HPE Aruba Focus Areas Security Tomas Muliuolis Baltics Country Lead
THE PERFECT STORM: MOBILE, IoT and CLOUD
Intelligent edge Connectivity Security Management Focus areas IoT Analytics Edge computing
Mobile-first network Policy Unified Multi-vendor ClearPass SDN Apps Management End-to-end Multi-vendor AirWave Central Wireless Wired 802.11ac Wave 2 APs Best of breed Mobility Controllers BLE Beacons Components Analytics Optimized for wireless aggregation Switches Routers VPN For IT For LOB Mobile engagement & business analytics
Connected work COWS Pager Cell phones (SMS) Bedside Terminal IP phones IP wireless phones MDA/PDA Tablets (MCA) Laptops IP-Converter ESPA 4.4.4 GSM Gateway IP Infrastructure Best OPC Server OPC, SMTP, SNMP Gateway Technical systems Gateway IP converter ESPA 4.4.4 I/O signaler Location Services Nurse Call Printing Baby Cams Lab/EPR Patient Monitoring Medical Devices Elevators Doors / Access PACS Security RFID Tags
On-Ramps To Networks We are the IT Edge on IoT Small Site Medium/Large Site Cellular Backhaul Ruggedized Indoor HPE Edgeline IoT Server PHY And/Or Protocol Converters Native Ethernet Native Wi-Fi Power Line Twisted Pair RF BLE
Time For A New Mobility Defense Model Static Perimeter Defense Adaptive Trust Defense Anti-Virus IDS/IPS Firewalls Physical Components Web gateways Perimeter Defense Security and Policy for each user or group
ClearPass Policy Manager and NAC Solution. Built-in: Policy Engine, RADIUS/CoA/TACACS, Profiling, Accounting/reports, Identity store. Expandable applications: BYOD onboarding (Onboard), Simple guest access (Guest), Health assessments (OnGuard). Diagram labels: CLEARPASS POLICY MGR, REMOTE LOCATION.
ClearPass Core Functionality USERS Employee BYOD Visitor Administrator Employee Contractor Headless Devices NETWORK EDGE Multi-Vendor Wired/Wireless/VPN NETWORK CORE AAA/RADIUS NAC Cert. Authority Onboarding Guest Profiler Device Registration PKI ClearPass Policy Visibility - Workflow User/Role IDENTITY SOURCES Token AD/LDAP SQL Time/Day Location Device Type/Health CONTEXT
ClearPass for On-Boarding + Policy enforcement Identity stores (Active Directory/LDAP/SQL/SAML/Guest) Device information (Profiling, MDM, CMDB) Policy VPN Access method (Infrastructure, date/time, source) Policy (Infrastructure, Next-gen firewalling, QoS)
ClearPass for On-Boarding + Policy enforcement Policy Role VLAN Dynamic ACL Filter-ID WIRELESS WIRED VPN REMOTE OFFICE Policy Enforcement in the infrastructure
Connect-and-Protect Data
Establishes trustworthy data sources for business intelligence and decision making
Eight steps to trust
1. Make a physical layer (PHY) connection
2. Talk the talk with existing device protocols
3. Establish authenticity of devices and users
4. Encrypt the data
5. Secure communication pathways
6. Establish and enforce device and user roles
7. Implement access and usage policies
8. Monitor for vulnerabilities
Diagram label: IoT Device
Aruba IoT profiling LAN/WLAN Remote Access
Enhancements - Profiling DHCP TCP SSH NMAP CDP, LLDP SNMP WMI OnGuard We're adding NMAP Port-based Scanner On-demand or pre-scheduled scans Granular visibility for like devices Enhances our competitive advantage Before After MAC OUI Two IoT Endpoints Lighting Sensor NMAP Scan Accurate Policy Decision Temperature Sensor
Customer's 3rd Party Solution Provides needed Security or Service, But! Solution lacks needed wired/wireless feature. IT lacks integration expertise. They have ClearPass but no built-in integration. What do you do?
ClearPass Extensions - New 3rd Party Integration Option. Diagram labels: Extensions Repository, Aruba ClearPass. Opens doors for new Exchange partnerships. Device authorization, MFA, visitor registration, EMM/MDM and more. Extends use of existing security, productivity solutions. Fast, no-heavy-lifting integration model.
Security for IoT is a Concern, But! Devices have no 802.1X capability. Not all switches support 802.1X. IT lacks time or 802.1X expertise. What do you do?
ClearPass OnConnect for Easy Wired NAC Enforcement. Diagram labels: No 802.1X, Aruba ClearPass, SNMP Enforcement, Printer VLAN, Infusion Pump VLAN. Existing 802.1X wired/wireless support. Built-in device-centric security for all non-AAA-ready customers. Easy to configure on legacy multivendor switches. Leverages ClearPass profiling for wired/wireless - IoT, laptops, mobile phones.
Ingress Engine: Third-party Threat Protection
1. User connects and uploads
2. NGFW/IPS sends threat event to ClearPass
3. ClearPass isolates client
Diagram labels: Firewall / IPS **, LAN/WLAN
Adaptive Trust Defense based on real-time threat detection
Offers enhanced user experience as ClearPass can initiate user notifications, help-desk tickets, and update third-party security solutions
** Device in step 2 can be MDM/EMM, SIEM, etc.
Enhanced Profiling and Policy Solving IoT Issues OLD WAY: Wait for new Fingerprints to be made and/or manually override devices 1:1 NEW WAY: Create your own Fingerprints!
Automated Network and Security Controls
1. Wired/Wireless Device Auth
2. Devices Profiled
3. User/Device Context Shared
4. Network and Log-based Machine Learning
5. Actionable Alerts Initiated
6. ClearPass Performs Real-time Policy-based Actions: real-time quarantine, re-authentication, bandwidth control, blacklist, role-change
Diagram labels: ClearPass Policy Manager; Niara UEBA ANALYZER; ENTITY360; Packets, Flows, Logs; ANALYTICS, DATA FUSION, FORENSICS, BIG DATA; Entity360 Profile with Risk Scoring; Alerts
www.arubanetworks.com/clearpass www.niara.com
Innovation at the speed of the ecosystem, not a single vendor IT services Business apps Network controls Network management Policy management Cloud networking Network analytics Location services Aruba Mobile First Platform Infrastructure Wi-Fi & BLE Wired WAN
Easy to consume, developer ready infrastructure Innovation at the speed of the ecosystem not a single vendor Network controls Network management Policy management IT services Aruba infrastructure: Wi-Fi, BLE, Wired, WAN Cloud networking Location analytics Micro-location services Aruba Mobile First Platform Business & user facing apps
Aruba Mobile First Platform Components
ArubaOS 8.0 (AOS8): New REST APIs and custom app signatures
Aruba ClearPass: New unified API library, extensions repository and OnConnect for secure IoT
Aruba AirWave: Northbound XML APIs to consume monitoring and reporting data
Aruba Central: New REST APIs, wired/WAN support and network analytics
Aruba Meridian: Mobile app SDK for indoor location services, incl. the new location sharing and the new Meridian Goals
Aruba Analytics & Location Engine (ALE, NIARA): Northbound REST APIs to consume user, device, app, location context
Global Wins ACS Replacement for Policy Mgmt, NAC, & BYOD Leveraged ArcSight Installation to drive AAA replacement ACS replacement for Policy Mgmt & Guest Worldwide Guest and Device Auth in Cisco / Juniper network Worldwide ACS Replacement for RADIUS and TACACS+ Increased security & simplified BYOD onboarding
Thank you tomas.muliuolis@hpe.com
Why compute at the edge? Time-Value of IoT Data The Edge Stage 1 Stage 2 Stage 3 Stage 4 Things Generate Data and Need Control Sensors/Actuators (Wired, Wireless) Data Aggregators Embedded Controllers IoT Gateways Edge Compute (Streaming and real time analytics) Operations Centers Data Centers / Cloud (At-rest Analytics, Management) Hard real-time If-then logic, event handling Near real-time Signal / video processing Streaming analytics Offline, batch processing Modeling Federated data analytics Increasing Data Scope Deep Edge Compute solves 7 major challenges Latency, Bandwidth, Cost, Security, Compliance, Duplication, and Integrity
Computing at the Edge: HPE is shifting left for radical results. Introducing a New Product Category: Converged IoT Systems
Goal: Processing streaming data as close to the sensor as possible creates new opportunities
Advantage: Processing data streams in real time, before the data is stored for additional analysis, creates advantages
Result: Fast action prior to data storage prevents data obsolescence and lost opportunities/alerts
Diagram labels: Data flow; Control flow; Things generate data and need control; Operations technology; The Edge; Edge IT, Datacenter and cloud
Stages (Stage 1, Stage 2-3, Stage 4): Data is sensed, Things controlled; Data acquired and aggregated; Early analytics and compute; Deep analytics and compute
New product category: Converged IoT Systems. Integrate data acquisition, real-time analytics and control. Proven deep x86 compute; Enterprise-class systems/device management; Datacenter-class analytics; Converged with embedded data capture/control
Shift Left from the data center to the edge
Copyright 2016 Hewlett-Packard Enterprise Corporation. The information contained herein is subject to change without notice.
Why shift left and compute at the edge? The 7 benefits of computing at the Edge
1. Latency: Latency in data transfer reduces time-to-insight from the data, which slows time-to-action for business and responses from the data.
2. Bandwidth: Using available but limited NW bandwidth then prevents other business-critical uses of said NW bandwidth.
3. Cost: Sending data incurs IT costs; processing data at the Edge reduces NW-related costs.
Why shift left and compute at the edge? The 7 benefits of computing at the Edge
4. Threats: Transferring data by definition exposes data to security threats.
5. Duplication: Complexity and cost of storage and other assets must be duplicated to accommodate the data if sent to a data center/cloud.
6. Corruption: Data transmission, especially large amounts across large distances, can incur drops and delays associated with correction/recovery.
7. Compliance: Region and country compliance issues can complicate data transfer across borders and long distances.
Aruba IoT Location Solutions
ClearPass Exchange is Growing ClearPass Exchange arubanetworks.com Over 120 different partners