1 / 48

Network Access and the Acronym Soup – NAC, MDM, SBC & SSO

Network Access and the Acronym Soup – NAC, MDM, SBC & SSO. Shmulik Nehama, Identity Engines Portfolio Leader Avaya. Agenda. The Acronym Soup Network Access Control Mobile Device Management Session Border Control Single Sign On Resources. Disclaimer

jenski
Télécharger la présentation

Network Access and the Acronym Soup – NAC, MDM, SBC & SSO

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Network Access and the Acronym Soup – NAC, MDM, SBC & SSO Shmulik Nehama, Identity Engines Portfolio Leader Avaya

  2. Agenda • The Acronym Soup • Network Access Control • Mobile Device Management • Session Border Control • Single Sign On • Resources Disclaimer Some of the material provided in this presentation is looking forward and may be subject to change without advance notice!

  3. The Acronym Soup NAC Network Access Control MDM Mobile Device Management SBC Session Border Control SSO Single Sign On Authenticates & authorizes network access of users and any network attached device (IP phones, medical devices, user devices, printers etc.). Dynamically provisions the network to contain the access of users and the network attached devices MDM manages mobile devices in the context of which applications should / should not be on user handheld devices, password management, patch and software management. MDM manages mobile device data and apps but NOT control / provisions the network for access Provides network security for SIP-based applications without the need for a VPN client on the accessing device. Controls access of UC applications (NOT network access of users / devices) Single Sign On (SSO) is an area of access control that enables users to login once and/or with same enterprise credentials and gain access to applications without being prompted to login again at each of them and/or without the need to maintain different set of credentials. Avaya Solution Avaya Solution Avaya Solution Avaya Solution • DevConnect • (MobileIron) • Avaya SessionBorder Controller Avaya Identity Engines Avaya Identity Engines

  4. The Acronym Soup NAC Network Access Control MDM Mobile Device Management SBC Session Border Control SSO Single Sign On Authenticates & authorizes network access of users and any network attached device (IP phones, medical devices, user devices, printers etc.). Dynamically provisions the network to contain the access of users and the network attached devices MDM manages mobile devices in the context of which applicationsshould / should not be on user handheld devices, password management, wipe out and software. MDM manages mobile device data and apps but NOT control / provisions the network for access Provides network security for SIP-based applications without the need for a VPN client on the accessing device. Controls access of UC applications (NOT network access of users / devices) Single Sign On (SSO) is an area of access control that enables users to login once and/or with same enterprise credentials and gain access to applications without being prompted to login again at each of them and/or without the need to maintain different set of credentials. Avaya Solution Avaya Solution Avaya Solution Avaya Solution • DevConnect • (MobileIron) • Avaya SessionBorder Controller Avaya Identity Engines Avaya Identity Engines

  5. The Acronym Soup Network Access Control Mobile Device Management Session Border Control Single Sign On Resources Agenda

  6. What is it? • Network Access with policies, controls and provisions access to a network • Including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do • Role-based Access is where access to the network is given according to profile of the person and the results of a posture / health check. • e.g. in an enterprise, the HR dept could access only HR dept files if both the role & endpoint meets anti-virus being up-to-date.

  7. Enterprise Networkw/Multiple Policy Enforcement Locations • Multiple repositories of identity information • Multiple locations of enforcement points • Challenges with in providing access to • Guest Access • Contractors Access • Challenges in implementing consistent access behavior across the network • Challenges with mergers and acquisitions Enterprise Network with Multiple Constituents and Policy-Enforcement Locations

  8. Enterprise Networkw/Centralized Identity and Policy Services • Network Access Control is centralizationof both identity and policy information in a single location • Simplification • Consistency • Facilitate self-service Guest Access • IT Hands-off • Contractor Access Identity and Policy Service in theEnterprise Network

  9. Why is it important? 1. Define roles • Granular Control • Network operators define policies, such as roles of users and the allowed network areas to access and enforce them based in switches, WLAN Controllers etc. • Enhanced Security • Ability to prevent access from end-stations that do not meet security posture requirements • Regulatory Compliance • Enforce access policies based on authenticated user identities 2. Define network access level

  10. Network Access Features • It is not only about users and their devices but also about any network attached device • Each access port is not assigned until a user/device attempts access. • Once authenticated & authorized, user/device is granted appropriate access level. EnterpriseNetwork Visitor or Business Partner IP Phone Personal Machine Corporate Desktop Network Printer Network Device Wireless Access Point Surveillance Camera Fax Machine Medical Device Local Server/App Guests & Guest Devices

  11. Typical Network Access Architecture PolicyEnforcement Point PolicyDecision Point PolicyInformation Point NETWORK ABSTRACTION LAYER DIRECTORY ABSTRACTION LAYER Guest Access Mgmt Posture Assessment Reporting & Analytics Access Portal CASE Wizard Identity Engines

  12. Network Access Features Basic Features • Authentication & Authorization • Guest Access Management • Posture Compliance • Compliance checking for un-managed devices e.g. BYOD • Reporting and Analytics • Directory Federation Advanced Features • Unified Solution for wired and wireless network access • IT Hands-Off self-service Guest access management • Device Finger-printing • BYOD On-boarding • High Availability

  13. SPB Network Access Automation CAMPUS BRANCH UC Zone Corporate Zone Guest Zone Contractor Zone DATA CENTER DATA CENTER • User connects to edge switch • User placed on a VLAN • VLAN mapped to an ISID • Done! 1 2 3 CAMPUS BRANCH

  14. Multi-Host Multi-Authentication • MHMA is a network switch capability where Identity Engines separately authenticates and authorizes multiple clients connected to a switch port • Each client must completeEAP authentication beforethe port allows traffic fromthe users MAC address,only traffic from authorizedhosts is allowed • Enables to direct multiple hosts on a single port to different VLAN’s. Used for separating voice and data traffic on the same port

  15. The Acronym Soup Network Access Control Mobile Device Management Session Border Control Single Sign On Resources Agenda

  16. What is it? • Mobile Device Management (MDM) secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises. • MDM functionality typically includes over-the-air distribution of applications, data and configuration settings for all types of mobile devices • Smart-phones, tablets, mobile printers, mobile POS devices, etc

  17. Why is it important? • Reduce support costs and business risks • Control and protect the data and configuration settings for all mobile devices in the network • Manage devices • IT can use MDM to manage the devices over the air with minimal intervention in employee schedules • Visibility • With mobile devices becoming present “everywhere” and applications flooding the market, mobile monitoring is growing in importance. Support Saying YESto BYOD

  18. …Anyone here still using flip phone? • Tablet market $45B by 2014– Yankee 2011 • 50% Enterprise users interested in or using consumer applications– Yankee 2011 • Smartphone app revenue to triple by 2014– Yankee 2011 700 000 700 000 119 000 000 491 000 000 686 000 000 1 200 000 000 Android apps iPhone/iPad apps Tablets in 2012 Smartphones in 2011 Smartphones in 2012 Social Media Users Time Magazine cover Aug 18 1997. Bill Gates invests $150M to save Apple.

  19. Typical MDM Solution • Server & Client Components • Server componentsends out management commands to devices • Client component runson device to receive and implement commands • Must have an agentinstalled and maintained • Constant 24x7 race after device and OS updates • Deployment -- On-premise and Cloud based solutions

  20. MDM Capabilities Basic Features • Inventory Management & Real Time Reporting • Setting Passcode Policies • Remote Lock and Full Wipe • Remote Selective Wipe • Configuration of Email, Wi-Fi, VPN, Certs. • Email Access Controls • Jail-broken / Rooted Device Detection Advanced Features • Enterprise App Catalog • App Blacklisting / Whitelisting • Secure Document Sharing • Geo Location • Event-based Security and Compliance Rules Engine • Roaming Usage • Dual Persona  separate Personal vs. Corporate content • Monitor access to App Store • Data encryption

  21. MDM Market Landscape • 100+ vendors who claim some level of MDM functionality • 20 vendors in Gartner MDM MQ • Noneof the Networking vendors provide true MDM capabilities • Requires to keep-up with intense pace of mobile device market updates and innovation

  22. MDM Capabilities and the Use Cases • Cross platform device support • Configuration management • Device monitoring • License control • Software distribution • Inventory & asset control MDM requirements vary depending on use case

  23. MDM Capabilities and the Use Cases data encryption, dual persona, selective wipe strongly regulated e.g. Finance, defense non-regulated organizations (e.g. retail) small number of mobile users organizations w/ very large number of mobile users detect OS & version, installed apps, roaming usage, content, device wipe MDM requirements vary depending on use case

  24. Avaya’s MDM strategy Avaya Flare & one-XC Applications on user devices • Today • Avaya Flare and one-XC Applications interoperability tested with MobileIron • Tomorrow • Identity Engines MDM integration with top vendors • Ignition Server will query mobile device attributes from the MDM and make attributes part of the Access Policy

  25. Avaya’s MDM strategy MDM

  26. Avaya’s MDM strategy Identity EnginesAccess Policy MDM

  27. The Acronym Soup Network Access Control Mobile Device Management Session Border Control Single Sign On Resources Agenda

  28. What is it? • A device or application that governs the manner in which calls, also called sessions, are initiated, conducted and terminated in a VoIP network. • An SBC can facilitate VoIP sessions between phone sets or proprietary networks that use different signaling protocols. • An SBC can include call filtering, bandwidth use management, firewalls and anti-malware programs to minimize abuse and enhance security

  29. Why is it important? Mobile Collaboration Security Threats • Denial of Service • Call/registration overload • Malformed messages (fuzzing) • Configuration errors • Misconfigured devices • Operator and application errors • Theft of service • Unauthorized users • Unauthorized media types • Viruses and SPIT • Viruses via SIP messages • Malware via IM sessions • SPIT – unwanted traffic Enterprise Adoptionof Collaboration Tools Source: Nemertes Research

  30. UC Security – Should You Care? Credit card privacy rules: other compliance laws require security architecture specific to VoIP and other UC. In 2010 50% Increase In VoIP hacking at new levels Up to 25%of attacks VoIP scanning - botnets, Cloud used for VoIP fraud  Huge Bills Reduce Deployments by 1/3 VoIP / UC security reduces VoIP / UC deployment timeby one third Collection of Analysts (Yankee survey & Aberdeen) Toll fraud: yearly enterpriselosses in Billions inadequate securing of SIP trunks, UC and VoIP applications5

  31. OSI Model - 7 Layers of Attacks Think of OSI model as a 7 foot high jump • Typical firewall protection • Layer 3-4 protection • Emerging layer 7 FWs • Email spam filters layer 7 application specific email firewall • SIP, VoIP, UC layer 4 to layer 7 application • SIP Trunking - a trunk side application • SIP Line (phone) side (internal and external) access another application Wikipedia on 22Jul2011: http://en.wikipedia.org/wiki/OSI_Model Avaya SBCE provides a VoIP/UC trunk/line side layer 4-7 application protection

  32. Agenda Application LevelSecurity Proxy(Policy Application,Threat Protection Privacy,Access Control) Firewall Firewall Avaya SBCE Complements Existing Security Architecture

  33. Session Border Control Use Cases Use Cases SIP Trunking Remote Worker CS1000 Avaya SBCfor Enterprise SIP Trunking SIP Trunking Avaya SBCfor Enterprise SIP Trunking Avaya SBCfor Enterprise SIP Trunking Avaya SBCfor Enterprise

  34. SBC Use Cases – SIP Trunking • Use Case: SIP Trunking to Carrier • Carrier offering SIP trunks as lower-cost alternative to TDM Enterprise Internet DMZ SIP Trunks IPPBX Carrier Firewall Firewall Avaya SBCE • Carrier SIP trunks to the Avaya SBC • Avaya SBC located in the DMZ behind the Enterprise firewall • Services  security and demarcation device between the IP-PBX and the Carrier • NAT traversal • Securely anchors signaling and media, and can • Normalize SIP protocol

  35. Secure Remote Worker with BYOD Avaya Aura Conferencing • Avaya Aura® Aura Messaging PresenceServer Communication Manager SystemManager Session Manager Avaya SBCE • Personal PC, Mac or iPad devices • Avaya Flare®, Avaya one-X® SIP client app • App secured into the organization,not the device • One number UC anywhere Untrusted Network (Internet, Wireless, etc.)

  36. Secure Remote Worker with BYOD • Use Case: Remote Worker • Extend UC to SIP users remote to the Enterprise • Solution not requiring VPN for UC/CC SIP endpoints Enterprise Internet DMZ IPPBX Remote Workers Firewall Firewall Avaya SBCE • Remote Worker are external to the Enterprise firewall • Avaya Session Border Controller for Enterprise • Authenticate SIP-based users/clients to Aura Realm • Securely proxy registrations and client device provisioning • Securely manage communications without requiring a VPN

  37. The Acronym Soup Network Access Control Mobile Device Management Session Border Control Single Sign On Resources Agenda

  38. What is it? Single Sign On (SSO) is a property of access control that enables users to login with one set of enterprise credentials and gain access to systems without being prompted for different credentials or login again. Maintaining one set of credentials and reducing multiple logins.

  39. Why is it important? • Reduces password fatigue from different user name and password combinations • Reduces time spent re-entering passwords for the same identity • Reduces IT costs due to lower number of IT help desk calls about passwords

  40. Single-Sign-On EnterpriseIdentity Realm • 3rd Party Web Sites • ERP • Salesforce • EnterpriseDirectoryInfrastructure • HRM • Social Media • CRM WebSingle-Sign-On LocalSingle-Sign-On • Social Media • Intranet Applications

  41. Single-Sign-On • Current Situation • The enterprise and Aura realms are separate where each app has its own notion of user identity, credentials and manages them separately. • Integration with enterprise AAA is difficult, inconsistent and brittle EnterpriseIdentity Realm • EnterpriseDirectoryInfrastructure Aura ApplicationsIdentity Realm • CM • SM • PS • AAC

  42. Single-Sign-On • Customers Want • Users to authenticate to enterprise AAA service • Minimize the number of user identities and credentials • Minimize and standard approach to authentication & credential mgmt • Consistent user experience EnterpriseIdentity Realm • EnterpriseDirectoryInfrastructure Aura Applications • CM • SM • PS • AAC

  43. Stepping Identity Engines Up into the Applications Access • Incorporating SAML as an authentication protocol • Web Clients • Think Clients • Introducing the concept of Identity Provider for Applications • Introducing the concept of Service Providers • Focus on Aura UC Applications • Flare • One-X Communicator • Avaya Aura Conferencing

  44. Agenda • Network Access • Mobile Device Management • Network Access Control • SIP Security • Single Sign On • Resources

  45. MDM Mobile Device Management NAC Network Access Control SBC Session Border Controller SSO Single Sign On • “Avaya is the company that is stepping in with a true, holistic BYOD proposalthat covers all the pieces.” • Zeus Kerravala, ZK Research

  46. Resources • Identity Engines Product Management • Shmulik Nehama • snehama@avaya.com • Session Border Controller Product Management • Jack Rynes • jrynes@avaya.com • Secure BYOD YouTube Video • http://www.youtube.com/watch?v=0ZrMOqzGMpE

More Related