
How to Implement Secure Guest Access and Enable BYOD without Compromising your Enterprise



Presentation Transcript


  1. How to Implement Secure Guest Access and Enable BYOD without Compromising your Enterprise. Shmulik Nehama, Identity Engines Portfolio Leader, Avaya

  2. The Beginning of Time…

  3. Then came this…

  4. …Anyone here still using a flip phone?
     • Tablet market $45B by 2014 – Yankee 2011
     • 50% of enterprise users interested in or using consumer applications – Yankee 2011
     • Smartphone app revenue to triple by 2014 – Yankee 2011
     Chart figures: 700 000 Android apps; 700 000 iPhone/iPad apps; 119 000 000 tablets in 2012; 491 000 000 smartphones in 2011; 686 000 000 smartphones in 2012; 1 200 000 000 social media users.
     Time Magazine cover, Aug 18 1997: Bill Gates invests $150M to save Apple.

  5. It’s not about saying NO… It’s about staying in control!!
     • NO, sorry, you cannot bring your iPad
     • NO, sorry, you cannot connect outdoors
     • NO, sorry, you cannot do video conferencing
     • NO, sorry, you cannot bring your fancy laptop
     versus
     • YES, please do bring your own iPad
     • YES, please do, you are welcome to use Wi-Fi VoIP
     • YES, please do, you are welcome to use a virtual desktop
     • YES, please do, you are welcome to do mobile collaboration

  6. It is about a solution that combines control and flexibility!! Users

  7. It is about a solution that combines control and flexibility!! Devices

  8. It is about a solution that combines control and flexibility!!

  9. It is about a solution that combines control and flexibility!!

  10. BYOD: Bring Your Own Difficulties. Your difficulties are to find AC outlets.

  11. Avaya Identity Engines: Key Value Points…
     • Vendor Agnostic: Any Network, Any User, Any Device, Wired & Wireless
     • Unified Access: Centralized Policy
     • Guest Access: Audit logs, Self-service, Sponsor / Front Desk
     • BYOD Access: Device On-boarding, Device Fingerprinting, non-802.1x access

  12. Avaya Identity Engines: Key Value Points…
     • Granular Policy Engines: XACML (eXtensible Access Control Markup Language), Local User and Device Store, Flexible RADIUS VSAs (Vendor Specific Attributes)
     • Directory Federation: All major directory servers (AD, RSA, LDAP, eDirectory), Identity Routing
     • High Availability: Active - Active, Active - Standby
     • Virtual Appliance: All-software solution, VMware ESXi, Windows applications

  13. Avaya Identity Engines: Key Value Points…
     • Simple and affordable licensing
     • Network Size License: LITE, SMALL, LARGE
     • Feature License: TACACS+, Posture, Guest Manager, Access Portal & CASE Wizard, Analytics
     No per-user license, no per-device license.

  14. Identity-based Access Control… with Identity Engines
     • Role-based Access
     • Case 1, Employee with corporate laptop: IF (identity = HR employee) AND IF (device = corp laptop) AND IF (medium = wired) THEN GRANT FULL ACCESS
     • Case 2, Employee with personal iPad: IF (identity = HR employee) AND IF (device = personal iPad) AND IF (medium = wireless) THEN GRANT LIMITED ACCESS

  15. Automating network access has a direct impact on reducing the cost of change
     • Each access port is not assigned until a user/device attempts access.
     • Once authenticated & authorized, the user/device is granted the appropriate access level.
     • MAC address lookup:
       • Ignition Server local store
       • Manual input
       • Wildcards (e.g. Avaya IP Phones 00:04:0d* and Cisco IP Phones 00:15:62*)
       • Import CSV file with list of MAC addresses and other device attributes
       • Access Portal auto-populate
     Diagram: Enterprise Network with endpoint types Visitor or Business Partner, IP Phone, Personal Machine, Corporate Desktop, Network Printer, Network Device, Wireless Access Point, Surveillance Camera, Fax Machine, Medical Device, Local Server/App, Guests & Guest Devices.
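The two slides above describe the decision logic in words: classify the endpoint (exact MAC entry, MAC wildcard such as 00:04:0d*, or the fingerprint reported by the Access Portal), then match identity, device and medium against ordered rules, defaulting to deny. The following is an added illustration of that logic, not Avaya's code; the device store, rule table, MAC addresses and access-level names are constructed for the example.

```python
import fnmatch
from typing import Optional

# Constructed device store modelled on the slide's MAC lookup: exact entries
# plus wildcard (OUI prefix) entries. The two wildcards are the ones quoted on
# the slide; the exact entry is made up for the example.
MAC_STORE = {
    "00:04:0d*": "ip-phone",             # Avaya IP phones
    "00:15:62*": "ip-phone",             # Cisco IP phones
    "a4:5e:60:11:22:33": "corp-laptop",  # constructed exact entry
}

# Constructed rules modelled on slide 14: (identity, device, medium) -> level.
# "*" matches anything; first matching rule wins; no match means deny.
RULES = [
    ("HR employee", "corp-laptop",   "wired",    "FULL"),
    ("HR employee", "personal-ipad", "wireless", "LIMITED"),
    ("*",           "ip-phone",      "wired",    "VOICE-VLAN"),
    ("guest",       "*",             "wireless", "INTERNET-ONLY"),
]


def classify_device(mac: str, fingerprint: Optional[str] = None) -> str:
    """Exact MAC entry first, then wildcard entries, then the portal's
    fingerprint (if any), else 'unknown'. The local store outranks the
    fingerprint because the store is administrator-curated."""
    mac = mac.lower()
    if mac in MAC_STORE:
        return MAC_STORE[mac]
    for pattern, dev_type in MAC_STORE.items():
        if "*" in pattern and fnmatch.fnmatchcase(mac, pattern):
            return dev_type
    return fingerprint or "unknown"


def decide(identity: str, mac: str, medium: str,
           fingerprint: Optional[str] = None) -> str:
    """Return the access level for an access attempt, or 'DENY'."""
    device = classify_device(mac, fingerprint)
    for want_id, want_dev, want_med, level in RULES:
        if (want_id in ("*", identity) and want_dev in ("*", device)
                and want_med in ("*", medium)):
            return level
    return "DENY"  # default deny: unmatched combinations get nothing
```

Note that the same HR employee on the same wireless medium is granted LIMITED access with a personal iPad but denied with a personal BlackBerry, matching the authorization outcome shown on the Access Portal slide later in the deck.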

  16. Identity Engines: Authenticated Network Architecture (diagram). Policy Enforcement Point, Policy Decision Point, Policy Information Point; Network Abstraction Layer; Directory Abstraction Layer; Guest Access Mgmt, Posture Assessment, Reporting & Analytics, Access Portal, CASE Wizard.

  17. Identity Engines: Authenticated Network Architecture
     • Identity Information Sources: Active Directory, Novell eDirectory, Sun Directory, Oracle Internet Directory, Generic LDAP, Kerberos, RSA SecurID, Token Based Services, RADIUS Proxy
     Diagram: Ignition Access Portal, Wired, Wireless, VPN, Firewall, Corporate Resources, Ignition Server, Ignition Analytics, Ignition Guest Manager, Ignition Dashboard.

  18. Identity Engines: Ignition Server
     • Centralized, standards-based policy engine
     • Vendor agnostic
     • Highly-available AAA appliance for identity-based network access control
     • RADIUS integration with all enterprise network equipment
     • Quick and deep integration with major directories
     • Detailed logging and troubleshooting capabilities
     • Hitless upgrades where appropriate
     • VMware virtual appliance with support for VMware ESX(i)

  19. Ignition Dashboard: Access Policy
     • Access Policy = Authentication Policy + Identity Routing + Authorization Policy & Posture Policy

  20. Ignition Dashboard: Detailed Logs

  21. Identity Engines: Guest Manager
     • Guest Manager is a Web-based application that manages temporary network accounts for visitors.
     • Provisioning/de-provisioning in 10 sec
     • Front-desk or Guest Self-service
     • Activation options: Immediate activation, Future activation, Account duration time, Activate on first login
     • Choose any access method to implement: Wireless, Wired, and VPN
     • Track Users: Guests, Consultants, Contractors
     • Complete detailed logs

  22. Identity Engines: Guest Manager Administration
     • Multiple Guest Managers may be deployed: against a single instance of the Ignition Server, under a single Guest Manager license
     • Authorization policies for guests are in the Ignition Server
     • Guest Manager Administrator: creates provisioners, creates provisioning templates, assigns provisioning templates to provisioners
     • Guest Manager Provisioners: may be internal or external (i.e. on LDAP / AD etc.), single or bulk provisioning
     • Provisioners are frequently called sponsors because they sponsor guests.

  23. Identity Engines: Guest Manager Administration
     • Administration: Notification options, Password complexity, Password generation, Username generation, Users bulk load, Expiration, Activation

  24. Identity Engines: Ignition Access Portal
     • Access Portal can be deployed for the following use cases:
       • Access without 802.1x enablement
       • Contractor & Employee Access with different modes of 802.1x enablement
       • CASE Wizard hosting for auto-configuration of 802.1x
       • iOS Profile file hosting (from Apple iPhone/iPad Configuration Utility)
       • BYOD On-boarding of managed and un-managed consumer devices: attributes, device profiling, auto-registration, auto-updates
     • Serves as a Captive Portal for non-802.1x clients
     • Unifies Wired and Wireless access
     • Performs device fingerprinting
     • BYOD On-boarding
     • Hosting place for the CASE Wizard

  25. Identity Engines: Ignition Access Portal
     • Device Fingerprinting
       • Access the Captive Portal on the IN interface for wired and wireless users
       • User opens a browser and enters corporate or guest account credentials
       • User is authenticated against the Ignition Server
       • If authentication succeeds, the user session is inline through the OUT interface
       • Upon successful authentication, Access Portal, if enabled, also performs profiling of the user device and sends the device FINGERPRINT to the Ignition Server
       • Device Type, Device Sub-Type, Device OS, Device OS Version
       • New Avaya RADIUS VSAs are used for sending the device fingerprint
       • If trusted, the Ignition Server automatically creates a device fingerprint record

  26. Identity Engines: Ignition Access Portal. Device Fingerprinting (diagram, same bullets as slide 25): wireless and wired user devices reach the Access Portal IN interface, where HTTP capturing and device profiling take place; the Access Portal talks RADIUS to the Ignition Server; the OUT interface carries the authenticated session; a separate ADMIN interface is shown.

  27. Identity Engines: Ignition Access Portal
     • Multiple Access Portals may be deployed: against a single instance of the Ignition Server, with a single Access Portal license
     • Device Profiling: the administrator will be able to set the Access Portal to perform device profiling of wired and wireless devices
     • Device fingerprinting: Device Type, Device Sub-Type, Device OS, Device OS Version; device attributes are sent to the Ignition Server for registration and association with the user
     • BYOD On-boarding: auto-registration of Guest Visitor and Employee Guest devices; device profiling of registering devices; auto-association of devices with guest / employee records in the Ignition Server; populating device records in the Ignition Server with device profile attributes

  28. Identity Engines: Ignition Access Portal. Authorization Policy on the Ignition Server
     • Employee with personal iPad will gain access with
     • Employee with personal Blackberry will NOT gain access with

  29. Identity Engines: Ignition Access Portal
     • Pages Customization: Login page, Success page, Failure page

  30. Identity Engines: Ignition CASE Wizard
     • CASE = Client Access to the Secure Enterprise
     • A transient application to automate configuration of managed and un-managed Windows devices: auto-config of 802.1x, auto-config of MS-NAP, dissolvable application, revertible or permanent configuration, wired and / or wireless
     • Network Profiles & Packages: a set of network and security settings that define how a user connects to a particular defined network. This profile is saved as an XML file and bundled into a CASE package, which in turn applies the settings to the user’s computer system.

  31. Identity Engines: Ignition CASE Wizard

  32. Identity Engines: Ignition CASE Wizard
     • CASE Wizard package hosted on a customer internal web site or on the Access Portal
     • Different packages may be created for different network connectivity needs
     • Exit Behavior: CASE Wizard may be customized to either exit or reside in the System tray
     • Revert Settings: CASE Wizard may be customized to let the user revert the settings; reverting is achieved by clicking “Revert Settings” in the System Tray

  33. Identity Engines: iOS Devices
     • Apple configuration utility for iOS devices
     • Config profile contains settings: Passcode policies, Restrictions on device features, Wi-Fi settings, VPN settings, Exchange ActiveSync, Credentials and keys, More…
     • Ways to deploy config profiles: physically connecting to the device, in an email message, on a webpage, over the air

  34. Identity Engines: BYOD Examples
     • Access Portal for IT registration of managed devices: IT login w/Admin credentials; device attributes captured; associate device with Device Group in the Dashboard; hand over device to employee
     • Access Portal for Employee registration of un-managed devices: Employee login w/AD; device attributes captured; config option with CASE for Windows or iOS; employee access via 802.1x or Access Portal
     • Policy in Ignition Server handles access
     Diagram: Ignition Access Portal, Wired, Wireless, VPN, Ignition Server, Firewall, Corporate Resources, Ignition Guest Manager.

  35. Real Life Avaya Use-case: Self-Service Guest Wi-Fi Access
     • Wi-Fi access as a self-service based on Identity Engines Guest Manager & Access Portal
     • Avaya Wi-Fi Guest Access Management, Identity Engines R8.0, live in Santa Clara & Basking Ridge campuses, on Avaya WLAN infrastructure
     • Option 1: Guest self-service
     • Option 2: Employee sponsor, www.avaya.com/sponsor

  36. Identity Engines: Resources
     • Product Management: Shmulik Nehama, Email snehama@avaya.com, Office 408-496-3110, Mobile 408-569-3635
     • YouTube Video: http://www.youtube.com/watch?v=0ZrMOqzGMpE
     • 30-day free trial: www.avaya.com/identitytrial
     • Long-term lab licenses available from product management

  37. Live Demo

  38. Identity Engines: Santa Clara Lab Topology (Rack F-14). Diagram: a Dell server running VMware ESX 4.1 hosts the Ignition Server, Guest Manager, CASE Administration and an AD server (Windows 2008); the Access Portal runs on FreeBSD with IN, OUT and ADMIN interfaces; an ERS 2550PWR NAC switch, a secure router, two DHCP servers, four NAC clients (Windows 7, Windows XP, Red Hat Enterprise Linux) and a Windows 2003 secure zone are connected on separate VLANs with Internet access via the router.

  39. Identity Engines: Santa Clara Lab Topology. Same diagram as slide 38, with the administration paths added: Remote Desktop to the lab, the VMware vSphere Client, the Ignition Dashboard, and a web browser for the Ignition Server, Guest Manager, Access Portal, NAC clients and NAC switch.
