organization was hit by a virulent worm attack, which was totally uncontained and infected the vast majority of the Windows-based workstations within the infrastructure. The attack was so potent that administrators were unable even to download the required patch. The infrastructure had to be halted for more than 48 hours to patch the devices, adversely impacting the productivity of 3,600 employees.
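The “locate” step of the procedure above, as an added example that is not Enterasys code: given the source IP an IDS reports, resolve it to a MAC via ipNetToMediaTable and then find the edge switch port via dot1dTpFdbTable, the two standard MIBs the paper names for non-Enterasys networks. The switch names, addresses and table rows are constructed sample data standing in for SNMP walks, and the “fewest learned MACs” rule used to tell an edge port from an uplink is an assumption of this example, not something the paper describes.

```python
# Added example (not Enterasys code): the "locate" step above, done with the two
# standard MIB tables the paper names; all rows are constructed sample data.
from typing import Dict, Optional, Tuple

# ipNetToMediaTable on the L3 gateway: IP -> MAC (constructed sample).
IP_NET_TO_MEDIA: Dict[str, str] = {
    "10.1.5.23": "00:11:22:33:44:55",
    "10.1.5.24": "00:11:22:33:44:66",
}
# dot1dTpFdbTable per switch: MAC -> (dot1dTpFdbPort, dot1dTpFdbStatus), where
# status 3 = learned, 4 = self. The core switch sees both hosts on its uplink
# port 48, so a naive "first match" would point at the wrong port.
FDB: Dict[str, Dict[str, Tuple[int, int]]] = {
    "sw-access-01": {
        "00:11:22:33:44:55": (12, 3),
        "00:11:22:33:44:66": (7, 3),
        "00:aa:bb:cc:dd:01": (0, 4),  # the switch's own bridge address
    },
    "sw-core-01": {
        "00:11:22:33:44:55": (48, 3),
        "00:11:22:33:44:66": (48, 3),
        "00:11:22:33:44:77": (48, 3),
    },
}
LEARNED = 3

def ip_to_mac(ip: str) -> Optional[str]:
    """Resolve IP to MAC via ipNetToMediaTable; None if the host is unknown."""
    return IP_NET_TO_MEDIA.get(ip)

def locate_mac(mac: str) -> Optional[Tuple[str, int]]:
    """Return the edge (switch, port) for a MAC, or None if unknown/ambiguous.

    Every switch on the path learns the MAC, but only the edge port has a
    single learned address behind it; uplinks carry many. Prefer the port with
    the fewest learned MACs (an assumption of this example) and refuse to
    guess on a tie rather than quarantine the wrong port.
    """
    candidates = []
    for switch, table in FDB.items():
        entry = table.get(mac)
        if entry is None or entry[1] != LEARNED:
            continue
        port = entry[0]
        fan_out = sum(1 for p, s in table.values() if p == port and s == LEARNED)
        candidates.append((fan_out, switch, port))
    candidates.sort()
    if not candidates or (len(candidates) > 1 and candidates[0][0] == candidates[1][0]):
        return None
    return candidates[0][1], candidates[0][2]

def locate_ip(ip: str) -> Optional[Tuple[str, str, int]]:
    """IP -> MAC -> (switch, port): what an IDS alert's source IP needs."""
    mac = ip_to_mac(ip)
    loc = locate_mac(mac) if mac else None
    return None if loc is None else (mac, loc[0], loc[1])
```

A real deployment would pull both tables over SNMP (and per-VLAN for switches that keep separate forwarding tables) instead of the dictionaries used here.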
Imagine if this attack had occurred during the end-of-quarter sales push, or while the quarterly financial report was being prepared – the impact would have been exceptionally severe, and indeed would have resulted in a major compliance anomaly. Deployment of Enterasys integrated technology would have contained this event to a very small part of the infrastructure, and would have effectively mitigated this serious event.
[Diagram: Policy Admin; Intruder; Security Event Detection; Event Source Location; Action Against Event Source; Quarantine]

Auditing and Reporting
Of course, the ability to audit activities and generate reports on these activities is critically important, as compliance with regulations is frequently audited. Enterasys offers the Dragon Security Command Console, or DSCC, to integrate and simplify network monitoring, auditing and reporting. DSCC automatically learns:
• Attached devices
• Which devices are servers and which devices are clients
• What protocols are allowed
• The traffic volume of each protocol
• The traffic profile vs. time
DSCC can leverage existing installed infrastructure as a security or monitoring device. DSCC can gain critical information from:
• NetFlow
• Syslog from devices or servers
• Check Point OPSEC
• SNMP/SNMP Trap
• Intrusion Detection Systems
Therefore, existing network devices such as switches and routers can be used as sampling flow sensors and contribute to the flow anomaly detection capabilities of the device. Existing firewalls and intrusion detection/prevention devices can also be integrated into the DSCC framework. Servers can add to this information through syslog. DSCC serves as a virtual data warehouse for all security-related events that traverse your infrastructure. DSCC has the ability to mine this data for significant events, and then generate reports based on these events to help prove compliance.
An example of some of the compliance report templates found in DSCC is shown below.

Summary
All organizations today are faced with mandated regulatory compliance issues. We have demonstrated some typical compliance problems that all organizations may face, and why compliance is important to your organization both competitively and legally. As explained, the IT infrastructure is a significant tool to be used in a comprehensive compliance program, as it is in effect the path through which all business information flows. We have introduced a management framework, CobiT, which can be used to guide you through the implementation of a technical solution, and the subsequent auditing of that solution. Finally, we have introduced the Enterasys Secure Networks™ architecture as a virtual “toolkit” to implement the technical solution. With an Enterasys solution, you can ensure the security and reliability of data on the business network, and you can obtain critical visibility into the status of compliance with regulations and mandates important to your organization. If you want to architect a compliance supportive network that easily and effectively enforces the right business and security policies, at the right time, look to Enterasys to provide the industry’s leading solution.

Contact Us
© 2007 Enterasys Networks, Inc. All rights reserved. Enterasys is a registered trademark. Secure Networks is a trademark of Enterasys Networks. All other products or services referenced herein are identified by the trademarks or service marks of their respective companies or organizations. NOTE: Enterasys Networks reserves the right to change specifications without notice. Please contact your representative to confirm current specifications. 10/07
Delivering on our promises. On-time. On-budget.
For more information, call Enterasys Networks toll free at 1-877-801-7082, or +1-978-684-1000 and visit us on the Web at enterasys.com