© Copyright 2014. Aruba Networks, Inc. All rights reserved
It’s a Matter of Trust
Adaptive Trust for Strong Network Security
Alan Ni, Sr. Product Marketing Mgr, Aruba Networks, @AlanJNi
Trent Fierro, Sr. Product Marketing Mgr, Aruba Networks, @Trentf_CA
Mike Raggo, Security Evangelist, MobileIron, @MikeRaggo
The New Enterprise Perimeter - #GenMobile
Corporate Office
Home Office
Branch Office
Anywhere Office
Today’s Emerging Mobility Threats
- Higher Usage of Unsecured Networks: hackers deliberately targeting open Wi-Fi networks
- Mobile App Targeted Malware: rising instances of malicious apps, infections, password theft
- Greater Loss / Theft of Devices: increased exposure to data, call charges, lost productivity
Mobile App Usage and Hacker Targeting
- Apps we put up with
- Apps needed
- Apps ignored
Needed and ignored apps are targeted more often (only 0.4% of all threats observed).
(Chart labels from the slide: telnet, UDP)
Anatomy of Recent Retail Breaches
(Diagram elements: POS devices, POS Update Server, Dump Site)
1. Russian hacker sells BlackPOS malware for $2,300 on darknet. Attacker uses this to stage attack.
2. Malware moved to retailer’s internal distribution servers through vulnerability, or weak contractor account.
3. Distribution servers move malware to legacy POS terminals.
4. Malware scrapes unencrypted RAM in real-time and sends card information to Dump Site…for 15-20 DAYS!!!
5. Hacker accesses FTP dump site and downloads card data to later transfer funds from accounts.
LEGACY APPROACHES WON’T WORK!!!
Common Mobile Attack Vectors
User Data Leakage
- Forwarding of data
- Cloud Storage
- Social Engineering
Un-protected Networks
- Weak NAC
- Man-in-the-middle
- Untrusted Networks
Jailbroken / Rooted Devices
- Open to vulnerabilities that lead to data exposure
Malicious / Risky Apps
- Data exfiltration
Users and networks are now low-hanging fruit
Time for a New Perimeter Defense Model
Perimeter Defense
- Firewalls
- IDS/IPS
- Web gateways
- A/V
- Physical
Mobility Defense
- Firewalls
- IDS/IPS/AV
- Web gateways
- EMM/MDM
Policy needed for central point of control: Access Policy Management
The Building Blocks of Adaptive Trust
Use of Context Awareness: ClearPass with firewalls, IDS/IPS, web gateways, EMM/MDM
Enabling Adaptive Trust
- Highly credible user and device data
- Granular control with user and device data (identity, IP address)
- Network controls using device attributes
- Visibility into user and device OS
Deciphering Context for Policy Decisions
Jailbroken phone? BYOD? Guest? Office? Device type? Firewall enabled? Employee? Nonfat?
Policies must adapt to conditions
The Heart of an Adaptive Trust Decision
Usable Context
- User & role
- Ownership - IT or BYOD
- Device & type
- Device assessment
- Location - Secure or open access
- Auth type - credentials or certificate
- Session rules
- Access type
- Time-of-day / Day-of-Week
- App traffic & behavior
Sources of Usable Context
Device Profiling
- Samsung SM-G900
- Android
- “Jons-Galaxy”
EMM/MDM
- Personal owned
- Registered
- OS up-to-date
- Hansen, Jon [Sales]
- MDM enabled = true
- In-compliance = true
Identity Stores
- Hansen, Jon [Sales]
- Title – COO
- Dept – Executive office
- City – London
Enforcement Points
- Location – Bldg 10
- Floor – 3
- Bandwidth – 10Mbps
Adaptive Trust Identity (the combined record)
- Hansen, Jon [Sales]
- COO, Executive Office
- London
- Personal Owned
- Samsung SM-G900
- Android 4.4, Knox
- MDM enabled = true
- In-compliance = true
- At Bldg 10, floor 3
- 21:22GMT, 21/12/14
Adaptive Policy Driven by Context
Corporate Tablet: Authentication EAP-TLS; SSID CORP-SECURE; Access: Internet and Corporate Apps
BYOD Tablet: Authentication EAP-TLS; SSID CORP-SECURE; Access: Internet Only
Time for Policy Management Vs. AAA
Role-based Enforcement - Users and devices
Expandability - BYOD, guest access
Central Context Database - Users, device profiles, location
Per Session Control
Network Starting Point: ClearPass
ANY MULTIVENDOR NETWORK - WIRELESS and WIRED SECURITY
Policy services: Profiler, EMM / MDM, NAC, TACACS, RADIUS, Guest, Device Registration
- Automated mobile security workflows
- Context-based adaptive policy enforcement
- Integration with Third Party Solutions
Applications: Reporting, Exchange, Auto Sign On, Single Sign On, Onboarding, AirGroup, SIEM Support
The ClearPass Access Management System
Expandable Applications: Guest, Onboard, OnGuard
Baseline: Hardware or VM Appliances (500, 5,000 or 25,000); Remote Location
ClearPass Exchange
Mitigating Risks using 3rd Party Integration (RESTful APIs, Syslog Messages)
1. Jail-broken device detected; ClearPass denies access to device
2. Helpdesk ticket auto generated
3. Message to device auto generated
Adaptive Trust Identity
Device Starting Point: MobileIron EMM
Device configuration and security
Separation between enterprise and personal data
Secure corporate email
Enterprise mobile apps
Device choice
Native user experience
Secure access to enterprise web apps
Secure access to enterprise content
Selective wipe
NAC and EMM Better Together
MobileIron – ClearPass Core
- Certificate-based authentication
- Network Access Control
- Policy enforcement, lockdowns, restrictions
- Monitor for out-of-compliance devices, closed-loop compliance actions (online & offline)
- Malicious and Risky App Detections
- Jailbreak/Root Detection
- Quarantine Wipe/Selective Wipe
- User and IT notification
Mobile Device
1. Hacker attempts MITM or targeted attack on mobile device. Brute-force attacks both mitigated through use of certs.
2. ClearPass validates if device is known or registered, and in compliance by checking in with MobileIron. Device blocked.
3. Core enforces security policies, lockdowns, restrictions.
4. Core monitors, alerts, and reports on out-of-compliance devices, ensures closed-loop actions.
5. EMM identifies malicious app and alerts.
6. As Jailbreak/rooting occurs, device is Auto-Quarantined.
7. Quarantine removes Managed Corp App & Data to mitigate exposure, network access is changed to only allow for remediation.
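The decision flow on the preceding slides (merging profiler, EMM, identity-store and enforcement-point attributes into one identity; corporate tablet getting corporate apps while BYOD gets internet only; jailbroken or out-of-compliance devices moved to remediation with a ticket and a device message; unknown devices blocked) as one added worked example. This is illustration code written for this page, not code from the deck, Aruba ClearPass or MobileIron. The attribute names, the role names, the action names, the sample feeds and the business-hours session rule are assumptions.

```python
"""Toy adaptive-trust policy engine (added example; not ClearPass or MobileIron code).
Attribute keys, role names, action names and the time-of-day rule are assumptions."""

from datetime import datetime, timezone

# Network roles an enforcement point would map onto VLANs/ACLs (assumed names).
ROLE_CORPORATE = "internet-and-corporate-apps"
ROLE_INTERNET_ONLY = "internet-only"
ROLE_REMEDIATION = "remediation-only"   # quarantine: only remediation hosts reachable
ROLE_BLOCKED = "blocked"


def merge_context(*sources):
    """Fold per-source attribute dicts (profiler, EMM, identity store, enforcement
    point) into one identity record. A source only adds or overwrites keys it has a
    value for, so a missing feed leaves a gap instead of a guess."""
    identity = {}
    for source in sources:
        identity.update({k: v for k, v in source.items() if v is not None})
    return identity


def decide(identity, now):
    """Return (role, actions). Deny/quarantine rules run first so a later
    privilege-granting rule can never override them."""
    actions = []
    # Unknown device: not registered with the EMM -> block.
    if not identity.get("registered", False):
        return ROLE_BLOCKED, actions
    # Jailbroken or out of compliance: closed-loop actions (ticket, user message,
    # EMM quarantine that strips managed apps/data) and remediation-only network.
    if identity.get("jailbroken", False) or not identity.get("in_compliance", False):
        actions += ["helpdesk_ticket", "message_device", "emm_quarantine"]
        return ROLE_REMEDIATION, actions
    # Only certificate (EAP-TLS) sessions may reach corporate apps; credential-only
    # sessions are capped at internet access.
    if identity.get("auth_type") != "EAP-TLS":
        return ROLE_INTERNET_ONLY, actions
    # Session rule (assumption): corporate apps need corporate ownership, a secure
    # location and business hours; BYOD devices get internet only.
    in_hours = now.weekday() < 5 and 8 <= now.hour < 20
    if identity.get("ownership") == "corporate" and identity.get("location_secure") and in_hours:
        return ROLE_CORPORATE, actions
    return ROLE_INTERNET_ONLY, actions


def syslog_line(identity, role, actions, now):
    """One log line an engine might hand to a SIEM or ticketing integration."""
    user = identity.get("user", "unknown")
    device = identity.get("device_model", "unknown")
    return (f"{now.isoformat()} adaptive-trust user={user} device={device} "
            f"role={role} actions={','.join(actions) or 'none'}")


# Constructed sample feeds modelled on the deck's "Jon Hansen" example.
PROFILER = {"device_model": "Samsung SM-G900", "os": "Android 4.4", "hostname": "Jons-Galaxy"}
EMM = {"ownership": "personal", "registered": True, "mdm_enabled": True,
       "in_compliance": True, "jailbroken": False}
IDENTITY_STORE = {"user": "Hansen, Jon", "group": "Sales", "title": "COO", "city": "London"}
ENFORCEMENT_POINT = {"location": "Bldg 10 / Floor 3", "location_secure": True,
                     "auth_type": "EAP-TLS", "ssid": "CORP-SECURE"}
NOW = datetime(2014, 12, 21, 21, 22, tzinfo=timezone.utc)   # 21:22 GMT, 21/12/14 (a Sunday)


def evaluate(overrides=None, now=NOW):
    """Merge the sample feeds (optionally overriding EMM attributes) and decide."""
    emm = {**EMM, **(overrides or {})}
    identity = merge_context(PROFILER, emm, IDENTITY_STORE, ENFORCEMENT_POINT)
    role, actions = decide(identity, now)
    return role, actions, syslog_line(identity, role, actions, now)


if __name__ == "__main__":
    monday_10am = datetime(2014, 12, 22, 10, 0, tzinfo=timezone.utc)
    for label, overrides, when in [
        ("BYOD, compliant", None, NOW),
        ("corporate-owned, business hours", {"ownership": "corporate"}, monday_10am),
        ("jailbroken", {"jailbroken": True}, NOW),
        ("unregistered", {"registered": False}, NOW),
    ]:
        role, actions, line = evaluate(overrides, when)
        print(f"{label:32} -> {role:28} {actions}")
        print("    " + line)
```

Rule order is the security-relevant design choice: the block and quarantine checks sit above the rules that grant access, so a compliant-looking attribute from one feed can never outrank a jailbreak flag from another.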
Adaptive Trust Counter-Measure Framework
NAC/AAA to apply appropriate contextual-based policies; shares adaptive trust identity with other IT systems
Best-of-Breed Network Security Systems utilizing adaptive trust identity
Identity: Certificate-based authentication to prevent MiTM
EMM to apply consistent policy for device, apps and content across all mobile
MDM
- Device password, encryption, on-going compliance monitoring, and automated remediation
- Jailbreak / Root Detection: online & offline + quarantine
MAM
- Containerized apps
- Data-at-rest encryption
- Enterprise App Store
- Secure App Eco-system
- App-reputation Services
MCM
- Restrict Copy/paste and Open-in for DLP
- Secure On-device Content repository
- Secure Web-browser
THANK YOU
Alan Ni, @AlanJNi
Trent Fierro, @Trentf_CA
Mike Raggo, @MikeRaggo