OCS LIA. The integration of the Enterasys NAC Solution and Siemens Enterprise Networking - Totally Integrated Security Architecture. The first technical integration that provides a truly unique proposition when combining an Enterasys NAC solution with a SEN UC solution.
“There is nothing more important than our customers”
Identity Management and Network Access Control
An open communication solution for location and identity assurance: OCS LIA (formerly known as SALERNO)
Markus Nispel
VP Solutions Architecture
Inderpreet Singh
Director, Solution Architecture
© 2008 Enterasys Networks, Inc. All rights reserved.
Why should you care?
• OCS LIA is the first technical integration that provides a truly unique selling proposition when combining an Enterasys NAC solution with a Siemens Enterprise Communications (SEN) UC solution
  Even using standard protocols and APIs, no one else in the market is able to provide a similar solution
  A unique value in projects and RFPs, and still open to other vendors' infrastructure, since Enterasys NAC supports this inherently
• It provides tangible value to the customer: a lower TCO (through lower OPEX) and higher security, along with visibility into the IT infrastructure
• The solution is not limited to VoIP. A professional-services-based integration into any asset/inventory database at the customer site is always possible; the result is IT workflow integration, reduced operational costs and a loyal customer
What does it do for you?
• Automatic inventory and location service reduces the operational risk of non-compliant end devices with an invalid configuration or software release
• Automatic adaptation and location-based configuration of end devices and use of special functionalities (e.g. configuration of a speed-dial button)
• IP phone monitoring: detecting non-compliant and compromised end devices
• Automatic authentication and authorization: secure, reliable and high-quality operation of real-time applications is ensured through automatically assigned QoS parameters and security profiles (ACL and VLAN)
• Finally, the use of this solution provides the following value add:
  Reduces administrative effort and costs
  Increases protection and reliability of real-time applications
  Minimizes the risk of attacks and the probability of outage
  Increases compliance with the enterprise's security policies
• http://www.enterasys.com/company/literature/auto-voip-deploy.pdf
What is NAC?
• A user-focused technology that:
  Authorizes a user or device (PC, phone, printer) and
  Permits access to resources based on identity authentication of the user (and/or device), on the security posture of the device, and on location and time
  The parameters are set in the so-called pre-connect assessment (aka health check), i.e. before connecting to the infrastructure
  However, during normal operation, regular checks should be conducted as part of the post-connect assessment
What do you need to deploy OCS LIA?
• Enterasys Network Access Control (NAC) version 3.1.2 or above
  At least implemented in discovery mode (with MAC authentication enabled on the access switches and access points; 802.1X can be used too), using a default authorization for all endpoints
  Along with professional services from Enterasys to implement the solution and the OCS LIA middleware
• Siemens HiPath Deployment Service (DLS) V2R4
  Supporting OpenStage and Optipoint VoIP endpoints in both SIP and HFA mode
  Additional location service licenses for each device that should be supported for this feature
  Along with professional services from SEN to properly set up the DLS (also for web services usage) and optionally configure the infrastructure policies
Enterasys NAC - in Any Environment
• Hybrid deployment: best of both models for mixed environments
• Single, integrated solution: seamless management from a single system
[Figure: enterprise network with core, distribution and edge layers. Enterasys policy-capable switches, RFC 3580-capable switches and RFC 3580-capable wireless access points work with a NAC Gateway; non-intelligent wireless, VPN, non-intelligent edge switches and shared-access LAN segments work with a NAC Controller; both are administered from NAC Manager.]
Enterasys NAC - Components
Management
• Enterasys NAC Manager
  Software plugin to NetSight Console
  Centralized administration of NAC Gateways and Controllers
Detection, Authentication, Remediation, Assessment
• Enterasys NAC Gateway
  (Proxy) RADIUS
  Remediation and Registration
  Optional Assessment Service integrated
• Assessment Service (optional)
  Nessus, Retina Eye, Enterasys
  Interface to integrate other servers
Authorization
• Enterasys Matrix™ and SecureStack™ switches, HiPath WLAN, RoamAbout
  and/or
• Third-party switch or WLAN access point (RFC 3580-compliant)
  and/or
• NAC Controller (includes all Gateway functions and the Assessment Service)
NAC Gateway – with "any" access device
• Policy mapping table in NAC 3.2: creates independence from device type and topology
  More flexible VLAN-name-based approaches
  Globally configured
  Location based = switch IP and switch port (and APs, SSIDs etc.)
• Will also support authorization methods like Cisco ACL, Login-LAT-Group or a combination of these, along with fully customizable RADIUS attributes to map a policy to an appropriate authorization alternative
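As an added example (not Enterasys code, and not the NAC Gateway's actual mapping table), the following Python models a policy mapping table of the kind described above: a NAC policy name is optionally overridden per location (switch IP and port), then translated into the RADIUS attributes the particular access device understands. The device categories, policy names, VLAN names, ACL names and the lobby-port override are constructed; the Tunnel-* attributes follow RFC 3580, while the Filter-Id formats used for the Enterasys and Cisco cases are assumptions.

```python
"""Added example: NAC policy-mapping table resolving a policy name to RADIUS
authorization attributes per access-device kind and location (constructed)."""
from dataclasses import dataclass

TUNNEL_TYPE_VLAN = 13    # RFC 2868 Tunnel-Type value "VLAN" (used by RFC 3580)
TUNNEL_MEDIUM_802 = 6    # RFC 2868 Tunnel-Medium-Type value "IEEE 802"


@dataclass(frozen=True)
class AccessDevice:
    ip: str
    kind: str   # "enterasys-policy", "rfc3580" or "cisco-acl" (constructed categories)


def vlan_attrs(name):
    # Standard RFC 3580 VLAN assignment understood by any RFC 3580-capable switch or AP
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN, "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
            "Tunnel-Private-Group-ID": name}


# Globally configured mapping table (constructed): policy -> attributes per device kind.
# The Filter-Id formats for Enterasys policy names and Cisco ACL names are assumptions.
POLICY_MAP = {
    "Phone": {"enterasys-policy": {"Filter-Id": "Enterasys:version=1:policy=Phone"},
              "rfc3580": vlan_attrs("VOICE"),
              "cisco-acl": {"Filter-Id": "VOICE-ACL.in"}},
    "Enterprise User": {"enterasys-policy": {"Filter-Id": "Enterasys:version=1:policy=Enterprise User"},
                        "rfc3580": vlan_attrs("STAFF"),
                        "cisco-acl": {"Filter-Id": "STAFF-ACL.in"}},
    "Guest": {"enterasys-policy": {"Filter-Id": "Enterasys:version=1:policy=Guest"},
              "rfc3580": vlan_attrs("GUEST"),
              "cisco-acl": {"Filter-Id": "GUEST-ACL.in"}},
    "Quarantine": {"enterasys-policy": {"Filter-Id": "Enterasys:version=1:policy=Quarantine"},
                   "rfc3580": vlan_attrs("QUARANTINE"),
                   "cisco-acl": {"Filter-Id": "QUARANTINE-ACL.in"}},
}

DEFAULT_POLICY = "Quarantine"   # default authorization for anything that does not resolve

# Location-based overrides keyed by (switch IP, port). Constructed case: a lobby port
# never hands out Enterprise User, whatever the RADIUS decision for the user was.
LOCATION_OVERRIDES = {("10.9.9.8", "fe.0.15"): {"Enterprise User": "Guest"}}


def resolve_policy(policy, switch_ip, port):
    """Apply the location override, then fall back to the default for unknown policies."""
    effective = LOCATION_OVERRIDES.get((switch_ip, port), {}).get(policy, policy)
    return effective if effective in POLICY_MAP else DEFAULT_POLICY


def authorize(policy, device, port):
    """Return (effective policy, RADIUS attributes) for one authentication on one port."""
    effective = resolve_policy(policy, device.ip, port)
    attrs = POLICY_MAP[effective].get(device.kind)
    if attrs is None:
        # A device kind with no mapping is a configuration error, not a silent allow.
        raise ValueError(f"no authorization mapping for {effective!r} on {device.kind!r}")
    return effective, dict(attrs)


if __name__ == "__main__":
    print(authorize("Phone", AccessDevice("10.9.9.9", "rfc3580"), "fe.1.8"))
    print(authorize("Enterprise User", AccessDevice("10.9.9.8", "enterasys-policy"), "fe.0.15"))
```

The same policy name therefore yields a Filter-Id on an Enterasys switch, Tunnel-* VLAN attributes on a third-party RFC 3580 switch and an ACL name on a Cisco device, which is what makes the policy decision independent of the edge hardware.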
Open Communication Solution for Location and Identity Assurance: Enterasys NAC / Siemens HiPath DLS
[Figure: the Enterasys NAC appliance and NAC Manager on the wired LAN on one side, the Siemens HiPath DLS and the HiPath/OpenScape platform on the other. Event-based synchronization of databases via API: IP phone, phone number, switch, switch port, building, room. The database with the physical infrastructure / cabling (wall socket, building, room) is set up by professional services.]

Phone number | Phone IP address | Phone MAC address | Switch name | Switch IP address | Switch port | Building | Room | Wall jack | Phone software
12345 | 10.1.1.10 | xx-xy-yy-yz-zz-az | Access 1 | 10.9.9.8 | fe.0.15 | B. A | 130 | 3 | 4.2.4
34567 | 10.1.1.18 | aa-bb-cc-dd-ee-ff | Access 2 | 10.9.9.9 | fe.1.8 | B. B | 241 | 1 | 4.2.4
56789 | 10.1.1.25 | ab-cd-ef-gh-ij-kl | Access 3 | 10.9.9.10 | fe.2.21 | B. A | 412 | 2 | 4.2.2
OCS LIA Integrator/Middleware – SOA based
"Agile enterprises use service-oriented architectures (SOAs) and extend SOA with events where appropriate. Service and event architectures make enterprise computing more effective and flexible than traditional, monolithic 'stovepipe' systems. Success requires a knowledge of common deployment patterns and fundamental success factors."
Source: Gartner, 4 April 2007, Applied SOA: Transforming Fundamental Principles Into Best Practices
OCS LIA Integrator/Middleware – SOA and Web Services
• WSDL (Web Services Description Language) is the proposed standard used for the service interface definition in most new development tools
• XML (eXtensible Markup Language) is used to transport the messages in machine-to-machine communication over IP-based networks
• OCS LIA is based on these widely accepted and deployed standards
OCS LIA Integrator/Middleware – General Features
• Synchronize endsystem data from NetSight (NAC) database to HiPath DLS
• Synchronize VoIP phone number, type and SW version to NetSight endsystem database
• Detect HiPath DLS restarts (for full re-sync)
• Detect new phones on DLS side (for individual sync)
• Periodic cache cleanup to eliminate old outdated cache entries
• Retry mechanism in case of unreachable external systems
• Detection of IP mismatch due to VLAN configuration with delayed DLS update (to prevent DLS jobs sent to old device IP)
• Flexible logging configuration
• Very flexible component configuration
• Support of multiple switches
• Support of multiple DLS servers
Open Communication Solution for Location and Identity Assurance: IP Infrastructure Cache
All device-relevant data from NetSight, the HiPath DLS servers and the switches is collected and cached within the Integrator using an internal cache. The IP infrastructure data record used here contains the following information:
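As an added example (not the OCS LIA Integrator's own code), the following Python models the integrator's cache and the synchronization behaviour listed on the previous slide: a record per phone MAC holding the fields of the IP infrastructure data record, an event from NetSight (switch, port, IP) joined with the cabling database to a building/room/wall jack, an event from the DLS (phone number, type and software version), deferral of the DLS update while the IP seen by NAC and the IP held by the DLS disagree after a VLAN change, a full re-sync on DLS restart, and periodic cleanup of stale entries. The event handler names, the job format, the return strings, the TTL and all sample values are constructed.

```python
"""Added example: a model of the OCS LIA integrator cache with NetSight/DLS
synchronization, deferred DLS updates on IP mismatch, re-sync and cleanup."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class CacheRecord:
    mac: str
    phone_ip: str = ""        # address NetSight/NAC currently reports for the endsystem
    dls_ip: str = ""          # address the DLS currently holds for the phone
    phone_number: str = ""
    phone_software: str = ""  # device type and software version, from the DLS
    switch_name: str = ""
    switch_ip: str = ""
    switch_port: str = ""
    building: str = ""
    room: str = ""
    wall_jack: str = ""
    last_seen: int = 0


class Integrator:
    def __init__(self, cabling: Dict[Tuple[str, str], Tuple[str, str, str]],
                 now: Callable[[], int], ttl: int = 3600):
        self.cabling = cabling          # (switch IP, port) -> (building, room, wall jack)
        self.now, self.ttl = now, ttl   # injectable clock makes the cleanup testable
        self.cache: Dict[str, CacheRecord] = {}
        self.deferred: Set[str] = set()  # MACs whose DLS job waits for the DLS to learn the new IP
        self.dls_jobs: List[dict] = []   # jobs that would be sent to the DLS web service

    def _push_location(self, rec: CacheRecord) -> None:
        self.dls_jobs.append({"target_ip": rec.phone_ip, "mac": rec.mac,
                              "location": f"{rec.building}/{rec.room}/{rec.wall_jack}",
                              "switch": f"{rec.switch_name}:{rec.switch_port}"})

    def on_netsight_event(self, mac, ip, switch_name, switch_ip, port) -> str:
        rec = self.cache.setdefault(mac, CacheRecord(mac=mac))
        rec.phone_ip, rec.switch_name, rec.switch_ip, rec.switch_port = ip, switch_name, switch_ip, port
        rec.building, rec.room, rec.wall_jack = self.cabling.get((switch_ip, port), ("?", "?", "?"))
        rec.last_seen = self.now()
        if not rec.dls_ip:
            return "cached"            # the DLS does not know this endsystem yet
        if rec.dls_ip != ip:
            self.deferred.add(mac)     # VLAN move changed the IP; a job now would go to the old address
            return "deferred"
        self._push_location(rec)
        return "sent"

    def on_dls_event(self, mac, ip, phone_number, phone_software) -> str:
        rec = self.cache.setdefault(mac, CacheRecord(mac=mac))
        rec.dls_ip, rec.phone_number, rec.phone_software = ip, phone_number, phone_software
        rec.last_seen = self.now()
        if mac in self.deferred and rec.phone_ip == ip:
            self.deferred.discard(mac)  # both sides agree again: release the held job
            self._push_location(rec)
            return "sent-deferred"
        return "updated"

    def on_dls_restart(self) -> int:
        """Full re-sync: push every record whose addresses agree on both sides."""
        count = 0
        for rec in self.cache.values():
            if rec.dls_ip and rec.dls_ip == rec.phone_ip:
                self._push_location(rec)
                count += 1
        return count

    def cleanup(self) -> int:
        """Drop entries not refreshed within the TTL; returns the number removed."""
        t = self.now()
        stale = [m for m, r in self.cache.items() if t - r.last_seen > self.ttl]
        for m in stale:
            del self.cache[m]
            self.deferred.discard(m)
        return len(stale)

    def endsystem_view(self, mac) -> tuple:
        """What NAC Manager would show as additional endsystem data."""
        r = self.cache[mac]
        return (r.phone_number, r.phone_software, r.switch_name, r.switch_port,
                r.building, r.room, r.wall_jack)


def run_scenario():
    """Constructed sequence: phone learned by DLS, located by NAC, moved to a
    port in another VLAN (new IP), then DLS catches up."""
    clock = {"t": 0}
    cabling = {("10.9.9.9", "fe.1.8"): ("B. B", "241", "1"),
               ("10.9.9.8", "fe.0.15"): ("B. A", "130", "3")}
    integ = Integrator(cabling, now=lambda: clock["t"])
    mac, sw = "aa-bb-cc-dd-ee-ff", "OpenStage 80:V1 R4.14.0"
    results = []
    clock["t"] = 1; results.append(integ.on_dls_event(mac, "10.1.1.18", "34567", sw))
    clock["t"] = 2; results.append(integ.on_netsight_event(mac, "10.1.1.18", "Access 2", "10.9.9.9", "fe.1.8"))
    clock["t"] = 3; results.append(integ.on_netsight_event(mac, "10.1.1.40", "Access 1", "10.9.9.8", "fe.0.15"))
    clock["t"] = 4; results.append(integ.on_dls_event(mac, "10.1.1.40", "34567", sw))
    return integ, results, clock


if __name__ == "__main__":
    integ, results, _ = run_scenario()
    print(results, integ.dls_jobs)
```

The deferral is the security-relevant detail: after NAC moves the phone into the voice VLAN its address changes, and a DLS job addressed to the old IP would either fail or reach whatever device now holds that address, so the integrator waits until the DLS itself reports the new IP before sending location data.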
Open Communication Solution for Location and Identity Assurance: data exchange
• The exchanged data is presented as additional endsystem data in the NAC Manager but also on the HiPath DLS
[Figure: Enterasys NMS NAC Manager endsystem view showing the device phone number (e.g. 43254) and the device type and SW version (e.g. OpenStage 80:V1 R4.14.0); the DLS IP Infrastructure view alongside it.]
Open Communication Solution for Location and Identity Assurance: location based configuration
[Figure: Siemens OpenStage VoIP phone.]
The value of using Enterasys switch hardware: multi-user authentication AND policy
[Figure: an Enterasys switch (DFE) with MUA & Policy logic in front of a RADIUS authority; authentication methods 802.1X, PWA and MAC. On port X, SMAC = Anita presents 802.1X credentials (802.1X login) and receives Filter-ID policy sales; SMAC = Bob presents PWA credentials (PWA login) and receives Filter-ID policy credit; SMAC = Phone is authenticated by its MAC traffic (MAC credentials) and receives Filter-ID policy phone. Each login installs a dynamic admin rule, so the policies Sales, Credit and Phone apply concurrently on the same port.]
• Inherent advantage: from 2 (3) up to 2048 devices per port and system
• Supported by B/C/G/D and N/NGN/S Series (partially dependent on licenses)
• Different authentication methods, in any combination per port/user (depending on the product):
  802.1X, PWA (Web), MAC authentication, RADIUS, Kerberos, default role, ...
• Single physical interface but multiple roles (and VLANs)
The value of using Enterasys switch hardware: authorization/policy – roles & rules
[Figure: roles, services and rules. Roles: Network Administrator, VOIP, Office, Non-Office (plus a Faculty role denied the Server Farm). Services: Administrative Protocols, Acceptable Use, Legacy Protocols, SIP Only. Rules: Deny RIP, Deny OSPF, Deny AppleTalk, Deny IPX, Deny DHCP Reply, Deny IP Range, Allow ARP/DNS, Allow RTP 128 kbit/s, Allow SNMP, Allow SIP 2 Mbit/s, Deny SNMP, Deny Telnet, Deny TFTP, Drop AppleTalk, Drop IPX, Drop DECnet.]
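As an added example (not Enterasys policy-manager code), the following Python models the role → service → rule hierarchy of the slide above together with the per-port multi-user authentication of the preceding slide: several source MACs on one physical port are each admitted with their own RADIUS Filter-Id and therefore evaluated against their own role. Rule names follow the slide; the grouping of rules into services, the role-to-service assignment, the default actions, the Filter-Id format, the server-farm address range and the MAC/flow samples are constructed.

```python
"""Added example: role -> service -> rule evaluation for several authenticated
users on one switch port. Constructed model, not Enterasys code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str   # protocol name, e.g. "sip", "rtp", "telnet"
    dst: str     # destination IPv4 address


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny" (drop)
    protos: frozenset = frozenset()   # protocols matched; empty set = any protocol
    dst: Optional[str] = None         # destination CIDR matched; None = any destination
    rate_kbps: Optional[int] = None   # rate limit applied to allowed traffic

    def matches(self, flow: Flow) -> bool:
        if self.protos and flow.proto not in self.protos:
            return False
        if self.dst is not None and ip_address(flow.dst) not in ip_network(self.dst):
            return False
        return True


# Services group rules. Rule names are from the slide; the grouping is constructed.
SERVICES = {
    "Administrative Protocols": [
        Rule("deny", frozenset({"rip", "ospf", "dhcp-reply", "snmp", "telnet", "tftp"}))],
    "Admin Access": [Rule("allow", frozenset({"snmp"}))],
    "Legacy Protocols": [Rule("deny", frozenset({"appletalk", "ipx", "decnet"}))],
    # "Deny IP Range": the faculty server farm, constructed as 10.50.0.0/16
    "Acceptable Use": [Rule("deny", dst="10.50.0.0/16")],
    "SIP Only": [
        Rule("allow", frozenset({"arp", "dns"})),
        Rule("allow", frozenset({"rtp"}), rate_kbps=128),
        Rule("allow", frozenset({"sip"}), rate_kbps=2000)],
}

# Roles list their services in evaluation order plus the default action.
ROLES = {
    "Network Administrator": (["Admin Access", "Legacy Protocols"], "allow"),
    "VOIP": (["SIP Only", "Legacy Protocols"], "deny"),       # phones get nothing else
    "Office": (["Administrative Protocols", "Legacy Protocols"], "allow"),
    "Non-Office": (["Administrative Protocols", "Legacy Protocols", "Acceptable Use"], "allow"),
}


def evaluate(role: str, flow: Flow) -> Tuple[str, Optional[int]]:
    """First matching rule across the role's services wins; otherwise the role default."""
    service_names, default = ROLES[role]
    for name in service_names:
        for rule in SERVICES[name]:
            if rule.matches(flow):
                return rule.action, rule.rate_kbps
    return default, None


class PortSessions:
    """One physical port, many authenticated source MACs, each with its own role."""

    def __init__(self, port: str):
        self.port = port
        self.sessions = {}   # source MAC -> (authentication method, role)

    def admit(self, smac: str, method: str, filter_id: str) -> str:
        # Filter-Id of the assumed form "Enterasys:version=1:policy=<role>"
        if "policy=" not in filter_id:
            raise ValueError(f"unparseable Filter-Id {filter_id!r}")
        role = filter_id.rsplit("policy=", 1)[1]
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r} for {smac} on {self.port}")
        self.sessions[smac] = (method, role)
        return role

    def check(self, smac: str, flow: Flow) -> Tuple[str, Optional[int]]:
        if smac not in self.sessions:
            return "deny", None        # an unauthenticated MAC on the port gets nothing
        _, role = self.sessions[smac]
        return evaluate(role, flow)


def demo_port() -> PortSessions:
    """Constructed port with the three sessions of the slide: Anita, Bob and a phone."""
    port = PortSessions("fe.0.15")
    port.admit("00:00:00:00:00:01", "802.1X", "Enterasys:version=1:policy=Office")
    port.admit("00:00:00:00:00:02", "PWA", "Enterasys:version=1:policy=Non-Office")
    port.admit("00:00:00:00:00:03", "MAC", "Enterasys:version=1:policy=VOIP")
    return port


if __name__ == "__main__":
    p = demo_port()
    print(p.check("00:00:00:00:00:03", Flow("rtp", "10.1.1.18")))
```

Note that the phone's role has a deny default, so anything that is not SIP, RTP, ARP or DNS is dropped at the port regardless of what the office user beside it is allowed; a compromised phone on a shared port therefore cannot inherit the PC's authorization.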
NAC – other application scenarios
Corporate & Regulatory Compliance
  Can I enforce these regulations prior to granting network access?
  Do I have reporting and auditing tools to verify compliance?
Network Usage
  Who is using the network infrastructure? Are these users authorized?
  Does access correspond to organizational role?
Workstation Security
  Does the system have up-to-date OS patches? Does every system conform to corporate security standards?
Guest Users
  Does a guest system contain threats? Can I limit access for guest users?
Non-Workstation End Systems
  Is this device what it claims to be? Can I assess its security posture?
  Can I locate rogue access points, hijacked print servers etc.?
IAM - principles
• Network technology, distributed computing and the Internet have made it possible to dramatically extend application and information access to users well beyond the typical organizational boundaries. The related security risks, management issues and compliance requirements must be addressed:
  o Who is accessing my applications or data?
  o What are they authorized to do?
  o Should they have those authorizations?
• The tools that allow these questions to be answered and control over users and their access to be maintained make up an identity and access management (IAM) solution
NAC & IAM integration - Why
• NAC is a very useful tool in reducing and controlling the risks to your network infrastructure. However, although it relies on user authentication, on its own this is really no more than a means to identify a device.
• The problems of providing each individual user with only the access they are authorised for, and no more, remain. The solution is to tie the authentication process with a robust identity management (IDM) solution, applying network controls to an individual or a well-defined group. This process is sometimes referred to as Identity Driven Networking (IDN).
NAC & IAM – Positioning
[Figure: Enterasys NAC Gateway and Enterasys NAC Controller as PEP and PDP (Policy Enforcement Point, Policy Decision Point). Access methods: 802.1X, MAC, Web. Authentication protocols toward MS-NPS (RADIUS): EAP-PEAP [TNCCS-SOH], PAP, CHAP, EAP-MD5; toward the directory: LDAP and Kerberos. Health check via the MS agent (802.1X) or the Enterasys agent. Further interfaces: IF-MAP, XML API to the SIEM, location, asset management, policy provisioning and assignment via XML API.]
NAC & IAM integration - Advantages
• Users are managed centrally in the IDM system for all connected applications (including the network).
• The process of managing joiners, movers and leavers can be automated and linked to other key processes (e.g. HR).
• Users are automatically added or deleted when they join and leave the organisation. This not only eases the administrative burden for IT support, but also enhances security because users have their access revoked or suspended the moment they leave.
[Figure: an enforcement point between the corporate LAN and the Internet, connected to the NAC system, the IDM and HR system, the corporate resources and a remediation server. Guest users are allowed to connect to the WWW; employees can access general corporate resources; managers can additionally access the HR server; non-compliant employees are directed to the remediation server.]
NAC & IAM - Status
• Integration of Enterasys NAC and the SEN TISA – Totally Integrated Security Architecture
  Proof of concept shown at the Open Minds event in April 2009
  Plans to show at Interop 2009
  Joint whitepaper available on BeFirst
• Currently based on NAC 3.2 with LDAP integration (role/policy assignment based on LDAP attributes) and Kerberos-based authentication
  Official integration and documentation underway
  Possible web- and 802.1X-based integration
First Win – Higher Education Vertical
European School of Management and Technology (ESMT), Berlin, Germany
Business Drivers:
  Segregated data and telecom networks
  IP phone inventory and config management was cumbersome
  No single view of IP comms infrastructure and devices for admin and management
ESMT Solution:
  Enterasys NMS and NAC solution
  HiPath DLS
  Full policy-enabled networking infrastructure with N-Series switches
  Voice/Telephony: HiPath 3000
Case Results:
  Low cost, low effort to integrate ETS and SEN components (within one week)
  Total view (location, state, posture) of IP devices throughout the network under one management domain
  Rules-based policy enforcement, error flagging and notification in real time
“The open architecture and integration of SEN and Enterasys’ systems required minimal effort from our team. Their professional services experts succeeded in implementing an overarching management system in just one week, saving us a huge amount of work while at the same time making communication more secure.”
Thomas Giese, IT Network Services for ESMT.
More questions
• Just contact
Markus Nispel
VP Solutions Architecture
Enterasys Networks
Solmsstrasse 83
60486 Frankfurt
Phone: +49 69 47860 253
Fax: +49 69 47860 364
Cell: +49 172 8638003
Email: [email protected]
www: http://www.enterasys.com
Inderpreet Singh
Director, Solutions Architecture
Converged Networks and Security
Siemens Enterprise Communications
271 Mill Road
Chelmsford, MA 01824
USA
Phone: +1 978 367 7604
Cell: +1 978 764 6855
Email: [email protected]
Please contact us if you have additional input on potential joint solutions of Enterasys and SEN
“There is nothing more important than our customers”
Thank You