Product Update: Aruba 360 Secure Fabric ClearPass 6.7 New License Model & IntroSpect
Reinhard Lichte, Consulting Systems Engineer
ClearPass 6.7 @ArubaNetworks
What's New in ClearPass 6.7?
- New license methodology for AAA, Guest and Onboard
- Endpoint profiling improvements
- Client support improvements for OnGuard
- Insight custom reporting and alerting options
- ClearPass Extensions and API enhancements
- Enhanced support for IPv6
- Improved internalization support for Guest workflows
ClearPass 6.7 Licensing @ArubaNetworks
Challenges With Existing Licensing
- Difficult to count or explain license usage
- Customers feel we over license them (e.g. HW/VM + AAA) and lack granularity (500, 5K, 25K)
- Some competitors include Guest features in the base product
- Competitors position Onboard on a per-user basis versus per-device
What is Changing?
- Decouple AAA licensing from Hardware and Virtual Machine Appliances
- Creation of a new license type (Access) which includes 802.1X, MAC Auth, TACACS, Guest, OnConnect, Security Exchange and Endpoint Profiling
- Move to concurrent authenticated/authorized endpoint counting methodology for Access license with blocks as small as 100
- Shift Onboard licensing from per device to per user counting
What is Going Away?
- Replacement of the Subscription ID for access to software downloads
  - HPE Passport credentials will be used instead for authorization to ClearPass web services platform
  - Will reduce customer issues due to mismatch of Subscription ID expiration date with support contract
- Elimination of 25K, 50K, 100K license bands
  - Software still supports high volume license SKUs but are infrequently purchased so they are removed from the generally available pricelist to reduce SKU count.
- Elimination of High Capacity Guest Mode
  - With the move to concurrent authenticated/authorized Access counting and the bundling of Guest into the Access license, this mode is no longer needed.
- Elimination of the Enterprise licensing offering
  - With the bundling of Guest into the Access license, the Enterprise offering had limited value going forward to just cover Onboard and OnGuard. Migration will be available for existing customers.
- Elimination of 5 Year Subscription offering for OnGuard
  - Aligns our offering with the 3rd party we license technology from for use in OnGuard.
ClearPass 6.7 Licensing
- Subscription or Perpetual: OnGuard (Endpoint Health/Posture), Onboard (BYOD/CA)
  - Sold as 100, 500, 1K, 2500, 5K, 10K
  - Perpetual and 1/3/5* year Subscription based offerings
- Subscription or Perpetual: Access (802.1X, MAC-Auth, Guest, TACACS+, OnConnect, Endpoint Profiling & Security Exchange)
  - Sold as 100, 500, 1K, 2500, 5K, 10K
  - Perpetual and 1/3/5 year Subscription based offerings
- Perpetual: VM Appliance / Hardware Appliances
  - Sold as Small, Medium, Large Sizes (HW)
  - Perpetual VM license
* OnGuard will no longer be offered as a 5 year subscription
What is Concurrency?

| Method | Session Begins | Session Ends |
|---|---|---|
| 802.1X | RADIUS Accounting START | RADIUS Accounting STOP |
| MAC-Auth | RADIUS Accounting START | RADIUS Accounting STOP |
| Guest (anonymous, self-reg, social, etc) | RADIUS Accounting START | RADIUS Accounting STOP |
| VPN | RADIUS Accounting START | RADIUS Accounting STOP |
| TACACS | TACACS Accounting START | TACACS Accounting STOP |
| OnConnect | MAC Learned (mac-notify or switch link-up) | MAC Removed/Aged (mac-notify or switch link-down) |

Under the concurrency model, a user/device authenticating/authorizing on the network consumes an Access license during an active session. If the session end cannot be identified (e.g. no accounting), the license will be removed from the pool for a period of 24 hours from the time it was consumed.
NOTE: Interim-accounting (more chatty) is NOT required to determine start/stop
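The counting rule on this slide, worked through on a small event stream as an added example (not Aruba's code and not how ClearPass implements it internally). The event tuples, MAC addresses and timestamps are constructed, and treating a repeated START without a STOP as the same endpoint's license continuing is an assumption of this sketch.

```python
from datetime import datetime, timedelta

HOLD = timedelta(hours=24)  # slide: license is held 24 h when no session end is seen

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample accounting events: (time, endpoint MAC, event type).
# Endpoints ...03 and ...04 never send a STOP (e.g. accounting disabled on the NAS).
EVENTS = [
    (ts("2018-03-01 08:00"), "02:00:00:00:00:01", "START"),
    (ts("2018-03-01 08:05"), "02:00:00:00:00:02", "START"),
    (ts("2018-03-01 08:10"), "02:00:00:00:00:03", "START"),
    (ts("2018-03-01 09:00"), "02:00:00:00:00:01", "STOP"),
    (ts("2018-03-01 09:30"), "02:00:00:00:00:04", "START"),
    (ts("2018-03-01 10:00"), "02:00:00:00:00:02", "STOP"),
    (ts("2018-03-02 08:30"), "02:00:00:00:00:05", "START"),
    (ts("2018-03-02 08:45"), "02:00:00:00:00:05", "STOP"),
]

def license_intervals(events, hold=HOLD):
    """Turn START/STOP events into (begin, end) spans during which one license is held."""
    open_at, spans = {}, []
    for when, endpoint, kind in sorted(events):
        if endpoint in open_at:
            begin = open_at.pop(endpoint)
            # STOP ends the session; a repeated START means the earlier end was never seen
            # (assumption: the earlier span is then capped by the hold period).
            spans.append((begin, when if kind == "STOP" else min(when, begin + hold)))
        if kind == "START":
            open_at[endpoint] = when
    # Sessions with no identifiable end hold the license for `hold` from consumption.
    spans.extend((begin, begin + hold) for begin in open_at.values())
    return spans

def in_use(spans, at):
    """Licenses consumed at instant `at` (span end is exclusive)."""
    return sum(1 for begin, end in spans if begin <= at < end)

def peak(spans):
    """Highest concurrent license count and the first time it is reached."""
    best, best_at, current = 0, None, 0
    # Tuples sort releases (-1) before consumptions (+1) at the same instant.
    for when, delta in sorted([(b, 1) for b, _ in spans] + [(e, -1) for _, e in spans]):
        current += delta
        if current > best:
            best, best_at = current, when
    return best, best_at
```

Comparing `in_use` shortly after the last STOP with the value 24 hours later shows how many licenses are being held only because a network device sends no accounting.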
Appliance Transition
Existing Appliances (Short Descriptions)
- Aruba ClearPass 500 HW v2 Appliance
- Aruba ClearPass 5K DL20 HW Appliance
- Aruba ClearPass 25K DL360 HW Appliance
- Aruba ClearPass 500 Virtual App E-LTU
- Aruba ClearPass 5K Virtual App E-LTU
- Aruba ClearPass 25K Virtual App E-LTU
Replacement Appliance (Short Descriptions)
- Aruba ClearPass C1000 S-1200 R4 HW Appl
- Aruba ClearPass C2000 DL20 Gen9 HW Appl
- Aruba ClearPass C3000 DL360 Gen9 HW Appl
- Aruba ClearPass Cx000V VM Appl E-LTU
Performance numbers (Concurrency & Burst) will be available in a NEW Scaling & Ordering Guide. An ASE based sizing tool is under investigation to assist with ordering. Previous generation hardware will also map to the Cx000 numbering scheme upon upgrade.
Sample BoM #1 - University (EXAMPLES)
Requirements
- Redundancy required
- 30,000 concurrent/active/connected devices (max at any given point in time)
  - 100 are guests
- 8,000 total users (all of which will Onboard their devices, ~3 EAP-TLS devices)
- Dedicated reporting node due to size
6.7 Licenses
- 3 Cx000V (2 VMs used for AAA, 1 VM used for Insight)*
- 30,000 Access licenses
- 8,000 Onboard license
6.6 Licenses
- 3 CP-VA-25K (2 VMs used for AAA, 1 VM used for Insight)*
  - Includes 75,000 Policy Manager licenses
- 100 Guest licenses
- 24,000 Onboard license
* These are NOT hard coded functions like in Cisco ISE (personas). Any node can perform any function.
Sample BoM #2 - Corporate (EXAMPLES)
Requirements
- Redundancy required (2 VMs)
- 10,000 concurrent/active/connected devices (max at any given point in time)
  - 100 are guests
- 2,000 users will Onboard (~2 devices each)
- 100 active contractors who require posture assessment on their laptops
- Inbound events from other solutions
6.7 Licenses
- 3 Cx000V (2 VMs used for AAA, 1 VM used for IEE)*
- 10,000 Access licenses
- 2,000 Onboard licenses
- 100 OnGuard licenses
6.6 Licenses
- 3 CP-VA-5K (2 VMs used for AAA, 1 VM used for IEE)*
  - Includes 15,000 Policy Manager licenses
- 100 Guest licenses
- 4,000 Onboard license
- 100 OnGuard licenses
* These are NOT hard coded functions like in Cisco ISE (personas). Any node can perform any function.
Sample BoM #3 LPV: Airport (EXAMPLES)
Requirements
- Redundancy required (2 HW)
- 30,000 concurrent/active/connected guest devices (max at any given point in time)
- 100,000 unique guest devices per day
- High Capacity Guest Mode (HCG)
6.7 Licenses
- 2 C3000
- 30,000 access licenses
6.6 Licenses
- 2 CP-HW-25K
  - Calculated as 100K Policy Manager license (HCG)
- 100,000 guest licenses
Conversion
HOW IT WORKS
- During the upgrade, ClearPass will take the original Policy Manager license (500, 5K, 25K) and use it as a pre-activated Platform Activation Key (PAK)
- ClearPass will also pre-install 6 month license keys for Access, Onboard and OnGuard
- MNP will be the first method to convert licenses
- Due to the complexity of Enterprise and Subscription-based licenses, the Support Welcome Center (TAC) will need to assist in converting them
IN SUMMARY
With the six month licensing buffer, customers do not need to worry about converting their licenses the day of upgrade. There is plenty of time to convert them without alarm.
Conversion Plan (cont.)
HOW IT WORKS
- Existing customers will get a 1:1 license exchange
  - Legacy ClearPass 25K (e.g. CP-VA-25K) = 25,000 Access Licenses
    - Also includes one set of 25 licenses for each feature (Access, Onboard, OnGuard)
  - Legacy ClearPass Guest 500 = 500 Access Licenses
  - Legacy ClearPass Onboard 10K = 10K Onboard Licenses (new key)
  - Legacy ClearPass OnGuard 5K = 5K OnGuard Licenses (new key)
  - Legacy ClearPass Enterprise 100 = New X Access / Y Onboard / Z OnGuard Licenses in multiples of 25
    - For example, 25 Access + 50 Onboard + 25 OnGuard = 100
- Enterprise license conversion is a one-time, one-way process per license key
- Existing customers will continue to pay support on the original product purchased.
TechNote
TechNotes @ support.arubanetworks.com
ClearPass 6.7 License Conversion TechNote

SCALING & ORDERING GUIDE
ClearPass Policy Manager

INTRODUCTION
ClearPass 6.7 introduces a new licensing methodology that aims to simplify ordering, offer customers an easier to understand model and ultimately provide more value and flexibility. This new methodology includes the following high-level changes:
- Ability to order appliances (hardware or virtual) independent of capacity licenses.
- Bundling of guest licensing into a new license type called Access. The Access license includes 802.1X, MAC Authentication, TACACS+, Guest, OnConnect, Security Exchange (previously ClearPass Exchange) and Endpoint Profiling functionality.
- Access licenses are consumed based upon concurrent authenticated/authorized endpoints.
- Onboard licenses are now consumed based upon the number of users and not per device.

APPLIANCE & APPLICATION LICENSE SKUS
Appliances
ClearPass appliances (hardware or virtual) are available for purchase using the following SKUs. Hardware specifications and scaling details are provided later in this document.

Hardware Appliances (1)

| Part Number | Description |
|---|---|
| JZ508A | Aruba ClearPass C1000 S-1200 R4 HW-Based Appliance |
| JZ509A | Aruba ClearPass C2000 DL20 Gen9 HW-Based Appliance |
| JZ510A | Aruba ClearPass C3000 DL360 Gen9 HW-Based Appliance |

(1) One year parts warranty and can be extended with a support contract.

Virtual Appliances (2)

| Part Number | Description |
|---|---|
| JZ399AAE | Aruba ClearPass Cx000V VM-Based Appliance E-LTU |

(2) This single SKU is used to order a Virtual Appliance irrespective of model type, e.g. C1000V

ClearPass Application Licenses
ClearPass application licenses are available in three types, Access, Onboard and OnGuard. They are available as perpetual and subscription-based licenses.

ACCESS LICENSES
The Access license is used to enable 802.1X, MAC Authentication, TACACS+, Guest, OnConnect, Security Exchange (previously ClearPass Exchange) and Endpoint Profiling. Access license consumption is based upon a concurrent session per-endpoint model. Security Exchange and Endpoint Profiling are enabled when any Access license is installed but not restricted to any

ClearPass 6.7 License Conversion - TechNote: https://support.arubanetworks.com/documentation/tabid/77/dmxmodule/512/entryid/28178/default.aspx
Introspect User and Entity Behavior Analytics @ArubaNetworks
Aruba Security Portfolio
Continuous Security Monitoring Niara Per user/device/IoT Security Analytics for advanced threat detection ClearPass OnGuard Ecosystem Integration API Access Control Identity Wired/Wireless Infrastructure Per user/device/IoT App aware firewall SDN Per user tunnel mode Via VPN ClearPass Policy Manager 802.1X / OnConnect Onboard BYOD CA Profiler Trusted Infrastructure Wired/Wireless Infrastructure Encryption Trusted Boot process Embedded TPM FIPS 140-2 & Common Criteria
THE SECURITY GAP
146 days median time from compromise to discovery
[Chart: SECURITY SPEND on PREVENTION & DETECTION (US $B) against DATA BREACHES (# BREACHES, % DISCOVERED INTERNALLY)]
SOURCES: Mandiant M-Trends 2016, Verizon Data Breach Investigations 2016, IDC 2016
THE PROBLEM
- PREVENTION & DETECTION: NOT ENOUGH, INCREASINGLY POROUS
- MONITORING SYSTEMS FALLING SHORT: CANNOT DETECT UNKNOWN THREATS AND UNABLE TO SCALE
Attacks involving legitimate credentials
- COMPROMISED: 40 million credit cards were stolen from Target's servers (STOLEN CREDENTIALS)
- MALICIOUS: Edward Snowden stole more than 1.7 million classified documents (INTENDED TO LEAK INFORMATION)
- NEGLIGENT: Employees uploading sensitive information to personal Dropbox for easy access (DATA LEAKAGE)
TECHNOLOGY
- MACHINE LEARNING: CAN DETECT UNKNOWN THREATS
- BIG DATA: CAN SCALE
SOLUTION - AT A GLANCE
IDENTITY INFRASTRUCTURE Consoles / Workflows SaaS IaaS CASB SIEM ANALYZER ENTITY360 ANALYTICS FORENSICS PACKET BROKER NETWORK TRAFFIC PACKETS FLOWS ALERTS DATA FUSION BIG DATA THREAT INTELLIGENCE
Basics of Behavioral Analytics
- MACHINE LEARNING: UNSUPERVISED + SUPERVISED
- BASELINES: HISTORICAL + PEER GROUP
Behavior: Many different dimensions (Behavioral Analytics)
- Authentication: AD logins
- Internal Resource Access: Finance servers
- Remote Access: VPN logins
- External Activity: C&C, personal email
- SaaS Activity: Office 365, Box
- Cloud IaaS: AWS, Azure
- Exfiltration: DLP, Email
- Physical Access: badge logs
The Platform: Behavioral Analytics
Customer Examples: Ransomware
Indicators / UEBA
- C&C Communication: DGA Detection e.g. iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.], xxlvbrloxvriy2c5[.]onion, sqjolphimrr7jqw6[.]onion, 76jdd2ir2embyv47[.]onion
- SMB based bot scanning: Behavioral Analytics on baseline behavior of systems and detecting anomalous communication patterns
Stateful Risk Score for Compromised System
Customer Examples: Data Exfiltration
Indicators / UEBA
- Access to internal sensitive information: Abnormal access to internal data
- Moving sensitive data offshore: Abnormal USB writes, Abnormal Uploads to Box, Dropbox
High Risk Score for user Michele
Customer Examples: Abnormal Privileged Insider Activity
Indicators / UEBA
- Privilege Escalation: Escalation of privileges for user not entitled to admin role
- Abnormal Data access: Excessive Service Ticket requests, Abnormal data access patterns
High Risk Score for user Bob
Typical Solution Deployment
[Diagram: ANALYZER fed by AD logs (native or SIEM), DNS, DHCP, VPN, firewall and web proxy logs, and by packet metadata from PACKET PROCESSORs tapping packets at the server farm, campus and data center]
Minimum set of recommended data sources
- AD, DNS, DHCP, VPN logs: native or from SIEM
- Network Activity ingress / egress: packets or firewall or web proxy logs
- Network Activity high-value targets (file shares, collaboration servers, etc.): packets or firewall logs
- [Optional] NetFlow, Threat feeds, Email logs, FireEye alerts
Licensing
- LICENSED BY MONITORED: USERS, SERVERS/IOT
- OPTIONS: 1 YEAR SUBSCRIPTION, 3 YEAR SUBSCRIPTION
- FORM FACTORS: SOFTWARE ONLY, APPLIANCE
Solution - Analyzer Deployment Options
- 2RU Appliance
- Customer Hadoop Cluster
- 1RU Scale Out
- Public/Hybrid Cloud (AWS / Azure)
ClearPass + IntroSpect = 360° Protection
Wired/Wireless Device Authentication 1. Detect and Authorize ClearPass Policy Manager User/Device Context Actionable Alerts IntroSpect UEBA Entity360 Profile with Risk Scoring 2. Monitor and Alert 3. Decide and Act ClearPass Real-time Policy-based Actions Real-time quarantine, Re-authentication Bandwidth Control Blacklist
Notable Customer Wins
F50 Financial CHALLENGE Monitoring privileged user activity Improve SOC efficiency INTROSPECT SOLUTION Behavioral analytics on AD, email, VPN, network FireEye alert context for investigations Legal Concerned about IP theft Lacking user-level visibility and profiling Behavioral analytics User-level visibility High Tech Security analytics initiative to supplement existing SIEM and detection systems User Behavior Analytics Splunk integration F50 Insurance F50 High Tech Alert white noise and overwhelmed SOC Splunk not delivering value High Value asset protection DLP and DNS Analytics SOC efficiency through machine intelligence Behavioral analytics for insider activity to high value assets User activity association with key assets
Differentiation
- Comprehensive visibility
  - Packets, flows, logs
  - No blind spots
- Most extensive attack analytics
  - 100+ supervised and unsupervised machine learning models
  - Adaptive learning
  - Extensible models (new use cases, data sources)
- Accelerated Investigations and Response
  - Business context in risk score
  - Integrated forensics
  - Seamless ClearPass integration
- Deployment ease
  - Flexible: on-premise or cloud
  - Ingest data natively or from SIEM, log management, packet broker solutions
- Quick Start, Enterprise Scale
  - Standard Edition tuned for Aruba networks
  - Tens of data sources, hundreds of behavioral models across tens of thousands of users
IntroSpect Summary
- Diverse Data Sources FOR Analytics + Forensics
- SUPPORTING Attack Detection + Incident Investigation
- ALL IN A Self-Contained Solution + Open Platform
- AVAILABLE Streamlined for Aruba Networks + Scaled for Enterprise UEBA
Thank You