Secure Enterprise Mobility
TRANSCRIPT
Aruba / Palo Alto Networks: Secure Enterprise Mobility
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc. All rights reserved. #AirheadsConf
Today’s Agenda
• Mobility / BYOD
• Threat Landscape & Challenges
• Integration Points
• Demonstration
Networking Challenges of Mobility
Silos increase IT touch points and errors
NETWORK: NAC, Roles, Policies
DEVICES: BYOD, Onboarding, MDM
APPS: Use, Distribution, Control
VISIBILITY: What’s on the Network?
WORKFLOW: No automation on unmanaged devices
SECURITY: Company data on personal devices
Quality of Security Tied to Location
Figure: Headquarters vs. Branch Offices. Labels: malware, botnets, exploits; “Exposed to threats, risky apps, and data leakage”; “Enterprise-secured with full protection”.
Palo Alto Networks: Safe BYOD Application Enablement
Applications Get Through the Firewall
Network security policy is enforced at the firewall
• Sees all traffic
• Defines boundary
• Enables access
Traditional firewalls don’t work any more
Technology Sprawl and Creep
Enterprise Network
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Doesn’t address application control challenges
Figure: enterprise network with a chain of firewall “helpers” (IM, DLP, IPS, Proxy, URL, AV, UTM) between the enterprise network and the Internet.
Firewall as a Business Enablement Tool
Applications: Safe enablement begins with application classification by App-ID.
Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.
Content: Scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire.
Security Enforcement in the Enterprise Network
Perimeter
• App visibility and control in the firewall
  • All apps, all ports, all the time
• Prevent threats
  • Known threats
  • Unknown/targeted malware
• Simplify security infrastructure
Data Center
• Network segmentation
  • Based on application and user, not port/IP
• Simple, flexible network security
  • Integration into all DC designs
  • Highly available, high performance
• Prevent threats
Distributed Enterprise
• Consistent network security everywhere
  • HQ/branch offices/remote and mobile users
• Logical perimeter
  • Policy follows applications and users, not physical location
• Centrally managed
Enabling Enterprise Mobility & BYOD
The ClearPass Access Security Platform
Figure: ClearPass Policy Manager (AAA services, profiling, policy engine) running over multivendor networks and integrating with identity stores, 3rd-party MDM and app servers. Policy services: differentiated access, unified policies, device visibility for guest and employee; enterprise-class AAA (RADIUS, TACACS+) and VPN. Onboarding and assessment: Onboard (device provisioning), OnGuard (posture and health checks), Guest (visitor management).
All Things Network, Device and App Management
Figure: the ClearPass Solution, spanning Workflow, Policy and Visibility: role-based enforcement, health/posture checks, device context, device profiling, troubleshooting, per-session tracking, onboarding and registration, guest management, MDM integration.
Threat Prevention
The Basics on Threat Prevention
Threat | What it is | What it does
Exploit | Bad application input, usually in the form of network traffic. | Targets a vulnerability to hijack control of the target application or machine.
Malware | Malicious application or code. | Anything: downloads, hacks, explores, steals…
Command and Control (C2) | Network traffic generated by malware. | Keeps the remote attacker in control and coordinates the attack.
The Lifecycle of Network Attacks
16 | ©2012, Palo Alto Networks.
1. Bait the end-user: end-user lured to a dangerous application or website containing malicious content.
2. Exploit: infected content exploits the end-user, often without their knowledge.
3. Download backdoor: secondary payload is downloaded in the background; malware installed.
4. Establish back-channel: malware establishes an outbound connection to the attacker for ongoing control.
5. Explore & steal: remote attacker has control inside the network and escalates the attack.
Figure: example attack timeline with the evasion used at each stage. Stages: exploit kit malware from new domain; ZeroAccess delivered; C2 established; secondary payload; spread laterally; custom C2 & hacking; data stolen. Evasions noted: hidden within SSL; new domain has no reputation; payload designed to avoid AV; non-standard port use evades detection; custom malware = no AV signature; internal traffic is not monitored; custom protocol avoids C2 signatures; RDP & FTP allowed on the network.
Our systematic approach for better security
Copyright © 2014, Palo Alto Networks, Inc. All Rights Reserved
Figure: three steps, 1) apply positive controls, 2) prevent known threats, 3) discover unknown threats, built on inspecting all traffic across ports, protocols & encryption and providing global visibility & intelligence correlation.
Aruba / Palo Alto Networks: Validated Architecture
Aruba and Palo Alto Networks
Aruba Wi-Fi & ClearPass: Mobility Services
• Core AAA, NAC
• Device Profiling
• Guest + BYOD
Palo Alto Networks Next Generation Firewall
• L7+ AppFW
• Content Security
• Threat Protection
Integration
• Exchange rich endpoint context and access policies to securely support BYOD
• Identify, monitor and control traffic by user, device and application
• Map and enforce security of headless network devices such as printers, faxes and automation systems
Solution Overview
Feed User-ID Data
– Centralized username to IP address mapping
– No software agents required; supports multiple identity stores
– Rich visibility and reporting for compliance
Endpoint/Device Context
– Feed device context to PAN, e.g. iPad, Android Phone
– Enable policy enforcement based on the new device context
– Extensible schema allows adding more context to endpoint data
Centralized Identity Store
– FW admin authentication using RADIUS
– Provide services for VPN authentication
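As an added example (not from the deck and not either vendor's own code), the Python below builds the two feeds this slide describes: a username-to-IP mapping and per-IP device context that firewall rules can match on. The message shape follows the PAN-OS User-ID XML API (a uid-message with login and register entries) as I know it; the SESSIONS records, the cp- tag naming and the timeout value are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what ClearPass knows per authenticated session
# (username, client IP, profiled device type, ClearPass role). Not real data.
SESSIONS = [
    {"user": "corp\\alice", "ip": "10.10.1.23", "device": "iPad", "role": "Employee"},
    {"user": "corp\\bob", "ip": "10.10.1.57", "device": "Android Phone", "role": "Employee"},
    {"user": "guest-7f3a", "ip": "10.10.9.14", "device": "Windows", "role": "Guest"},
    {"user": "", "ip": "10.10.2.200", "device": "Printer", "role": "Headless"},
]


def context_tags(session):
    """Device context as firewall tags; the 'cp-' prefix is an assumed convention."""
    device = session["device"].lower().replace(" ", "-")
    return ["cp-device-" + device, "cp-role-" + session["role"].lower()]


def build_uid_message(sessions, timeout_min=60):
    """Build a User-ID update: <login> entries map username -> IP (with a
    timeout so stale mappings expire); <register> entries tag each IP with
    device context so rules can match on device type and role.
    Headless devices have no user, so they get tags only, no login entry."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    register = ET.SubElement(payload, "register")
    for s in sessions:
        if s["user"]:
            ET.SubElement(login, "entry", name=s["user"], ip=s["ip"],
                          timeout=str(timeout_min))
        entry = ET.SubElement(register, "entry", ip=s["ip"])
        tag = ET.SubElement(entry, "tag")
        for t in context_tags(s):
            ET.SubElement(tag, "member").text = t
    return ET.tostring(root, encoding="unicode")


def parse_uid_message(xml_text):
    """Read the message back: (user -> IP mapping, IP -> list of tags).
    This is the view the firewall side holds once the feed is applied."""
    root = ET.fromstring(xml_text)
    users = {e.get("name"): e.get("ip")
             for e in root.findall("payload/login/entry")}
    tags = {e.get("ip"): [m.text for m in e.findall("tag/member")]
            for e in root.findall("payload/register/entry")}
    return users, tags


if __name__ == "__main__":
    msg = build_uid_message(SESSIONS)
    print(msg)
    print(parse_uid_message(msg))
```

The printer gets only a register entry, which is how a headless device can be given a policy role without a user login.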
Populate the Device Objects
Aruba ClearPass Configuration
Customer Benefits
Improved visibility and security
– Identify all devices connecting to the network, including headless devices
– NAC / access control policies designed for mobility
– Protection against a wide variety of threats
Granular, context-aware policies
– Address emerging trends of BYOD, cloud, SDN, PFE / guest access and more
Improved performance
– Optimize app performance over wired and wireless
– Deliver better end-user experience
Thank You