Visibility, control and response · Understanding Connectivity Options (slide deck transcript)
Posted on 27-May-2020
Transcript
Visibility, control and response: Protecting Clients and Unifying Policy
Tomas Muliuolis, Baltics Lead
September 2018
Slide 2 (Sensitivity: Internal)
Today's Escalating Customer Challenges
• Advanced attacks and unforeseen threats continue to plague customers
• Lack of unified network and endpoint visibility hampers time to detect and remediate
• Point solutions add complexity and overload security IT personnel
Slide 3
Different Network Elements Must Work Together
• Real-time sharing of context provides visibility for accurate policy enforcement
• Tightly integrated workflows between security protection tools, for efficiency and speed
• Holistic approach to access control, regardless of location, time or device
Slide 4
INTRODUCING THE ARUBA 360 SECURE FABRIC: Open, Analytics-driven Security for the Mobile, Cloud, and IoT Era
• Aruba Mobile First Infrastructure with Aruba Secure Core: Secure Boot | Encryption | DPI | VPN | IPS | Firewall
• ClearPass | IntroSpect: Discover, Authorization and Integrated Attack Detection and Response
• Analytics: Supervised and Unsupervised Machine Learning
• Aruba 360 Security Exchange: 3rd Party Infrastructure
New Version!
360º active cyber protection and secure access from the edge, to the core, to the cloud, for any network
Slide 5
ClearPass at a Glance
VISIBILITY
• Know what's connected and connecting in your wired & wireless multivendor environment
CONTROL
• Reduce risk and workload through automation
• All devices are authenticated or authorized – NO UNKNOWN DEVICES
RESPONSE
• Adaptive response, brokering best-of-breed security solutions
Slide 6
ClearPass Policy Manager - What's Built-in!
Services
- Policy Engine
- 802.1X
- MAC Auth
- Guest
- TACACS+
- Profiling
- Context Database
- 100+ RADIUS dictionaries
IT Tools
- Policy Simulation
- Access Tracking
- Template-based policy creation
- LDAP Browser
- Per Session Logs
- Advanced Reporting
- AirGroup (Bonjour/DLNA)
Security Exchange (3rd Party Integration)
- APIs
- Syslog Feeds
- Extensions
- Ingress Events
- 100+ Partners
Slide 7
ClearPass Expandable Applications (Now Bundled With Access License)
Onboard, Guest, OnGuard:
• Automated workflows
• Enhanced security for BYOD and guests
• Rules by user role and device types
Slide 8
Understanding Connectivity Options
• Customers want to manage what devices connect
• Only some devices support 802.1X supplicants
• 50% of IoT may be wired
• ClearPass supports any customer infrastructure and need
Slide 9
OnConnect for Wired Non-RADIUS Enforcement
Diagram: Aruba ClearPass applies SNMP enforcement to switch ports with no 802.1X, placing devices into e.g. a Printer VLAN or an Infusion Pump VLAN, alongside existing 802.1X wired/wireless support.
• Built-in device-centric security for all non-AAA ready customers
• Easy to configure on legacy multivendor switches
• Leverages ClearPass profiling for wired/wireless - IoT, laptops, mobile phones
Slide 10
Technology Partners
Secure Connections: Authentication Before Access
Diagram: Aruba ClearPass with existing 802.1X wired/wireless support.
• Multivendor support for all 802.1X ready wired and wireless customers
• Secure encrypted wireless access
• Built-in ClearPass profiling - IoT, laptops, mobile phones
• Easy to use policy creation templates
Slide 11
Comprehensive Profiler Methods: Helps ensure accurate fingerprints
Passive Profiling
– DHCP Fingerprinting (MAC OUI & Certain Options): via AOS IF-MAP Interface, DHCP Relay or SPAN
– HTTP User-Agent: via AOS IF-MAP Interface, SPAN, Guest and Onboard Workflows
– TCP Fingerprinting (SYN, SYN/ACK): via SPAN
– ARP: via SPAN
– Cisco Device Sensor
– Netflow/IPFIX/sFlow: identifies open ports
Active Profiling
– Windows Management Instrumentation (WMI)
– Nmap
– MDM/EMM
– SSH
– ARP Table: via SNMP
– MAC/Interface Table: via SNMP
– CDP/LLDP Table: via SNMP
New!
New!
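As an added example (not ClearPass code), this is how the passive DHCP fingerprinting listed above works in practice, with a site-specific custom fingerprint of the kind the next slide calls for layered on top: the parser reads the option field of a DHCP message, and the classifier combines the MAC OUI with option 55 (parameter request list) and option 60 (vendor class). The OUI table, fingerprint table, custom rule and sample packet are all constructed for illustration, not real vendor data.

```python
# Passive DHCP fingerprinting (added example, not ClearPass code). A client is
# classified from its MAC OUI plus DHCP option 55 (parameter request list) and
# option 60 (vendor class); a site-specific custom rule is checked first.
# Every table below and the sample packet are constructed for illustration.

OUI_TABLE = {"00:11:22": "ExampleCam"}              # constructed OUI -> vendor
FINGERPRINTS = {                                    # constructed option-55 -> OS
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "Windows",
    (1, 121, 3, 6, 15, 119, 252): "Apple",
    (1, 3, 6, 12, 15, 28, 42): "Embedded Linux",
}
# Custom fingerprint (the "new way"): (vendor, vendor-class prefix) -> device type.
CUSTOM_RULES = {("ExampleCam", "udhcp"): "IP Camera"}


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value} from a DHCP option field (bytes after the magic cookie)."""
    opts, i = {}, 0
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def fingerprint(mac: str, options: bytes) -> dict:
    """Classify one client from its MAC and the option field of its DHCP DISCOVER/REQUEST."""
    opts = parse_dhcp_options(options)
    vendor = OUI_TABLE.get(mac.upper()[:8], "unknown")
    vendor_class = opts.get(60, b"").decode("ascii", "replace")
    os_guess = FINGERPRINTS.get(tuple(opts.get(55, b"")), "unknown")
    device_type = next((t for (v, prefix), t in CUSTOM_RULES.items()
                        if v == vendor and vendor_class.startswith(prefix)), os_guess)
    return {"vendor": vendor, "os": os_guess, "device_type": device_type,
            "hostname": opts.get(12, b"").decode("ascii", "replace")}


# Constructed option field: message type DISCOVER, hostname, option 55, vendor class, end.
SAMPLE = (b"\x35\x01\x01" + b"\x0c\x09cam-lobby" + b"\x37\x07\x01\x03\x06\x0c\x0f\x1c\x2a"
          + b"\x3c\x0cudhcp 1.30.1" + b"\xff")
```

Calling `fingerprint("00:11:22:33:44:55", SAMPLE)` yields device type "IP Camera" from the custom rule, while the same packet from an unknown OUI falls back to the generic "Embedded Linux" fingerprint.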
Slide 12
Custom Fingerprinting – Solving IoT Issues
OLD WAY: Wait for new Fingerprints to be made and/or manually override devices 1:1
NEW WAY: Create your own Fingerprints!
Slide 13
Adaptive Policy Using Device Ownership
Diagram: an Enterprise Laptop and a BYOD Phone both authenticate with EAP-TLS on SSID CORP-SECURE; one is granted Internet Only, the other Internet and Intranet.
Slide 14
Adaptive Policy Using Device Ownership
Diagram: Enterprise Laptop and BYOD Phone, both Authentication EAP-TLS, SSID CORP-SECURE; outcomes Internet Only vs. Internet and Intranet.
1. Uses same identity store and EAP type
2. Leverages profiling and owner data
3. No need for separate SSIDs
4. Works at the office and over VPN
Slide 15
ClearPass Exchange Continues to Grow
Diagram of Exchange partner categories around ClearPass, client devices and IoT devices:
• Infrastructure: network controls using real-time device data
• MDM / EMM: visibility into location and time with granular controls
• Next-Gen Perimeter Defense: granular traffic control with user and device data
• SIEM, Automation, MFA: visibility and interactive control features
Slide 16
ClearPass Exchange MDM/EMM Partners
Diagram: MDM (device and app management) alongside ClearPass Policy Management (network access), linked by the ClearPass MDM Connector.
MDM – Device and App Management: Device Wipe, Jailbreak Detection, Push / Control Apps, App Blacklist
ClearPass – Network Access: Access Visibility, Agentless Onboarding (IT & BYOD), App Auto Sign-On, Policies Using Device Attributes (Jailbreak Status, Profile etc.), Access Enforcement (Deny/Allow), User/Device Roles, Context-Based Policy
Slide 17
ClearPass Exchange MDM/EMM Partners
Diagram: MDM (Device Wipe, Jailbreak Detection, Push / Control Apps, App Blacklist) feeding ClearPass Policy Management.
Workflow: jail-broken device detected (1); ClearPass denies access to the device; helpdesk ticket and message to the device auto generated (2, 3).
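Added example, not ClearPass code: one way to express the adaptive policy from the device-ownership slide and the MDM jailbreak workflow above as a single decision function. It assumes the corporate-owned laptop receives Internet and Intranet and the BYOD phone Internet Only, and the endpoint context table (profiling category, owner, MDM attributes) is constructed.

```python
# Adaptive policy evaluation (added example, not ClearPass code): one SSID and one
# EAP type for every user; the role and enforcement come from the ownership and
# MDM context held about the endpoint. ENDPOINT_DB is a constructed stand-in for
# the profiling, ownership and MDM data ClearPass would hold.
from dataclasses import dataclass, field

ENDPOINT_DB = {  # constructed: MAC -> profiling category, ownership, MDM attributes
    "AA:BB:CC:00:00:01": {"category": "Laptop", "owner": "corporate", "mdm": {}},
    "AA:BB:CC:00:00:02": {"category": "SmartPhone", "owner": "personal",
                          "mdm": {"jailbroken": False}},
    "AA:BB:CC:00:00:03": {"category": "SmartPhone", "owner": "personal",
                          "mdm": {"jailbroken": True}},
}


@dataclass
class Decision:
    allowed: bool
    role: str
    access: str                                   # what the role is granted
    actions: list = field(default_factory=list)   # follow-up actions brokered by ClearPass


def evaluate(mac: str, auth_method: str, ssid: str, nas_type: str = "wireless") -> Decision:
    """Map one access request to a role and enforcement using endpoint context."""
    # Same identity store and EAP type for everyone: EAP-TLS on CORP-SECURE, or via VPN.
    on_corp_ssid = nas_type == "wireless" and ssid == "CORP-SECURE"
    if auth_method != "EAP-TLS" or not (on_corp_ssid or nas_type == "vpn"):
        return Decision(False, "Reject", "None", ["log: unsupported auth path"])
    ctx = ENDPOINT_DB.get(mac.upper())
    if ctx is None:
        # No profiling or ownership context yet: least privilege, treat as BYOD.
        return Decision(True, "Employee-BYOD", "Internet Only")
    # MDM context: a jailbroken device is denied, and helpdesk and user are notified.
    if ctx["mdm"].get("jailbroken"):
        return Decision(False, "Quarantine", "None",
                        ["open helpdesk ticket", "send message to device"])
    if ctx["owner"] == "corporate" and ctx["category"] == "Laptop":
        return Decision(True, "Employee-Corporate", "Internet and Intranet")
    return Decision(True, "Employee-BYOD", "Internet Only")
```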
Slide 19
Adaptive Trust Context Sharing
Diagram: employee access; context shared with the firewall; firewall policy adapts to need. Context example:
• Thomas
• Mac OS 10.9.3
• Marketing
• 10.0.1.12
Works with AD, LDAP, ClearPass DB, SQL DB
No agents/clients required
Slide 20
Adaptive Trust Defense based on real-time threat detection
Diagram: LAN/WLAN, Ingress Engine, Third-party Threat Protection (Firewall / IPS **)
1. User connects and uploads threat
2. NGFW/IPS sends event to ClearPass
3. ClearPass isolates client
• Offers enhanced user experience as ClearPass can initiate user notifications, help-desk tickets, and update third-party security solutions
• ** Device in step 2 can be an on-premises MDM/EMM, SIEM, etc.
Slide 21
What Context Can We Share?
Context/Feature Palo Alto Juniper SRX Check Point Fortinet SonicWall Intel MLC
Source IP ✅ ✅ ✅ ✅ ✅ ✅
Username ✅ ✅ ✅ ✅ ✅ ✅
ClearPass Role ✅ ✅ ✅ ✅ ❌ ❌
Domain ✅ ✅ ✅ ❌ ❌ ✅
Device Type ✅ ✅ ✅ ❌ ❌ ❌
Machine OS ✅ ✅ ✅ ❌ ❌ ❌
Machine Name ✅ ✅ ✅ ❌ ❌ ✅
Health/Posture ✅ ✅ ✅ ❌ ❌ ❌
Ingress Event Engine Dictionary ✅ ✅ ✅ ✅ ❌ ❌
Slide 22
Security and Usability Coordination
Diagram: ClearPass (Adaptive Trust Identity) at the centre, drawing on AD/LDAP and EMM/MDM, and pushing out to: Logon to Applications (SSO), Update Firewall, Update Web Proxy / Filter, Update EMM/MDM, AirGroup Permissions, Update Enforcement Device (LAN/WAN/VPN).
Example context:
Who: Bob
Group: Faculty
Device: Personal iPad
Location: Room 104
Time: 9am, Monday
Compliance: Healthy
MAC Address: X
IP Address: Y
Slide 23
Proactive Problem Identification and Resolution
– Use ClearPass to notify/alert helpdesk systems
  – The right teams with the right information
  – As soon as a problem happens
– Not just Syslog/SNMP
  – Email
  – HelpDesk Ticketing Systems
  – SMS/Voice
Slide 24
ClearPass Extensions
Diagram: ClearPass connecting to a Cloud Service and an On-Prem Service.
• Opens doors for new Exchange partnerships
  ▪ Device authorization, MFA, visitor registration, EMM/MDM and more…
• Extends use of existing security and productivity solutions
• Fast, no heavy lifting integration model
Slide 25
Challenges Delivering Guest Access
✗ Everyone expects access – even employees
✗ Often requires staff to assist each guest
✗ Open Network! Little to no security & reporting
Slide 26
Why ClearPass Guest?
• Any industry, any # of guests
• Any device, any network vendor
• Self-service / sponsor / social
• Internet / managed Intranet
• Portal fits phone, laptop, tablet
• Only secure guest app in industry
Slide 27
Customizable Portal Features
✔ Your branding and data fields
✔ Advertising – mobile app, more…
✔ Integration with 3rd party billing & property management systems
✔ Portal per department, location
✔ Social login, MAC cache, QoS
Examples: www.grandarubahotel.com, www.levisstadium.com
Slide 28
Self-service with Sponsor Example
1. New Visitor: visitor information collected by ClearPass Guest
2. Sponsor confirms guest is valid
3. Account enabled, visitor notified via screen, SMS, or email, and the visitor accesses the network
Slide 29
Multi-Factor Authentication
– Vendor Support
  – DUO
  – ZOOM
  – Imageware
  – More to come!
– Captive Portal Login
  – Bring MFA to captive portal logins
  – Leverage built in database or external identity stores
– Onboard Login
  – Support MFA for initial Onboarding
Slide 30
Multi-Factor Authentication (DUO Workflow)
Step 1 – Who are you?
Step 2 – 1st Factor: Something You Have
Step 3 – Request Approval from Known Device
Step 4 – Approve from Known Device
Step 5 – 2nd Factor: Something You Know
Step 6 – Logging in!
Slide 31
Scalable for Any Environment
• Set # of Guests: Standard Guest for Enterprise, EDU
• High Guest Turnover: High Capacity Guest (HCG) for Airports, Arenas, Entertainment Venues
Slide 32
Managing Personal Devices
• Replaced often
• Android, iOS, Windows
• Work & personal use
• Access from anywhere
• User owned
• Who can onboard?
Slide 33
Why ClearPass Onboard?
Self-service workflows
• Automated configuration: network settings and certs
• Can include in MDM/EMM workflows
• Built-in certificate authority (CA): including user and device data
• Add security without increasing IT workload or user frustration
Slide 34
Authentication Using Unique Device Certificates
1. User's device redirected to portal
2. User enters AD credentials to start onboard
3. Automatically places user on proper network segment
Easy | No Passwords | Secure
Slide 35
Authentication Using Unique Device Certificates (continued)
• IT determines who can onboard devices
• Access differentiated by role and device
• Devices not entered into Active Directory
• No need for employees on guest network
Slide 36
Onboard Headless Devices (e.g. non-802.1X, IoT)
Protect your users and devices
Slide 37
Why ClearPass OnGuard?
Endpoint Health
• Check health before network access
• Persistent and dissolvable agents
• Multiple operating systems supported
• Can also be used with BYOD workflows
Slide 38
Automate Device Health Checking
Diagram: ClearPass OnGuard on the access network detects non-compliant devices.
Slide 39
Automate Device Health Checking
Diagram: ClearPass OnGuard detects non-compliant devices and blocks access to network resources across wired, wireless & remote.
Slide 40
Automate Device Health Checking
Diagram: ClearPass OnGuard on the access network: detect non-compliant devices, block access to network resources across wired, wireless & remote, auto-remediate the device.
• Minimizes risk to network
• Allows user self service
Slide 41
ClearPass Reporting Using Insight
– One stop shop for all your reporting needs
– New Inventory dashboard
  – Customizable inventory view of all learned devices
– New custom alerting options and filters
  – Improves the ability for ClearPass to proactively notify admins/users of certain events
– Ability to import/export report templates
  – Allows admins to create any template they want without needing a feature enhancement
– Emailed reports now include the HTML version of the report as well as the raw CSV
Slide 42
Why ClearPass
• Multivendor & 3rd Party integration
• User-experience driven applications
• Scalability and cost advantages
• Business oriented policy services – building blocks, roles, troubleshooting tools
Thank You