Michal Zlesák, Area Sales Manager, Michal.zlesak@enterasys.com
Secure IT consumerization (BYOD): users will like you
How to provide secure access for smart mobile devices
Enterasys, A Siemens Enterprise Communications Company
Telfor 2011
Enterprise needs: consumerization. Expectations from the network infrastructure today
USER: seamless application access
- Across any access technology: wired, wireless and remote
- Using any device: laptop, desktop, mobile phone, game console
- Reliable and fast access
ADMINISTRATOR: automation, visibility and control
- Reduce the complexity and the number of tools needed to manage mixed wired/wireless access networks
- Automated detection and service provisioning for users and end systems accessing the network
- User-centric management with end-system and application awareness
EXECUTIVE: aligned with business objectives
- Optimize CAPEX and OPEX
- Support the business with an agile and reliable infrastructure
Workforce and users are increasingly mobile
- In more than 50% of organizations, staff spend more than 40% of their day away from their desk
- 40% of employees have high-speed data cards
- 90% of the workforce is transient or in remote offices
- 38% of enterprises identify a cellular phone or smartphone as their primary device
- 45% of corporations are interested in mobile applications
- Increasing mobile worker productivity is part of the new CIO mandate
The challenge with BYO
Bring your own PC (BYOPC) programs are becoming increasingly popular in today's businesses
- Allow individuals to work from the device of their choice
- Increase employee satisfaction
- Lower IT costs
Various types of devices
- Bring your own (BYO) iPhone, iPad, tablet, netbook, smartphone
Higher security and management challenges, even when corporate devices are used
- Private and sensitive corporate data reside together on a single device
- The apps typically installed on today's smartphones and tablets are outside IT control, which opens a large backdoor into today's enterprise IT infrastructure
- A variety of hardware and software platforms must be supported
- Restricting the use of additional apps on the devices through organizational rules is not a workable solution: doing so removes most of the value these devices have for the employee
Foundation: network and security management with Enterasys NMS
Manage with a single application framework
- Unified wired/wireless access
- Core networks
- Data center fabrics
- Security
- VM management
- Directory, PKI
Integrates with existing IT using an SOA approach and automates processes
- Open APIs (XML/SOAP, ...) and a single database
- Does not replicate available data but leverages it
Fabric management, not node management
- System-wide management instead of node-by-node management since the launch of NMS in 2001
- Interworking with highly manageable switches has been part of our DNA since the 1990s
Diagram: Enterasys NMS integrating with CMDB, asset management, alarm management and systems management
Introducing Isaac (patent pending): Intelligent Socially Aware Automated Communications
Isaac is a social-media interface to NMS that securely enables networks to communicate with humans in the language of social networking.
NAC NG: managing the end-system explosion
Chart: system/OS diversity versus number of connected devices, covering production control, facility management, building control, sensors and machines, medical systems, smartphones, tablets, VoIP phones, IP printers, PCs and laptops, IP video surveillance and (virtual) servers
Foundation: NAC NG end-system and user awareness
Expanding on the detection capabilities of the Enterasys NAC solution, NAC NG:
- Available since 2005
- Successfully deployed in thousands of networks
Authorization and policy enforcement based on
- End-system information
- User information
- Location (and tracking history)
- Time
- Status and health
- Authentication and identification method
Attributes tracked per end system: MAC address, IP address, hostname, username, operating system, current location (access point/SSID, switch/port), health state, applied policy, phone number, tracking history (first/last seen), asset ID, switch/port location
Foundation: device profiling
Automated profiling and device type detection
- NAC NG detects new devices on the infrastructure automatically and profiles them to determine the type of device
- Automated policy assignment is possible based on the profile
- Various sources can be used:
  - Network- and agent-based assessment
  - DHCP OS fingerprinting
  - Captive portal (used for remediation, registration and guest services)
  - External profilers (via NetFlow or IDS signatures)
- The device type can be an operating system family, an operating system or a hardware type, for example Windows, Windows 7, Debian 3.0, HP Printer, iPhone, iPad
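The two slides above describe profiling a device from its network behaviour and then feeding the profile, together with registration and health state, into a policy decision. The following is an added example, not Enterasys code, showing the DHCP OS fingerprinting part and a policy assignment in the same spirit: it parses the option TLVs of a DHCPDISCOVER, matches the parameter request list (option 55) and vendor class (option 60) against a fingerprint table, and maps the result to a policy. The fingerprint entries are an illustrative excerpt in the style of public fingerprint databases such as Fingerbank and are assumptions, as are the policy names and the `corporate_asset` flag; the packet builder only constructs test input.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 option-field marker
OPT_PAD, OPT_END = 0, 255
OPT_PARAM_REQUEST, OPT_VENDOR_CLASS = 55, 60

# Illustrative fingerprints (assumption, not a maintained database):
# (option 55 parameter request list, option 60 vendor-class prefix, device type)
FINGERPRINTS = [
    ((1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43), "MSFT 5.0", "Windows 7"),
    ((1, 3, 6, 15, 119, 252), "", "Apple iOS (iPhone/iPad)"),
    ((1, 3, 6, 15, 26, 28, 51, 58, 59, 43), "dhcpcd", "Android"),
    ((1, 3, 6, 12, 15, 17, 23, 29, 44, 51), "Hewlett-Packard JetDirect", "HP Printer"),
]


def build_discover(param_list, vendor_class=""):
    """Construct a minimal DHCPDISCOVER (BOOTP header + options) as test input."""
    header = bytearray(236)
    header[0], header[1], header[2] = 1, 1, 6          # BOOTREQUEST, Ethernet, hlen
    struct.pack_into("!I", header, 4, 0x3903F326)     # xid (constructed)
    header[28:34] = bytes.fromhex("001122334455")     # chaddr (constructed)
    opts = bytearray([53, 1, 1])                      # option 53: message type DISCOVER
    if vendor_class:
        vc = vendor_class.encode()
        opts += bytes([OPT_VENDOR_CLASS, len(vc)]) + vc
    opts += bytes([OPT_PARAM_REQUEST, len(param_list)]) + bytes(param_list)
    opts.append(OPT_END)
    return bytes(header) + MAGIC_COOKIE + bytes(opts)


def parse_dhcp_options(packet):
    """Return {code: value} for the TLV options after the magic cookie.

    Truncated or malformed input raises ValueError instead of yielding a
    partial, attacker-shaped option set that a profiler might act on.
    """
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            return options
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value          # last occurrence wins; RFC 3396 joining omitted
        i += 2 + length
    raise ValueError("missing END option")


def profile_device(options):
    """Match option 55 (exact list and order) and option 60 (prefix) against the table."""
    prl = tuple(options.get(OPT_PARAM_REQUEST, b""))
    vendor = options.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace")
    for fp_prl, fp_vendor, device_type in FINGERPRINTS:
        if prl == fp_prl and vendor.startswith(fp_vendor):
            return device_type
    return "Unknown"


def assign_policy(device_type, registered, healthy, corporate_asset):
    """NAC-style decision: profile + registration + health -> access policy.

    Policy names are hypothetical. Unknown or unregistered devices are sent to
    the captive portal, which is where the slides place registration and
    further profiling; failed health checks get remediation; private devices
    end up in a restricted role rather than the full enterprise role.
    """
    if device_type == "Unknown" or not registered:
        return "Registration-Portal"
    if not healthy:
        return "Remediation"
    if device_type == "HP Printer":
        return "Printer-Only"
    if corporate_asset:
        return "Enterprise"
    return "BYOD-Restricted"


if __name__ == "__main__":
    pkt = build_discover((1, 3, 6, 15, 119, 252))
    dev = profile_device(parse_dhcp_options(pkt))
    print(dev, "->", assign_policy(dev, registered=True, healthy=True, corporate_asset=False))
```

The fingerprint match is deliberately exact on option 55 because the ordering of the parameter request list is what distinguishes DHCP client stacks; a client can of course forge these options, so DHCP fingerprinting is one profiling source among the several the slide lists, not an authentication mechanism.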
Registration process: an important role
BYO devices are not managed by corporate IT and therefore lack proper security configuration:
- Strong authentication
- Certificates and/or encryption settings for Wi-Fi
NAC NG provides an embedded web portal that allows users to register their device using their credentials
Subsequent actions can include
- Enrollment of certificates
- Configuration of the device in an automated workflow using appropriate protocols: WMI (Windows Management Instrumentation) or MDM (Mobile Device Management)
Leveraging VDI to connect BYO devices: the safest alternative
- Use of virtual desktop and sandbox technology
- Restrict access into the corporate network to VDI usage
- Enforce user-based policies for the VDI session in the data center
- All other traffic is destined only to external resources
Diagram: device-based policy enforcement at the access layer allows only VDI traffic (e.g. ICA) to internal resources and Internet traffic from other apps to the DMZ/Internet; all other internal traffic is blocked; user-based policy enforcement at the server with VDI instances applies to the VDI session
Native access for BYO devices: the cost-effective alternative
- Does not require a VDI infrastructure, so lower CAPEX and OPEX
- Restrict access into the corporate network to only the necessary resources
- Strong authentication recommended
- No full control of the data on the device
Diagram: user- or device-based policy enforcement at the access layer allows service access only to the necessary resources (application servers A and B) and Internet traffic from other apps; all other internal traffic is blocked
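The VDI and native-access slides above both come down to a first-match rule set applied per flow at the access layer: a BYO device in the VDI role may only reach the VDI farm on the VDI protocol, a device in the native-access role only the handful of application servers it needs, and everything else on the intranet is dropped while Internet-bound traffic passes. The following is an added example, not Enterasys code, that models that enforcement and evaluates constructed flows against it. The address ranges (10.0.0.0/8 intranet, 10.10.1.0/24 VDI farm, 10.20.5.0/24 application servers, 10.0.0.53 DNS), the Citrix ICA ports (TCP 1494 and 2598 for session reliability) and the role and rule names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTRANET = ip_network("10.0.0.0/8")        # assumption: all internal space
VDI_FARM = ip_network("10.10.1.0/24")      # assumption: servers with VDI instances
ICA_PORTS = {1494, 2598}                   # Citrix ICA and session reliability
DNS_SERVER = ip_address("10.0.0.53")       # assumption: every role needs name resolution
NATIVE_SERVICES = {                        # native-access role (slide 12): only these
    (ip_address("10.20.5.10"), 443),       # application server A
    (ip_address("10.20.5.20"), 443),       # application server B
}


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    dst: str        # destination IPv4 address
    dport: int


def decide(role, flow):
    """First-match access-layer policy. Returns (verdict, rule) so that the
    matching rule can be logged alongside the verdict.

    Roles (hypothetical names):
      byod-vdi     -> slide 11: only ICA to the VDI farm plus Internet
      byod-native  -> slide 12: only listed application services plus Internet
      enterprise   -> corporate-managed device, full intranet access
    """
    dst = ip_address(flow.dst)
    # Infrastructure a client cannot function without; kept deliberately narrow.
    if flow.proto == "udp" and dst == DNS_SERVER and flow.dport == 53:
        return ("permit", "infra-dns")
    # Internet traffic from other apps goes out unchanged (slides 11 and 12).
    if dst not in INTRANET:
        return ("permit", "internet")
    if role == "enterprise":
        return ("permit", "intranet-full")
    if role == "byod-vdi":
        if flow.proto == "tcp" and dst in VDI_FARM and flow.dport in ICA_PORTS:
            return ("permit", "vdi-ica")
    elif role == "byod-native":
        if flow.proto == "tcp" and (dst, flow.dport) in NATIVE_SERVICES:
            return ("permit", "service")
    else:
        return ("deny", "unknown-role")
    # Slide text: "other internal traffic blocked".
    return ("deny", "intranet-default")


def evaluate(role, flows):
    """Evaluate a batch of flows; returns a list of (flow, verdict, rule)."""
    return [(f, *decide(role, f)) for f in flows]


if __name__ == "__main__":
    # Constructed sample flows from one BYO device; 203.0.113.10 is TEST-NET-3.
    sample = [
        Flow("tcp", "10.10.1.25", 1494),   # ICA to a VDI host
        Flow("tcp", "10.20.5.10", 443),    # direct HTTPS to app server A
        Flow("tcp", "10.30.0.7", 445),     # SMB to a file server
        Flow("tcp", "203.0.113.10", 443),  # Internet
        Flow("udp", "10.0.0.53", 53),      # DNS
    ]
    for role in ("byod-vdi", "byod-native"):
        for f, verdict, rule in evaluate(role, sample):
            print(f"{role:12} {f.proto} {f.dst}:{f.dport:<5} {verdict:6} ({rule})")
```

Note what the access layer does and does not decide here: the VDI role only says which packets may reach the farm; who the user is and which virtual desktop they get is enforced inside the data center by the VDI broker, which is the user-based enforcement point the VDI slide draws at the server. The access-layer rule set should therefore stay as small as the role needs, because every extra permitted destination is reachable by an unmanaged device whose apps the slides describe as outside IT control.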
Fighting a two-front mobility war: cloud and virtualization on one side, BYOD on the other
Diagram: a highly dynamic data center (virtual machines; cloud, virtualization and server/storage consolidation) on one side and a highly dynamic access edge (BYOD) on the other
Enterasys OneFabric: delivering the first enterprise-class network fabric
Introducing the industry's first fabric-based networking solution to extend visibility and control from virtual servers to mobile devices for cloud computing and data center environments
The OneFabric difference: consistent controls and automation delivering end-to-end QoS, realizing a best-in-class user experience across the entire network
OneFabric: simplified, interoperable solutions
An innovative single fabric with a data-center-to-edge view of application services: OneFabric Data Center, OneFabric Edge, OneFabric Security
Uncompromised user experience. One network fabric, one network experience.
OneFabric solutions: OneFabric Control Center, Data Center, Edge and Security
OneFabric characteristics and unique values
OneFabric characteristic: business value proposition
- Single fabric management pane: allows the network manager to know the network
- Unified wired and wireless: consistent user experience (QoS) across wired/WLAN
- Pervasive security: enables consumerization, reduces risk
- End-to-end (data center, campus, branch): user- and application-focused, not infrastructure-focused
- Open and standards-based: migration away from legacy with no rip and replace; no vendor lock-in
- High-performance ASIC: purpose-built innovation; allows customers to leverage enhancements without a prohibitive price
- Power- and operationally efficient: achieve more with fewer IT resources
Summary
Automation
- Automates the provisioning of access for any device type entering the corporate network
Visibility and control
- Granular control of access: increased security for unmanaged, unmanageable and private/BYO devices on the corporate network
Reduced cost
- Leverages the efficiency gains of new and innovative devices
- Reduced OPEX through automated service provisioning
- No dedicated infrastructure required: leverages the same technology used for access control of any other device