Dimensioning enterprise cloud platforms for Bring Your Own Devices (BYOD)
BYOD Device Emulation and Policy Analysis

Contents

1 Enterprise Policy Management for BYOD
1.1 BYOD means scaling resources
1.2 Securing virtual network and infrastructure for BYOD
2 Implementing a correctly dimensioned cloud platform for BYOD
2.1 BYOD device and per flow management
2.2 TeraVM precision dimensioning of cloud platforms for BYOD
2.3 TeraVM stateful application flows
2.4 Assessing guest privilege and policies
3 TeraVM enabling effective and efficient BYOD deployments
3.1 TeraVM overview
3.2 TeraVM facilitating enterprise to deliver cost effective and robust cloud managed platforms for BYOD

2015 Cobham

1 Enterprise Policy Management for BYOD

Enterprises are making use of the fact that their employees own personal computing devices that are far more advanced than those their IT departments would allocate. A number of advantages come with allowing the employee to use their own smartphone or tablet in the workplace, known as Bring Your Own Device (BYOD). The first real advantage is increased productivity. The second is cost: the maintenance and technical support of the device are largely borne by the employee rather than the enterprise. On the other side of the coin, BYOD brings a new set of security challenges. Enterprises must maintain a high level of protection around sensitive corporate data while enabling network access for the BYOD. Additional consideration must be given to the extra network load from the number of guest devices attaching to the network, which varies from day to day.

1.1 BYOD means scaling resources

A fundamental challenge in implementing BYOD is the need to scale the existing infrastructure and its security. With the rapid expansion of virtualization techniques and of network function virtualization, the challenge of scale can be met through cloud managed platforms. Using software defined networking (SDN) and network function virtualization (NFV), enterprises can deliver secure network infrastructure at minimal cost. Enterprises now have the flexibility to offload BYOD traffic to virtual network segments, managing guest devices according to the device type and the applications running on the device. The agility of virtualization and NFV/SDN allows enterprises to adapt quickly to the varying load seen from day to day.

1.2 Securing virtual network and infrastructure for BYOD

For the enterprise the challenge is to maintain a high level of security whilst enabling access. A tight security policy dictates that each BYOD is correctly identified and mapped to a resource accordingly. Security policies are implemented using information from each layer of the BYOD's protocol stack: policing no longer relies solely on Layer 2 and Layer 3 information but also on what is carried in the application, Layer 7. Policy settings use stateful, per-flow analysis of each BYOD attempting to access the network. For example, HTTP request headers carry information that allows the device type, operating system version and software on the device to be identified. The tables below show the level of detail that can be collected from the HTTP headers; on quick inspection it is possible to distinguish the device types. This simple procedure is used to assess the threat level associated with the device, and network administrators can then steer traffic originating on the device to the network segment the policy deems suitable. This stateful approach enables enterprises to manage access and network privileges per BYOD device: by device type, OS version or even browser version.

Note that every one of these headers is supplied by the client and can be set to any value by the device owner or by software running on the device. Header-based classification is therefore a fingerprinting hint that refines a policy decision, not an authentication credential, which is why section 2.4 exercises the policy engine with varied and malformed headers.

Example BYOD HTTP header information

Android
  User-Agent       Mozilla/5.0 (Linux; U; Android 2.2; en-us; ADR6300 Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
  Accept           text/html, application/xhtml+xml, */*
  Accept-Language  en-us
  Accept-Charset   utf-8, iso-8859-1, utf-16, *;q=0.7
  Connection       keep-alive
  Host             devimages.apple.com
  Accept-Encoding  gzip, deflate

iPad (iOS 5.0)
  User-Agent       AppleCoreMedia/1.0.0.9A334 (iPad; U; CPU OS 5_0 like Mac OS X; en_us)
  Accept           text/html, application/xhtml+xml, */*
  Accept-Language  en-us
  Accept-Charset   utf-8, iso-8859-1, utf-16, *;q=0.7
  Connection       keep-alive
  Host             devimages.apple.com
  Accept-Encoding  identity

iPhone
  User-Agent       Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1C25 Safari/419.3
  Accept           text/html, application/xhtml+xml, */*
  Accept-Language  en-us
  Accept-Charset   utf-8, iso-8859-1, utf-16, *;q=0.7
  Connection       keep-alive
  Host             devimages.apple.com
  Accept-Encoding  gzip, deflate

2 Implementing a correctly dimensioned cloud platform for BYOD

2.1 BYOD device and per flow management

Once the underlying virtual infrastructure and the relevant network security policies are in place, the next challenge is to dimension the virtual infrastructure: to confirm its functionality and its ability to scale, ensuring a robust and reliable deployment of the cloud managed platform. Part of correctly dimensioning a cloud managed platform for BYOD is ensuring that the security settings and policy updates that occur on a regular basis do not impact services. These regular updates require regular appraisal so that there is no lapse in security. The need for regular, repeatable dimensioning highlights the need for an emulation and performance measurement solution. Furthermore, the underlying principles of BYOD call for the ability to assess security on a per device, per application flow basis, where each flow represents a unique device attempting a network connection. As the security policies are focused on the higher layers of the protocol stack, stateful application flow emulation is required.

2.2 TeraVM precision dimensioning of cloud platforms for BYOD

TeraVM validates services running on either physical or virtual platforms and is itself deployable as a virtual network function on a cloud managed platform. TeraVM emulates device types and applications, and analyses the performance of each emulated flow individually, with dedicated performance metrics for data, voice and video. TeraVM's per-flow architecture with real-time analysis provides the granularity needed to determine whether services are reliable in a cloud managed architecture and, more importantly, can be used throughout the lifecycle of the platform to confirm that security policy updates and platform upgrades remain robust and reliable. A further benefit of a stateful emulation tool such as TeraVM is the ability to repeat functional verification of security policies reliably with a consistent set of BYOD use cases. A key benefit for enterprise users is the considerable time saved by automating repeatable dimensioning assessments of the BYOD cloud network, with minimal configuration and management of physical devices connecting to the cloud. TeraVM also enables performance analysis of many protocols running over secure VPNs or unsecured connections, using IPv4 and/or IPv6 address assignments. A further advantage is the ability to grow the dimensioning network function in a pay-as-you-grow manner, delivering the scale of stateful application flows required to assess the elasticity, or the limits, of the configured virtual network architecture. TeraVM is supported on all major hypervisors (ESXi, Hyper-V, KVM and Xen), can be deployed to cloud services such as Amazon, and can be launched in OpenStack, enabling further cost savings for the enterprise.

2.3 TeraVM stateful application flows

TeraVM emulates, as closely as possible, the actual BYOD attempting to connect to the enterprise's private network or public cloud infrastructure, using real stateful application flows. TeraVM lets users emulate the Layer 2 and Layer 3 properties of the BYOD. In addition, TeraVM offers a basic authentication mechanism in which the emulated BYOD authenticates to a peer using EAP-MD5 with simple username/password credentials. The advantage of emulation is the ability to scale quickly to thousands of BYODs, each with unique characteristics. An example onboarding scheme for a guest BYOD could depend on the device's media access control (MAC) address: if the MAC address is 00:33:33:33:AA:AA and the user of the guest BYOD presents the correct authentication details (username and password), then the guest BYOD may be granted access to a dedicated network segment. For example, a visitor on the enterprise network may be granted the privilege to use a limited network container that allows the guest access to the World Wide Web only.
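The onboarding scheme just described, worked through as an added example that is not TeraVM code or part of the original note: both sides of the exchange are emulated, an authenticator acting as the enterprise policy point and a supplicant acting as the guest BYOD. The guest directory, the segment names and the credentials are constructed for the example; the MAC value is the one quoted above. EAP-MD5 is used because it is the mechanism the note names; it authenticates only the client, derives no keys, and an observer who captures the challenge and response can attack the password offline, so it is a test baseline rather than a recommended production method.

```python
"""Guest BYOD onboarding: MAC check plus EAP-MD5 challenge/response.

Added example for the onboarding scheme in section 2.3; not TeraVM code.
Both sides are emulated: an Authenticator (the enterprise policy point)
and a supplicant (the emulated guest BYOD). The guest directory, segment
names and credentials are constructed for the example.
"""
import hashlib
import hmac
import os

# EAP-MD5 (RFC 3748 section 5.4) reuses the CHAP algorithm (RFC 1994):
#   Response-Value = MD5(Identifier || password || Challenge)
def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def normalise_mac(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")

# Constructed guest directory (assumption): MAC -> (username, password).
GUEST_DIRECTORY = {
    "00:33:33:33:aa:aa": ("guest1", b"correct-horse"),
}
GUEST_SEGMENT = "guest-web-only"   # limited container: web access only
DENY = "deny"

class Authenticator:
    """Issues EAP-MD5 challenges and decides which segment a device gets."""

    def __init__(self, rng=os.urandom):
        self._rng = rng
        self._pending = {}   # (mac, identifier) -> outstanding challenge

    def challenge(self, mac: str, identifier: int) -> bytes:
        """EAP-Request/MD5-Challenge: a fresh random challenge per attempt."""
        ch = self._rng(16)
        self._pending[(normalise_mac(mac), identifier)] = ch
        return ch

    def decide(self, mac: str, identifier: int, username: str, response: bytes) -> str:
        """Check the EAP-Response/MD5-Challenge and return the segment granted."""
        mac = normalise_mac(mac)
        # pop: a challenge is single-use, so a replayed response cannot succeed
        ch = self._pending.pop((mac, identifier), None)
        entry = GUEST_DIRECTORY.get(mac)
        if ch is None or entry is None:
            return DENY
        expected_user, password = entry
        if username != expected_user:
            return DENY
        expected = eap_md5_response(identifier, password, ch)
        # constant-time compare so the check does not leak digest bytes via timing
        if not hmac.compare_digest(expected, response):
            return DENY
        return GUEST_SEGMENT

def supplicant_answer(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """The emulated BYOD's side: answer the challenge with its password."""
    return eap_md5_response(identifier, password, challenge)

def onboard(mac: str, username: str, password: bytes, identifier: int = 1,
            authenticator=None) -> str:
    """Run one complete onboarding exchange and return the segment granted."""
    auth = authenticator or Authenticator()
    ch = auth.challenge(mac, identifier)                 # Request/MD5-Challenge
    resp = supplicant_answer(identifier, password, ch)   # Response/MD5-Challenge
    return auth.decide(mac, identifier, username, resp)  # Success -> segment

if __name__ == "__main__":
    print(onboard("00:33:33:33:AA:AA", "guest1", b"correct-horse"))  # guest-web-only
    print(onboard("00:33:33:33:AA:AA", "guest1", b"wrong"))          # deny
    print(onboard("00:33:33:33:AA:BB", "guest1", b"correct-horse"))  # deny
```

The decision combines both signals: a known MAC with the wrong password, or the right password from an unknown MAC, is denied, and because each challenge is consumed on use a captured response cannot be replayed against the same authenticator.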

Figure 1: TeraVM emulating BYOD devices and applications

2.4 Assessing guest privilege and policies

As network administrators grow the cloud platform for BYOD access, it becomes even more important to assess the capability (and the exposure) of the complete BYOD policy management implementation. For example, in Figure 1 above, once the guest has access to the inside or the public container, the BYOD characteristics are assessed again, e.g. when logging on to a virtual VPN gateway's web page using employee credentials. The VPN gateway may include HTTP transaction header assessment, enabling automated policy decisions based on the device and application details. In essence a device threat level is established, dependent on the device type, OS type and browser version. Where the BYOD is validated as authorized, the BYOD instance is allocated a dedicated IP address using DHCP, which enables the network administrator to apply network segmentation.

The use of several protocols (EAP-MD5, DHCP and HTTP) in one onboarding sequence further highlights the need for stateful traffic emulation; for the enterprise this means less wasted resource and, more importantly, time efficiency when validating BYOD access policies. Validating the resiliency of the security policy engine requires network administrators to consider both the normal and the abnormal. What if a device has an unusual OS version, or the access login carries additional header parameters? TeraVM's per-flow substitution functionality makes it possible to generate requests with unique details, including malformed header data (fuzzing) or variations of legitimate data such as version numbers. Using the sample device data in section 1.2 above, a genuine validation technique is to vary the emulated BYOD characteristics on each connection attempt to the BYOD network, so that the HTTP header properties differ per connection. TeraVM is the only solution available today that provides this capability. The TeraVM substitution element iterates through a series of defined substitutions: for example OS-Ver-{NUM:1.0-5.0/i} iterates through a number series from 1 to 5, which could represent different browser versions running on the BYOD, i.e. version/1, version/2, version/3, and so on. Alternatively, TeraVM's string substitution element {STR:String_substitution} lets the user define a list of elements that includes normal, legal parameters and malformed parameters. This simple technique validates the BYOD policy manager's ability to detect when a device that was known as good and had authorized access has since gone rogue and should no longer have access.

Figure 2: Sample malformed BYOD header manipulation in TeraVM
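The two halves of this validation, header-based classification from section 1.2 and the substitution series described here, as one added example that is not TeraVM code and is not part of the original note. The {NUM:lo-hi/i} and {STR:a|b|c} grammar implemented below is an assumed reading of the syntax quoted above; the policy thresholds and segment names are constructed for the example. The User-Agent strings are those from the tables in section 1.2, and the iPhone rule also accepts the later "CPU iPhone OS x_y" form so the classifier covers more than the single sample.

```python
"""User-Agent policy classification plus substitution-driven header variation.

Added example for sections 1.2 and 2.4; not TeraVM code. classify_device()
extracts device, OS version and browser version from the User-Agent the
way a Layer 7 policy engine would; policy_decision() maps that to a
segment; expand() turns one header template into a series of concrete,
partly malformed, connection attempts. The token grammar, policy
thresholds and segment names are assumptions constructed for the example.
"""
import itertools
import re

# --- header classification --------------------------------------------------
# Ordered most-specific first; first match wins. The OS version is optional
# for iPhone because the note's sample (iPhone OS 1.x) carries none.
UA_RULES = [
    ("android", re.compile(r"Android (?P<os>[\d.]+)")),
    ("ipad",    re.compile(r"\(iPad;.*?CPU OS (?P<os>[\d_]+)")),
    ("iphone",  re.compile(r"\(iPhone;(?:.*?CPU(?: iPhone)? OS (?P<os>[\d_]+))?")),
]
BROWSER_RE = re.compile(r"Version/(?P<browser>[\d.]+)")

def classify_device(headers):
    """Return (device, os_version, browser_version); None if unrecognised."""
    ua = headers.get("User-Agent", "")
    if not ua.isprintable():            # control bytes: treat as malformed
        return None
    for device, rx in UA_RULES:
        m = rx.search(ua)
        if m:
            os_ver = m.group("os")
            browser = BROWSER_RE.search(ua)
            return (device,
                    os_ver.replace("_", ".") if os_ver else None,
                    browser.group("browser") if browser else None)
    return None

# Constructed policy: minimum OS version per device type; unknown or
# malformed devices are quarantined rather than silently allowed.
MIN_OS = {"android": (2, 2), "ipad": (5, 0), "iphone": (5, 0)}

def version_tuple(v):
    return tuple(int(x) for x in v.split(".") if x.isdigit())

def policy_decision(headers):
    info = classify_device(headers)
    if info is None:
        return "quarantine"
    device, os_ver, _browser = info
    if os_ver is None or version_tuple(os_ver) < MIN_OS[device]:
        return "quarantine"
    return f"segment-{device}"

# --- substitution (assumed grammar: {NUM:lo-hi/i} and {STR:a|b|c}) ----------
TOKEN_RE = re.compile(r"\{(NUM|STR):([^}]*)\}")

def _expand_token(kind, spec):
    if kind == "NUM":                   # {NUM:1.0-5.0/i} -> '1','2',...,'5'
        rng = spec.split("/", 1)[0]
        lo, hi = (int(float(x)) for x in rng.split("-"))
        return [str(n) for n in range(lo, hi + 1)]
    return spec.split("|")              # {STR:a|b|c} -> ['a','b','c']

def expand(template):
    """Yield every concrete string for a template; tokens vary as a product."""
    tokens = TOKEN_RE.findall(template)
    if not tokens:
        yield template
        return
    for combo in itertools.product(*(_expand_token(k, s) for k, s in tokens)):
        it = iter(combo)
        yield TOKEN_RE.sub(lambda _m: next(it), template)

def run_series(template, base_headers):
    """Classify each generated User-Agent variant: list of (ua, decision)."""
    return [(ua, policy_decision({**base_headers, "User-Agent": ua}))
            for ua in expand(template)]

# Sample Android headers from the note's table in section 1.2.
SAMPLE_ANDROID = {
    "User-Agent": ("Mozilla/5.0 (Linux; U; Android 2.2; en-us; ADR6300 Build/FRF91) "
                   "AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"),
    "Accept": "text/html, application/xhtml+xml, */*",
    "Host": "devimages.apple.com",
}
# Constructed template: legitimate OS sweep crossed with legal and malformed
# browser versions (NUL byte, absurd length, injection-looking string).
FUZZ_TEMPLATE = ("Mozilla/5.0 (Linux; U; Android {NUM:1.0-5.0/i}; en-us) AppleWebKit/533.1 "
                 "Version/{STR:4.0|4.0\x00|9999999999999999|<script>}")

if __name__ == "__main__":
    print(policy_decision(SAMPLE_ANDROID))                    # segment-android
    for ua, decision in run_series(FUZZ_TEMPLATE, SAMPLE_ANDROID):
        print(f"{decision:15} {ua!r}")
```

Running the series against the constructed policy shows the two failure modes the note is after: Android 1 and 2 fall below the minimum and are quarantined, Android 3 to 5 with a legal browser version are admitted, and any variant carrying a control byte is quarantined regardless of the OS it claims. A device that was admitted on one attempt and presents a malformed header on the next is therefore moved out of its segment, which is exactly the known-good-turned-rogue case described above.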

Once the basic security policy engine has been exercised, users of TeraVM can validate the robustness and resiliency of the cloud managed platform in serving thousands of devices, in order to verify the cloud's scalability. Further dimensioning requirements include validating the quality of experience for a BYOD connecting to real application servers or virtual services. Basic dimensioning covers latency and throughput. However, if the BYOD policies enable device quarantine, further validation is required of the server application that may be launched into the virtual quarantine container; the aim should be to confirm minimal disruption for the BYOD end user. Another example of disruption is contraction of the BYOD cloud managed security platform. Take a simple scenario: an HR manager is updating records after 6pm. As the number of guest BYODs declines, the cloud managed platform may be administered to contract the number of running virtual network functions or virtual machines to a base core number. As highlighted in Figure 3 below, the only noticeable impact on the hard working HR manager should be a lower quality of experience, in that the service took longer than normal to complete. From the point of view of enterprise network administration this demonstrates that there is no service outage, enabling further cost savings in the enterprise by reducing operational expenditure (OPEX).

Figure 3: Service disruption on the cloud managed platform

3 TeraVM enabling effective and efficient BYOD deployments

3.1 TeraVM overview

TeraVM is a virtualized IP service validation solution that can emulate and assess performance on millions of unique application flows. TeraVM provides comprehensive performance analysis of each and every application flow, with the ability to pinpoint and isolate problem flows easily. TeraVM is deployed on industry standard hardware (e.g. Cisco, Dell, HP, IBM) running any major hypervisor (e.g. VMware ESXi, Hyper-V, KVM) and can be used in cloud services such as Amazon and OpenStack.

3.2 TeraVM facilitating enterprise to deliver cost effective and robust cloud managed platforms for BYOD

BYOD is the future of how enterprises will conduct business: an era in which the employee brings their own computing equipment to work. Enterprises are capitalizing on this by allowing the employee to use the smart device in the workplace. By combining virtualization techniques, virtual network functions (VNF) and software defined networks (SDN), it has never been easier or more cost effective to deliver scaled infrastructure that meets the growing demand for BYOD in a secure manner. Using TeraVM, enterprises have the confidence to keep expanding and updating the network infrastructure required for BYOD, by continually validating and dimensioning the reliability and robustness of the cloud managed platform and the security mechanisms used for BYOD management. More importantly, enterprises continue to use TeraVM for ongoing assessment of security policy performance and threat resiliency throughout the lifecycle of the cloud managed platform. An important factor in dimensioning any cloud managed platform for BYOD is the ability to emulate and measure performance on each and every device on a per application basis. Per-flow measurement delivers the precision needed to ensure that each individual BYOD device and flow is managed correctly. TeraVM is the only solution available today that offers enterprises the ability to validate both security and the services running as part of the cloud managed platform. TeraVM helps enterprises achieve greater cost savings by ensuring they have the correct infrastructure and operational plans in place.

The most important thing we build is trust For further information please contact: Cobham Wireless Ireland: +353-1-236-7002 USA: +1 408-385-7630 TeraVM@aeroflex.com As we are always seeking to improve our products, the information in this document gives only a general indication of the product capacity, performance and suitability, none of which shall form part of any contract. We reserve the right to make design changes without notice. All trademarks are acknowledged. Cobham 2015.