Transcript Slide 1
Andrew Noonan, SE ForeScout
February 2015

Strong Foundation
Market Leadership
Enterprise Deployments
• In business 13 years
• Campbell, CA headquarters
• 200+ global channel partners
• Independent Network Access Control (NAC) Market Leader
• Focus: Pervasive Network Security
• 1,700+ customers worldwide
• Financial services, government, healthcare, manufacturing, retail, education
• From 500 to >1M endpoints
© 2014 ForeScout Technologies, Page 2

Corporate Resources Non-corporate Endpoints Network Devices Antivirus out of date Unauthorized application Agents not installed or not running Applications Users VISIBLE NOT VISIBLE

MDM Inadequate Collaboration

Detection-Mitigation Divide

+ IT Risks Greater IT Security Risks IT Costs $ Rogue devices System breach Data leakage Compliance violation + Investigation Mitigation Greater IT Costs

Real-time Visibility + Coordinated Controls
Switches SIEM Ticketing Remediation MDM Endpoint Security AAA Systems Management Vulnerability Wireless

1 Visibility
• Discovery and inspection - who, what, where
• Managed, unmanaged, corporate, BYOD, rogue
2 Access Control
• Flexible policies - allow, alert, audit, limit, block
• 802.1X, VLAN, ACL, virtual firewall, hybrid-mode
3 Onboarding
• Guest management and BYOD onboarding
• Automated MDM enrollment
4 Interoperability
• Works with your existing IT infrastructure
• ControlFabric open integration architecture
5 Ease of Deployment
• Fast implementation, agent-less, all-in-one appliance
• Multi-vendor environments, no upgrades needed

Continuous Visibility Endpoint Mitigation Network Enforcement Endpoint Authentication & Inspection Information Integration

Who are you? Who owns your device?
• Employee
• Corporate
• Partner
• Windows, Mac
• iOS, Android
• BYOD
• VM
• Rogue
• Non-user devices
• Contractor
• Guest
What type of device?
Where/how are you connecting?
• Switch
• Controller
• VPN
• Port, SSID
• IP, MAC
• VLAN
What is the device hygiene?
• Configuration
• Software
• Services
• Patches
• Security Agents

CORE LAYER SWITCH AD / LDAP / RADIUS / DHCP WHO? FIREWALL VPN CONCENTRATOR USER NAME EMAIL TITLE GROUPS DISTRIBUTION LAYER SWITCH CORPORATE LAN WHAT? GUEST LAN POSTURE? APPS SERVICES PROCESSES VERSIONS REGISTRY PATCHES ENCRYPTION ANTIVIRUS OS BROWSER AGENT PORTS PROTOCOLS VPN CLIENTS INTERNAL INTERNET EXTERNAL
WHERE?
• MAC ADDRESS
• IP ADDRESS
• SWITCH IP
• CONTROLLER IP
• PORT / SSID / VLAN

Complete Situational Awareness

Modest Strong
Alert / Allow
Open trouble ticket
Send email notification
SNMP Traps
Start application
Trigger / Limit
Deploy a virtual firewall around the device
Reassign the device to a VLAN with restricted access
Run script
Update access lists (ACLs) on switches, firewalls and routers to restrict access
Auditable end-user acknowledgement
DNS hijack (captive portal)
Send information to external systems such as SIEM etc.
HTTP browser hijack
Automatically move device to a pre-configured guest network
Trigger external controls such as endpoint protection, VA etc.
Remediate / Block
Move device to quarantine VLAN
Block access with 802.1X
Alter login credentials to block access, VPN block
Block access with device authentication
Turn off switch port (802.1X, SNMP)
Install/update agents, trigger external remediation systems
Wi-Fi port block

• Visibility of corporate and personal devices
• Automated onboarding
  – Identify device
  – Identify user
  – Assess compliance
• Flexible policy controls
  – Register guests
  – Grant access (none, limited, full)
  – Enforce time of day, connection type, device type controls
• Block unauthorized devices from the network
Diagram labels: WEB, EMPLOYEE, CONTRACTOR, GUEST, UNAUTHORIZED, EMAIL, CRM

User Type Guest Contractor/Partner Employee Authenticate via Corporate Credentials Guest Registration Sponsor Authorization Internet Access Authenticate via Contractor Credentials BYOD Posture Check Limited Internal Access Personal Device Corporate Asset BYOD Posture Check Corporate Asset Posture Check Internal Access

1– Device connects to network
Classify by type
Check for mobile agent
MDM 2– ForeScout CounterACT ?
If agent is missing
Quarantine device
Install mobile agent (HTTP Redirect)
3– Once agent is activated
Check compliance
Allow policy-based access
Continue monitoring

Your Enterprise Network MDM MDM Security Gateway GRC AAA SIEM NGFW / VPN VA/DLP System Management Host Controls MDM / MAM

• Easy to use
  – 802.1X not mandatory
  – Non-intrusive, audit-only mode
  – No agents needed (dissolvable or persistent agent can be used)
• Fast and easy to deploy
  – All-in-one appliance
  – Out-of-band deployment
  – No infrastructure changes or network upgrades
  – Rapid time to value – unprecedented visibility in hours or days
  – Physical or virtual appliances
• Ideal for multi-vendor, heterogeneous network environments

Thank You

Dynamic and Multi-faceted
Multiple methods
• Poll switches, APs and controllers for list of devices that are connected
• Receive SNMP trap from switches
• Monitor 802.1X requests to the built-in or external RADIUS server
• Monitor DHCP requests to detect when a new host requests an IP address
• Optionally monitor a network SPAN port to see network traffic such as HTTP traffic and banners
• Run NMAP scan
• Use credentials to run a scan on the endpoint
• Use optional agents
Diagram labels: RADIUS SERVER, DHCP REQUESTS, SNMP TRAPS, USER DIRECTORY

Device Operating System Security Agents Type of device OS Type Anti-malware/DLP agents Manufacturer Version number Patch management agents Location Patch level Encryption agents Connection type Services and processes installed or running Firewall status Hardware info Authentication Registry MAC and IP address File names, dates, sizes Certificates Configuration Network Malicious traffic Applications Rogue devices User Installed Name Running Peripherals Authentication Status Version number Type of device Workgroup Registry settings Manufacturer
Email and phone number File sizes Connection type

Authentication Options
• LDAP based Directory Systems
• MAC Address Lists
Access Control Options
• VLAN Assignment
• ACL Management
• RADIUS/802.1X
• Guest Registration
• External Repositories
Flexible Implementation
• Virtual Firewall
• 802.1X Block, VLAN, ACL Hybrid Mode
• Direct integration with directory systems and external databases
• 802.1X for wireless, non-802.1X for wired
• Built-in RADIUS
• Use 802.1X as default, fall back to non-802.1X if needed
• Can operate as RADIUS proxy

Switches & Routers Endpoint & APT Protection Endpoints Firewall & VPN IT Network Services MDM Wireless Network Devices SIEM/GRC Vulnerability Assessment