EAD Technology White Paper(VPN Access Scheme not Supported)

 

Keywords: EAD, CAMS, security, admission, anti-virus

Abstract: EAD is a solution to network endpoint access control. By cooperation of the security clients, access devices, security policy server, and third-party server, it enhances the active defense ability of network endpoints, effectively controlling the spreading of viruses. This document provides the mechanism, technical characteristics, and typical applications of the EAD solution.

Acronyms:

Acronym

Full spelling

ACL

Access Control List

BAS

Broad Access Server

CAMS

Comprehensive Access Management Server

EAD

Endpoint Admission Defense

IAG

Intelligent Application Gateway

L2TP

Layer 2 Tunnel Protocol

QoS

Quality of Service

VLAN

Virtual Local Area Network

VPN

Virtual Private Network

 



Overview

1.1  Background

With the application and development of network technologies, people have higher and higher requirements for information networks and are becoming more dependent on networks. At the same time, people have to face increasing information security threats. Replacing network reliability, switching ability and service quality, network security has become the focus of corporate users. Network security infrastructure is now one of the most important parts in corporate network construction. In corporate networks, new security threats are found now and then, and more destructive viruses are spreading in a wider area, resulting in system crash and network outage, which means severe loss of corporations. In a corporate network, compromise of any endpoint will affect the security of the entire network. That is, the security of any end point, which depends on the anti-virus ability, patch completeness, and system security settings, is crucial to the security of the entire network.

However, the current defense systems for viruses support mainly standalone defense, for example, installing anti-virus software and firewall software on personal computers. When a new virus or network attack is detected, network administrators usually need to issue virus alerts or patch upgrade bulletins, requesting that all computers on the network be installed with the relevant defense software. This defense scheme is far from effective, as the spreading of viruses and the resulting loss of corporations show. The following are some of the disadvantages of the current defense scheme:

l              Passive defense, which cannot fight security threats before they occur.

In most cases, when an endpoint is infected, the viruses may already be everywhere on the entire network. Remediation after damages may help, but what corporate users want is to detect possible security threats and implement necessary system repair before they can cause damages. However, network administrators have no active defense tools for security monitoring, quarantining, and system repair at present.

l              Single-point defense, which cannot deal with repetitious and cross infection.

As long as one device on a network is infected or has not been repaired, the entire network is compromised.

l              Decentralized management, which cannot provide consistent security policies and global defense ability.

Security control of all endpoints is required to prevent security threats from occurring. Nevertheless, decentralized management of endpoints cannot ensure that all endpoints are compliant with the corporate security policies, and therefore cannot block security threats at the access points. In addition, newly advertised patches and virus alerts are often neglected in a decentralized management system. Therefore, decentralized security management is not the answer to security threats from viruses and operating system (OS) bugs.

To provide a more effective defense system, H3C developed the Endpoint Admission Defense (EAD) solution.

1.2  Functions

The H3C EAD solution is intended to integrate standalone single-point defense systems to implement centralized management of users, consistent security policy throughout the corporate network, and active defense on endpoints. By cooperation of the security clients, access devices, security policy server, and third-party server, the solution can quarantine non-compliant endpoints in the quarantined area. This can not only prevent compromised endpoints from affecting the security of the entire network, but also protect vulnerable endpoints against viruses.

The EAD solution provides the following functions:

l              Evaluating the security compliance and defense ability of endpoints.

This is to ensure that the OS has been patched properly, the anti-virus software and virus database have been updated, and no virus is present. An endpoint that does not meet these criteria is vulnerable to external attacks, while an endpoint that is infected may launch attacks to other devices on the network and is therefore dangerous. The EAD solution can evaluate the security compliance of endpoints and permits only compliant endpoints to access the network. In addition, in conjunction with identity authentication techniques such as 802.1x, VPN, and Portal, the EAD solution ensures that only legitimate endpoints can access the network.

l              Quarantining dangerous endpoints and vulnerable endpoints.

The EAD solution redirects all non-compliant endpoints to the quarantined area, where the endpoints can access network resources for system repair, such as the anti-virus server and patch server.

l              Enforcing system patching and anti-virus software upgrade.

The EAD solution automatically notifies endpoints in the quarantined area to patch their OSes and applications and/or upgrade their virus databases, and can help endpoints take necessary actions automatically or manually. If an endpoint is proved compliant with the security policy after system repair, EAD will allow it to leave the quarantined area to access the network.

l              Managing security policies and monitoring security events in a centralized way.

EAD provides a user management platform for access policy, security policy, and service policy management and security event monitoring. It can help network administrators to customize identity-specific network policies. Moreover, EAD can enforce security configuration and security event monitoring on endpoints. The security configurations include whether to check mails and the registration table in real time, restrict proxy usage, and permit using dual network adapters. The security events include virus checking and killing events and security configuration changing events.

1.3  Technical Characteristics

The EAD solution provides a brand-new security defense architecture. It combines anti-virus functions with network access control, enforces centralized management of endpoints, and improves the active defense ability of endpoints. The EAD solution features these technical characteristics:

l              Integrated anti-virus and network access control, which can improve network security dramatically.

EAD can help ensure that all endpoints accessing the network normally are compliant with the anti-virus and system patching criteria of the corporation. Non-compliant endpoints will be redirected to the quarantined area, where only resources specified by administrators for quarantined endpoints are available. An endpoint in the quarantined area can leave the area only after the required system repair configurations are complete and it is proved to compliant with the security policy. This can effectively prevent endpoints from becoming victims of attacks or being exploited by attackers.

l              Support for multiple authentication methods and wide applicability.

EAD supports authentication methods including 802.1x, VPN, and Portal and therefore holds wide applicability. It supports LAN access, VPN access, and convergence devices, securing the entire network at all layers.

l              Quarantine of dangerous endpoints

In EAD, endpoints not compliant with the security policies are quarantined by VLAN or ACL.

l              Flexible and easy deployment and maintenance

EAD allows network administrators to customize different security evaluation criteria and quarantine levels based on the identities of endpoints. Depending on the requirements of applications, it can work in monitoring mode, alert mode, quarantine mode, or kickout mode. In monitoring mode, EAD only records non-compliant endpoints; it does not prompt non-compliant endpoints to perform system repair. In alert mode, EAD only prompts non-compliant endpoints to perform system repair; it does not quarantine them. In kickout mode, EAD logs out all non-compliant endpoints.

l              Detailed security event log and audit

EAD logs the login processes, security compliance, and virus killing events of endpoints in detail, allowing network administrators to know the security defense ability and virus infection situation of all endpoints.

l              Cooperation with professional anti-virus vendors

As an integrated solution, EAD implements anti-virus by a third-party server. Currently, EAD supports the anti-virus software of the main vendors. By the cooperation feature of EAD, the anti-virus software gets used to a better degree, from supporting single-point defense to supporting network wide defense.

l              Support for corporate policy implementation

EAD can not only evaluate the security compliance of endpoints, but also help administrators to set security policies for endpoints, allowing consistent security policy implementation throughout the corporate networks.

l              Scalability for saving user investment

EAD is a highly scalable solution. It requires just a few changes to the existing network devices and networking mode. As long as simple upgrading is made on the network devices and the anti-virus software, access control and anti-virus cooperation can be implemented.

1.4  Applications

EAD is a general access security solution. It features great flexibility and applicability. By cooperating with H3C network devices such as switches, routers, VPN gateways, and SecPath IAGs, it can provide endpoint defense in a variety of networking scenarios:

l              LAN access

In a corporate network, endpoints are usually connected through switches. Security of an endpoint is critical to the security of the entire network. On such a network, the EAD solution can force all endpoints to go through 802.1x identity authentication and security authentication before accessing the network. By this solution, administrators can enforce corporate security policies and ensure timely virus database upgrade and system patching, reducing the risk of virus spread and preventing security threats from internal networks.

l              WLAN access

WLAN access endpoints are usually roaming about and out of monitoring of network administrators. Therefore, they are more likely to be vulnerable to viruses and Trojan horses and may not be equipped with the required patches. Together with standard 802.1x authentication, the EAD solution can secure networks with WLAN access endpoints.

l              VPN access

Some corporate networks need to support VPN access of mobile users and cooperators, which may bring potential security trouble. By using VPN gateways, the EAD solution can ensure that remote endpoints have the up-to-date virus database and all the required system patches installed before accessing the corporate network. Remote endpoints without the EAD security client may be rejected or restricted, depending on the configuration.

l              Key data protection

In addition to access control, the EAD solution also addresses the security of core data areas (such as the data center and ERP server area), which some corporations may be concerned about. EAD supports deploying security cooperation gateways at the entrance of such data areas to force all users trying to access the areas to go through Portal authentication and security compliance evaluation. This ensures that endpoints accessing critical data are not suffering from viruses and will not affect the security of the critical data. EAD can also prevent illegal external users from accessing sensitive corporate data and attacking the corporate network.

l              Corporate entrance protection

Large enterprises usually have many branch offices and affiliated organizations, which are connected with the corporate networks through dedicated lines or WAN. Some enterprises even allow employees working at home or traveling on business to access the corporate networks directly. This is very common in open enterprises but also means potential security threats. To ensure network security, you can deploy security gateways at the entrance of such a corporate network to force all users to go through Portal authentication and security compliance evaluation before accessing the corporate network.

l              Corporate exit protection

In corporate networks under relatively strict management and monitoring, endpoints are seldom threatened when accessing the internal networks. When accessing external networks, however, these endpoints have to face much more security threats. If they do not have the up-to-date virus database or do not have the required patches, they may get infected or attacked, or even be exploited to initiate attacks to the corporate networks. The EAD solution allows you to deploy EAD devices at the exit of a corporate network, so as to force endpoints to go through Portal authentication and security compliance evaluation before accessing external networks.

EAD Implementation

2.1  Components

The EAD solution is an integrated scheme. It includes these components: security client, security cooperation device, security policy server, and third-party server such as anti-virus server and patch server. Each component fulfills its own functions, while the security policy center takes the responsibility of coordinating and integrating all the components to implement endpoint security compliance evaluation, quarantine, and system repair for better defense of the entire network.

Figure 1 Network diagram for EAD

2.1.1  Security Client

The security client is installed on endpoints for endpoint authentication, security compliance evaluation, and security policy enforcement. It functions to:

l              Provide multiple authentication methods, such as 802.1x, Portal, and VPN. In cooperation with H3C switches, routers, VPN gateways, and SecPath IAGs, it can control endpoint admission at the access layer, convergence layer, and VPN level.

l              Check the security compliance of endpoints by checking OS version, completeness of system patches, and other information. In conjunction with the anti-virus client, it can check anti-virus software version, virus database version, and virus scan/kill history. These data will be transferred to the security policy server for endpoint admission determining and controlling.

l              Implement security policies. It receives the security policies issued by the security policy server and force endpoints to take specified actions, including performing security configurations (whether to monitor mails and the registration table) and notifying and implementing system repair (automatic or manual upgrade of patches and the virus database). Endpoints that do not observe the security policy will be restricted in the quarantined area.

l              Monitor system security status in real time and regularly report security events to the security policy server for security auditing. System security status information includes whether security settings have been changed and whether new virus types are found.

2.1.2  Security Policy Server

The core of the EAD solution is integration and cooperation, and the management and control center of the EAD solution is the security policy server. As a software set, the EAD solution can run on Windows and Linux and functions to manage users and security policies, evaluate security compliance, control security cooperation, and audit security events:

l              Manage security policies. The security policy server defines a set of policies for endpoint admission control, covering aspects such as endpoint security compliance evaluation criteria, patch checking items, endpoint recovery method, and quarantine criteria.

l              Manage users. In a corporate network, different users may use different types of endpoints and require different levels of security checking and controlling. The security policy server can provide differentiated identity-specific security configurations and network service classes, allowing administrators to customize security policies for users as needed.

l              Control security cooperation. The security policy server can evaluate the security reports of endpoints, command the security cooperation device to quarantine endpoints or to remove quarantine, and issue security policies to endpoints. Owing to the control function of the security policy server, security clients, security cooperation devices and the anti-virus server can cooperate to implement end-to-end admission control.

l              Audit logs. The security policy server can collect and log the security events reported by security clients, so that administrators can trace and monitor the security of the entire network.

2.1.3  Security Cooperation Device

In a corporate network, it is security cooperation devices that execute security policies, forcing users to perform access authentication and quarantining invalid endpoints to provide better services for valid users. Depending on the application scenario, a security cooperation device can be an H3C switch, router, VPN gateway, or SecPath IAG, and can use different authentication methods (such as 802.1x, VPN, and Portal) for admission control. However, regardless of its device type and authentication method, a security cooperation device delivers the following functions:

l              Force endpoints attempting to access the network to go through identity authentication and security compliance evaluation.

l              Quarantine non-compliant endpoints. Based on quarantine commands and quarantine removal commands from the security policy server, a security cooperation device can quarantine endpoints or remove quarantine by VLAN or ACL.

l              Provide identity-specific network services. Based on security policies from the security policy server, a security cooperation device can provide differentiated services by QoS, ACL, and VLAN.

2.1.4  Third-Party Server

In an EAD solution, the third-party server could be an anti-virus or patch server providing online virus database upgrade or patch upgrade services to endpoints.

2.2  Mechanism

EAD functions are implemented by cooperation of the security clients, security cooperation devices (for example, switches, routers, and SecPath IAG), security policy server, anti-virus sever and patch server, as shown in Figure 2.

Figure 2 Mechanism of EAD

(1)         When an endpoint tries to access the network, its security client cooperates with the security cooperation device and security policy server to authenticate the endpoint.

(2)         After the endpoint passes authentication, the security policy server issues a security policy to the endpoint and requests the endpoint to check security compliance.

(3)         The third-party desktop management system on the client cooperates with the security policy server to check whether the required patches and virus databases are on the endpoint and are up-to-date. The security client reports the check result to the security policy server.

(4)         The security policy server controls the rights of the endpoint based on the check result.

l              If the endpoint passes the security authentication, it will perform the security configurations required by the security policy server, and the security cooperation device will provide it with identity-specific network services.

l              If the endpoint fails the security authentication, the security cooperation device restricts the endpoint to the quarantined area. An endpoint in the quarantined area can perform system repair and patching and virus database upgrading.

After an endpoint passes identity authentication and security authentication and gets online, a heartbeat mechanism is used to detect whether the endpoint is still online and the endpoint will be monitored in real time. If the endpoint is found not compliant with the security policy at a time, relative security repair and management operations will be performed for it.

As indicated by its functions and mechanism, the EAD solution integrates endpoint security measures (such as anti-virus and patching) and network security measures (such as network access control, access right control) into a cooperative security system. By checking, quarantining, repairing, managing, and monitoring endpoints, the integrated system implements the changes from passive defense to active defense, from single-point defense to all-around defense, and from decentralized management to centralized management. As a result, networks deployed with EAD are equipped with all-around defense ability against new viruses and security threats.

Application Scenarios

3.1  802.1x Access Scheme

Figure 3 802.1x access scheme

As shown in Figure 3, the security cooperation access gateway runs 802.1x to control connections of endpoints to the network. The CAMS servers perform authentication, accounting, EAD admission policy controlling, and security compliance evaluation. The third-party servers cooperate with security clients to implement automatic upgrade management of the clients. In addition, CAMS can cooperate with 802.1x to provide functions such as ACL authorization, VLAN authorization, and port-IP address binding, implementing a finer granularity of user access control. This scheme can prevent internal security threats of the network effectively. But it does not support strict quarantine of endpoints.

3.2  VPN Access Scheme

Figure 4 VPN access scheme

As shown in Figure 4, the security cooperation VPN gateway uses L2TP authentication to control remote user access. The CAMS servers perform authentication, accounting, EAD admission policy controlling, and security compliance evaluation. VPN clients initiate VPN connection requests to the security cooperation VPN gateway to establish reliable secure connections to the corporate network for branches, mobile employees, and partners. The VPN gateway is responsible for ensuring that remote users have the up-to-date virus database and patches before accessing the internal network. Remote users without the EAD security client will not be able to access the internal network or will be restricted to a certain area. This scheme helps in relieving security threats that may occur when remote users access the internal network.

3.3  Portal Access Scheme

Figure 5 Portal access scheme

As shown in Figure 5, the security cooperation access gateway uses Portal authentication to control user access at the convergence layer. The CAMS servers perform authentication, accounting, EAD admission policy controlling, and security compliance evaluation. In addition to access control, the EAD solution also addresses the security of core data areas, which some corporations may be concerned about. EAD supports deploying security cooperation devices at the entrance of such data areas to force all users trying to access the areas to pass Portal authentication and security compliance evaluation. This ensures that endpoints accessing critical data are not suffering from viruses and will not affect the security of the critical data. This scheme can also be deployed at corporate network exits and branch entrances. It features wider application.

References

RFC 2865: Remote Authentication Dial In User Service (RADIUS)

Copyright ©2008 Hangzhou H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

The information in this document is subject to change without notice.