www.novell.com
NetVision’s PolicyManagement Suite: Security for eDirectory™, the NetWare® File System, Auditing, Enforcement, and Synchronization
Jim Allred, Vice President of Marketing, NetVision, [email protected]
Todd Lawson, President and CTO, NetVision, [email protected]
Novell Security Solutions Partner
• NetVision’s Policy Management Suite—security for Novell eDirectory™, NetWare® OS/file system
  – Real-time monitoring, auditing and enforcement
  – Automate policy enforcement
  – Detect security breaches in real time
  – Trigger action to reverse the change, disable the user account, and stop the perpetrator
  – Automate the granting and revoking of access rights
Novell Security Solutions Partner (cont.)
• NetVision has a seven-year history of delivering solutions in Directory Management/Integration and Security
  – Currently serves over 500 customers, from the Fortune 1000 to government and education
  – NetVision recognized early on that security solutions are not secure at all unless they are directory-based and directory-enabled
  – Focus on the authentication and authorization heart of the enterprise—the directory—to safeguard digital assets
Benefits of NetVision’s Policy Management Suite
• Eliminates gaps in traditional Intrusion Detection Systems (IDS)
• Leverages the directory to centralize and streamline management of enterprise security
• Delivers real-time monitoring, real-time reporting, and proactive security policy enforcement
Benefits of NetVision’s Policy Management Suite (cont.)
• A turnkey solution which is non-intrusive, easy to implement, and cost effective
• Addresses core needs right out of the box and is fully customizable and extensible
• By filtering out non-critical events or activities, it produces real-time auditing that doesn’t overload network traffic
Benefits of NetVision’s Policy Management Suite (cont.)
• Fortifies authentication and authorization through password strengthening and password synchronization across diverse platforms and systems
• Automates granting and revoking of access privileges and resources (provisioning)
• Lowers cost of security management through automated policy enforcement
Directory-Enabled Intrusion Detection
• FBI/CSI 2000 Computer Crime & Security Survey showed 90% of survey respondents had security breaches in last 12 months, even though 40% of them had IDS systems in place
• 70% had experienced network security breaches that led to theft of confidential information, financial fraud, or sabotage
[Chart: percentage of respondents with all breaches (90%), damaging breaches (70%), no breaches (10%), and IDS systems in place (40%)]
Three-Tiered Intrusion Detection—Host-Based IDS
• Collect and analyze system logs and events originating on host computers like web servers or application servers
• Watch for known security violations that take place
• Focus on internal attacks, which still make up over half of business networks’ security breaches
[Diagram: three IDS tiers, host-based, network-based and directory-based]
Three-Tiered Intrusion Detection—Network-Based IDS
• Analyze data packets that travel across the network and compare them to known attack signatures
• Detect attempted security breaches that originate outside the firewall
• The two-tiered approach (host and network) has been viewed as solid, but both solution classes have inherent weaknesses
Three-Tiered Intrusion Detection—Directory-Based IDS
• Burton Group indicates:
  – OS resource managers (host-based solutions) can’t impose enterprise-wide policies over resources
  – Perimeter products (network-based solutions) have no concept of user identities, permissions, or profiles
  – These gaps have created the demand for a new breed or additional layer in IDS
The Directory-Enabled Control Layer
• The need for a third IDS level: “Unlike the OS resource manager, the Control Layer can implement centrally defined security policies in a consistent manner across multiple platforms. Unlike the perimeter layer, the Control Layer is aware of user identities, user roles and privileges, and fine-grained application functions.”
  The Burton Group Network Strategy Report: Directory Landscape 2002
The Directory-Enabled Control Layer
• The need for a third IDS level—the directory-enabled control layer
  – Directory-based IDS solutions allow centrally defined security policies that are aware of user identities, roles, and privileges
  – NetVision leads the charge in the new IDS security layer and delivers the first directory-enabled IDS solution with the NetVision Policy Management Suite
SANS Institute on IDS Solutions
“The intrusion detection community will continue to move away from the simple signature-based systems that are so prevalent. Rule- and profile-based intrusion detection will start to become more dominant.”
Eugene Schultz, SANS NewsBites January 2002
Secure Audit Trail Technology
• Policy Management Suite securely automates the routine collection of audit data
• Tracks and reports directory, data, and server activity
• Tells who instigated the actions, what the actions were, when the actions occurred, and where the actions took place
• Filtering and reporting occurs in real-time; does not tax network resources with burden of large log files and constant polling
Secure Audit Trail Technology (cont.)
• Secure Audit Trail technology produces filtered events
  – Some solutions yield an unwieldy amount of excess data and logs, creating a disincentive to do auditing
  – NetVision’s solution restricts reporting to information that is pertinent to specific security concerns
  – Delivers only critical event data—a manageable amount to review and securely store
Secure Audit Trail Technology (cont.)
• Variety of reporting methods
  – Ensures that security information remains secure
  – Can be encrypted and sent to an ODBC database
  – Can be sent to a secure web site
  – Audit logs can be sent to and stored on any LDIF directory
  – Reports and alerts can be sent via e-mail or pager to security managers
  – Audit data can be captured in SNMP traps for secure integration with other network management systems
Authorization and Provisioning
• Automates and streamlines the provisioning of new hires and the revocation of network access rights as part of the termination process
• Manages the entire life cycle of user/group management by:
  – Granting a user’s new rights and revoking the previous rights when moving the user from one group to another
  – When an account is added to or removed from a particular group, automatically granting or revoking rights in all other applicable groups
Authorization and Provisioning (cont.)
• Account additions, modifications, deletions (rights, access) in one system (directory) are automatically updated in other applicable systems (directories)
• Performs true cross-platform (bi-directional) synchronization across:
  – eDirectory, Active Directory, NT, iPlanet, Exchange, Notes, GroupWise®
• Provides automated provisioning right out of the box
• Open architecture can be extended to additional systems
Password Synchronization
• Simplifies users’ access to multiple platforms and systems
• Eliminates multiple authentication points
• Decreases user inconvenience and help desk requirements
• Increases security by eliminating multiple passwords and user names
• Flexible naming rules resolve differing user names a user might have on different systems (John_doe and jdoe)
Password Management
• Automates enforcement of password policies
• Prevents weak, easily-hacked passwords
• Policies enforce minimum length, inclusion of special characters, and scheduled password resets
Policy-Based Security Enforcement
• Rather than simply monitoring, auditing, and reporting, the NetVision solution leverages custom policies to automatically respond to and act against potential security threats—to prevent rather than just report
• Provides tools to create and define security policies for unique needs
• Provides standard settings for common threats
• Customize Visual Basic scripts to execute when predetermined conditions occur
• As far-reaching and creative as you want
Proactive Actions
• User accounts automatically terminated when users engage in questionable activities or gain inappropriate rights
• Blocks attempts to change a directory object’s ACL
• Prevents certain file types from being stored on network servers (.MPEG, .JPEG, .GIF, .MP3)
Flexible Policy Execution Provides Both Power and Flexibility
• Inherent filtering capabilities can set thresholds
• Determine when activity moves from innocent to suspicious, to outright malicious
• Block user access only after a set number of failed login attempts
• Audit but don’t initiate alerts for actions below threshold
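The following is an added example, not NetVision or Novell code, showing the event-filtering, threshold and proactive-action behaviour described on the Secure Audit Trail, Proactive Actions and Flexible Policy Execution slides: non-critical events are dropped before they reach the audit trail, failed logins are audited silently below a threshold, alerted at it and the account disabled above it, unauthorised ACL changes are reversed, and disallowed file types are blocked. The event names, the non-critical set, the thresholds, the admin list and all sample events are assumptions constructed for this illustration.

```python
"""Directory-event policy engine: filter, threshold, respond.

Added illustration, not NetVision or Novell code. Event names, the
non-critical set, thresholds, the admin list and all sample events are
assumptions made for this example.
"""
from datetime import datetime, timedelta
from posixpath import splitext

# Events recorded by the host but never escalated; dropped before auditing (assumed set).
NON_CRITICAL = {"LOGIN_OK", "FILE_READ"}

# Failed-login thresholds within a sliding window (assumed values).
FAIL_WINDOW = timedelta(minutes=10)
ALERT_AT = 3     # third failure in the window: audit and alert
DISABLE_AT = 5   # fifth failure: alert and disable the account

# Identities allowed to edit ACLs (assumed); anyone else's change is reverted.
ACL_ADMINS = {"admin"}

# File types policy keeps off the servers (the slide's own list).
DISALLOWED_EXT = {".mpeg", ".jpeg", ".gif", ".mp3"}

# Constructed sample events in who/what/where/when form (not real data).
SAMPLE_EVENTS = [
    {"who": "jdoe",    "what": "LOGIN_OK",     "where": "SRV1",                        "when": "2002-03-01T09:00:00"},
    {"who": "jdoe",    "what": "FILE_WRITE",   "where": "SRV1:/vol1/shared/report.doc", "when": "2002-03-01T09:01:00"},
    {"who": "jdoe",    "what": "FILE_WRITE",   "where": "SRV1:/vol1/shared/song.mp3",   "when": "2002-03-01T09:02:00"},
    {"who": "mallory", "what": "LOGIN_FAILED", "where": "SRV2",                        "when": "2002-03-01T10:00:00"},
    {"who": "mallory", "what": "LOGIN_FAILED", "where": "SRV2",                        "when": "2002-03-01T10:00:30"},
    {"who": "mallory", "what": "LOGIN_FAILED", "where": "SRV2",                        "when": "2002-03-01T10:01:00"},
    {"who": "mallory", "what": "LOGIN_FAILED", "where": "SRV2",                        "when": "2002-03-01T10:01:30"},
    {"who": "mallory", "what": "LOGIN_FAILED", "where": "SRV2",                        "when": "2002-03-01T10:02:00"},
    {"who": "mallory", "what": "LOGIN_FAILED", "where": "SRV2",                        "when": "2002-03-01T11:00:00"},
    {"who": "bob",     "what": "ACL_MODIFY",   "where": "cn=Admin,o=acme",             "when": "2002-03-01T12:00:00"},
    {"who": "admin",   "what": "ACL_MODIFY",   "where": "cn=Admin,o=acme",             "when": "2002-03-01T12:05:00"},
]


class PolicyEngine:
    """Evaluates one event at a time and keeps per-user state between events."""

    def __init__(self):
        self.failures = {}      # user -> timestamps of recent failed logins
        self.disabled = set()   # users whose accounts the engine has disabled

    def handle(self, event):
        """Return the ordered list of actions taken for this event."""
        who, what, where = event["who"], event["what"], event["where"]
        when = datetime.fromisoformat(event["when"])

        # Filtering: non-critical events never reach the audit trail.
        if what in NON_CRITICAL:
            return ["DROP"]
        actions = ["AUDIT"]

        if what == "LOGIN_FAILED":
            # Keep only failures inside the sliding window, then count this one.
            recent = [t for t in self.failures.get(who, []) if when - t <= FAIL_WINDOW]
            recent.append(when)
            self.failures[who] = recent
            # Threshold ladder: audit only, then alert, then alert and disable.
            # Attempts against an already-disabled account always alert.
            if len(recent) >= DISABLE_AT or who in self.disabled:
                actions.append("ALERT")
                if who not in self.disabled:
                    self.disabled.add(who)
                    actions.append("DISABLE_ACCOUNT")
            elif len(recent) >= ALERT_AT:
                actions.append("ALERT")

        elif what == "ACL_MODIFY" and who not in ACL_ADMINS:
            # Unauthorised ACL change: reverse it and raise an alert.
            actions += ["REVERT_ACL", "ALERT"]

        elif what == "FILE_WRITE" and splitext(where.lower())[1] in DISALLOWED_EXT:
            # Disallowed file type: refuse the write but keep the audit record.
            actions.append("BLOCK_FILE")

        return actions

    def run(self, events):
        """Evaluate events in order; returns one action list per event."""
        return [self.handle(e) for e in events]


def audit_trail(events):
    """Audit lines for the events that survive filtering (uses a fresh engine)."""
    engine = PolicyEngine()
    lines = []
    for event, actions in zip(events, engine.run(events)):
        if actions != ["DROP"]:
            lines.append("%s %s %s %s -> %s" % (
                event["when"], event["who"], event["what"], event["where"], ",".join(actions)))
    return lines


if __name__ == "__main__":
    for line in audit_trail(SAMPLE_EVENTS):
        print(line)
```

Run stand-alone, the script prints ten audit lines for the eleven constructed events: the successful login is dropped as non-critical, the third and fourth failures for `mallory` are audited and alerted, the fifth disables the account, the later attempt against the disabled account still alerts even though it falls outside the window, `bob`'s ACL change is reverted while `admin`'s is only audited, and the `.mp3` write is blocked. Reversing a change or disabling an account in a real deployment would call the directory API; here the action names stand in for those calls.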
Solution Components
• Global Event Services (GES)
  – Efficiently gathers data from all areas of the network
  – Event-driven service
  – Tracks all changes (events) to eDirectory, NetWare, and the file system in real time: who, what, where, when
Policy Management Suite
• Fully integrated tools
• Patented technology providing real-time:
  – Directory integration
  – Cross-platform policy enforcement
  – Advanced auditing and reporting
Product Demonstration
• NetVision Policy Management Suite