7/31/2014
CONFIDENTIAL © Copyright 2011. Aruba Networks, Inc. All rights reserved
ClearPass Policy Manager Overview
Xin Mei
PC, Tablet and Mobile Phone Shipments (chart)
Personal devices for work (chart)
Source: Dimensional Research 2011
The Network Access Challenge
• Complex to deploy and manage
• Poor security and app management
• Lack of visibility of employee & guests' personal devices
IT Confusion
• How do I get personal devices provisioned? NAC? MDM? MAM?
• How do I keep corporate data safe?
• How do I protect my network?
• What if a mobile device is lost?
• How do I maintain user privacy?
Managing Corp and Personal Devices
Requirement: Securely Support all Devices
Ownership spectrum: Corporate Liable to Employee Liable
Trusted
• Company-owned
• Fully managed
• Fully controlled
Tolerated
• Company or Employee owned
• Limited visibility
• Limited control
How do I:
• Maintain visibility & control?
• Deliver secure, differentiated access?
• Simplify device provisioning?
The Solution: Best in Class Enterprise Network Access and Policy Management
• Always Connected
• Voice & Video Optimized
• Employee & Corp Owned
• Simple & Flexible Workflows
• Policies for Network, Device & Apps
• Device and App Security & Management
ClearPass Security Architecture (diagram)
• Users / Endpoints
• Identity Stores: Policy Information Points
• Network Devices and Mobility Controller: Policy Enforcement Points
• ClearPass Policy Manager: Publisher / PAP / PDP, with Subscriber / PDP nodes in a logical local or remote cluster
Unified Access Control and Visibility (diagram)
• Endpoints: Employee Mac, Guest PC
• Access path: Captive Portal, DNS/DHCP
• Sources: Identity Stores, Enterprise Data
• ClearPass Policy Manager: Simplified Policy Deployment; Real-time Visibility and Analysis
ClearPass Packaging
ClearPass Policy Manager
• Policy-based AAA Services: RADIUS, TACACS+, SSO-SAML 2.0
• Contextual Policy Elements: time, location, device etc.
• 3rd party additional context
OnGuard
• Posture / Health Checks (computers)
Guest
• Secured Guest Access
Onboard
• Device Configuration / Provisioning
Profiler
• Device Identification and Classification
Built-in Advanced Services
SSO & ASO
Leverage network state for application authentication:
1. User requests Cloud App
2. 802.1X Network Auth
3. SAML based SSO
4. App Access Granted
Multi-vendor Policy Enforcement
ClearPass Policy Manager policy enforcement is optimized for Aruba, but works with any network.
ClearPass Policy Manager
Core AAA Feature support
• Policy-based AAA Services
– Support for 802.1X, MAC, Web (HTTPS), Certificate based auth
– EAP support: PEAP, TLS, TTLS, GTC, FAST
– Read from multiple authentication sources (AD, LDAP, SQL, Kerberos, Oracle LDAP, Token Server)
– SSO support for SAML 2.0 (Service Provider), Okta
– Enforcement Options: Aruba Role, VLAN, dACL, VSA, SNMP, HTTP
– Full TACACS+ services
– XML APIs to trigger CoA from 3rd party applications
• Contextual Policy Elements
– Time, location, device, OS version, posture, asset type, etc.
– Connect to 3rd party systems for additional context
Setting Network Policy Based on Context
Policy Example: use context from ClearPass & external sources to set network policies
• Application installed
– blacklisted
• Device Profile
– OS version
– Endpoint health
– Jailbreak status
– Pincode/encryption
• Location
– Trusted or untrusted network
• Time/Date
– e.g. in semester
• User/group membership
Use Context to build rich policies
– Layer Profiling, Authentication and multiple Authorization conditions into one policy
– Enforce at the access layer and use CoA for ongoing Authorization
Policy/Services Model
Authentication
• Define Multiple Methods and Sources
• AD, LDAP, SQL, Token Server, Internal db
Authorization
• Same process as above
• Multiple attributes from multiple sources
Roles
• Define identity or device based roles
• Define rules and conditions to assign role
Posture
• Endpoint health collection
• Define level of checks and method
Enforcement
• Rules based on role, condition
• Multiple options - VLAN, ACL, SNMP, SSH, HTTP
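As an added illustration of the policy/services model above and of the context-based policy example on the earlier slide (example code, not ClearPass's own), the following Python turns context attributes (group membership, profiled device category, jailbreak status, posture, location, time) into a role and an enforcement profile, and re-runs the policy when posture changes, as a CoA-driven re-authorization would. The attribute names, rule order, VLAN/ACL values and the semester calendar are assumptions.

```python
# Added illustration of the ClearPass-style policy/services model
# (authenticate -> authorize -> role -> posture -> enforce). Not ClearPass code:
# attribute names, rule order, VLAN/ACL values and the calendar are assumptions.
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Context:
    groups: frozenset      # authorization attributes, e.g. AD group membership
    device_category: str   # from profiling: "Computer", "SmartDevice", ...
    jailbroken: bool       # device-profile attribute
    posture: str           # OnGuard result: "HEALTHY", "UNHEALTHY" or "UNKNOWN"
    location: str          # "trusted" or "untrusted" network
    when: str              # ISO timestamp of the access request

# Enforcement profiles a role maps to (constructed VLAN/ACL values).
ENFORCEMENT = {
    "employee-full": {"vlan": 10, "acl": "permit-corp"},
    "byod-limited": {"vlan": 20, "acl": "internet-only"},
    "quarantine": {"vlan": 99, "acl": "remediation-only"},
    "deny": {"vlan": None, "acl": "deny-all"},
}

def in_semester(when):  # constructed calendar: Feb-May and Sep-Dec
    return datetime.fromisoformat(when).month in (2, 3, 4, 5, 9, 10, 11, 12)

def assign_role(ctx):
    """Ordered role rules; first match wins. Deny/quarantine rules come first
    so a later, broader rule cannot override a blacklisted condition."""
    if ctx.jailbroken:
        return "deny"
    if ctx.posture == "UNHEALTHY":
        return "quarantine"  # remediation network only
    if ("staff" in ctx.groups and ctx.device_category == "Computer"
            and ctx.posture == "HEALTHY" and ctx.location == "trusted"):
        return "employee-full"
    if "students" in ctx.groups and in_semester(ctx.when):
        return "byod-limited"
    if ctx.device_category == "SmartDevice":
        return "byod-limited"  # unmanaged smart device: limited access
    return "deny"

def enforce(ctx):
    """Return (role, enforcement profile) for an access request."""
    role = assign_role(ctx)
    return role, ENFORCEMENT[role]

def reauthorize(ctx, new_posture):
    """Ongoing authorization: a new posture result re-runs the policy; the
    resulting profile would be pushed to the network device by CoA."""
    ctx.posture = new_posture
    return enforce(ctx)
```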
ClearPass Guest
ClearPass Guest - Access Features
Self-registration
• Customizable, automated workflows
• Notification via SMS, email, badge printer
• One time registration
Sponsored Guest Access
• Reception sponsor interface
• Email sponsor approval workflow
• Enable any employee to instantly sponsor
Pre-registration
• Bulk import from file, e.g. Excel, text
• Generate visitor badges or notify via branded email templates
3rd Party Integration
• XML APIs for integration with existing applications
Highly Secure Guest Access
• Customizable branding and data entry fields
• No IT involvement
• Automated SMS/email credential delivery
• Sponsor privileges with access verification
• Per session access controls
Automated Guest Self-service
Actors: New Visitor, Sponsor, ClearPass Policy Manager
1. Collect visitor information
2. Sponsor prompted to confirm that guest is valid
3. Account enabled, visitor notified via screen, SMS, or email; visitor accesses the network
Customized page (screenshot)
Guest access with MAC cache (MAC auth)
ClearPass-Supported Social Login Providers
Bitbucket
Box
Disqus
Dropbox
Eventful
Fitbit
Flickr
Foursquare
Google Apps
Microsoft
RightSignature
Salesforce
Scoop.it
StockTwits
SurveyMonkey
Tumblr
VK
Withings
Yahoo
ClearPass Onboard
Simple 802.1X Device Configuration
Captive Portal; local or remote access
Network Access
• Provisions 802.1X configuration
• Access to Secure Network
User Experience
• Self-serve connectivity
• Windows, Mac, iOS, Android
Impact to IT
• Eliminates time to provision new devices
• Allows for faster updates
Simplified Enrollment and Provisioning
IT (ClearPass Policy Manager)
• IT creates configuration and certificate data
• Authorizes BYOD enrollment
• Maintains device database for policies and device revocation
User (ClearPass Onboard)
• User connects device and is redirected to portal
• Enters AD credentials to begin onboarding device
• Accepts certificate and connects to secure network
Onboard Provisioning
Certificate hierarchy: Root CA → Intermediate CA → Onboard CA
Certificates: Profile Signing Certificate, Server Certificate, Device Certificate …
Enterprise certificates; Other certificates; Unique device credentials
Built in CA for BYOD
• Built in CA
• Device Inventory Data
• Revoke Device Network Access
ClearPass OnGuard
Compliance Control for Laptops/Desktops
Checks prior to Access (Wireless, Wired, VPN)
Full Access
• Firewall on
• Encrypted disk
• Current A/S, A/V DAT file
• All Services on
Quarantine / Remediation
• Out of date A/V, A/S
Restricted / Denial of Access
• VM not allowed
• Firewall off
• USB Device not allowed
Supported Endpoint Computers (Persistent and Dissolvable Agents)
• All Windows Versions
– Checks for A/V, A/S, FW, registry keys, services, patch mgmt, processes, peer-to-peer apps, USB storage devices, Hot Fixes, VMs, network interfaces, and more…
• Red Hat, CentOS, Fedora, SUSE
– Status of services, anti-virus and firewall
– Persistent agent only
• Mac OS X
– Status of anti-virus, anti-spyware and firewall
ClearPass Posture Screen Views (screenshots)
Example: ClearPass OnGuard Configuration (screenshot; over 150 supported antivirus products)
OnGuard with Aruba Agent
Participants: Windows w/OnGuard Agent, ClearPass Policy Manager (CPPM), Aruba Controller
1. Authentication request is forwarded to CPPM.
2. CPPM sends Quarantine Role to Controller; Controller places endpoint in quarantine.
3. Then one of:
   A. OnGuard returns Good health information, or
   B. OnGuard enables auto-remediation (if enabled on CPPM) and re-authenticates, or
   C. User addresses compliance issues and tries to manually re-authenticate.
4. When health is good or remediation is successful, information is sent back to CPPM.
5. CPPM sends Full Access Role to Controller; Controller applies the role and grants full access.
ClearPass Profiler
5-Tier Device Profiling
Tiers (accuracy axis):
1. Baseline Fingerprinting
2. Events-Centric Fingerprinting
3. Network Heuristics Profiling
4. Identity Centric Profiling
5. Device Provisioning
Example classification: iPad 1, iOS 5.0.1
Data Collectors: SNMP, DHCP, HTTP, ActiveSync, IF-MAP, AD
Enterprise Infrastructure: Policy Manager, Mobility Controller, OnGuard
What is Profiled
ClearPass Profile covers:
• Smart Devices
• Laptops/Desktops
• Network/Non Login Devices
Profile Dashboard View
• Active Filtering
• Detailed Session Info
• Device Visibility Per Classification
• Real-time tracking
Fingerprint Dictionary Updates
• Updates visibility
• Over 110 device dictionaries
ClearPass: Other Features
AirGroup Use-cases
AirGroups on the Aruba Access Network:
• Personal AirGroup "CFO"
• Local AirGroup "Apple TVs"
• Shared AirGroup "Teachers"
• Local AirGroup "Printers"
Shared resources: AppleTV in the meeting room, AppleTV in the classroom, Printer in Administrator's office, Printer in the copy room
Client devices: Admin's iPad, Laptop in close proximity, Teacher Macbook, iPhone in close proximity
Reporting: Insight 2.0 (screenshot)
Summary
• Complete Visibility, Workflow and Security Access Management
• One Platform for all things Access
• Multi-vendor Independence
• Scalability to One Million Endpoints
Thank you!