Network Access Control Achieving Enterprise Policy Security Control the easy way.

1
Network Access ControlAchieving Enterprise
Policy Security Control the easy way.

• Matthew Holden-Milner - NAC Business Manager

2
Security Control
Anti-virus
Management
Compliance reporting
Anti-Spyware
License management
Behavior blocking (HIPS)
Software deployment
Client firewall
Configuration management
Anti-Spam
Vulnerability assessment
(Web Security) Anti-URL
Patch management
Application control
Device control
Network access control
3
Agenda

• Yesterdays NAC.
• Evolving NAC.
• Why NAC?
• Achieving NAC today, it really is simple.
• NAC CAN.
• Why Sophos NAC.
• QuickScan.
• Questions?

4
How many of us would approach someone?
5
Why Software-based NAC?
Survey 40 tried to install NAC 4 completed
The hollowing of NACValue moves to the
endpoints
Source 2007, Trends Client Management 2.0
6
Recent Forrester report.

• The sheer variety of endpoint and network-based
  systems being sold under the NAC banner have made
  it challenging for IT decision makers to get a
  firm grip on which pieces to buy, which will
  force a vendor shakeout that favours the largest
  security and networking players, said Paul Stamp,
  analyst with Cambridge, Mass.-based Forrester
  Research.
• In a recent report, Forrester predicted that
  larger endpoint security players including
  Symantec, McAfee, and Sophos will end up
  supplying the brains behind NAC, rather than
  network-oriented vendors such as Cisco Systems,
  one of the pioneering companies in the space .

7
What the analysts are saying

• Gartner
• People are concerned about maturity, in large
  part because the industry giants are slow to
  deliver.
• Lawrence Orans, Research Director, Gartner Inc.
  February 2008.
• Forrester Group
• NAC is still absolutely a hot topic," said
  Robert Whitley, Forrester senior analyst. "A lot
  of companies are trying to implement it, but many
  are frustrated by the time it takes and,
  ultimately, what they get out of it. February
  208
• "Software is the preferred method for
  enterprises," said Forrester's Whitley.
  "Deployment cost is lower, and you get richer
  policy. February 2008

8
Where NAC is going
9
Evolution of NAC
to practical solutions
From theoretical approaches
10
NAC needs to solve real problems
DESKTOP
NETWORK
SECURITY

• Problem
• Lost security, productivity and control
• Out-of-date anti-malware protection, disabled
  firewall or missing security patches
• Use of prohibited applications
• Unauthorized re- configuration of computers

• Problem
• Uncontrolled accessto company network
• Unauthorized access to company network
• Network performance and availability
  disruptions
• Undetected access to company network-based
  resources

• Problem
• Rising business and security risk
• Unsecured or non- compliant use of company
  computers
• Undetected, unauthorized or unsecured guest
  access
• Unverified security and acceptable use policies

11

• About 90 percent of todays security
  breachesare preventable, according to analysts
  at Gartner, Inc., but known vulnerabilities
  continue to be successfully exploited because
  organizations fail to apply available patches or
  inadvertently misconfigured software
• January 2008

12
Endpoint Assessment Test 26 June 2008

• Sophos Endpoint Assessment Test (EAT)
• Time period 29 April 2008 (release date) 26
  June 2008
• 784 non-consumer assessments performed
• Checking for Microsoft security patches
• OS, Internet Explorer, Office, Media Player,
  Flash Player
• Anti-malware
• Installed, enabled,IDs current
• Personal firewall
• Installed, enabled

13
Endpoint Assessment Test 26 June 2008
14
Endpoint Assessment Test 26 June 2008

• Missing Microsoft SecurityPatch Breakout
• Of 784 Users
• 37 missing Office Patches
• 18 missing IE Patches
• 13 missing Media Player Patches
• 14 missing Flash Player Patches
• 58 missing OS Patches
• Note that end users can bemissing patches from
  oneor more categories

15
Compliance lessons learned

• Of business users who have used NAC Advanced
  technology to verify their endpoint security
  status
• 82 of users endpoints do not have full security
  protection
• 64 of endpoints are missing critical or high
  priority Microsoft security patches
• 53 of users did not have basic firewall
  protection enabled
• 16 of users with AV installed either did not
  have it running, or had old signature files

Sophos Endpoint Assessment Tool
https//endpointassessment.sophos.com/webagent
16
Sophos Quick Scan
17
NAC the easy way.
18
The NAC Case Study used by Gartner. NAC in 90
days.
700 offices globally
17 Countries
50,000 PCs
Goal Zero Vulnerabilities

• Before NAC
• 4.4 Vulnerabilities per PC
• 70 of systems patched within 30 days
• After NAC
• 1.4 Vulnerabilities per PC (trending down)
• 99 of systems patched within 7 days

• Approach
• Policy/Baseline SOPHOS
• Access Control DHCP
• Critical Success Factors
• Tested Usage Cases (employee PC, visitor PC, "bad
  guy)
• Focus first on audit, not enforcement

19
Sophos NAC Advanced Architecture
NAC Advanced Components

• Enforcement points
• Agent
• DHCP
• RADIUS
• 802.1x

20
NAC Life-Cycle
Centrally defines policy and enforcement actions
across granular groups
Pre and post connect compliance inspection
Centrally reports and alerts
Permits / denies access using multiple points of
enforcement
Provides quarantine for remediation
21
Its not just NAC, it can do a lot more..
22
Other real-life use cases!

• Configuration management
• Inspect for desired web proxy settings if not
  set, message the user via NAC agent providing
  instructions on how to set
• Application update
• Check for new VPN client installed if not
  installed, message the user via NAC agent
  providing download link
• Timesheet reporting
• Inspect for month-end timesheet submission if
  not submitted, message the user via NAC agent
  during grace period and quarantine after
• Data protection
• Check for disk encryption enabled if not
  enabled, message the user and assist remediation
  via NAC agent

23
Other real-life use cases!

• Wireless Access Points
• Have requirements for DHCP enforcement running on
  school wired or wireless networks and a guest
  policy which allows many operating systems and
  many antivirus vendors / releases.
• Patching issues
• A number of our deployments had requirements to
  integrate with SMS and to include clicking of the
  AUP as part of the policy check.
• PCI Compliance
• NAC can play a big part in strengthening PCI. The
  Body Shop , Spurs Proximity for example. Sophos
  are introducing a PCI policy within NAC next
  year.
• Segregate networks
• Have requirements to allow differentiate people
  to access different parts of the network defined
  on who they are. This could be due to a company
  merger or too flat network.

24
Why are customers buying Sophos NAC?
25
Sophos engineered for business

• Trusted
• Over 130M users world-wide protected Viruses,
  Spam, Spyware, Adware, NAC and soon Encryption.
• Financially stable - Not dictated to by
  shareholders or analysts
• Security Expertise
• Sophos - Founded over 30 years ago
• Innovation - (RD) Genotype technology,
  (Strategy) Multi-tier protection
• Strong commitment to security issues affecting
  business
• Industry leading solutions (business focus),
  lower TCO (licensing / operational)
• Award winning technical support (business focus)
• Global Reach and Reputation
• SophosLabs technical support 24/7 x 365
• Presence in 150 countries
• HQs Abingdon, UK and Boston, US
• Largest independent security and control vendor
  in Europe
• 38 Virus Bulletin VB100 Awards

26
Sophos and Endforce

• NAC is a vital part of Sophos security and
  control strategy
• Sophos acquired Endforce in February 2007
• Endforce is a market leader
• Experts in networking technologies
• Endforce NAC is designed to be highly flexible
  and standards based
• Tried and tested solution including the worlds
  largest deployment
• Referred to by Gartner and other analysts as a
  leading product

27
Recommends consideration of Sophos

• The Magic Quadrant for Endpoint Protection
  Platforms highlights NAC as a critical capability

"Buyers who prefer a broad and comprehensive EPP
suite with impressive management capability,
especially NAC...will do well to consider Sophos."
Sophos emerges as the first new leader in five
years propelled in part by its NAC solution
Source Gartner, Magic Quadrant for Endpoint
Protection Platforms 2007
28
Not only the largest deployment in the world, but
also

• The largest footprint in the UK Europe.

29
Sophos NAC Advanced The proven choice

• Works today The proven solution supporting
  the largest enterprise NAC deployments
• No forklift upgrade Works with your existing
  network equipment and security applications
• Preventive Stops problems before they happen
  for managed and unmanaged computers
• Simplified Automation for policy updates and
  correction of endpoint non-compliance
• Flexible Mix and match Agent, DHCP, 802.1X,
  Cisco NAC and VPN enforcement
• Works tomorrow Vendor- neutral, software-only
  coverage allowing your network to evolve

AOL avast! AVG Technologies BigFix BitDefender Cis
co CA F-Secure IBM ISS Kaspersky McAfee Microsoft
Panda Security Sophos Symantec Trend
Micro ZoneAlarm
Alcatel-Lucent Aruba Networks Check
Point Cisco ConSentry Networks Enterasys Extreme
Networks Foundry Networks HP Infoblox Juniper
Networks MetaInfo Nortel Novell RSA Sun
Microsystems 3Com
Supported Application Vendors
Compatible Network Vendors
30
Next steps

• Experience it
• Free evaluation
• Brilliantly Simple roll-out

Demonstration
Try NAC Now without forklift upgrades
Report-only, Correct and optionally Enforce