Aruba / Palo Alto Networks Secure Enterprise Mobility

Upload: aruba-networks-an-hp-company

Post on 18-Jul-2015


Page 1: Secure Enterprise Mobility

Aruba / Palo Alto Networks Secure Enterprise Mobility

Page 2: Secure Enterprise Mobility

CONFIDENTIAL

© Copyright 2014. Aruba Networks, Inc.

All rights reserved #AirheadsConf

Today’s Agenda

• Mobility / BYOD

• Threat Landscape & Challenges

• Integration Points

• Demonstration

Page 3: Secure Enterprise Mobility


Networking Challenges of Mobility

Silos increase IT touch points and errors

• NETWORK: NAC, Roles, Policies
• DEVICES: BYOD, Onboarding, MDM
• APPs: Use, Distribution, Control
• VISIBILITY: What’s on the Network?
• WORKFLOW: No automation on unmanaged devices
• SECURITY: Company data on personal devices

Page 4: Secure Enterprise Mobility


Quality of Security Tied to Location

malware, botnets, exploits

Exposed to threats, risky apps, and data leakage

Enterprise-secured with full protection

Headquarters, Branch Offices

Page 5: Secure Enterprise Mobility

Palo Alto Networks Safe BYOD Application Enablement

Page 6: Secure Enterprise Mobility


Applications Get Through the Firewall

Network security policy is enforced at the firewall

• Sees all traffic
• Defines boundary
• Enables access

Traditional firewalls don’t work any more

Page 7: Secure Enterprise Mobility


Technology Sprawl and Creep

Enterprise Network

• “More stuff” doesn’t solve the problem

• Firewall “helpers” have limited view of traffic

• Complex and costly to buy and maintain

• Doesn’t address application control challenges

IM, DLP, IPS, Proxy, URL, AV

UTM, Internet

Page 8: Secure Enterprise Mobility


Firewall as a Business Enablement Tool

Applications: Safe enablement begins with application classification by App-ID.

Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.

Content: Scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire.

Page 9: Secure Enterprise Mobility


Security Enforcement in the Enterprise Network

Perimeter

• App visibility and control in the firewall

• All apps, all ports, all the time

• Prevent threats

• Known threats

• Unknown/targeted malware

• Simplify security infrastructure

Data Center

• Network segmentation

• Based on application and user, not port/IP

• Simple, flexible network security

• Integration into all DC designs

• Highly available, high performance

• Prevent threats

Distributed Enterprise

• Consistent network security everywhere

• HQ/branch offices/remote and mobile users

• Logical perimeter

• Policy follows applications and users, not physical location

• Centrally managed

Page 10: Secure Enterprise Mobility

Enabling Enterprise Mobility & BYOD

Page 11: Secure Enterprise Mobility


The ClearPass Access Security Platform

CONFIDENTIAL

© Copyright 2013. Aruba Networks, Inc.

All rights reserved @arubanetworks

Policy Services

Identity Stores

3rd Party MDM

App Servers

DIFFERENTIATED ACCESS

UNIFIED POLICIES

DEVICE VISIBILITY

GUEST

EMPLOYEE

POLICY SERVICES

ENTERPRISE-CLASS AAA: RADIUS, TACACS+

VPN

Onboard: Device Provisioning

OnGuard: Posture & Health Checks

Guest: Visitor Management

ONBOARDING AND ASSESSMENT

Multivendor Networks

ClearPass Policy Manager

AAA Services, Profiling, Policy Engine

Page 12: Secure Enterprise Mobility


All Things Network, Device and App Management

WORKFLOW, POLICY, VISIBILITY

Role-based Enforcement

Health/Posture Checks

Device Context

Device Profiling

Troubleshooting

Per Session Tracking

Onboarding, Registration

Guest Management

MDM Integration

The ClearPass Solution

Page 13: Secure Enterprise Mobility

Threat Prevention

Page 14: Secure Enterprise Mobility


The Basics on Threat Prevention

Exploit
– What it is: Bad application input, usually in the form of network traffic.
– What it does: Targets a vulnerability to hijack control of the target application or machine.

Malware
– What it is: Malicious application or code.
– What it does: Anything – Downloads, hacks, explores, steals…

Command and Control (C2)
– What it is: Network traffic generated by malware.
– What it does: Keeps the remote attacker in control and coordinates the attack.

Page 15: Secure Enterprise Mobility


The Lifecycle of Network Attacks

©2012, Palo Alto Networks.

1. Bait the end-user: End-user lured to a dangerous application or website containing malicious content
2. Exploit: Infected content exploits the end-user, often without their knowledge
3. Download Backdoor: Secondary payload is downloaded in the background. Malware installed
4. Establish Back-Channel: Malware establishes an outbound connection to the attacker for ongoing control
5. Explore & Steal: Remote attacker has control inside the network and escalates the attack

Page 16: Secure Enterprise Mobility

©2012, Palo Alto Networks. Confidential and Proprietary.

• Exploit Kit: Hidden within SSL
• Malware From New Domain: New domain has no reputation
• ZeroAccess Delivered: Payload designed to avoid AV
• C2 Established: Non-standard port use evades detection
• Secondary Payload: Custom malware = no AV signature
• Spread Laterally: Internal traffic is not monitored
• Custom C2 & Hacking: Custom protocol avoids C2 signatures
• Data Stolen: RDP & FTP allowed on the network

Page 17: Secure Enterprise Mobility


Our systematic approach for better security

Copyright © 2014, Palo Alto Networks, Inc. All Rights Reserved

1. Apply positive controls
2. Prevent known threats
3. Discover unknown threats

Inspect all traffic across ports, protocols & encryption

Provide global visibility & intelligence correlation

Page 18: Secure Enterprise Mobility

Aruba / Palo Alto Networks Validated Architecture

Page 19: Secure Enterprise Mobility


Aruba and Palo Alto Networks

Aruba Wi-Fi & ClearPass: Mobility Services

• Core AAA, NAC
• Device Profiling
• Guest + BYOD

Palo Alto Networks Next Generation Firewall

• L7+ AppFW
• Content Security
• Threat Protection

• Exchange rich endpoint context and access policies to securely support BYOD
• Identify, monitor and control traffic by user, device and application
• Map and enforce security of head-less network devices such as printers, faxes and automation systems

Page 20: Secure Enterprise Mobility


Solution Overview

Feed User-ID Data

– Centralized username-to-IP-address mapping
– No software agents required; supports multiple identity stores
– Rich visibility and reporting for compliance

Endpoint/Device Context

– Feed device context to PAN, e.g. iPad, Android Phone
– Enable policy enforcement based on new device context
– Extensible schema allows adding more context to endpoint data

Centralized Identity Store

– FW admin authentication using RADIUS
– Provide services for VPN authentication

Page 21: Secure Enterprise Mobility


Populate the Device Objects

Page 22: Secure Enterprise Mobility


Aruba ClearPass Configuration

Page 23: Secure Enterprise Mobility


Customer Benefits

Improved visibility and security

– Identify all devices connecting to the network, including headless devices
– NAC / access control policies designed for mobility
– Protection against a wide variety of threats

Granular, context-aware policies

– Address emerging trends of BYOD, cloud, SDN, PFE / guest access and more

Improved performance

– Optimize app performance over wired and wireless
– Deliver better end-user experience

Page 24: Secure Enterprise Mobility


Thank You

#AirheadsConf
