Secure Networks Technology Foundation

Shared by: C Gunnison
Posted: 12/29/2007
Page 1 of 24 • Whitepaper

Table of Contents

1. Executive Summary
2. Basis for Secure Networks: Multilayer Frame Classification and Distributed, Flow-Based Architecture
   Role Definition
      Port-Based Rules
      User-Based Rules
   Frame Inspection
      Data Link (OSI Layer 2) Inspection
      Network (OSI Layer 3) Inspection
      Transport (OSI Layer 4) Inspection
   Action
      Discard
      Forward
      Prioritize
      Rate Limit
      Contain
   Distributed, Flow-Based Architecture
3. Advanced, Policy-Based Management Capability
   Policy Creation
   Policy Distribution
   Enforcement of Policy
      Web-Based Authentication
      IEEE 802.1X EAP
4. Architectures Built for Speed vs. Architectures Built for Security
5. Traditional Approaches Make Robust Security Difficult
6. Secure Networks Solutions
   Acceptable Use Policy
   Secure Application Provisioning
   Secure Guest Access
   Dynamic Intrusion Response
7. Conclusion

1. Executive Summary

Today's security threats place expectations on network architectures that differ sharply from the demands of the simple connectivity and applications of the past. Enhanced security means adding visibility and granular control while at the same time intensifying the need for rapid response and flexibility. This creates a push-and-pull effect: the security officer of an organization wants to lock everything down, while the traditional information officer wants maximum information flow. Unfortunately, traditional infrastructure technologies that have been optimized for moving data present real problems when it comes to locating, isolating and containing security threats. Over the last decade these technologies, specifically switching and routing, have done exceedingly well at increasing performance and adding features, but their overall architecture has essentially remained unchanged.
For example, solutions that use Access Control Lists (ACLs) and VLANs in a centralized switch design are severely limited when it comes to providing the level of control needed to combat security threats. Secure Networks technology from Enterasys instead leverages distributed, flow-based switching and advanced policy-based management to bridge the gap between the need for rapid response and flexibility and the demand for greater visibility and granular control. Drawing on technologies that Enterasys developed and refined over years, Secure Networks solutions combine software management capabilities with embedded hardware features to create a more intelligent and cohesive network architecture, one that provides advanced security mechanisms without compromising network flexibility or performance.

2. Basis for Secure Networks: Multilayer Frame Classification and Distributed, Flow-Based Architecture

Enterasys has built into its network products the capability on which Secure Networks rests: the ability to classify traffic as it enters the network, at the first intelligent ingress point. Classification rules built into the network hardware understand a role definition, perform inspection and then take action on traffic as it enters the network. These rules combine with a distributed, flow-based implementation to provide this capability at high speed, which Enterasys positions as the only solution in the industry able to deliver a true Secure Network. To explain the capability, each component of multilayer classification is examined below along with its uses and advantages, followed by the distributed, flow-based architecture that implements it.

Role Definition

Defining the role of a device that wants to connect to the network is very important in creating the classification rules.
Understanding what will connect to the network, how it will connect and who will be using it determines which classification rule is applied at the ingress point. With Enterasys technology, classification can be applied either as a port-based rule (the approach used by most vendors) or as a user-based rule. The choice depends on the level of control and granularity desired.

Port-Based Rules

A port-based rule can be applied to a single port, a group of ports or an entire switch. It is fairly generic and does not care which device is connected to the port. In general, a port-based rule is used when greater granularity is not required or when the user of the port cannot be determined.

User-Based Rules

As the name implies, a user-based rule is applied to a known user on the network. This is much more granular than a port-based rule: many users may share the same port, each with a different classification rule. That is typically the case when a port is an uplink from a wireless access point or another access-layer device. For a user-based rule to be implemented, the network must invoke an authentication mechanism such as IEEE 802.1X or web-based authentication. The authentication mechanism, combined with an advanced policy-based management system (discussed in the next section), makes it possible to create as much granularity as is desired in any network environment.

Frame Inspection

Once a classification rule is defined (port- or user-based), the next step in multilayer classification is to inspect the frames entering the network. Traffic is identified from the frame's Data Link (OSI Layer 2), Network (OSI Layer 3) or Transport (OSI Layer 4) information.
Enterasys technology makes classification decisions on information at Layers 2 through 4 and then forwards the frame using either a switching or a routing engine, depending on the device.

Data Link (OSI Layer 2) Inspection

Inspection at this level can be very specific or very general, depending on the classification desired. Frames can be identified by their source MAC address, so a rule can target a specific (usually unique) Ethernet device or a specific hardware manufacturer through the MAC prefix (the OUI). A MAC address is assigned by the hardware but can be changed in software on most hosts, so a rule keyed on it identifies a device by convention only. The other option at this level is to inspect the Ethertype field, which identifies the Layer 3 protocol in use, such as IPX, AppleTalk or IP. This is very useful for filtering all IPX or AppleTalk traffic out of a network.

Network (OSI Layer 3) Inspection

Inspection at this level classifies traffic on specific fields of the network protocol (IP or IPX) header. The information at the network layer is quite useful and offers significant flexibility. Here it is possible to read the IP Type of Service (ToS) byte, which carries the DSCP value used for DiffServ Quality of Service, and to determine which higher-layer protocol is carried (TCP, UDP, ICMP, etc.) from the IP Protocol field. With IP it is also possible to determine the source and destination addresses of the communicating hosts, including their subnets. This is less useful than it once was: with the widespread use of DHCP, the link between an IP address and an actual user identity is no longer guaranteed, and a sender can forge its source address in any case. With IPX it is possible to examine frames on IPX Class of Service, Packet Type, Network and Socket Numbers.

Transport (OSI Layer 4) Inspection

Inspection at Layer 4 is the simplest to understand and also the most powerful.
At Layer 4 it is possible to classify frames on the TCP or UDP port numbers of IP packets. The port number identifies the application and in many cases a defined type of communication for that application: web (HTTP) traffic, e-mail traffic, SNMP management traffic and a whole host of other types. Rules at this layer therefore identify and classify applications, and let network administrators control who sees which applications. One caveat applies: a port number identifies an application by convention only. Any program can listen on any port, so a Layer 4 rule classifies the nominal service, not the payload actually carried.

Figure 1. The OSI Layer Model

Action

Once roles have been identified, rules defined and frames inspected, it remains to determine what action is taken when a rule matches. There are two main actions, Discard and Forward. When forwarding, three further options apply: Containment, Prioritization and Rate Limiting.

Figure 2. Secure Networks multilayer classification

Discard

Discarding frames simply drops undesirable traffic. Any traffic prohibited by business or security policy usually falls into this category. Many organizations do not implement this capability, but it is worth considering: in many cases there are clearly undesirable types of traffic that should not, under any circumstances, be allowed to traverse certain ports. A few examples:

• Routing table updates sent by end-user stations
• Unwanted protocols such as AppleTalk or IPX that an organization has decided should no longer exist on the network
• End-user stations acting as DHCP servers
• Malformed IP frames or IP frames with illegal flags set

In all of these cases, discarding the frame at the first opportunity makes a great deal of sense. These are only a few examples; a number of other traffic types should also be considered for discard.
Forward

Forwarding can take many forms. In its simplest form a frame is forwarded without further processing, which is usually the case when no other policies are set and nothing beyond eliminating bad or undesirable traffic needs to be considered. In most cases, however, some further processing is preferred, to meet the goals of the business and to make sure that all applications are well served. The additional processing available is prioritization, rate limiting and containment.

Prioritize

As part of a Quality of Service (QoS) system, it is possible to define different classes of service. Each class is defined by a priority level that can be set in the frames themselves. This prioritization determines which frames (in practice, which applications) are serviced first by the devices along the communication path. By setting different priorities, it is possible to ensure that some applications, such as a mission-critical voice conversation, are served before others, such as web surfing.

Rate Limit

In addition to prioritizing, it is sometimes desirable to set rate limits on traffic. Rate limits can be set per application to ensure that no application overburdens the network. Combining rate limits with prioritization yields a Committed Information Rate (CIR). In addition, by setting and adjusting rate limits dynamically on external input, the system can change with conditions outside the network. For instance, if a necessary protocol were found to be hijacked by an attacker to propagate an attack, a rate limit could be set dynamically so that each user still has enough bandwidth to keep working with the critical protocol, but not enough for the attack to spread quickly.
Contain

Containment is used to group certain users, protocols or applications together; it also contains the broadcast domain of the users grouped in this way. This was the original intention of VLANs when they were developed years ago. As frames enter the network, a containment rule segregates the traffic and places it into a contain group. This is typically used as a simple classification rule, a default way to handle a specific type of application, and for many vendors it is the only option available for handling different applications. The most typical use of such a rule is by vendors who sell VoIP equipment as well as network equipment: the rule identifies a VoIP handset or softphone as it enters the network, and a containment rule groups all such devices together to protect them from outside influence. While this protects the application from some outside issues, it does not protect it when the problem is inside the VLAN. That happens when a member of the group has a virus or worm or is compromised in some other way, or when an attacker manages to convince the ingress device that their station also belongs in the containment VLAN, for example by imitating whatever the containment rule keys on, such as a handset's MAC address or protocol signature.

Distributed, Flow-Based Architecture

Multilayer classification gives Enterasys technology a great deal of power for building more secure solutions. Having this level of control, however, is not enough if the demanded bandwidth cannot be met. To maintain granularity and control while providing industry-leading performance, a distributed, flow-based architecture was developed: all of the capabilities described above are applied to data streams as they traverse the fabric of the network, starting at the first ingress point.
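The classification pipeline of this section, as an added example that is not part of the original whitepaper or of any Enterasys product: Python code that parses constructed Ethernet frames at Layers 2 to 4, applies an ordered per-role rule list covering the discard cases listed above (routing updates and DHCP server replies from end-user stations, IPX frames, a TCP segment with SYN and FIN set together), marks DSCP EF traffic for priority, and caches the decision taken on the first frame of each flow by role and 5-tuple so that later frames of the same flow skip the rules, which is the flow-based handling this section describes. The role names, rule names, action strings and sample frames are all constructed for illustration.

```python
import struct
from ipaddress import ip_address

ETH_IPV4, ETH_IPX, ETH_APPLETALK = 0x0800, 0x8137, 0x809B
DSCP_EF = 46   # Expedited Forwarding, the usual DiffServ marking for voice


def parse(frame: bytes) -> dict:
    """Extract the L2-L4 fields a rule can key on; flag malformed frames."""
    f = dict(ethertype=None, oui=None, tos=0, proto=None, src_ip=None,
             dst_ip=None, sport=None, dport=None, malformed=None)
    if len(frame) < 14:
        f["malformed"] = "short frame"
        return f
    f["oui"], f["ethertype"] = frame[6:9], struct.unpack("!H", frame[12:14])[0]
    if f["ethertype"] != ETH_IPV4:
        return f
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4 if ip else 0
    if len(ip) < 20 or (ip[0] >> 4) != 4 or ihl < 20 or ihl > len(ip):
        f["malformed"] = "bad IPv4 header"
        return f
    f.update(tos=ip[1], proto=ip[9], src_ip=ip_address(ip[12:16]),
             dst_ip=ip_address(ip[16:20]))
    l4 = ip[ihl:]
    if f["proto"] in (6, 17) and len(l4) >= 4:            # TCP or UDP ports
        f["sport"], f["dport"] = struct.unpack("!HH", l4[:4])
    if f["proto"] == 6 and len(l4) >= 14 and (l4[13] & 0x03) == 0x03:
        f["malformed"] = "TCP SYN and FIN set together"  # illegal flag combination
    return f


# Ordered rules per port role (name, predicate, action): first match wins, else forward.
BASE = [("drop malformed", lambda f: f["malformed"], "discard")]
RULES = {
    "end_user_port": BASE + [
        ("no legacy protocols", lambda f: f["ethertype"] in (ETH_IPX, ETH_APPLETALK), "discard"),
        ("no rogue DHCP server", lambda f: f["proto"] == 17 and f["sport"] == 67, "discard"),
        ("no routing updates", lambda f: f["proto"] == 89 or f["dport"] == 520, "discard"),
        ("voice first", lambda f: (f["tos"] >> 2) == DSCP_EF, "prioritize:5"),
    ],
    "router_port": BASE,   # a router may send what an end-user port may not
}


def flow_key(role, f):
    """Role plus 5-tuple; None when the frame cannot seed a cacheable flow."""
    if f["malformed"] or f["proto"] is None:
        return None
    return (role, f["src_ip"], f["dst_ip"], f["proto"], f["sport"], f["dport"])


class Classifier:
    def __init__(self, rules):
        self.rules, self.cache, self.evaluations = rules, {}, 0

    def classify(self, role, frame):
        f = parse(frame)
        key = flow_key(role, f)
        if key in self.cache:                     # later frame of a known flow
            return self.cache[key]
        self.evaluations += 1                     # first frame: run the rules
        action = next((act for _, match, act in self.rules[role] if match(f)), "forward")
        if key:                                   # malformed frames never seed the cache
            self.cache[key] = action
        return action


# Constructed sample frames (checksums left zero; the classifier does not verify them).
def eth(src_mac, ethertype, payload=b""):
    return b"\xff" * 6 + src_mac + struct.pack("!H", ethertype) + payload

def ipv4(proto, src, dst, l4=b"", tos=0):
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(l4), 0, 0, 64, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed) + l4

def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

def tcp(sport, dport, flags=0x02):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 0, 0, 0)


def demo():
    """Classify the samples; returns (decisions, rule evaluations, cached flows)."""
    c, mac = Classifier(RULES), b"\x00\x11\x22\x33\x44\x55"
    web = eth(mac, ETH_IPV4, ipv4(6, "10.1.1.5", "10.9.9.9", tcp(40000, 80)))
    rip = eth(mac, ETH_IPV4, ipv4(17, "10.1.1.5", "224.0.0.9", udp(520, 520)))
    out = {
        "web": c.classify("end_user_port", web),
        "web again": c.classify("end_user_port", web),       # served from the flow cache
        "rogue dhcp": c.classify("end_user_port", eth(mac, ETH_IPV4,
            ipv4(17, "10.1.1.5", "10.1.1.7", udp(67, 68)))),
        "rip from user": c.classify("end_user_port", rip),
        "rip from router": c.classify("router_port", rip),    # same frame, different role
        "ipx": c.classify("end_user_port", eth(mac, ETH_IPX, b"\xff\xff")),
        "syn+fin": c.classify("end_user_port", eth(mac, ETH_IPV4,
            ipv4(6, "10.1.1.5", "10.9.9.9", tcp(40001, 80, flags=0x03)))),
        "voice": c.classify("end_user_port", eth(mac, ETH_IPV4,
            ipv4(17, "10.1.1.5", "10.2.2.2", udp(5004, 5004), tos=DSCP_EF << 2))),
    }
    return out, c.evaluations, len(c.cache)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Two design points carry over to a real deployment: the role is part of the cache key, which is what lets the same RIP frame be dropped on an end-user port and forwarded on a router port, and a frame that fails parsing never seeds the cache, since a parse failure should not decide the fate of every later frame that happens to share its 5-tuple.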
As networks have increased in speed, there was a serious concern that providing this capability could burden the network and create a bottleneck as traffic is processed. Enterasys addressed this by building a distributed, flow-based architecture into its Matrix N-Series switching platform. When a communications flow is established between two end points, the first packets of that flow are processed through the switch's multilayer classification engine: the role is identified, the applicable rules are determined, the frames are inspected and the action is determined. Once the flow has been identified, all subsequent frames of that flow are handled according to that decision without further processing. If the flow changes in any way, a new flow is identified and the rules are applied afresh. In this way Enterasys can apply a very granular level of control to each flow at the switch level while handling a large volume of traffic. The architecture is distributed in that each switch blade in a Matrix N-Series platform can function independently of the other blades, giving distributed processing and no single point of failure. Enterasys regards this capability as unique in the industry and as the basis of its leading position in building Secure Networks.

3. Advanced, Policy-Based Management Capability

Multilayer frame classification and the distributed, flow-based architecture form the foundation for Secure Networks, but the system would not be useful if it were difficult to manage or configure. That led to the development of an advanced policy-based management system: to take advantage of all the capabilities in the underlying infrastructure, a simple yet powerful management system was required.
There are three distinct steps in the policy management system:

1. Policy Creation
2. Policy Distribution
3. Enforcement of Policy

Policy Creation

To understand the policy-based management system, consider how organizations use their networks today. The network has become the delivery mechanism for services provided to the various groups within the organization. Groups are defined by the roles they fulfill, or the behavioral profile they follow: sales people, for instance, will use the network differently and access different resources than engineers or administrators. These roles are in many cases already defined in directory services maintained by human resources or elsewhere. Once the roles are understood, the services needed by each role can be determined. Services can be defined as the underlying protocols that reach specific applications, together with an understanding of which of these protocols matter more than others. Once this relationship is understood, the classification rules that deliver each service can be defined.

Figure 3. Matching roles to services to rules

Enterasys' NetSight Atlas Policy Manager lets all of this happen in a single interface. Its purpose is to let operators:

1. Define roles that match those used in the organization (generally the names already used in any existing system)
2. Define the services required by these roles
3. Determine the classification rules that make delivery of the defined services possible

A number of policies are predefined in the system for operators to use from the start. These cover standard situations in which certain types of malicious or suspect traffic should be handled specially or dropped altogether.
For a more detailed discussion of the NetSight Atlas Policy Manager see http://www.enterasys.com/products/management/NSA-PM-LIC/

Policy Distribution

Once these objects are defined, policy distribution is accomplished with the NetSight Atlas Policy Manager application. Each policy is created in a graphical user interface and deployed on the policy management system, which is then responsible for distributing the policies across the entire infrastructure without manual intervention by the operator. Any policy can thus be defined once on the management system and disseminated to potentially hundreds or thousands of devices with one action. The Policy Manager, together with other applications in the NetSight Atlas suite, understands the topology of the network and the devices that make it up. Each device may need different classification rules deployed in different ways to effect the policy the business wants; the policy manager understands this and makes the necessary changes for each device. The policies are then sent to the Enterasys devices over a secure link using SNMPv3. SNMPv3 only protects this channel when its authentication and privacy options are enabled for the management user (the authPriv security level); with noAuthNoPriv the policies travel in the clear, just as with SNMPv1 and v2c. All of this is part of policy distribution and can happen at initial setup or as required by a changing environment; this dynamic use of policy distribution is described later in connection with the various Secure Networks solutions. Note that once a policy is distributed to the infrastructure devices, it resides on those devices: during normal operation an intelligent switch (like the Matrix) looks up the policy locally to determine the proper action, without communicating with the central management system, which eliminates costly delays.
The management system only becomes involved when policies are added, changed or deleted.

Enforcement of Policy

Once the policies are defined and distributed, enforcement is the last part of the policy management system. Enforcement can take place at the first ingress point to the network (assuming an intelligent edge capable of this function), further in at the distribution layer, or at any point where an Enterasys intelligent device has been deployed. As noted previously, Enterasys multilayer frame classification makes this possible. Since frame classification can act on ports or on users, the two methods need to be distinguished. Port-based definitions let operators statically control all traffic entering at a specific location in the same way. This is useful when the device connected at that point is static and unlikely to change, such as routers, servers in computer rooms, printers or other fixed resources. People, on the other hand, are not fixed resources; they change and move constantly, and for them a more dynamic approach is required: user-based definitions. As mentioned previously, for user-based definitions to be effective, the network must be able to identify the specific user. This can be done with either web-based authentication or IEEE 802.1X with the Extensible Authentication Protocol (EAP).

Web-Based Authentication

Web-based authentication presents the user with a sign-on page in their browser the first time they attempt to access the network through an Enterasys switch. This is useful for users whose operating system has no built-in 802.1X supplicant, or for organizations that do not wish to deploy 802.1X yet. Because the credentials are typed into a web form, the sign-on page should be served over TLS (HTTPS); over plain HTTP the password crosses the access link in the clear and can be captured by anyone on the same segment. The web authentication system captures the supplied credentials and then connects to a back-end RADIUS server.
The RADIUS server can either authenticate the user from its own database or pass the credentials on to a directory service for authentication and authorization. The directory service together with the RADIUS server, or the RADIUS server alone, then responds to the originating switch with a PASS/FAIL message (a RADIUS Access-Accept or Access-Reject) indicating whether the user was recognized. If the user was recognized, the authentication system also passes along the group membership for that user, which the switch uses to tie the user to a role and therefore to a set of services and classification rules.

IEEE 802.1X EAP

IEEE 802.1X is a standards-based method of passing user credentials to networking devices; it carries the Extensible Authentication Protocol (EAP) between the client and the switch. Enterasys developed 802.1X in conjunction with Microsoft, it is published as an IEEE standard, and supplicants for it are already built into most operating systems. The benefit of 802.1X is that the user's credentials can be passed to the network without manual intervention by the user: when users first identify themselves to the operating system, those credentials are also used to identify them to the network. This provides a single, unified set of credentials that can be managed more easily in new Identity Management (IdM) systems. The operating system supplies the credentials to the network when the network challenges it with an 802.1X request. Once the credentials are given, the system works the same way as with web-based authentication, except that the switch does not see the credentials itself: it relays the EAP exchange to a back-end RADIUS server, which can either authenticate the user from its own database or pass the credentials on to a directory service for authentication and authorization.
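The RADIUS exchange that both authentication methods end in, as an added example that is not part of the original whitepaper or of NetSight: Python code for the switch side (build an Access-Request, verify the reply, derive the role) and the server side (check the credentials, answer Access-Accept carrying the group or Access-Reject) of RFC 2865 RADIUS, with the User-Password hidden under the shared secret as the RFC specifies. The user table, shared secret, role names and the choice of Filter-Id (attribute 11) as the attribute carrying the group membership are assumptions; the whitepaper does not name the attribute.

```python
import hashlib
import os
import struct

# RADIUS codes and attribute types (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT, FILTER_ID = 1, 2, 5, 11

# Constructed user table and role mapping; a real server consults a directory.
USERS = {b"alice": (b"s3cret", b"Sales")}                       # name -> (password, group)
ROLE_BY_GROUP = {b"Sales": "sales", b"Engineering": "engineering"}  # assumed policy roles


def attr(t, value):
    """One Type-Length-Value attribute."""
    return struct.pack("!BB", t, 2 + len(value)) + value


def parse_attrs(data):
    """TLV list -> {type: value}; refuses truncated or zero-length attributes."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return out


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password (the server side)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def access_request(ident, username, password, nas_port, secret):
    """Switch side: build an Access-Request; returns (packet, request authenticator)."""
    req_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return head + req_auth + attrs, req_auth


def radius_server(request, secret):
    """Server side: Access-Accept with the group in Filter-Id, or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = request[4:20], parse_attrs(request[20:])
    name = attrs.get(USER_NAME, b"")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    if name in USERS and USERS[name][0] == password:
        code, rattrs = ACCESS_ACCEPT, attr(FILTER_ID, USERS[name][1])
    else:
        code, rattrs = ACCESS_REJECT, b""
    head = struct.pack("!BBH", code, ident, 20 + len(rattrs))
    # Response Authenticator binds the reply to the request and to the shared secret.
    resp_auth = hashlib.md5(head + req_auth + rattrs + secret).digest()
    return head + resp_auth + rattrs


def switch_authenticate(username, password, nas_port, secret, server=radius_server, ident=1):
    """Switch side: send the request, verify the reply, return ('pass', role) or ('fail', None)."""
    request, req_auth = access_request(ident, username, password, nas_port, secret)
    reply = server(request, secret)          # a real switch sends this over UDP/1812
    code, rid, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if rid != ident or length != len(reply) or reply[4:20] != expected:
        return "fail", None                  # not a genuine reply to our request
    if code != ACCESS_ACCEPT:
        return "fail", None
    group = parse_attrs(reply[20:]).get(FILTER_ID)
    return "pass", ROLE_BY_GROUP.get(group, "guest")   # unknown group: assumed default role


if __name__ == "__main__":
    print(switch_authenticate(b"alice", b"s3cret", 7, b"testing123"))
```

The Response Authenticator is an MD5 digest over the reply and the shared secret, so a switch that checks it discards an Access-Accept from any host that does not know the secret; that is the only thing standing between a spoofed reply and a granted role, which is why the secret should be long, random and unique per switch, and why RADIUS traffic should additionally be confined to a management network.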
The RADIUS server's PASS/FAIL response and the mapping of the returned group membership to a role then proceed exactly as for web-based authentication. At this point the user's role is known and enforcement of policy takes place.

Figure 4. Secure Networks policy and authentication system

4. Architectures Built for Speed vs. Architectures Built for Security

Over the years customers have demanded more functionality from their networks in the areas of access control, packet classification and QoS at the edge. This demand, however, has been dramatically overshadowed by most vendors' drive to increase the capacity and bandwidth of the interfaces and, with them, the backplane. Unfortunately, most traditional network and switch architectures that evolved to increase speed have actually decreased their ability to deliver control. These architectures emphasize 10/100/1000 and 10-Gigabit Ethernet performance without regard for managing how that bandwidth is used and by whom. Specifically, centralized and even semi-distributed switch designs require a single engine to do the high-touch control of traffic. That was adequate for limited QoS control applied to all traffic for all users. The granular management required for proper security measures, however, demands a much greater level of access control, packet classification and QoS capability in the edge switch. Security mandates that a network administrator be able to isolate and control traffic right down to a specific user and application, without adversely affecting other applications and users.
This is why Enterasys' Matrix N-Series has a distributed, flow-based design able to handle hundreds of thousands of unique policies to isolate and control traffic. It is fully distributed, with CPUs and custom ASICs on every module in every slot. This lets the switch pinpoint the exact flows of a virus or worm and prevent that traffic from affecting other users on the network, quickly and efficiently. The harmful traffic can be modified, redirected or dropped entirely.

5. Traditional Approaches Make Robust Security Difficult

As enterprise networking technology has evolved over the last twenty years, access control of users and applications has been tightly coupled to the architecture of the edge devices. Specifically, traditional edge switches rely exclusively on Access Control Lists (ACLs) to control traffic. An ACL is simply a list of deny or permit commands typed (via a CLI) into the switch's configuration. Separate ACLs are required for setting QoS parameters, meaning still more command entries. ACLs are very static, and because entries are evaluated top-down with the first match winning, even the order of entry affects the outcome: an entry placed below a broader one is never reached. Moreover, ACLs must be configured on specific switches and at the interface, VLAN (a collection of users typically defined by department, floor, etc.) or port level. Most switches of this generation do not support ACLs at the port level, so the VLAN is the finest granularity available. Another disadvantage of ACLs is the accumulation of "ACL dust bunnies": ACLs that were configured at some point but have been rendered unused by ACLs added over time. Typically, network administrators no longer know what these ACLs are for and would rather leave them alone than remove them and wait for the consequences. Furthermore, most of these traditional approaches put users in a VLAN and then applied an ACL.
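The two ACL problems just described, order dependence and entries that nothing can ever reach, as an added example that is not part of the original whitepaper or of any vendor's CLI: a small first-match ACL evaluator in Python over a constructed, simplified entry syntax, plus a check that reports entries shadowed by an earlier, broader entry, which is one way to hunt for "ACL dust bunnies" before deleting them blind.

```python
from ipaddress import ip_address, ip_network

# Simplified ACL entry: (action, protocol, source net, destination net, destination port).
# "any" and "*" are wildcards; this syntax is an assumption made for illustration.


def _in_net(addr, net):
    return net == "any" or ip_address(addr) in ip_network(net)


def matches(entry, proto, src, dst, dport):
    """Does this packet match this entry?"""
    _, eproto, esrc, edst, edport = entry
    return ((eproto == "any" or eproto == proto) and _in_net(src, esrc)
            and _in_net(dst, edst) and (edport == "*" or edport == dport))


def evaluate(acl, proto, src, dst, dport):
    """Top-down, first match wins; returns (action, index) or the implicit ('deny', None)."""
    for i, entry in enumerate(acl):
        if matches(entry, proto, src, dst, dport):
            return entry[0], i
    return "deny", None


def _net_covers(a, b):
    return a == "any" or (b != "any" and ip_network(b).subnet_of(ip_network(a)))


def covers(a, b):
    """True when every packet entry b could match is already matched by entry a."""
    _, ap, asrc, adst, aport = a
    _, bp, bsrc, bdst, bport = b
    return ((ap == "any" or ap == bp) and _net_covers(asrc, bsrc)
            and _net_covers(adst, bdst) and (aport == "*" or aport == bport))


def shadowed(acl):
    """Indices of entries no packet can reach because a single earlier entry covers them.
    An entry hidden only by the union of several earlier entries is not detected."""
    return [j for j in range(len(acl)) if any(covers(acl[i], acl[j]) for i in range(j))]


# Constructed ACL: entry 1 was meant to block one host but sits below the broad permit.
ACL = [
    ("permit", "tcp", "10.0.0.0/8", "any", 80),               # 0
    ("deny", "tcp", "10.1.1.5/32", "any", 80),                # 1: shadowed by 0
    ("permit", "udp", "10.0.0.0/8", "10.200.0.10/32", 53),    # 2
    ("deny", "any", "any", "any", "*"),                       # 3: catch-all
    ("permit", "udp", "10.1.0.0/16", "10.200.0.10/32", 53),   # 4: dust bunny, covered by 2
]


def demo():
    """Show order dependence and the unreachable entries in ACL."""
    hits = {
        "web from 10.1.1.5": evaluate(ACL, "tcp", "10.1.1.5", "192.0.2.1", 80),
        "dns from 10.1.1.5": evaluate(ACL, "udp", "10.1.1.5", "10.200.0.10", 53),
        "ssh from 10.1.1.5": evaluate(ACL, "tcp", "10.1.1.5", "192.0.2.1", 22),
    }
    reordered = [ACL[1], ACL[0]] + ACL[2:]          # the same entries, deny moved first
    return hits, evaluate(reordered, "tcp", "10.1.1.5", "192.0.2.1", 80), shadowed(ACL)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The host-specific deny in entry 1 is silently ineffective until it is moved above the /8 permit, and entry 4 is a dust bunny in the whitepaper's sense: nothing it would permit gets past entry 2 (or the catch-all deny), so removing it changes nothing, which the shadow check confirms before anyone has to find out by deleting it.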
Using VLAN containment for security presents additional challenges, namely that the VLAN must first be created and configured network-wide, which takes time and additional network expertise. VLANs are also notoriously hard to troubleshoot when something goes wrong, because they are virtual and their traffic traverses the entire network. Simply stated, there is no control (or protection) between users, and their traffic, within the same VLAN; a virus or worm will propagate within a VLAN rapidly and freely. VLANs were designed as a broadcast containment mechanism, not a security mechanism.

6. Secure Networks Solutions

The technology in Enterasys hardware and software products is fully leveraged to deliver several Secure Networks solutions. The core solutions are Acceptable Use Policy, Secure Application Provisioning, Secure Guest Access and Dynamic Intrusion Response.

Acceptable Use Policy

Organizations understand that there are many possible ways to use a network, but that only a clearly defined set of them actually meets the objectives of the business. Developed as a set of business rules and policies that dictate how an organization's network infrastructure should be used, an Acceptable Use Policy is the foundation of a more business-enhancing network. Typically, an Acceptable Use Policy is formulated from a number of different business policies. A company's security policy, for example, may single out network traffic and services that should be disallowed from some or all points of the network, while other business policies dictate how high-priority, business-critical applications should be used.
Leveraging intelligent infrastructure products and policy management, an Acceptable Use Policy solution from Enterasys enables organizations to enforce their own acceptable use policy proactively and effectively. Using a central administration and control point for configuring the enterprise Acceptable Use Policy, an IT organization can quickly configure and enforce usage policies throughout the entire infrastructure. As network-attached devices connect and communicate, their traffic is monitored at the network access device and the appropriate policies are enforced against it. Undesirable network traffic can be eliminated right at the source, and specific attacks on network services can be quickly identified and eliminated through filtering rules. With an Acceptable Use Policy solution from Enterasys, a company can work more securely and efficiently: as access to undesirable applications and resources is eliminated, the bandwidth they consumed can be redirected to business-critical applications and resources, which improves the efficiency of the network, extends the viability of the infrastructure and lengthens its lifecycle.

Figure 5. Secure Networks Acceptable Use Policy solution

With a Secure Networks Acceptable Use Policy solution, the initial step is to use the NetSight Atlas Policy Manager to centrally configure and distribute an enterprise policy of acceptable use. Once the policy is defined in the Policy Manager, it is distributed to every applicable Enterasys network infrastructure device using SNMPv3 as the transport protocol. At this point, the Acceptable Use Policy can be statically applied to, and enforced at, each appropriate physical access port in the enterprise network.
The policy is then used to enforce security rules against all traffic entering the network through the access port. Policy parameters may include the filtering of undesirable protocols, known threats, and Internet-borne attacks on the network and its resources. The policy parameters may also carry QoS and application priority values that are consistent with the acceptable use of enterprise resources. Examples of typical Acceptable Use Policies that many organizations implement include:

• DHCP services allowed only from designated servers
• Routing protocol updates allowed only from designated routers
• Voice conversations limited to 100 Kbps of bandwidth per voice stream
• Malformed IP packets not allowed anywhere on the network
• Packets carrying known buffer-overflow attack patterns not permitted to reach systems susceptible to that vulnerability

There are a host of other valuable Acceptable Use Policies that can be deployed, many of which are predefined and ready for use by an organization.

Secure Application Provisioning

A business cannot run without its business-critical applications and network resources. Today the network infrastructure is not just a communications path, but the foundation for the availability of the applications that allow the business to operate effectively. Securing and provisioning these business-critical applications is a requirement for every IT organization. A Secure Application Provisioning model should allow an enterprise to differentiate security and Quality of Service levels for various business applications based upon their importance to the organization. Some business applications may also have different levels of security and importance for different groups or departments within the business: Sales may get high-priority access to a database while Engineering gets little or no access to the same database.
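The example rules above are easiest to understand as a classifier over Layer 2/3/4 fields plus a role that decides which rule set applies. The following is an added example written for this page, not Enterasys code or the NetSight policy format: it models each of the listed Acceptable Use Policies as a rule, resolves the role from the ingress port (port-based rule) or from an authenticated source MAC (user-based rule), and returns the action of the first matching rule. All addresses, port names, roles and rule parameters are constructed for illustration.

```python
"""Role-based policy engine in the style of the Acceptable Use Policy rules
above. Added example, not Enterasys code: every address, port, role and
rule is constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Frame:
    """Fields a multilayer (L2/L3/L4) classifier extracts from one frame."""
    port: str                   # ingress switch port
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str                  # "udp", "tcp", "icmp" or "ospf"
    src_port: int = 0
    dst_port: int = 0
    dscp: int = 0               # DiffServ code point; 46 (EF) marks voice
    ihl: int = 5                # IPv4 header length in 32-bit words
    ip_total_len: int = 64      # IPv4 total length field
    frame_len: int = 64         # bytes actually received
    payload: bytes = b""


@dataclass
class Rule:
    name: str
    match: Callable[[Frame], bool]
    action: str                  # "discard", "forward", "prioritize" or "rate_limit"
    param: Optional[int] = None  # priority class, or kbps cap for rate_limit


# Constructed inventory: designated servers/routers and role assignments.
DHCP_SERVERS = {"10.0.0.5", "10.0.0.6"}
ROUTERS = {"10.0.0.1", "10.0.1.1"}
SUSCEPTIBLE_HOSTS = {"10.0.2.20"}           # hosts still awaiting a patch
PORT_ROLE = {"ge.1.1": "Guest", "ge.1.2": "Guest", "ge.2.1": "Server"}
USER_ROLE = {"00:11:22:33:44:55": "Sales"}  # filled in by 802.1X/web/MAC auth
NOP_SLED = b"\x90" * 16                     # classic x86 overflow padding


def malformed_ip(f: Frame) -> bool:
    # IHL below 5 words is invalid; a total length larger than the bytes
    # that arrived on the wire is truncated or forged.
    return f.ihl < 5 or f.ip_total_len > f.frame_len


def rogue_dhcp(f: Frame) -> bool:
    # Server-originated DHCP (OFFER/ACK) uses UDP source port 67.
    return f.proto == "udp" and f.src_port == 67 and f.src_ip not in DHCP_SERVERS


def rogue_routing(f: Frame) -> bool:
    is_rip = f.proto == "udp" and f.dst_port == 520
    return (is_rip or f.proto == "ospf") and f.src_ip not in ROUTERS


def voice(f: Frame) -> bool:
    return f.proto == "udp" and f.dscp == 46


def overflow_attempt(f: Frame) -> bool:
    return f.dst_ip in SUSCEPTIBLE_HOSTS and NOP_SLED in f.payload


# Rules every role shares, in precedence order; first match wins.
BASE_RULES = [
    Rule("malformed-ip", malformed_ip, "discard"),
    Rule("dhcp-from-designated-servers-only", rogue_dhcp, "discard"),
    Rule("routing-from-designated-routers-only", rogue_routing, "discard"),
    Rule("overflow-pattern-to-unpatched-host", overflow_attempt, "discard"),
    Rule("voice-100kbps", voice, "rate_limit", 100),
]
ROLE_RULES = {
    "Guest": BASE_RULES + [
        Rule("guest-web-only", lambda f: f.proto == "tcp" and f.dst_port in (80, 443), "forward"),
        Rule("guest-deny-rest", lambda f: True, "discard"),
    ],
    "Sales": BASE_RULES + [
        Rule("sales-crm-priority", lambda f: f.dst_ip == "10.0.2.10" and f.dst_port == 1433, "prioritize", 5),
        Rule("default-forward", lambda f: True, "forward"),
    ],
    "Server": BASE_RULES + [Rule("default-forward", lambda f: True, "forward")],
}


def resolve_role(f: Frame) -> str:
    """User-based rule (authenticated MAC) overrides the port's default role."""
    return USER_ROLE.get(f.src_mac, PORT_ROLE.get(f.port, "Guest"))


def evaluate(f: Frame) -> tuple:
    """Return (rule name, action, parameter) for the first matching rule."""
    for rule in ROLE_RULES[resolve_role(f)]:
        if rule.match(f):
            return rule.name, rule.action, rule.param
    return "implicit-discard", "discard", None


if __name__ == "__main__":
    samples = [
        Frame("ge.1.1", "aa:aa:aa:aa:aa:01", "10.0.1.50", "255.255.255.255", "udp", 67, 68),
        Frame("ge.1.1", "00:11:22:33:44:55", "10.0.1.51", "10.0.2.10", "tcp", 50000, 1433),
        Frame("ge.1.2", "00:11:22:33:44:55", "10.0.1.52", "10.0.2.20", "tcp", 40000, 22,
              payload=b"A" * 8 + NOP_SLED),
        Frame("ge.1.2", "aa:aa:aa:aa:aa:03", "10.0.1.53", "10.0.3.7", "udp", 16384, 16385, dscp=46),
    ]
    for s in samples:
        print(s.port, resolve_role(s), evaluate(s))
```

Two points worth noting in this model. The "rate_limit" and "prioritize" actions still forward the frame; only the parameter differs, so they are placed after the discard rules. And the DHCP and routing rules key on the source IP, which a rogue host can spoof; binding those rules to the designated servers' physical ports (a port-based rule) is the stronger form, and is what a switch-resident policy makes possible.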
The basis of the priority and level of service is decided by the business policy, security policy, and operational requirements of the specific enterprise. Leveraging intelligent infrastructure products, policy management, and the ability to identify the users of a network when they first connect, a Secure Application Provisioning solution from Enterasys can dynamically apply security and Quality of Service policies to the acceptable applications and services used on the network. A Secure Application Provisioning solution provides a policy definition, a set of business rules, that dictates how the organization will use the many applications and services offered on the enterprise network. The Secure Application Provisioning policy configuration provisions a security and quality level for an application or service based on the business role of the user who is using it. Using a central administration and control point for configuring the Secure Application Provisioning policy, an IT organization can quickly and effectively configure and enforce the rules that determine the secure, prioritized usage of applications throughout the infrastructure. As network-attached devices connect and communicate, specific application traffic is provisioned according to the policy. If an application has a specific provisioning requirement that depends on who in the business is using it, the user is identified upon connecting to the network, and the user's role within the business determines the application provisioning policy to be enforced. This model allows policy to be provisioned dynamically for any business user, no matter where they connect to the enterprise network.
With a Secure Application Provisioning solution from Enterasys, a company can increase the availability and efficiency of its most critical business applications while restricting their use to the users who depend on them.

Figure 6. Secure Networks Secure Application Provisioning solution

With a Secure Application Provisioning solution, the initial step is to use the NetSight Atlas Policy Manager as the central configuration and administration point for all application usage policies for the various business roles in the organization. The role-based policy configuration is then distributed to the network infrastructure using SNMPv3 as the transport protocol. Once the role-based policy configuration is distributed to the infrastructure fabric, the appropriate role-based policy rules can be enforced for a specific user based upon their identity, as established by a user-authentication method. The Enterasys infrastructure supports a default application provisioning policy, as well as dynamic application provisioning policies assigned through user authentication by source MAC address, web-based credentials, or 802.1X/EAP with digital certificates. Source MAC address is the weakest of these, since a MAC address is trivially spoofed; it suits devices that cannot run an 802.1X supplicant, while certificate-based 802.1X gives the strongest binding between a user and the role applied to the port. Application access, priority, and performance can all be manipulated through the role-based policy configuration. The end result of a Secure Application Provisioning solution is better control of application usage, including the priority a specific application has for a user, and the ability to rate limit the flow between a specific user and the application.

Secure Guest Access

Many companies need to provide some level of basic network communication services to visitors or "guests" of the company.
Contractors, vendors, consultants, customers, and other non-employees may be a common presence in a company's facilities, and providing these guests with basic Internet connectivity, or even certain restricted application usage, can improve overall productivity and enhance business relationships. The problem that IT organizations face with the guest user is how to allow access to the basic services that make them more productive while protecting the business-critical network services that employees use. An additional concern when creating a "guest network" environment is to make sure that different guests cannot breach each other's security. A secure guest network environment must dynamically identify a guest and enforce a security and application usage policy that keeps the host business, and the other guests, safe, while still allowing an appropriate set of network services. Leveraging intelligent infrastructure products, policy management, and the ability to distinguish a trusted employee from a guest when they first connect, a Secure Guest Access solution from Enterasys can dynamically provision basic services while securing the critical business services. A Secure Guest Access solution provides a policy definition that includes basic guest access to services as well as application and service provisioning for the various trusted employee groups. Using a central administration and control point for configuring the Secure Guest Access policy, an IT organization can quickly and effectively configure and enforce basic application and service usage policies throughout the entire infrastructure. These policies apply to guests wherever they connect in the network infrastructure.
When an unauthenticated user connects to the enterprise network, they are designated a "guest" and a default policy is applied that provisions only the limited applications and services intended for a guest. When a trusted employee connects, they are authenticated as a "trusted user" and designated a member of a specific business group in the company. Access to the required network services is allowed, and specific application traffic is provisioned according to the role-based policy. This model allows trusted employees and guests to share the same network infrastructure while differentiated security and application usage policies are enforced for each type of user. With a Secure Guest Access solution from Enterasys, a company can safely allow visitors and guests to access basic network services while keeping the business fully secured. Providing these services to guests increases productivity for the guest and potentially for the company hosting them.

Figure 7. Secure Networks Secure Guest Access solution

With a Secure Guest Access solution, the initial step is to use the NetSight Atlas Policy Manager as the central configuration and administration point for all business policy rules governing access to business-critical services as well as guest-only services. The "default" policy in this environment is the configuration applied to a guest or visitor who accesses the network as an unauthenticated user. Authenticated users (trusted employees) receive a distributed policy that includes access to the appropriate business services. The role-based policy configuration is distributed to the network infrastructure using SNMPv3 as the transport protocol. Once the policy configuration is distributed to the network infrastructure, it is enforced dynamically according to whether a connecting user authenticates or not.
If a guest user connects to the access device, they will not pass any authentication criteria and will dynamically inherit the default "guest" policy administered through the NetSight Atlas Policy Manager application. If the user is a trusted employee or other trusted user, they will pass authentication and the appropriate role-based policy will be enforced based upon their identity in the business.

Dynamic Intrusion Response

Most large organizations have deployed perimeter firewalls, enterprise antivirus software and server patch management processes to protect their IT infrastructure. But these defenses have failed to stop the recurring waves of Internet-borne worms of the past few years, which have caused major business disruptions and lost productivity. The security features embedded in the Enterasys Dynamic Intrusion Response solution address this problem by identifying and isolating malicious activity based not just on specific threats and attack signatures, but on the abnormal behavior that accompanies these attacks. An organization can therefore minimize its exposure to targeted threats and opportunistic predators, assuring business continuity. Dynamic Intrusion Response protects the IT infrastructure against both known and new vulnerabilities. Using security technologies integrated into the network infrastructure, Dynamic Intrusion Response identifies and categorizes internal and external threats, isolates the source of these attacks, then automatically reconfigures the network to eliminate the intrusion. Dynamic Intrusion Response enforces access control and resource usage policies based on established security profiles. No other solution in the industry offers an automated framework for identifying, locating, and mitigating threats to the enterprise.
Most organizations have already configured stateful packet inspection firewalls, DMZs, NAT servers and router ACLs to protect the perimeter of their corporate network. These measures provide strong defense but fail to protect the enterprise from more sophisticated attacks: e-mail has become an important attack transport, new workstation and server OS vulnerabilities are identified regularly, and mobile laptops constantly move between trusted and untrusted environments. To protect against these threats, a Secure Networks infrastructure works to rapidly identify abnormal behavior and automatically isolate its source. Dynamic Intrusion Response addresses these sophisticated attacks and is designed to complement and enhance already deployed perimeter defenses, not to replace them.

Figure 8. Secure Networks Dynamic Intrusion Response solution

Reacting to security events is a major undertaking for enterprise IT organizations today, and automation is key to reacting quickly and effectively to emerging threats to the infrastructure. Detecting a new worm or hacker attack is only the first part of eliminating the threat; the IT organization must then decide what actions to take and where to apply the security policies. With Enterasys Secure Networks, a Dynamic Intrusion Response system can be implemented that integrates Intrusion Detection Systems with a security policy architecture. As threats are identified by the Intrusion Detection System (IDS), automated triggers react to the event. The reaction involves locating the source of the threat (a unique capability of the Enterasys infrastructure) and then dynamically applying a security policy to the source network port.
The policy could simply "turn off" network communications, or it could apply a "quarantine" policy so that traffic from the source is restricted to a pre-determined set of "safe" services. The initial step in this solution is to use the NetSight Atlas Policy Manager as the central configuration and administration point for an Acceptable Use Policy that provides a basic network security framework and a policy-enabled infrastructure. A special policy role named "Quarantine" is included in the basic policy foundation, and it is configured with policy rules specific to the enterprise environment and its rules on quarantining users. The Acceptable Use Policy and the Quarantine role configuration are centrally configured in the NetSight Atlas Policy Manager application and then distributed to the network infrastructure using SNMPv3 as the transport protocol.

Enterasys Dragon IDS sensors are strategically deployed throughout the network infrastructure so that intrusions and penetrating threats can be identified. Once a Dragon appliance detects a security breach, it correlates the event against pre-established event categories. If the event warrants action from the Dynamic Intrusion Response system, it is forwarded to the NetSight Atlas Console and Automated Security Manager applications using SNMPv3 as the transport protocol. The NetSight Atlas Console and Automated Security Manager read the events sent from the Dragon system and use the source IP address of the event, in conjunction with several technologies, to locate the actual physical source of the intrusion. Technologies such as the Enterasys Node and Alias Table, the Enterasys Discovery Protocol, and 802.1D forwarding tables can be used together to accurately locate the source of the intrusion.
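The locate-and-respond sequence just described (event with a source IP, IP to MAC through the node/alias table, MAC to edge port through the forwarding tables, then the pre-defined action) can be shown end to end. The following is an added example written for this page, not Enterasys, Dragon or NetSight code: the tables, event categories and responses are constructed, and the real system would read the tables from the switches over SNMPv3 rather than from Python dictionaries. The one subtlety it deliberately handles is that a MAC is learned on every trunk between the sensor and the host, so uplink ports must be excluded before the "source port" is chosen.

```python
"""Locate-and-respond loop of a Dynamic Intrusion Response system.
Added example, not Enterasys code: an IDS event arrives with a source IP,
the responder resolves it to a MAC through a node/alias (IP-to-MAC) table,
finds the edge port where that MAC is learned in the 802.1D forwarding
tables, and applies the action pre-defined for the event category. All
tables, events and categories are constructed; a real system would read
them from the switches over SNMPv3."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class IdsEvent:
    category: str               # pre-established category the IDS assigned
    src_ip: str
    signature: str


@dataclass
class Response:
    action: str                       # "disable-port", "quarantine" or "notify"
    role: Optional[str] = None        # policy role applied for "quarantine"
    duration_s: Optional[int] = None  # for "disable-port": how long


# Node/alias table: IP -> MAC as learned at the access layer (constructed).
NODE_ALIAS = {
    "10.0.1.50": "aa:aa:aa:aa:aa:01",
    "10.0.1.52": "aa:aa:aa:aa:aa:02",
}
# 802.1D forwarding tables: (switch, port) -> MACs learned there (constructed).
FDB = {
    ("sw-edge-1", "ge.1.1"): {"aa:aa:aa:aa:aa:01"},
    ("sw-edge-1", "ge.1.2"): {"aa:aa:aa:aa:aa:02"},
    ("sw-edge-1", "ge.1.24"): {"00:00:0c:00:00:01"},                      # uplink to core
    ("sw-core-1", "tg.1.1"): {"aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"},  # trunk to edge-1
}
UPLINKS = {("sw-edge-1", "ge.1.24"), ("sw-core-1", "tg.1.1")}

# Pre-defined action per event category: what the administrator configured.
RESPONSES = {
    "worm-propagation": Response("disable-port", duration_s=900),
    "port-scan": Response("quarantine", role="Quarantine"),
    "policy-violation": Response("notify"),
}

PORT_STATE = {}   # (switch, port) -> enforcement currently applied


def locate_source(src_ip: str) -> Optional[tuple]:
    """Return the (switch, port) the host behind src_ip is attached to, or None."""
    mac = NODE_ALIAS.get(src_ip)
    if mac is None:
        return None                      # unknown or spoofed source: cannot attribute
    # The MAC is learned on every trunk between the IDS sensor and the host,
    # so uplinks must be excluded; if several edge ports remain (hub, phone,
    # hypervisor), prefer the one with the fewest learned MACs.
    candidates = [p for p, macs in FDB.items() if mac in macs and p not in UPLINKS]
    if not candidates:
        return None
    return min(candidates, key=lambda p: len(FDB[p]))


def respond(event: IdsEvent) -> dict:
    """Apply the configured response for the event; return an audit record."""
    resp = RESPONSES.get(event.category, Response("notify"))
    port = locate_source(event.src_ip)
    record = {"src_ip": event.src_ip, "signature": event.signature, "port": port}
    if port is None or resp.action == "notify":
        # No attributable port, or a category the administrator left to manual handling.
        record["action"] = "notify"
        return record
    if resp.action == "disable-port":
        PORT_STATE[port] = {"state": "disabled", "duration_s": resp.duration_s}
    else:
        PORT_STATE[port] = {"state": "policy", "role": resp.role}
    record["action"] = resp.action
    return record


if __name__ == "__main__":
    for ev in (
        IdsEvent("worm-propagation", "10.0.1.50", "udp/1434 flood to 200 hosts/s"),
        IdsEvent("port-scan", "10.0.1.52", "tcp syn sweep"),
        IdsEvent("worm-propagation", "10.0.9.9", "udp/1434 flood"),   # unattributable
    ):
        print(respond(ev))
```

An event whose source cannot be tied to an edge port falls back to notification rather than to any automatic enforcement; acting on a guess (for instance, disabling the trunk the MAC was last seen on) would hand an attacker a way to cut off a whole segment with one spoofed packet.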
Once the physical source (switch port) of the intrusion is located, the NetSight Atlas Automated Security Manager application automatically takes the pre-defined action for the event category. This could include turning the physical port off, disabling communications for a pre-defined length of time, or enforcing the Quarantine policy role on the physical port. The action can also be taken manually by an administrator after the system sends a notification. Because the response is automatic, the mapping from event category to action should be chosen with spoofing in mind: an attacker who can forge a victim's source address in traffic the IDS sees could otherwise cause a legitimate user's port to be disabled. Quarantine, which leaves the pre-determined safe services reachable, is the safer default for lower-confidence categories; a hard port shutdown should be reserved for high-confidence events such as active worm propagation.

7. Conclusion

The goals of security have traditionally run against the demands of networking. With security, the underlying objective is to lock down information, restricting access to authorized users only. Conversely, the idea behind networking has been to open up data and resources and provide access to everyone associated with the business. Because of these competing desires, security has been viewed as a constant trade-off between network availability and risk. With Enterasys Secure Networks, however, it is possible to maintain granular control that secures the network and minimizes risk without sacrificing the access to applications and resources that drives today's business. Leveraging the technologies and solutions developed by Enterasys, global enterprises can meet their security, information and business goals without compromise.

All contents are copyright © 2004 Enterasys Networks, Inc. All rights reserved. Lit. #9013680 06/04