As organizations deal with threats, they also struggle with an increased push for efficiency and a demand by CEOs to lower their cost of IT per employee. Managing this trade-off can be very difficult, as the two objectives seem to pull in orthogonal directions. Security professionals must be able to provide security for their business within the context of these declining budgets. The complex system approaches of the past led to both an increased number of devices and more service contract requirements, which drive costs up.
As network connections between customers and suppliers increase, businesses continue to deliver solutions as services over the network, and the perimeters that once protected the organization from threats are no longer secure. Organized crime has found ways to skirt perimeter defenses and to leverage insiders, knowingly and unknowingly, to gain access to your critical information. As a result, organizations must protect against both internal and external threats.
Each user has been placed in an access policy group (APG) by the administrator. When a user is authenticated, IDM looks at the rules for the user's access policy group. The rules are based on time, location, device ID, and client integrity status. When a rule match is found, an associated 'Access Profile' is invoked that sets a policy on the user's port; the policy can include ACLs, VLANs, QoS and bandwidth limitations. Access Control Lists (ACLs) and client integrity checking are the new features. Access control lists are filters on users, enforced at the port or AP, that allow or deny access to protocols, destination IP addresses, or destination TCP/UDP ports. The destination addresses and TCP/UDP ports may be specified as ranges as well as individual values. Client integrity is an indicator sent to IDM by a third-party client integrity agent such as Sygate or Zone Labs. When IDM sees the client status indicator, it can send a 'dirty' client to a remediation VLAN or server.
Microsoft® Network Access Protection is a policy enforcement technology built into the Windows Vista® and Windows® Server 2008 operating systems that allows customers to better protect network assets from unhealthy computers by enforcing compliance with network health policies. Microsoft's Network Access Protection technology is available with Windows Vista and Windows Server 2008 and will be available with Windows XP SP3.

ProCurve IDM provides network administrators with the ability to centrally define and apply policy-based network access rights that allow the network to automatically adapt to the needs of users and devices as they connect, thereby enforcing network security while providing appropriate access to network users and devices.
W&M 2009 – HP ProCurve Unified Wireless and Wired Networks
HP ProCurve Networking
How to Integrate Wired and Wireless LANs
Lars Koelendorf
Category Manager, Wireless
HP Networking, EMEA
Email: email@example.com
21 May 2009

Agenda
- Mobility Market Highlights
- The challenges
- WLAN Evolution
- Unified wired and wireless
- Integration options
- Improved user experience
- Advanced security
- Simplified management
- Conclusion

Mobility Market Highlights
- Increasing number and diversity of clients
- Persistent wireless coverage
- Reduced cost
- Dramatic improvements in technology
- Business-critical applications via wired or wireless
Business Needs Driving Everywhere Wireless Access
- Collaboration of mobile workforce
- Access from anywhere
- Secure guest access
- Asset tracking
- Physical security
- Converged voice and data over WiFi
(Diagram: wireless as the hub linking these needs to IMPROVED PRODUCTIVITY.)
The business challenge
With access to the network coming from any device, you need a centralized approach to wired and wireless management to streamline device configuration and to enable network monitoring and response to wired and wireless network threats.
Build an agile, security-aware network that supports all types of users and devices, not barriers to entry.
IT:
- Ensure compliance
- Flexible access

The Network Administrator Challenge
Need a wireless solution that can be managed easily and integrated with the wired infrastructure and existing user policies, not another administrative burden.
- Single management solution
- Wireless network management
- Policy coordination
- Wired network management
The security challenge
- What is the activity inside the network?
- How to protect against internal threats?
- How to deal with an increasingly mobile and fragmented workforce?
- How to meet new regulatory compliance requirements?
- ... within the (declining?) IT budget?
Key Components Development over Time
(Timeline figure; horizontal axis: Time.)
Command from the Center
Unified network: wired and wireless are just two ways of accessing it.
- Increased productivity: consistent user experience, seamless access to business applications
- Ease of management: single management platform with common tools, optimization
- Security: one user identity and one system for access control; one system for network threat management
(Diagram: servers and the interconnect fabric at the center; the intelligent edge of switches, edge portal and wireless access points; wired and wireless clients; edge network and the Internet.)
- Same security solutions

Wireless
What are the user's rights?
Policy management – wired and wireless
- Use a tool that allows network administrators to efficiently manage the users and devices connecting to their network
- A way to virtualize the network versus the user
- Easy creation and management of user policy groups
- Dynamically apply security, access and performance settings at port level based on policies
- Network reports and logs based on users, for audit

Authenticating and provisioning
Based on: client integrity status, location, time, device ID, user/group
Set: ACLs per user (packet-filtering firewall), bandwidth limit, I/O port, VLAN, QoS
How it works
(Diagram: a network administrator, a conference room, and the Internet.)
- Guest: access only to the Internet at 2 Mbps
- Employee: access to the Internet and corporate servers
- Employee, finance: access to financial information
1. The network administrator sets up role-based access policy groups and assigns rules and access profiles: set rules based on policies you define.
User populations: employees, partners, vendors; customers; partners; remote employees
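The rule evaluation described in the IDM paragraph above (APG rules on time, location, device ID and client integrity selecting an access profile of ACLs, VLAN, QoS and bandwidth limit, with dirty clients diverted to a remediation VLAN) and the three roles on the "How it works" slide, modelled as an added example. This is not HP's IDM code; the profile names, group names, VLAN numbers, addresses, device IDs and the deny-all fallback for a user that matches no rule are all constructed for the example, and the page does not say what IDM itself does when no rule matches.

```python
"""Added example (not ProCurve IDM code): a small model of identity-driven access
policy evaluation. Every name, address, VLAN and threshold here is constructed."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class AclEntry:
    action: str                    # "permit" or "deny"
    protocol: str                  # "tcp", "udp", "icmp" or "any"
    dst_net: str                   # destination address or range in CIDR notation
    dst_ports: tuple = (0, 65535)  # inclusive destination port range

    def matches(self, protocol: str, dst_ip: str, dst_port: int) -> bool:
        return (self.protocol in ("any", protocol)
                and ip_address(dst_ip) in ip_network(self.dst_net)
                and self.dst_ports[0] <= dst_port <= self.dst_ports[1])


@dataclass(frozen=True)
class AccessProfile:
    name: str
    vlan: int
    qos: str                       # e.g. "best-effort" or "voice"
    bandwidth_kbps: Optional[int]  # None means no limit
    acl: tuple = ()                # ordered AclEntry tuple; implicit deny at the end

    def permits(self, protocol: str, dst_ip: str, dst_port: int) -> bool:
        """First-match ACL evaluation; traffic matching no entry is denied."""
        for entry in self.acl:
            if entry.matches(protocol, dst_ip, dst_port):
                return entry.action == "permit"
        return False


@dataclass(frozen=True)
class Context:
    now: time
    location: str
    device_id: str
    client_clean: bool  # status reported by the third-party integrity agent


@dataclass(frozen=True)
class Rule:
    profile: AccessProfile
    start: time = time(0, 0)             # inclusive time-of-day window
    end: time = time(23, 59)
    locations: frozenset = frozenset()   # empty means any location
    device_ids: frozenset = frozenset()  # empty means any device

    def matches(self, ctx: Context) -> bool:
        return (self.start <= ctx.now <= self.end
                and (not self.locations or ctx.location in self.locations)
                and (not self.device_ids or ctx.device_id in self.device_ids))


# Constructed profiles mirroring the slide: guest, employee, finance employee.
GUEST = AccessProfile("guest-internet", vlan=20, qos="best-effort", bandwidth_kbps=2000,
                      acl=(AclEntry("deny", "any", "10.0.0.0/8"),       # no corporate range
                           AclEntry("permit", "any", "0.0.0.0/0")))     # Internet only
EMPLOYEE = AccessProfile("employee", vlan=10, qos="best-effort", bandwidth_kbps=None,
                         acl=(AclEntry("deny", "any", "10.0.50.0/24"),  # finance servers
                              AclEntry("permit", "any", "0.0.0.0/0")))
FINANCE = AccessProfile("finance", vlan=30, qos="best-effort", bandwidth_kbps=None,
                        acl=(AclEntry("permit", "any", "0.0.0.0/0"),))
# Dirty clients only reach the (constructed) remediation server on port 80.
REMEDIATION = AccessProfile("remediation", vlan=999, qos="best-effort", bandwidth_kbps=512,
                            acl=(AclEntry("permit", "tcp", "10.0.99.10/32", (80, 80)),))
DENY_ALL = AccessProfile("deny-all", vlan=0, qos="best-effort", bandwidth_kbps=0)

# Access policy groups: an ordered rule list per group; first matching rule wins.
APGS = {
    "guest": [Rule(GUEST, start=time(8, 0), end=time(18, 0),
                   locations=frozenset({"conference-room"}))],
    "employee": [Rule(EMPLOYEE)],
    # A finance user on an unregistered device falls through to plain employee access.
    "finance": [Rule(FINANCE, device_ids=frozenset({"fin-laptop-01"})), Rule(EMPLOYEE)],
}


def evaluate(apg_rules: list, ctx: Context) -> AccessProfile:
    """Return the access profile that would be applied to the user's port."""
    if not ctx.client_clean:   # integrity agent flagged the client: remediation first
        return REMEDIATION
    for rule in apg_rules:
        if rule.matches(ctx):
            return rule.profile
    return DENY_ALL            # assumption: no matching rule means no access


def decide(group: str, hour: int, minute: int, location: str,
           device_id: str, client_clean: bool = True) -> AccessProfile:
    """Look up the user's APG and evaluate it for the given session context."""
    ctx = Context(time(hour, minute), location, device_id, client_clean)
    return evaluate(APGS[group], ctx)


if __name__ == "__main__":
    for args in (("guest", 10, 0, "conference-room", "g1"),
                 ("finance", 9, 30, "hq", "other-laptop"),
                 ("employee", 9, 30, "hq", "e1", False)):
        print(args[0], "->", decide(*args).name)
```

The point the model makes visible is the ordering: the integrity check is applied before any group rule, so a compromised finance laptop never reaches the finance VLAN, and the finance group's second rule shows how a device-ID condition narrows access without locking a legitimate user out entirely.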
Regulatory Compliance Assistance
- Central management and monitoring of security policies provides immediate visibility and assistance with regulatory compliance on the unified network
- Current credentials report
One Network: Wired & Wireless, Unified and Secure
- Real OPEX savings: reduced network management and administration costs
- Improved security: consistent policies, applied once, remove error
- Improved end-user experience: the network follows the user from work site to work site