Shanghai Breakout: Access Management with Aruba ClearPass
CONFIDENTIAL
© Copyright 2014. Aruba Networks, Inc.
All rights reserved
#AirheadsConf
2. Agenda
Defining Adaptive Policies
Context Collection
Leveraging Context in NAC Policies
Enhancing User Experience, Operations, and Security with Context
3. Why Adaptive Policies?
THEN: Predictable Desk Access
NOW: Access from Anywhere
4. Deciphering Context for Policy Decisions
Jailbroken phone? BYOD? Guest? Office? Device type? Firewall enabled? Employee? Skim milk?
Policies must adapt to conditions
5. Common Security Questions
• Is this a corporate device or a personal device connecting to my wireless network with my employee’s account information?
• Is this a printer or a computer connecting to my wired network without 802.1X?
• How do I keep corporate devices off the Guest SSID?
• I trust my corporate assets, but I need to be able to check the compliance of contractor computers when they connect, and to restrict contractors from using mobile devices. How?
6. Adaptive Trust: Context Collection
7. The Heart of an Adaptive Trust Decision
Usable Context:
• User & role
• Device & type
• Ownership - IT or BYOD
• Access type
• Auth type - credentials or certificate
• Location - Secure or open access
• Device assessment
• App traffic & behavior
• Session rules
• Time-of-day / Day-of-Week
8. Sources of Usable Context
Device Profiling:
• Samsung SM-G900
• Android
• “Jons-Galaxy”
EMM/MDM:
• Personal owned
• Registered
• OS up-to-date
• Hansen, Jon [Sales]
• MDM enabled = true
• In-compliance = true
Identity Stores:
• Hansen, Jon [Sales]
• Title – COO
• Dept – Executive office
• City – London
Enforcement Points:
• Location – Bldg 10
• Floor – 3
• Bandwidth – 10Mbps
9. Adaptive Trust: Sources of Usable Context
Identity
• Hansen, Jon [Sales]
• COO, Executive Office
• London
• Personal Owned
• Samsung SM-G900
• Android 4.4, Knox
• MDM enabled = true
• In-compliance = true
• At Bldg 10, floor 3
• 21:22GMT, 21/12/14
10. Context Sources
• External:
  • Network Devices
  • Radius/TACACS
  • AD/LDAP
  • SAML/OAUTH2/Okta
  • Radius
  • Kerberos
  • Token Servers
  • SQL Databases
  • MDM Systems
  • Aruba Activate
  • HTTP
• Internal:
  • Endpoint DB
  • Profiling information from:
    • DHCP
    • HTTP
    • SNMP
    • IOS Device Sensor
    • ActiveSync
    • OnGuard
    • Onboard
  • Insight DB
  • Session/State Information
  • Guest User/Device DB
  • Date/Time
  • LocalUser DB
11. Context Examples
12. Adaptive Trust: Leverage Context in Policy Decisions
13. Adaptive Policy Driven by Context
Corporate Tablet: Authentication EAP-TLS, SSID CORP-SECURE → Internet and Corporate Apps
BYOD Tablet: Authentication EAP-TLS, SSID CORP-SECURE → Internet Only
14. ClearPass Policy Model – AuthN vs AuthZ
ClearPass Policy Manager: Service Matching → Authentication → Authorization → Role Mapping → Enforcement
Context sources: AD/LDAP, Guest, Insight, Endpoint, Onboard, SQL, MDM, HTTP
Request = Radius: Username = Bob, Mac Address = XYZ, SSID = Secure, Location = Building 1
Added Context: MDM Enrolled = True, Device Type = iPad, Owner = Bob, Required Apps = True, Active Sessions = 2, AD Group = Exec, Corp Asset = True
Response = Radius: Accept, Reject, Attributes
15. Role-Mapping
• Role-Mapping is used to filter collected contextual data into “tags” (roles) that can be used in enforcement conditions.
• “Select All” vs “Select First” condition matching
• Careful of the “AND” / “OR” conditions
• Available Options:
  • Radius/TACACS Attributes
  • Authentication Attributes
  • Authorization Attributes (from any source)
  • Certificate Attributes
  • Endpoint Attributes
  • Date/Time Attributes
16. Sample Role Mapping
Context used in the sample rules: Device Context, Auth Context, User Context, Cert Context, Onboard Context, MDM Context
17. Enforcement Policies
• Condition-based rules that determine which enforcement profile(s) to use.
• Can signal multiple actions; more on that later.
• Leverages “Roles” assigned during Role-Mapping.
• Leverages the “Posture” token assigned during the posture check.
• Typically a top-down, “First Match” rule-matching algorithm.
18. Sample Enforcement Policy
Enforcement Policy screenshots: Using Roles for User and Device; Using Roles and Posture
19. Enforcement Profiles
• Profiles are essentially the enforcement “actions” you want to signal based on the set conditions.
• Multiple Types of Enforcement Profiles:
  • Radius
  • Radius CoA
  • SNMP
  • CLI
  • HTTP
  • Entity Update
  • OnGuard Agent
  • TACACS
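The flow on slides 13 through 19 (role mapping turns context into roles, a top-down first-match enforcement policy picks a profile from those roles plus the posture token, and the profile is the RADIUS attribute set returned) as an added Python illustration. This is not ClearPass code: the namespace-style attribute names, the rule contents, the posture token strings and the Aruba-User-Role values are constructed so that the corporate-tablet versus BYOD-tablet outcome from slide 13 falls out, and the last print shows what “Select First” role mapping does to the same session.

```python
"""Toy model of the ClearPass policy flow on the slides: role mapping turns
collected context into role tags, the enforcement policy picks a profile by
top-down first match over those tags (plus the posture token), and the profile
is the RADIUS attribute set returned to the enforcement point.
Added illustration only; attribute names and values are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class RoleRule:
    """One role-mapping rule: every condition (AND) or any condition (OR)."""
    role: str
    conditions: Dict[str, object]   # "Namespace:Attribute" -> required value
    match: str = "AND"

    def matches(self, ctx: Dict[str, object]) -> bool:
        hits = [ctx.get(attr) == want for attr, want in self.conditions.items()]
        return all(hits) if self.match == "AND" else any(hits)


def map_roles(ctx: Dict[str, object], rules: List[RoleRule],
              mode: str = "select_all") -> List[str]:
    """'select_all' collects every matching role; 'select_first' stops at the
    first hit, which is the gotcha the slide warns about."""
    roles: List[str] = []
    for rule in rules:
        if rule.matches(ctx):
            roles.append(rule.role)
            if mode == "select_first":
                break
    return roles


@dataclass
class EnforcementRule:
    """Fires when the session holds all required roles and, if set, the posture token."""
    required_roles: Set[str]
    profile: str
    posture: Optional[str] = None


def choose_profile(roles: List[str], posture: str,
                   policy: List[EnforcementRule], default: str = "Deny Access") -> str:
    """Top-down first match: the first rule that fires wins, later rules are ignored."""
    held = set(roles)
    for rule in policy:
        if rule.required_roles <= held and rule.posture in (None, posture):
            return rule.profile
    return default


# Enforcement profiles: the RADIUS attributes sent back in Access-Accept
# (constructed role names; None stands for Access-Reject).
PROFILES: Dict[str, Optional[Dict[str, str]]] = {
    "Corp Full Access": {"Aruba-User-Role": "corp-internet-and-apps"},
    "BYOD Internet Only": {"Aruba-User-Role": "internet-only"},
    "Quarantine": {"Aruba-User-Role": "quarantine"},
    "Deny Access": None,
}

ROLE_RULES = [
    RoleRule("Employee", {"Authorization:AD:memberOf": "Staff"}),
    RoleRule("Corporate Device", {"Endpoint:Corp Asset": True,
                                  "Authentication:Method": "EAP-TLS"}),
    # OR rule: a personal-owned endpoint or an Onboard-registered one counts as BYOD.
    RoleRule("BYOD", {"Endpoint:Ownership": "Personal",
                      "Onboard:Registered": True}, match="OR"),
]

POLICY = [
    EnforcementRule({"Employee", "Corporate Device"}, "Corp Full Access", posture="HEALTHY"),
    EnforcementRule({"Employee", "Corporate Device"}, "Quarantine"),   # any other posture
    EnforcementRule({"Employee", "BYOD"}, "BYOD Internet Only"),
]

# Constructed sessions: both tablets use EAP-TLS on CORP-SECURE, as on slide 13.
CORP_TABLET = {"Authentication:Method": "EAP-TLS", "Radius:SSID": "CORP-SECURE",
               "Authorization:AD:memberOf": "Staff", "Endpoint:Corp Asset": True,
               "Endpoint:Ownership": "Corporate", "Onboard:Registered": False}
BYOD_TABLET = {**CORP_TABLET, "Endpoint:Corp Asset": False,
               "Endpoint:Ownership": "Personal", "Onboard:Registered": True}


def decide(ctx: Dict[str, object], posture: str, mode: str = "select_all"):
    """Full pipeline: context -> roles -> profile name -> RADIUS attributes."""
    roles = map_roles(ctx, ROLE_RULES, mode)
    profile = choose_profile(roles, posture, POLICY)
    return roles, profile, PROFILES[profile]


if __name__ == "__main__":
    for name, ctx in (("corporate tablet", CORP_TABLET), ("BYOD tablet", BYOD_TABLET)):
        print(name, decide(ctx, "HEALTHY"))
    # Select First stops after "Employee", so the device role is never assigned
    # and the policy falls through to the default deny.
    print("select_first:", decide(BYOD_TABLET, "HEALTHY", mode="select_first"))
```

The ordering of POLICY is what makes the Quarantine rule safe: it sits below the HEALTHY rule, so it only catches corporate devices whose posture token is anything else, and the default is a reject rather than an accept.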
20. Adaptive Trust: Security, Operational, and User Experience Advantages
21. Security Disconnect
User context: Who: Bob; Group: Faculty; Device: Personal iPad; Location: Room 104; Time: 9am, Monday; Compliance: Healthy
Systems on the slide, each marked “?”: VPN, AAA/NAC, DHCP/DNS, AD/LDAP, Network Applications, Ticketing System, Proxy/Filter, Network Mgmt, FW
22. User and Operational Disconnect
Systems on the slide, marked “X” or “?”: VPN, AAA/NAC, DHCP/DNS, AD/LDAP, Network Applications, Ticketing System, Proxy/Filter, Network Mgmt, FW
• User can’t connect to the network
• User application access is slow or disconnects
• Where does the problem exist?
• When do you know about the problem?
• Where do you start?
23. Time for a New Perimeter Defense Model
Perimeter Defense: Firewalls, IDS/IPS, Physical, A/V, Web gateways
Mobility Defense: Firewalls, Access Policy Management, IDS/IPS/AV Enforcement Points, EMM/MDM
Policy needed for central point of control
24. Security and Usability Coordination
ClearPass at the center of: VPN, DHCP/DNS, AD/LDAP, Network Applications, Ticketing System, Proxy/Filter, Network Mgmt, FW
Who: Bob; Group: Faculty; Device: Personal iPad; Location: Room 104; Time: 9am, Monday; Compliance: Healthy; Mac Address: X; IP Address: Y; Airgroup Permissions
What if when the user connects:
- Update the FW
- Update the IPAM
- Update the Proxy
- Logon the application
- Update the WLAN
25. User Self Service
Self Service:
- BYOD Portal
- Device/Guest Registration
- Device Access Management
- Auto-Remediation
- Notification Pages
26. Operational Integration
- Auto Open Help Desk Ticket
- Notify User
- Integration into Network Management
27. Integration Options
• “Built In” Integration
  • MDM Actions
  • Palo Alto HIP Updates
  • Syslog
  • Splunk App
  • CEF/LEEF Support (Future)
  • Radius Proxy (future)
  • Inbound API
  • Web Pages: OnGuard DA, OnBoard, Device/User Registration, Notification/Warning
• “Build your own” Integration
  • ClearPass Exchange
  • REST/XML Based API
28. Mitigating Risks using 3rd Party Integration
Adaptive Trust / Identity
Jailbreak example:
1. Jail-broken device detected
2. ClearPass denies access to device
3. Helpdesk ticket auto generated; message to device auto generated
Integration paths: Syslog Messages, RESTful APIs (ClearPass Exchange)
29. Enforcement Example
“Sound the alarm!”
• Radius Action to force notification page
• Send user SMS notification
• Update Palo Alto Firewall
• Open Help Desk Ticket
• Send Email to security team
30. Dynamic Content based on Context
• Device, User, and Posture context can be pulled into actions and web pages.
• Leverages “NameSpace” variables in enforcement actions and web login pages.
31. NameSpaces in ClearPass
• Almost all of the “context” that is collected by ClearPass can be called up and used via dynamic “namespace” variables.
• For example:
  • %{Endpoint:Model}
  • %{Radius:Aruba:Aruba-Location-Id}
  • %{Authentication:Full-Username}
• These can be used in role mapping, enforcement profiles and policies, auth source filters/queries, etc., in place of static values.
• When used, the variable is replaced dynamically with the information pertaining to that device or user.
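How the %{Namespace:Attribute} substitution on this slide and the previous one works, as an added Python model; it is not ClearPass’s own substitution engine, and the session context, the Posture namespace and the Hostname attribute are constructed. Two details matter to an operator: an unresolved variable is left visible and reported rather than silently turning into an empty string, and values that originate from the endpoint (a DHCP hostname, for instance) are HTML-escaped before they are rendered into a web login or notification page.

```python
"""Expansion of ClearPass-style %{Namespace:Attribute} variables against a
context record. Added illustration, not ClearPass's own substitution engine;
the context values are constructed."""

import html
import re
from typing import Dict, Set, Tuple

# %{Namespace:Attribute}: the namespace runs to the first colon, the attribute
# may itself contain colons (Radius:Aruba:Aruba-Location-Id) or spaces.
VAR = re.compile(r"%\{([A-Za-z][\w-]*):([^}]+)\}")

# Constructed session context keyed by namespace, then attribute.
SESSION = {
    "Endpoint": {"Model": "Samsung SM-G900", "Hostname": "Jons-Galaxy"},
    "Radius": {"Aruba:Aruba-Location-Id": "Bldg10-Floor3"},
    "Authentication": {"Full-Username": "jhansen@example.com"},
    "Posture": {"Status": "HEALTHY"},
}


def expand(template: str, ctx: Dict[str, Dict[str, str]],
           for_html: bool = False) -> Tuple[str, Set[str]]:
    """Replace every %{ns:attr} with ctx[ns][attr].

    Unresolved references are left verbatim and reported in the returned set,
    so a mistyped attribute in a rule is visible instead of silently becoming
    an empty string. With for_html=True each value is HTML-escaped, because
    endpoint-supplied context (a DHCP hostname, for example) must not reach a
    web login or notification page unescaped."""
    missing: Set[str] = set()

    def sub(m: "re.Match[str]") -> str:
        ns, attr = m.group(1), m.group(2)
        value = ctx.get(ns, {}).get(attr)
        if value is None:
            missing.add(m.group(0))
            return m.group(0)
        return html.escape(str(value)) if for_html else str(value)

    return VAR.sub(sub, template), missing


# Notification text built from the three example variables on the slide plus a
# constructed Posture namespace.
NOTIFICATION = ("Hello %{Authentication:Full-Username}, your %{Endpoint:Model} "
                "at %{Radius:Aruba:Aruba-Location-Id} is %{Posture:Status}.")


if __name__ == "__main__":
    text, unresolved = expand(NOTIFICATION, SESSION)
    print(text, unresolved)
    # The hostname is endpoint-controlled: render it into a page with escaping.
    page, _ = expand("<p>Device: %{Endpoint:Hostname}</p>",
                     {"Endpoint": {"Hostname": "Jon's <b>Galaxy</b>"}}, for_html=True)
    print(page)
```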
32. Conclusion
33. NameSpaces in ClearPass
• Context is the foundation of ClearPass
• More contextual sources than any other vendor!
• Ability to share context with more vendors than our competitors!
• Context provides for greater security, visibility, and flexibility to support the ever-changing #GenMobile environment.
• Please check out the “Secure Air” booth during your break for a demonstration of these principles in action!
34. Thank You
Editor's Notes
When endpoints were static, corporate-controlled and well-known, we could live with static rules. Today’s mobile technology and the velocity of endpoint change make this old style of access enforcement ineffective.
What’s needed is a policy solution as your foundation that includes RADIUS and TACACS, is built to handle a variety of operating systems, device types, identity stores, and provides the flexibility for how users work today – from anywhere, at any time.
The same solution should also support guest access, profiling, and device configuration from a single pane of glass. IT can create, manage and monitor policies from a central entity with less complexity.
The ability to leverage context and data from multiple identity stores, or auth methods is important as well. This lets IT treat IT-managed and personal devices differently and use more granular enforcement. Something that legacy AAA solutions do not support.
While IT has busily deployed a number of physical and legacy software security mechanisms like Palo Alto, Juniper and others for protecting the perimeter, #GenMobile has completely diluted the notion of a fixed perimeter – it doesn’t exist in a mobile world where users connect and work from anywhere. To head off any risks, many enterprise IT organizations are resorting to extreme measures by adopting a zero-trust approach to security.
Unfortunately, zero-trust treats everyone like potential adversaries. What’s needed is a policy solution that leverages user and device data to make smarter decisions based on each user’s mobility needs.
As the centralized gatekeeper and contextual store for all user authentication and device profiling data, ClearPass constructs a composite identity for the user and device. This information is used for ClearPass’ own access decision making and is also shared with other network security systems in the enterprise.
All network security components use consistent, authoritative data which makes your access story stronger.
PAN COVERS THIS SLIDE
New user habits, threats, and end-points require you to rethink how you protect your access layer. Best-of-breed but siloed security solutions like Palo Alto, MobileIron, and others for protecting the perimeter no longer cut it. #GenMobile has completely diluted the notion of a fixed perimeter – it doesn’t exist in a mobile world where users connect and work from anywhere. Your infrastructure needs to be aware of the changes in the environment and adapt!
ClearPass Exchange is the glue that makes everything work seamlessly and lets you customize new workflows. Using common-language representational state transfer (REST) APIs and data feeds like syslog, context like user ID, device, location, and authentication state can be shared with 3rd party systems. No more complex scripting languages and tedious manual configurations. Let’s look at an example:
- User authentication attempt with a jailbroken device
- ClearPass quarantines the device via RADIUS
- Using the RESTful API, ClearPass automatically creates a trouble ticket in ServiceNow including: User ID, MAC address, Device type, Location
- Email sent to helpdesk staff
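The jailbreak workflow from slide 28 and the note above, modelled in Python as an added example: a syslog event exported by the policy server is parsed, the four fields the note lists (user ID, MAC address, device type, location) are pulled out, and a ServiceNow-style incident body plus the helpdesk e-mail text are built. None of this is ClearPass or ServiceNow code: the syslog line is constructed in a key=value layout that stands in for whatever export format is configured, and the incident field names (short_description, description, category, urgency) are assumptions about the ticketing API’s schema.

```python
"""Jailbreak workflow from slide 28: parse an exported access-reject event,
decide whether it warrants a ticket, and build the ticket and e-mail bodies.
Added illustration only; the syslog layout and ticket field names are assumed."""

import json
import re
from typing import Dict, Optional, Tuple

# Constructed example of an exported access-reject event (not real ClearPass output).
SAMPLE_SYSLOG = ('<134>Dec 21 21:22:05 clearpass01 ClearPass: event=AccessReject '
                 'user=jhansen mac=00-11-22-33-44-55 device="Samsung SM-G900" '
                 'location="Bldg 10, Floor 3" reason="Jailbroken device detected"')

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
MAC = re.compile(r'^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]'
                 r'([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})$', re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Extract key=value pairs from one exported event line."""
    fields: Dict[str, str] = {}
    for m in KV.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def normalise_mac(raw: str) -> Optional[str]:
    """Canonical lowercase colon form so the ticket and endpoint DB agree; None if malformed."""
    m = MAC.match(raw.strip())
    return ":".join(g.lower() for g in m.groups()) if m else None


def should_escalate(fields: Dict[str, str]) -> bool:
    """Only a denied session caused by a jailbroken device opens a ticket here."""
    return (fields.get("event") == "AccessReject"
            and "jailbroken" in fields.get("reason", "").lower())


def build_incident(fields: Dict[str, str]) -> Optional[Dict[str, str]]:
    """ServiceNow-style incident body (field names assumed); None when the event
    does not qualify or the MAC address is unusable."""
    if not should_escalate(fields):
        return None
    mac = normalise_mac(fields.get("mac", ""))
    if mac is None:
        return None
    user = fields.get("user", "unknown")
    return {
        "short_description": f"Jailbroken device denied network access: user {user}",
        "description": "\n".join([
            f"User ID: {user}",
            f"MAC address: {mac}",
            f"Device type: {fields.get('device', 'unknown')}",
            f"Location: {fields.get('location', 'unknown')}",
            "Action taken: ClearPass quarantined the device via RADIUS",
        ]),
        "category": "security",
        "urgency": "2",
    }


def helpdesk_email(incident: Dict[str, str]) -> Tuple[str, str]:
    """Subject and body for the helpdesk notification step."""
    return "[ClearPass] " + incident["short_description"], incident["description"]


if __name__ == "__main__":
    event = parse_event(SAMPLE_SYSLOG)
    incident = build_incident(event)
    print(json.dumps(incident, indent=2))   # body for the POST to the ticketing REST API
    print(helpdesk_email(incident)[0])
```

The two guards are the part worth keeping when adapting this: a reject for any other reason (an expired certificate, say) must not open a security ticket, and a malformed MAC is dropped rather than written into the ticket, because the helpdesk will otherwise search the endpoint database for a string that can never match.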