© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Tw2392 suhay imc getting started with byod_final



IMC BYOD Workshop: Getting Started
TW2392
Bob Suhay & Juliano Forti / June 5, 2012


Balancing Security and Ease of Use

[Chart: Balancing Security and Ease of Use. Axes: Security (Protected / Vulnerable) and Ease of Use (Easy to Deploy / Complex). Approaches plotted: 802.1x + Fingerprinting; MAC Authentication / Fingerprinting. Market segments: Enterprise, SMB.]


Features and Technologies

Network Access Control Requirements

• Identity and Access Management: Real-time, Device and OS Agnostic (802.1X, Fingerprinting, Portal, Client, Digital Certificates)
• Policy Enforcement: Who, What, When, Where (VLAN, ACL, URL Filtering, Location, Time-of-day)
• Health and Compliance: Patch Management, Application Control (WSUS / Live Application Policy Enforcement)
• Quarantine: Real-time Detection, Location and Isolation (HP TippingPoint IPS Integration)
• Active vs. Passive: Access Control vs. Access Detection

Guest and Employee Access Control Requirements

Requirement                    Guests: BYOD   Employees: Company Asset   Employees: BYOD
MAC Authentication                   4                    3                      3
Portal Authentication                4                    0                      3
Device Finger Printing               4                    0                      3
Policy Enforcement 4 “W’s”           4                    4                      4
802.1x Authentication                0                    4                      3
Digital Certificates                 0                    4                      3
Client Posture                       0                    4                      3
User Behavior Analysis               2                    4                      4


Device Fingerprinting Solutions

Device Fingerprinting with Active Solutions

• SuperScan: Run TCP port scanner
• MetaSploit: Analyze Vulnerability and Ports
• NMAP: Use Port scanning, Probes
• HP iNode: HP Portal, 802.1X and VPN Client

Device Fingerprinting with Passive Solutions

• DHCP Options: Analyze DHCP Request Options
• HTTP User Agent: View HTTP User-Agent Details
• MAC OUI: Use MAC Prefix to Determine Vendor

Fingerprinting via MAC OUI (Vendor ID)

• MAC OUI: 00-30-6E-xx-xx-xx
• Assigned by IEEE to Specific Vendors
• Usually only identifies Device Vendor, not device type
• Easy to change with Locally Administered Addresses
• Example: HP MAC Prefixes: 00-30-6E, 00-80-A0, 08-00-09, 08-2E-5F, 80-C1-6E, A0-B3-CC, AC-16-2D, E4-11-5B, E8-39-35, EC-9A-74
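An added example (not HP/IMC code) that puts the caveat above into a check: before looking up the vendor prefix it tests the locally administered (U/L) bit of the first octet, because a locally administered address carries no vendor information. The OUI set is the slide's HP prefix list; the function names are this example's own.

```python
# Added example, not HP/IMC code. The OUI set is the HP prefix list from the slide.
HP_OUIS = {"00-30-6E", "00-80-A0", "08-00-09", "08-2E-5F", "80-C1-6E",
           "A0-B3-CC", "AC-16-2D", "E4-11-5B", "E8-39-35", "EC-9A-74"}

def normalize(mac):
    """Accept 00:30:6e:..., 0030.6e12...., or 00-30-6E-... and return 'AA-BB-CC-DD-EE-FF'."""
    digits = "".join(c for c in mac.upper() if c in "0123456789ABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def oui_vendor(mac, ouis=HP_OUIS, vendor="HP"):
    """Return 'locally-administered', the vendor name, or 'unknown' for a MAC address."""
    mac = normalize(mac)
    first_octet = int(mac[:2], 16)
    if first_octet & 0x02:   # U/L bit set: address was assigned locally, so the OUI means nothing
        return "locally-administered"
    return vendor if mac[:8] in ouis else "unknown"
```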

Fingerprinting via DHCP Request Monitoring

• Device Classification Based on DHCP Request Options / Fields
• Can Change by Software Version / Vendor Implementation

Example fingerprint database entries (one comma-separated list of requested DHCP options per line between <<EOT and EOT):

[os 907]
description=HP ProCurve 3500yl
fingerprints=<<EOT
1,3,4,23,67,66,43
EOT

[os 1102]
description=Apple iPod, iPhone or iPad
fingerprints=<<EOT
1,3,6,15,119,78,79,95,252
1,3,6,15,119,252
1,3,6,15,119,252,46,208,92
1,3,6,15,119,252,67,52,13
EOT

[os 1103]
description=HTC Android
fingerprints=<<EOT
1,121,33,3,28,51,58,59
EOT

Fingerprinting via DHCP Request Monitoring (cont.)

• Not 100% Reliable
• Many Overlapping Device Signatures

[os 1111]
description=Generic Android
# 1,121,33,3,6,28,51,58,59 disambiguated from HTC
# - confirmed as HTC ADP1 with 1.5
# - confirmed as Samsung Galaxy S running Android 2.2
# - also seen on two other MAC vendor (Samsung, Motorola) unconfirmed device,
# 1,3,6,28,33,51,58,59,121 disambiguated from HTC: seen on three other MAC Vendor (Sony-Ericsson, Maruta, Samsung, Motorola)
# 1,121,33,3,6,15,28,51,58,59,119 disambiguated from HTC by community member.
# - seen as Samsung (Galaxy S and Nexus S) running Android 2.2 and 2.3.6
# 1,121,33,3,6,12,15,28,51,58,59,119 disambiguated from Pantech Android: seen on a Samsung MAC Vendor
fingerprints=<<EOT
1,121,33,3,6,28,51,58,59
1,3,6,28,33,51,58,59,121
1,121,33,3,6,15,28,51,58,59,119
1,121,33,3,6,12,15,28,51,58,59,119
EOT
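An added example (not HP/IMC code) that parses entries in the fingerprint database syntax shown on these two DHCP slides and classifies a client from the option bytes of its DHCP request; the database text and the DHCP option bytes are constructed for the example, and a result holding more than one description is the overlap the slide warns about.

```python
# Added example, not HP/IMC code: parse a fingerprint DB in the [os N] / fingerprints=<<EOT
# syntax from the slides and classify a client by DHCP option 55. DB text is constructed.
FINGERPRINT_DB = """
[os 1103]
description=HTC Android
fingerprints=<<EOT
1,121,33,3,28,51,58,59
EOT
[os 1111]
description=Generic Android
# 1,121,33,3,6,28,51,58,59 disambiguated from HTC
fingerprints=<<EOT
1,121,33,3,6,28,51,58,59
1,3,6,28,33,51,58,59,121
EOT
"""
def parse_db(text):
    """Map each fingerprint string (option order is significant) to the OS names claiming it."""
    index, desc, in_block = {}, None, False
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):       # comments hold the disambiguation notes
            continue
        if line.startswith("description="):
            desc = line.split("=", 1)[1]
        elif line == "fingerprints=<<EOT":
            in_block = True
        elif line == "EOT":
            in_block = False
        elif in_block and desc:
            index.setdefault(line, []).append(desc)
    return index

def option55(options):
    """Walk the DHCP option TLVs in `options` (bytes) and return the option 55 request list."""
    i = 0
    while i < len(options) and options[i] != 255:  # 255 = End option
        if options[i] == 0:                          # 0 = Pad, carries no length byte
            i += 1
            continue
        code, length = options[i], options[i + 1]
        if code == 55:
            return list(options[i + 2:i + 2 + length])
        i += 2 + length
    return []

def classify(options, db=parse_db(FINGERPRINT_DB)):
    """OS descriptions whose fingerprint equals the client's list: [] unknown, >1 ambiguous."""
    return db.get(",".join(map(str, option55(options))), [])

# Constructed DHCP Discover options: 53 (type=Discover), 55 (request list), 255 (end).
HTC_REQ = bytes([53, 1, 1, 55, 8, 1, 121, 33, 3, 28, 51, 58, 59, 255])
```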

Fingerprinting via HTTP User-Agent Analysis

• Attempts to determine device type based on HTTP User-Agent details
• Example – Same Device – Two Different Browsers
  • Your User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
    Your IP Address: 166.249.193.65
  • Your User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
    Your IP Address: 166.249.193.65

Results of Passive and Active Fingerprinting

Passive Fingerprinting (MAC, DHCP, HTTP) produces a “Best Guess”
• Useful to Classify Unsecure Devices for Policy enforcement
• Guests & Employee BYOD

Resident or Dissolvable Client: “No false positive”
• Provides Visibility to “full” OS & Device Details
• Allow for Device Posture Checking
• Can provide “Control” of End Device
  • USB Management
  • Proxy Control
  • Many others


HP Identity-Aware Solution Positioning

[Chart: HP Identity-Aware Solution Positioning. Axes: Security (Protected / Vulnerable) and Ease of Use. Products plotted: HP IMC; HP IMC SNAC. Market segments: Enterprise, SMB.]

HP Identity-Aware Solution Comparison

Capability                      IMC SNAC   IMC UAM + EAD
MAC Authentication                 4             4
Portal Authentication              4             4
Device Finger Printing             1             4
Policy Enforcement 4 “W’s”         4             4
802.1x Authentication              0             4
Digital Certificates               2             4
Client Posture Check               0             4
User Behavior Analysis             4             4
HP Wired and Wireless Support      4             4


HP Identity-Aware Solution for BYOD

HP Identity-Aware Solution – BYOD Architecture
One Network, One Policy, Any Device with Single Pane-of-Glass Management

[Diagram labels: Authentication; Device Agnostic; Network Agnostic; User Security Check; Time Aware; Location Aware; Authorization; Audit; Traffic Monitoring; User Behavior; User Self-Service; Monitoring; Provisioning; Policy enforcement based on level of trust; Traffic and User Behavior Analysis; User registration; Device profiling; Onboarding; Employee; Guest.]

HP Identity-Aware Solution – BYOD
Combined Infrastructure and Access Management for BYOD, Wired and Wireless

• Seamless Wired and Wireless management
• BYOD user and device management
• Security policy provisioning and enforcement
• Network traffic monitoring
• User behavior analysis by user and device type
• Posture check and agent control

HP Identity-Aware – BYOD Diagram

[Diagram labels: IMC with UAM (Mandatory), EAD, UBA/NTA, WSM; Access Switch (Agnostic); WLAN Controller; AP; Employee; Guest; DHCP; DHCP Server; DHCP IMC Plugin; Core Switch (Comware); BYOD.]


HP IMC BYOD


HP IMC BYOD Demonstration


Thank you