Aruba 360 Secure Fabric
Paul Gallant, Eng., CWNA, CWSP, ACCA, ACSA, ACEAP, ACMX #377, ACDX #380
System Engineer – Quebec Region
About the speaker: Paul Gallant, Eng., CWNA, CWSP, ACCA, ACSA, ACMX #377, ACDX #380
• More than 20 years of experience in telecommunications
• Experience:
  • Banking system integration
  • Embedded software development in security appliances (firewall, VPN)
  • Numerous wired and wireless deployments at national and international scale
• Passionate trainer
AGENDA
Current state
• Devices
• Applications
• Threats
Solutions
• Visibility and control
• Automation and agility
• Solution portfolio
Aruba Networks + HP = HPE
Source: Gartner Magic Quadrant for the Wired and Wireless LAN Access Infrastructure, October 2017. Tim Zimmerman, Bill Menezes, Andrew Lerner, ID Number: G00277052. This Magic Quadrant graphic was published by Gartner Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from HP. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
HPE and Aruba… Better Together!
Rapidly Changing Security Landscape
• Focused, targeted attacks: attacks change more rapidly than traditional defenses can combat, while digital assets continue to increase in value and vulnerability.
• Expanding points of vulnerability: mobile, cloud and BYOD are breaking down the traditional perimeter, so some attacks will inevitably get inside the network.
• Security team under stress: security teams are understaffed and work with inefficient tools; they need analytics-driven insights to focus on the right threats before damage is done.
Smart Buildings | Smart Retail | Smart Manufacturing | Smart Hospitals
Object Assisted Intelligence
Smart Manufacturing: manufacturing IoT integration
IoT connectivity types
• 72% of connections will be short range by 2025
• Short range: Wi-Fi, Ethernet, BLE, Zigbee…
• Wide area: LoRa, Sigfox, 5G backhaul
DYN attack – video surveillance devices (XiongMai Technologies)
LifeCare PCA™ Infusion System (Hospira)
Drug infusion pump is the "least secure IP device" he's ever seen
https://ics-cert.us-cert.gov/advisories/ICSA-15-090-03
Static perimeter defense: IDS/IPS, firewalls, physical components, A/V, web gateways
Adaptive Trust – Zero Tolerance: the same IDS/IPS, firewalls, physical components, A/V and web gateways, plus security and policies for every user or group
A new defense model is required
Aruba 360 Secure Fabric simplifies digital enterprise security
Aruba 360 Secure Fabric
• Aruba Secure Core: Secure Boot | Encryption | DPI | VPN | IPS | Firewall
• ClearPass | IntroSpect: integrated threat response
• Aruba 360 Secure Exchange
Active cyber-protection and 360° secure access
From access, core, WAN and cloud – covers all networks
Need for a Unified Access Policy Management
From the network edge to the network core, access policy today lives in silos: Profiler, EMM/MDM, NAC, TACACS, RADIUS, Guest, device enrolment.
Users: visitor, employee, BYOD for employees, IoT/machines, contractor, administrator
Identity sources: AD/LDAP, SQL, token, PKI
ClearPass: consistent policy enforcement and end-user experience
Visibility and Control
• Embedded DPI: Layer 7 analysis
• Reputation-based web content filtering: filter inappropriate web content, prioritize cloud applications, block inappropriate content
• RBAC – Role-Based Access Control: enforce a security context based on user / device / location
• Intelligent traffic control with AppRF™: critical applications are prioritized; bandwidth is allocated to applications based on the organization's productivity goals (high, normal and low priority)
Identity-based Dynamic Segmentation: Per User Tunneled Node
• Primary user role (switch)
  • User/device VLAN assignment
  • Access policy can be dynamically downloaded from ClearPass
  • Initializes a user tunnel with "tunneled-node-server-redirect", which contains the secondary user role
• Secondary role (controller)
  • Assigns firewall rules and controller-based access policy
  • Can also be dynamically downloaded from ClearPass
Applies to both the wired access point (switch) and the wireless access point.
ClearPass for wired and wireless security enforcement
ClearPass OnConnect for easy wired NAC enforcement
Aruba ClearPass uses SNMP enforcement to place devices with no 802.1X capability (for example a printer VLAN and an infusion pump VLAN) alongside the existing 802.1X wired/wireless support.
• Built-in device-centric security for all non-AAA-ready customers
• Easy to configure on legacy multivendor switches
• Leverages ClearPass profiling for wired/wireless – IoT, laptops, mobile phones
Profiling Methods: ensures proper device visibility
Passive profiling
– DHCP fingerprinting (MAC OUI & certain options), collected via DHCP relay or SPAN
– HTTP User-Agent
– AOS IF-MAP interface, Guest and Onboard workflows
– TCP fingerprinting (SYN, SYN/ACK), collected via SPAN
– ARP, collected via SPAN
– Cisco Device Sensor
– NetFlow/IPFIX, identifies open ports
Active profiling
– Windows Management Instrumentation (WMI)
– Nmap
– MDM/EMM
– SSH
– ARP table, via SNMP
– MAC/interface table, via SNMP
– CDP/LLDP table, via SNMP
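Passive DHCP fingerprinting as listed above, shown as an added Python example that is not Aruba's or ClearPass's code: it parses a DHCP Discover, reads the client MAC OUI and the option-55 parameter request list, and matches both against small constructed lookup tables (the OUI entries are real IEEE assignments; the option-55 fingerprints are illustrative, not a real database). `build_discover` constructs the sample packet so the example runs offline.

```python
import struct

# Sample data constructed for this example: real IEEE OUI prefixes, illustrative
# option-55 parameter request lists. Not ClearPass's fingerprint database.
OUI_TABLE = {"00:1A:1E": "Aruba Networks", "B8:27:EB": "Raspberry Pi Foundation"}
FINGERPRINTS = {
    (1, 3, 6, 15, 119, 252): "Apple (sample fingerprint)",
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "Windows (sample fingerprint)",
    (1, 3, 6, 12, 15, 28, 42): "Embedded Linux / IoT (sample fingerprint)",
}
DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 magic cookie that precedes the options

def parse_dhcp(payload: bytes) -> dict:
    """Return client MAC and option TLVs from a raw DHCP message (UDP payload only)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = payload[2]                      # hardware address length, 6 for Ethernet
    mac = ":".join(f"{b:02X}" for b in payload[28:28 + hlen])
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                    # end option
            break
        if code == 0:                      # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"mac": mac, "options": options}

def fingerprint(payload: bytes) -> dict:
    """Classify a client by its MAC OUI and its option-55 parameter request list."""
    parsed = parse_dhcp(payload)
    prl = tuple(parsed["options"].get(55, b""))
    return {
        "mac": parsed["mac"],
        "vendor": OUI_TABLE.get(parsed["mac"][:8], "unknown OUI"),
        "os": FINGERPRINTS.get(prl, "unknown (no fingerprint match)"),
    }

def build_discover(mac: str, prl: tuple) -> bytes:
    """Construct a minimal DHCP Discover for offline use (normally captured via relay or SPAN)."""
    header = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x1234, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    header += chaddr + b"\0" * 192 + DHCP_MAGIC  # chaddr, sname (64), file (128), cookie
    return header + bytes([53, 1, 1, 55, len(prl)]) + bytes(prl) + b"\xff"
```

Because a client controls its own option-55 list, a DHCP match is one signal to corroborate with the other methods on the slide (TCP fingerprinting, SNMP tables, Nmap) rather than proof of device type.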
Device-based security strategy
ClearPass: identification (user / role, device type / health, location, time / day), application, protection
IoT: for IoT it's all about visibility
Device types such as vision systems, meters, sensors, PLCs and contractors' devices connect through multi-vendor switching and multi-vendor WLANs; ClearPass identifies the device type and assigns access rights at the access control point.
End-to-end coordinated access control
• Internet of Things (IoT), BYOD and enterprise-owned devices connect over multi-vendor wired and wireless networks
• Access control integrates with security monitoring and threat protection (REST API, RADIUS accounting, syslog), with device management and multi-factor authentication, and with notification channels (voice assistance service, SMS)
ClearPass Exchange – interoperability
Infrastructure: controller, switch, access point | Perimeter: firewall / IPS | Security & device management
Automated Access Control: instant security enforcement
• Detection: real-time threat detection; confinement integration (CoA)
• Confinement: existing wired and wireless integration to isolate compromised devices; ticketing system integration
• Prevention: Layer 7 inspection UTM; zero-day threat prevention (sandboxing)
Automated Access Control: User and Entity Behavior Analytics
Packets, flows, logs and alerts feed the analyser (data fusion, big data, entity analytics, investigation). UEBA with machine learning builds a risk profile from device/user authentication and device/user profiling, and the resulting device context drives real-time access policy modifications:
• Real-time quarantine
• Bandwidth contract
• Black list
• Dynamic role change
Finding the malicious event among all anomalies
Behavior analysis: supervised and unsupervised machine learning
Third-party alerts: DLP, sandbox, firewalls, STIX, rules, etc.
CONFIDENTIAL © Copyright 2018. Aruba, an HPE company. All rights reserved.
Portfolio 802.11ac Wave 2
Model | Indoor/Outdoor | Performance | Density | Location type
300 Series | Indoor | Moderate | Moderate (50 active devices) | Classrooms
310 Series | Indoor | High | Moderate (75 active devices) | Administrative zones
320 Series | Indoor | High | High (125 active devices) | Cafeterias, amphitheaters
340 Series | Indoor | Extreme | Very high (150+ active devices) | Amphitheaters
360 Series | Outdoor | High | Moderate (50 active devices) | Outdoor
370 Series | Outdoor | Extreme | High (125 active devices) | Outdoor
Aruba controllers: scale from branch to campus, appliance to VM
Branch
• Small branch: virtualized or PoE-powered controllers – VMC-TACT (8/16 AP), 7005/7008 (16 AP)
• Midsize branch with integrated switch: 12 or 24 ports of PoE+ for unified branches, up to 32 APs – 7010 (12 PoE+), 7024 (24 PoE+)
• Large branch: up to 64 APs and up to 8 Gbps throughput – 7030
Campus
• Midsize campus: high performance, fixed form factor, up to 256 APs, 12 Gbps throughput
• Large campus: high performance, redundant power/fan, 512–2048 APs, up to 80 Gbps throughput
• Campus models: 7205, 7210, 7220, 7240, 7280
Portfolio HPE Aruba Switches (access, aggregation, core/DC)
ArubaOS-CX: 8400, 8320
Right-sized switching with the lowest TCO
HPE Aruba 2930 and HPE Aruba 5400R zl2: Gigabit access with PoE+; multi-gigabit access with SmartRate technology
Lifetime warranty, lifetime firmware upgrades, lifetime support
Aruba allows flexible deployment
• Without controller, using Aruba Instant: simplified sites using the embedded controller
• With Mobility Controller: centralized encryption with advanced services
Unique architecture for all sites; dual-personality access points; enterprise-class network management platform; unique policy platform
Complete visibility with Aruba AirWave: unified heterogeneous network management
• End-to-end client-to-network visibility
• VisualRF: predictive Wi-Fi coverage, visualization of Wi-Fi problems
• Historical reports
• Automatic configuration and configuration management
• Online monitoring of critical services: RADIUS, DHCP, DNS
Aruba Central: cloud visibility and management
• Centralized management: Aruba Instant + switches + SD-WAN
• Enterprise class: high availability, reports, guest access, zero-touch provisioning
• Affordable: 1/3/5-year subscription, technical support included with Central
THE ARUBA DIFFERENCE
• Trusted innovators: thousands of partners; "Customer First, Customer Last" culture
• Complete indoor location solution
• Enterprise-class leader in integrated wired and wireless
• Security first: complete policy engine, behavior analysis and dynamic segmentation
• Complete portfolio
• Mobile-first architecture
• Open, multi-vendor
• Unified approach and architecture for all deployments
• Global reach and go-to-market, backed by a Fortune 100 customer base
Become a mobility hero with Aruba!
Thank you!