Mobility in the Network: A Phased Technology Approach

Transcription

1 Extreme Networks White Paper Mobility in the Network: A Phased Technology Approach Make Your Network Mobile Do not reproduce.

2 Introduction Several global trends are driving a fundamental shift in the way IT is conducting their business. First, the move to a global workforce is driving a 24x7, always-on model of operation with the constant need for access to content, data and applications. Second, the proliferation of smart mobile devices such as smart phones, tablets and laptops that support enterprise productivity tools are enabling an increasingly mobile workforce that demands anytime, anywhere, enterprise application and content usage. Finally, the growing pervasiveness of connectivity whether 2G/3G/4G, Wi-Fi, or traditional wired connectivity, is further boosting the demand for both the global and mobile workforce to operate in an always connected mode of operation. The demands that these changes pose on IT infrastructure is driving a fundamental shift in the way content, data and applications are delivered to and managed for the mobile and global workforce. Technologies such as virtualization (server, desktop and storage) are rapidly changing the way IT thinks about making content and applications available to the user. Cloud-based services are gaining adoption at a rapid rate as a way to provide on-demand capacity and accessibility. As a result, the definition of mobility is changing from offering connectivity or portability of users and devices across different technologies such as wired and wireless, to offering, managing and supporting a seamless user experience across devices, applications and networks. In this transition from connectivity/portability to mobility, the network infrastructure has fallen behind when it comes to dealing with the dynamism associated with mobility. While wireless and wired technologies are admittedly making rapid strides in terms of the bandwidth they can offer, the networking world is still fundamentally focused around connectivity. Consequently, the tools, processes and constructs available to network administrators are still mired in a world of VLANs, IP addresses and MAC addresses, rather than moving up the stack to users, devices, and applications. For example, a user today can access the same data and applications over his/her smart phone, tablet device, desktop or laptop, all within a short span or perhaps even simultaneously. This could be happening over various different mediums of connectivity such as 3G smart phone access, Wi-Fi tablet access, and wired Ethernet desktop access. All mediums and devices present different IP addresses, different MAC addresses and potentially different VLANs. And yet, the network for the most part today does not offer any constructs to see who the user is behind these IP or MAC addresses, what role the user plays in the corporate structure, and the connectivity pattern for that user over time. Worse still, many corporations today deal with a collaborative workforce simply through VLANs. For example, in conference rooms where employees and guests are transported over a guest VLAN to the outside internet - thus requiring employees to back in just to access their data from within a conference room inside the company. Internet Concentrator Firewall Router Core Guest VLAN WiFi Ethernet Conference Room Data Center Server Farm Guest Employee Guest Employee

3 In order to ensure consistency of user experience, visibility for troubleshooting and audit, and to provide adequate control over who has access to what from where and when, networking needs to evolve from providing connectivity tools to providing tools to manage mobility. This transition is one that will occur in phases and requires several building blocks to come together to provide a cohesive model that addresses mobility beyond connectivity. The rest of this paper will discuss the different phases the network needs to evolve through in order to address user, device and application mobility. Phases to Bring Mobility into the Network Phase 1 A World of Disparate Networks Phase 1 is where most of networking is today. Phase 1 is mostly about connectivity where you have different networks providing different forms of connectivity with little intelligence, awareness or synergy across the various connectivity options. For example, Wi-Fi networks today tend to be deployed as overlay networks over a wired network infrastructure. Tools and policies for managing users and mobility across wired and wireless infrastructures tend to be different and any co-relation, enforcement, or troubleshooting are handled separately for the different networks. The disparate nature extends beyond the campus environment to public access and to cloud models as well. There is no good model today for controlling and managing users access to corporate data and applications that is federated across the campus and the cloud. Likewise users access to the enterprise network, coming through a public infrastructure, typically imposes a discontinuity in user experience, for example, by forcing a user to go across a infrastructure which again, is managed separately. Equally important, throughout these different networks, there is little knowledge or awareness within the network or the network tools, of who the user is, what role the user plays in the corporate structure, or how access can be regulated based on this knowledge, particularly when dealing with a mobile user who may need access to data over different connectivity media, from different devices and locations, and at different times during the day. Monitoring, troubleshooting and security are all challenges in this mobile environment because the network lacks both the tools to deal with this and also because the disparate networks do not share information or data between them to provide co-relation and awareness. Network infrastructure providers are now beginning to move to Phase 2 where this level of intelligence that recognizes users is beginning to be built, deployed and utilized. Phase 2 Islands of Awareness The evolution to Phase 2 is currently underway. Phase 2 is marked by a move in the networking infrastructure to add a layer of intelligence that builds awareness of users, devices, and applications along with the ability to deal with their mobility across different media and locations, as well as time. This intelligence is then used to ensure both that the user has a good user experience from the network, and that the network administrator has the tools to deal with user, device and application mobility, from configuration and control, to visibility, monitoring and audit. In other words, the network is evolving from providing MAC, IP, VLAN-type information and services, to knowledge-based information and control of who, where, when and what the user is doing and allowed to do. These are explored below in more detail. Who is accessing the network and applications? A user can be a person, device or application. For example a user can be an employee, contractor, or guest at a certain facility. Knowing who the user is allows the administrator to provide access based on the role of the user, as well as instant visibility into who is accessing the network, from where and when. For example, threat conditions can be pinpointed to individual users along with their user/login names, their IP/MAC addresses, their location and time of day. The ability to discern the identity of the user may come from multiple sources such as snooping users Kerberos exchanges or snooping RADIUS exchanges which provide a non-intrusive mechanism, or through more traditional mechanisms such as captive portal which tend to be more intrusive. Similarly in the data center, users can be virtual machines (VMs) or applications. Knowing which VM is accessing the network at which attachment point significantly simplifies the operational complexity of isolating and provisioning of VMs as well as supporting highly virtualized data centers. For example in a data center with 5 rows of server racks, each row having 10 racks, and each rack 3

4 having 25 servers, each server having 10 VMs on average could lead to a data center with 10,000 VMs. The VMs could migrate within racks or between rows. Being able to pinpoint which VM is accessing the network at exactly what attachment point becomes critical to the ability to service and meet SLA response times. In the case of VMs in the data center, the ability to gain insight into the VM lifecycle can be made available through integration with VM management solutions offered by the different hypervisors. A user may also be a device such as a printer, a VoIP phone, or a handheld smart phone. Again, there can be multiple levels of granularity such as IT owned/managed devices and user owned devices which may drive different policies. For example, an IT owned asset may have Data Loss Prevention (DLP) software installed on the device which would permit the user access to confidential resources. On the other hand, a personally owned laptop, for example, may not be given access to the same data for fear of data leakage. The ability to identify and differentiate the device that is being used to access the network, can better help control and manage access from that device. Another example is the case where a device may not be permitted on the network unless it is up to date with its anti-virus software. In this case a device s patch level may need to be determined before it is granted access to the network. If the device is not at the right patch levels, it may be quarantined and pointed to a remediation site where it can update its patch level before being allowed back on the network. What is the user permitted to do? This is essentially the enforcement piece of the solution. Knowing the identity of the user, then allows the network to regulate and provision access to resources within the network by that user, be it a device, an application, or a person. The enforcement piece addresses not just access control and security but also user experience in terms of the quality of service that is made available to the user, as well as audit and compliance requirements. For these reasons, the enforcement needs to be done as close to the users point of attachment as possible, such as the network access switch. Knowing the identity and role of users additionally allows the enforcement piece to no longer rely on constructs such as guest VLANs. Rather, the enforcement and quality of the user experience piece can directly leverage policy-based constructs based on 5-tuple-type access rules or other higher level constructs such as application-based rules that are specifically associated with that user and the role of the user. For example, a user can be an employee or a contractor. An employee may be part of the company s engineering team, finance team or sales team. Knowing the role of the user allows finer grained control of enforcement policies as well as on the quality of experience extended to the user. Moving toward this type of policy enforcement model greatly diminishes the need for more traditional guest VLAN-type constructs. Note that VLANs still play an important role in terms of limiting broadcast segments, network partitioning, etc. But, their use as a way to manage and service a collaborative and mobile work force becomes deprecated. From where is the user accessing the network? Being able to provide visibility into a user s location can better help IT administrators to provide services as well as secure their resources. For example, in a secure facility, being able to identify from where a user is connecting, can help determine the level of network access the user should be given. A user accessing the network from the parking lot via Wi-Fi or from within the perimeter of a facility can help determine the access privileges. Services such as E911 can also better be served by knowing the user s location, for example, from within the enterprise. The network inherently has access to a lot of this information. However, traditionally this has not been exposed to the administrator. By identifying the location of the user based on the network switch port that the user is attaching into, or by triangulating his location using Wi-Fi, location-based policies can be tied into the enforcement piece. When is the user accessing the network? In a workforce increasingly driven by collaborative relationships, it is not uncommon for contractors, consultants and partners to all require access to different sets of resources within an enterprise. For example, temporary auditors may require access to financial data for certain periods of time, beyond which they may not be allowed further access. Contractors and consultants may require access to certain data during normal working hours, outside of which their access to the same data may be restricted. Being able to manage a user s access, not just based on who the user is but also based on the time of access, is becoming increasingly important. 4

5 Building intelligence into the network to identify the user and the user s role, the location of access, and time of access, along with the capability to provision, monitor, and control access based on the above is an important step in making the network more capable in dealing with an increasingly mobile, global and collaborative workforce. Components for Managing Mobility In order to provide visibility and control in a mobile user environment as outlined above, several components are required that when working together can provide a cohesive solution. These components include the following: and device identification The first piece of the solution is identifying the user. Several different mechanisms can be used to determine the identity of the user along with the role the user plays in the organization. As mentioned above, Kerberos and RADIUS snooping by network access switches provides non-intrusive mechanisms to determine the user s identity. Captive portal and 802.1x are other mechanisms that can be used. All of these mechanisms typically tie into a backend AAA server, such as Windows Active Directory, to determine a user s membership as well as other attributes of the user from which the user role can be derived. Attributes can include things such as employee title, status, location, etc. The user and device identification can be done by network switches, wireless access points, wireless controllers, as well as by connection brokers in the case of VDI type solutions or even concentrators. As the transition towards Phase 2 of mobility progresses, this functionality is increasingly built directly into the access network infrastructure such as access Ethernet switches. In addition, in the case of devices such as VoIP phones, printers, etc., Link Layer Discovery Protocol (LLDP) based mechanisms can be used to identify the device. Where a device needs to be fingerprinted for example, for the purpose of remediation, a device scan can be initiated to identify the OS and patch level. Finally, in the case of applications, for example VMs hosted in a data center, tying or integrating into the VM management solution can provide visibility into the VM lifecycle. Role and policy definition framework A centralized policy definition framework is a key component of the mobility management solution framework. The policy framework allows the specification of users roles, the associated policies for managing access and quality of experience based on users roles and attributes, as well as policies associated with managing access to/from devices and applications. The policy framework infrastructure can then be used by the policy enforcement devices to manage user, device and application mobility. The policy definition framework typically would support location and time of day-type constructs as well as functions such as role derivation and inheritance for each policy and role specification. Policy enforcement points Once the user, application or device has been identified, along with the role and policies associated with that user, the policy enforcement points then apply and enforce the policy in real time. Policy enforcement is most effective when done closest to the user. Policy enforcement points can be access switches in the network, or Top-of-Rack (TOR)/End-of-Rack (EOR) switches in the data center, as well as access points, wireless controllers and concentrators. Similarly in the case of VDI-type technologies the connection broker may also function as a policy enforcement point. What is important is that the policy enforcement points be as close to the user attachment points as possible to increase the effectiveness of the experience extended to the user. The policy enforcement piece is closely tied to the policy definition framework. Reporting, audit and visibility This is a critical component of the solution in that the ability to provide centralized real time visibility into the operating environment at the user, device, and application level is critical to meeting SLAs, ensuring uptime, and minimizing outage windows. All the components outlined above need to provide information into a centralized repository that can then assimilate the information and provide a window into the real-time operating environment. For example, being able to pinpoint the location of a user and device becomes important in being able to troubleshoot connectivity and user experience issues. The ability to provide an audit trail on a user s access pattern may be important in order to meet certain compliance requirements. 5

6 As networks transition to Phase 2 where they work to provide the visibility, control and tools to deal with an increasingly mobile and global workforce, these components are being built independently for each network technology. For example, Extreme Networks Identity Management solution provides the ability to detect user identity, define roles and policies and enforce those policies on a wired infrastructure. The policy definition repository leverages Ridgeline as the platform and uses Active Directory to derive user groupings and attributes. Using the ID Manager solution, IT administrators can enforce policies on users based on their roles, location and other attributes without having to rely on traditional MAC and VLAN-based configuration. A similar solution is offered by way of the wireless infrastructure which utilizes the Extreme Networks WLAN controller policy definition and enforcement infrastructure along with Active Directory as the database for user groupings and attributes. For device identification, ExtremeXOS Universal Port (UP) provides a broad set of solutions based on technologies such as LLDP that help identify end devices such as VoIP phones. For applications hosted in the data center, ExtremeXOS Network Virtualization (XNV ) solution provides the ability to address VM mobility and lifecycle management. These different solutions leverage some common elements, for example a common AAA services component such as Active Directory. But they also build and utilize their own specific modules for policy definition and enforcement. This leads to a certain inconsistency, both for the network administrator in how they deal with mobile users, and also for the end user in terms of the services they get when connecting using different technologies. In terms of deployment timelines and availability, networks are only just beginning to move to Phase 2 with solutions coming available on the market in recent months. OS Fingerprinting Device Identity Ridgeline Identity and Policy Framework Active Directory / AAA WLAN ID Manager ID Manager ExtemeXOS Universal Port ExtemeXOS Network Virtualization Connection Broker VM Wireless Device Virtual Machine VDI

7 Phase 3 Seamless Mobile Experience from Campus Edge to Core to Data Center Phase 3 marks the move toward a unified experience in the enterprise where users, devices and applications are tied together using a common framework for identification, policy definition and enforcement. Phase 3 also marks the move toward a converged enterprise edge where overlay wireless networks will be replaced by a converged wired and wireless infrastructure and standalone wireless controllers will be integrated into network switches to provide seamless wired/wireless management and experience. The components identified in Phase 2 above i.e. user and devices identification, policy definition, policy enforcement, and reporting, continue to evolve and improve in capabilities in this phase. However, some of these components become unified under a common umbrella. In Phase 3 convergence starts to happen in user, device and application mobility management within the enterprise network. Phase 3 availability and deployments will happen in two stages. Phase 3a Phase 3a marks the move toward a converged network edge, where wireless networks will be treated as an extension of the wired infrastructure rather than an overlay network. Wireless controller intelligence will start getting embedded into network switches and proprietary wireless tunneling technologies will start to be replaced by standards-based Control and Provisioning of Wireless Access Points (CAPWAP) tunneling technologies. The move toward embedding the wireless controller intelligence into the switching infrastructure allows the network to provide a unified mechanism for addressing user, device and application mobility. Components to address user and device identity, as well as policy enforcement can now be combined on the network access switches for both wired and wireless traffic. The policy definition component which typically resides externally can also be leveraged jointly for both wired and wireless traffic. As an example, as wireless traffic is tunneled to the switch and terminated at the switch using CAPWAP tunnels, the data plane for both wired and wireless traffic resides on the switch. As such, functions such as the identity module that traditionally was used for wired users, can now also be used to determine the identity of the wireless users and devices. Once the identity is determined, the roles and policy information can be queried and obtained from a common external policy manager for both wired and wireless users. Again, since the switch now participates in the data plane forwarding for both wired and wireless traffic, policy enforcement on the switch can be done in a unified and consistent manner for wired and wireless traffic and reporting and audit information can be combined for wired and wireless users. This unification provides great benefits in providing a seamless user experience to mobile users, who can now roam across wired or wireless Wi-Fi infrastructure in the enterprise, using any device such as smart phones, tablets, laptops or desktops and obtain a consistent user experience in terms of the applications and services they can access. To the IT administrator this provides a significant simplification since roles and policy definition are now common to both the Wi-Fi and wired infrastructure; the enforcement model is also consistent, and the tools that provide visibility and troubleshooting information are consistent as well, across both wired and Wi-Fi infrastructures. 7

8 Ridgeline and Device Identity Active Directory Device and OS Fingerprinting Unified and Wireless ID Manager ExtemeXOS Universal Port ExtemeXOS Network Virtualization Connection Broker VM Wireless Wireless Device Virtual Machine VDI Solutions for Phase 3a are expected to start rolling out sometime in the mid-2012 timeframe. Phase 3b One of the areas that phase 3a does not address in the enterprise segment is VDI technology. VDI typically refers to thin clients accessing applications through a connection broker. The connection broker connects the users to their applications based on users identities and preferences. Applications are typically hosted in the data center as a set of VMs. Traditional user and device mobility management solutions break down in a VDI environment since users personalities are manifested through VMs running in a data center, with the connection broker serving as a proxy to connect users to their VMs. In Phase 3b, solutions that deal with VM and application mobility in the data center such as Extreme Networks XNV, start working in conjunction with VDI technologies to determine the identity of users and enforce the appropriate policies. For example, just as XNV today talks to VMware vcenter to pick up VM information, XNV would talk to a connection broker to get user identity information along with the knowledge as to which user is assigned to which VMs. XNV would then use that information to query the same policy manager used for wired and wireless access, determine the policies for that user and dynamically apply those policies to the VM associated with that user. Now if the VM moves around within the data center, XNV would automatically migrate the users policies to track the VM and enforce policies on the target switch where the VM moved. 8

9 Ridgeline and Device Identity Active Directory Device and OS Fingerprinting Unified and Wireless ID Manager ExtemeXOS Universal Port ExtemeXOS Network Virtualization Connection Broker VM Wireless Wireless Device Virtual Machine VDI Solutions for phase 3b are expected to start rolling out in about a month timeframe. The combination of Phase 3a and 3b will allow users access to data and applications from a variety of devices (smart phones, PDAs, laptops, etc.,) across a variety of connectivity options from Wi-Fi to wired Ethernet, and across a variety of technologies from VDI to client-server to server virtualization. At the same time, the network administrator will have the tools and resources necessary at the granularity of the individual user, device and application, to serve up on-demand connectivity, manage security, address user and device mobility, and minimize troubleshooting and downtime. Phase 4 The increase in mobility is driving more and more applications to be hosted in the cloud as one way to provide ubiquitous access to data and applications. Other factors such as the move from a CAPEX to OPEX model, the ability to burst into the cloud on an as needed basis, as well as the ability to leverage the cloud in disaster recovery scenarios, is providing increasing momentum to the growth in cloud-based services. Two challenges arise when dealing with both user and application mobility in this move toward the cloud which are outlined below. The solutions to these will also come in two phases. Phase 4a The first challenge that arises is that enterprises will most likely have a federated model where applications may reside within the enterprise data center and also in the cloud. Some of these applications may be shared across the two islands while in other cases there may be one set of applications in the cloud and a different set of applications in the enterprise data center. In all of these cases, in order to create a seamless user experience, the enterprise data center and the cloud need to provide a single logical overlay network which appears as one to the user, though they may be separated by both logical network boundaries (i.e. multiple layer 3 boundaries) and physical boundaries (i.e. across multiple geographic locations). This problem exists even in a pure cloud model, where enterprises add capacity in the cloud over different periods of time resulting in a physical and logical separation of customers resources within the cloud in effect creating islands within the cloud. To make this more concrete, consider a customer who pays for certain resources such as compute and storage with a cloud provider. This gets assigned from the available capacity within say a certain rack in the provider s data center. At a later stage, the customer requirements grow and the customer seeks to add more capacity. That capacity will get added in perhaps some other rack within the provider s data center depending on where capacity is available. This creates two islands for the same customer which may be separated by say a layer 3 boundary even within the cloud provider s data center. 9

10 In order to create a seamless user experience, these customer islands need to appear as a single logical network externally. Technologies are being developed to address this challenge, most of which involve creating a logical network based on intelligent use of tunnels to connect the different customer islands, along with a provisioning solution which can intelligently provision these tunnels as customer capacity gets provisioned within the cloud, and across the cloud and enterprise data center. These solutions will extend the logical network view within the cloud provider s infrastructure as well as across the cloud and enterprise data center. To a user or application, this logical network view will create a unified application experience regardless of whether the application is hosted in the enterprise data center, in the cloud or a combination thereof. Phase 4b The second challenge that arises in a federated or hybrid cloud model is that the user, device and application intelligence that was built in Phase 3 now needs to extend into the cloud in order to both control and manage access to the applications and data that span private and public clouds. While Phase 3 provides a common framework to address user and device mobility in the campus and enterprise data center across both wired and wireless infrastructures, those concepts don t automatically extend into the cloud. A few key pieces of technology need to be developed to extend the notion of a user s identity, role and corresponding experience into the cloud. 1. A federated policy solution that allows policy and role information to be shared across private and public clouds is a key component. This policy management infrastructure can then be used to determine user roles and access privileges both for applications and resources being used within the enterprise campus as well as applications hosted within the cloud 2. Another key component is a federated AAA infrastructure that can be used to determine user groups and user attributes which then allow assigning users into specific roles. As cloud providers become more specialized in their offerings, the need for such solutions will extend not just between the enterprise and cloud, but also across different clouds. Indeed standards bodies are beginning to think about a standards-based open approach to federated cloud models. The combination of Phase 4a and 4b will allow users to access data and applications across wired and Wi-Fibased wireless infrastructures, using a variety of devices across the enterprise campus and cloud, and still provide administrators the ability to work at the user, device and application level rather than MAC, IP and VLAN level, thus ensuring users a good experience. Solutions for Phase 4 can be expected in an month timeframe. Phase 5 As the use of smart devices such as tablets and smart phones proliferate, the use of public wireless networks that employ for example 2G/3G and in the future 4G technology to access corporate data and applications is growing. With this there will be an increase in congestion as the demand for data and applications over the air grows. The increased use of video by both consumer and business is further aggravating the problem of bandwidth hogging and congestion in these wireless networks. While 4G is expected to provide some relief, the increasing use of public wireless networks for high bandwidth usage data and video will continue to pressure the spectrum and increasingly inhibit users from enjoying a seamless experience accessing data and applications as they would from within the corporate wired or Wi-Fi network. Phase 5 will see the extension of user and device policy and mobility management solutions into carrier networks to provision users access based on their roles and access privileges. Note that carriers today already have user, subscriber and policy management solutions in place. However, these are completely independent entities with no co-relation to cloud or campus user and policy management solutions. Phase 5 will see the integration of these solutions to provide a seamless experience to the user across enterprise, cloud and public infrastructures. Indeed, traditional carriers are already moving aggressively into providing cloud-based services through acquiring hosting and cloud service companies. With this move by carriers to provide traditional access-based services as well as hosting and cloud services, a move toward a unified user and application policy infrastructure will follow. Solutions for 10

11 Phase 5 may come about in parallel with Phase 4 solutions as traditional carriers aggressively move into the cloud space. Summary The evolution of the network to provide the intelligence needed to address user, device and application mobility is underway. This evolution is a longer term trend spanning the campus and enterprise data center, cloud providers and traditional wireless and wired carriers. The initial set of solutions to address mobility in the network is coming online in the form of campus and data center solutions. Extreme Networks Identity Management solution addresses mobility in the campus network, while Extreme Networks XNV Virtual Machine Lifecycle management solution addresses mobility in the data center. These are building blocks on which a broader set of solutions addressing mobility in the network can be built. Make Your Network Mobile Corporate and North America Extreme Networks, Inc Monroe Street Santa Clara, CA USA Phone Europe, Middle East, Africa and South America Phone Asia Pacific Phone Japan Phone extremenetworks.com Extreme Networks Confidential and Proprietary. Do not distribute without the express written consent of Extreme Networks, Inc. Extreme Networks, the Extreme Networks logo, ExtremeXOS, Ridgeline and XNV are either registered trademarks or trademarks of Extreme Networks, Inc. in the United States and/or other countries. Specifications are subject to change without notice. 1791_01 06/11