OCS LIA. The intergration of the Enterasys NAC Solution and Siemens Enterprise Networking - Totally Intergrated Security Architecture The first technical intergration that provides a truely unique proposition when combining an Enterasys NAC solution with a SEC UC solution

1. “There is nothing more important
than our customers”
Identity Management and Network Access Control
An open communication solution for location and identity assurance OCS LIA formerly known as
SALERNO
Markus Nispel
VP Solutions Architecture
markus.nispel@enterasys.com
Inderpreet Singh
Director, Solution Architecture
inderpreet.singh@siemens-enterprise.com

2. © 2008 Enterasys Networks, Inc. All rights reserved.
Why should you care ?
• OCS LIA is the first technical integration that
provides a true unique selling proposition when
combining a Enterasys (NAC) solution with a
SIEMENS Enterprise Communications UC solution
­ even using standard protocols and API´s noone in the
market is able to provide a similar solution
­ a unique value in projects and RFP´s
­ and still open to other vendor´s infrastructure as
Enterasys NAC does support this inherently
• It provides a tangible value to the customer that
results in a lower TCO (through lower OPEX) and a
higher security along with visibility into the IT
infrastructure
• The solution is not limited to VOIP only. A
professional services based integration into any
asset/inventory database at the customer site is
always possible: the result is IT workflow
integration, reduced operational costs and a
loyal customer

3. © 2008 Enterasys Networks, Inc. All rights reserved.
What does it for you ?
• Automatic inventory and location service reduces risk of operation
of non­compliant end­devices with invalid configuration or software
release.
• Automatic adaptation and location-based configuration of end­
devices and usage of special functionalities (e.g. configuration of
speed dial button)
• IP phone monitoring Detecting non­compliant and compromised
end­devices
• Automatic authentication and authorization Warranty of secure,
reliable and high­quality operation of real­time applications through
automatically assigned QoS-parameter and security profiles
(ACL and VLAN)
• Finally the use of this solution provides the following value
add:
• Reduces administrative effort and costs
• Increases protection and reliability of real­time applications
• Minimizes the risk of attacks and the probability of outage
• Increases compliance to enterprise’s security policies
• http://www.enterasys.com/company/literature/auto-voip-deploy.pdf

4. © 2008 Enterasys Networks, Inc. All rights reserved. 4
What is NAC ?
• A User focused technology that:
­ Authorizes a user or device (PC, Phone, Printer) and
­ Permits access to resources based on identity authentication of
the user (and/or device) as well as based on the security
posture of the device along with location and time
­ The parameters are set in the so called Pre-Connect Assessment
(aka Health Check), i.e. before connecting to the infrastructure
­ However, during normal operation, regular checks should be
conducted as part of the Post-Connect Assessment

5. © 2008 Enterasys Networks, Inc. All rights reserved.
What do you need to deploy OCS LIA ?
• Enterasys Network Access Control NAC
Version 3.1.2 or above
­ at least implemented in discovery mode (with
MAC authentication (802.1x can be used too)
enabled on the access sitches and access points)
using a default autorization for all endpoints
­ along with professional services from Enterasys
to implement the solution and the OCS LIA
middleware
• Siemens HiPath Deployment Service DLS
V2R4
­ supporting OpenStage and Optipoint VOIP
endpoints in both SIP and HFA mode
­ Additional location service licenses for each
device that should be supported for this feature
­ Along with professional services from SEN to
properly setup up the DLS (also for web
services usage) and optionally configure the
infrastructure policies
5

6. © 2008 Enterasys Networks, Inc. All rights reserved.
Enterasys NAC - in Any Environment
•Hybrid deployment
­ Best of both models for mixed environments
­ Single, integrated solution – seamless management from single system
.
Enterprise
Network
Enterasys Policy
capable switch
RFC3580 capable
switch
RFC3580 capable
Wireless Access PointNAC Gateway
Core EdgeDistribution
Non-intelligent
Wireless
VPN
Non-intelligent edge
switches
Shared Access LAN
NAC Controller
NAC Manager

7. © 2008 Enterasys Networks, Inc. All rights reserved. 7
• Enterasys Matrix™
and SecureStack™
Switches, HiPath
WLAN, Roamabout
• and/or
• Third Party Switch or
WLAN Access Point
(RFC 3580-compliant)
• and/or
• NAC Controller (includes
all Gateways functions and
Assessment Service)
• Enterasys NAC
Manager
­ Software plugin to NetSight
Console
­ Centralized administration of
NAC Gateways and
Controllers
Management
Enterasys NAC - Components
Detection, Authentication,
Remediation, Assessment
• Enterasys NAC Gateway
­ (Proxy) RADIUS
­ Remediation and Registration
­ Optional Assessment Service
integrated
• Assessment Service
­ optional
­ Nessus, Retina Eye, Enterasys
­ Interface to integrate other
servers
Authorization

8. © 2008 Enterasys Networks, Inc. All rights reserved.
NAC Gateway – with „any“ access device
• Policy Mapping table in NAC 3.2 - create independency of device
type and topology
- More flexible VLAN name based approaches
- Globally configured
- Location based = Switch IP and Switch Port (and AP´s, SSID´s etc. ..)
• Will also support authorization methods like Cisco ACL, Login-LAT
Group or a combination of these along with fully customizeable radius
attributes to map Policy to an appropriate authorization
alternative

9. © 2008 Enterasys Networks, Inc. All rights reserved.
wired
LAN
Siemens
HiPath DLS
Event-based
synchronization of
data-bases via API: IP
phone, phone
number, switch,
switch-port, building,
room
NAC
Manager
HiPath/OpenSc
ape
Platform
Enterasys NAC
Appliance
Database with physical
infrastructure / cabling
- wall-socket
- Building
- Room
Open Communication Solution for Location
and Identity Assurance: Enterasys NAC / Siemens HiPath
DLS
12345 10.1.1.10 xx-xy-yy-yz-zz-az Access 1 10.9.9.8 fe.0.15 B. A 130 3 4.2.4
34567 10.1.1.18 aa-bb-cc-dd-ee-ff Access 2 10.9.9.9 fe.1.8 B. B 241 1 4.2.4
56789 10.1.1.25 ab-cd-ef-gh-ij-kl Access 3 10.9.9.10 fe.2.21 B. A 412 2 4.2.2
Phone
number
Phone IP
Address
Phone MAC
Address
Switch-
name
Switch IP
Address
Switch-
port
Building Room Wall jacket
Phone
Software
pro services

10. © 2008 Enterasys Networks, Inc. All rights reserved. 10
Agile enterprises use service-
oriented architectures (SOAs) and
extend SOA with events where
appropriate. Service and event
architectures make enterprise
computing more effective and
flexible than traditional,
monolithic "stovepipe" systems.
Success requires a knowledge of
common deployment patterns and
fundamental success factors.
Source: Gartner, 4. April 2007 Applied SOA:
Transforming Fundamental Principles Into Best
Practices
OCS LIA Integrator/Middleware –
SOA based

11. © 2008 Enterasys Networks, Inc. All rights reserved. 11
•WSDL (Web Services Description
Language) is the proposed standard
that is used for the service interface
definition in most new development
tools
•XML (eXtended Markup Language)
is used to transport the messages in
a machine to machine
communication scenario over IP
based networks
•OCS LIA is based on these widely
accepted and deployed standards
OCS LIA Integrator/Middleware –
SOA and Web Services

12. © 2008 Enterasys Networks, Inc. All rights reserved.
OCS LIA Integrator/Middleware –
General Features
• Synchronize endsystem data from NetSight (NAC) database to HiPath
DLS
• Synchronize VoIP phone number, type and SW version to NetSight
endsystem database
• Detect HiPath DLS restarts (for full re-sync)
• Detect new phones on DLS side (for individual sync)
• Periodic cache cleanup to eliminate old outdated cache entries
• Retry mechanism in case of unreachable external systems
• Detection of IP mismatch due to VLAN configuration with delayed DLS
update (to prevent DLS jobs sent to old device IP)
• Flexible logging configuration
• Very flexible component configuration
• Support of multiple switches
• Support of multiple DLS servers

13. © 2008 Enterasys Networks, Inc. All rights reserved.
All device relevant data from NetSight, HiPath DLS servers and switches are
collected and cached within the Integrator using an internal cache. The IP
Infrastructure data record used here contains the following information:
Open Communication Solution for Location
and Identity Assurance: IP Infrastructure Cache

14. © 2008 Enterasys Networks, Inc. All rights reserved.
• The exchanged data is presented as additional endsystem data in the NAC
Manager but also on the HiPath DLS
Device phone number
(e.g. 43254)
Device Type and SW version
(e.g. OpenStage 80:V1
R4.14.0)
DLS IP Infrastructure
Enterasys NMS NAC Manager: Endsystem View
Open Communication Solution for
Location and Identity Assurance: data
exchange

15. © 2008 Enterasys Networks, Inc. All rights reserved.
Siemens OpenStage VOIP Phone
Open Communication Solution for
Location and Identity Assurance: location
based configuration

16. © 2008 Enterasys Networks, Inc. All rights reserved. 16
MUA&PLogic 802.1X
PWA
MAC
RADIUSauthority
Dynamic
admin rule
DFE
802.1X credentials
PWA credentials
802.1X login
Filter ID  policy sales
SMAC = Anita
SMAC = Bob
PWA login
SMAC = Phone
MAC traffic
MAC credentials
Filter ID  policy phone
Dynamic
admin rule
Dynamic
Admin rule
Port X
Filter ID  credit
Policy sales
Policy credit
Policy Phone
• Inherent advantage, from 2 (3) up to 2048 devices per port and system
• Supported by B/C/G/D and N/NGN/S Series (partially dependant on licenses)
• Different authentication methods (in random (depends on the product)
combination per port/user)
­ 802.1x, PWA (Web), MAC authentication, RADIUS, Kerberos, Default role ....
• Single physical interface but multiple roles (and VLAN´s)
The value of using Enterasys switch hardware
Multi-user authentication AND policy
Enterasys Switch

17. © 2008 Enterasys Networks, Inc. All rights reserved.
Roles, Services , Rules
Network
Administrator
VOIPOffice Non-OfficeDenyRIP
DenyOSPF
DenyApple
DenyIPX
DenyDHCPReply
DenyIPRange
AllowARP,DNS
AllowRTP128kbit/s
AllowSNMP
AllowSIP2Mbit/s
DenySNMP
DenyTelnet
DenyTFTP
DropApple
DropIPX
DropDecNet
Deny Faculty
Server Farm
Administrative
Protocols
Acceptable Use
Legacy
Protocols SIP Only
The value of using Enterasys switch hardware
Authorization/Policy – roles & rules

18. © 2008 Enterasys Networks, Inc. All rights reserved. 18
Corporate &
Regulatory
Compliance
Can I enforce these regulations prior to granting network
access?
Do I have reporting and auditing tools to verify compliance?
NAC – other application scenarios
Network
Usage
Who is using the network infrastructure?
Are these users authorized?
Does access correspond to organizational role?
Workstation
Security
Does system have up-to-date OS patches?
Does every system conform to corporate security standards?
Guest
Users
Does a guest system contain threats?
Can I limit access for guest users?
Non-Workstation
End Systems
Is this device what it claims to be?
Can I assess its security posture?
Can I locate rogue Access Points, hijacked print servers etc?

19. © 2008 Enterasys Networks, Inc. All rights reserved.
IAM - principles
• Network technology, distributed
computing and the Internet have made
it possible to dramatically extend
application and information access to
users well beyond the typical
organizational boundaries. The related
security risks, management issues and
compliance requirements mus be
adressed.
o Who is accessing my applications or
data?
o What are they authorized to do?
o Should they have those authorizations?
• The tools that allow to answer these
questions and maintain control over
users and their access make up an
identity and access management (IAM)
solution

20. © 2008 Enterasys Networks, Inc. All rights reserved.
NAC & IAM integration - Why
• NAC is a very useful tool in reducing and controlling the risks to
your network infrastructure. However, although it relies on user
authentication, on its own this is really no more than a means to
identify a device.
• The problems of providing each individual user with only the
access they are authorised for, and no more, remain. The solution
is to tie the authentication process with a robust identity management
(IDM) solution, applying network controls to an individual or a well­
defined group. This process is sometimes referred to as Identity Driven
Networking (IDN).

21. © 2008 Enterasys Networks, Inc. All rights reserved.
NAC & IAM – Positioning
Enterasys
NAC
Gateway
Enterasys
NAC
Controller
Directory
MS-NPS
RADIUS
SIEM
802.1X
MS
AGENT
1X,MAC,WEB LDAP
EAP-PEAP [TNCCS-SOH]
PAP, CHAP, EAP-M
D5
HEALTH CHECK
XM
L_API
802.1X
IF-MAP
PEP and PDP
Policy Enforcement Point
Policy Decision Point
Kerberos
Location
Asset Management
Policy provisioning
and
assignm
ent
Enterasys
AGENT
XM
L API

22. © 2008 Enterasys Networks, Inc. All rights reserved.
NAC & IAM integration - Advantages
• Users are managed
centrally in the IDM system
for all connected applications
(including the network).
• The process of managing
joiners, movers and
leavers can be automated
and linked to other key
processes (e.g. HR).
• Users are automatically
added or deleted when
they join and leave the
organisation. This not only
eases the administrative
burden for IT support, but
also enhances security
because users have their
access revoked or suspended
the moment they leave.

23. © 2008 Enterasys Networks, Inc. All rights reserved.
NAC & IAM - Status
• Integration of Enterasys NAC and the SEN TISA – Totally Integrated
Security Architecture
­ proof of Concept shown at Open Minds event in april 2009
­ plans to show at Interop 2009
­ Joint Whitepaper available on BeFirst
• Currently based on NAC 3.2 with LDAP integration (role/policy
assigment based on LDAP attributes) and Kerberos based
authentication
­ Offical integration and documentation underway
­ Possible Web­ and 802.1x­based Integration
23

24. © 2008 Enterasys Networks, Inc. All rights reserved.
First Win – Higher Education Vertical
European School of Management and Technology (ESMT)
Berlin, Germany
Business Drivers ESMT Solution
Case Results…
 Segregated data and telecom networks
 IP phone inventory and config
management was cumbersome
 No single view of IP comms
infrastructure and devices for admin and
management
 Enterasys NMS and NAC solution
 HiPath DLS
 Full policy enabled networking
infrastructure with N-Series switches
 Voice/Telephony HiPath 3000
 Low cost, low effort to integrate ETS and SEN components (within one week)
 Total view (location, state, posture) of IP devices throughout network under one
management domain
 Rules based policy enforcement, error flagging and notification in real time
“The open architecture and integration of
SEN and Enterasys’ systems required
minimal effort from our team. Their
professional services experts succeeded in
implementing an overarching management
system in just one week, saving us a huge
amount of work while at the same time
making communication more secure.”
Thomas Giese, IT Network Services for
ESMT.

25. © 2008 Enterasys Networks, Inc. All rights reserved.
More questions
• Just contact
Markus Nispel
VP Solutions Architecture
Enterasys Networks
Solmsstrasse 83
60486 Frankfurt
Phone: +49 69 47860 253
Fax: +49 69 47860 364
Cell: +49 172 8638003
Email:
markus.nispel@enterasys.com
www: http://www.enterasys.com
25
Inderpreet Singh
Director, Solutions Architecture
Converged Networks and Security
Siemens Enterprise Communications
271 Mill Road
Chelmsford, MA 01824
USA
Phone: +1 978 367 7604
Cell: +1 978 764 6855
Email:
inderpreet.singh@siemens­enterprise.c
Please contact us if you have additional input on potential joint solutions of Enterasys and SEN

26. “There is nothing more important
than our customers”
Thank You