
Post on 27-May-2020


Visibility, control and response

Protecting Clients and Unifying Policy

Tomas Muliuolis, Baltics Lead

September 2018

2Sensitivity: Internal

Today’s Escalating Customer Challenges

Advanced attacks and unforeseen threats continue to plague customers

Lack of network and endpoint unified visibility hampers time to detect and remediate

Point solutions add to complexity and overload security IT personnel


Different Network Elements Must Work Together

Real-time sharing of context provides visibility for accurate policy enforcement

Tightly integrated workflows between security protection tools for efficiency and speed

Holistic approach for access control, regardless of location, time, device


INTRODUCING THE ARUBA 360 SECURE FABRIC

Open, Analytics-driven Security for the Mobile, Cloud, and IoT Era

Aruba Mobile First Infrastructure with Aruba Secure Core

Secure Boot | Encryption | DPI | VPN | IPS | Firewall

ClearPass | IntroSpect

Discover, Authorization and Integrated Attack Detection and Response

360º active cyber protection and secure access from the edge, to the core, to the cloud—for any network

Analytics: Supervised and Unsupervised Machine Learning

3rd Party Infrastructure

Aruba 360 Security Exchange

New Version!


ClearPass at a Glance

CONTROL

• Reduce risk and workload through Automation

• All devices are Authenticated or Authorized – NO UNKNOWN DEVICES

RESPONSE

• Adaptive response brokering best of breed security solutions

VISIBILITY

• Know what's connected and connecting in your wired & wireless multivendor environment


ClearPass Policy Manager - What’s Built-in!

Services

- Policy Engine

- 802.1X

- MAC Auth

- Guest

- TACACS+

- Profiling

- Context Database

- +100 RADIUS dictionaries

IT Tools

- Policy Simulation

- Access Tracking

- Template-based policy creation

- LDAP Browser

- Per Session Logs

- Advanced Reporting

- AirGroup Bonjour/DLNA

Security Exchange (3rd Party Integration)

- APIs

- Syslog Feeds

- Extensions

- Ingress Events

Over 100+ Partners


Automated workflows

Enhanced security for BYOD and guests

Rules by user role and device types

Onboard Guest OnGuard

ClearPass Expandable Applications

Now Bundled With Access License


Understanding Connectivity Options

Customers want to manage what devices connect

Only some support .1X supplicants

50% of IoT may be wired

• ClearPass supports any customer Infrastructure and need


OnConnect for Wired Non-RADIUS Enforcement

Aruba ClearPass

SNMP Enforcement

Printer VLAN

Infusion Pump VLAN

Existing 802.1X wired/wireless support

No 802.1X

• Built-in device-centric security for all non-AAA ready customers

• Easy to configure on legacy multivendor switches

• Leverages ClearPass profiling for wired/wireless - IoT, laptops, mobile phones.


Technology Partners

Secure Connections: Authentication Before Access

Aruba ClearPass

Existing 802.1X wired/wireless support

• Multivendor support for all 802.1X ready wired and wireless customers

• Secure encrypted wireless access

• Built-in ClearPass profiling - IoT, laptops, mobile phones

• Easy to use policy creation templates


Comprehensive Profiler Methods

Helps ensure accurate fingerprints

Passive Profiling

– DHCP Fingerprinting (MAC OUI & Certain Options): AOS IF-MAP Interface, DHCP Relay or SPAN

– HTTP User-Agent: AOS IF-MAP Interface, SPAN, Guest and Onboard Workflows

– TCP Fingerprinting (SYN, SYN/ACK): SPAN

– ARP: SPAN

– Cisco Device Sensor

– Netflow/IPFIX/sFlow: Identifies open ports

Active Profiling

– Windows Management Instrumentation (WMI)

– Nmap

– MDM/EMM

– SSH

– ARP Table: SNMP

– MAC/Interface Table: SNMP

– CDP/LLDP Table: SNMP

New!

New!


NEW WAY:

Create your own Fingerprints!

OLD WAY:

Wait for new Fingerprints to be made and/or manually override devices 1:1

Custom Fingerprinting – Solving IoT Issues


Adaptive Policy Using Device Ownership

Enterprise Laptop

Authentication EAP-TLS

SSID CORP-SECURE

BYOD Phone

Authentication EAP-TLS

SSID CORP-SECURE

Internet Only

Internet and Intranet

1. Uses same identity store and EAP type

2. Leverages profiling and owner data

3. No need for separate SSIDs

4. Works at the office and over VPN


ClearPass Exchange Continues to Grow

Infrastructure

MDM / EMM

Network controls using real-time device data

Visibility into location and time with granular controls

Next-Gen Perimeter Defense

SIEM, Automation, MFA

Granular traffic control with user and device data

Visibility and interactive control features

Client Devices

IoT Devices


ClearPass Exchange MDM/EMM Partners

MDM

DEVICE AND APP MANAGEMENT | NETWORK ACCESS

ClearPass Policy Management

Device Wipe

Jailbreak Detection

Push / Control Apps

App Blacklist

Access Visibility

Agentless Onboarding (IT & BYOD)

App Auto Sign-On

Policies Using Device Attributes (Jailbreak Status, Profile etc.)

Access Enforcement (Deny/Allow)

User/Device Roles

Context-Based Policy

ClearPass MDM Connector


ClearPass Exchange MDM/EMM Partners

MDM

DEVICE AND APP MANAGEMENT | NETWORK ACCESS

ClearPass Policy Management

Device Wipe

Jailbreak Detection

Push / Control Apps

App Blacklist

Jail-broken Device Detected

Helpdesk ticket auto generated

Message to device auto generated

1.

2.

3.

ClearPass Denies Access to Device


Adaptive Trust Context Sharing

Firewall policy adapts to need

Context shared

Employee access

• Thomas

• Mac OS 10.9.3

• Marketing

• 10.0.1.12

Works with AD, LDAP, ClearPass dB, SQL dB

No agents/clients required


Adaptive Trust Defense based on real-time threat detection

** Firewall / IPS

LAN/WLAN

1. User connects and uploads threat

2. NGFW/IPS sends event to ClearPass

3. ClearPass isolates client

• Offers enhanced user experience as ClearPass can initiate user notifications, help-desk tickets, and update third-party security solutions

• ** Device in step 2 can be an on-premises MDM/EMM, SIEM, etc.

Ingress Engine Third-party Threat Protection


What Context Can We Share?

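| Context/Feature | Palo Alto | Juniper SRX | Check Point | Fortinet | SonicWall | Intel MLC |
|---|---|---|---|---|---|---|
| Source IP | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Username | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| ClearPass Role | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Domain | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ |
| Device Type | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Machine OS | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Machine Name | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ |
| Health/Posture | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Ingress Event Engine Dictionary | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |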


Logon to Applications (SSO)

Update Firewall

Update Web Proxy / Filter

Update EMM/MDM

Security and Usability Coordination

AD/LDAP

EMM/MDM

Who: Bob

Group: Faculty

Device: Personal iPad

Location: Room 104

Time: 9am, Monday

Compliance: Healthy

Mac Address: X

IP Address: Y

Airgroup Permissions

Update Enforcement Device (LAN/WAN/VPN)

Adaptive Trust Identity

ClearPass


Proactive Problem Identification and Resolution

– Use ClearPass to notify/alert helpdesk systems

    – The right teams with the right information

    – As soon as a problem happens

– Not just Syslog/SNMP

    – Email

    – HelpDesk Ticketing Systems

    – SMS/Voice


• Opens doors for new Exchange partnerships

    ▪ Device authorization, MFA, visitor registration, EMM/MDM and more…

• Extends use of existing security, productivity solutions

• Fast, no heavy lifting integration model.

ClearPass Extensions

ClearPass

Cloud Service On-Prem Service


Challenges Delivering Guest Access

Everyone expects access – even employees

Often requires staff to assist each guest

Open Network! Little to no security & reporting


Why ClearPass Guest?

Any industry, any # of guests

Any device, any network vendor

Self-service / sponsor / social

Internet / managed Intranet

Portal fits phone, laptop, tablet

Only secure guest app in industry


Customizable Portal Features

✔ Your branding and data fields

✔ Advertising – mobile app, more…

✔ Integration with 3rd party billing & property management systems

✔ Portal per department, location

✔ Social login, MAC cache, QoS

www.grandarubahotel.com

www.levisstadium.com


Access Network

Sponsor confirms guest is valid

ClearPass Guest

Account enabled, visitor notified via screen, SMS, or email

Visitor information collected

New Visitor

Sponsor

1 2 3

Self-service with Sponsor Example


Multi-Factor Authentication

– Vendor Support

    – DUO

    – ZOOM

    – Imageware

    – More to come!

– Captive Portal Login

    – Bring MFA to captive portal logins

    – Leverage built in database or external identity stores

– Onboard Login

    – Support MFA for initial Onboarding


Multi-Factor Authentication (DUO Workflow)

Step 1 – Who are you?

Step 2 – 1st Factor: Something You Have

Step 3 – Request Approval from Known Device

Step 4 – Approve from Known Device

Step 5 – 2nd Factor: Something You Know

Step 6 – Logging in!


Set # of Guests: Standard Guest for Enterprise, EDU

High Guest Turnover: High Capacity Guest (HCG) for Airports, Arenas, Entertainment Venues

Scalable for Any Environment


Replaced often

Android, iOS, Windows

Work & personal use

Access from anywhere

User owned

Who can onboard?

Managing Personal Devices


Why ClearPass Onboard?

Self-service workflows

• Automated configuration: Network settings and certs

• Can include in MDM/EMM workflows

• Built-in certificate authority (CA): Including user and device data

• Add security without increasing IT workload or user frustration


Authentication Using Unique Device Certificates

1. User’s device redirected to portal

2. User enters AD credentials to start onboard

3. Automatically places user on proper network segment

Doctor

Easy | No Passwords | Secure

Enter the password for “Acme-net”

75%

• IT determines who can onboard devices

• Access differentiated by role and device

• Devices not entered into active directory

• No need for employees on guest network


Onboard Headless Devices (e.g. non-802.1X, IoT)

Protect your users and devices


• Check health before network access

• Persistent and dissolvable agents

• Multiple operating systems supported

Endpoint Health

• Can also be used with BYOD workflows

Why ClearPass OnGuard?


Block access to network resources across wired, wireless & remote

Minimizes risk to network

Allows user self service

ClearPass OnGuard

Access Network

Detect non-compliant devices

Auto-remediate the device

Automate Device Health Checking


ClearPass Reporting Using Insight

– One stop shop for all your reporting needs

– New Inventory dashboard

    – Customizable inventory view of all learned devices

– New custom alerting options and filters

    – Improves the ability for ClearPass to proactively notify admins/users of certain events

– Ability to import/export report templates

    – Allows admins to create any template they want without needing a feature enhancement.

– Emailed reports now include the HTML version of the report as well as the raw CSV


Multivendor & 3rd Party integration

User-experience driven applications

Scalability and cost advantages

Business oriented policy services – building blocks, roles, troubleshooting tools

Why ClearPass

Thank You
