Securing BYOD with Palo Alto & Aruba: BYOD is driving an extensive change in the way that organizations design their networks and deploy security. With BYOD, the organization faces the task of securing devices that may not even be owned or managed by the company. As a result, the organization must secure the network and apply policy based on who is accessing their applications and what device they’re using. In this session, learn about how to build a more secure wireless environment through the adoption of “Zero Trust” principles at the access layer.
In this session, join Brian Tokuyoshi, senior product manager from Palo Alto Networks, to learn about how to integrate Aruba wireless infrastructure and Palo Alto's next-generation security platform. Please comment on what you think about the session and anything specific you would like us to cover. For more please visit http://community.arubanetworks.com
Aruba believes IT should think about building the all-wireless office for GenMobile. The all-wireless office has “4 S’s”:
Stable Air – Companies can’t have Wi-Fi that slows down as the network experiences high density, especially as users move around to different areas of a building and introduce bursts of traffic.
Secure Air – Personal devices that GenMobile guests, employees and contractors bring in should be able to be secured without involving IT. The time it takes for IT to enable simple tasks like getting online, checking email, etc. is just not worth it.
Simple Air – Logging in to cloud apps, screen projecting, or printing needs to be hassle-free. For GenMobile, having single sign-on or automated authentication on mobile devices will dramatically simplify the login experience.
Smart Air – Mobile apps should be able to learn their indoor location, get priority for work use, and get less priority for personal use.
All of the features just described are delivered as hardware or virtual appliances that can authenticate up to 500, 5000 and 25000 unique devices per week. ClearPass is also unique in that the base appliance includes our entire feature set – RADIUS and TACACS services, policy engine, identity broker features, as well as each of the add-on modules in the form of a starter bundle for Guest, Onboard, OnGuard and WorkSpace. The add-on modules are expandable per use case, which means that customers with 100 guests per week only need to license for that amount. The same goes for onboarding personal or BYO devices. They’re not required to purchase advanced licenses or features they won’t use.
Other customer benefits include the ability to create policies that query multiple identity stores, connect multiple Active Directory domains, leverage external MDM solutions and work in Wi-Fi, wired and VPN environments. Again, without purchasing special licensing.
To eliminate silos, Aruba ClearPass is designed to deliver user and device visibility, automated workflow services and policy management enforcement, all from a single platform. Built-in device profiling provides a comprehensive picture of what’s connecting to the network, which makes it simple to differentiate access for BYOD and IT-managed devices. Real-time troubleshooting tools help IT create policies that work and also solve connectivity issues. For example, an access dashboard and per-session logs allow IT to easily see why a user had a problem without having to peruse lengthy log databases. To help off-load IT, ClearPass includes automated features that allow users to self-provision personal devices and register media sharing devices like an Apple TV or just a printer. ClearPass Guest lets visitors self-register, or sponsors can create credentials that automatically expire. Device management services extend MDM capabilities with network control and enforcement. A built-in CA can be used to distribute and manage device-specific certificates. Users can even re-install or revoke certificates for lost or stolen devices.
The policy component brings it all together by allowing organizations to create granular policies for Aruba and multivendor Wi-Fi, wired and VPN networks. A role-based model allows you to assign and differentiate access by user, device and other contextual attributes like location, job function and device ownership. All this from a single pane of glass.
Real cyberattacks are considerably more sophisticated than the attacks that one would have expected to see even a few years ago. Most of these attacks leverage multiple steps, in which each step builds on the previous one toward a strategic goal. Multiple techniques are coordinated to work together, and the attackers attempt to hide their traffic and infrastructure whenever possible. This example walks through the very common steps of a modern data breach.
Step 1 – Many attacks today begin by using a compromised website to deliver an exploit and malware to an end user. This process is called a drive-by download, and it often begins with something called an exploit kit. For example, Blackhole is a very well-known exploit kit. An attacker can craft a website that uses the exploit kit or simply find a vulnerable website where the attacker can add his exploit kit code. Either way, once the exploit kit code is running on the target website, the exploit kit will automatically identify vulnerable visitors to the site and exploit the end-user machine.
Step 2 – Once the exploit has been delivered to the target, the user is compromised, and the attacker can deliver malware to the compromised user. The malware is typically not delivered from the same site hosting the exploit kit, as this would very quickly make it obvious that the site was infected. Instead, the attacker will redirect traffic to a new or unknown domain to deliver the malware. The attacker can constantly cycle through these domains to keep his operation a secret.
Step 3 – Once malware is delivered to the target, it is often the job of the first-stage malware to establish persistence and communication on the infected host. In many cases this is done via a rootkit and downloader. ZeroAccess is a very common rootkit that meets this requirement, but there are many others.
Step 4 – Once the rootkit is installed, it now needs to set up a command-and-control channel with the remote attacker. This link is one of the most important in the attack lifecycle because it provides the attacker with remote control over his attack, and a control point inside the target network. This traffic tends to be highly evasive because the attacker is in control of both ends of the connection (both the malware sending the traffic and the server that it is communicating with). This gives the attacker a great deal of freedom in terms of ports, protocols, encryption and tunneling.
Step 5 – Once the attacker is inside the network and can communicate back out, he can now download a second wave of malware that is more geared to the actual goal of the attack, such as stealing information. These payloads can be customized to a particular attack and often give a more unique view into the attacker and the ultimate goal of an attack.
Step 6 – Often it is the goal of the secondary payload to dig deeper into the network to access protected data. To do this the attacker will attempt to spread to other nodes in the network, and to escalate his privilege in the network. For example, the attacker may have initially compromised a low-level employee with limited rights on the network. The attacker may try to use that initial compromise to steal credentials for a network administrator, which in turn would provide free rein over the network.
Step 7 – As part of digging deeper into the network, attackers will often leverage a variety of hacking tools to enumerate the internal environment, find weaknesses and steal data. Furthermore, the attackers will use a variety of techniques to quietly communicate from inside the network. This can include custom protocols designed by the attackers, or covert communications tunneled within allowed traffic.
Step 8 – Of course, the ultimate goal of most attacks is to steal data. What this data is will of course vary depending on the target, but it can include everything from credit card numbers to personally identifiable information, to trade secrets and intellectual property. This often requires using applications that are effective at transferring large volumes of data, such as FTP, peer-to-peer applications or other web-based file transfer applications.
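As an added example (not from the session, and not code from Palo Alto Networks or Aruba), the following Python script scans constructed web-proxy log lines for two of the defender-visible behaviours described in steps 4 and 8 above: regular beaconing from one client to an unknown domain, and a single bulk upload to an unknown domain. The log format, the known-good domain list and the thresholds are assumptions.

```python
"""Detect beaconing (step 4) and bulk uploads (step 8) in proxy logs.
Added example; log format, known-good list and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample proxy log: "<iso-timestamp> <client-ip> <host> <bytes-out>"
SAMPLE_LOG = """\
2014-05-01T09:00:00 10.1.1.5 intranet.example.com 512
2014-05-01T09:00:30 10.1.1.5 cdn-a9x.example-unknown.net 200
2014-05-01T09:01:30 10.1.1.5 cdn-a9x.example-unknown.net 200
2014-05-01T09:02:30 10.1.1.5 cdn-a9x.example-unknown.net 200
2014-05-01T09:03:30 10.1.1.5 cdn-a9x.example-unknown.net 200
2014-05-01T09:05:00 10.1.1.5 ftp-drop.example-unknown.net 60000000
2014-05-01T09:06:00 10.1.1.7 mail.example.com 3000
"""

# Assumed allow-list of hosts the organization already trusts.
KNOWN_GOOD = {"intranet.example.com", "mail.example.com"}


def parse(log_text):
    """Turn each log line into (timestamp, client_ip, host, bytes_out)."""
    events = []
    for line in log_text.splitlines():
        ts, ip, host, out = line.split()
        events.append((datetime.fromisoformat(ts), ip, host, int(out)))
    return events


def find_beacons(events, min_hits=4, max_jitter_s=5.0):
    """Flag (client, host) pairs that hit an unknown host at near-constant intervals."""
    times = defaultdict(list)
    for ts, ip, host, _ in events:
        if host not in KNOWN_GOOD:
            times[(ip, host)].append(ts)
    beacons = []
    for key, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        if pstdev(gaps) <= max_jitter_s:  # low spread in gaps = machine-like timing
            beacons.append(key)
    return beacons


def find_bulk_uploads(events, threshold_bytes=50_000_000):
    """Flag single requests that push a large volume to an unknown host."""
    return [(ip, host, out) for _, ip, host, out in events
            if host not in KNOWN_GOOD and out >= threshold_bytes]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("beacons:", find_beacons(ev))
    print("bulk uploads:", find_bulk_uploads(ev))
```

In a real deployment the allow-list would come from profiling data rather than a hard-coded set, and the beacon check would run over a sliding window per client.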
In the next 10 minutes, I’m going to walk you through our unique approach to secure your network infrastructure and defeat advanced and targeted threats. It basically consists of 3 steps: the first is where you apply positive controls. It’s typically done by next-generation firewalls, and Steps 2 and 3 are about