As organizations deal with threats, they also struggle with an increased push for efficiency and a demand by CEOs to lower their cost of IT per employee. Managing this trade-off can be a very difficult task, as the objectives seem to go in orthogonal directions. Security professionals must be able to provide security for their business within the context of these declining budgets. The complex system approaches of the past led to both an increased number of devices and service contract requirements that drive costs up.
As network connections between customers and suppliers increase, businesses continue to deliver solutions as services over the network, and the perimeters that once protected the organization from threats are no longer secure. Organized crime has found ways to skirt perimeter defenses and to leverage insiders, knowingly and unknowingly, to gain access to your critical information. As a result, organizations must protect against both internal and external threats.
Each user has been placed in an access policy group (APG) by the administrator. When a user is authenticated, IDM looks at the rules for the user's access policy group. The rules are based on time, location, device ID, and client integrity status. When a rule match is found, an associated 'Access Profile' is invoked that sets a policy on the user's port; the policy can include ACLs, VLANs, QoS and bandwidth limitations.
Access control lists (ACLs) and client integrity checking are the new features. Access control lists are per-user filters enforced at the port or AP that allow or deny access to protocols, destination IP addresses, or destination TCP/UDP ports. The destination addresses and TCP/UDP ports may be specified as ranges as well as individual values. Client integrity is an indicator sent to IDM by a third-party client integrity agent such as Sygate or Zonelabs. When IDM sees the client status indicator, it can send a 'dirty' client to a remediation VLAN or server.
Microsoft® Network Access Protection is a policy enforcement technology built into the Windows Vista® and Windows® Server 2008 operating systems that allows customers to better protect network assets from unhealthy computers by enforcing compliance with network health policies. Microsoft's Network Access Protection technology is available with Windows Vista and Windows Server 2008 and will be available with Windows XP SP3.
ProCurve IDM provides network administrators with the ability to centrally define and apply policy-based network access rights that allow the network to automatically adapt to the needs of users and devices as they connect, thereby enforcing network security while providing appropriate access to network users and devices.
HP ProCurve Networking
How to Integrate Wired and Wireless LANs
Lars Koelendorf, Category Manager, Wireless, HP Networking, EMEA
Agenda (21 May 2009)
Mobility market highlights
The challenges
WLAN evolution
Unified wired and wireless
Integration options
Improved user experience
Advanced security
Simplified management
Mobility Market Highlights
Increasing number and diversity of clients
Persistent wireless coverage
Reduced cost
Dramatic improvements in technology
Business-critical applications via wired or wireless
Business Needs Driving Wireless Access Everywhere
Collaboration of the mobile workforce
Access from anywhere
Secure guest access
Improved productivity
Wireless asset tracking
Physical security
Converged voice and data over WiFi
The Business Challenge
With access to the network coming from any device, you need a centralized approach to wired and wireless management to streamline device configuration and to enable network monitoring and response to wired and wireless network threats. Build an agile, security-aware network that supports all types of users and devices, not barriers to entry.
The Network Administrator Challenge
Need a wireless solution that can be managed easily and integrated with the wired infrastructure and existing user policies, not another administrative burden. A single management solution covers wireless network management, policy coordination and wired network management.
The Security Challenge
What is the activity inside the network?
How to protect against internal threats?
How to deal with an increasingly mobile and fragmented workforce?
How to meet new regulatory compliance requirements?
... all within the (declining?) IT budget?
Key Components: Development over Time (timeline figure; axis: time)
Command from the Center
Unified network: wired and wireless are just two ways of accessing it.
Increased productivity: consistent user experience; seamless access to business applications.
Ease of management: single management platform with common tools and optimization.
Security: one user identity and one system for access control; one system for network threat management.
(Diagram labels: Servers, Wireless Clients, Intelligent Edge, Interconnect Fabric, Intelligent Switches, Clients, Edge Portal, Wireless Access Points, Edge Network, Internet.)
External and Internal Threats
98% use a firewall to protect the perimeter; internal threats represent 80% of the threat.
Importance of Factors When Adding Wireless to the Network (average score out of 5, 2008)
Management of security across the network: 4.4
Ability to define a single user-based network security policy: 3.9
Ongoing maintenance/support costs: 3.7
Cost of initial purchase: 3.7
Need to meet increased mobility requirements: 3.5
Desire to use new technology to the full: 3.4
Time required to deploy: 3.4
Security Is a Process
Policies; trusted network infrastructure; validation and monitoring.
User Rights Policy: What's My Policy?
Overlay strategy: wired and wireless use different security solutions.
Unified strategy: unified wired and wireless, the same security at any entry point.
Policy Management: Wired and Wireless
Use a tool that allows network administrators to efficiently manage the users and devices connecting to their network
A way to virtualize the network versus the user
Easy creation and management of user policy groups
Dynamically apply security, access and performance settings at port level based on policies
Network Reports and Logs based on Users for Audit
Authenticating and Provisioning
Based on: client integrity status, location, time, device ID, user/group.
Set: ACLs per user / packet-filtering firewall, bandwidth limit, I/O port, VLAN, QoS.
How It Works
Scenario: Guest has access only to the Internet at 2 Mbps; Employee has access to the Internet and corporate servers; Employee (finance) has access to financial information. Actors in the figure: network administrator, conference room, Internet.
1. The network administrator sets up role-based access policy groups and assigns rules and access profiles:
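A small model of the rule evaluation described above (the guest, employee and finance scenario), added here as an illustration: it is not HP IDM code, and every profile, rule field, destination label and user name in it is a constructed assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessProfile:
    name: str
    vlan: int
    acl: tuple                  # ordered (action, destination) entries; first match wins
    bandwidth_kbps: int = 0     # 0 means no limit
    qos: str = "best-effort"

@dataclass(frozen=True)
class Rule:
    profile: AccessProfile
    hours: tuple = (0, 24)                       # allowed hour window [start, end)
    locations: frozenset = frozenset({"any"})    # switch / AP names
    device_ids: frozenset = frozenset({"any"})

# Constructed profiles mirroring the slide scenario (labels, not real addresses)
GUEST = AccessProfile("guest", 100, (("deny", "corp"), ("deny", "finance"), ("permit", "internet")), 2000)
EMPLOYEE = AccessProfile("employee", 10, (("deny", "finance"), ("permit", "any")))
FINANCE = AccessProfile("finance", 20, (("permit", "any"),))
REMEDIATION = AccessProfile("remediation", 999, (("permit", "remediation"), ("deny", "any")))

# Access policy groups: ordered rule lists, first matching rule selects the profile
APGS = {
    "guests": [Rule(GUEST, locations=frozenset({"conference-room"}))],
    "employees": [Rule(EMPLOYEE)],
    "finance": [Rule(FINANCE, hours=(7, 19), device_ids=frozenset({"fin-laptop-01"})), Rule(EMPLOYEE)],
}
USER_APG = {"visitor": "guests", "alice": "employees", "bob": "finance"}

def rule_matches(rule, ctx):
    return (rule.hours[0] <= ctx["hour"] < rule.hours[1]
            and ("any" in rule.locations or ctx["location"] in rule.locations)
            and ("any" in rule.device_ids or ctx["device_id"] in rule.device_ids))

def authorize(user, ctx):
    """Return the profile pushed to the user's port after authentication, or None to deny."""
    if ctx["integrity"] != "healthy":        # 'dirty' client: remediation VLAN regardless of APG
        return REMEDIATION
    for rule in APGS.get(USER_APG.get(user, ""), []):
        if rule_matches(rule, ctx):
            return rule.profile
    return None                              # authenticated but no rule matched

def acl_allows(profile, destination):
    """Evaluate the profile's ordered ACL against a destination label; implicit deny at the end."""
    for action, dest in profile.acl:
        if dest in ("any", destination):
            return action == "permit"
    return False
```

The finance group shows why rule order matters: outside business hours or from an unregistered device, bob falls through to the plain employee profile instead of being denied outright.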
One Network, Wired & Wireless: Unified and Secure
Real OPEX savings: reduced network management and administration costs.
Improved security: consistent policies, applied once, removing error.
Improved end-user experience: the network follows the user from work site to work site.
Conclusion
Unified networking equals wired and wireless (the figure lists link speeds of 10, 11, 54, 100, 300, 450, 600, 1000 and 10000 Mbps) with single management and consistent policy.