CONFIDENTIAL © Copyright 2015. Aruba Networks, Inc. All rights reserved. #ATM15
Agenda
1. Better user experience and tighter security, is that possible?
2. Employees on Guest Network
3. The headless device dilemma
Better user experience and tighter security, is that possible?
Solutions:
1. Status updates and notifications
2. Provide self-service workflows
3. Dynamically Update other network security systems
4. Implement proactive problem identification and resolution
The User Problem…
How do I get my device on the network?
What is a MAC address?
Why is the network not working?
Common Security Concerns
Who does this device belong to?
Does this device meet minimum corporate compliance standards?
Can I really support this technology?
1. Communicate with your users
Don’t just REJECT a connection if something goes wrong!
Sure that’s secure, but what does the user think?
Let a user know what went wrong:
• SMS
• Web Notification Page (Walled Garden)
• Push Notification
• Phone Call
• OnGuard Message
Most of these can be done even if you still send a REJECT.
2. Provide Self Service Workflows
BYOD Provisioning and Management (Onboard)
802.1X Supplicant Configuration (QuickConnect)
Device Registration and Management
Guest Self Registration and Management
AirGroup Registration and Management
Posture Check (OnGuard DA)
Posture Remediation (OnGuard PA)
3. Dynamically Prepare the Rest of the Network
Getting past the front door is one thing…. How many more “identity” controlled doors do you have?
DHCP/DNS Controls?
Firewalls?
IDS/IPS?
Proxies?
Application Logins (SSO)?
Example: the identity context ClearPass assembles for one connection
• Who: Bob
• Group: Faculty
• Device: Personal iPad
• Location: Room 104
• Time: 9am, Monday
• Compliance: Healthy
• MAC Address: X
• IP Address: Y
Sources feeding the Adaptive Trust identity: AD/LDAP, EMM/MDM.
Systems updated with it: WLAN, firewall, web proxy/filter, EMM/MDM, AirGroup permissions, application logon (SSO).
4. Proactive Problem Identification and Resolution
Use ClearPass to notify/alert helpdesk systems: the right teams, with the right information, as soon as a problem happens.
Not just Syslog/SNMP:
• Email
• HelpDesk Ticketing Systems
• SMS/Voice
Example: enforcement actions triggered by one event
• RADIUS action to force the notification page
• Send the user an SMS notification
• Update the Palo Alto firewall
• Open a help desk ticket
• Sound the alarm: send email to the security team
Employees on the Guest Network: why is it a bad idea?
1. Users/devices are exposed to cyber-attacks
2. SSID confusion
3. Users circumvent web policy at work
Protect your users and devices
Get visibility and control on your Guest SSID
Diagram: a user's device (MAC 11:22:33:44:55:66) associates to SSID Guest (MAC authentication) through the AP; the wireless controller sends a RADIUS request to ClearPass, which consults AD/SQL stores (over LDAP/SQL) and the MDM before answering.
How can we identify corporate devices?
Diagram: ClearPass Policy Manager sits between the network infrastructure (wireless, wired, VPN, remote office, outdoor) and the data center authorization sources: AD, Oracle, CMDB, Endpoint Database, MDM, JAMF.
CP Exchange – Integration with MDM
CP Exchange – Integration with CMDB
Filter query for the SQL authorization source (the slide omits the FROM clause; the table name below is a placeholder, not from the slide):

  SELECT MAC_ADDR AS cmdb_mac
  FROM cmdb_assets  -- placeholder: table name not shown on the slide
  WHERE MAC_ADDR = '%{Connection:Client-Mac-Address-Hyphen}'

The %{...} token is substituted before the query is sent, so the variant chosen (Client-Mac-Address-Hyphen here) must spell the MAC the same way the CMDB stores it, or the lookup returns nothing.
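An added example (not from the Aruba deck) of the lookup the filter query performs, written in Python: it normalises the client MAC as the NAD reported it into the spelling the CMDB stores before querying, which is the step that fails silently when the chosen Client-Mac-Address variant does not match the CMDB's format. The CMDB table, its rows and its column names are constructed for the example.

```python
"""Added example: normalise a client MAC into the CMDB's delimiter style,
then look it up with a parameterised query. Table and rows are constructed."""
import re
import sqlite3

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Return the MAC as 12 lowercase hex digits. Accepts colon, hyphen,
    Cisco dotted (1122.3344.5566) and bare forms; rejects anything else."""
    digits = re.sub(r"[:\-.\s]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def format_mac(mac12: str, style: str, upper: bool = False) -> str:
    """Render 12 hex digits in one of the common spellings."""
    pairs = [mac12[i:i + 2] for i in range(0, 12, 2)]
    if style == "hyphen":
        out = "-".join(pairs)
    elif style == "colon":
        out = ":".join(pairs)
    elif style == "dot":
        out = ".".join(mac12[i:i + 4] for i in range(0, 12, 4))
    elif style == "nodelim":
        out = mac12
    else:
        raise ValueError(f"unknown style {style!r}")
    return out.upper() if upper else out


def build_cmdb() -> sqlite3.Connection:
    """Constructed stand-in for the CMDB: MACs stored hyphenated, upper-case."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cmdb_assets (mac_addr TEXT PRIMARY KEY, owner TEXT, asset_tag TEXT)"
    )
    conn.executemany(
        "INSERT INTO cmdb_assets VALUES (?, ?, ?)",
        [("11-22-33-44-55-66", "bob", "LAPTOP-0042"),
         ("AA-BB-CC-DD-EE-FF", "alice", "TABLET-0007")],
    )
    return conn


def lookup_asset(conn: sqlite3.Connection, client_mac: str):
    """Find the CMDB record for a client MAC however the NAD spelled it.
    Returns (owner, asset_tag) or None. The value is bound as a parameter,
    never spliced into the SQL text."""
    key = format_mac(normalize_mac(client_mac), "hyphen", upper=True)
    row = conn.execute(
        "SELECT owner, asset_tag FROM cmdb_assets WHERE mac_addr = ?", (key,)
    ).fetchone()
    return tuple(row) if row else None


if __name__ == "__main__":
    db = build_cmdb()
    for seen in ("aabb.ccdd.eeff", "11:22:33:44:55:66", "00-11-22-33-44-55"):
        print(seen, "->", lookup_asset(db, seen))
```

The same normalisation belongs wherever MACs are compared across systems (endpoint repository, MDM inventory, switch CAM tables), since each tends to pick a different delimiter and case.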
Endpoint Attribute Tagging
Diagram: a device authenticates to ClearPass on SSID SecureWPA2-AES (802.1X against AD/LDAP). If the session is [MACHINE AUTHENTICATED], or its Certificate:Issuer-CN identifies a corporate-issued certificate, an Update Endpoint enforcement writes Ownership: Corporate onto the endpoint record (MAC 11:22:33:44:55:66). That attribute is then available for authorization on other networks.
Update Endpoint Enforcement
Let’s build a Role Mapping Policy (Tagging)
Policy Enforcement Options
Diagram: an employee connects to SSID Guest (MAC authentication); ClearPass identifies the Corp-Device role and runs the enforcement workflows:
• Auto-generate a helpdesk ticket
• Notify the user: SMS and voice call to phone
• IT administrator: email alert
• Redirect to captive portal
Let’s build an Enforcement Policy (Actions)
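The two policies the deck builds on the ClearPass screens (the tagging role mapping and the enforcement policy with its actions), as an added Python model that is not Aruba's code: the secure SSID tags an endpoint Ownership=Corporate when the session is machine-authenticated or the certificate issuer is the corporate CA, and the Guest SSID then maps that endpoint to Corp-Device and returns the walled-garden role plus the notification workflows. The issuer CN, the NAD role name and the repository class are assumptions of the example.

```python
"""Added example: role mapping and enforcement for the employee-on-Guest case."""
from dataclasses import dataclass
from typing import Optional

CORPORATE_CA_CN = "Corp-Issuing-CA"    # assumed issuer CN of the corporate PKI
SECURE_SSID = "SecureWPA2-AES"
GUEST_SSID = "Guest"
WARNING_ROLE = "corp-device-warning"   # assumed NAD role that walls the client into the warning page


@dataclass
class Request:
    """The subset of an authentication request the two policies look at."""
    ssid: str
    client_mac: str
    auth_method: str                   # "802.1X" or "MAC"
    machine_authenticated: bool = False
    cert_issuer_cn: Optional[str] = None
    username: Optional[str] = None


class EndpointRepository:
    """Stand-in for the ClearPass Endpoint Repository (attributes per MAC)."""
    def __init__(self):
        self._records = {}

    def update(self, mac, **attrs):
        self._records.setdefault(mac.lower(), {}).update(attrs)

    def attributes(self, mac):
        return dict(self._records.get(mac.lower(), {}))


def secure_ssid_enforcement(req: Request, repo: EndpointRepository) -> list:
    """Enforcement on the corporate SSID: allow access and, when the session
    proves a corporate device, also run Update Endpoint to tag it."""
    if req.ssid != SECURE_SSID or req.auth_method != "802.1X":
        return ["Deny Access"]            # request does not belong to this service
    profiles = ["Allow Access"]
    if req.machine_authenticated or req.cert_issuer_cn == CORPORATE_CA_CN:
        repo.update(req.client_mac, Ownership="Corporate")
        profiles.append("Update Endpoint: Ownership=Corporate")
    return profiles


def guest_role_mapping(req: Request, repo: EndpointRepository) -> set:
    """Role Mapping Policy on the Guest SSID: everyone is Guest; a MAC whose
    endpoint record says Ownership=Corporate is additionally Corp-Device."""
    roles = {"Guest"}
    if repo.attributes(req.client_mac).get("Ownership") == "Corporate":
        roles.add("Corp-Device")
    return roles


def guest_enforcement(req: Request, roles: set) -> dict:
    """Enforcement Policy on the Guest SSID: a Corp-Device is accepted but
    placed in the warning role, and the notification workflows fire."""
    if req.ssid != GUEST_SSID or req.auth_method != "MAC":
        return {"radius": "Deny Access", "workflows": []}
    if "Corp-Device" not in roles:
        return {"radius": "Allow Access (Guest role)", "workflows": []}
    return {
        "radius": f"Allow Access, user role {WARNING_ROLE} (captive portal redirect)",
        "workflows": [
            "Notify user: SMS and voice call",
            "Auto-generate helpdesk ticket",
            "IT administrator: email alert",
        ],
    }


def walk_through(repo: Optional[EndpointRepository] = None) -> dict:
    """Constructed timeline: a laptop does machine-authenticated 802.1X on the
    secure SSID, and is later seen doing MAC auth on Guest."""
    repo = repo or EndpointRepository()
    mac = "11:22:33:44:55:66"
    secure = Request(SECURE_SSID, mac, "802.1X", machine_authenticated=True,
                     username="host/bob-laptop")
    secure_ssid_enforcement(secure, repo)
    guest = Request(GUEST_SSID, mac, "MAC")
    return guest_enforcement(guest, guest_role_mapping(guest, repo))


if __name__ == "__main__":
    print(walk_through())
```

The tag is the only thing that crosses from one service to the other: the Guest service never sees the certificate or the machine account, so the order matters (the device has to have been seen on the secure SSID first), and a brand-new corporate device that has only ever joined Guest is not caught by this rule.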
Corporate Device Warning Page
Enforcement Profile – SMS with Twilio
Enforcement Profile – Helpdesk Ticket
{
  "short_description": "Corporate Device Event",
  "priority": "3",
  "description": "The following Corporate device has attempted to connect to the Guest WiFi network:\nMac Address: %{Connection:Client-Mac-Address}\nEnrolled User: %{Authentication:Full-Username}\nDevice Serial: %{Endpoint:Serial Number}\nMobile: %{Endpoint:Model}\nOS Version: %{Endpoint:OS Version}\nLocation: %{Radius:Aruba:Aruba-Location-Id}",
  "u_category": "%{u_category}",
  "u_subcategory": "%{u_subcategory}",
  "assigned_to": "mobileadmin"
}
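The ticket body above is a JSON document with %{Namespace:Attribute} tokens substituted into it as text. As an added example (not Aruba's code), the Python below renders such a template the way a practitioner would want it rendered: each value is escaped for a JSON string context before substitution and the result is parsed, so a device model, username or location string containing a quote or backslash cannot produce a body the ticketing system rejects. The attribute values are constructed; the renderer's choice to turn unknown attributes into an empty string is an assumption of the example, not documented ClearPass behaviour.

```python
"""Added example: render a %{...}-templated ticket body into valid JSON."""
import json
import re

# Matches %{Connection:Client-Mac-Address}, %{Radius:Aruba:Aruba-Location-Id},
# and bare parameters such as %{u_category}.
TOKEN = re.compile(r"%\{([^}]+)\}")

# The slide's template, with the literal \n escapes kept as JSON escapes.
TICKET_TEMPLATE = (
    '{"short_description":"Corporate Device Event","priority":"3",'
    '"description":"The following Corporate device has attempted to connect '
    'to the Guest WiFi network:\\nMac Address: %{Connection:Client-Mac-Address}'
    '\\nEnrolled User: %{Authentication:Full-Username}'
    '\\nDevice Serial: %{Endpoint:Serial Number}'
    '\\nModel: %{Endpoint:Model}\\nOS Version: %{Endpoint:OS Version}'
    '\\nLocation: %{Radius:Aruba:Aruba-Location-Id}",'
    '"u_category":"%{u_category}","u_subcategory":"%{u_subcategory}",'
    '"assigned_to":"mobileadmin"}'
)

# Constructed attribute values for one request; the model string deliberately
# contains a double quote, as real inventory strings sometimes do.
SAMPLE_ATTRS = {
    "Connection:Client-Mac-Address": "112233445566",
    "Authentication:Full-Username": "bob@example.edu",
    "Endpoint:Serial Number": "C02ABC123DEF",
    "Endpoint:Model": 'iPad Pro 12.9"',
    "Endpoint:OS Version": "9.3.1",
    "Radius:Aruba:Aruba-Location-Id": "Room-104",
    "u_category": "Network",
    "u_subcategory": "Wireless",
}


def json_escape(value) -> str:
    """Escape a value for insertion inside an existing JSON string literal."""
    return json.dumps(str(value), ensure_ascii=False)[1:-1]


def render_ticket(template: str, attrs: dict) -> dict:
    """Substitute every token with a JSON-escaped value, then parse, so a
    malformed body fails here rather than at the ticketing system."""
    body = TOKEN.sub(lambda m: json_escape(attrs.get(m.group(1), "")), template)
    return json.loads(body)


def render_ticket_unescaped(template: str, attrs: dict) -> dict:
    """Plain textual substitution, kept only to show what an attribute value
    containing a quote does to the body."""
    body = TOKEN.sub(lambda m: str(attrs.get(m.group(1), "")), template)
    return json.loads(body)


if __name__ == "__main__":
    print(json.dumps(render_ticket(TICKET_TEMPLATE, SAMPLE_ATTRS), indent=2))
```

If the integration point only allows textual templates, restrict the interpolated attributes to ones whose values you control the format of (MAC, serial, location ID), and keep free-text fields such as model or username out of the JSON body or in a field the receiving side parses leniently.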
Is 802.1X the only option?
1. Many wired/wireless devices do not support 802.1X authentication
2. How do we make sure only the desired devices get access?
3. What about MAC Spoofing?
Supporting “Headless” Devices
For devices that do not support 802.1X:
• Wireless: a PSK SSID with MAC authentication
• Wired: MAC Authentication Bypass (MAB) on the port
Two mechanisms decide which MACs are authorized:
1. Device Profiler
2. Device Registration
1. Endpoint Profiler
• Authorize devices like IP Phones, Hand Scanners, Printers, or Access Points.
Profiling “Unknowns”
Recommended best practice: allow DHCP and SNMP, and optionally redirect HTTP to CPPM, so that an unknown device produces something the profiler can fingerprint.
Once the device is profiled, re-authenticate it so policy is evaluated against the new information.
Example Profiling Policy
• Create an enforcement profile and policy rule to send the dACL (in the case of, say, a Cisco LAN switch)
Pulling it all together
2. Device Registration
• The default device registration page looks like this:
MAC Spoofing
What if someone spoofs their device MAC address?
ClearPass can detect device conflicts
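The profiling step for unknowns and the device-conflict check belong together, so one added Python example (not Aruba's code) covers both: it fingerprints a MAC-authenticated endpoint from its DHCP options, asks for re-authentication once a category is learned, and raises a conflict when a MAC that was profiled as one kind of device later fingerprints as another. The signature table is constructed and only loosely modelled on real DHCP fingerprints; the access decisions (which categories the headless network admits, that a conflict means deny) are assumptions of the example.

```python
"""Added example: DHCP-fingerprint profiling with device-conflict detection."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed signature table: (option 55 parameter request list, option 60
# vendor class) -> device category. Real profilers use far larger sets and
# more signals (OUI, HTTP User-Agent, SNMP sysDescr, ...).
SIGNATURES = {
    ((1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252), "MSFT 5.0"): "Windows",
    ((1, 121, 3, 6, 15, 119, 252), None): "Apple iOS",
    ((1, 3, 6, 15, 44, 46, 47), "Brother-Printer"): "Printer",
    ((1, 3, 6, 42, 66, 150), "Cisco Systems, Inc. IP Phone"): "IP Phone",
}

# Assumed policy: categories permitted on the headless PSK/MAB network.
HEADLESS_ALLOWED = {"Printer", "IP Phone"}


@dataclass
class DhcpSample:
    """What the profiler sees from a relayed DHCP DISCOVER/REQUEST."""
    mac: str
    param_request_list: tuple
    vendor_class: Optional[str] = None


@dataclass
class Endpoint:
    category: str = "Unknown"
    history: list = field(default_factory=list)
    conflict: bool = False


def fingerprint(sample: DhcpSample) -> str:
    return SIGNATURES.get((tuple(sample.param_request_list), sample.vendor_class), "Unknown")


class Profiler:
    def __init__(self):
        self.endpoints = {}   # mac -> Endpoint

    def observe(self, sample: DhcpSample) -> dict:
        """Update the endpoint record from a DHCP sample and return what the
        policy engine should do next."""
        mac = sample.mac.lower()
        ep = self.endpoints.setdefault(mac, Endpoint())
        seen = fingerprint(sample)
        ep.history.append(seen)
        if seen == "Unknown":
            return {"mac": mac, "action": "none", "category": ep.category}
        if ep.category == "Unknown":
            # First successful profile: re-authenticate so the new attributes apply.
            ep.category = seen
            return {"mac": mac, "action": "reauthenticate", "category": seen}
        if seen != ep.category:
            # The MAC that was a printer now fingerprints as a Windows host.
            ep.conflict = True
            return {"mac": mac, "action": "quarantine",
                    "category": ep.category, "now_looks_like": seen}
        return {"mac": mac, "action": "none", "category": seen}

    def authorize(self, mac: str) -> str:
        """MAC-auth decision for the headless network."""
        ep = self.endpoints.get(mac.lower(), Endpoint())
        if ep.conflict:
            return "Deny (device conflict)"
        if ep.category in HEADLESS_ALLOWED:
            return "Allow (headless role)"
        if ep.category == "Unknown":
            return "Limited (DHCP, SNMP, HTTP redirect to CPPM)"
        return "Deny (category not permitted)"


def spoofing_scenario():
    """Constructed timeline: a printer is profiled; later a host using the
    printer's MAC requests an address with a Windows fingerprint."""
    p = Profiler()
    printer_mac = "00:80:77:aa:bb:cc"
    first = p.observe(DhcpSample(printer_mac, (1, 3, 6, 15, 44, 46, 47), "Brother-Printer"))
    later = p.observe(DhcpSample(printer_mac,
                                 (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252),
                                 "MSFT 5.0"))
    return first, later, p.authorize(printer_mac)


if __name__ == "__main__":
    for step in spoofing_scenario():
        print(step)
```

The check catches the common case, a laptop given a printer's MAC with its own DHCP client left alone; it does not catch an attacker who also copies the printer's DHCP options, hostname and open ports, which is why the deck treats MAC authentication as the fallback for devices that cannot do 802.1X rather than as an equivalent.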