
ClearPass: Managing Critical Edge and IoT Security

Mindaugas Ruginis, Systems Engineer

Agenda

• Network Access Control

• Profiling

• Onboard - BYOD

• OnGuard

• ClearPass Exchange


ClearPass

Access Policy Management on any network


Why ClearPass?


ClearPass products

ClearPass Policy Manager: monitoring and profiling; RADIUS/TACACS/802.1X/MAC-auth

ClearPass Guest: advanced guest management

ClearPass Onboard: BYOD certificate self-provisioning

ClearPass OnGuard: endpoint posture

• Appliance

• 500/5K/25K devices

• Hardware or VM

• AD Integration

• ClearPass Exchange

• Profiling

• MDM Integration

• ...

Multi-vendor Policy Enforcement

ClearPass Policy Manager: policy enforcement optimized for Aruba, but works with any network.

Technology Overview: AAA, RADIUS, Security

The AAA Model

– Authentication
  – Who are you?
  – What is your identity?

– Authorization
  – What are you allowed to do? What are your permissions?
  – What context can I use to make these decisions?

– Accounting
  – Record keeping

Challenges with legacy RADIUS servers

– Visibility and troubleshooting
  – No capability to profile devices connecting to the network.
  – No contextual awareness (e.g. posture, device type, asset type).
  – Poor per-session troubleshooting tools and logs.

– Scalability and reliability
  – Limited performance to handle EAP termination or higher loads.
  – Poor active clustering technology and centralized management.

– Narrow feature sets
  – Limited to core AAA, TACACS+

PDP, PEP and PIP

– Policy Information Points (PIP): identity stores, users / endpoints

– Policy Decision Points (PDP): ClearPass Policy Manager, as a logical local or remote cluster

– Policy Enforcement Points (PEP): network devices

Authentication Methods

Layer 2 Authentication

– MAC
– 802.1X
– EAP-PEAP
– EAP-MSCHAPv2
– EAP-GTC
– EAP-TLS
– EAP-TTLS

Layer 3 Authentication

– Captive Portal
– VPN

Onboard


Authentication Using Unique Device Certificates

Easy, no passwords, secure.

1. User’s device is redirected to the portal

2. User enters AD credentials to start onboarding

3. User is automatically placed on the proper network segment

(Figure labels: BYOD 75%; roles Doctor / Nurse)

• IT determines who can onboard devices

• Access differentiated by role and device

• Devices not entered into Active Directory

• No need for employees on guest network

Single-SSID Onboarding


Dual-SSID Onboarding


Leverage your guest network!

– You don’t need a dedicated SSID for Onboarding!

– Use your guest network. It’s already there!

– Additional SSIDs add overhead and confusion


Differentiated Access Enforcement

Corporate tablet: authentication EAP-TLS, SSID CORP-SECURE; access: Internet and corporate apps

BYOD tablet: authentication EAP-TLS, SSID CORP-SECURE; access: Internet only

CA Purpose-built for BYOD

Enterprise PKI and CA:

– Certificate Authority, Validation Authority, Registration Authority, Active Directory

– IT-Managed Devices: domain, key & certificate

Built-in ClearPass CA:

– Certificate Authority (AD, RA, VA, CA)

– IT-Managed Devices: domain, user, device, key & unique certificate

Supported Devices

POPULAR OPERATING SYSTEMS

• Mac OS X 10.7 and newer, iOS 5.x and newer

• Windows 7, Vista, 8, 10 and 8 Surface Pro

• Android 2.3 and newer

• Chrome OS (requires Management Console)

• Ubuntu

Laptops, tablets, smart phones, Chromebooks

Profiling


Device Visibility

– Works across multiple vendors

– Uses multiple active/passive techniques

– Automatic device fingerprint updates

– Use device fingerprints in policy, workflow.


Profiling

Sources feeding an accurate policy decision: DHCP, SNMP, SSH, TCP, WMI, CDP/LLDP, OnGuard, NMAP scan, MAC OUI.

(Figure: two IoT endpoints, a temperature sensor and a lighting sensor, before and after an NMAP scan)
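As an added illustration (not ClearPass code) of why the slide stresses multiple techniques, the Python below fuses MAC OUI, DHCP option 55 and NMAP-style port hints into one classification; the fingerprint tables, weights and threshold are constructed samples, and an endpoint seen through a single weak source stays Unknown.

```python
from dataclasses import dataclass

# Constructed sample fingerprint tables (illustration only, not a real database).
# MAC OUI (first three octets) -> (category, weight)
OUI_HINTS = {
    "AA:BB:CC": ("Printer", 0.3),        # hypothetical printer vendor
    "00:11:22": ("Infusion Pump", 0.3),  # hypothetical medical-device vendor
}
# DHCP option 55 (parameter request list) -> (category, weight)
DHCP_HINTS = {
    (1, 3, 6, 15, 119, 252): ("Apple iOS/macOS", 0.6),
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): ("Windows", 0.6),
    (1, 3, 6, 12, 15, 28, 42): ("Embedded Linux", 0.4),
}
# Open TCP port seen by an NMAP-style scan -> (category, weight)
PORT_HINTS = {9100: ("Printer", 0.5), 3389: ("Windows", 0.4)}

MIN_CONFIDENCE = 0.5  # below this the endpoint stays Unknown (e.g. a quarantine role)

@dataclass
class Endpoint:
    mac: str
    dhcp_opt55: tuple = ()
    open_ports: tuple = ()

def profile(ep):
    """Fuse independent signals per category with noisy-OR: conf = 1 - prod(1 - w_i).
    Agreeing sources raise confidence; a lone weak hint (e.g. OUI alone) stays
    below the threshold. Returns (category, confidence, evidence)."""
    votes, evidence = {}, []
    def vote(source, hint):
        if hint:
            votes.setdefault(hint[0], []).append(hint[1])
            evidence.append(f"{source}:{hint[0]}")
    vote("oui", OUI_HINTS.get(ep.mac.upper()[:8]))
    vote("dhcp", DHCP_HINTS.get(tuple(ep.dhcp_opt55)))
    for port in ep.open_ports:
        vote(f"tcp/{port}", PORT_HINTS.get(port))
    best, best_conf = "Unknown", 0.0
    for category, weights in votes.items():
        miss = 1.0  # probability that every source for this category is wrong
        for w in weights:
            miss *= 1.0 - w
        if 1.0 - miss > best_conf:
            best, best_conf = category, 1.0 - miss
    if best_conf < MIN_CONFIDENCE:
        best = "Unknown"
    return best, round(best_conf, 2), evidence
```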

Enhanced Profiling and Policy – Solving IoT Issues

– Create your own fingerprints!

– Wait for new fingerprints to be made and/or manually override devices 1:1

ClearPass OnConnect

SNMP enforcement from ClearPass for devices with no 802.1X (e.g. printer VLAN, infusion pump VLAN), alongside existing 802.1X wired/wireless support.

• Built-in device-centric security for all non-AAA ready customers

• Easy to configure on legacy multivendor switches

• Leverages ClearPass profiling for wired/wireless: IoT, laptops, mobile phones.

OnGuard

Detect unsecure devices

• Block access to network resources across wired, wireless & remote

• Auto-remediate the device

Minimizes risk to the network: ClearPass Policy Manager with OnGuard controls compromised devices on the access network and VPN.

Posture Checking

Persistent and dissolvable agents for laptops and desktops

OnGuard Is Better Than Ever

– Better policy manipulation
  – Support for regular expressions (RegEx) in registry and installed application health classes.

– Better OS support
  – Persistent agent can now run as a system service on Windows
  – Native dissolvable agent auto-upgrade support
  – OnGuard can now check whether Mac OS X clients are missing patches and, if auto-remediation is enabled, install the missing patches.

OnGuard Persistent Agent

– OnGuard Persistent Agent is available for:
  – Windows (both .exe and .msi files available)
    – Often installed via GPO by an administrator, or hosted as a download for end users
  – Mac OS X
  – Linux (Ubuntu)

– The Agent can be combined with the Aruba VIA component
  – VIA is Aruba’s VPN solution
  – Health checks can be performed on VPN clients

– Persistent Agent can auto-remediate.
  – For example: the Persistent Agent will enable the firewall.

OnGuard Dissolvable Agent

– OnGuard Dissolvable Agent runs once and exits

– OnGuard Dissolvable Agent now uses native code
  – Translation: no client-side Java requirements!

– Tied to weblogin page
  – Think: Guest configuration and captive portal

– Popular browsers are supported:

Guest access


Guest Registration Use Cases


Pre-registration

• Bulk import from file, e.g. Excel, text

• Generate visitor badges or notify via branded email templates

Self-registration

• Customizable, automated workflows

• Notification via SMS, email, badge printer

• Can require sponsor approval

Sponsored Guest Access

• Enable multiple employees to sponsor

• Receptionists, managers


Self Service Portal


Social Login


ClearPass Exchange


ClearPass Exchange Ecosystem

– Infrastructure: network controls using real-time device data

– MDM / EMM: visibility into location and time with granular controls

– Next-Gen Perimeter Defense: granular traffic control with user and device data

– SIEM, Automation, MFA: visibility and interactive control features

Ingress Engine: Third-party Threat Protection

Adaptive Trust defense based on real-time threat detection (LAN/WLAN with firewall / IPS**):

1. User connects and uploads threat

2. NGFW/IPS sends event to ClearPass

3. ClearPass isolates client

• Offers enhanced user experience as ClearPass can initiate user notifications, help-desk tickets, and update third-party security solutions

• ** Device in step 2 can be MDM/EMM, SIEM, etc.

MDM Device Context in Action


More Ways to Talk To ClearPass


Information Resources

– Aruba Community: http://community.arubanetworks.com/

– ClearPass Recipes: http://community.arubanetworks.com/t5/ClearPass-Recipes/tkb-p/clearpass-recipes

– Aruba Solution Exchange: https://ase.arubanetworks.com

ClearPass is recognized as best among NACs; here is a report: http://www.prnewswire.com/news-releases/frost--sullivan-recognizes-hpe-aruba-leadership-in-the-network-access-control-market-300317643.html

Global Wins

– Worldwide ACS replacement for RADIUS and TACACS+

– Increased security & simplified BYOD onboarding

– ACS replacement for Policy Mgmt & Guest

– ACS replacement for Policy Mgmt, NAC, & BYOD

– Worldwide guest and device auth in Cisco / Juniper network

– Leveraged ArcSight installation to drive AAA replacement

Evaluation licenses

You can contact me via email and I will create a 90-day evaluation license for you.

Demo

Thank you. If you have questions, contact: mindaugas.ruginis@hpe.com