UDI and Juniper Networks BYOD

  • Universal Data is a local IT firm that provides the people, hardware & software to implement, maintain and support all facets of your IT infrastructure. We give our clients the ability to have access to their business information anytime and anywhere. UDI has been recognized to be in the top 1% of technology companies in North America for both its deep technical expertise and premier certifications. Universal Data has been in business for 30 years and has an established reputation with our clients and community.
  • Universal Data offers deeply integrated service offerings for seamless, dependable solutions. This is why UDI has chosen Juniper Networks as one of our premier technology partners. Juniper products and technologies run the world’s largest and most demanding networks today, enabling clients to create value and accelerate business success within the new, rapidly changing global marketplace. Juniper clients include the top 130 global service providers, the Fortune Global 100, as well as hundreds of federal, state and local government agencies and higher education organizations throughout the world.
  • Mobile devices have infiltrated every aspect of our lives, from home and leisure time to work, and today's workforce is mobile, which presents opportunities and challenges for enterprises and SMBs alike. For instance, today's mobile worker would rather use their own personal mobile device while at work: consumer mobile devices are many times more powerful, easier and more fun to use than standard corporate-issued mobile devices. In many cases organizations are encouraging their employees and contractors to use their personal mobile devices to access the corporate network, cloud, applications and data; this is the Bring Your Own Device, or BYOD, initiative. Even companies that still distribute corporate-managed mobile devices have challenges, such as those corporate devices being put to personal use by employees and contractors. Many mobile workers today have multiple devices (one, two or sometimes even three different smartphones, a tablet, and so on), all of which may be managed by different service providers and data plans and run different mobile operating systems, and all of which are requested for use to access the corporate network and applications. Today's mobile, global workforce also requires remote access to the corporate network, cloud and resources from virtually anywhere in the world, at any time. And with the surge in personal mobile devices being used in the corporate environment, as well as corporate-issued mobile devices being used personally, the organization no longer has control over the device that is accessing its "crown jewels". The organization has no control over a user downloading unknown, unapproved or poorly secured apps to a personal or corporate-issued mobile device. Plus, users store all sorts of data on mobile devices, whether their own or the company's: personal information such as usernames and passwords, banking information, personal health data and more, as well as sensitive corporate data, critical apps, even corporate IP. So, what happens to that stored data if the device is infected, hacked, lost or stolen?
  • Global mobile data traffic is forecast to grow 26x in the next five years, to over 6 million terabytes per month. Example: the graph on this slide shows what I call the "I" phenomenon. It's a very large Midwestern university: about 9,000 access points, 300 acres, 50,000 students. In the spring of 2010 it saw about 40,000 wireless sessions per day, a lull over the summer break, and then in the fall of 2010 more than three times the number of daily wireless sessions. By the fall of 2011 it was 300,000 wireless sessions. The university didn't go out and get another 100,000 students; this is students coming back with mobile devices, iPads, that kind of thing.
  • The time for enterprise mobility is now. According to IDC, by 2013 more than 1.19 billion workers worldwide will be using mobile technology, accounting for 34.9% of the workforce. Mobile Internet has just reached an inflection point, taking center stage as the desktop computer becomes secondary.
    The new security landscape:
    - Attacker: in 2005 we saw a shift in attacker motivation from pursuing notoriety to profitability. Today cybercrime is fully organized, and we see crime syndicates out to profit from attacks.
    - Threats: while we see new types of attacks, we also see existing attack types morphing. A few years ago the majority of malware was in cleartext, which could often be detected by AV or IDP solutions. Today over 80% of malware uses encryption, compression or file packing to bypass traditional AV or IDP technologies. We also see threats moving with the Web 2.0 trend, through browsers and traditionally open ports like port 80.
    - Target: we also see significant changes in attack targets. Over the past few years there has been an explosion in the volume of data, and the devices attackers target now range from smartphones to tablets to cloud services.
    The explosive growth in mobility shows no signs of slowing down and is driving demand for network innovations.
  • Identity theft; liability; management of devices.
  • How do we need to address these major market trends?
    1. Mobility to empower business success: safe and simple mobility while protecting assets.
    2. Wired-like experience everywhere: scalability without complicating the network.
    3. Continuity of rich media apps: automated, uninterrupted service.
    (NOTE: we need to add to the Simplicity message here.)
  • Key points: Juniper provides a complete set of wireless, Ethernet and security products to easily manage multiple devices per user. The same access policy is applied irrespective of the number of devices, and it is specific to A.J. In order for A.J. to connect to the VoIP and video websites, both sessions have to be authenticated and granted access via the wireless network. Let's take a look at the functional blocks involved. We start by having both the phone and the iPad authenticate to the AP using 802.1X. The AP passes this information about A.J. to the wireless LAN controller (WLC). The WLC sends the request to the UAC/MAG for RADIUS authentication. After the authentication is verified, the information is sent to the LDAP directory for registration/validation and then passed back to the WLC. The WLC notes the new policy and sends the access approval back to the AP. The AP sets the policies determined for A.J., then passes the assigned IP addresses down to the phone and the iPad. Step one is complete: A.J. is authenticated for access on the company network.

Transcript

  • 1. SIMPLY CONNECTED: BYOD. Presented by Richard Tando, Chief Technology Officer, Universal Data, Inc.
  • 2. MEET THE UDI TEAM
    - Richard Tando, CTO, Universal Data, Inc.
    - Denise Biskupovich, SLED Account Executive, Universal Data, Inc.
    - Alex Battard, Senior Connectivity Engineer, Universal Data, Inc.
    - Rachel Hymel, Connectivity Account Manager, Universal Data, Inc.
    - Peter Dakin, Sales Manager, Universal Data, Inc.
    - Joelle McWilliams, Account Executive, Universal Data, Inc.
    Copyright © 2011 Juniper Networks, Inc. www.juniper.net
  • 3. MEET THE JUNIPER TEAM
    - Molly Marks, Sr. Partner Account Manager, Juniper Networks
    - Chris Calvert, Mobility Product Specialist, Juniper Networks
    - Greg Luebke, Commercial Account Manager, Juniper Networks
  • 4. Founded 30 years ago by Jim Perrier, who remains active as President. A company built on the principle that as technology changes, UDI will adapt, additionally helping our clients realize change. UDI is not identified by a single product or service, but by the adaptability and the strength of our team.
  • 5. UDI AND JUNIPER
  • 6. TODAY'S MOBILE WORKFORCE DEMANDS AND CHALLENGES
    - ANY Device: personal devices used for work (BYOD); work devices used for personal activities; multiple device types and service providers
    - ANY Location: anytime, anywhere mobile remote access; users with multiple devices
    - ANY Application: users download unknown or ill-secured apps; users access and store data from personal and business apps
  • 7. INCREASED EXPECTATIONS FOR NETWORKS. Chart: unique daily wireless sessions at a large American university (~50,000 students, multiple devices per student), Spring 2010 through Fall 2011; y-axis 0 to 400,000 sessions, roughly 6x growth over the period.
  • 8. MAJOR MARKET TRENDS: MOBILITY WITH INCREASING SCALE
    - New devices: device proliferation
    - New applications: app proliferation (Internet, information services, ERP)
    - Security risks: attack sophistication/maturity increasing from virus, trojans and worms through DoS, malware and botnets to APT; risk proliferation
  • 9. IF A COFFEE SHOP CAN DO IT, WHY CAN'T I?
  • 10. HOW ARE WE ADDRESSING THESE CHALLENGES? SIMPLY CONNECTED
    - Unified Policy / Security: industry's most comprehensive solution with unified policy and security for BYOD and mobility (switching, wireless, security, routing)
    - High Performance at Scale: industry's highest performance network
    - Highly Resilient: industry's only fully automated, uninterrupted network service
    "All the great things are simple." - Albert Einstein
  • 11. MOBILE USER TYPES
    - Guest devices (open access, captive portal): self provisioning; simple experience; device type aware policy
    - Employee owned devices (BYOD): self provisioning; secure certificate based authentication; device type aware policy; application aware policy
    - Corporate issued/owned devices: self provisioning; secure certificate based authentication; device type aware policy; application aware policy; on-device security; device management; application management; content monitoring
  • 12. WHAT ARE THE NEEDS OF BYOD?
    - Provisioning: on-board mobile devices easily, clientless and app based; support the full cross section of devices (iOS, Android, Windows, Mac); self contained certificate management; Pulse Device Id server for Pulse based provisioning
    - Device profiling and policy: classify the device types; apply policy based on device type; continuously profile devices for audit and other security reasons
    - Visibility: inventory of device types and driver versions; reduce help desk calls by simplifying provisioning and remediation; keep an audit trail of client configuration
  • 13. JUNIPER WIRELESS BYOD SOLUTION COMPONENTS
    - Provisioning: clientless provisioning with SmartPass Connect; client based provisioning with SmartPass Connect and Junos Pulse
    - Device profiling: basic profiling with Juniper WL controllers / SmartPass; advanced profiling with SmartPass
    - WLAN management: Ringmaster
    - Visibility and management: Ringmaster, SmartPass
  • 14. SMARTPASS CONNECT: CLIENTLESS PROVISIONING
    - Product offering: wired/wireless endpoint provisioning; clientless provisioning, complementary to Junos Pulse; best of breed in the industry, very highly tested and widely deployed
    - Wireless provisioning: Windows, Mac, iOS, Android, even Linux
    - Software provisioning: can provision NAC agents; can provision Junos Pulse or any other mandatory software
    - Advanced validation: check requirements on driver versions; disable existing config applications; normalize the config elements and applications
    - Management: network management gains a 360 degree view
    - Closed loop feedback: ability to post full details about devices; device type, driver version, etc. can be sent
    - Wired provisioning: provisioning of wired Windows, Mac and Linux devices
  • 15. HOW DOES SMARTPASS CONNECT WORK? SPC allows agent-less network provisioning (components: web server, AAA server, network management, admin console, open SSID, secure SSID):
    1. IT admin configures network parameters
    2. IT admin deploys the configuration files to a local web server
    3. User connects to the local web server and downloads the configuration
    4. SPC's (dissolvable) client runs through the configuration on the device
    5. User device connects to the secure network
    6. SPC client securely logs device details to the network management application and dissolves
  • 16. ONBOARDING GUEST USERS (components: WLC, SmartPass, EX Series, AP, Clickatell SMS gateway service)
    1. Unknown device (tablet/smartphone) connects to the open captive portal SSID
    2. User session is captured and redirected to SmartPass
    3. User selects SmartPass self-registration and creates a temporary user credential
    4. SmartPass sends the temporary credential to the end user via the Clickatell SMS service
    5. User uses the temporary credentials to authenticate against SmartPass
    6. User is connected to the network using mobile phone number and temporary password
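In the guest flow above the whole trust decision rests on a temporary password sent by SMS, so that credential has to be random, short-lived, bound to the phone number it was sent to, and rate-limited against guessing. The Python below is an added example written for this page, not SmartPass or Clickatell code; the in-memory store, the code alphabet and length, the lifetime and the lockout threshold are all assumptions.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Dict

# Constructed parameters for this example; SmartPass's real defaults are not on the slide.
CODE_ALPHABET = string.ascii_uppercase + string.digits   # easy to retype from an SMS
CODE_LENGTH = 10                                         # 36**10 ~ 3.6e15 possibilities
DEFAULT_TTL_SECONDS = 8 * 3600                           # one working day
MAX_FAILED_ATTEMPTS = 5                                  # then the credential is dead
PBKDF2_ROUNDS = 100_000


def _hash_code(code: str, salt: bytes) -> bytes:
    # Stretched, salted hash: a copy of the guest table must not yield usable codes.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class GuestRecord:
    salt: bytes
    code_hash: bytes
    expires_at: int
    failed_attempts: int = 0


class GuestCredentialStore:
    """In-memory stand-in for the guest credential database (assumed, not the product's)."""

    def __init__(self) -> None:
        self._records: Dict[str, GuestRecord] = {}

    def issue(self, phone: str, now: int, ttl: int = DEFAULT_TTL_SECONDS) -> str:
        """Create a fresh temporary password for `phone` and return it for SMS delivery.
        Re-issuing replaces any earlier code for the same number."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        salt = secrets.token_bytes(16)
        self._records[phone] = GuestRecord(salt, _hash_code(code, salt), now + ttl)
        return code

    def verify(self, phone: str, code: str, now: int) -> bool:
        """Username is the phone number, password is the SMS code. True on success."""
        rec = self._records.get(phone)
        if rec is None:
            return False
        if now >= rec.expires_at:               # expired codes are purged, not just refused
            del self._records[phone]
            return False
        if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return False                        # locked: even the right code no longer works
        candidate = _hash_code(code.strip().upper(), rec.salt)
        if hmac.compare_digest(candidate, rec.code_hash):
            return True
        rec.failed_attempts += 1
        return False
```

The lockout is keyed on the phone number, so an attacker who knows a guest's number can lock that guest out; in a real deployment pair it with the captive portal's per-source rate limiting rather than relying on it alone.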
  • 17. ONBOARDING EMPLOYEE OWNED MOBILE DEVICES (components: WLC, SmartPass, SmartPass Connect, UAC, EX Series, AP, AD/Certificate Authority, corporate data center)
    1. Unknown device (tablet/smartphone) connects to the open captive portal SSID
    2. User session is captured and redirected to SmartPass
    3. SmartPass web portal presents the captive portal and redirects the client to the provisioning portal
    4. Provisioning portal pushes the native supplicant configuration wizard to the client device
    5. Provisioning portal gets user credentials from the wizard, validates them against AD, and requests a user certificate for the end user
    6. Provisioning wizard gets the EAP-TLS configuration profile (and certificate) from the provisioning portal; the agent dissolves
    7. User selects the secure wireless network and the device authenticates to RADIUS without requiring the user to enter credentials
  • 18. PROVISIONING CORPORATE OWNED MOBILE DEVICES (components: WLC, W2K8 certificate server, EX Series, UAC, AP, Mobile Security Suite, corporate data center)
    1. Device (tablet/smartphone) completes registration with MSS and downloads the wireless iOS profile via MDM profile (user is still connected to the open SSID)
    2. Wireless profile contains: 1) Wi-Fi EAP-TLS settings (certificate based auth); 2) SCEP profile for the device to enroll for a new certificate; 3) CA certificate to use for server validation
    3. Device installs the profile and acquires a user certificate from the corporate certificate authority via the SCEP enrollment process
    4. User connects to the secure SSID and authenticates to RADIUS using the required certificate
    5. User is now connected to the secure SSID with no user input of credentials
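The third item in that wireless profile, the CA certificate "to use for server validation", is what keeps a rogue access point broadcasting the same SSID from harvesting the device's EAP session: the supplicant must accept only a RADIUS server whose certificate chains to the corporate CA and whose name is on the expected list, and it must not let the user click through an unknown server. The Python below is an added example, not Juniper or Apple code, that builds such an iOS configuration profile with the standard library's plistlib (the three payloads the slide lists) and then checks a profile for the settings that make server validation work. The SSID, SCEP URL, payload identifiers and the placeholder CA blob are constructed for the example.

```python
import plistlib
import uuid

# Constructed stand-in for the corporate CA certificate (DER). A real deployment
# embeds the actual CA that signs the RADIUS server certificate.
CA_CERT_DER = b"\x30\x82\x01\x00" + bytes(64)


def _payload(ptype: str, ident: str, name: str, **extra) -> dict:
    # Common keys every payload dictionary must carry.
    p = {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
         "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadDisplayName": name}
    p.update(extra)
    return p


def build_eaptls_profile(ssid, scep_url, scep_challenge, subject_cn,
                         trusted_server_names, ca_cert_der):
    """Return a configuration profile (plist bytes) with the three payloads the slide lists:
    root CA, SCEP enrollment, and a Wi-Fi network that accepts only EAP-TLS."""
    ca = _payload("com.apple.security.root", "com.example.byod.ca", "Corporate Root CA",
                  PayloadContent=ca_cert_der)
    scep = _payload("com.apple.security.scep", "com.example.byod.scep", "Device certificate",
                    PayloadContent={
                        "URL": scep_url,
                        "Name": "CorpCA",
                        "Subject": [[["CN", subject_cn]], [["O", "Example Corp"]]],
                        "Challenge": scep_challenge,   # one-time challenge from the MDM/SCEP server
                        "Keysize": 2048,
                        "Key Type": "RSA",
                        "Key Usage": 5,                # digital signature + key encipherment
                    })
    wifi = _payload("com.apple.wifi.managed", "com.example.byod.wifi", f"Wi-Fi {ssid}",
                    SSID_STR=ssid, HIDDEN_NETWORK=False, AutoJoin=True, EncryptionType="WPA2",
                    PayloadCertificateUUID=scep["PayloadUUID"],   # identity = SCEP-enrolled cert
                    EAPClientConfiguration={
                        "AcceptEAPTypes": [13],                            # 13 = EAP-TLS only
                        "TLSTrustedServerNames": list(trusted_server_names),
                        "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]],
                        "TLSAllowTrustExceptions": False,   # no click-through on unknown server
                    })
    profile = _payload("Configuration", "com.example.byod", "Corporate Wi-Fi (EAP-TLS)",
                       PayloadContent=[ca, scep, wifi])
    return plistlib.dumps(profile)


def check_profile(profile_bytes: bytes) -> list:
    """Flag Wi-Fi payloads that would let a look-alike AP impersonate the corporate RADIUS server."""
    findings = []
    for p in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = p.get("SSID_STR", "?")
        eap = p.get("EAPClientConfiguration", {})
        if eap.get("AcceptEAPTypes") != [13]:
            findings.append(f"{ssid}: AcceptEAPTypes offers more than EAP-TLS: {eap.get('AcceptEAPTypes')}")
        if not eap.get("TLSTrustedServerNames"):
            findings.append(f"{ssid}: no TLSTrustedServerNames, any cert from the anchor CA is accepted")
        if not eap.get("PayloadCertificateAnchorUUID"):
            findings.append(f"{ssid}: no PayloadCertificateAnchorUUID, RADIUS cert not pinned to the corporate CA")
        if eap.get("TLSAllowTrustExceptions", True):   # absent is treated as allowed
            findings.append(f"{ssid}: TLSAllowTrustExceptions lets the user accept an unknown server")
    return findings


def strip_server_validation(profile_bytes: bytes) -> bytes:
    """The weak variant: drop server validation from every Wi-Fi payload so the supplicant
    would trust any RADIUS server. Exists only to show what check_profile catches."""
    profile = plistlib.loads(profile_bytes)
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") == "com.apple.wifi.managed":
            eap = p["EAPClientConfiguration"]
            eap.pop("TLSTrustedServerNames", None)
            eap.pop("PayloadCertificateAnchorUUID", None)
    return plistlib.dumps(profile)
```

The same check is worth running against profiles exported from an MDM before they are pushed: a profile that enrolls a certificate but omits the trusted server names still "works" for the user, which is exactly why the omission goes unnoticed.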
  • 19. ENFORCING A "NO BYOD" POLICY WITH DEVICE PROFILING (components: WLC, UAC, EX Series, AP, Android tablet/smartphone)
    1. Mobile device connects to the secure wireless network
    2. Device is determined to be an Android device and is allowed on the network
    3. Device type policy is configured to restrict iPads; WLA holds device traffic for inspection
    4. WLA sends device type information to the WLC for matching against policy
    5. User 802.1X-authenticates to the wireless network
  • 20. NETWORK SEGREGATION AND APPLICATION FILTERING FOR BYOD DEVICES (components: Active Directory/LDAP, DHCP server/SmartPass, WLC, UAC, SRX, EX Series, AP, corporate data center with finance, video and application servers, Internet)
    1. Device is authenticated on the wireless network
    2. DHCP server/SmartPass communicates user and IP information to the UAC via IF-MAP
    3. UAC pushes role based ACL and firewall policies to the EX and SRX
    4. SRX enforces user policies, allowing the user basic access to all servers except finance
    5. SRX AppSecure policies block non-work related applications like Hulu and Netflix
    The SRX AppTrack feature, combined with MAG data, collects per-user application information, providing detailed reports in STRM.
  • 21. ENFORCING NETWORK ACCESS POLICIES (components: Active Directory/LDAP, patch server, WLCs, EX4200 VC, EX4500 VC, SRX, MAG, corporate data center with finance, video and application servers, Internet)
    1. Pulse detects the device is on the corporate network and, per user policy, disables any active VPN sessions
    2. During 802.1X authentication, the MAG verifies the PC meets company security policy requirements
    3. Compliance check fails: antivirus signatures are out of date, so the user is quarantined to the remediation VLAN; the patch server updates the signatures; the user is now in compliance and granted network access
    4. MAG pushes role based firewall policies to the EX and SRX
    5. SRX enforces user policies, allowing the user basic access to all servers except finance
    6. SRX AppSecure policies block non-work related applications
    The SRX AppTrack feature, combined with MAG data, collects per-user application information, providing detailed reports in STRM.
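Slides 19 to 21 describe one decision chain: classify the device from what it puts on the wire, apply the device-type policy, run the host check during 802.1X, and only then derive VLAN, server ACL and application filter from the user's role. The Python below is an added example that encodes that chain as a small policy engine; it is not Juniper UAC/MAG, WLC or SRX code, and the role names, VLAN IDs, server names, signature-age threshold and device fingerprints are assumptions chosen to match the slides' scenario.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed policy tables for this example; the role names, VLAN IDs, server
# names and application names are assumptions, not Juniper configuration.
ROLE_VLAN = {"staff": 100, "finance": 110}
REMEDIATION_VLAN = 900
MAX_SIGNATURE_AGE_DAYS = 7
BLOCKED_APPS = {"hulu", "netflix"}                           # non-work apps named on the slide
BYOD_ALLOWED_DEVICE_TYPES = {"android", "windows", "mac"}    # iPads restricted, as in slide 19
DATA_CENTER_SERVERS = {"finance", "video", "apps"}


def profile_device(dhcp_vendor_class: str, user_agent: str) -> str:
    """Classify the endpoint from what it puts on the wire (DHCP option 60 and the
    captive-portal User-Agent), not from anything the user types into a form."""
    vc, ua = dhcp_vendor_class.lower(), user_agent.lower()
    if "android" in vc or "android" in ua:
        return "android"
    if "ipad" in ua:
        return "ipad"
    if "iphone" in ua:
        return "iphone"
    if "msft" in vc or "windows nt" in ua:
        return "windows"
    if "macintosh" in ua:
        return "mac"
    return "unknown"


@dataclass
class Endpoint:
    user: str
    role: str                      # from the AD/LDAP lookup during 802.1X
    device_type: str               # from profile_device()
    corporate_owned: bool
    av_signature_age_days: int     # reported by the host checker during 802.1X
    vpn_active: bool = False


@dataclass
class Decision:
    admitted: bool
    reason: str
    vlan: Optional[int] = None
    allowed_servers: Set[str] = field(default_factory=set)
    blocked_apps: Set[str] = field(default_factory=set)
    drop_vpn: bool = False


def evaluate(ep: Endpoint) -> Decision:
    # 1. Device-type policy: the "no BYOD" rule for restricted types is applied before
    #    credentials are considered, so a valid user on a personal iPad still fails.
    if not ep.corporate_owned and ep.device_type not in BYOD_ALLOWED_DEVICE_TYPES:
        return Decision(False, f"device type '{ep.device_type}' is not permitted for BYOD")
    # 2. Host check: stale AV signatures land the endpoint in the remediation VLAN,
    #    where only the patch server is reachable until it re-authenticates.
    if ep.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        return Decision(True, "AV signatures out of date; quarantined for remediation",
                        vlan=REMEDIATION_VLAN, allowed_servers={"patch"})
    # 3. Role-based access: VLAN, server ACL and application filter follow the role.
    vlan = ROLE_VLAN.get(ep.role)
    if vlan is None:
        return Decision(False, f"no access policy for role '{ep.role}'")
    servers = set(DATA_CENTER_SERVERS) if ep.role == "finance" else DATA_CENTER_SERVERS - {"finance"}
    return Decision(True, f"role '{ep.role}' admitted", vlan=vlan,
                    allowed_servers=servers, blocked_apps=set(BLOCKED_APPS),
                    drop_vpn=ep.vpn_active)   # on the corporate LAN the VPN is torn down


def server_allowed(d: Decision, server: str) -> bool:
    return d.admitted and server in d.allowed_servers


def app_allowed(d: Decision, app: str) -> bool:
    return d.admitted and app.lower() not in d.blocked_apps
```

The order of the three checks is the point: profiling before authentication means the device type cannot be influenced by a valid credential, and the host check before the role lookup means an out-of-date machine never receives its role's VLAN and ACLs, however privileged the user.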
  • 22. SIMPLY CONNECTED: MOST COMPLETE CAMPUS/BRANCH ARCHITECTURE
    - Unified Management (Junos Space, Ringmaster): single pane of glass for wired/wireless/VPN; proactive fault management; automated services; policy lifecycle management; full lifecycle management; advanced troubleshooting; automated reporting; 3rd party integration; One Mgmt
    - Network Services Policy (Unified Access Control, AppSecure / Firewall): role based access; app aware policy; policy orchestration; host checking; app aware firewall; security for BYOD, wired or wireless devices and corporate liable devices; guest self provisioning; integrated guest access; application, user, device and location aware policy; sophisticated policy; IF-MAP coordination; One Policy
    - Unified Network Architecture (EX Series Switching, WL Series Wireless): virtual chassis; L2-L7; app aware QoS; clustering; seamless network integration; highly scalable; high performance; highly resilient; best in class WL Series wireless; location; RF-Firewall; One Network
    - Complete enterprise portfolio with options for deployments of all sizes: WL, EX, SRX, UAC, Pulse; architectural evolutions for seamless integration and investment protection
  • 23. LEARN MORE ABOUT SIMPLY CONNECTED
    - Simply Connected Campus Solution Brief
    - Simply Connected Solution Brochure
    - Topographies for the Horizontal Campus Validated Design Guide
    - Enterprise Strategy Group White Paper: A Business-Driven Approach to Mobile Enterprise Security
    - More Simply Connected Information