Network Access Control

Transcription

1 Network Access Control It is about saying YES! to BYOD but staying on control Jan Michael de Kok Sales Engineering Manager Caribbean & Central America

2 Realities of Smart Devices, Like It Or Not A new device launches on Thursday Joe the VP will buy one on Friday or over the weekend He ll want to use it on the company network on Monday And you still have to come to work on Monday 2011 Avaya Inc. All rights reserved. 2

3 And It s Not Just the Executives 2011 Avaya Inc. All rights reserved. 3

4 Anyone here still with a flip phone? Android apps iphone apps Tablets in 2012 Smartphones Social Media Users TIME s Person of the Year: YOU Tablet market $45B by 2014 Yankee % Enterprise users interested in or using consumer applications Yankee 2011 Smartphone app revenue to triple by 2014 Yankee Avaya Inc. All rights reserved. 4

5 Is Bring Your Own Device (BYOD) a Risk or Reward? Risk Security Increased risk of financial and information exposure Guest access IT Compliance Who gets on? To do what? To go where? Network Capacity and QoS Multiple devices, high bandwidth and prioritisation Higher OPEX Supporting myriad of devices can be more complex Reward Reduced CAPEX Employer does not have to pay for device Increased Employee and Business Partner Productivity Using latest and greatest devices they are familiar with Devices they WANT to use True mobility 2011 Avaya Inc. All rights reserved. 5

6 It is not About Saying No!! It is about saying YES! but staying on control NO you cannot bring your ipad NO you cannot connect outdoor NO you cannot bring your fancy laptop NO you cannot do video conferencing YES bring your own ipad YES you are welcome to do mobile collaboration YES you are welcome to use virtual desktop YES you are welcome to use Wifi VOIP 2011 Avaya Inc. All rights reserved. 6

7 Network Security Background Perimeter firewall: a cat-and-mouse game between attackers and defensive enforcers Security devices began first as specific software products, later became appliances, and finally were embedded in the network infrastructure. Today, firewall, intrusion detection, and VPN can all be found embedded within a router, Ethernet switch, or other network device. The emergence of mobility paired with a diversity of endpoint devices that allow network access have created an environment where simply looking deep into a packet is no longer sufficient Authenticated Network Architecture introduces a single new element to existing security designs: the authentication and authorization of all network users, regardless of their connection method Avaya Inc. All rights reserved. 7

8 Network Security Background ( cont) Authenticated Network Architecture Network security has been evolving since its inception. What was a good idea two years ago is still likely a good idea today, with minor variations based on the evolving threats and business requirements. However, we are currently at an inflection point in the use of network-based security controls. Where as previous designs focused almost exclusively on static policies, filter rules, and enforcement controls, A newer approach has emerged that promises much more dynamic options to address the increased mobility and diversity of today s network users. Authenticated Network Architecture (ANA), is based on the notion of authentication of all users on a network and the association of each user with a particular set of network entitlements 2011 Avaya Inc. All rights reserved. 8

9 Authenticated Network Architecture Today s Threat and Regulatory Reality Mobility Traditional firewalls, which use IP addresses almost exclusively for rules, cannot make any intelligent identification of users. Contractors and Guests The notion that all users on a LAN are equal is quite outmoded. Regulations: Whether it be Sarbanes-Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA), Gramm- Leach-Bliley Act (GLBA), Payment Card Industry Security Standards Council (PCI), Digital Millennium Copyright Act (DMCA), Communications Assistance for Law Enforcement Act (CALEA), or Federal Information Security Management Act (FISMA), chances are there is an acronym (or more) that spells out security guidelines and restrictions you must impose on your organization and your network 2011 Avaya Inc. All rights reserved. 9

10 Authenticated Network Architecture Cost of Change vs. Operations Cost Reduction Enterprise Network IP Phone Visitor or Business Partner Personal Machine Corporate Desktop Network Printer Network Device Wireless Access Point Surveillance Camera Fax Machine Medical Device Local Server/App Guests & Guest Devices Several type of users, devices and policies Each wired or wireless access port is not assigned until a user/device attempts access. At that point it is given the appropriate level of access. Direct annual TCO savings just by avoiding simple VLAN changes. Indirect TCO saving just by avoiding network outages following manual configuration changes Avaya Inc. All rights reserved. 10

11 NETWORK ABSTRACTION LAYER DIRECTORY ABSTRACTION LAYER Example of a Authenticated Network Architecture Avaya Identity Engine as a Network Access Control Policy Enforcement Point Policy Decision Point Policy Information Point Guest Access Mgmt Posture Assessment Reporting & Analytics Access Portal CASE Client Identity Engines 2011 Avaya Inc. All rights reserved. 11

12 What is Network Access Control (NAC) Ensures consistent and predictable network access for managed and unmanaged devices Controls who can use the network to access which resources, when and where they may do so Supports any device, any network, any vendor Centralized, out-of-line solution for maximum scalability and cost effectiveness Automated, standards-based Software-only, highly available Facilitates regulatory compliance 2011 Avaya Inc. All rights reserved. 12

13 Why Employ NAC? Corporate Governance Do world class companies try to exceed customer expectations? Regulatory Compliance Do you have a legal / regulatory obligation to uphold (ex. HIPAA, SOX, PCI)? Operations Cost Reduction Do you have to choose between leaving your network wide open or investing excessively in network operations to deal with all the change requests? Do you have employees bringing in their own personal devices now with expectations of accessing the network? Network Analytics How well do you know your network? What type of asset logs on the most? When do peak logons occur? How much are ipads/tablets growing on your network? Identity Aware Networking is NOT ABOUT keeping people off the network Identity Aware Networking is ABOUT giving appropriate level of access as safely and as efficiently as possible 2011 Avaya Inc. All rights reserved. 13

14 Operations Cost Reduction Network Access Control is not necessarily always about security it can be used to improve operational effectiveness. If you have more than 1 VLAN you have probably had to respond to change requests to move a device from port to port or VLAN to VLAN. A Network Access Control can do that for you! 2011 Avaya Inc. All rights reserved. 15

15 Example of Network Access Control Identity Engines Role-based Access Case 1 Employee with corporate laptop IF (identity = HR employee) AND IF (device = corp laptop) AND IF (medium = wired) THEN GRANT FULL ACCESS IF (identity = HR employee) Case 2 Employee with personal ipad (same corporate credentials) AND IF (device = personal ipad) AND IF (medium = wireless) THEN GRANT LIMITED ACCESS 2011 Avaya Inc. All rights reserved. 16

16 Which solution where and why? Access Control UC/SIP Security Mobile Device Management Wireless LAN Authenticates & authorizes network access of users and any network attached device (IP phones, medical devices, user devices, printers etc). Dynamically provisions the network to contain the access of users and the network attached devices Secures remote and mobile SIP devices and applications Controls access of UC applications (NOT network access of users/devices) VPN-less access option for mobile devices MDM manages which applications should /should not be on user handheld devices, password management, patch and software management. MDM does NOT control nor provision the network for access, is more like a corporate shield Enables wireless network access and campus roaming Best Solutions are Best Solutions are Best Solutions offer Best Solutions are 1. Simple to use 2. Intuitive, powerful policy engine 3. Vendor agnostic 1. Capable of Enabling personal & enterprise use on a single device by securing SIP apps 2. Ease of use 1. Interoperability 2. Pre-validated solution 1. Industry Leading not only Data, but Voice and Video over Wi-Fi 2. High Scalable 3. Part of a Unique Unified Architecture 2011 Avaya Inc. All rights reserved. 17

17 Is My Company Ready For The BYOD Trend? Ask yourself 1. Start with Do I allow Guest Access on your Network? 2. Follow with Have I considered the implications of BYOD on your network? Use Identity Engines as the wedge Controls who gets on, to go where, to do what Once devices on-boarded, expand discussion into wireless Can my WLAN support mobile growth? Offer QoS for video and voice over Wi-Fi? 3. Can I quantify the TCO of not having a Network Access Control? 2011 Avaya Inc. All rights reserved. 18

18 Best Practices Open-Standards / Multiple Device Support: Works with ANY vendor regardless of make, model or version. Standard-based: RADIUS, 802.1x, Non-EAP Out-of-Path: Look for a solution that does not require the deployment of devices in path to ensure access control. In-path solutions become a choke point. Don t accept solutions that use span/mirroring ports or a L3 route to enable access control Granular Policies: Policies should support re-usable attributes as well as multiple group enumeration after all, security is about exceptions Virtualized with Central Authentication: To keep costs down, the solution should take advantages of virtual technology and provide a centralized policy inspection point Distributed Enforcement: Enforcement should be done out at the edge where the user/device is connecting Look for vendors that: Can offer an end to end BYOD solution AND are pretested - guaranteed to work as promised. Offer best quality of experience for Data/UC/Video AND are Vendor agnostic 2011 Avaya Inc. All rights reserved. 19

19