secure enterprise mobility

of 25 /25
Aruba / Palo Alto Networks Secure Enterprise Mobility

Author: aruba-networks-an-hp-company

Post on 18-Jul-2015




1 download

Embed Size (px)


The Aruba Networks PowerPoint Presentation Template

Aruba / Palo Alto NetworksSecure Enterprise Mobility1Todays AgendaMobility / BYODThreat Landscape & ChallengesIntegration PointsDemonstrationCONFIDENTIAL Copyright 2014. Aruba Networks, Inc. All rights reserved##AirheadsConf2Networking Challenges of MobilitySilos increase IT touch points and errors

NETWORKNAC, Roles, PoliciesDEVICESBYOD, Onboarding, MDMAPPsUse, Distribution, ControlVisibilityWhats on the Network?WorkflowNo automation on unmanaged devicesSecurityCompany data on personal devices

#CONFIDENTIAL Copyright 2014. Aruba Networks, Inc. All rights reserved#AirheadsConfQuality of Security Tied to Location


Exposed to threats, risky apps, and data leakageEnterprise-secured with full protection


Branch Offices#CONFIDENTIAL Copyright 2014. Aruba Networks, Inc. All rights reserved#AirheadsConf4Palo Alto NetworksSafe BYOD Application Enablement

5Applications Get Through the Firewall

Network security policy is enforced at the firewallSees all trafficDefines boundaryEnables access

Traditional firewalls dont work any more#CONFIDENTIAL Copyright 2014. Aruba Networks, Inc. All rights reserved#AirheadsConf

Technology Sprawl and CreepEnterprise NetworkMore stuff doesnt solve the problemFirewall helpers have limited view of trafficComplex and costly to buy and maintainDoesnt address application control challenges








#CONFIDENTIAL Copyright 2014. Aruba Networks, Inc. All rights reserved#AirheadsConfFirewall as a Business Enablement ToolApplications: Safe enablement begins with application classification by App-ID.

Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.

Content: Scanning content and protecting against all threats both known and unknown; with Content-ID and WildFire.

#CONFIDENTIAL Copyright 2014. Aruba Networks, Inc. All rights reserved#AirheadsConfMitigating risk in allowed traffic8Security Enforcement in the Enterprise Network#CONFIDENTIAL Copyright 2014. Aruba Networks, Inc. All rights reserved#AirheadsConfEnabling Enterprise Mobility & BYOD10

#GenMobile Imperative: All-Wireless OfficeSMART AIRAllocate bandwidth for new collaboration apps at workSECURE AIRSecure personal devices and guests without involving ITSIMPLE AIRApp login and sharingwithout manual entry

STABLE AIRWi-Fi that doesnt slow downas many people connect#CONFIDENTIAL Copyright 2014. Aruba Networks, Inc. All rights reserved#AirheadsConfAruba believes IT should think about building the all-wireless office for GenMobile. The all-wireless office has 4 Ss:Stable Air Companies cant have Wi-Fi that slows down as the network experiences high density, especially as users move around to different areas of a building and introduce bursts of trafficSecure Air Personal devices that GenMobile guests, employees, contractors bring in should be able to be secured without involving IT. The time it takes for IT to enable simple tasks like getting online, checking email, etc is just not worth the timeSimple Air Logging in to the cloud apps, screen-projecting, or printing needs to be hassle-free. For GenMobile, having single-sign on, or automated authentication on mobile devices will dramatically simplify the login experience.Smart Air Mobile apps should be able to learn their indoor location, get priority for work use, and get less priority for personal use.11The ClearPass Access Security PlatformCONFIDENTIAL Copyright 2013. Aruba Networks, Inc. All rights reserved12

@arubanetworksPolicy ServicesIdentityStores3rd PartyMDMApp Servers




VPNOnboardDeviceProvisioningOnGuardPosture &Health ChecksGuestVisitor ManagementONBOARDING AND ASSESSMENT Multivendor NetworksClearPass Policy Manager

AAA ServicesProfilingPolicy Engine#CONFIDENTIAL Copyright 2014. Aruba Networks, Inc. All rights reserved#AirheadsConfAll of the features just described are delivered as hardware or virtual appliances that can authenticate up to 500, 5000 and 25000 unique devices per week. ClearPass is also unique in that the base appliance includes our entire feature set RADIUS and TACACS services, policy engine, identity broker features, as well as each of the add-on modules in the form of a starter bundle for Guest, Onboard, OnGuard and WorkSpace.

The add-on modules are expandable per use case which means that customers with 100 guests per week only need to license for that amount. The same goes for onboarding personal or BYO devices. Theyre not required to purchase advanced licenses or features they wont use.

Other customer benefits include the ability to create policies that query multiple identity stores, connect multiple active directory domains, leverage external MDM solutions and work in Wi-Fi, wired and VPN environments. Again without purchasing special licensing.12All Things Network, Device and App ManagementWORKFLOWPOLICYVISIBILITYRole-basedEnforcementHealth/PostureChecksDevice Context

Device ProfilingTroubleshootingPer Session Tracking

Onboarding, Registration

Guest ManagementMDMIntegration

The ClearPass Solution#CONFIDENTIAL Copyright 2014. Aruba Networks, Inc. All rights reserved#AirheadsConfTo eliminate silos Aruba ClearPass is designed to deliver user and device visibility, automated workflow services and policy management enforcement all from a single platform.

Built-in device profiling provides a comprehensive picture of whats connecting to the network which makes it simple to differentiate access for BYOD and IT managed devices. Real-time troubleshooting tools help IT create policies that work and also solve connectivity issues. For example, an access dashboard and per session logs allow IT to easily see why a user had a problem without having to peruse lengthy log databases. To help off-load IT, ClearPass includes automated features that allow users to self-provision personal devices and register media sharing devices like an Apple TV or just a printer. ClearPass Guest lets visitors self-register or sponsors can create credentials that automatically expire. Device management services extend MDM capabilities with network control and enforcement. A built-in CA can be used to distribute and manage device specific certificates. User can even re-install or revoke certificates for lost or stolen devices.

The policy component brings it all together by allowing organizations to create granular policies for Aruba and multivendor Wi-Fi, wired and VPN networks. A role-based model allows you to assign and differentiate access by user, device and other contextual attributes like location, job function and device ownership. All this from a single pane of glass.13Threat Prevention14The Basics on Threat PreventionThreatWhat it isWhat it doesExploitBad application input usually in the form of network traffic.

Targets a vulnerability to hijack control of the target application or machine.MalwareMalicious application or code.

Anything Downloads, hacks, explores, stealsCommand and Control (C2)Network traffic generated by malware.Keeps the remote attacker in control ands coordinates the attack.

#CONFIDENTIAL Copyright 2014. Aruba Networks, Inc. All rights reserved#AirheadsConfThe Lifecycle of Network Attacks16 | 2012,Palo Alto Networks. Confidential and Proprietary. Bait theend-user1End-user lured to a dangerous application or website containing malicious contentExploit2Infected content exploits the end-user, often without their knowledgeDownloadBackdoor3Secondary payload is downloaded in the background. Malware installedEstablishBack-Channel4Malware establishes an outbound connection to the attacker for ongoing controlExplore & Steal5Remote attacker has control inside the network and escalates the attack

#CONFIDENTIAL Copyright 2014. Aruba Networks, Inc. All rights reserved#AirheadsConf17 | 2012,Palo Alto Networks. Confidential and Proprietary.

SecondaryPayloadSpread Laterally

Custom C2 & Hacking

Data Stolen

Exploit KitMalware FromNew Domain


C2 Established

Hidden within SSLNew domain has no reputationPayload designed to avoid AVNon-standard port use evades detectionCustom malware = no AV signatureInternal traffic is not monitoredCustom protocol avoids C2 signaturesRDP & FTP allowed on the network

Real cyberattacks are considerably more sophisticated than the attacks that one would expect to see even a few years ago. Most of these attacks will leverage multiple steps, in which each step builds on the previous toward a strategic goal. Multiple techniques are coordinated to work together, and the attackers attempt to hide their traffic and infrastructure whenever possible. This example walks through the very common steps of a modern data breach.

Step 1 Many attacks today begin by using a compromised website to deliver an exploit and malware to an end-user. This process is called a drive-by-download and it often begins with something called an exploit kit. For example, Blackhole is a very well-known exploit kit. An attacker can craft a website that uses the exploit kit or simply find a vulnerable website where the attacker can add his exploit kit code. Either way, once the exploit kit code is running on the target website, the exploit kit will automatically identify vulnerable visitors to the site and exploit the end-user machine.

Step 2 Once the exploit has been delivered to the target, now the user is now compromised, and the attacker can deliver malware to the compromised user. The malware is typically not delivered from the same site hosting the exploit kit, as this would very quickly make it obvious that the site was infected. Instead the attacker will redirect traffic to new or unknown domain to deliver the malware. The attacker can constantly cycle through these domains to keep his operation a secret.

Step 3 Once malware is delivered to the target, it is often the job of the first stage malware to establish persistence and communication on the infected host. In many cases this is done via a root-kit and downloader. Zero Access is very common rootkit that meets this requirement, but there are many others.

Step 4- Once the rootkit is installed, it now needs to set up a command-and-control channel with the remote attacker. This link is one of the most important in the attack lifecycle because it provides the attacker with remote control over his attack, and a control point inside the target network. This traffic tends to be highly evasive because the attacker is in control of both ends of the connection (both the malware sending the traffic and server that it is communicating with). This gives the attacker a great deal of freedom in terms of ports, protocols, encryption and tunneling.

Step 5 Once the attacker is inside the network, and communicate back out, he can now download a second wave of malware that is more geared to the actual goal of the attack, such as stealing information. These payloads can be customized to a particular attack and often give a more unique view into the attacker and the ultimate goal of an attack.

Step 6 Often it is the goal of the secondary payload to dig deeper into the network to access protected data. To do this the attacker will attempt to spread to other nodes in the network, and to attempt to escalate his privilege in the network. For example, the attacker may have initially compromised a low level employee with limited rights on the network. The attack may try to use that initial compromise in order to steal credentials for a network administrator in the network, which in turn would provide free reign over the network.

Step 7 As part of digging deeper into the network, attackers will often leverage a variety of hacking tools both to enumerate the internal environment, find weaknesses and steal data. Furthermore, the attackers will use a variety of techniques to quietly communicate from inside the network. This can include custom protocols that have been designed by the attackers or traffic and covert communications that are tunneled within allowed traffic.

Step 8 Of course the ultimate goal of most attacks is to steal data. What this data is will of course vary depending on the target, but can include everything from credit card numbers to personally identifiable information, to trade secrets and intellectual property. This often requires using applications that are effective at transferring large volumes of data such as FTP, peer-to-peer applications or other web-based file transfer applications.

17Our systematic approach for better security Copyright 2014,Palo Alto Networks, Inc. All Rights Reserved Provide global visibility & intelligence correlationDiscover unknown threatsInspect all traffic across ports, protocols & encryptionPrevent known threats23Applypositive controls1#CONFIDENTIAL Copyright 2014. Aruba Networks, Inc. All rights reserved#AirheadsConfIn the next 10 minutes, Im going to walk you through our unique approach to secure your network infrastructure and defeat advanced and targeted threats.

Its basically made of 3 steps:The one where you apply positive controls. Its typically done the next-generation firewalls and Step 2 and 3 are about

18Aruba / Palo Alto NetworksValidated Architecture19

Aruba and Palo Alto NetworksMobility ServicesCore AAA, NACDevice ProfilingGuest + BYOD

Aruba Wi-Fi & ClearPassPalo Alto NetworksNext Generation FirewallL7+ AppFWContent SecurityThreat ProtectionExchange rich endpoint context and access policies to securely support BYODIdentify, monitor and control traffic by user, device and applicationMap and enforce security of head-less network devices such as printers, faxes and automation systems

#CONFIDENTIAL Copyright 2014. Aruba Networks, Inc. All rights reserved#AirheadsConfSolution OverviewFeed User-ID Data Centralized Username to IP address mappingNo software agents required, support multiple identity storesRich visibility and reporting for complianceEndpoint/Device ContextFeed device context to PAN eg. iPad, Android PhoneEnable policy enforcement based on new device contextExtensible schema allows adding more context to endpoint dataCentralized Identity StoreFW admin authentication using RadiusProvide services for VPN authentication

#CONFIDENTIAL Copyright 2014. Aruba Networks, Inc. All rights reserved#AirheadsConfPopulate the Device Objects

#CONFIDENTIAL Copyright 2014. Aruba Networks, Inc. All rights reserved#AirheadsConfAruba ClearPass Configuration

#CONFIDENTIAL Copyright 2014. Aruba Networks, Inc. All rights reserved#AirheadsConf

Customer BenefitsImproved visibility and securityIdentify all devices connecting to the network, including headless devicesNAC / access control policies designed for mobilityProtection against a wide variety of threatsGranular, context-aware policiesAddress emerging trends of BYOD, cloud, SDN, PFE / guest access and moreImproved performanceOptimize app performance over wired and wirelessDeliver better end-user experience#CONFIDENTIAL Copyright 2014. Aruba Networks, Inc. All rights reserved#AirheadsConf24#CONFIDENTIAL Copyright 2014. Aruba Networks, Inc. All rights reservedThank You#AirheadsConf#21:44 24:1626