家中等职业教育改革发展示范学校

RiskManagementusingNetworkAccessControlandEndpointControlfortheEnterpriseKurtisE.Minder–MirageNetworks-CONFIDENTIAL-2i-CONFIDENTIAL-3AgendaDriversofNACKeyElementsofNACSolutionsIdentifyAssessMonitorMitigateNACLandscape-CONFIDENTIAL-4BusinessNeedsDriveSecurityAdoption3UbiquitousSecuritytechnologiesAnti-virus-Businessdriver:FilesharingFirewalls-Businessdriver:Interconnectingnetworks(i.e.Internet)VPNs-Businessdriver:RemoteconnectivityToday’stopsecuritydriver-MobilePCsanddevicesBroadbandaccessiseverywhereIncreasedpercentageofthetimedevicesspendonunprotectednetworksPerimetersecurityisrenderedlesseffectivebecausemobiledevicesbypassitandaren’tprotectedbyitMobilityofIPdevicesisdrivingtheneedforNetworkAccessControlsolutionsLeadingsourceofnetworkinfectionsMoreunmanageddevicesonthenetworkthanever-guestandpersonaldevices-CONFIDENTIAL-5TheTraditionalApproachtoNetworkSecurityIsn’tEnough-CONFIDENTIAL-6TheProblemNACShouldAddressToday,endpointdevicesrepresentthegreatestrisktonetworksecurity—bypropagatingthreatsorbeingvulnerabletothem.InfectedDevicesUnknownDevicesOut-of-PolicyDevicespropagatethreats,resultinginlossofproductivity&hoursofcleanuplikehomePCs,contractorPCs,&WiFiphonescanintroducenewthreatsorcompromisedatasecurityaremorevulnerabletomalwareattacks,whilerunningservicesthatcouldjeopardizesecurity“Becauseofwormsandotherthreats,youcannolongerleaveyournetworksopentounscreeneddevicesandusers.Byyear-end2007,80percentofenterpriseswillhaveimplementednetworkaccesscontrolpoliciesandprocedures.”Gartner,ProtectYourResourcesWithaNetworkAccessControlProcess-CONFIDENTIAL-7TheCost1mi2gIntelligenceUnit,MalwareDamagein20042ICSALabs,9thAnnualComputerVirusPrevalenceSurvey-CONFIDENTIAL-8TheNumbersTelltheStory“Protection”isinplace…98%usefirewalls197%ofcompaniesprotectmachineswithantivirussoftware179%useanti-spyware161%useemailmonitoringsoftware1Butit’snotenough!Costofmalware:$14.2B280%ofcompaniesexperienced1ormoresuccessfulattacks,30%hadmorethan103AveragenetlossformalwareincidentsinUScompaniesisnearly$168,000peryear1Worldwide,32%ofcompaniesexperienceattacksinvolvingbusinesspartners43%ofthosewereinfections,while27%wereunauthorizedaccess475%ofenterpriseswillbeinfectedwithmalwarethatevadedtraditionaldefenses51ComputerSecurityInstitute/FBI’s2006ComputerCrimeandSecuritySurvey2ComputerEconomics,20063ICSALabs,9thAnnualComputerVirusPrevalenceSurvey4Cybertrust,RiskyBusiness,September20065Gartner,Gartner’sTopPredictionsforITOrganizationsandUsers,2007&Beyond,December2006-CONFIDENTIAL-9TheProblemisExpectedtoGetWorse2006StatisticsSteepincreaseinthenumberofsoftwaresecurityvulnerabilitiesdiscoveredbyresearchersandactivelyexploitedbycriminalsMicrosoftCorpissuedfixesfor97(versus37in2005)securityholesassignedcriticallabel14ofofthecriticalbecamezerodaythreats.ExpertsworrythatbusinesseswillbeslowtoswitchtoVista.Pre-VistaMSOfficeisexpectedtoremaininwidespreaduseforthenext5-10years.Source:WashingtonPost,Dec2006,CyberCrimeHitstheBigTimein2006-CONFIDENTIAL-10NACMarketExpectationsNACAppliancevendorswillsell$660mworldwidein2008NACApplianceswillgain17%worldwideshareoftheNACmarketby2008,upfrom6%in2005ResearchrevealsWorldNetworkAccessControl(NAC)ProductsandArchitecturesMarketsearnedrevenuesofover$85millionin2006andestimatesthistoreachover$600millionin2013GartnerestimatesthattheNACmarketwas$100Min2006andwillgrowbyover100%byYE2007-CONFIDENTIAL-11IncreasingNumberofTargetstoProtectOperatingSystemsInternetExplorerWindowsLibrariesMicrosoftOfficeWindowsServicesWindowsConfigurationWeaknessesMacOSXLinuxConfigurationWeaknessesNetworkDevicesVoIPPhones&ServersNetwork&OtherDevicesCommonConfigurationWeaknesses*SANSInstituteTop20InternetSecurityAttackTargets(2006AnnualUpdate),v7.0,11.15.06CrossPlatformApplicationsWebApplicationsDatabaseSoftwareP2PFileSharingApplicationsInstantMessagingMediaPlayersDNSServersBackupSoftwareSecurity,Enterprise,andDirectoryManagementServersSecurityPolicy&PersonnelExcessiveUserRights&UnauthorizedDevicesUsers(Phishing/SpearPhishing)SansInstitute2006TopAttackTargets*-CONFIDENTIAL-12Pre-admission(atnetworkconnect),30%Post-admission(continuousmonitoring),7%Both,60%Don'tknow,3%WhatClassofNACSolutionstoDeploy?AberdeenResearch,2006-CONFIDENTIAL-1311%12%12%17%22%24%41%42%53%59%0%10%20%30%40%50%60%70%MeetregulatoryrequirementsReduceIToperationscostImproveendpointvisibilityAutomateremediationofpolicy/configurationviolationsReducetimerequiredtorecoverfrommalwareoutbreakImprovenetworkuptimeEnforcesecuritypolicycomplianceEnforceendpointsoftwareconfigurationsControlnetworkaccessforstaff,partnersandcontractorsReduceincidentsofmalwarepropagation%ofRespondentsAllRespondentsTopDriversInfluencingNACSolutionsAberdeenResearch,2006-CONFIDENTIAL-14TopFeaturesRequiredinaNACSolution6%7%11%12%14%14%16%17%19%23%24%28%30%34%37%0%10%20%30%40%VisibilitytoendpointconfigurationsThreatpropagationdetection/IDSScalability/faulttoleranceReportingVisibilitytoendpointthreatsRedirectionofuserstoremediationresourcesEndpointconfigurationposturecheck(onadmission)EaseofdeploymentEndp