ClearPass Ecosystem - Tomas Muliuolis, HPE Aruba Baltics lead
Changes in the market create paradigm shifts
Today's New Behavior and Threats: GenMobile (Access from anywhere?); BYOD (Trusted or untrusted?); Bad Apps and Hackers (How do you keep up?); Open Networks (Stay away or safe?)
Ponemon 2015 Results
How to start building a solution? Why ClearPass. Align to a single security vendor strategy? Ask colleagues from the industry? Build your own strategy based on a best guess? Search the web for different solutions? Align to regulations and compliance? Ask an expert? Just leave it as it is?
Time for a New Defense Strategy (diagram labels): Perimeter Defense; Mobility Defense; Firewalls; A/V; Firewalls; EMM/MDM; IDS/IPS; Web gateways; Physical; IDS/IPS/AV; Access Policy Management; Network Infrastructure. Policy needed for central point of control.
ClearPass Core Functionality (diagram labels): USERS Employee BYOD Visitor Administrator Employee Contractor Headless Devices NETWORK EDGE Multi-Vendor Wired/Wireless/VPN NETWORK CORE AAA/RADIUS NAC Cert. Authority Onboarding Guest Profiler Device Registration PKI ClearPass Policy Visibility - Workflow User/Role IDENTITY SOURCES Token AD/LDAP SQL Time/Day Location Device Type/Health CONTEXT
ClearPass Exchange Partner Integration. Integration catalog: community.arubanetworks.com
Ecosystem is key for secure infrastructure. ClearPass Exchange: over 120 different partners.
ClearPass Exchange Continues to Grow: Granular traffic control with user and device data; Next-Gen Perimeter Defense; MDM / EMM; Network controls using real-time device data; Visibility and interactive control features; SIEM, Automation, MFA; Infrastructure; Visibility into location and time with granular controls; NEW
ClearPass - Why ClearPass: Multivendor & 3rd Party integration; User-experience driven applications; Scalability and cost advantages; Business oriented policy services (building blocks, roles, troubleshooting tools)
CIS TOP 20 Controls for Effective Cyber Defense V 6.0
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges
6. Maintenance, Monitoring, and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports
10. Data Recovery Capability
11. Secure Configurations for Network Devices
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Security Skills Assessment and Appropriate Training to Fill Gaps
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises
ClearPass Policy and Network Access Control News
6.6.1 Release - Things of Note: Only one Virtual Image instead of one for 500, 5K, 25K (VMware and Hyper-V); customer uses menu to select proper version during deployment. Reports now include data on Social Login use. You can see Hostname for devices that connect via OnGuard agents. We've gone to a single REST-based API architecture, replacing TipsAPI (XML), Guest SOAP APIs, and Guest XML-RPC APIs. http://community.arubanetworks.com/t5/technology-blog/clearpass-6-6-1-what-s-in-and-what-s-out/ba-p/273297
6.6.2 Enhancements - Profiling: DHCP, TCP, SSH, NMAP, CDP, LLDP, SNMP, WMI, OnGuard. We're adding NMAP Port-based Scanner: on-demand or pre-scheduled scans; granular visibility for like devices; enhances our competitive advantage. Diagram labels (Before / After): Mac OUI; Two IoT Endpoints; Lighting Sensor; NMAP Scan; Accurate Policy Decision; Temperature Sensor
ClearPass Exchange is Growing. ClearPass Exchange (arubanetworks.com): over 120 different partners.
Customer's 3rd Party Solution Provides needed Security or Service, But! Solution lacks needed wired/wireless feature; IT lacks integration expertise; they have ClearPass but no built-in integration. What do you do?
ClearPass Extensions - New 3rd Party Integration Option (diagram labels: Extensions Repository; Aruba ClearPass). Opens doors for new Exchange partnerships: device authorization, MFA, visitor registration, EMM/MDM and more. Extends use of existing security, productivity solutions. Fast, no heavy lifting integration model.
Extensions for Intel Security - McAfee ePO: 1. Devices establish connections. 2. Devices profiled. 3. ClearPass checks ePO for endpoint status. 4. ClearPass enforces access privileges. Compliant endpoints allowed access. Non compliant endpoints can be sent to quarantine. Diagram labels: Production Resources; Corporate owned and IoT; Multi-vendor switching; Policy and NAC; McAfee ePO; BYOD and corporate owned; ePO managed endpoints; Multi-vendor WLAN; Quarantine VLAN
Security for IoT is a Concern, But! Devices have no 802.1X capability; not all switches support 802.1X; IT lacks time or 802.1X expertise. What do you do?
ClearPass OnConnect for Easy Wired NAC Enforcement (diagram labels: No 802.1X; Aruba ClearPass; SNMP Enforcement; Printer VLAN; Infusion Pump VLAN). Existing 802.1X wired/wireless support. Built-in device-centric security for all non-AAA ready customers. Easy to configure on legacy multivendor switches. Leverages ClearPass profiling for wired/wireless - IoT, laptops, mobile phones.
Ingress Engine Third-party Threat Protection: 1. User connects and uploads. 2. NGFW/IPS sends threat event to ClearPass. 3. ClearPass isolates client. Diagram labels: Firewall / IPS (**); LAN/WLAN. Adaptive Trust Defense based on real-time threat detection. Offers enhanced user experience as ClearPass can initiate user notifications, help-desk tickets, and update third-party security solutions. ** Device in step 2 can be MDM/EMM, SIEM, etc.
Enhanced Profiling and Policy Solving IoT Issues. OLD WAY: Wait for new Fingerprints to be made and/or manually override devices 1:1. NEW WAY: Create your own Fingerprints!
Thank You