DELIVERING SECURE ELASTIC NETWORKS

Transcription

1 DELIVERING SECURE ELASTIC NETWORKS Shmulik Contact vcard Shmulik Nehama Identity Engines Portfolio Leader Avaya Networking 1

2 Thank you Sponsors! Global Sponsors Gold Sponsors Silver Sponsors

3 Join the #AvayaATF

4 SECURE ELASTIC NETWORKS OPTIMIZING END USER & IT EXPERIENCES NETWORK FLEXIBILITY Elastic Networks Fast, Automation & Security with Identity Engines USER & IT EXPERIENCE NETWORK SECURITY Control WHO gets access, from WHERE, and with WHAT NETWORK SIMPLICITY Automate BYOD and IOT onboarding Avaya Fabric Networking Delivers the Architecture, Capacity & Control to Optimize the IT and End User Experiences 2016 Avaya Inc. All right reserved 4

5 CUSTOMER NETWORK EDGE CHALLENGES INFLEXIBILITY Traditional Networking Complex & Inflexible Time consuming and error prone to enable new services Many complex protocols to manage Lacks end to end virtualization and security Long Convergence Times Unable to support Internet of Things Services Manual network provisioning for the access & core 2016 Avaya Inc. All right reserved 5

6 CUSTOMER NETWORK EDGE CHALLENGES SECURITY RISKS FROM TO Corporate Computer Corporate Computer Personal Phone Personal Tablet Significant Growth in Mobile Devices & Applications Business & Personal Applications Becoming Intermixed 2016 Avaya Inc. All right reserved 6

7 CUSTOMER NETWORK EDGE CHALLENGES SECURITY RISKS Increasing global security concerns BYOD is here to stay!! Mandates the need to protect IT infrastructure However, it is also imperative to provide Great IT Experience Great User experience Network Completely Open Network Completely Locked Policy-based Access 2016 Avaya Inc. All right reserved 7

8 CUSTOMER NETWORK EDGE CHALLENGES COMPLEXITY FROM TO 2016 Avaya Inc. All right reserved 8

9 CUSTOMER NETWORK EDGE CHALLENGES COMPLEXITY Billions Billions of IOT devices by 2020 Wired and Wireless Network of Everything (wired and wireless) Badge Scanners Smart Signs Smart Lights (POE-based) Medical Devices Ceiling Fans IP Cameras IP Phones Printers With so many network attached devices, the need for Edge Automation is greater than ever 2016 Avaya Inc. All right reserved 9

10 IDENTITY ENGINES QUICK BASICS Vendor Agnostic Any Network Vendor Any User Any Device Wired & Wireless Unified Access Centralized Policy Directory Federation All major directory servers MDM AirWatch, Citrix Identity Routing Virtual Mapping Guest Access Self-service Sponsor / Front Desk Audit logs Virtual Appliance Software-based solution VMware ESXi BYOD Device On-boarding Device Fingerprinting non-802.1x access 2016 Avaya Inc. All right reserved 10

11 IDENTITY ENGINES SECURE ACCESS, INTERNET OF THINGS, ANALYTICS IF (identity = HR employee) AND IF (device = corp laptop) AND IF (medium = wired) THEN GRANT CORPORATE ACCESS IF (device = MDM enrolled) AND IF (device = has pin-lock) AND IF (device = is not Jail-broken) THEN GRANT CORPORATE ACCESS IF (identity = HR employee) AND IF (device = personal ipad) AND IF (medium = wireless) THEN GRANT LIMITED ACCESS IF (device = Vending Machine) OR (device = POE Lighting) AND IF (building = main campus) THEN GRANT NETWORK SERVICE 2016 Avaya Inc. All right reserved 11

12 IDENTITY ENGINES IDENTITY & POLICY BASED ACCESS Advanced Policy Engine Based on firewall concepts High Availability Active-Active Active-Standby Not inline 2016 Avaya Inc. All right reserved 12

13 SECURE ELASTIC NETWORKS OPTIMIZING END USER & IT EXPERIENCES NETWORK FLEXIBILITY Elastic Networks Fast, Automation & Security with Identity Engines USER & IT EXPERIENCE NETWORK SECURITY Control WHO gets access, from WHERE, and with WHAT NETWORK SIMPLICITY Automate BYOD and IOT onboarding Avaya Fabric Networking Delivers the Architecture, Capacity & Control to Optimize the IT and End User Experiences 2016 Avaya Inc. All right reserved 13

14 TRADITIONAL VS. FABRIC NETWORKING COMPLEX & INFLEXIBLE VS. SIMPLE & FLEXIBLE Time consuming and error prone to enable new services Many complex protocols to manage Lacks end to end virtualization and security Long Convergence Times Unable to support Internet of Things Services Manual network provisioning for the access & core Traditional Networking Complex & Inflexible Fabric Networking Simple & Flexible Unified network fabric no wireless overlay with disparate capabilities Reduced risk provision endpoint only not hop by hop Improved network control single protocol and FIB Increased performance no controller bottleneck Reduced latency no controller looping of traffic Improved resiliency no single point of controller failure Enhanced security Secure Elastic Network Enabled BYOD Identity Engines 2016 Avaya Inc. All right reserved 14

15 ELASTIC NETWORKS WITH FABRIC ATTACH SIMPLE & FLEXIBLE WITH IDENTITY ENGINES Fabric Attach allows automated network attachment with or without Fabric Connect. Fabric Attach Elements: FA Server An SPB switch at the Fabric edge running an FA agent in FA Server mode. FA Server creates ISID/VLAN bindings based FA Signaling. FA Proxy A non-spb switch at the network edge (wiring closet) running an FA agent in FA Proxy mode. FA Proxy supports directly attached users, end devices and FA Clients. FA Proxy supports FA Signaling with FA Server and FA Clients. FA Client - A network attached end device running an FA agent in FA Client mode. FA Client can be Avaya WLAN 9100 APs, ONA, Hypervisors supporting FA Client on Open vswitch, or other future planned 3 rd party devices. FA Policy Server Avaya Identity Engines network access policy server fully automates Fabric Attach. FA-Client(s) FA Signaling FA-Proxy FA Signaling FA-Server Fabric Connect Fabric Attach DHCP WOS Avaya Fabric Connect FA-Policy Server Devices (non-fa endpoints) FA Policy Signalling FA Policy Signalling FA Signaling - Protocol that leverages standard extension of network protocols to exchange msgs and data between FA Elements to orchestrate network automation Avaya Inc. All right reserved 15

16 ELASTIC NETWORKS WITH FABRIC ATTACH FA ELEMNT MODEL & FA SIGNALING Fabric Attach elements are FA agent roles in devices Below are all the FA elements required to create a Fabric Attach solution with the supported element interconnections (tiers). Adhere to this FA architectural model when designing FA solutions end to end with an SPB Fabric Connect Core. SPB Device Non-SPB Device Non-SPB Device SPB Fabric FA Server (BEB) FA Proxy FA Client FA Client SPBM LLDP Control plane I-SID VLAN Services Data plane FA TLV Element Type TLV Type [127] TLV Length [50 octets] Avaya OUI [ D] Subtype [11] HMAC-SHA256 Digest Element Type State Mgmt VLAN Reserved System ID 7 bits 9 bits 3 octets 1 octet 32 octets 6 bits 6 bits 12 bits 1 octet 10 octets FA Client - Access Point (6) Data integrity and source validation FA Client - Switch (8) using HMAC-HA256 FA Client - IP Phone (10) FA Client MAC address Symmetric private keys are used for FA Client - IP Camera (11) of the network interface digest generation FA Client - IP Video (12) 2016 Avaya Inc. All right reserved FA Client - Virtual Switch (14) 16

17 ELASTIC NETWORKS WITH FABRIC ATTACH FA ELEMNT MODEL & FA SIGNALING Fabric Attach elements are FA agent roles in devices Below are all the FA elements required to create a Fabric Attach solution with the supported element interconnections (tiers). Adhere to this FA architectural model when designing FA solutions end to end with an SPB Fabric Connect Core. SPB Device Non-SPB Device Non-SPB Device SPB Fabric FA Server (BEB) FA Proxy FA Client FA Client SPBM LLDP Control plane I-SID VLAN Services Data plane FA TLV VLAN-SID Assignment TLV Type [127] TLV Length octets Avaya OUI [ D] Subtype [12] HMAC-SHA256 Digest Assignment Status 7 bits 9 bits 3 octets 1 octet 32 octets 4 bits 12 bits 3 octets VLAN ISID Assignment status data returned by the FA Server for Data integrity and source validation each pending ISID/VLAN assignment. Requested VLAN Example of potential values: using HMAC-HA256 Requested ISID to have VLAN Assignment accepted (2) Symmetric private keys are used for Rejection: Duplicate data (5) traffic mapped to on the FA digest generation 2016 Avaya Inc. All right reserved Rejection: VLAN invalid (6) Server switch Rejection: VLAN resources unavailable (8) 17

18 ELASTIC NETWORKS WITH FABRIC ATTACH IDENTITY ENGINES FA POLICY SERVER IDE as Fabric Attach Policy Server IDE can be added as a centralized Policy engine to fully automate the attachement of Non-FA devices & certain FA Clients (such as WLAN 9100 APs). End users and devices that support 802.1X/EAP supplicant/client functions can connect to FA Proxy or FA Server switches, and can be authenticated & attached to specific VLANs and I-SIDs according to IDE Policy rules. SPB Fabric FA Policy Server (IDE) VSP - Fabric edge (switch cluster) FA Server (BEB) vist FA Server (BEB) ERS - Access (wiring closet) FA Proxy OVS / 3 rd Party FA Client ONA FA Client WLAN AP FA Client End devices/users Wired IoT device Non-FA device Laptop/tablet/Smartphone Non-FA device IP Phone/PC/Printer/Camera Non-FA device PC/Server Non-FA device Switch (ERS3510) Non-FA device Non-FA devices can be connected to a switch enabled with Fabric Attach services. However, FA signaling on the FA Server or FA Proxy switch downstream port(s) must be disabled (IE: server/host, or additional ERS off an FA Proxy) Avaya Inc. All right reserved 18

19 ELASTIC NETWORKS WITH FABRIC ATTACH FA POLICY SERVER USERS / DEVICES WITH SPB Adding Identity Engines fully automates provisioning of ISIDs/VLANs and port memberships Automated example Users and end (EAP) devices (MAC/MEAP/FA) are authenticated by IDE and placed in automatically provisioned VLAN/I-SID based on Policy SPB Fabric FA Server VSP4/7/8K vist FA Proxy ERS4800 / 5900 (Wiring Closet) End Users or IOT Devices Alternate vist path FA Policy Server Identity Engines Fabric Attach Management VSN (I-SID) Data VSN (I-SID) Voice VSN (I-SID) VLAN MGMT VLAN 10 VLAN 20 Authenticated users/devices placed in Data VSN Authenticated voice devices placed in Voice VSN On successful authentication of user or device, IDE sends VLAN/ISID mapping to FA Proxy which dynamically creates the VLAN, adds port membership for user/device, uplink port, and also sends request to FA Server to create VLAN/ISID mapping Avaya Inc. All right reserved 19

20 ELASTIC NETWORKS WITH FABRIC ATTACH FA POLICY SERVER USERS / DEVICES WITH SPB FA Policy for IOT Device (non-fa Client) Example of policy for Employees and Contractors 2016 Avaya Inc. All right reserved 20

21 ELASTIC NETWORKS WITH FABRIC ATTACH IDENTITY ENGINES ATTACHING WLAN 9100 AP IDE is used to securely authenticate attachment of new WLAN 9100 series AP s to an FA enabled network. Automated Plug-in AP 9100, IDE authenticates AP, and signals to FA Proxy what VLANs to provision for AP based on policy in IDE. WOS SPB Fabric Alternate vist path FA Server VSP4/7/8K vist FA Proxy ERS4800 / 5900 (Wiring Closet) FA Client AP 9100 End Users or IOT Devices FA Policy Server Identity Engines Fabric Attach Management VSN (I-SID) Data VSN (I-SID) VLAN MGMT VLAN 10 Authenticated users/devices placed in Data VSN Guest VSN (I-SID) VLAN 50 Authenticated users/devices placed in Guest VSN 2016 Avaya Inc. All right reserved 21

22 ELASTIC NETWORKS WITH FABRIC ATTACH IDENTITY ENGINES ATTACHING WLAN 9100 AP FA Client AP 9100 connects to FA Proxy Standalone switch FA Client AP 9100 communicates via FA Signaling with the FA Proxy Standalone switch FA Proxy Standalone discovers and authenticates the FA Client AP 9100 against FA Policy Identity Engines Simple Authentication Secure Authentication FA Policy authorizes AP 9100 with Auto Create VLAN VLAN:ISID pairs PVID AP 9100 obtains DHCP IP AP 9100 discovers WOS AP 9100 registers & downloads profile AP 9100 ready for wireless clients WOS AP Discovery AP Profile FA Signaling DHCP Request DNS Lookup Avaya-WOS FA Policy Ignition Server Authentication Authorization Auto Create VLAN VLAN:ISID pairs PVID FA Proxy Standalone FA Client WLAN AP Avaya Inc. All right reserved 22

23 ELASTIC NETWORKS WITH FABRIC ATTACH IDENTITY ENGINES ATTACHING WLAN 9100 AP FA Policy for FA Client AP 9100 Traditional FA Policy for FA Client AP 9100 Secure 2016 Avaya Inc. All right reserved 23

24 ELASTIC NETWORKS WITH FABRIC ATTACH IDENTITY ENGINES ATTACHING WLAN 9100 AP FA Policy for FA Client AP 9100 Traditional FA Policy for FA Client AP 9100 Secure 2016 Avaya Inc. All right reserved 24

25 ELASTIC NETWORKS WITH FABRIC ATTACH IDENTITY ENGINES FA POLICY TEMPLATES 2016 Avaya Inc. All right reserved 25

26 ELASTIC NETWORKS WITH FABRIC ATTACH IDENTITY ENGINES FA CLIENTS INVENTORY FA Client automated fingerprinting On successful authentication the FA Client device is seen in the FA Client Devices inventory table. Click on Last Seen Authenticator to find out the last switch and location of the FA Client 2016 Avaya Inc. All right reserved 26

27 ELASTIC NETWORKS WITH FABRIC ATTACH IDENTITY ENGINES FA CLIENTS MONITORING The Device Name, Device Type and Subtype are also seen in RADIUS AAA Summary Avaya Inc. All right reserved 27

28 SECURE ELASTIC NETWORKS OPTIMIZING END USER & IT EXPERIENCES NETWORK FLEXIBILITY Elastic Networks Fast, Automation & Security with Identity Engines USER & IT EXPERIENCE NETWORK SECURITY Control WHO gets access, from WHERE, and with WHAT NETWORK SIMPLICITY Automate BYOD and IOT onboarding Avaya Fabric Networking Delivers the Architecture, Capacity & Control to Optimize the IT and End User Experiences 2016 Avaya Inc. All right reserved 28

29 ENTERPRISE MOBILE DEVICE MANAGEMENT SECURING BYOD DEVICES Challenges Associated with Mobility Jail-broken / Rooted device Fragmented OS Unwanted / Wanted Apps Personal / Corporate device Regulatory Compliance Data Containerization Encryption / Passcode HIPPA Access Policy MDM 2016 Avaya Inc. All right reserved 29

30 ENTERPRISE MOBILE DEVICE MANAGEMENT SECURING BYOD DEVICES a User access requests Mobile Devices b Identity Engines RADIUS 3 Fed to PE Database Policy Engine Device sync-up 2 REST APIs 1 Device enrollment MDM Cloud-service / MDM On-premise Server 2016 Avaya Inc. All right reserved 30

31 ACCESS PORTAL EXTERNAL LOGIN EXTERNAL LOGIN FOR WLAN 9100 BENEFITS Device Onboarding with Access Portal Access Portal can now act as an external Captive Portal for WLAN 9100 BYOD onboarding redirect from WLAN 9100 Users get Authenticated and Fingerprinted Works over L2 and L3 network Highly customizable Login Page Highly customizable Success Page Post authentication, user traffic will be out-of-band the Access Portal and in line with WLAN AP Avaya Inc. All right reserved 31

32 ACCESS PORTAL EXTERNAL LOGIN EXTERNAL LOGIN FOR WLAN 9100 HOW IT WORKS? Ignition Server User Devices AP 9100 Access Portal 2016 Avaya Inc. All right reserved 32

33 ACCESS PORTAL SOCIAL MEDIA LOGIN SOCIAL MEDIA LOGIN FOR WLAN 9100 BENEFITS Guest Access with Social Media Login Benefits of Access Portal Social Media Login for WLAN 9100 BYOD onboarding redirect from WLAN 9100 Users get Authenticated and Fingerprinted Works over L2 and L3 network Highly customizable Login Page Highly customizable Success Page No need for user / front desk to create guest account Feed for Analytics Social Media login requires user consent Basic user information retrieved from Social Media site Plans to feed Analytics with Social Media user attributes Post authentication, user traffic will be out-of-band the Access Portal and in line with WLAN AP Avaya Inc. All right reserved 33

34 ACCESS PORTAL SOCIAL MEDIA LOGIN SOCIAL MEDIA LOGIN FOR WLAN 9100 HOW IT WORKS? 2016 Avaya Inc. All right reserved 34

35 ACCESS PORTAL ADDITIONAL ENHANCEMENTS Lightspeed Integration Standard-based feed to Security Gateways for Content Filtering Override NATing Configurable as separate RADIUS Accounting server User Custom VSA Obtain user input prior to granting access Use case example Schedule for Backups Consistent with Ignition Server and Guest Manager Recurring configurable schedule Example of customized login Maintenance networks are segregated Contractor arrives onsite to perform maintenance work Contractor selects the network needed for access Identity Engines confirms access rights and grants appropriate access 2016 Avaya Inc. All right reserved 35

36 SECURE ELASTIC NETWORKS OPTIMIZING END USER & IT EXPERIENCES NETWORK FLEXIBILITY Elastic Networks Fast, Automation & Security with Identity Engines USER & IT EXPERIENCE NETWORK SECURITY Control WHO gets access, from WHERE, and with WHAT NETWORK SIMPLICITY Automate BYOD and IOT onboarding Avaya Fabric Networking Delivers the Architecture, Capacity & Control to Optimize the IT and End User Experiences 2016 Avaya Inc. All right reserved 36

37 SIMPLIFYING DEVICE ONBOARDING IDENTITY ENGINES SMARTPHONE APP User can use QR code scanner to auto populate MAC address and device name. QR code scanner can only parse Avaya supported QR code format. QR Code Format for ONA with example data: SERIAL:X A2A0 MAC:48:C0:93:00:A2:00 MACNUM:16 PEC:EC E6 MAN:AVAYA MOD:ONA 1101GT REV: Avaya Inc. All right reserved 37

38 SIMPLIFYING DEVICE ONBOARDING IDENTITY ENGINES SMARTPHONE APP WLAN 9100 APs ship with QR code label 2016 Avaya Inc. All right reserved 38

39 SIMPLIFYING DEVICE ONBOARDING API FOR PROGRAMMATIC PROVISIONING INTO IDE APIs APIs APIs APIs APIs Fetching Provisioning Fetching Devices iteratively or Fetching devices with filter Bulk Delete of Guest Close Cursor Id groups for a Provisioner a Provisioner and without details Users for a Provisioner Fetching Provisioning Group details for Group Name GET Cursor Id of device API to query the status of single device Device Registration GET next N devices API to query the status of multiple devices Fetching Guest User details by username for a Provisioner Fetching Guest Users iteratively for a Provisioner Fetching Guest User with filter Fetching Guest Users with filter and without details Update a device GET first N devices Guest User Registration GET Cursor Id API to query the status of single user Delete a device GET last N devices Re-send Credentials through /SMS to Guest User by Username Deleting multiple Devices GET count of total available Update a Guest User device records GET next N Guest Users GET first N Guest Users API to query the status of multiple users Bulk Delete of devices for a Provisioner Close Cursor Id Delete a Guest User GET last N Guest Users Fetching Device details by MAC for a Provisioner Fetching devices with filter Deleting multiple Guest Users GET count of total available Guest Users Records 2016 Avaya Inc. All right reserved 39 Note: Authorization Scheme : Basic (Base64 Encryption)

40 SIMPLIFYING DEVICE ONBOARDING TWO CLICKS TO ADD DEVICE Network attached device attempts access Users right click on log record to add device to local DB Available from Succeeded & Failed Authentications In addition, edit a device directly 2016 Avaya Inc. All right reserved 40

41 SIMPLIFYING DEVICE ONBOARDING ONBOARD IOT/BYOD DEVICE BASED ON ACCESS POLICY NEW on POR NEW CONCEPT: Access Policy Actions Register Device Add device to IDE local store automatically based on a Access Policy rule Use case example: MAC Learning, more Assign Group(s) Assign a group or groups to a device based on an Access Policy rule Use case example: MAC Learning, BYOD Onboarding, more Trigger COA Disconnect Disconnect device based on a Access Policy rule Use case example: BYOD Onboarding, more Alert Send alert based on a Access Policy rule Use case example: Send alert when device that belongs to STOLEN group attempts to access the network 2016 Avaya Inc. All right reserved 41

42 SMART HEALTHCARE IOT FOR WIRELESS SOLUTION OVERVIEW Easy onboarding & tracking of medical devices and smart traffic tunneling to Central Medical Application Challenges & Benefits addressed Mobility of patient monitors & imaging devices Currently constrained due to manual reconfiguration of network Tracking of medical devices usage, their location & IT compliance Secure traffic segmentation of clinical data and one-hop transport from care-giving area to central application in data center Example: patient vital data, EHS records, imaging Solution Summary Easy & safe on-boarding of WiFi patient monitor (or simulator) into Avaya WLAN 9100 WiFi + ERS 4800/5900 edge network o Fabric Attach based auto onboarding of WLAN 9100 o QR-Code based auto onboarding of medical device using Identity Engines IDR mobile App Smart traffic segmentation & diversion directly into central medical application server (HMS) o Dynamic GRE tunnel from AP into IGT VM running adjacent to central medical application (imaging, EHR, HMS, etc.) 2016 Avaya Inc. All right reserved 42

43 SMART HEALTHCARE IOT FOR WIRELESS ARCHITECTURE 2016 Avaya Inc. All right reserved 43

44 SMART CLASSROOM & SAFE-SCHOOL SOLUTION ARCHITECTURE Automatic Class Attendance Dynamic control of in-class application access Detect Students in unsafe Locations & Auto-alert 2016 Avaya Inc. All right reserved 44

45 SIMPLIFYING DEVICE ONBOARDING ONBOARD IOT/BYOD DEVICE BASED ON ACCESS POLICY NEW on POR Access Policy Actions available from: User Authorization Policy (including Failed Authentication) Mac Authorization Policy (including Failed Authentication) 2016 Avaya Inc. All right reserved 45

46 SECURE ELASTIC NETWORKS OPTIMIZING END USER & IT EXPERIENCES NETWORK FLEXIBILITY Elastic Networks Fast, Automation & Security with Identity Engines USER & IT EXPERIENCE NETWORK SECURITY Control WHO gets access, from WHERE, and with WHAT NETWORK SIMPLICITY Automate BYOD and IOT onboarding Avaya Fabric Networking Delivers the Architecture, Capacity & Control to Optimize the IT and End User Experiences 2016 Avaya Inc. All right reserved 46

47 Visit Our Smart City Expo Hours Monday, April 4 Tuesday, April 5 Wednesday, April 6 Thursday, April 7 6:30pm 9:00pm 7:00am 8:30am 7:00am 8:30am 7:00am 8:30am 12:15pm 1:30pm 12:15pm 1:30pm (Expo closes after breakfast) 6:00pm 8:00pm

48 Complete your survey at the end of the session in the Mobile App

49 2016 Avaya Inc. All right reserved 49

50

51 IGNITION TUNNELING SERVER GRE TUNNELING FOR WLAN 9100 AP 9100 WOS Admin Ignition Server GRE Guest Tunneling Access Portal Captive Portal Switch Firewall Internet 2016 Avaya Inc. All right reserved 51